Wireless Networking

Russian Spies Jumped From One Network To Another Via Wi-Fi (wired.com) 18

"Steven Adair, of cybersecurity firm Volexity, revealed at the Cyberwarcon security conference how Russian hackers were able to daisy-chain as many as three separate Wi-Fi networks in their efforts to attack victims," writes longtime Slashdot reader smooth wombat. Wired reports: Adair says that Volexity first began investigating the breach of its DC customer's network in the first months of 2022, when the company saw signs of repeated intrusions into the customer's systems by hackers who had carefully covered their tracks. Volexity's analysts eventually traced the compromise to a hijacked user's account connecting to a Wi-Fi access point in a far end of the building, in a conference room with external-facing windows. Adair says he personally scoured the area looking for the source of that connection. "I went there to physically run down what it could be. We looked at smart TVs, looked for devices in closets. Is someone in the parking lot? Is it a printer?" he says. "We came up dry."

Only after the next intrusion, when Volexity managed to get more complete logs of the hackers' traffic, did its analysts solve the mystery: The company found that the hijacked machine which the hackers were using to dig around in its customer's systems was leaking the name of the domain on which it was hosted -- in fact, the name of another organization just across the road. "At that point, it was 100 percent clear where it was coming from," Adair says. "It's not a car in the street. It's the building next door." With the cooperation of that neighbor, Volexity investigated that second organization's network and found that a certain laptop was the source of the street-jumping Wi-Fi intrusion. The hackers had penetrated that device, which was plugged into a dock connected to the local network via Ethernet, and then switched on its Wi-Fi, allowing it to act as a radio-based relay into the target network. Volexity found that, to break into that target's Wi-Fi, the hackers had used credentials they'd somehow obtained online but had apparently been unable to exploit elsewhere, likely due to two-factor authentication.

Volexity eventually tracked the hackers on that second network to two possible points of intrusion. The hackers appeared to have compromised a VPN appliance owned by the other organization. But they had also broken into the organization's Wi-Fi from another network's devices in the same building, suggesting that the hackers may have daisy-chained as many as three networks via Wi-Fi to reach their final target. "Who knows how many devices or networks they compromised and were doing this on," says Adair. Volexity had presumed early on in its investigation that the hackers were Russian in origin due to their targeting of individual staffers at the customer organization focused on Ukraine. Then in April, fully two years after the original intrusion, Microsoft warned of a vulnerability in Windows' print spooler that had been used by Russia's APT28 hacker group -- Microsoft refers to the group as Forest Blizzard -- to gain administrative privileges on target machines. Remnants left behind on the very first computer Volexity had analyzed in the Wi-Fi-based breach of its customer exactly matched that technique. "It was an exact one-to-one match," Adair says.

Microsoft

Microsoft's Controversial Recall Scraper is Finally Entering Public Preview 47

Microsoft has released a public preview of its redesigned Windows Recall feature, five months after withdrawing the original version due to security concerns. The feature will initially be available only on Qualcomm Snapdragon X Elite and Plus Copilot+ PCs running Windows Insider Dev channel build 26120.2415.

Recall, which continuously captures and indexes screenshots and text for later search, now includes mandatory encryption, opt-in activation, and Windows Hello authentication. The feature requires Secure Boot, BitLocker encryption, and attempts to automatically mask sensitive data like passwords and credit card numbers. The feature is exclusive to Copilot+ PCs equipped with neural processing units for local AI processing.
Network

How the World's Vital Undersea Data Cables Are Being Targeted (theguardian.com) 145

Damage to two undersea fiber-optic cables in the Baltic Sea this month points to growing vulnerability of critical submarine infrastructure, with German officials suspecting sabotage and Swedish police investigating a Chinese cargo vessel's involvement.

The incident highlights escalating risks to the global submarine cable network, which carries 99% of international telecommunications traffic through 530 cable systems spanning 850,000 miles. These garden hose-thick cables facilitate trillions in daily financial transactions and vital government communications.

