Iphone

Apple Alerts Users in 92 Nations To Mercenary Spyware Attacks (techcrunch.com) 16

Apple sent threat notifications to iPhone users in 92 countries on Wednesday, warning them that they may have been targeted by mercenary spyware attacks. From a report: The company said it sent the alerts to individuals in 92 nations at 12pm Pacific Time Wednesday. The notification, which TechCrunch has seen, did not disclose the attackers' identities or the countries where users received notifications.

"Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-," it wrote in the warning to affected customers. "This attack is likely targeting you specifically because of who you are or what you do. Although it's never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning -- please take it seriously," Apple added in the text.

Security

Microsoft Employees Exposed Internal Passwords In Security Lapse (techcrunch.com) 24

Zack Whittaker and Carly Page report via TechCrunch: Microsoft has resolved a security lapse that exposed internal company files and credentials to the open internet. Security researchers Can Yoleri, Murat Ozfidan and Egemen Kochisarli with SOCRadar, a cybersecurity company that helps organizations find security weaknesses, discovered an open and public storage server hosted on Microsoft's Azure cloud service that was storing internal information relating to Microsoft's Bing search engine. The Azure storage server housed code, scripts and configuration files containing passwords, keys and credentials used by the Microsoft employees for accessing other internal databases and systems. But the storage server itself was not protected with a password and could be accessed by anyone on the internet.

Yoleri told TechCrunch that the exposed data could potentially help malicious actors identify or access other places where Microsoft stores its internal files. Identifying those storage locations "could result in more significant data leaks and possibly compromise the services in use," Yoleri said. The researchers notified Microsoft of the security lapse on February 6, and Microsoft secured the spilling files on March 5. It's not known for how long the cloud server was exposed to the internet, or if anyone other than SOCRadar discovered the exposed data inside.

IT

Kobo Adds Color To Its E-reader Lineup For the First Time (arstechnica.com) 47

Kobo, a leading e-reader company, is set to release its first color e-readers on April 30: the Kobo Clara Colour ($149.99) and Kobo Libra Colour ($219.99). These devices feature colorful screens, waterproofing, Wi-Fi 5, Bluetooth, USB-C, and an adjustable frontlight.

The Clara has a 6-inch screen, while the Libra boasts a 7-inch display and supports the Kobo Stylus. Both utilize E Ink's Kaleido 3 technology, offering 4,096 colors and improved resolution. Kobo's competitive pricing undercuts other color e-readers, which typically start at $300. The company is also updating its black-and-white Clara model, now called Clara BW, with a faster processor at a lower price of $129.99.
Programming

Amazon To Stop Paying Developers To Create Apps For Alexa (bloomberg.com) 28

Amazon will no longer pay developers to create applications for Alexa, scrapping a key element of the company's effort to build a flourishing app store for its voice-activated digital assistant. From a report: Amazon recently told participants of the Alexa Developer Rewards Program, which cut monthly checks to builders of popular Alexa apps, that the offering would end at the end of June. "Developers like you have and will play a critical role in the success of Alexa and we appreciate your continued engagement," said the notice, which was reviewed by Bloomberg. Amazon is also winding down a program that offered free credits for Alexa developers to power their programs with Amazon Web Services, according to a notice posted on a company website.

Despite losing the direct payments, developers can still monetize their efforts with in-app purchases. Alexa, which powers Echo smart speakers and other devices, helped popularize voice assistants when it debuted almost a decade ago, letting users summon weather and news reports, play games and more. The company has since sold millions of Alexa-powered gadgets, but the technology appears far from the cutting-edge amid an explosion in chatbots using generative artificial intelligence.

Privacy

Proton Acquires Standard Notes (zdnet.com) 10

Privacy startup Proton already offers an email app, a VPN tool, cloud storage, a password manager, and a calendar app. In April 2022, Proton acquired SimpleLogin, an open-source product that generates email aliases to protect inboxes from spam and phishing. Today, Proton acquired Standard Notes, advancing its already strong commitment to the open-source community. From a report: Standard Notes is an open-source note-taking app, available on both mobile and desktop platforms, with a user base of over 300,000. [...] Proton founder and CEO Andy Yen makes a point of stating that Standard Notes will remain open-source, will continue to undergo independent audits, will continue to develop new features and updates, and that prices for the app/service will not change. Standard Notes has three tiers: Free, which includes 100MB of storage, offline access, and unlimited device sync; Productivity for $90 per year, which includes features like markdown, spreadsheets with advanced formulas, Daily Notebooks, and two-factor authentication; and Professional for $120 per year, which includes 100GB of cloud storage, sharing for up to five accounts, no file size limit, and more.
Apple

The World Doesn't Need More Journal Apps (wired.com) 37

We're seeing a boom in journaling apps as safer, easier ways to ease us back into posting everything online. From a report: Last year, Apple released a journal app with iOS 17. Former Yahoo CEO Marissa Mayer just unveiled a photo app called Shine, which is made to share photos and memories with a select group of people. Today, Retro -- a startup that we called "the new Instagram" -- is launching a feature called Journals within the app, which lets you record both photos and notes for a select group of people.

