The developers behind the open source MongoDB, and its commercial service counterpart MongoDB Atlas, have been busy making the document database easier to use for developers. From a report: Available in preview, Queryable Encryption provides the ability to query encrypted data, and with the entire query transaction be encrypted -- an industry first according to MongoDB. This feature will be of interest to organizations with a lot of sensitive data, such as banks, health care institutions and the government. This eliminates the need for developers to be experts in encryption, Davidson said. This end-to-end client-side encryption uses novel encrypted index data structures, the data being searched remains encrypted at all times on the database server, including in memory and in the CPU. The keys never leave the application and the company maintains that the query speed nor overall application performance are impacted by the new feature.

MongoDB is also now supporting time series data, which are important for monitoring physical systems, quick-moving financial data, or other temporally-oriented datasets. In MongoDB 6.0, time-series collections can have secondary indexes on measurements, and the database system has been optimized to sort time-based data more quickly. Although there are a number of databases specifically geared towards time-series data specifically, such as InfluxDB, many organizations may not want to stand-up an entire database system for this specific use, a separate system costing more in terms of support and expertise, Davidson argued. Another feature is Cluster-to-Cluster Synchronization, which provides the continuous data synchronization of MongoDB clusters across environments. It works with Atlas, in private cloud, on-premises, or on the edge. This sets the stage for using data in multiple places for testing, analytics, and backup.

Apple demonstrated "passkeys" at WWDC 2022, a new biometric sign-in standard that could finally kill off the password for good. TechCrunch reports: Passkeys are based on the Web Authentication API (WebAuthn), a standard that uses public-key cryptography instead of passwords for authenticating users to websites and applications, and are stored on-device rather than on a web server. The digital password replacement uses Touch ID or Face ID for biometric verification, which means that rather than having to input a long string of characters, an app or website you're logging into will push a request to your phone for authentication.

During its WWDC demo of the password-free technology, Apple showed how passkeys are backed up within the iCloud Keychain and can be synced across Mac, iPhone, iPad and Apple TV with end-to-end encryption. Users will also be able to sign in to websites and apps on non-Apple devices using an iPhone or iPad to scan a QR code and Touch ID or Face ID to authenticate. "Because it's just a single tap to sign in, it's simultaneously easier, faster and more secure than almost all common forms of authentication today," said Garrett Davidson, an Apple engineer on the Authentication Experience team.

Several readers have shared the following report: Messaging apps that offer end-to-end encryption can claim that they're protecting their users by saying that they've thrown away the key -- metaphorical and literal -- and can't undo what's been scrambled in transmission. Telegram, however, claims it protects every user whether they use E2EE or not, saying that government data requests have to pass an especially high muster before they would comply and that they have never acceded to such request. Not so, a report claims. Der Spiegel reports from sources that Telegram has fulfilled a number data requests from Germany's Federal Criminal Police Office involving terror and child abuse suspects. Still more data requests for other criminal cases have been more or less ignored. [...] The German government has been pressuring Dubai-based Telegram to cooperate with its investigations into right-wing extremist groups who have been using the messaging platform to spread their cause and coordinate action. Telegram has ramped up its own enforcement actions recently, but its user and group bans have been as comprehensive as lawmakers have been looking for.

Google has halted businesses from using RCS for promotion in India, the company's biggest market by users, following reports of rampant spam by some firms in a setback for the standard that the company is hoping to help become the future of SMS messaging. From a report: Rich Communication Services, or RCS, is the collective effort of a number of industry players to supercharge the traditional SMS with modern features such as richer texts and end-to-end encryption. Google, Samsung and a number of other firms including telecom operators have rolled out support for RCS to hundreds of millions of users worldwide in recent years. Google said last month that RCS messaging in the Messages app for Android had amassed over 500 million monthly active users. The problem, however, is that scores of businesses in India including top banks and other lending firms have been abusing the feature to send unsolicited promotional materials to any individual's phone number they can find in the country.

