United States

US Is Seizing 48 Websites In Sting of Cyberattack-For-Hire Services (bloomberg.com) 13

The US seized dozens of internet domains and charged six people in a sting intended to bring down a network of cyberattack-for-hire services, the Department of Justice announced on Wednesday. Bloomberg reports: In all, the US obtained a court order to seize 48 websites, and six people were criminally charged in relation to the takedowns, according to federal prosecutors. The FBI was in the process of seizing the websites, officials said Wednesday. The websites were used to launch, or attempt to launch, millions of so-called DDoS attacks around the world, the DOJ said in a statement. Short for distributed-denial-of-service, DDoS attacks direct huge amounts of junk internet traffic at a website or computer network to knock it offline.

DDoS-for-hire services often refer to themselves as "stresser" or "booter" tools that purport to offer a way for individuals to test the resilience of websites and services they operate, according to cybersecurity experts. In reality, the services are often used for harassment, extortion and criminal mischief, they say. The sites seized by the FBI include royalstresser, securityteam and dragonstresser, among others.

AI

'ChatGPT Wrote a Terrible Gizmodo Article' (gizmodo.com) 51

"Write a Gizmodo article in which you explain large language models. Make sure to give specific examples. Keep the tone light and casual." That was the prompt Gizmodo gave OpenAI's ChatGPT, which has been taking the internet by storm since it launched on Nov. 30. "We figured it would spin up a replica of our blogging style with no problem at all," reports Gizmodo. "However, that didn't happen. Instead, what we thought would be a swift and efficient process turned out to be a lengthy, laborious, and frustrating one." An anonymous reader shares an excerpt from the report: Suffice it to say, multiple attempts brought less than satisfactory results. For one thing, ChatGPT kept including incorrect information in its explainer -- sometimes mixing up basic facts about the history of its own technology (factual inaccuracy has been an ongoing problem for the program). In other instances, it skimped on the details in critical areas, writing text that read more like OpenAI ad copy than a thoughtful explainer. In at least one instance, it forgot its own name, repeatedly telling me that it didn't know anything about a "ChatGPT" and thus couldn't help with my request. In general, it struggled to find a good balance of factual information, story structure, and accessible, humorous language, when putting its stories together.

In short: ChatGPT was not very good at writing a Gizmodo article -- at least not one about the machine learning tech that underpins it. After probably a dozen tries or more, the following is the best ChatGPT managed to come up with: "Large language models, also known as neural network-based language models, have gained a lot of attention in recent years for their ability to generate human-like text. These models are trained on massive amounts of text data, and use advanced machine learning algorithms to learn the patterns and structures of natural language. One of the most well-known examples of a large language model is GPT-3, developed by OpenAI. This model was trained on more than 45 terabytes of text data, and has 175 billion parameters, which are the variables that the model uses to make predictions. In machine learning, a parameter is a variable that the model uses to make predictions. These parameters are adjusted during training, allowing the model to improve its performance on the task it was trained for. In the case of large language models, such as GPT-3, the model has a large number of parameters, often in the billions, which allows it to learn the intricate patterns and structures of natural language and generate highly coherent and fluent text."
ChatGPT's writing may be competently constructed and able to break down the concepts it's tackling, but it wasn't able to produce a "particularly bold or entertaining piece of writing," says Gizmodo. "In short: this article wasn't the easy lift that we thought it would be."

"After asking the chatbot to write about itself a dozen different ways, the program consistently seemed to leave something critical out of its final draft -- be that exciting prose or accurate facts."

That said, ChatGPT did manage to write an amusing poem about Slashdot. It also had a number of things to say about itself.
Open Source

Z-Wave Alliance Says Z-Wave Source Code Project Is Complete, Now Open And Widely Available To Members (z-wavealliance.org) 51

The Z-Wave Alliance, the Standards Development Organization (SDO) dedicated to advancing the smart home and Z-Wave technology, today announced the completion of the Z-Wave Source Code project, which has been published and made available on GitHub to Alliance members. From a report: The Z-Wave Source Code Project opens development of Z-Wave and enables members to contribute code to shape the future of the protocol under the supervision of the new OS Work Group (OSWG). The goal of the project is to provide a rich development environment that contains the relevant source code and sample applications to those seeking to play a direct role in the advancement of the Z-Wave standard. The quality and interoperability of products utilizing Z-Wave Source Code will also be enforced by a new mandatory Silicon & Stack Certification program. Full Z-Wave certification will continue to test and certify for Z-Wave S2 security, network connectivity, range, battery life, and interoperability including backwards and forwards compatibility.

"The Z-Wave Alliance is deeply committed to the global smart home market," said Mitch Klein, Executive Director of the Z-Wave Alliance. "This year the smart home conversations have focused largely on Matter. Shiny and new, and with big brands supporting the initiative, Matter is bringing a lot of attention to the smart home. This makes it easy to overlook Z-Wave as the most established, trusted, and secure smart home protocol, that also happens to have the largest certified interoperable ecosystem in the market. We firmly expect that Z-Wave will play a key role in connecting devices and delivering the experience users really want."

United States

US Senators Warren, Marshall Introduce Digital Assets Anti-Money Laundering Bill 68

U.S. Senators Elizabeth Warren (D-Mass.) and Roger Marshall (R-Kan.) are introducing a bill to crack down on money laundering and financing of terrorists and rogue nations [PDF] via cryptocurrency. From a report: If it becomes law, the Digital Asset Anti-Money Laundering Act will bring know-your-customer (KYC) rules to crypto participants such as wallet providers and miners and prohibit financial institutions from transacting with digital asset mixers, which are tools designed to obscure the origin of funds. The act would also allow the Financial Crimes Enforcement Network (FinCEN) to implement a proposed rule requiring institutions to report certain transactions involving unhosted wallets -- wallets where the user has complete control over the contents rather than relying on an exchange or other third party.
Microsoft

Microsoft Digital Certificates Once Again Abused To Sign Malware (arstechnica.com) 23

Microsoft has once again been caught allowing its legitimate digital certificates to sign malware in the wild, a lapse that allows the malicious files to pass strict security checks designed to prevent them from running on the Windows operating system. ArsTechnica: Multiple threat actors were involved in the misuse of Microsoft's digital imprimatur, which they used to give Windows and endpoint security applications the impression malicious system drivers had been certified as safe by Microsoft. That has led to speculation that there may be one or more malicious organizations selling malicious driver-signing as a service. In all, researchers have identified at least nine separate developer entities that abused the certificates in recent months.

The abuse was independently discovered by four third-party security companies, which then privately reported it to Microsoft. On Tuesday, during Microsoft's monthly Patch Tuesday, the company confirmed the findings and said it has determined the abuse came from several developer accounts and that no network breach has been detected. The software maker has now suspended the developer accounts and implemented blocking detections to prevent Windows from trusting the certificates used to sign the malicious drivers. "Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks," company officials wrote.

Privacy

FBI's Vetted Info Sharing Network 'InfraGard' Hacked (krebsonsecurity.com) 21

An anonymous reader quotes a report from KrebsOnSecurity: On Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: The user database for InfraGard, including names and contact information for tens of thousands of InfraGard members. The FBI's InfraGard program is supposed to be a vetted Who's Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation's critical infrastructures -- including drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms. "InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks," the FBI's InfraGard fact sheet reads.

KrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member who uses the handle "USDoD" and whose avatar is the seal of the U.S. Department of Defense. USDoD said they gained access to the FBI's InfraGard system by applying for a new account using the name, Social Security Number, date of birth and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership. The CEO in question -- currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans -- did not respond to requests for comment. USDoD told KrebsOnSecurity their phony application was submitted in November in the CEO's name, and that the application included a contact email address that they controlled -- but also the CEO's real mobile phone number. "When you register they said that to be approved can take at least three months," USDoD said. "I wasn't expected to be approve[d]." But USDoD said that in early December, their email address in the name of the CEO received a reply saying the application had been approved. While the FBI's InfraGard system requires multi-factor authentication by default, users can choose between receiving a one-time code via SMS or email. "If it was only the phone I will be in [a] bad situation," USDoD said. "Because I used the person['s] phone that I'm impersonating."

USDoD said the InfraGard user data was made easily available via an Application Programming Interface (API) that is built into several key components of the website that help InfraGard members connect and communicate with each other. USDoD said after their InfraGard membership was approved, they asked a friend to code a script in Python to query that API and retrieve all available InfraGard user data. "InfraGard is a social media intelligence hub for high profile persons," USDoD said. "They even got [a] forum to discuss things." USDoD acknowledged that their $50,000 asking price for the InfraGard database may be a tad high, given that it is a fairly basic list of people who are already very security-conscious. Also, only about half of the user accounts contain an email address, and most of the other database fields -- like Social Security Number and Date of Birth -- are completely empty. [...] While the data exposed by the infiltration at InfraGard may be minimal, the user data might not have been the true end game for the intruders. USDoD said they were hoping the imposter account would last long enough for them to finish sending direct messages as the CEO to other executives using the InfraGard messaging portal.
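The scrape described above (one freshly approved account querying the member API until it had pulled everyone) is exactly the pattern a member-directory API should alert on. What follows is an added example and not code from KrebsOnSecurity, InfraGard or USDoD: a sliding-window detector run over constructed access-log lines. The log format, the /api/members/<id> path, the 10-minute window and the 50-profile threshold are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format for this example (not InfraGard's real API):
#   2022-12-03T10:00:00Z account=<id> <METHOD> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\d+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
PROFILE_RE = re.compile(r"^/api/members/(?P<member>\d+)$")   # assumed profile endpoint


def parse(line):
    """Return (timestamp, account, member_id, status) for a profile read, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PROFILE_RE.match(m["path"])
    if not p:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["account"], p["member"], int(m["status"])


def detect_enumeration(lines, window_seconds=600, threshold=50):
    """Alert once per account when it successfully reads at least `threshold`
    distinct other members' profiles inside any `window_seconds` window.
    Returns {account: (time_of_alert, distinct_profiles_in_window)}."""
    window = timedelta(seconds=window_seconds)
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e[0])
    recent = defaultdict(deque)                    # account -> (ts, member) still in window
    live = defaultdict(lambda: defaultdict(int))   # account -> member -> reads in window
    alerts = {}
    for ts, account, member, status in events:
        if status != 200 or member == account:     # only successful reads of other members
            continue
        q, counts = recent[account], live[account]
        q.append((ts, member))
        counts[member] += 1
        while q and ts - q[0][0] > window:         # expire reads that fell out of the window
            _, old = q.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if len(counts) >= threshold and account not in alerts:
            alerts[account] = (ts, len(counts))
    return alerts


def _constructed_log():
    """Constructed sample: one normal member plus one scripted directory pull."""
    base = datetime(2022, 12, 3, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(t):
        return t.isoformat().replace("+00:00", "Z")

    lines = [f"{stamp(base + timedelta(minutes=12 * i))} account=1001 GET /api/members/{2000 + i} 200"
             for i in range(5)]                                    # a few views over an hour
    lines += [f"{stamp(base + timedelta(seconds=i))} account=777 GET /api/members/{3000 + i} 200"
              for i in range(60)]                                  # one profile per second
    lines.append(f"{stamp(base)} account=777 GET /api/members/777 200")   # own profile: ignored
    lines.append(f"{stamp(base)} account=777 POST /api/messages 201")     # not a profile read
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for account, (when, n) in detect_enumeration(SAMPLE_LOG).items():
        print(f"{when.isoformat()} account={account} read {n} distinct member profiles in 10 min")
```

Run as a script it prints one alert for the scripted account; the ordinary member who views a few profiles an hour never trips it. Per-account rate limits on the same endpoint, and not returning fields the caller has no reason to see, are the preventive half of the same control.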

Social Networks

Is This Nature App the Key To Saving Civilization? (buffalonews.com) 59

Slashdot reader biobricks shares this report from the New York Times. (Alternate URLs here and here.) When Merav Vonshak wanted to identify the gelatinous blob she had photographed floating in a shallow pool of water on a family vacation, she bypassed a wildlife-related website too often beset by bickering. She gave no consideration to brand-name social media platforms known for snark or misinformation.

Instead she uploaded the picture to a site called iNaturalist, where strangers have come together to pursue a very specific type of truth: the correct scientific classification for the living things they photograph in the wild or the backyard. They have so far processed about 90 million, with at least a quarter completed in 2022 alone.... Like many iNaturalist users, Dr. Vonshak, 45, invokes utopian metaphors not typically associated with social media to describe the platform. ("It reminds me of 'Star Trek,' you know? Our society as I would wish it would be.") Indeed, while examining mud snakes and mosses, it has dawned on many of the iNaturalist faithful that maybe they are on to something much bigger — a model for using the web that is governed by cooperation, not combat....

A not-for-profit initiative of the California Academy of Sciences and the National Geographic Society, iNaturalist says it aims to connect people to nature through technology. And the site's species-level identifications have been cited in thousands of scientific papers. But in a moment that can feel like everything is subject to dispute — the cause of inflation, the nature of gender, the legitimacy of an election — iNaturalist has also gained recognition as a rare place on the internet where people with different points of view manage to forge agreement on what constitutes reality.... And some social network scholars say its growth holds lessons for improved communication....

With help from a computer-vision algorithm, users who upload an observation typically suggest an identification. Others can then add their own nomination in the comments. As soon as a two-thirds majority emerges, the record receives a "community ID," which can be overwritten anytime the majority shifts.... The growth of iNaturalist has been fueled in part by technologies that have democratized the act of documenting and identifying species. Its machine-learning algorithm, trained on the identifications of iNaturalist users over the last decade, now reliably recognizes some 70,000 types of organisms and provides real-time suggestions. Better smartphone cameras have helped, as have inexpensive macro-lens attachments and the ubiquity of wireless internet access.
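As an added example (not from the article and not iNaturalist's own code), here is the consensus rule described above, simplified: each identification is one taxon name, the community ID is whatever taxon holds at least two-thirds of the active identifications, and it is recomputed after every new identification so it can be overwritten when the majority shifts. iNaturalist's handling of identifications at different taxonomic ranks is not modelled; the two-identification minimum and the at-least-two-thirds comparison are assumptions of this example, and the observation data is constructed.

```python
from collections import Counter


def community_id(identifications, supermajority=(2, 3), minimum=2):
    """Return (taxon, agreeing, total) if one taxon has at least a two-thirds
    share of the active identifications, else None.
    The `minimum` of two identifications is an assumption of this example."""
    total = len(identifications)
    if total < minimum:
        return None
    taxon, agreeing = Counter(identifications).most_common(1)[0]
    num, den = supermajority
    if agreeing * den >= num * total:      # agreeing/total >= 2/3, without floats
        return taxon, agreeing, total
    return None


def replay(history):
    """Recompute the community ID after each identification is added, so the
    record can be seen being set and later overwritten as the majority shifts."""
    states = []
    for i in range(1, len(history) + 1):
        states.append(community_id(history[:i]))
    return states


# Constructed observation: two early identifications agree, four later ones disagree
OBSERVATION = [
    "Physalia physalis",
    "Physalia physalis",
    "Velella velella",
    "Velella velella",
    "Velella velella",
    "Velella velella",
]

if __name__ == "__main__":
    for n, state in enumerate(replay(OBSERVATION), 1):
        print(f"after {n} identification(s): {state}")
```

Replaying the constructed observation shows the record with no community ID after one vote, a community ID once two agree, a deadlock at two against two, and the ID flipping to the other taxon only when it reaches four of six.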

But the article also applauds the site's "explicit aim of collaboration and consensus" — 120 million "observations" have been posted just this year — each a chance to experience one more small collective triumph.

In the article one 32-year-old describes the site as "the place where I feel like I interact with strangers and work towards the common good."
Communications

NASA'S ICON Space Weather Satellite Has Suddenly Gone Silent (gizmodo.com) 29

A three-year-old NASA satellite lost touch with ground controllers two weeks ago and is now wandering through low Earth orbit without supervision. Sadly, the space agency fears the worst. Gizmodo reports: NASA's Ionospheric Connection Explorer (ICON) mission has not communicated with ground stations since November 25 due to some sort of glitch the space agency is yet to identify, NASA wrote in a blog post on Wednesday. The spacecraft is equipped with an onboard command loss timer that's designed to reset ICON in the event that contact is lost for eight days, but the reset seemingly did not work as the team was still unable to communicate with the spacecraft on December 5 after the power cycle was complete.

Although silent, the ICON spacecraft is still intact. NASA used the Department of Defense's Space Surveillance Network to confirm that ICON is still out there in one piece, according to the space agency. But communication is obviously key for orbiting spacecraft, as it allows the mission team to send commands to satellites and also receive data through downlinked signals. "The ICON mission team is working to troubleshoot the issue and has narrowed the cause of the communication loss to problems within the avionics or radio-frequency communications subsystems," NASA wrote in the blog post. "The team is currently unable to determine the health of the spacecraft, and the lack of a downlink signal could be indicative of a system failure." Oof, that doesn't sound good.

Security

Samsung Galaxy S22 Hacked Again On Second Day of Pwn2Own (bleepingcomputer.com) 18

Contestants hacked the Samsung Galaxy S22 again during the second day of the consumer-focused Pwn2Own 2022 competition in Toronto, Canada. They also demoed exploits targeting zero-day vulnerabilities in routers, printers, smart speakers, and Network Attached Storage (NAS) devices from HP, NETGEAR, Synology, Sonos, TP-Link, Canon, Lexmark, and Western Digital. BleepingComputer reports: Security researchers representing the vulnerability research company Interrupt Labs were the ones to demonstrate a successful exploit against Samsung's flagship device on Wednesday. They executed an improper input validation attack and earned $25,000, 50% of the total cash award, because this was the third time the Galaxy S22 was hacked during the competition.

On the first day of Pwn2Own Toronto, the STAR Labs team and a contestant known as Chim demoed two other zero-day exploits as part of successful improper input validation attacks against the Galaxy S22. In all three cases, according to the contest rules, the devices ran the latest version of the Android operating system with all available updates installed.

The second day of Pwn2Own Toronto wrapped up with Trend Micro's Zero Day Initiative awarding $281,500 for 17 unique bugs across multiple categories. This brings the total for the first two days of Pwn2Own to $681,250 for 46 unique zero-days, as ZDI's Head of Threat Awareness Dustin Childs revealed. The full schedule for Pwn2Own Toronto 2022's second day and the results for each challenge are available here. You can also find the complete schedule of the competition here.

Cloud

Pentagon Splits $9 Billion Cloud Contract Between 4 Firms 49

Google, Oracle, Microsoft and Amazon will share in the Pentagon's $9 billion contract to build its cloud computing network, a year after accusations of politicization over the previously announced contract and a protracted legal battle resulted in the military starting over in its award process. The Associated Press reports: The Joint Warfighter Cloud Capability is envisioned to provide access to unclassified, secret and top-secret data to military personnel all over the globe. It is anticipated to serve as a backbone for the Pentagon's modern war operations, which will rely heavily on unmanned aircraft and space communications satellites, but will still need a way to quickly get the intelligence from those platforms to troops on the ground. The contract will be awarded in parts, with a total estimated completion date of June 2028, the Pentagon said in a statement.

Last July, the Pentagon announced it was cancelling its previous cloud computing award, then named JEDI. At the time, the Pentagon said that due to delays in proceeding with the contract, technology had changed to the extent that the old contract, which was awarded to Microsoft, no longer met DOD's needs. It did not mention the legal challenges behind those delays, which had come from Amazon, the losing bidder. Amazon had questioned whether former President Donald Trump's administration had steered the contract toward Microsoft due to Trump's adversarial relationship with Amazon's chief executive officer at the time, Jeff Bezos. A report by the Pentagon's inspector general did not find evidence of improper influence, but it said it could not determine the extent of administration interactions with Pentagon decision-makers because the White House would not allow unfettered access to witnesses.
"It's the most important cloud deal to come out of the Beltway," said analyst Daniel Ives, who monitors the cloud industry for Wedbush Securities. "It's about the Pentagon as a reference customer. It says significant accolades about what they think about that vendor, and that's the best reference customer you could have in that world."
Open Source

Amazon Joins Open Invention Network (zdnet.com) 4

Amazon and Amazon Web Services (AWS) have joined the Open Invention Network (OIN) -- the world's largest patent non-aggression consortium. ZDNet reports: OIN has long protected Linux and Linux-related software from patent aggression by rival companies. With the recent increase in patent troll attacks, the OIN is also defending companies from these assaults. This is a natural move for Amazon. Besides relying on Linux and open-source software both for its retail and cloud businesses, Amazon has a strict policy against patent infringement, and users who engage in this behavior can have their listings removed or accounts deleted. Nevertheless, like all large companies, Amazon has also been sued for patent violations. Joining the OIN simply makes good business sense. Nithya Ruff, the Amazon Open Source Program Office director, added: "Linux and open source are essential to many of our customers and a key driver of innovation across Amazon. We are proud to support a broad range of open-source projects, foundations, and partners, and we are committed to the long-term success and sustainability of open source as a whole. By joining OIN, we are continuing to strengthen open source communities and helping to ensure technologies like Linux remain thriving and accessible to everyone."
United States

US To Spend $1.5 Billion To Jumpstart Alternatives To Huawei (axios.com) 48

The federal government plans to invest $1.5 billion to help spur a standards-based alternative for the gear at the heart of modern cellular networks. From a report: Experts say -- and the government agrees -- that there are economic and national security risks in having such equipment made only by a handful of companies overseas, with the most affordable products coming from China's Huawei. The most likely effort to benefit from the new funding is known as ORAN (Open Radio Access Network), which uses standard computing gear to replace what has been proprietary hardware from companies like Nokia, Ericsson and Huawei. The federal government is kicking off the program with a public comment period, which will run through Jan. 23. Funding for the effort was provided by the Chips and Science Act. The U.S. has largely banned use of Huawei's devices over security concerns amid deepening U.S.-China tensions.
Technology

ConsenSys To Update MetaMask Crypto Wallet in Response To Privacy Backlash (coindesk.com) 7

ConsenSys, the company behind the MetaMask crypto wallet, said Tuesday it will release a series of updates to the platform in response to user backlash regarding its data-collection practices. From a report: In a statement, the company explained how and why it was sharing MetaMask user internet-protocol information with Infura, the ConsenSys-made RPC (remote procedure call) service for reading and writing data to the Ethereum blockchain. A change in wording to the ConsenSys user agreement last month revealed that MetaMask, by default, shared users' transaction data with Infura alongside their IP addresses. The revelation sparked outrage in a vocal corner of the crypto community, with some users worrying aloud that their transaction data wasn't as private as they assumed.

In its statement, ConsenSys clarified that it would only "collect wallet and IP address information in connection with 'write' requests, also known as transactions, when MetaMask users broadcast transactions through Infura's RPC endpoints." "We do not store wallet account address information when a MetaMask user makes a 'read' request through Infura, for example in order to check their account balances within MetaMask," the company said. According to MetaMask co-founder Dan Finlay, the platform began collecting and sharing IP-linked transaction data with Infura in 2018 to prevent network overload and to monitor pending transactions. Finlay said MetaMask cannot stop logging IP addresses entirely; if a user interacts with an RPC service like Infura, their IP address will always be visible. ConsenSys, however, will stop logging user IP information directly alongside their transaction data, thereby making it more difficult for the firm to trace transaction activity back to specific users. ConsenSys said it will also make updates to the MetaMask interface.

Communications

SpaceX Unveils 'Starshield,' a Military Variation of Starlink Satellites (cnbc.com) 83

Elon Musk's SpaceX is expanding its Starlink satellite technology into military applications with a new business line called Starshield. CNBC reports: "While Starlink is designed for consumer and commercial use, Starshield is designed for government use," the company wrote on its website. Few details are available about the intended scope and capabilities of Starshield. The company hasn't previously announced tests or work on Starshield technology.

On its website, SpaceX said the system will have "an initial focus" on three areas: Imagery, communications and "hosted payloads" -- the third of which effectively offers government customers the company's satellite bus (the body of the spacecraft) as a flexible platform. The company also markets Starshield as the center of an "end-to-end" offering for national security: SpaceX would build everything from the ground antennas to the satellites, launch the latter with its rockets, and operate the network in space.

SpaceX notes that Starshield uses "additional high-assurance cryptographic capability to host classified payloads and process data securely," building upon the data encryption it uses with its Starlink system. Another key feature: the "inter-satellite laser communications" links, which the company currently has connecting its Starlink spacecraft. It notes that the terminals can be added to "partner satellites," so as to connect other companies' government systems "into the Starshield network."

Television

Meet DTV's Successor: NextGen TV (cnet.com) 135

Around 2009 Slashdot was abuzz about how over-the-air broadcasting in North America was switching to a new standard called DTV. (Fun fact: North America and South America have two entirely different broadcast TV standards — both of which are different from the DVB-T standard used in Europe/Africa/Australia.) But 2022 ends with us already talking about DTV's successor in North America: the new broadcast standard NextGen TV.

This time the new standard isn't mandatory for TV stations, CNET points out — and it won't affect cable, satellite or streaming TV. But now even if you're not paying for a streaming TV service, another article points out, in most major American cities "an inexpensive antenna is all you'll need to get ABC, CBS, Fox, NBC and PBS stations" — and often with a better picture quality: NextGen TV, formerly known as ATSC 3.0, is continuing to roll out across the U.S. It's already widely available, with stations throughout the country broadcasting in the new standard. There are many new TVs with compatible tuners plus several stand-alone tuners to add NextGen to just about any TV. As the name suggests, NextGen TV is the next generation of over-the-air broadcasts, replacing or supplementing the free HD broadcasts we've had for over two decades. NextGen not only improves on HDTV, but adds the potential for new features like free over-the-air 4K and HDR, though those aren't yet widely available.

Even so, the image quality with NextGen is likely better than what you're used to from streaming or even cable/satellite. If you already have an antenna and watch HD broadcasts, the reception you get with NextGen might be better, too.... Because of how it works, you'll likely get better reception if you're far from the TV tower.

The short version is: NextGen is free over-the-air television with potentially more channels and better image quality than older over-the-air broadcasts.

U.S. broadcast companies have also created a site at WatchNextGenTV.com showing options for purchasing a compatible new TV. That site also features a video touting NextGen TV's "brilliant colors and a sharper picture with a wider range of contrast" and its Dolby audio system (with "immersive, movie theatre-quality sound" with enhancements for voice and dialogue "so you get all of the story.") And in the video there's also examples of upcoming interactive features like on-screen quizzes, voting, and shopping, as well as the ability to select multiple camera angles or different audio tracks.

"One potential downside? ATSC 3.0 will also let broadcasters track your viewing habits," CNet reported earlier this year, calling the data "information that can be used for targeted advertising, just like companies such as Facebook and Google use today...

"Ads specific to your viewing habits, income level and even ethnicity (presumed by your neighborhood, for example) could get slotted in by your local station.... but here's the thing: If your TV is connected to the internet, it's already tracking you. Pretty much every app, streaming service, smart TV and cable or satellite box all track your usage to a greater or lesser extent."

But on the plus side... NextGen TV is IP-based, so in practice it can be moved around your home just like any internet content can right now. For example, you connect an antenna to a tuner box inside your home, but that box is not connected to your TV at all. Instead, it's connected to your router. This means anything with access to your network can have access to over-the-air TV, be it your TV, your phone, your tablet or even a streaming device like Apple TV....

This also means it's possible we'll see mobile devices with built-in tuners, so you can watch live TV while you're out and about, like you can with Netflix and YouTube now. How willing phone companies will be to put tuners in their phones remains to be seen, however. You don't see a lot of phones that can get radio broadcasts now, even though such a thing is easy to implement.

But whatever you think — it's already here. By August NextGen TV was already reaching half of America's population, according to a press release from a U.S. broadcaster's coalition. That press release also bragged that 40% of consumers had actually heard of NextGen TV — "up 25% from last year among those in markets where it is available."
Earth

2022's 'Earthshot Prizes' Recognize Five Innovative Responses to Climate Change (bbc.com) 32

"Childhood friends in Oman who figured out how to turn carbon dioxide into rock are among five winners chosen for the Prince of Wales's prestigious Earthshot Prize," reports the BBC: The annual awards were created by Prince William to fund projects that aim to save the planet. Each winner will receive £1m ($1.2m) to develop their innovation.... "I believe that the Earthshot solutions you have seen this evening prove we can overcome our planet's greatest challenges," Prince William said during the ceremony. "By supporting and scaling them we can change our future," he said.
1,500 projects were nominated, according to the event's web site. Here are the five winners:
  • A Kenya-based company producing stoves powered by processed biomass (made from charcoal, wood and sugarcane) that "burns cleaner, creating 90% less pollution than an open fire," while cutting fuel costs in half.
  • The Indian startup behind Greenhouse-in-a-box. "Plants in the greenhouse require 98% less water than those outdoors and yields are seven-times higher," explains the site, while the greenhouses themselves are 90% cheaper than a standard greenhouse, "more than doubling farmers' incomes [while] using less water and fewer pesticides."
  • A Queensland-based program to expand the network of rangers using drones to monitor reefs and wildfires while sharing information and innovative ideas.
  • London-based start-up Notpla, which created a plastic alternative made from seaweed and plants that's entirely biodegradable. (The seaweed used in its production also captures carbon twenty times faster than trees.)
  • The company 44.01 removes CO2 permanently by mineralising it in peridotite, accelerating the natural process by pumping carbonated water into peridotite underground. (Unlike carbon storage, "mineralizing" CO2 removes it forever, making the process safer, cost-effective, and scalable.)

Five prizes will be awarded each year until 2030.


United States

DHS Board Starts Investigating Lapsus$ Teen Hacker Group (axios.com) 9

A group of federal cyber advisers is putting a suspected teen hacking group under the microscope in the second investigation ever conducted by the Cyber Safety Review Board. From a report: The Department of Homeland Security review board -- a group of 15 federal government and private-sector cyber experts -- announced Friday morning that it will study and provide recommendations to fend off the hacking techniques behind the Lapsus$ data extortion group. The Cyber Safety Review Board first investigated and released a report with security recommendations in July about the Log4j open-source software vulnerability that affected millions of devices last year.

Lapsus$, which has been outed as a teenage hacking group, is believed to be behind data breaches at Uber, Rockstar Games, Microsoft, Okta and other major companies earlier this year. Data extortion groups break into a company's systems, steal prized information like source code, and then demand a payment from the company to stop them from leaking the stolen information. Specifically, Lapsus$ targets companies through MFA fatigue, where they use stolen login credentials to log in to a network and then spam account owners with two-factor authentication requests on their phones until they accept one. Suspected members of the gang are believed to be based in the U.K. and have been arrested several times throughout the year.
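The MFA fatigue pattern described above leaves a distinctive trace in identity-provider logs: a burst of push prompts to one user in a short window, often ending in a single approval. The following detection logic is an added example written for this digest, not code from Axios, the CSRB or any vendor; the log format, usernames and timestamps are constructed for the demo, and the ten-minute window and five-prompt threshold are assumed starting points a SOC would tune to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value format
# (hypothetical usernames; not real identity-provider output).
SAMPLE_LOG = """\
2022-11-30T09:00:01Z user=alice event=mfa_push result=approved
2022-11-30T09:10:05Z user=bob event=mfa_push result=denied
2022-11-30T09:10:20Z user=bob event=mfa_push result=denied
2022-11-30T09:10:41Z user=bob event=mfa_push result=denied
2022-11-30T09:11:02Z user=bob event=mfa_push result=denied
2022-11-30T09:11:30Z user=bob event=mfa_push result=denied
2022-11-30T09:12:15Z user=bob event=mfa_push result=approved
2022-11-30T09:05:00Z user=carol event=mfa_push result=denied
2022-11-30T09:20:00Z user=carol event=mfa_push result=denied
2022-11-30T09:35:00Z user=carol event=mfa_push result=denied
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, user, result)."""
    ts_text, *fields = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(field.split("=", 1) for field in fields)
    return ts, kv["user"], kv["result"]


def detect_mfa_fatigue(lines, window_minutes=10, threshold=5):
    """Flag users who received `threshold` or more push prompts inside a
    sliding window. Each alert records whether an approval followed the
    burst within the same window, which is the outcome a defender most
    wants to triage first. Returns a list of alert dicts (one per user)."""
    window = timedelta(minutes=window_minutes)
    events = sorted(parse_line(l) for l in lines if l.strip())

    by_user = defaultdict(list)
    for ts, user, result in events:
        if result in ("approved", "denied"):
            by_user[user].append((ts, result))

    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end, (ts, _) in enumerate(evs):
            # Slide the window's left edge forward until it fits.
            while ts - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= threshold:
                deadline = burst[0][0] + window
                approved = any(r == "approved"
                               for t, r in evs[start:] if t <= deadline)
                alerts.append({
                    "user": user,
                    "first_prompt": burst[0][0],
                    "prompts": len(burst),
                    "approved_after_burst": approved,
                })
                break  # one alert per user per run
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample, only `bob` trips the rule: five prompts inside two minutes followed by an approval, which is the sequence worth an immediate session revocation and a call to the user. `carol`'s three denials spread over thirty minutes stay below threshold, and `alice`'s single approval is normal. Number-matching or FIDO2 authenticators remove the "keep tapping approve" failure mode entirely; this check is for the window before that rollout is complete.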

IBM

IBM and Maersk Abandon Ship on TradeLens Logistics Blockchain (coindesk.com) 28

Maersk and IBM will wind down their shipping blockchain TradeLens by early 2023, ending the pair's five-year project to improve global trade by connecting supply chains on a permissioned blockchain. From a report: TradeLens emerged during the "enterprise blockchain" era of 2018 as a high-flying effort to make inter-corporate trade more efficient. Open to shipping and freight operators, its members could validate the transaction of goods as recorded on a transparent digital ledger.

The idea was to save its member shipping companies money by connecting their world. But the network was only as strong as its participants; despite some early wins, TradeLens ultimately failed to catch on with a critical mass of its target industry. "TradeLens has not reached the level of commercial viability necessary to continue work and meet the financial expectations as an independent business," Maersk Head of Business Platforms Rotem Hershko said in a statement.

Security

Hyundai App Bugs Allowed Hackers To Remotely Unlock, Start Cars (bleepingcomputer.com) 29

Vulnerabilities in mobile apps exposed Hyundai and Genesis car models made after 2012 to remote attacks that allowed unlocking and even starting the vehicles. BleepingComputer reports: Security researchers at Yuga Labs found the issues and explored similar attack surfaces in the SiriusXM "smart vehicle" platform used in cars from other makers (Toyota, Honda, FCA, Nissan, Acura, and Infiniti) that allowed them to "remotely unlock, start, locate, flash, and honk" them. At this time, the researchers have not published detailed technical write-ups for their findings but shared some information on Twitter, in two separate threads.

The mobile apps of Hyundai and Genesis, named MyHyundai and MyGenesis, allow authenticated users to start, stop, lock, and unlock their vehicles. After intercepting the traffic generated from the two apps, the researchers analyzed it and were able to extract API calls for further investigation. They found that validation of the owner is done based on the user's email address, which was included in the JSON body of POST requests. Next, the analysts discovered that MyHyundai did not require email confirmation upon registration. They created a new account using the target's email address with an additional control character at the end. Finally, they sent an HTTP request to Hyundai's endpoint containing the spoofed address in the JSON token and the victim's address in the JSON body, bypassing the validity check. To verify that they could use this access for an attack on the car, they tried to unlock a Hyundai car used for the research. A few seconds later, the car unlocked. The multi-step attack was eventually baked into a custom Python script, which only needed the target's email address for the attack.

Yuga Labs analysts found that the mobile apps for Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota use SiriusXM technology to implement remote vehicle management features. They inspected the network traffic from Nissan's app and found that it was possible to send forged HTTP requests to the endpoint only by knowing the target's vehicle identification number (VIN). The response to the unauthorized request contained the target's name, phone number, address, and vehicle details. Considering that VINs are easy to locate on parked cars, typically visible on a plate where the dashboard meets the windshield, an attacker could easily access it. These identification numbers are also available on specialized car selling websites, for potential buyers to check the vehicle's history. In addition to information disclosure, the requests can also carry commands to execute actions on the cars. [...] Before posting the details, Yuga Labs informed both Hyundai and SiriusXM of the flaws and associated risks. The two vendors have fixed the vulnerabilities.
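The Hyundai chain above comes down to two server-side defects: the owner check trusted an email address supplied in the request body rather than the authenticated session, and registration accepted an address that differed from a real owner's only by a trailing control character and never confirmed the mailbox. The following is an added example for this digest, not Hyundai's, SiriusXM's or Yuga Labs' code; it models a tiny in-memory account store with the weak ownership check next to a hardened one, using hypothetical accounts and VINs constructed for the demo.

```python
import re
import unicodedata

# Constructed demo state: normalized email -> account record.
# Addresses and VINs below are hypothetical, not real identifiers.
ACCOUNTS = {}

EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}")


def normalize_email(raw):
    """Canonicalize an address before it is used as an identity key.

    Any control or other non-printable character is rejected outright, so a
    string that differs from an existing address only by a trailing control
    character cannot be registered as a second, distinct account.
    """
    if any(unicodedata.category(ch).startswith("C") for ch in raw):
        raise ValueError("control characters are not allowed in an email address")
    email = raw.strip().lower()
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("malformed email address")
    return email


def register(raw_email):
    """Create an account in the unverified state; returns the canonical key."""
    email = normalize_email(raw_email)
    if email in ACCOUNTS:
        raise ValueError("an account already exists for this address")
    ACCOUNTS[email] = {"verified": False, "vins": set()}
    return email


def confirm_email(email):
    """Called only after the user proves control of the mailbox."""
    ACCOUNTS[email]["verified"] = True


def add_vehicle(email, vin):
    ACCOUNTS[email]["vins"].add(vin)


def authorize_weak(token_subject, body):
    """Weak pattern: the caller-supplied body decides whose vehicle this is.

    The authenticated subject is never consulted, so any logged-in account
    that knows an owner's address passes the check for that owner's car.
    """
    account = ACCOUNTS.get(body.get("email", ""))
    return account is not None and body.get("vin") in account["vins"]


def authorize(token_subject, body):
    """Hardened check: identity comes only from the authenticated subject.

    The body may name any address it likes; it is ignored for authorization.
    The subject is canonicalized with the same rules as registration and the
    account must be verified before any vehicle command is honoured.
    """
    try:
        principal = normalize_email(token_subject)
    except ValueError:
        return False
    account = ACCOUNTS.get(principal)
    if account is None or not account["verified"]:
        return False
    return body.get("vin") in account["vins"]


def run_demo():
    """One verified owner, one unrelated verified account, and a request
    whose body names the owner while the session belongs to the other
    account. Returns the outcome of each check plus whether a look-alike
    address with a trailing control character could be registered."""
    ACCOUNTS.clear()
    owner = register("Owner@Example.com")
    confirm_email(owner)
    add_vehicle(owner, "VIN-DEMO-0001")
    other = register("someone-else@example.com")
    confirm_email(other)

    request = {"email": owner, "vin": "VIN-DEMO-0001"}
    try:
        register(owner + "\x01")
        lookalike_blocked = False
    except ValueError:
        lookalike_blocked = True

    return {
        "weak_allows_other": authorize_weak(other, request),
        "hardened_allows_other": authorize(other, request),
        "hardened_allows_owner": authorize(owner, request),
        "lookalike_blocked": lookalike_blocked,
    }


if __name__ == "__main__":
    print(run_demo())
```

The design point is that the body of a state-changing request is data, not identity: the only trustworthy statement of who is calling is the session or token the server itself issued, and ownership is looked up from that. Canonicalizing addresses with one shared routine at registration, login and authorization closes the second gap, since two strings that normalize to the same key can no longer exist as separate accounts.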

Australia

Australia Will Now Fine Firms Up To $33.4 Million for Data Breaches (bleepingcomputer.com) 19

The Australian parliament has approved a bill to amend the country's privacy legislation, significantly increasing the maximum penalties to AU$50 million for companies and data controllers who suffered large-scale data breaches. From a report: The financial penalty introduced by the new bill is set to whichever is greater: AU$50 million, three times the value of any benefit obtained through the misuse of information, or 30% of a company's adjusted turnover in the relevant period.

Previously, the penalty for severe data exposures was AU$2.22 million, considered wholly inadequate to incentivize companies to improve their data security mechanisms. The new bill comes in response to a series of recent cyberattacks against Australian companies, including ransomware and network breaches, resulting in the exposure of highly sensitive data for millions of people in the country. "The Albanese Labor government has wasted no time in responding to recent major data breaches. We have announced, introduced, and delivered legislation in just over a month," reads the media announcement. "These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect."
