Lateo.net - RSS feeds galore (to add one: @ me)

Ars Technica (since the day before yesterday)

Nation-state hackers exploit Cisco firewall 0-days to backdoor government networks

By: Dan Goodin
Image: A stylized skull and crossbones made out of ones and zeroes. (credit: Getty Images)

Hackers backed by a powerful nation-state have been exploiting two zero-day vulnerabilities in Cisco firewalls in a five-month-long campaign that breaks into government networks around the world, researchers reported Wednesday.

The attacks against Cisco’s Adaptive Security Appliances firewalls are the latest in a rash of network compromises that target firewalls, VPNs, and network-perimeter devices, which are designed to provide a moated gate of sorts that keeps remote hackers out. Over the past 18 months, threat actors—mainly backed by the Chinese government—have turned this security paradigm on its head in attacks that exploit previously unknown vulnerabilities in security appliances from the likes of Ivanti, Atlassian, Citrix, and Progress. These devices are ideal targets because they sit at the edge of a network, provide a direct pipeline to its most sensitive resources, and interact with virtually all incoming communications.

Cisco ASA likely one of several targets

On Wednesday, it was Cisco’s turn to warn that its ASA products have received such treatment. Since November, a previously unknown actor tracked as UAT4356 by Cisco and STORM-1849 by Microsoft has been exploiting two zero-days in attacks that go on to install two pieces of never-before-seen malware, researchers with Cisco’s Talos security team said. Notable traits in the attacks include:


Roku forcing 2-factor authentication after 2 breaches of 600K accounts

Image: Roku logo on TV with remote in foreground. (credit: Getty Images)

Everyone with a Roku TV or streaming device will eventually be forced to enable two-factor authentication after the company disclosed two separate incidents in which roughly 600,000 customers had their accounts accessed through credential stuffing.

Credential stuffing is an attack in which usernames and passwords exposed in one leak are tried out against other accounts, typically using automated scripts. When people reuse usernames and passwords across services or make small, easily intuited changes between them, actors can gain access to accounts with even more identifying information and access.

In the case of the Roku attacks, that meant access to stored payment methods, which could then be used to buy streaming subscriptions and Roku hardware. Roku wrote on its blog, and in a mandated data breach report, that purchases occurred in "less than 400 cases" and that full credit card numbers and other "sensitive information" were not revealed.


“Highly capable” hackers root corporate networks by exploiting firewall 0-day

By: Dan Goodin
Image: The word ZERO-DAY is hidden amidst a screen filled with ones and zeroes. (credit: Getty Images)

Highly capable hackers are rooting multiple corporate networks by exploiting a maximum-severity zero-day vulnerability in a firewall product from Palo Alto Networks, researchers said Friday.

The vulnerability, which has been under active exploitation for at least two weeks now, allows hackers with no authentication to execute malicious code with root privileges, the highest possible level of system access, researchers said. The extent of the compromise, along with the ease of exploitation, has earned the CVE-2024-3400 vulnerability the maximum severity rating of 10.0. The ongoing attacks are the latest in a rash of attacks aimed at firewalls, VPNs, and file-transfer appliances, which are popular targets because of their wealth of vulnerabilities and direct pipeline into the most sensitive parts of a network.

“Highly capable” UTA0218 likely to be joined by others

The zero-day is present in PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls when they are configured to use both the GlobalProtect gateway and device telemetry. Palo Alto Networks has yet to patch the vulnerability but is urging affected customers to follow the workaround and mitigation guidance provided here. The advice includes enabling Threat ID 95187 for those with subscriptions to the company’s Threat Prevention service and ensuring vulnerability protection has been applied to their GlobalProtect interface. When that’s not possible, customers should temporarily disable telemetry until a patch is available.


Fake AI law firms are sending fake DMCA threats to generate fake SEO gains

Image: A person made of many parts, similar to the attorney who handles both severe criminal law and copyright takedowns for an Arizona law firm. (credit: Getty Images)

If you run a personal or hobby website, getting a copyright notice from a law firm about an image on your site can trigger some fast-acting panic. As someone who has paid to settle a news service-licensing issue before, I can empathize with anybody who wants to make this kind of thing go away.

Which is why a new kind of angle-on-an-angle scheme can seem both obvious to spot and likely effective. Ernie Smith, the prolific, ever-curious writer behind the newsletter Tedium, received a "DMCA Copyright Infringement Notice" in late March from "Commonwealth Legal," representing the "Intellectual Property division" of Tech4Gods.

The issue was with a photo of a keyfob from legitimate photo service Unsplash used in service of a post about a strange Uber ride Smith once took. As Smith detailed in a Mastodon thread, the purported firm needed him to "add a credit to our client immediately" through a link to Tech4Gods, and said it should be "addressed in the next five business days." Removing the image "does not conclude the matter," and should Smith not have taken action, the putative firm would have to "activate" its case, relying on DMCA 512(c) (which, in many readings, actually does grant relief should a website owner, unaware of infringing material, "act expeditiously to remove" said material). The email unhelpfully points to the main page of the Internet Archive so that Smith might review "past usage records."