On Monday night, some Spotify users went to download their favorite podcasts and were met with an error. By Tuesday morning, the issue was resolved. What was the source of the massive disruption impacting some of the platform's biggest producers? An expired security certificate. From a report: The SSL security certificate is what keeps a website secure by enabling encryption, giving it the "s" in HTTPS. For Megaphone, the podcast advertising and publishing platform Spotify acquired in 2020, the certificate expired Monday evening. Shortly thereafter, publishers and listeners for Megaphone-hosted podcasts experienced service disruptions. "Megaphone experienced a platform outage due to an issue related to our SSL certificate," a Spotify spokesperson told NPR. "During the outage, clients were unable to access the Megaphone CMS and podcast listeners were unable to download podcast episodes from Megaphone-hosted publishers. Megaphone service has since been restored." The entire outage lasted for about nine hours, with Megaphone publishing real-time updates of the issue. Some podcast publishers took to Twitter to express their frustration business implications of the outage, according to Verge.

"Researchers at Trend Micro have discovered some new Linux-based ransomware that's being used to attack VMware ESXi servers," reports CSO Online. (They describe the ESXi servers as "a bare-metal hypervisor for creating and running several virtual machines that share the same hard drive storage.") Called Cheerscrypt, the bad app is following in the footsteps of other ransomware programs — such as LockBit, Hive and RansomEXX — that have found ESXi an efficient way to infect many computers at once with malicious payloads.

Roger Grimes, a defense evangelist with security awareness training provider KnowBe4, explains that most of the world's organizations operate using VMware virtual machines. "It makes the job of ransomware attackers far easier because they can encrypt one server — the VMware server — and then encrypt every guest VM it contains. One compromise and encryption command can easily encrypt dozens to hundreds of other virtually run computers all at once."

"Most VM shops use some sort of VM backup product to back up all guest servers, so finding and deleting or corrupting one backup repository kills the backup image for all the hosted guest servers all at once," Grimes adds....

The gang behind Cheerscrypt uses a "double extortion" technique to extract money from its targets, the researchers explain. "Security Alert!!!" the attackers' ransom message declares. "We hacked your company successfully. All files have been stolen and encrypted by us. If you want to restore your files or avoid file leaks, please contact us."

Swiss-based encrypted email provider ProtonMail today announced a restructuring of its privacy-first services, bringing them under a new unifying brand name: Proton. "Today, we are undertaking our biggest step forward in the movement for an internet that respects your privacy. The new, updated Proton offers one account, many services, and one privacy-by-default ecosystem. You can now enjoy unified protection with a modernized look and feel. Evolving into a unified Proton reflects our growth from an end-to-end encrypted email provider to an entire privacy ecosystem, allowing us to deliver even more benefits to the Proton community and make privacy accessible to everyone," the company said. MacRumors adds: Previously, users could only subscribe to each service the company offered individually. Going forward, the new Proton offers one account to access all the services offered in the company's privacy-by-default ecosystem, including Proton Mail, Proton VPN, Proton Calendar, and Proton Drive, all of which can be accessed from proton.me. All Proton services remain available as a free tier, with more advanced features and more storage available via paid plans. The free Proton tier includes up to 1GB of storage and one Proton email address, as well as access to Proton's encrypted Calendar and VPN services. Further reading: Proton Is Trying to Become Google -- Without Your Data.

"In the last six months, we observed a 254% increase in activity from a Linux trojan called XorDdos," writes the Microsoft 365 Defender Research Team. It's a trojan combining denial-of-service functionality with XOR-based encryption for communication.

Microsoft calls it part of "the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things devices." And ZDNet describes the trojan "one of the most active Linux-based malware families of 2021, according to Crowdstrike." XorDdos conducts automated password-guessing attacks across thousands of Linux servers to find matching admin credentials used on Secure Shell (SSH) servers... Once credentials are gained, the botnet uses root privileges to install itself on a Linux device and uses XOR-based encryption to communicate with the attacker's command and control infrastructure.