As a lifelong journaler, it's hard to forget that I already have an intimate, safe space to record my life and share memories. It is a notebook. I don't have to worry about marketers selling my information, because it's not accessible. What if creating a safe space all of your own means just getting off the internet altogether? Most of these apps are based on the central premise that most of us would rather talk to family or close friends than with a pretty stranger shilling snack boxes. As we reported previously, Retro has a few standout features. Once you join the app, you're prompted to select a few pictures to post per week. In order to see your friends' and family's photos, you have to share photos of your own. That keeps people actively participating instead of lurking.

The Internet

Internet Traffic Dipped as Viewers Took in the Eclipse (nytimes.com) 18

As the moon blocked the view of the sun across parts of Mexico, the United States and Canada on Monday, the celestial event managed another magnificent feat: It got people offline. From a report: According to Cloudflare, a cloud-computing service used by about 20 percent of websites globally, internet traffic dipped along the path of totality as spellbound viewers took a break from their phones and computers to catch a glimpse of the real-life spectacle.

The places with the most dramatic views saw the biggest dips in traffic compared with the previous week. In Vermont, Arkansas, Indiana, Maine, New Hampshire and Ohio -- states that were in the path of totality, meaning the moon completely blocked out the sun -- internet traffic dropped by 40 percent to 60 percent around the time of the eclipse, Cloudflare said. States that had partial views also saw drops in internet activity, but to a much lesser extent. At 3:25 p.m. Eastern time, internet traffic in New York dropped by 29 percent compared with the previous week, Cloudflare found.

The path of totality made up a roughly 110-mile-wide belt that stretched from Mazatlan, Mexico, to Montreal. In the Mexican state of Durango, which was in the eclipse zone, internet traffic measured by Cloudflare dipped 57 percent compared with the previous week, while farther south, in Mexico City, traffic was down 22 percent. The duration of the eclipse's totality varied by location, with some places experiencing it for more than four minutes while for others, it was just one to two minutes.

Data Storage

San Francisco's Light Rail To Upgrade From Floppy Disks (theregister.com) 113

Those taking public transport in the tech hub of San Francisco may be reassured to know that their rides will soon no longer be dependent on floppy disks. From a report: San Francisco Municipal Transportation Agency's director of transportation Jeffrey Tumlin told ABC that the city's automatic light-rail control system is running on outdated tech and "relies on three five-inch floppy disks" to boot up. The reporter was holding a 3.5-inch disk in the broadcast, so may have just skipped the word "point."

"It's a question of risk," Tumlin explained in a three-minute segment about the floppy replacement project. "The system is currently working just fine, but we know that with each increasing year the risk of data degradation on the floppy disks increases and that at some point there will be a catastrophic failure." The agency noted that its system was installed in 1998, when floppies were still in common use and, er, "computers didn't have hard drives."

IT

Magnets Are Switching Up the Keyboard Game 81

Magnetic switches are emerging as a potential game-changer for mechanical keyboards. By using magnets instead of physical contacts, these switches allow users to adjust the actuation point of each key. While still a nascent technology lacking standardization, magnetic switches could bring a new level of customization to keyboards, TechCrunch writes.
Security

NIST Blames 'Growing Backlog of Vulnerabilities' Requiring Analysis on Lack of Support (infosecurity-magazine.com) 22

It's the world's most widely used vulnerability database, reports SC Magazine, offering standards-based data on CVSS severity scores, impacted software and platforms, contributing weaknesses, and links to patches and additional resources.

But "there is a growing backlog of vulnerabilities" submitted to America's National Vulnerability Database and "requiring analysis", according to a new announcement from the U.S. Commerce Department's National Institute of Standards. "This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support." From SC Magazine: According to NIST's website, the institute analyzed only 199 of 3370 CVEs it received last month. [And this month another 677 came in — of which 24 have been analyzed.]

Other than a short notice advising it was working to establish a new consortium to improve the NVD, NIST had not provided a public explanation for the problems prior to a statement published [April 2]... "Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well."

NIST, which had its budget cut by almost 12% this year by lawmakers, said it was committed to continuing to support and manage the NVD, which it described as "a key piece of the nation's cybersecurity infrastructure... We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government and other stakeholder organizations that can collaborate on research to improve the NVD," the statement said. "We will provide more information as these plans develop..."

