Cybersecurity is the rickety scaffolding supporting everything you do online. For every new feature or app, there are a thousand different ways it can break – and a hundred of those can be exploited by criminals for data breaches, identity theft, or outright cyber heists. Staying ahead of those exploits is a full-time job, and one of the most lucrative and sought-after skills in the tech industry. All too often, it’s something up-and-coming companies decide to skip out on, only to pay the price later on.
Described as an “Energy Star label for the IoT,” this will put the logo revealed last year on participating products that meet certain standards for security, along with a QR code customers can scan to find the latest info about how updates work, or how long the support window will be.
After voting in favor of rules and a framework to move forward, the FCC is now asking for some input:
The Commission is also seeking public comment on additional potential disclosure requirements, including whether software or firmware for a product is developed or deployed by a company located in a country that presents national security concerns and whether customer data collected by the product will be sent to servers located in such a country.
Instead of having to go into a separate authentication app to get your 2FA code and then manually type it in, Auto-Type via Quick Access now copies the code to the clipboard for you.
Other experimental features in 1Password include setting default payment details, Touch ID browser integration for Mac, a unified password vault, and a new home tab that will show PIN numbers and other account log-in details based on your location or nearby items.
You can access some of these new features via the Labs tab, while others are available to everyone.
41 attorneys general sent a letter to Meta’s chief legal officer Tuesday demanding the company invest more in stopping scam account takeovers that threaten users’ privacy and “drain” AG resources.
The problem has gotten significantly worse over the past few years, the AGs said. In New York, Meta account takeover complaints spiked from 73 in 2019 to 783 by the end of 2023.
To use the feature, your device needs Android 14 or higher, the latest version of 1Password, and an app that supports passkeys.
But even though 1Password added passkey support for Windows and macOS desktop browsers and iOS devices last year, Google does not yet have an API that supports 1Password passkeys on Chrome for Android. No word on when that will be available to Android users.
[1Password Blog]
The Edge 122.0.2365.63 browser update Microsoft released yesterday is causing a stir. Users encountered “This page is having a problem” or other errors, BleepingComputer is reporting.
Reddit users soon discovered the bug impacted browsers with “Enhanced Web Protection” turned on. Some fixed it by turning the setting off — or switching Edge profiles. Everyone else will have to wait for Microsoft to release a fix, it seems.
The Washington Post describes how law enforcers have gotten companies like Google to hand over data associated with push notifications. Investigators use the code to track down child predators, even through encrypted apps, per the Post, but law enforcement around the world could use the tactic to track down activists and others too.
It also sheds light on why Apple might have chosen to update its law enforcement guidelines late last year to require a court order to provide customers’ push notification data.
[The Washington Post]
Proton’s end-to-end encrypted password manager launched last year — but only on the web, Android, and iOS. This new Windows app lets you access your passwords offline (as long as you have a Proton Pass Plus or Unlimited subscription). It also keeps passwords protected with the Argon2 hashing algorithm.
Proton is planning to launch its password manager on macOS and Linux later this year.
US and UK law enforcement disrupted LockBit last week, allowing them to seize the ransomware group’s websites and servers. Despite this effort, LockBit came back online with a new site for data leaks just days later.
But now, Bleeping Computer reports the group is carrying out new attacks with “updated encryptors with ransom notes linking to new servers.” The new servers are only accessible to the victims of LockBit’s latest attacks, Bleeping Computer reports.
[BleepingComputer]
The platform started rolling out passkey support on its iOS app last month, but now it’s available to all iPhone users in the US. That means you can use Face ID, Touch ID, or your device’s passcode to log in to your account instead of entering a password. You can learn how to enable passkeys on X from this support page.
It’s been four days since the FBI announced it had disrupted the group, and now, cybersecurity researcher Kevin Beaumont reports that LockBit seems to have surfaced with claims that it has struck back at the US intelligence agency. Malware tracker vx-underground says the group now has new TOR domains.
The US State Department has offered a $15 million reward for information that results in arrests of LockBit attackers.
Cybersecurity blogger Brian Krebs reshared this post showing Kivimäki has been arrested in Helsinki after disappearing when a Finnish appeals court overturned his release from prison.
Kivimäki was initially arrested in France last year for allegedly hacking the Vastaamo online therapy center and leaking patient info online.
PyRIT, or Python Risk Identification Toolkit, can point human evaluators to “hot spot” categories in AI that might generate harmful prompt results.
Microsoft used PyRIT while red teaming its Copilot services (the process of intentionally trying to get AI systems to go against safety protocols) to write thousands of malicious prompts and score the responses based on potential harm, in categories that security teams can now focus on.
After AT&T wireless service went out for many customers and even first responders across the US Thursday morning, one of the concerns was that the problem, and AT&T’s long delay before making a public statement about it, indicated a possible security breach.
However, according to this tweet, the company thinks it has identified the cause, described as “the application & execution of an incorrect process used as we were expanding our network.”
Tim Burke faces 14 federal charges in connection to an alleged hack on Fox News, which leaked unreleased portions of a Tucker Carlson interview where West went on an antisemitic rant. The indictment claims Burke and a co-conspirator used “compromised credentials” to “access and save protected commercial broadcast video streams,” according to the Tampa Bay Times.
Following an FBI raid on Burke’s home last year, his lawyers argued he accessed the video feed with no username or password required. “It’s not hacking, it’s just good investigative journalism,” Michael Maddux, Burke’s lawyer, told the Tampa Bay Times on Thursday.
[Tampa Bay Times]
ABC News reports the FBI, the Department of Homeland Security (DHS), and other federal agencies are “urgently investigating” the nationwide outage to determine if it really was a cyberattack, or a not-so-nefarious technical mishap.
Reuters also has notes from White House spokesperson John Kirby’s comments to reporters:
When asked if government communication was disrupted by AT&T outages, Kirby said: “There was some impact to Commerce (Department) but I don’t know the extent of that, I don’t think it was crippling.” He added that the FirstNet nationwide public safety network was hit but had been fully restored.
U.S. officials have been told that AT&T had no reason to think this was a cybersecurity incident, Kirby said.
Here’s how The Washington Post describes the trove of documents deemed authentic by cybersecurity experts:
The cache — containing more than 570 files, images and chat logs — offers an unprecedented look inside the operations of one of the firms that Chinese government agencies hire for on-demand, mass data-collecting operations.
Worth a read in full to understand what Google, Microsoft, and Apple are up against as state-sponsored hackers seize upon vulnerabilities to grow their businesses.
[The Washington Post]
Passkey support is now available for Sony PlayStation accounts. Users can activate the feature in the security section of their Account Management settings on a PS5, PS4, computer, or mobile device.
PlayStation isn’t the first console to embrace the post-password future. Nintendo added support for passkeys last fall, enabling users to access their accounts with authentication methods such as iOS Face ID or the Android fingerprint sensor.
Update, Wednesday, February 21st, 2024, 5:02PM ET: Updated to include new tweet from the Ask PlayStation Twitter account.
The Department of State is offering up to $15 million in rewards for information that leads to the arrest or conviction of anyone who’s been involved in the ransomware attacks with LockBit.
The announcement comes one day after law enforcement agencies said they’d disrupted the group and gotten the keys to decrypt hacked data.