While DDoS attacks are a serious threat to system availability and are growing in size each year, Microsoft is worried about other capabilities of these botnets. "We found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner," Microsoft notes... Microsoft didn't see XorDdos directly installing and distributing the Tsunami backdoor, but its researchers think XorDdos is used as a vector for follow-on malicious activities...

XorDdoS can perform multiple DDoS attack techniques, including SYN flood attacks, DNS attacks, and ACK flood attacks.
Microsoft's team warns that the trojan's evasion capabilities "include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis.

"We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions."

iFixit CEO Kyle Wiens sat down with Ars Technica to discuss the fight for the right to repair. Here's an excerpt from their report: Tech repairs got complicated in 1998 when Congress passed the Digital Millennium Copyright Act [PDF]. Section 1201 of the copyright law essentially made it illegal to distribute tools for, or to break encryption on, manufactured products. Created with DVD piracy in mind, it made fixing things like computers and tractors significantly harder, if not illegal, without manufacturer permission. It also represented "a total sea change from what historic property rights have been," Wiens said. This makes Washington, DC, the primary battleground for the fight for the right to repair. "Because this law was passed at the federal level, the states can't preempt. Congress at the federal level reset copyright policy. This fix has to happen at the US federal level," Wiens told Ars Technica during the Road to Frontiers talk.

The good news is that every three years, the US Copyright Office holds hearings to discuss potential exemptions. Right to repair advocates are hoping Congress will schedule this year's hearing soon. Wiens also highlighted the passing of the Freedom to Repair Act [PDF] introduced earlier this year as critical for addressing Section 1201 and creating a permanent exemption for repairing tech products.

Apple's self-service repair program launched last month marked a huge step forward for the right to repair initiated by a company that has shown long-standing resistance. Wiens applauded the program, which provides repair manuals for the iPhone 12, 13, and newest SE and will eventually extend to computers. He emphasized how hard it is for iFixit to reverse-engineer such products to determine important repair details, like whether a specific screw is 1 or 1.1 mm. [...]

Wiens envisioned a world where gadgets not only last longer but where you may also build relationships with local businesses to keep your products functioning. He lamented the loss of businesses like local camera and TV repair shops extinguished by vendors no longer supplying parts and tools. [...] He also discussed the idea of giving gadgets second and even third lives: An aged smartphone could become a baby monitor or a smart thermostat. "I think we should be talking about lifespans of smartphones in terms of 20, 25 years," Wiens said. The livestream of the discussion can be viewed here.

Hong Kong is planning a ban on the Telegram messaging service, which is widely used by pro-democracy activists. International Business Times reports: Local media reported that the ban on Telegram was being considered as a means to crack down on rampant doxing, under which pro-democracy campaigners are exposing online sensitive personal data of government officials and citizens. Hong Kong's privacy commissioner for personal data might decide in favor of blocking or restricting access to Telegram in the first such move, the Sing Tao Daily reported, according to Bloomberg. The execution of such a ban would mean that the former British colony has taken a step closer to China-style smothering of personal and civil liberties.

The US is readying new encryption standards that will be so ironclad that even the nation's top code-cracking agency says it won't be able to bypass them. From a report: The National Security Agency has been involved in parts of the process but insists it has no way of bypassing the new standards. "There are no backdoors," said Rob Joyce, the NSA's director of cybersecurity at the National Security Agency, in an interview. A backdoor enables someone to exploit a deliberate, hidden flaw to break encryption. An encryption algorithm developed by the NSA was dropped as a federal standard in 2014 amid concerns that it contained a backdoor. The new standards are intended to withstand quantum computing, a developing technology that is expected to be able to solve math problems that today's computers can't. But it's also one that the White House fears could allow the encrypted data that girds the U.S. economy -- and national security secrets -- to be hacked.