Security experts warn that Russia has increased monitoring of undersea cables amid tensions over Ukraine. Taiwan reported 36 cable damages by foreign vessels since 2019, while Houthi rebels denied targeting Red Sea cables this year. Though most of the 100-plus annual cable faults are accidental, deliberate sabotage remains a concern. Repairs are costly, with new transatlantic cables running up to $250 million.
Privacy

Put Your Usernames and Passwords In Your Will, Advises Japan's Government (theregister.com) 83

The Register's Simon Sharwood reports: Japan's National Consumer Affairs Center on Wednesday suggested citizens start "digital end of life planning" and offered tips on how to do it. The Center's somewhat maudlin advice is motivated by recent incidents in which citizens struggled to cancel subscriptions their loved ones signed up for before their demise, because they didn't know their usernames or passwords. The resulting "digital legacy" can be unpleasant to resolve, the agency warns, so it suggested four steps to ensure our digital legacies aren't complicated:

- Ensure family members can unlock your smartphone or computer in case of emergency;
- Maintain a list of your subscriptions, user IDs and passwords;
- Consider putting those details in a document intended to be made available when your life ends;
- Use a service that allows you to designate someone to have access to your smartphone and other accounts once your time on Earth ends.

The Center suggests now is the time for it to make this suggestion because it is aware of struggles to discover and resolve ongoing expenses after death. With smartphones ubiquitous, the org fears more people will find themselves unable to resolve their loved ones' digital affairs -- and powerless to stop their credit cards being charged for services the departed cannot consume.

Security

Fintech Giant Finastra Investigating Data Breach (krebsonsecurity.com) 8

An anonymous reader quotes a report from KrebsOnSecurity: The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world's top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company. London-based Finastra has offices in 42 countries and reported $1.9 billion in revenues last year. The company employs more than 7,000 people and serves approximately 8,100 financial institutions around the world. A major part of Finastra's day-to-day business involves processing huge volumes of digital files containing instructions for wire and bank transfers on behalf of its clients.

On November 8, 2024, Finastra notified financial institution customers that on Nov. 7 its security team detected suspicious activity on Finastra's internally hosted file transfer platform. Finastra also told customers that someone had begun selling large volumes of files allegedly stolen from its systems. "On November 8, a threat actor communicated on the dark web claiming to have data exfiltrated from this platform," reads Finastra's disclosure, a copy of which was shared by a source at one of the customer firms. "There is no direct impact on customer operations, our customers' systems, or Finastra's ability to serve our customers currently," the notice continued. "We have implemented an alternative secure file sharing platform to ensure continuity, and investigations are ongoing." But its notice to customers does indicate the intruder managed to extract or "exfiltrate" an unspecified volume of customer data.

United States

US Agency Votes To Launch Review, Update Undersea Telecommunications Cable Rules (usnews.com) 21

The Federal Communications Commission voted on Thursday to propose new rules governing undersea internet cables in the face of growing security concerns, as part of a review of regulations on the links that handle nearly all the world's online traffic. From a report: The FCC voted 5-0 on proposed updates to address the national security concerns over the global network of more than 400 subsea cables that handle more than 98% of international internet traffic. [...]

Baltic nations said this week they are investigating whether the cutting of two fiber-optic undersea telecommunication cables in the Baltic Sea was sabotage. Rosenworcel noted that in 2023 Taiwan accused two Chinese vessels of cutting the only two cables that support internet access on the Matsu Islands and Houthi attacks in the Red Sea may have been responsible for the cutting of three cables providing internet service to Europe and Asia.

AI

Inside the Booming 'AI Pimping' Industry (404media.co) 101

An anonymous reader quotes a report from 404 Media: Instagram is flooded with hundreds of AI-generated influencers who are stealing videos from real models and adult content creators, giving them AI-generated faces, and monetizing their bodies with links to dating sites, Patreon, OnlyFans competitors, and various AI apps. The practice, first reported by 404 Media in April, has since exploded in popularity, showing that Instagram is unable or unwilling to stop the flood of AI-generated content on its platform and protect the human creators on Instagram who say they are now competing with AI content in a way that is impacting their ability to make a living.

According to our review of more than 1,000 AI-generated Instagram accounts, Discord channels where the people who make this content share tips and discuss strategy, and several guides that explain how to make money by "AI pimping," it is now trivially easy to make these accounts and monetize them using an assortment of off-the-shelf AI tools and apps. Some of these apps are hosted on the Apple App and Google Play Stores. Our investigation shows that what was once a niche problem on the platform has industrialized in scale, and it shows what social media may become in the near future: a space where AI-generated content eclipses that of humans. [...]