Embracer Group lets go of Borderlands maker for $460M after three years

Image: Claptrap keeps finding himself in wild new places. Now he's heading from Sweden's Embracer Group to New York City's Take-Two Interactive. Okay, maybe not that wild. (credit: Gearbox Interactive)

Embracer Group has been backing away from its all-encompassing position in the games industry lately. The latest divestment is Gearbox Entertainment, the studio behind the Borderlands series it bought in early 2021 for a deal that could have been worth up to $1.37 billion to Gearbox had it stayed inside the Swedish conglomerate's grasp.

The buyer is Take-Two Interactive Software, which had previously partnered with Gearbox on publishing Borderlands and other titles. Take-Two will issue new shares of its common stock to pay $460 million for Gearbox, to be completed before the end of June this year. Embracer paid $363 million in cash and stock for Gearbox in 2021 but promised up to $1 billion more should the developer hit earnings goals over six years.

"Today’s announcement marks the result of the final structured divestment process and is an important step in transforming Embracer into the future with notably lower net debt and improved free cash flow," said Embracer CEO Lars Wingefors in a statement intended to start nobody's imagination running.


Users ditch Glassdoor, stunned by site adding real names without consent

Image credit: DigiPub | Moment

Glassdoor, where employees go to leave anonymous reviews of employers, has recently begun adding real names to user profiles without users' consent, a Glassdoor user named Monica was shocked to discover last week.

"Time to delete your Glassdoor account and data," Monica, a Midwest-based software professional, warned other Glassdoor users in a blog. (Ars will only refer to Monica by her first name so that she can speak freely about her experience using Glassdoor to review employers.)

Monica joined Glassdoor about 10 years ago, she said, leaving a few reviews for her employers, taking advantage of other employees' reviews when considering new opportunities, and hoping to help others survey their job options. This month, though, she abruptly deleted her account after she contacted Glassdoor support to request help removing information from her account. She never expected that instead of removing information, Glassdoor's support team would take the real name that she provided in her support email and add it to her Glassdoor profile—despite Monica repeatedly and explicitly not consenting to Glassdoor storing her real name.


Steam Next Fest: Eight game demos that stood out from the crowd

Image: Can you tell which of these seemingly identical bits of Steam iconography were generated using AI (trick question, it's none of them). (credit: Aurich Lawson)

Back in the days when E3 was still a thing, a relative handful of approved journalists and industry members had to pack themselves into the Los Angeles Convention Center once a year to awkwardly stand in front of demo stations to play some of the hottest upcoming games. Today, any PC gamer can easily sample similar early preview demos from the comfort of their own homes during Steam's periodic Next Fest events.

While we weren't able to try all of the literally hundreds of demos on offer during the most recent Steam Next Fest, we did have a great time trying out a few dozen offerings that caught our interest. Here's a selection of the demos that made the biggest impression on us over the last few days.

Backpack Battles

Developer: PlayWithFurcifer
Planned release date: March 8, 2024
Steam store page


Comcast reluctantly agrees to stop its misleading “10G Network” claims

Image: A Comcast router/modem gateway. (credit: Comcast)

Comcast has reluctantly agreed to discontinue its "Xfinity 10G Network" brand name after losing an appeal of a ruling that found the marketing term was misleading. It will keep using the term 10G in other ways, however.

Verizon and T-Mobile both challenged Comcast's advertising of 10G, a term used by cable companies since it was unveiled in January 2019 by industry lobby group NCTA-The Internet & Television Association. We wrote in 2019 that the cable industry's 10G marketing was likely to confuse consumers and seemed to be a way of countering 5G hype generated by wireless companies.

10G doesn't refer to the 10th generation of a technology. It is a reference to potential 10Gbps broadband connections, which would be much faster than the actual speeds on standard cable networks today.


In major gaffe, hacked Microsoft test account was assigned admin privileges

By: Dan Goodin

The hackers who recently broke into Microsoft’s network and monitored top executives’ email for two months did so by gaining access to an aging test account with administrative privileges, a major gaffe on the company's part, a researcher said.

The new detail was provided in vaguely worded language included in a post Microsoft published on Thursday. It expanded on a disclosure Microsoft published late last Friday. Russian state hackers, Microsoft said, used a technique known as password spraying to exploit a weak credential for logging in to a “legacy non-production test tenant account” that wasn’t protected by multifactor authentication. From there, they somehow acquired the ability to access email accounts that belonged to senior executives and employees working in security and legal teams.