Google is expanding end-to-end encryption (E2EE) to include group texts in the Messages app. The feature will be available as an open beta later this year. Engadget reports: Google hasn't revealed more details about E2EE in group chats, but it will surely be similar to how the option works in one-on-one conversations. Everyone in the group will need to have RCS chat functions switched on to use the feature. You'll be able to tell if a message you're about to share with the group is encrypted if there's a lock icon on the send button. The Messages app now has more than 500 million monthly active users with RCS. So, there's already a large number of people who'd be able to take advantage of E2EE in group chats.

The European Commission has proposed controversial new regulation that would require chat apps like WhatsApp and Facebook Messenger to selectively scan users' private messages for child sexual abuse material (CSAM) and "grooming" behavior. The proposal is similar to plans mooted by Apple last year but, say critics, much more invasive. From a report: After a draft of the regulation leaked earlier this week, privacy experts condemned it in the strongest terms. "This document is the most terrifying thing I've ever seen," tweeted cryptography professor Matthew Green. "It describes the most sophisticated mass surveillance machinery ever deployed outside of China and the USSR. Not an exaggeration." Jan Penfrat of digital advocacy group European Digital Rights (EDRi) echoed the concern, saying, "This looks like a shameful general #surveillance law entirely unfitting for any free democracy." (A comparison of the PDFs shows differences between the leaked draft and final proposal are cosmetic only.) The regulation would establish a number of new obligations for "online service providers" -- a broad category that includes app stores, hosting companies, and any provider of "interpersonal communications service."

An anonymous reader quotes a report from Ars Technica: Researchers are marveling at the scope and magnitude of a vulnerability that hackers are actively exploiting to take full control of network devices that run on some of the world's biggest and most sensitive networks. The vulnerability, which carries a 9.8 severity rating out of a possible 10, affects F5's BIG-IP, a line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing into and out of networks. There are more than 16,000 instances of the gear discoverable online, and F5 says it's used by 48 of the Fortune 50. Given BIG-IP's proximity to network edges and their functions as devices that manage traffic for web servers, they often are in a position to see decrypted contents of HTTPS-protected traffic.

Last week, F5 disclosed and patched a BIG-IP vulnerability that hackers can exploit to execute commands that run with root system privileges. The threat stems from a faulty authentication implementation of the iControl REST, a set of web-based programming interfaces for configuring and managing (PDF) BIG-IP devices. "This issue allows attackers with access to the management interface to basically pretend to be an administrator due to a flaw in how the authentication is implemented," Aaron Portnoy, the director of research and development at security firm Randori, said in a direct message. "Once you are an admin, you can interact with all the endpoints the application provides, including execute code."

Images floating around Twitter in the past 24 hours show how hackers can use the exploit to access an F5 application endpoint named bash. Its function is to provide an interface for running user-supplied input as a bash command with root privileges. While many images show exploit code supplying a password to make commands run, exploits also work when no password is supplied. [...] Elsewhere on Twitter, researchers shared exploit code and reported seeing in-the-wild exploits that dropped backdoor webshells that threat actors could use to maintain control over hacked BIG-IP devices even after they're patched. BIG-IP users can check exploitability via a one-line bash script that can be found here.

This week the Washington Post described Russia as "struggling under an unprecedented hacking wave" — with one survey finding Russia is now the world's leader for leaked sensitive data (such as passwords and email addresses). "Federation government: your lack of honor and blatant war crimes have earned you a special prize..." read a message left behind on one of the breached networks...

Documents were stolen from Russia's media regulator and 20 years of email from one of Russia's government-owned TV/radio broadcasting companies. Ukraine's government is even suggesting targets through its "IT Army" channel on telegram, and has apparently distributed the names of hundreds of Russia's own FSB security agents. And meanwhile, the Post adds, "Ordinary criminals with no ideological stake in the conflict have also gotten in on the act, taking advantage of preoccupied security teams to grab money as the aura of invincibility falls, researchers said." Soon after the invasion, one of the most ferocious ransomware gangs, Conti, declared that it would rally to protect Russian interests in cyberspace. The pledge backfired in a spectacular fashion, since like many Russian-speaking crime groups it had affiliates in Ukraine. One of them then posted more than 100,000 internal gang chats, and later the source code for its core program, making it easier for security software to detect and block attacks.