Out of more than 1,000 AI-generated Instagram influencer accounts we reviewed, 100 included at least some deepfake content which took existing videos, usually from models and adult entertainment performers, and replaced their face with an AI-generated face to make those videos seem like new, original content consistent with the other AI-generated images and videos shared by the AI-generated influencer. The other 900 accounts shared images that in some cases were trained on real photographs and in some cases made to look like celebrities, but were entirely AI-generated, not edited photographs or videos. Out of those 100 accounts that shared deepfake or face-swapped videos, 60 self-identify as being AI-generated, writing in their bios that they are a "virtual model & influencer" or stating "all photos crafted with AI and apps." The other 40 do not include any disclaimer stating that they are AI-generated.
Adult content creators like Elaina St James say they're now directly competing with these AI rip-off accounts that often use stolen content. Since the explosion of AI-generated influencer accounts on Instagram, St James said her "reach went down tremendously," from a typical 1 million to 5 million views a month to not surpassing a million in the last 10 months, and sometimes coming in under 500,000 views. While she said changes to Instagram's algorithm could also be at play, these AI-generated influencer accounts are "probably one of the reasons my views are going down," St James told 404 Media. "It's because I'm competing with something that's unnatural."

Alexios Mantzarlis, the director of the security, trust, and safety initiative at Cornell Tech and formerly principal of trust and safety intelligence at Google, started researching the problem to see where AI-generated content is taking social media and the internet. "It felt like a possible sign of what social media is going to look like in five years," said Mantzarlis. "Because this may be coming to other parts of the internet, not just the attractive-people niche on Instagram. This is probably a sign that it's going to be pretty bad."
Security

Ubuntu Linux Impacted By Decade-Old 'needrestart' Flaw That Gives Root (bleepingcomputer.com) 87

Five local privilege escalation (LPE) vulnerabilities in the Linux utility "needrestart" -- widely used on Ubuntu to manage service updates -- allow attackers with local access to escalate privileges to root. The flaws were discovered by Qualys in needrestart version 0.8, and fixed in version 3.8. BleepingComputer reports: Complete information about the flaws was made available in a separate text file, but a summary can be found below:

- CVE-2024-48990: Needrestart executes the Python interpreter with a PYTHONPATH environment variable extracted from running processes. If a local attacker controls this variable, they can execute arbitrary code as root during Python initialization by planting a malicious shared library.
- CVE-2024-48992: The Ruby interpreter used by needrestart is vulnerable when processing an attacker-controlled RUBYLIB environment variable. This allows local attackers to execute arbitrary Ruby code as root by injecting malicious libraries into the process.
- CVE-2024-48991: A race condition in needrestart allows a local attacker to replace the Python interpreter binary being validated with a malicious executable. By timing the replacement carefully, they can trick needrestart into running their code as root.
- CVE-2024-10224: Perl's ScanDeps module, used by needrestart, improperly handles filenames provided by the attacker. An attacker can craft filenames resembling shell commands (e.g., command|) to execute arbitrary commands as root when the file is opened.
- CVE-2024-11003: Needrestart's reliance on Perl's ScanDeps module exposes it to vulnerabilities in ScanDeps itself, where insecure use of eval() functions can lead to arbitrary code execution when processing attacker-controlled input.

The report notes that attackers would need to have local access to the operating system through malware or a compromised account in order to exploit these flaws. "Apart from upgrading to version 3.8 or later, which includes patches for all the identified vulnerabilities, it is recommended to modify the needrestart.conf file to disable the interpreter scanning feature, which prevents the vulnerabilities from being exploited," adds BleepingComputer.
Security

D-Link Tells Users To Trash Old VPN Routers Over Bug Too Dangerous To Identify (theregister.com) 144

Owners of older models of D-Link VPN routers are being told to retire and replace their devices following the disclosure of a serious remote code execution (RCE) vulnerability. From a report: Most of the details about the bug are being kept under wraps given the potential for wide exploitation. The vendor hasn't assigned it a CVE identifier or really said much about it at all other than that it's a buffer overflow bug that leads to unauthenticated RCE.