A group of cybersecurity professionals have signed an open letter to Congress and Commerce Secretary Gina Raimondo in which they say the enrichment issue is the result of a recent 20% cut in NVD funding.

The article also cites remarks from NVD program manager Tanya Brewer (reported by Infosecurity Magazine) from last week's VulnCon conference on plans to establish an NVD consortium. "We're not going to shut down the NVD; we're in the process of fixing the current problem. And then, we're going to make the NVD robust again and we'll make it grow."

Thanks to Slashdot reader spatwei for sharing the article.
Open Source

Rust, Python, Apache Foundations and Others Announce Big Collaboration on Cybersecurity Process Specifications (eclipse-foundation.blog) 42

The foundations behind Rust, Python, Apache, Eclipse, PHP, OpenSSL, and Blender announced plans to create "common specifications for secure software development," based on "existing open source best practices."

From the Eclipse Foundation: This collaborative effort will be hosted at the Brussels-based Eclipse Foundation [an international non-profit association] under the auspices of the Eclipse Foundation Specification Process and a new working group... Other code-hosting open source foundations, SMEs, industry players, and researchers are invited to join in as well.

The starting point for this highly technical standardisation effort will be today's existing security policies and procedures of the respective open source foundations, and similar documents describing best practices.

The governance of the working group will follow the Eclipse Foundation's usual member-led model but will be augmented by explicit representation from the open source community to ensure diversity and balance in decision-making. The deliverables will consist of one or more process specifications made available under a liberal specification copyright licence and a royalty-free patent licence... While open source communities and foundations generally adhere to and have historically established industry best practices around security, their approaches often lack alignment and comprehensive documentation.

The open source community and the broader software industry now share a common challenge: legislation has introduced an urgent need for cybersecurity process standards.

The Apache Foundation notes the working group is forming partly "to demonstrate our commitment to cooperation with and implementation of" the EU's Cyber Resilience Act. But the Eclipse Foundation adds that even before it goes into effect in 2027, they're recognizing open source software's "increasingly vital role in modern society" and an increasing need for reliability, safety, and security, so new regulations like the CRA "underscore the urgency for secure by design and robust supply chain security standards."

Their announcement adds that "It is also important to note that it is similarly necessary that these standards be developed in a manner that also includes the requirements of proprietary software development, large enterprises, vertical industries, and small and medium enterprises." But at the same time, "Today's global software infrastructure is over 80% open source... [W]hen we discuss the 'software supply chain,' we are primarily, but not exclusively, referring to open source."

"We invite you to join our collaborative effort to create specifications for secure open source development," their announcement concludes, promising initiative updates on a new mailing list. "Contribute your ideas and participate in the magic that unfolds when open source foundations, SMEs, industry leaders, and researchers combine forces to tackle big challenges."

The Python Foundation's announcement calls it a "community-driven initiative" that will have "a lasting impact on the future of cybersecurity and our shared open source communities."
Privacy

Commercial Bank of Ethiopia Names and Shames Customers Over Bank Glitch Money (bbc.com) 26

An Ethiopian bank has put up posters shaming customers it says have not returned money they gained during a technical glitch. From a report: Notices bearing their names and photos could be seen outside branches of the Commercial Bank of Ethiopia (CBE) on Friday. The bank has recovered almost three-quarters of the $14m it lost, its head said last week. He warned that those keeping money that is not theirs will be prosecuted. Last month, an hours-long glitch allowed customers at the CBE, Ethiopia's largest commercial bank, to withdraw or transfer more than they had in their accounts.
United Kingdom

UK Govt Office Admits Ability To Negotiate Billions in Cloud Spending Curbed By Vendor Lock-in (theregister.com) 32

The UK government has admitted its negotiating power over billions of pounds of cloud infrastructure spending has been inhibited by vendor lock-in. From a report: A document from the Cabinet Office's Central Digital & Data Office, circulated within Whitehall, seen by The Register, says the "UK government's current approach to cloud adoption and management across its departments faces several challenges" which combined result "in risk concentration and vendor lock-in that inhibit UK government's negotiating power over the cloud vendors."

The paper also says that if the UK government -- which has spent tens of billions on cloud services in the last decade -- does not change its approach, "the existing dominance of AWS and Azure in the UK Government's cloud services is set to continue." Doing nothing would mean "leaving the government with minimal leverage over pricing and product options.