A “pretty big config error”

In Thursday’s post updating customers on findings from its ongoing investigation, Microsoft provided more details on how the hackers achieved this monumental escalation of access. The hackers, part of a group Microsoft tracks as Midnight Blizzard, gained persistent access to the privileged email accounts by abusing the OAuth authorization protocol, which is used industry-wide to allow an array of apps to access resources on a network. After compromising the test tenant, Midnight Blizzard used it to create a malicious app and assign it rights to access every email address on Microsoft’s Office 365 email service.


Inventor of NTP protocol that keeps time on billions of devices dies at age 85

Image: A photo of David L. Mills taken by Raul654 on April 27, 2005. (credit: Raul654 / Benj Edwards / Getty Images)

On Thursday, Internet pioneer Vint Cerf announced that Dr. David L. Mills, the inventor of Network Time Protocol (NTP), died peacefully at age 85 on January 17, 2024. The announcement came in a post on the Internet Society mailing list after Cerf was informed of David's death by Mills' daughter, Leigh.

"He was such an iconic element of the early Internet," wrote Cerf.

Dr. Mills created the Network Time Protocol (NTP) in 1985 to address a crucial challenge in the online world: the synchronization of time across different computer systems and networks. In a digital environment where computers and servers are located all over the world, each with its own internal clock, there's a significant need for a standardized and accurate timekeeping system.


Xfinity waited to patch critical Citrix Bleed 0-day. Now it’s paying the price

By: Dan Goodin
Image: A parked Comcast service van with the
(credit: Getty Images | Smith Collection/Gado)

Comcast waited as many as nine days to patch its network against a high-severity vulnerability, a lapse that allowed hackers to make off with password data and other sensitive information belonging to 36 million Xfinity customers.

The breach, which was carried out by exploiting a vulnerability in network hardware sold by Citrix, gave hackers access to usernames and cryptographically hashed passwords for 35.9 million Xfinity customers, the cable TV and Internet provider said in a notification filed Monday with the Maine attorney general’s office. Citrix disclosed the vulnerability and issued a patch on October 10. Comcast didn't patch its network until October 16 at the earliest and October 19 at the latest, a lapse of six to nine days. On October 18, researchers reported that the vulnerability, tracked as CVE-2023-4966 and by the name Citrix Bleed, had been under active exploitation since August.

“However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability,” an accompanying notice stated. “We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.”


Hackers spent 2+ years looting secrets of chipmaker NXP before being detected

By: Dan Goodin
Image: A cartoon man runs across a white field of ones and zeroes. (credit: Getty Images)

A prolific espionage hacking group with ties to China spent over two years looting the corporate network of NXP, the Netherlands-based chipmaker whose silicon powers security-sensitive components found in smartphones, smartcards, and electric vehicles, a news outlet has reported.

The intrusion, by a group tracked under names including "Chimera" and "G0114," lasted from late 2017 to the beginning of 2020, according to Netherlands national news outlet NRC Handelsblad, which cited “several sources” familiar with the incident. During that time, the threat actors periodically accessed employee mailboxes and network drives in search of chip designs and other NXP intellectual property. The breach wasn’t uncovered until Chimera intruders were detected in a separate company network that connected to compromised NXP systems on several occasions. Details of the breach remained a closely guarded secret until now.

No material damage

NRC cited a report published (and later deleted) by security firm Fox-IT, titled Abusing Cloud Services to Fly Under the Radar. It documented Chimera using cloud services from companies including Microsoft and Dropbox to receive data stolen from the networks of semiconductor makers, including one in Europe that was hit in “early Q4 2017.” Some of the intrusions lasted as long as three years before coming to light. NRC said the unidentified victim was NXP.


Leap seconds could become leap minutes, despite pushback from Russians, Vatican

Image: Dr. Charles H. Townes, inventor of the maser, a key component of atomic clocks, illustrates the differences between it and a standard clock. (credit: Getty Images)

One of the leading thinkers on how humans track time has a big, if simple, proposal for dealing with leap seconds: Don't worry about them. Do leap minutes instead, maybe one every half-century or so.

"We all need to relax a little bit," said Judah Levine, leader of the Network Synchronization Project in the Time and Frequency Division at the National Institute of Standards and Technology (NIST), to The New York Times. Leap seconds—when coordinated, near-impeccable atomic time is halted for one second to synchronize with the Earth's comparatively erratic movements—are a big headache, especially to computer technology.

The International Bureau of Weights and Measures (IBWM) has already voted to eliminate leap seconds entirely by 2035, or at least how they are currently implemented. Levine plans to submit a paper outlining a "leap minute," timed to the next World Radiocommunications Conference held by the International Telecommunication Union (ITU). Starting November 20 in Dubai, United Arab Emirates, the world's radio and communications policymakers will debate various measures and standards. The Times suggests Levine's paper may be published after the conference, but awareness of it—including the Times story itself—should make it a point of contention.