Unauthenticated RCE issues are essentially as bad as vulnerabilities get, and D-Link warned that if customers continued to use the affected products, the devices connected to them would also be put at risk. Previous bugs in similar products from other vendors have carried warnings that attackers could exploit them to install rootkits and use that persistent access to surveil an organization's web traffic, potentially stealing data such as credentials.
Further reading: D-Link Won't Fix Critical Flaw Affecting 60,000 Older NAS Devices.
Security

Apple Says Mac Users Targeted in Zero-Day Cyberattacks (techcrunch.com) 9

Apple has pushed out security updates that it says are "recommended for all users," after fixing a pair of security bugs used in active cyberattacks targeting Mac users. From a report: In a security advisory on its website, Apple said it was aware of two vulnerabilities that "may have been actively exploited on Intel-based Mac systems." The bugs are considered "zero day" vulnerabilities because they were unknown to Apple at the time they were exploited.

[...] The vulnerabilities were reported by security researchers at Google's Threat Analysis Group, which investigates government-backed hacking and cyberattacks, suggesting that a government actor may be involved in the attacks.

Microsoft

Microsoft Rolls Out Recovery Tools After CrowdStrike Incident 60

Microsoft has announced sweeping changes to Windows security architecture, including new recovery capabilities designed to prevent system-wide outages following July's CrowdStrike incident that disabled 8.5 million Windows devices.

The Windows Resiliency Initiative introduces Quick Machine Recovery, allowing IT administrators to remotely fix unbootable systems through an enhanced Windows Recovery Environment. Microsoft is also mandating stricter testing and deployment practices for security vendors under its Microsoft Virus Initiative, including gradual rollouts and monitoring procedures.

The company is also developing a framework to move antivirus processing outside the Windows kernel, with a preview planned for security partners in July 2025.
AI

The US Patent and Trademark Office Banned Staff From Using Generative AI 33

An anonymous reader shares a report: The US Patent and Trademark Office banned the use of generative artificial intelligence for any purpose last year, citing security concerns with the technology as well as the propensity of some tools to exhibit "bias, unpredictability, and malicious behavior," according to an April 2023 internal guidance memo obtained by WIRED through a public records request. Jamie Holcombe, the chief information officer of the USPTO, wrote that the office is "committed to pursuing innovation within our agency" but are still "working to bring these capabilities to the office in a responsible way."

Paul Fucito, press secretary for the USPTO, clarified to WIRED that employees can use "state-of-the-art generative AI models" at work -- but only inside the agency's internal testing environment. "Innovators from across the USPTO are now using the AI Lab to better understand generative AI's capabilities and limitations and to prototype AI-powered solutions to critical business needs," Fucito wrote in an email.
Security

Court Documents: Spyware Group NSO's Pegasus Targeted Up To 'Tens of Thousands' 19

WhatsApp's newly unsealed court documents have exposed the extensive reach of NSO Group's Pegasus spyware operation, which targeted "between hundreds and tens of thousands" of devices, according to testimony from the company's head of research and development. The Israeli surveillance firm charged government customers up to $6.8 million for one-year licenses, generating at least $31 million in revenue in 2019 alone, TechCrunch first reported.

The documents detail previously unknown hacking tools named "Hummingbird," "Eden," and "Heaven," developed specifically to compromise WhatsApp users' devices. The revelations emerge from WhatsApp's ongoing 2019 lawsuit against NSO Group for alleged violations of U.S. anti-hacking laws.

Further reading: NSO, Not Government Clients, Operates Its Spyware.
Television

Could an Upcoming Apple Smart-Home Tablet Lead to Mobile Robots - and Maybe Even a TV Set? (bloomberg.com) 25

"Here's how Apple's next major product will work," writes Bloomberg's Mark Gurman: The company has been developing a smart home command center that will rival products like the Amazon Echo Hub and Google Nest Hub... The product will run many of Apple's core apps, like Safari, Notes and Calendar, but the interface will be centered on a customizable home screen with iOS-like widgets and smart home controls... The device looks like a low-end iPad and will include a built-in battery, speakers and a FaceTime camera oriented for a horizontal landscape view. The square device, which includes a roughly 6-inch screen, has sensors that let it change the interface depending on how far a user is from the screen. It will also have attachments for walls, plus a base with additional speakers so it can be placed on a table, nightstand or desk.

Apple envisions customers using the device as an intercom, with people FaceTiming each other from different rooms. They'll also be able to pull up home security footage, control their lights, and videoconference with family while cooking in the kitchen. And it will control music throughout the home on HomePod speakers. The device will work with hundreds of HomeKit-compatible items, a lineup that includes third-party switches, lights, fans and other accessories. But the company doesn't plan to roll out a dedicated app store for the product. Given the lack of success with app marketplaces for the Vision Pro, Apple Watch and Apple TV, that's not too surprising.