Network Battalion 65 [a small hacktivist group formed as the war began looking inevitable] went further. It modified the leaked version of the Conti code to evade the new detections, improved the encryption and then used it to lock up files inside government-connected Russian companies. "We decided it would be best to give Russia a taste of its own medicine. Conti caused (and still causes) a lot of heartache and pain for companies all around the world," the group said. "As soon as Russia ends this stupidity in Ukraine, we will stop our attacks completely."

In the meantime, Network Battalion 65 has asked for ransomware payments even as it has shamed victims on Twitter for having poor security. The group said it hasn't gotten any money yet but would donate anything it collects to Ukraine.
Ars Technica quotes a cybersecurity researcher who now says "there are tens of terabytes of data that's just falling out of the sky."

Thanks to long-time Slashdot reader SpzToid for sharing the article!

"Twitter DMs should have end to end encryption like Signal," Elon Musk tweeted Wednesday to his 89 million followers, "so no one can spy on or hack your messages."

And on Monday, Musk also announced hopes to "authenticate all humans."

But now Security Week is wondering if Musk's acquisition of Twitter will ultimately mean not just better security at Twitter but also innovation for the entire cybersecurity industry: Twitter has struggled with consistent security leadership, hiring and firing multiple CISOs even as nation-state adversaries target Twitter's massive user base with computer-generated disinformation campaigns...."Even if you don't like the guy, you have to root for Twitter to beat the bots," said one prominent CISO interviewed by SecurityWeek on Tuesday. "I think we will all benefit from any security features they [Twitter] can create."

Jamie Moles, a senior technical manager at ExtraHop, said the bot-elimination mission could have spinoff benefits for the entire industry. "While this seems like a Sisyphean task, if he's successful, the methods used by Twitter to eliminate bots from the platform may generate new techniques that improve the detection and identification of spam emails, spam posts, and other malicious intrusion attempts," Moles said. If Musk and his team can train AI to be more effective in combating this, it may well be a boon to security practitioners everywhere," Moles added.

"Identity is one area I expect to see movement. In addition to just detecting bots and spam better, I think we will see Twitter do a better job around verifying humans. There are a lot of things to fix there," said one CISO who requested anonymity because his company does security-related business with Twitter. Industry watchers also expect to see the company improve the multi-factor authentication (MFA) adoption numbers among its massive user base....

If Twitter can build a reliably secure platform with a new approach to distinguishing between human and bot traffic and fresh flavors of MFA and encryption, this could be a big win for the entire industry and users around the world.
Thanks to Slashdot reader wiredmikey for sharing the story

An anonymous reader quotes a report from XDA Developers: Microsoft is testing a VPN-like service for its Edge browser, adding a new layer of security and privacy to the browsing experience. A recently-discovered support page on Microsoft's website details the "Microsoft Edge Secure Network" feature, which provides data encryption and prevents online tracking, courtesy of Cloudflare. While it isn't available yet, even if you have the latest Dev channel build, the Microsoft Edge Secure Network feature appears to be similar in nature to Cloudflare's 1.1.1.1 service. This is essentially a proxy or VPN service, which encrypts your browsing data so that it's safe from prying eyes, including your ISP. It also keeps your location private, so you can use it to access geo-restricted websites, or content that's blocked in your country.

Microsoft Edge's Secure Network mode will require you to be signed into your Microsoft account, and that's because the browser keeps track of how much data you've used in this mode. You get 1GB of free data per month, and that's tied to your Microsoft account. Most VPN services aren't free, so this shouldn't come as a surprise. Cloudflare itself doesn't keep any personally-identifiable user data, and any data related to browsing sessions is deleted every 25 hours. Information related to your data usage is also deleted at the end of each monthly period.

A group of 18 House Republicans is asking Twitter's board to preserve all records related to Elon Musk's offer to buy the company, setting up a potential congressional probe should the party win back the majority this fall. CNBC: In letters shared exclusively with CNBC, Republicans on the House Judiciary Committee asked Twitter Board Chairman Bret Taylor and other members of the board to preserve any messages from official or personal accounts, including through encryption software, that relate to Twitter's consideration of Musk's offer.