"This path forecasts a future where, within a decade, the public sector could face the end of its ability to negotiate favourable terms, leading to entrenched vendor lock-in and potential regulatory scrutiny from [UK regulator] the Competition and Markets Authority." The document has been circulated under the heading "UK Public Sector Cloud Marketplace." It is authored by Chris Nesbitt-Smith, a CDDO consultant, and sponsored by CDDO principal technical architect Edward McCutcheon and David Knott, CDDO chief technical officer.

Network

Hospital Network Admin Used Fake Identity For 35 Years (thegazette.com) 88

An anonymous reader writes: Could you imagine discovering that your identity had been used to take out fraudulent loans and when you tried to resolve the issue by providing your state ID and Social Security card you were instead arrested, charged with multiple felonies, jailed for over a year, incarcerated in a mental hospital and given psychotropic drugs, eventually to be released with a criminal record and a judge's order that you could no longer use your real name? As dystopian as this might sound, it actually happened. And it was only after the victim learned his oppressor worked for The University of Iowa Hospital and contacted their security department that the investigation was taken seriously, leading to the perpetrator's arrest. The Gazette reports: Matthew David Keirans, 58, was convicted of one count of false statement to a National Credit Union Administration insured institution -- punishable by up to 30 years in federal prison -- and one count of aggravated identity theft -- punishable by up to two years in federal prison. Keirans worked as a systems architect in the hospital's IT department from June 28, 2013 to July 20, 2023, when he was terminated for misconduct related to the identity theft investigation. Keirans worked at the hospital under the name William Donald Woods, an alias he had been using since about 1988, when he worked with the real William Woods at a hot dog cart in Albuquerque, N.M. [...] By 2013, Keirans had moved to eastern Wisconsin. He started his IT job with UI Hospitals and worked remotely. He earned more than $700,000 in his 10 years working for the hospital. In 2023, his salary was $140,501, according to the hospital.

In 2019, the real William Woods was homeless, living in Los Angeles. He went to a branch of the national bank and explained that he recently discovered someone was using his credit and had accumulated a lot of debt. Woods didn't want to pay the debt and asked to know the account numbers for any accounts he had open at the bank so he could close them. Woods gave the bank employee his real Social Security card and an authentic California Identification card, which matched the information the bank had on file. Because there was a large amount of money in the accounts, the bank employee asked Woods a series of security questions that he was unable to answer. The bank employee called Keirans, whose phone number was connected to the accounts. He answered the security questions correctly and said no one in California should have access to the accounts. The employee called the Los Angeles Police Department, and officers spoke with Woods and Keirans. Keirans faxed the Los Angeles officers a copy of Woods' Social Security card and birth certificate, as well as a Wisconsin driver's license Keirans had acquired under Woods' name. The driver's license had the name William David Woods -- David is Keirans' real middle name -- rather than William Donald Woods. When questioned, Keirans told an LAPD officer he sometimes used David as a middle name, but his real name was William Donald Woods. The real Woods was arrested and charged with identity theft and false impersonation, under a misspelling of Keirans' name: Matthew Kierans.

Because Woods continued to insist, throughout the judicial process, that he was William Woods and not Matthew Kierans, a judge ruled in February 2020 that he was not mentally competent to stand trial and he was sent to a mental hospital in California, where he received psychotropic medication and other mental health treatment. In March 2021, Woods pleaded no contest to the identity theft charges -- meaning he accepted the conviction but did not admit guilt. He was sentenced to two years imprisonment with credit for the two years he already served in the county jail and the hospital and was released. He was also ordered to pay $400 in fines and to stop using the name William Woods. He did not stop. Woods continued to attempt to regain his identity by filing customer disputes with financial organizations in an attempt to clear his credit report. He also reached out to multiple law enforcement agencies, including the Hartland Police Department in Wisconsin, where Keirans lived. Woods eventually discovered where Keirans was working, and in January 2023 he reached out to the University of Iowa Hospitals' security department, who referred his complaint to the University of Iowa Police Department.

University of Iowa Police Detective Ian Mallory opened an investigation into the case. Mallory found the biological father listed on Woods' birth certificate -- which both Woods and Keirans had sent him an official copy of -- and tested the father's DNA against Woods' DNA. The test proved Woods was the man's son. On July 17, 2023, Mallory interviewed Keirans. He asked Keirans what his father's name was, and Keirans accidentally gave the name of his own adoptive father. Mallory then confronted Keirans with the DNA evidence, and Keirans responded by saying, "my life is over" and "everything is gone." He then confessed to the prolonged identity theft, according to court documents.
The full story can be read via The Gazette.
IT

PCIe 7.0 On Track For a 2025 Release (pcgamer.com) 29

An anonymous reader shares a PC Gamer report: PCI Express 7.0 is coming. But don't feel as though you need to start saving for a new motherboard anytime soon. The PCI-SIG has just released the 0.5 version, with the final version set for release in 2025. That means supporting devices are not likely to land until 2026, with 2027-28 likely to be the years we see a wider rollout. PCIe 7.0 will initially be far more relevant to the enterprise market, where bandwidth-hungry applications like AI and networking will benefit. Anyway, it's not like the PC market is saturated with PCIe 5.0 devices, and PCIe 6.0 is yet to make its way into our gaming PCs.