Looking ahead, the article concludes "The success of this device is still far from assured. Apple's recent track record pushing into new categories has been spotty, and its previous home products haven't been major hits."

But Gurman shares the most interesting part on X.com: If the product does catch on, it will help set the stage for more home devices. Apple is working on a high-end AI companion with a [$1,000] robotic arm and large display that could serve as a follow-up. The company could also put more resources into developing mobile robots, privacy-focused home cameras and speakers. It may even revisit the idea of making an Apple-branded TV set, something it's evaluating. But if the first device fails, Apple may have to rethink its smart home ambitions once again.
Gurman also writes that Apple is working on a new AirTag with more range and improved privacy features (including "making it more difficult for someone to remove the speaker.")
Google

What Happened After Google Retrofitted Memory Safety Onto Its C++ Codebase? (googleblog.com) 140

Google's transition to Safe Coding and memory-safe languages "will take multiple years," according to a post on Google's security blog. So "we're also retrofitting secure-by-design principles to our existing C++ codebase wherever possible," a process which includes "working towards bringing spatial memory safety into as many of our C++ codebases as possible, including Chrome and the monolithic codebase powering our services."

We've begun by enabling hardened libc++, which adds bounds checking to standard C++ data structures, eliminating a significant class of spatial safety bugs. While C++ will not become fully memory-safe, these improvements reduce risk as discussed in more detail in our perspective on memory safety, leading to more reliable and secure software... It's also worth noting that similar hardening is available in other C++ standard libraries, such as libstdc++. Building on the successful deployment of hardened libc++ in Chrome in 2022, we've now made it default across our server-side production systems. This improves spatial memory safety across our services, including key performance-critical components of products like Search, Gmail, Drive, YouTube, and Maps... The performance impact of these changes was surprisingly low, despite Google's modern C++ codebase making heavy use of libc++. Hardening libc++ resulted in an average 0.30% performance impact across our services (yes, only a third of a percent) ...

In just a few months since enabling hardened libc++ by default, we've already seen benefits. Hardened libc++ has already disrupted an internal red team exercise and would have prevented another one that happened before we enabled hardening, demonstrating its effectiveness in thwarting exploits. The safety checks have uncovered over 1,000 bugs, and would prevent 1,000 to 2,000 new bugs yearly at our current rate of C++ development...

The process of identifying and fixing bugs uncovered by hardened libc++ led to a 30% reduction in our baseline segmentation fault rate across production, indicating improved code reliability and quality. Beyond crashes, the checks also caught errors that would have otherwise manifested as unpredictable behavior or data corruption... Hardened libc++ enabled us to identify and fix multiple bugs that had been lurking in our code for more than a decade. The checks transform many difficult-to-diagnose memory corruptions into immediate and easily debuggable errors, saving developers valuable time and effort.

The post notes that they're also working on "making it easier to interoperate with memory-safe languages. Migrating our C++ to Safe Buffers shrinks the gap between the languages, which simplifies interoperability and potentially even an eventual automated translation."
Government

New Pentagon Report on UFOs: Hundreds of New Incidents, No Evidence of Aliens (apnews.com) 66

"The Pentagon's latest report on UFOs has revealed hundreds of new reports of unidentified and unexplained aerial phenomena," reports the Associated Press, "but no indications suggesting an extraterrestrial origin.

"The review includes hundreds of cases of misidentified balloons, birds and satellites as well as some that defy easy explanation, such as a near-miss between a commercial airliner and a mysterious object off the coast of New York." Federal efforts to study and identify UAPs have focused on potential threats to national security or air safety and not their science fiction aspects. Officials at the Pentagon office created in 2022 to track UAPs, known as the All-Domain Anomaly Resolution Office, or AARO, have said there's no indication any of the cases they looked into have unearthly origins. "It is important to underscore that, to date, the All-Domain Anomaly Resolution Office has discovered no evidence of extraterrestrial beings, activity, or technology," the authors of the report wrote... Reporting witnesses included commercial and military pilots as well as ground-based observers. Investigators found explanations for nearly 300 of the incidents. In many cases, the unknown objects were found to be balloons, birds, aircraft, drones or satellites. According to the report, Elon Musk's Starlink satellite system is one increasingly common source as people mistake chains of satellites for UFOs. Hundreds of other cases remain unexplained, though the report's authors stressed that is often because there isn't enough information to draw firm conclusions.