"As Congress continues to examine Big Tech and how to best protect Americans' free speech rights, this letter serves as a formal request that you preserve all records and materials relating to Musk's offer to purchase Twitter, including Twitter's consideration and response to this offer, and Twitter's evaluation of its shareholder interests with respect to Musk's offer," said the letter, led by Ranking Member Jim Jordan, R-Ohio.

"You should construe this preservation notice as an instruction to take all reasonable steps to prevent the destruction or alteration, whether intentionally or negligently, of all documents, communications, and other information, including electronic information and metadata, that is or may be potentially responsive to this congressional inquiry," the letter continued. The request signals that should Republicans take back the majority in the House in the 2022 midterm elections, they may launch an investigation into Twitter, especially if the company declines to take the offer from Musk.

Researchers in Beijing have set a new quantum secure direct communication (QSDC) world record of 102.2 km (64 miles), smashing the previous mark of 18 km (11 miles), The Eurasian Times reported. Engadget reports: Transmission speeds were extremely slow at 0.54 bits per second, but still good enough for text message and phone call encryption over a distance of 30 km (19 miles), wrote research lead Long Guilu in Nature. The work could eventually lead to hack-proof communication, as any eavesdropping attempt on a quantum line can be instantly detected. QSDC uses the principal of entanglement to secure networks. Quantum physics dictates that entangled particles are linked, so that if you change the property of one by measuring it, the other will instantly change, too -- effectively making hacking impossible. In theory, the particles stay linked even if they're light-years apart, so such systems should work over great distances.

The same research team set the previous fiber record, and devised a "novel design of physical system with a new protocol" to achieve the longer distance. They simplified it by eliminating the "complicated active compensation subsystem" used in the previous model. "This enables an ultra-low quantum bit error rate (QBER) and the long-term stability against environmental noises." As a result, the system can withstand much more so-called channel loss that makes it impossible to decode encrypted messages. That in turn allowed them to extend the fiber from 28.3km to the record 102.2 km distance. "The experiment shows that intercity quantum secure direct communication through the fiber is feasible with present-day technology," the team wrote in Nature.

Arqit says its encryption system can't be broken by quantum computers, but former employees and people outside the company question the relevance of its technology. The Wall Street Journal: A U.K. cybersecurity startup rocketed to a multibillion-dollar valuation when it listed publicly last fall on the promise of making encryption technology that would protect the defense industry, corporations and consumers alike from the prying eyes of next-generation computer systems. Founder and Chief Executive David Williams told investors at the time that his company, Arqit Quantum had an "impressive backlog" of revenue and was ready "for hyperscale growth." But Arqit has given investors an overly optimistic view of its future revenue and the readiness and workability of its signature encryption system, according to former employees and other people familiar with the company, and documents viewed by The Wall Street Journal.

While the company says it has a solution to a quantum-computing security challenge that U.S. intelligence last year said "could be devastating to national security systems and the nation," government cybersecurity experts in the U.S. and the U.K. have cast doubt on the utility of Arqit's system. Arqit's stock price reached its highest level to date of $38.06 on Nov. 30 and has since fallen, to $15.06 on April 14, amid a broad pullback of young tech stocks. When the company secured its Nasdaq listing last autumn, its revenue consisted of a handful of government grants and small research contracts, and its signature product was an early-stage prototype unable to encrypt anything in practical use, according to the people. The encryption technology the company hinges on -- a system to protect against next-generation quantum computers -- might never apply beyond niche uses, numerous people inside and outside the company warned, unless there were a major overhaul of internet protocols. Arqit disputed that its encryption system was only a prototype at the company's market debut. "This was a live production software release and not a demonstration or trial," said a company representative. "It was being used by enterprise customers on that day and subsequently for testing and integration purposes, because they need to build Arqit's software into their products."