Security

Hackers Can Jailbreak Digital License Plates To Make Others Pay Their Tolls, Tickets (wired.com) 72

Longtime Slashdot reader sinij shares a report from Wired with the caption: "This story will be an on-going payday for traffic ticket lawyers. I am ordering one now." From the report: Digital license plates, already legal to buy in a growing number of states and to drive with nationwide, offer a few perks over their sheet metal predecessors. You can change their display on the fly to frame your plate number with novelty messages, for instance, or to flag that your car has been stolen. Now one security researcher has shown how they can also be hacked to enable a less benign feature: changing a car's license plate number at will to avoid traffic tickets and tolls -- or even pin them on someone else.

Josep Rodriguez, a researcher at security firm IOActive, has revealed a technique to "jailbreak" digital license plates sold by Reviver, the leading vendor of those plates in the US with 65,000 plates already sold. By removing a sticker on the back of the plate and attaching a cable to its internal connectors, he's able to rewrite a Reviver plate's firmware in a matter of minutes. Then, with that custom firmware installed, the jailbroken license plate can receive commands via Bluetooth from a smartphone app to instantly change its display to show any characters or image. That susceptibility to jailbreaking, Rodriguez points out, could let drivers with the license plates evade any system that depends on license plate numbers for enforcement or surveillance, from tolls to speeding and parking tickets to automatic license plate readers that police use to track criminal suspects. "You can put whatever you want on the screen, which users are not supposed to be able to do," says Rodriguez. "Imagine you are going through a speed camera or if you are a criminal and you don't want to get caught."

Worse still, Rodriguez points out that a jailbroken license plate can be changed not just to an arbitrary number but also to the number of another vehicle -- whose driver would then receive the malicious user's tickets and toll bills. "If you can change the license plate number whenever you want, you can cause some real problems," Rodriguez says. All traffic-related mischief aside, Rodriguez notes that jailbreaking the plates could also allow drivers to use the plates' features without paying Reviver's $29.99 monthly subscription fee. Because the vulnerability that allowed him to rewrite the plates' firmware exists at the hardware level -- in Reviver's chips themselves -- Rodriguez says there's no way for Reviver to patch the issue with a mere software update. Instead, it would have to replace those chips in each display. That means the company's license plates are very likely to remain vulnerable despite Rodriguez's warning -- a fact, Rodriguez says, that transport policymakers and law enforcement should be aware of as digital license plates roll out across the country. "It's a big problem because now you have thousands of licensed plates with this issue, and you would need to change the hardware to fix it," he says.

Security

Tracker Firm Hapn Spilling Names of Thousands of GPS Tracking Customers (techcrunch.com) 14

An anonymous reader quotes a report from TechCrunch: GPS tracking firm Hapn is exposing the names of thousands of its customers due to a website bug, TechCrunch has learned. A security researcher alerted TechCrunch in late November to customer names and affiliations -- such as the name of their workplace -- spilling from one of Hapn's servers, which TechCrunch has seen.

Hapn, formerly known as Spytec, is a tracking company that allows users to remotely monitor the real-time location of internet-enabled tracking devices, which can be attached to vehicles or other equipment. The company also sells GPS trackers to consumers under its Spytec brand, which rely on the Hapn app for tracking. Spytec touts its GPS devices for tracking the locations of valuable possessions and "loved ones." According to its website, Hapn claims to track more than 460,000 devices and counts customers within the Fortune 500.

The bug allows anyone to log in with a Hapn account to view the exposed data using the developer tools in their web browser. The exposed data contains information on more than 8,600 GPS trackers, including the IMEI numbers for the SIM cards in each tracker, which uniquely identify each device. The exposed data does not include location data, but thousands of records contain the names and business affiliations of customers who own, or are tracked by, the GPS trackers.

Encryption

Australia Moves To Drop Some Cryptography By 2030 (theregister.com) 31

An anonymous reader shares a report: Australia's chief cyber security agency has decided local orgs should stop using the tech that forms the current cryptographic foundation of the internet by the year 2030 -- years before other nations plan to do so -- over fears that advances in quantum computing could render it insecure.

The Land Down Under's plans emerged last week when the Australian Signals Directorate (ASD) published guidance for High Assurance Cryptographic Equipment (HACE) -- devices that send and/or receive sensitive information -- that calls for disallowing the cryptographic algorithms SHA-256, RSA, ECDSA and ECDH, among others, by the end of this decade.

Bill Buchanan, professor in the School of Computing at Edinburgh Napier University, wrote a blog post in which he expressed shock that the ASD aims to move so quickly. "Basically, these four methods are used for virtually every web connection that we create, and where ECDH is used for the key exchange, ECDSA or RSA is used to authenticate the remote server, and SHA-256 is used for the integrity of the data sent," he wrote. "The removal of SHA-256 definitely goes against current recommendations."
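Buchanan's point is that the four algorithms are not abstract: every TLS connection an organisation makes can be decomposed into a key-exchange family, an authentication family and a hash family, and that decomposition is what a 2030 migration inventory needs. The script below does that decomposition from negotiated cipher-suite names. It is an added example, not ASD, Register or Buchanan code; the sample records are constructed, and the rules mapping OpenSSL/IANA suite names to algorithm families are this example's own assumptions. For TLS 1.3 the suite name no longer carries the key exchange or signature scheme, so those are passed in separately.

```python
"""Map negotiated TLS cipher suites to the primitive families behind them and
flag the ones the ASD guidance above wants gone by 2030: SHA-256, RSA, ECDSA
and ECDH. Added example (not ASD, Register or Buchanan code); the sample
records are constructed and the name-to-family rules are this example's own
assumptions about OpenSSL/IANA naming."""
import re
from collections import Counter
from dataclasses import dataclass

DISALLOWED_2030 = {"SHA-256", "RSA", "ECDSA", "ECDH"}   # per the report above
ECDH_GROUPS = {"x25519", "x448", "secp256r1", "secp384r1", "secp521r1",
               "p-256", "p-384", "p-521"}


@dataclass
class Negotiated:
    suite: str          # OpenSSL ("ECDHE-RSA-AES128-GCM-SHA256"), IANA or TLS 1.3 name
    group: str = ""     # TLS 1.3 only: key-exchange group, absent from the suite name
    sigalg: str = ""    # TLS 1.3 only: signature scheme, absent from the suite name


def _hash_family(token: str) -> str:
    m = re.fullmatch(r"SHA(\d*)", token.upper())
    if not m:
        return "UNKNOWN"        # e.g. OpenSSL ChaCha suites carry no hash suffix
    return "SHA-1" if m.group(1) == "" else f"SHA-{m.group(1)}"


def classify(n: Negotiated) -> dict:
    """Key exchange, authentication, transcript hash and (TLS 1.3) signature
    hash families for one negotiated connection."""
    s = n.suite.upper()
    sig_hash = ""
    if s.startswith("TLS_") and "_WITH_" not in s:
        # TLS 1.3 suites (TLS_AES_128_GCM_SHA256) name only the AEAD and hash;
        # key exchange and authentication come from the handshake parameters.
        g = n.group.lower()
        kx = "ECDH" if g in ECDH_GROUPS else "FFDH" if g.startswith("ffdhe") else "UNKNOWN"
        sig = n.sigalg.lower()
        auth = ("ECDSA" if sig.startswith("ecdsa") else "RSA" if sig.startswith("rsa")
                else "EdDSA" if sig.startswith("ed") else "UNKNOWN")
        tail = sig.rsplit("_", 1)[-1]
        if tail.startswith("sha"):
            sig_hash = _hash_family(tail)
    else:
        # TLS 1.2 and earlier spell out kx and auth in the name, in OpenSSL
        # form (ECDHE-RSA-AES128-GCM-SHA256) or IANA form
        # (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); normalise to dash-separated.
        t = s.replace("TLS_", "", 1).replace("_WITH_", "-").replace("_", "-").split("-")
        if t[0] in {"ECDHE", "ECDH"}:
            kx, auth = "ECDH", t[1]
        elif t[0] in {"DHE", "DH"}:
            kx, auth = "FFDH", t[1]
        elif t[0] == "RSA" or t[0].startswith(("AES", "CAMELLIA", "DES", "RC4", "SEED", "CHACHA")):
            kx = auth = "RSA"   # OpenSSL omits the "RSA-" prefix on static-RSA suites
        else:
            kx = auth = "UNKNOWN"
    transcript_hash = _hash_family(s.split("_")[-1].split("-")[-1])
    return {"kx": kx, "auth": auth, "hash": transcript_hash, "sig_hash": sig_hash}


def disallowed(n: Negotiated) -> set:
    """Which of the 2030-disallowed families this connection depends on."""
    return {v for v in classify(n).values() if v in DISALLOWED_2030}


def inventory(records) -> Counter:
    """Across many connections, how often each disallowed family appears."""
    c = Counter()
    for n in records:
        c.update(disallowed(n))
    return c


# Constructed sample, not captured data.
SAMPLE = [
    Negotiated("ECDHE-ECDSA-AES128-GCM-SHA256"),
    Negotiated("TLS_AES_256_GCM_SHA384", group="x25519", sigalg="rsa_pss_rsae_sha256"),
    Negotiated("TLS_AES_128_GCM_SHA256", group="ffdhe3072", sigalg="ed25519"),
    Negotiated("AES128-GCM-SHA256"),
]

if __name__ == "__main__":
    for n in SAMPLE:
        print(f"{n.suite:32} {classify(n)} -> {sorted(disallowed(n))}")
    print("totals:", dict(inventory(SAMPLE)))
```

Feed it the negotiated suites from a load balancer's access log or a passive capture and the totals show how much of the estate hits each disallowed family. The third sample record is the instructive one: even a connection using a finite-field group and Ed25519 still depends on SHA-256 through the TLS 1.3 transcript hash, which is why Buchanan singles out the SHA-256 entry as the hard part. The name-based heuristics are deliberately conservative; anything they cannot place comes back as UNKNOWN rather than being silently counted as clean.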

Security

Bluesky Has an Extortion Problem (tedium.co) 36

A cybersquatting scheme targeting prominent writers and entrepreneurs has exposed flaws in Bluesky's domain-based verification system, newsletter Tedium reports, citing users.

Bloomberg columnist Conor Sen reported receiving an extortion attempt this week when an anonymous user who had purchased his namesake domain demanded payment to transfer ownership. The episode has unraveled wider revelations of similar attacks targeting at least five other well-known users, including political blogger Matt Yglesias and The Hustle founder Sam Parr.

The platform's moderation team initially banned Parr's legitimate account while leaving the impersonator active, Sen told Tedium. The fake account was only removed after users escalated the issue to senior Bluesky staff.

AI

Microsoft Acquires Twice as Many Nvidia AI Chips as Tech Rivals (ft.com) 12

Microsoft bought twice as many of Nvidia's flagship chips as any of its largest rivals in the US and China this year, as OpenAI's biggest investor accelerated its investment in artificial intelligence infrastructure. From a report: Analysts at Omdia, a technology consultancy, estimate that Microsoft bought 485,000 of Nvidia's "Hopper" chips this year. That put Microsoft far ahead of Nvidia's next biggest US customer Meta, which bought 224,000 Hopper chips, as well as its cloud computing rivals Amazon and Google.

With demand outstripping supply of Nvidia's most advanced graphics processing units for much of the past two years, Microsoft's chip hoard has given it an edge in the race to build the next generation of AI systems. This year, Big Tech companies have spent tens of billions of dollars on data centres running Nvidia's latest chips, which have become the hottest commodity in Silicon Valley since the debut of ChatGPT two years ago kick-started an unprecedented surge of investment in AI.

China

Chinese Hacker Singlehandedly Responsible For Exploiting 81,000 Sophos Firewalls, DOJ Says (cybernews.com) 16

An anonymous reader shares a report: A Chinese hacker indicted earlier this month and the PRC-based cybersecurity company he worked for are both sanctioned by the US government for compromising "tens of thousands of firewalls" -- some protecting US critical infrastructure, putting human lives at risk.

In a series of coordinated actions, the US Treasury Department's Office of Foreign Assets Control (OFAC), the Department of Justice (DoJ), and the FBI said the massive cyber espionage campaign, which compromised at least 36 firewalls protecting US critical infrastructure, posed significant risks to national security.

A federal court in Indiana earlier this month unsealed an indictment charging 30-year-old Guan Tianfeng (Guan) with conspiracy to commit computer and wire fraud by hacking into firewall devices worldwide, including one "used by an agency of the United States." Guan, employed by the Chinese cybersecurity firm Sichuan Silence -- a known contractor for Beijing intelligence -- was alleged to have discovered a zero-day vulnerability in firewall products manufactured by UK cybersecurity firm Sophos.

Data Storage

Seagate's Breakthrough 32TB HAMR Hard Drives Are Finally Here (tomshardware.com) 79

Seagate has launched its first mass-produced hard drives using heat-assisted magnetic recording (HAMR) technology, introducing 32TB and 30TB models under the Exos M brand. The drives, based on Seagate's Mozaic 3+ platform, mark the company's commercial breakthrough in HAMR technology after 16 years of development. Compatible with existing systems, the 32TB model uses shingled magnetic recording, while the 30TB version employs conventional magnetic recording.

IT

Framework Unveils $39 Storage Expansion Module (theverge.com) 6

Framework has announced a $39 Dual M.2 Adapter for its Laptop 16, enabling users to add two additional M.2 slots to the laptop's expansion bay. The new component allows for up to 26TB of total storage when combined with the laptop's existing SSD slots, supporting various M.2 form factors with PCIe 4.0 connectivity.

The company also replaced the Laptop 16's liquid metal cooling system with Honeywell PTM7958 thermal paste to address performance concerns. Framework will provide the new thermal solution to existing customers upon request. The adapter marks Framework's first modular expansion component for the Laptop 16 since its launch, complementing the optional Radeon RX 7700S graphics card offering.

Privacy

Hackers Hit Rhode Island Benefits System In Major Cyberattack (apnews.com) 29

A cyberattack on Rhode Island's RIBridges system has exposed personal data of individuals involved in programs like Medicaid, SNAP, and others, with hackers demanding a ransom. The breach may include sensitive details like Social Security numbers and banking information. The Associated Press reports: Anyone who has been involved in Medicaid, the Supplemental Nutrition Assistance Program known as SNAP, Temporary Assistance for Needy Families, Childcare Assistance Program, Rhode Island Works, Long-term Services and Supports, the At HOME Cost Share Program and health insurance purchased through HealthSource RI may be impacted, McKee said Saturday.

The system known as RIBridges was taken offline on Friday, after the state was informed by its vendor, Deloitte, that there was a major security threat to the system. The vendor confirmed that "there is a high probability that a cybercriminal has obtained files with personally identifiable information from RIBridges," the state said. The state has contracted with Experian to run a toll-free hotline for Rhode Islanders to call to get information about the breach and how they can protect their data.

IT

To Log Into WordPress, You Now Have To Agree Pineapple on Pizza Is Good (404media.co) 119

WordPress co-founder and CEO of Automattic Matt Mullenweg is trolling contributors and users of the WordPress open-source project by requiring them to check a box that says "Pineapple is delicious on pizza." From a report: The change was spotted by WordPress contributors late Sunday, and is still up as of Monday morning. Trying to log in or create a new account without checking the box returns a "please try again" error.

Last week, as part of the ongoing legal battle between WP Engine and Automattic, the company that owns WordPress.com, a judge ordered Mullenweg to remove a controversial login checkbox from WordPress.org that required users to pledge that they were not affiliated with WP Engine before logging in.

IT

Study Finds Most Fulfilling Jobs: Self-Employment, Government Work, Managing, and Social Service (seattletimes.com) 83

"Envy the lumberjacks, for they perform the happiest, most meaningful work on earth," the Washington Post wrote almost two years ago, after analyzing more than 13,000 journals from the U.S. Bureau of Labor Statistics' time-use survey. (For the first time the surveys asked how workers felt during the day.) And outdoor forestry jobs "look awesome by that metric, dangerous as they often are in the long run," the Post wrote in a recent follow-up. [Alternate URL.]

But is that really the right metric? "Readers kept reminding us that there's more to a fulfilling job than how happy you are while doing it." What about those wanting jobs where they're meaningfully impacting the world? We didn't have a stellar way to measure other feelings about work, but we kept our eye on an often-overlooked federal data provider: AmeriCorps. The independent agency, which CEO Michael D. Smith described to us as "bite-sized" but "punching well above our weight," funds the Civic Engagement and Volunteering Supplement, part of the Census Bureau's Current Population Survey... In 2021 and again in 2023, the researchers behind the CEV asked if you agree or disagree with these four statements:

- I am proud to be working for my employer.
- My main satisfaction in life comes from work.
- My workplace contributes to the community.
- I contribute to the community through my work....

The workers most likely to say they're proud to be working for their employer and that they gain satisfaction from work are — surprise! — the self-employed. The self-employed who are incorporated — a group that often includes small-business owners — are almost twice as likely as private-sector, for-profit workers to strongly profess pride in their employer.

Government and nonprofit workers fall somewhere in the middle on those questions. But they rank at the very top on "My workplace contributes to the community" and "I contribute to the community through my work." Local government workers, who include teachers, take the top spot for strong agreement on both, followed by nonprofit workers. Private-sector, for-profit workers once again lag behind. The jobs that do worse on these measures tend to be in manufacturing or other blue-collar production and extraction jobs, or at the lower-paid end of the service sector. Folks in food services (e.g., bartenders and food prep), janitorial roles and landscaping, and personal services (e.g., barbershops, laundry and hotels) all struggle to find greater meaning in their work. Though some better-paid service jobs also struggle by some measures — think sales, engineering or software development.

On the questions regarding pride in your employer and life satisfaction, we see managers and our old friends in agriculture and forestry take the top spots. But right behind them — and actually in the lead in the other question — lurks the real standout, a set of jobs we'd classify as "care and social services." That includes, most notably, religious workers. Looking a bit deeper at about 100 occupations for which we have detailed data, we see clergy were most likely to strongly agree on every question.

Other observations from the article:
  • "As a rule, you feel better about your job as you get older. Presumably, it's some mix of people who love their work delaying retirement, people job-hopping until they find meaningful employment, and people learning to love whatever hand they've been dealt."
  • "Most measures of satisfaction also rise with education, often quite sharply. Someone with a graduate degree is twice as likely as a high school dropout to strongly agree their workplace contributes to the community."
  • But... "More-educated folks are actually a bit less likely to strongly agree that work is their main satisfaction in life."

Encryption

Let's Encrypt Announces New-Certificate-Every-6-Days Offering (letsencrypt.org) 60

The non-profit, free certificate authority Let's Encrypt shared some news from their executive director as they approach their 10th anniversary in 2025: Internally things have changed dramatically from what they looked like ten years ago, but outwardly our service hasn't changed much since launch. That's because the vision we had for how best to do our job remains as powerful today as it ever was: free 90-day TLS certificates via an automated API. Pretty much as many as you need. More than 500,000,000 websites benefit from this offering today, and the vast majority of the web is encrypted.

Our longstanding offering won't fundamentally change next year, but we are going to introduce a new offering that's a big shift from anything we've done before — short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the security of the TLS ecosystem because it minimizes exposure time during a key compromise event.

Because we've done so much to encourage automation over the past decade, most of our subscribers aren't going to have to do much in order to switch to shorter lived certificates. We, on the other hand, are going to have to think about the possibility that we will need to issue 20x as many certificates as we do now. It's not inconceivable that at some point in our next decade we may need to be prepared to issue 100,000,000 certificates per day. That sounds sort of nuts to me today, but issuing 5,000,000 certificates per day would have sounded crazy to me ten years ago... It was hard to build Let's Encrypt. It was difficult to scale it to serve half a billion websites...
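The two numbers in that paragraph, the security gain and the 20x issuance load, both fall out of the renewal cadence, so it is worth modelling them the way an ACME client sees them. The script below is an added example, not Let's Encrypt code. The lifetimes (90 and 6 days) come from the post; the renewal ages are this example's assumptions, chosen so that the short-lived cadence reproduces the post's 20x figure (a 90-day certificate renewed at day 60 versus a 6-day certificate renewed at day 3).

```python
"""Model what six-day certificates change for an operator: renewal cadence,
issuance volume at the CA, and how long a leaked private key stays usable
before its certificate simply expires. Added example, not Let's Encrypt
code. Lifetimes (90 and 6 days) are from the post; the renewal ages are
this example's assumptions, chosen so the short-lived cadence reproduces
the post's "20x" issuance figure."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Policy:
    lifetime: timedelta     # validity period the CA stamps on each certificate
    renew_after: timedelta  # certificate age at which the ACME client asks for a new one


# Assumed cadences: 90-day certs renewed at day 60 (the usual ACME-client
# default), 6-day certs renewed at day 3 (60 / 3 = 20x the issuances).
LONG_LIVED = Policy(timedelta(days=90), timedelta(days=60))
SHORT_LIVED = Policy(timedelta(days=6), timedelta(days=3))

T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed issuance instant


def needs_renewal(p: Policy, not_before: datetime, now: datetime) -> bool:
    """The client-side check: renew once the certificate is older than renew_after.
    Renewing well before not_after leaves slack for CA outages and retries."""
    return now - not_before >= p.renew_after


def issuance_multiplier(new: Policy, old: Policy) -> float:
    """How many more issuances the CA sees per site when moving from old to new."""
    return old.renew_after / new.renew_after


def max_exposure(p: Policy, not_before: datetime, compromised_at: datetime) -> timedelta:
    """If the key leaks at compromised_at and nothing is revoked, an attacker can
    present the certificate until not_after; zero if it had already expired."""
    not_after = not_before + p.lifetime
    return max(not_after - compromised_at, timedelta(0))


def exposure_days(p: Policy, days_after_issue: int) -> int:
    """Whole days a key leaked N days after issuance stays usable (no revocation)."""
    return max_exposure(p, T0, T0 + timedelta(days=days_after_issue)).days


def simulate(p: Policy, start: datetime, days: int,
             step: timedelta = timedelta(hours=1)) -> list:
    """Issuance instants a client following p produces over `days` days,
    checking needs_renewal once per `step` (hourly cron is a common setup)."""
    issued = [start]
    now, end = start, start + timedelta(days=days)
    while now < end:
        if needs_renewal(p, issued[-1], now):
            issued.append(now)
        now += step
    return issued


if __name__ == "__main__":
    for name, p in (("90-day", LONG_LIVED), ("6-day", SHORT_LIVED)):
        n = len(simulate(p, T0, 365))
        print(f"{name}: {n} issuances/year, key leaked 1 day after issue stays "
              f"usable {exposure_days(p, 1)} more days")
    print("issuance multiplier:", issuance_multiplier(SHORT_LIVED, LONG_LIVED))
```

The point the post makes about exposure is visible in `max_exposure`: with no revocation at all, a key stolen a day after issuance is good for 89 more days under the 90-day policy and 5 under the 6-day one, and that bound holds whether or not the client's revocation or OCSP path works. The cost side is in `simulate`: over one year the hourly-checking client requests 7 certificates under the long policy and 122 under the short one, which is why an operator moving to six-day certificates should treat renewal failure alerts, not expiry, as the thing to page on.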

Charitable contributions from people like you and organizations around the world make this stuff possible. Since 2015, tens of thousands of people have donated. They've made a case for corporate sponsorship, given through their Donor-Advised Funds, or set up recurring donations, sometimes to give $3 a month. That's all added up to millions of dollars that we've used to change the Internet for nearly everyone using it.

Thanks to long-time Slashdot reader rastos1 for sharing the news.

Encryption

Was the US Telecom Breach Inevitable, Proving Backdoors Can't Be Secure? (theintercept.com) 76

America's 1994 "Communications Assistance for Law Enforcement Act" (or CALEA) created the security hole that helped enable a massive telecom breach. But now America's FBI "is falling back on the same warmed-over, bad advice about encryption that it has trotted out for years," argues the Intercept: In response to the Salt Typhoon hack, attributed to state-backed hackers from China, the bureau is touting the long-debunked idea that federal agents could access U.S. communications without opening the door to foreign hackers. Critics say the FBI's idea, which it calls "responsibly managed encryption," is nothing more than a rebranding of a government backdoor. "It's not this huge about-face by law enforcement," said Andrew Crocker, the surveillance litigation director at the Electronic Frontier Foundation. "It's just the same, illogical talking points they have had for 30+ years, where they say, 'Encryption is OK, but we need to be able to access communications.' That is a circle that cannot be squared...."

In a blog post last month, encryption expert Susan Landau said CALEA had long been a "national security disaster waiting to happen... If you build a system so that it is easy to break into, people will do so — both the good guys and the bad. That's the inevitable consequence of CALEA, one we warned would come to pass — and it did," she said...

Sean Vitka, the policy director at the progressive group Demand Progress, said the hack has once again provided damning evidence that government backdoors cannot be secured. "If the FBI cannot keep their wiretap system safe, they absolutely cannot keep the skeleton key to all Apple phones safe," Vitka said.

Thanks to Slashdot reader mspohr for sharing the article.

Security

Yearlong Supply-Chain Attack Targeting Security Pros Steals 390,000 Credentials (arstechnica.com) 8

An anonymous reader quotes a report from Ars Technica: A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said. The campaign, first reported three weeks ago by security firm Checkmarx and again on Friday by Datadog Security Labs, uses multiple avenues to infect the devices of researchers in security and other technical fields. One is through packages that have been available on open source repositories for over a year. They install a professionally developed backdoor that takes pains to conceal its presence. The unknown threat actors behind the campaign have also employed spear phishing that targets thousands of researchers who publish papers on the arXiv platform.

The objectives of the threat actors are also multifaceted. One is the collection of SSH private keys, Amazon Web Services access keys, command histories, and other sensitive information from infected devices every 12 hours. When this post went live, dozens of machines remained infected, and an online account on Dropbox contained some 390,000 credentials for WordPress websites taken by the attackers, most likely by stealing them from fellow malicious threat actors. The malware used in the campaign also installs cryptomining software that was present on at least 68 machines as of last month. It's unclear who the threat actors are or what their motives may be. Datadog researchers have designated the group MUT-1244, with MUT short for "mysterious unattributed threat."
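The report is specific about what the collector takes: SSH private keys, AWS access keys and command histories, on a 12-hour cycle. That list doubles as an incident-response checklist, because anything in those locations on an infected machine must be treated as already exfiltrated. The script below walks a home directory and returns exactly that set, so a responder knows what to rotate. It is an added example, not Datadog, Checkmarx or Ars code; the victim home directory it builds is constructed in a temp dir, and the AWS key IDs in it are the placeholders used in AWS documentation (AKIAIOSFODNN7EXAMPLE, AKIAI44QH8DHBEXAMPLE), not real keys.

```python
"""Post-infection triage for the artifacts the report says MUT-1244 harvests
every 12 hours: SSH private keys, AWS access keys and shell histories. Given
a home directory, list what the attacker would already hold and so what to
rotate. Added example, not Datadog, Checkmarx or Ars code. The sample home
directory is constructed in a temp dir; its AWS key IDs are the documented
AWS placeholders (AKIAIOSFODNN7EXAMPLE, AKIAI44QH8DHBEXAMPLE)."""
import re
import tempfile
from pathlib import Path

AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SSH_PRIVATE_MARK = re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----")
HISTORY_FILES = (".bash_history", ".zsh_history", ".python_history")


def _read_head(f: Path, limit: int = 4096) -> str:
    try:
        return f.read_text(errors="ignore")[:limit]
    except OSError:
        return ""


def find_ssh_private_keys(home: Path) -> list:
    """Names of files under ~/.ssh that contain a private key (checked by
    content, not by name, so odd filenames are not missed)."""
    sshdir = home / ".ssh"
    if not sshdir.is_dir():
        return []
    return sorted(f.name for f in sshdir.iterdir()
                  if f.is_file() and SSH_PRIVATE_MARK.search(_read_head(f)))


def find_aws_key_ids(home: Path) -> dict:
    """Access key IDs found in ~/.aws/credentials and in shell histories, keyed
    by file. Secret keys are never returned; the key ID is enough to rotate."""
    hits = {}
    for f in [home / ".aws" / "credentials"] + [home / h for h in HISTORY_FILES]:
        if f.is_file():
            ids = sorted({m.group(0) for m in AWS_KEY_ID.finditer(_read_head(f, 1 << 20))})
            if ids:
                hits[f.relative_to(home).as_posix()] = ids
    return hits


def triage(home: Path) -> dict:
    """Everything the campaign's collector would have taken from this account."""
    return {
        "ssh_private_keys": find_ssh_private_keys(home),
        "aws_key_ids": find_aws_key_ids(home),
        "history_files": sorted(h for h in HISTORY_FILES if (home / h).is_file()),
    }


def build_sample_home() -> Path:
    """Constructed victim home directory for the demo; nothing here is real."""
    home = Path(tempfile.mkdtemp(prefix="mut1244-demo-"))
    (home / ".ssh").mkdir(mode=0o700)
    (home / ".ssh" / "id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\nZGVtbw==\n-----END OPENSSH PRIVATE KEY-----\n")
    (home / ".ssh" / "id_ed25519.pub").write_text("ssh-ed25519 AAAAC3demo demo@host\n")
    (home / ".ssh" / "known_hosts").write_text("github.com ssh-ed25519 AAAAC3demo\n")
    (home / ".aws").mkdir(mode=0o700)
    (home / ".aws" / "credentials").write_text(
        "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
    # A key pasted into the shell lands in history, which the collector also takes.
    (home / ".bash_history").write_text(
        "ls -la\nexport AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE\nnpm install some-package\n")
    return home


if __name__ == "__main__":
    report = triage(build_sample_home())
    for k, v in report.items():
        print(f"{k}: {v}")
```

Run it as `triage(Path.home())` on a suspect workstation. The history scan is the part people forget: a key that was exported on the command line a year ago is still in `.bash_history`, and on a 12-hour collection cycle it has been taken along with everything in `~/.aws`. The script reports key IDs only, never secrets, so its output can go straight into a ticket.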

Privacy

UnitedHealthcare's Optum Left an AI Chatbot, Used By Employees To Ask Questions About Claims, Exposed To the Internet (techcrunch.com) 22

Healthcare giant Optum has restricted access to an internal AI chatbot used by employees after a security researcher found it was publicly accessible online, and anyone could access it using only a web browser. TechCrunch: The chatbot, which TechCrunch has seen, allowed employees to ask the company questions about how to handle patient health insurance claims and disputes for members in line with the company's standard operating procedures (SOPs).

While the chatbot did not appear to contain or produce sensitive personal or protected health information, its inadvertent exposure comes at a time when its parent company, health insurance conglomerate UnitedHealthcare, faces scrutiny for its use of artificial intelligence tools and algorithms to allegedly override doctors' medical decisions and deny patient claims.

Mossab Hussein, chief security officer and co-founder of cybersecurity firm spiderSilk, alerted TechCrunch to the publicly exposed internal Optum chatbot, dubbed "SOP Chatbot." Although the tool was hosted on an internal Optum domain and could not be accessed from its web address, its IP address was public and accessible from the internet and did not require users to enter a password.

Microsoft

HDMI 2.2 Specs With Increased Bandwidth To Be Announced at CES 2025 (videocardz.com) 42

HDMI Forum will announce new specifications with increased bandwidth capabilities at CES 2025, ahead of anticipated graphics card launches from AMD and NVIDIA. The announcement, scheduled for January 6, is expected to introduce HDMI 2.2 standard alongside a new cable supporting higher resolutions and refresh rates.

Current HDMI 2.1 specification maxes out at 48 Gbps bandwidth, allowing 10K resolution at 120 Hz with compression. The upgrade aims to compete with DisplayPort 2.1, which offers up to 80 Gbps bandwidth and is already supported by recent AMD and Intel GPUs.

Yahoo!

Yahoo Cybersecurity Team Sees Layoffs, Outsourcing of 'Red Team,' Under New CTO (techcrunch.com) 12

Yahoo laid off around 25% of its cybersecurity team -- known as The Paranoids -- over the last year, TechCrunch has learned. From the report: Overall, the company has laid off or lost through attrition 40 to 50 people from a total of 200 employees in the cybersecurity team since the start of 2024, according to multiple current and former Yahoo employees who spoke to TechCrunch on condition of anonymity. (Yahoo is TechCrunch's parent company.)

The Paranoids are not the only team affected by the layoffs. Valeri Liborski, who was appointed Yahoo's chief technology officer in September, sent an email this week to employees announcing changes across the broader technology unit, including enterprise productivity and core services. The email to staff, which was obtained by TechCrunch, said: "This was a very difficult decision and one I have not taken lightly."

The Paranoids' so-called red team, or offensive security team -- which conducts cyberattack simulations to identify weaknesses in the company's network before external hackers can -- was eliminated entirely this week, and there have been at least three rounds of layoffs impacting the cybersecurity team this year, according to the sources.

Microsoft

Microsoft Hijacks Keyboard Shortcut To Bring Copilot To Your Attention (theregister.com) 70

An anonymous reader shares a report: Copilot has gone native for Windows Insiders and commandeered a popular keyboard shortcut in the process. The move from a Progressive Web App (PWA) to a native binary -- although most of it appears to still be a website, just not running as a PWA -- will be welcomed. Microsoft noted that once the app update has been installed, Copilot will appear in the system tray.

However, the assistant's quick view feature has been given the Alt+Space keyboard shortcut. This is already used by many other applications, including Microsoft's own PowerToys. PowerToys Run, for example, uses Alt+Space to open a launcher into which users can type in the name of the service they are seeking. Alt+Space is also used to show the context menu of the active window. Therefore, Microsoft's decision to hand the shortcut over to Copilot is unlikely to please keyboard warriors who are used to their shortcuts working in a particular way.

The Windows vendor acknowledged that the shortcut was already in use by many apps, saying: "For any apps installed on your PC that might utilize this keyboard shortcut, Windows will register whichever app is launched first on your PC and running in the background as the app that is invoked when using Alt+Space."

Microsoft

Amazon Paused Rollout of Microsoft Office for a Year After Hacks (bloomberg.com) 13

Amazon has postponed implementing Microsoft's cloud-based Office suite for its workforce by one year, citing security concerns following a Russian cyber attack on Microsoft's systems. The delay affects a $1 billion, five-year contract signed last year to provide Microsoft 365 to Amazon's 1.5 million employees, making the e-commerce giant one of the largest customers of Microsoft's cloud productivity suite.

The decision came after Microsoft revealed that Midnight Blizzard, a Russia-linked hacking group, had breached several employee email accounts, including those of senior executives and cybersecurity staff. Amazon subsequently conducted its own security review and requested enhanced protection measures from Microsoft.

Businesses

Startup Will Brick $800 Emotional Support Robot For Kids Without Refunds (arstechnica.com) 144

Startup Embodied is closing down, and its product, an $800 robot for kids ages 5 to 10, will soon be bricked. From a report: Embodied blamed its closure on a failed "critical funding round." On its website, it explained: "We had secured a lead investor who was prepared to close the round. However, at the last minute, they withdrew, leaving us with no viable options to continue operations. Despite our best efforts to secure alternative funding, we were unable to find a replacement in time to sustain operations."

The company didn't provide further details about the pulled funding. Embodied's previous backers have included Intel Capital, Toyota AI Ventures, Amazon Alexa Fund, Sony Innovation Fund, and Vulcan Capital, but we don't know who the lead investor mentioned above is. When it first announced Moxie in April 2020, Embodied described the robot as a "safe and engaging animate companion for children designed to help promote social, emotional, and cognitive development."