No injuries or crashes were reported in any of the incidents, though a commercial flight crew reported one near miss with a "cylindrical object" while flying over the Atlantic Ocean off the coast of New York. That incident remains under investigation. In three other cases, military air crews reported being followed or shadowed by unidentified aircraft, though investigators could find no evidence to link the activity to a foreign power.

The article points out that the report's publication comes "a day after House lawmakers called for greater government transparency during a hearing on unidentified anomalous phenomena." And it concludes with this quote from Republican Representative Andy Ogles of Tennessee. "There is something out there. The question is: Is it ours, is it someone else's, or is it otherworldly?"
Power

Small Modular Nuclear Reactor Partnership Announced between America and Ukraine (kyivindependent.com) 124

An anonymous reader shared this report from the Kyiv Independent: The United States will partner with Ukraine to transition Ukraine's coal-fired plants to small modular nuclear reactors, and to use them to help decarbonize its steel industry, the countries announced on November 16 at the U.N. Climate Change Conference in Baku, Azerbaijan...

The partnership will build a roadmap and provide technical support to "rebuild, modernize, and decarbonize Ukraine's steel industry with small modular reactors," according to a statement from the U.S. State Department... It will also "facilitate the transition of Ukraine's coal-fired power plants to secure and safe SMR nuclear power plants utilizing existing infrastructure and retraining the workforce," the statement read.

Another project announced at the conference, known as COP29, will build a pilot plant in Ukraine to demonstrate production of clean hydrogen and ammonia using simulated small modular reactor technology.

That clean hydrogen/ammonia project involves a multinational public-private consortium which also includes Japan and South Korea, according to the U.S. State Department. Their announcement says the three projects "will help position Ukraine to take a leadership role on secure and safe nuclear energy" (as well as industrial decarbonization).

Three years ago the U.S. State Department launched a program to help countries develop nuclear energy programs "to support clean energy goals under the highest international standards for nuclear safety, security, and nonproliferation." That program will send $30 million for these three projects...
Privacy

T-Mobile Hacked In Massive Chinese Breach of Telecom Networks 25

Chinese hackers, reportedly linked to a Chinese intelligence agency, breached T-Mobile as part of a broader cyber-espionage campaign targeting telecom companies to spy on high-value intelligence targets. "T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information," a company spokesperson told the Wall Street Journal. Reuters reports: It was unclear what information, if any, was taken about T-Mobile customers' calls and communications records, according to the report. On Wednesday, the Federal Bureau of Investigation (FBI) and the U.S. cyber watchdog agency CISA said China-linked hackers have intercepted surveillance data intended for American law enforcement agencies after breaking into an unspecified number of telecom companies. Further reading: U.S. Wiretap Systems Targeted in China-Linked Hack
United States

FTC Reports 50% Drop in Unwanted Call Complaints Since 2021 50

The Federal Trade Commission reported Friday that the number of consumer complaints about unwanted telemarketing phone calls has dropped over 50% since 2021, continuing a trend that started three years ago. From a report: This year, the FTC has received 1.1 million reports regarding robocalls, down from 1.2 million one year before 2023 and from more than 3.4 million in 2021. According to this year's National Do Not Call Registry Data Book -- which provides the most recent data on robocall complaints together with a complete state-by-state analysis -- the highest number of consumer complaints targeted unwanted calls about medical and prescription issues, with more than 170,000 reports (most of them robocalls) received until September 30, 2024.
Google

Google Rolls Out Call Screening AI To Thwart Phone Fraudsters (googleblog.com) 37

Google is rolling out AI-powered scam call detection for Android phones, aiming to protect users from increasingly sophisticated phone fraud schemes. The new feature, available in beta for Pixel 6 and newer devices, analyzes conversation patterns in real-time to identify potential scams. When suspicious patterns emerge, such as urgently requesting fund transfers, the system alerts users through audio, haptic, and visual warnings.

The detection system operates entirely on-device using Google's machine learning models, with no call audio or transcripts stored or transmitted externally. While Pixel 9 devices utilize Google's advanced Gemini Nano AI model, earlier Pixel phones use the standard machine learning for detection, the company said. The feature, which is opt-in and can be disabled at any time, is currently limited to English-speaking Phone by Google beta users in the United States. Google plans to expand availability to additional Android devices in the future.