IBM has made a new, highly efficient AI processor

Image: Image of a series of chips on a black background, with one chip labelled
(credit: IBM)

As the utility of AI systems has grown dramatically, so has their energy demand. Training new systems is extremely energy intensive, as it generally requires massive data sets and lots of processor time. Executing a trained system tends to be much less involved—smartphones can easily manage it in some cases. But, because you execute them so many times, that energy use also tends to add up.

Fortunately, there are lots of ideas on how to bring the latter energy use back down. IBM and Intel have experimented with processors designed to mimic the behavior of actual neurons. IBM has also tested executing neural network calculations in phase change memory to avoid making repeated trips to RAM.

Now, IBM is back with yet another approach, one that's a bit of "none of the above." The company's new NorthPole processor has taken some of the ideas behind all of these approaches and merged them with a very stripped-down approach to running calculations to create a highly power-efficient chip that can efficiently execute inference-based neural networks. For things like image classification or audio transcription, the chip can be up to 35 times more efficient than relying on a GPU.


RIP to my 8-port Unifi switch after years and years of Texas outdoor temps

Image: My original US-8-150W shortly before being replaced. Don't judge my zip-tie mounting job—it held for eight years! (credit: Lee Hutchinson)

This morning, I'd like to pour one out for a truly awesome piece of gear that did everything I asked of it without complaint and died before its time: my Unifi 8-port POE switch, model US-8-150W. Farewell, dear switch. You were a real one, and a lightning strike took you from us too soon.

I picked up this switch back in January 2016 when I was ramping up my quest to replace my shaky home Wi-Fi with something a little more enterprise-y. The results were, on the whole, positive (you can read about how that quest turned out in this piece right here, which contains much reflection on the consequences—good and bad—of going overboard on home networking), and this little 8-port switch proved to be a major enabler of the design I settled on.

Why? Well, it's a nice enough device—having 802.3af/at and Ubiquiti's 24-volt passive PoE option made it universally compatible with just about anything I wanted to hook up to it. But the key feature was the two SFP slots, which technically make this a 10-port switch. I have a detached garage, and I wanted to hook up some PoE-powered security cameras out there, along with an additional wireless access point. The simplest solution would have been to run Ethernet between the house and the garage, but that's not actually a simple solution at all—running Ethernet underground between two buildings can be electrically problematic unless it's done by professionals with professional tools, and I am definitely not a professional. A couple of estimates from local companies told me that trenching conduit between my house and the garage was going to cost several hundred dollars, which was more than I wanted to spend.


Hundreds of US schools hit by potentially organized swatting hoaxes, report says

Image: An FBI agent takes a photo of a memorial for victims of a mass shooting at Robb Elementary School on May 27, 2022, in Uvalde, Texas. Police were criticized for delaying for more than an hour confronting the shooter. Such criticism has led some police to respond more aggressively to hoax school shooting calls. (credit: Michael M. Santiago / Staff | Getty Images North America)

Within the past year, there have been approximately five times more school shooting hoaxes called in to police than actual school shootings reported in 2023.

Where data from Everytown showed "at least 103 incidents of gunfire on school grounds" in 2023, The Washington Post recently uncovered what seems to be a coordinated campaign of active shooter hoaxes causing "swattings"—where police respond with extreme force to fake crimes—at more than 500 schools nationwide over the past year. In just one day in February, "more than 30 schools were targeted," The Post reported.

Education safety experts and law enforcement officials told The Post that this "wave of school shooting hoaxes" is unprecedented. And Drew Evans, the superintendent of the Minnesota Bureau of Criminal Apprehension, warned that just because there's no shooter, that does not mean these schools aren't endangered by the hoaxes.


It seemed like a good idea at the time: 9 car designs that went nowhere

Image credit: Michael Reinhard | Getty Images

Ford Motor Company had a better idea, as it once advertised, producing such iconic cars as the Mustang, Bronco, Thunderbird, and Model T. But it also built the ill-fated Edsel. Ford wasn't alone, either; many inventors and engineers have produced cars that seemed like a good idea until they actually acted on it. Here are a few examples.

1899 Horsey Horseless

Kellogg's cereal wasn't the only product to emanate from Battle Creek, Michigan. The Horsey Horseless also came from there, although it's unknown whether this vehicle was ever actually built. Still, it was a solution to a common problem in the early days of motoring, when automobiles were still uncommon and scared horses. Uriah Smith thought that sticking a horse head on the front of a horseless carriage would prevent horses from getting upset upon seeing one.

"It would have all the appearance of a horse and carriage and hence raise no fears in any skittish animal," he wrote. "Before he could discover his error and see that he had been fooled, the strange carriage would be passed, and then it would be too late to grow frantic and fractious."