PCI Express bandwidth doubles every generation, so PCIe 7.0 will deliver a maximum data rate up to 128 GT/s. That's a whopping 8x faster than PCIe 4.0 and 4x faster than PCIe 5.0. This means PCIe 7.0 is capable of delivering up to 512GB/s of bi-directional throughput via an x16 connection and 128GB/s for an x4 connection. More bandwidth will certainly be beneficial for CPU to chipset links, which means multiple integrated devices like 10G networking, WiFi 7, USB 4, and Thunderbolt 4 will all be able to run on a consumer motherboard without compromise. And just imagine what all that bandwidth could mean for PCIe 7.0 SSDs. In the years to come, a PCIe 7.0 x4 SSD could approach sequential transfer rates of up to 60GB/s. We'll need some serious advances in SSD controller and NAND flash technologies to see speeds in that range, but still, it's an attractive proposition.
Further reading: PCIe 7.0 first official draft lands, doubling bandwidth yet again.
Microsoft

Microsoft Edge Will Let You Control How Much RAM It Uses Soon (theverge.com) 62

Microsoft is working on a new feature for its Edge browser that will let you limit the amount of RAM it uses. From a report: Leopeva64, who is one of the best at finding new Edge features, has spotted a new settings section in test builds of the browser that includes a slider so you can limit how much RAM Edge gets access to. The RAM slider appears to be targeted toward PC gamers, as there is a setting in Canary versions of Edge that lets you limit the amount of RAM when you're playing a PC game or all of the time. While the slider lets you pick between just 1GB and 16GB on a system with 16GB of RAM, Microsoft warns that "setting a low limit may impact browser speed."
Google

Users Say Google's VPN App Breaks the Windows DNS Settings (arstechnica.com) 37

An anonymous reader shares a report: Google offers a VPN via its "Google One" monthly subscription plan, and while it debuted on phones, a desktop app has been available for Windows and Mac OS for over a year now. Since a lot of people pay for Google One for the cloud storage increase for their Google accounts, you might be tempted to try the VPN on a desktop, but Windows users testing out the app haven't seemed too happy lately. An open bug report on Google's GitHub for the project says the Windows app "breaks" the Windows DNS, and this has been ongoing since at least November.

A VPN would naturally route all your traffic through a secure tunnel, but you've still got to do DNS lookups somewhere. A lot of VPN services also come with a DNS service, and Google is no different. The problem is that Google's VPN app changes the Windows DNS settings of all network adapters to always use Google's DNS, whether the VPN is on or off. Even if you change them, Google's program will change them back. Most VPN apps don't work this way, and even Google's Mac VPN program doesn't work this way. The users in the thread (and the ones emailing us) expect the app, at minimum, to use the original Windows settings when the VPN is off. Since running a VPN is often about privacy and security, users want to be able to change the DNS away from Google even when the VPN is running.

United States

Scathing Federal Report Rips Microsoft For Shoddy Security (apnews.com) 81

quonset shares a report: In a scathing indictment of Microsoft corporate security and transparency, a Biden administration-appointed review board issued a report Tuesday saying "a cascade of errors" by the tech giant let state-backed Chinese cyber operators break into email accounts of senior U.S. officials including Commerce Secretary Gina Raimondo.

The Cyber Safety Review Board, created in 2021 by executive order, describes shoddy cybersecurity practices, a lax corporate culture and a lack of sincerity about the company's knowledge of the targeted breach, which affected multiple U.S. agencies that deal with China. It concluded that "Microsoft's security culture was inadequate and requires an overhaul" given the company's ubiquity and critical role in the global technology ecosystem. Microsoft products "underpin essential services that support national security, the foundations of our economy, and public health and safety."

The panel said the intrusion, discovered in June by the State Department and dating to May "was preventable and should never have occurred," blaming its success on "a cascade of avoidable errors." What's more, the board said, Microsoft still doesn't know how the hackers got in. [...] It said Microsoft's CEO and board should institute "rapid cultural change" including publicly sharing "a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products."

Privacy

Missouri County Declares State of Emergency Amid Suspected Ransomware Attack (arstechnica.com) 41

An anonymous reader quotes a report from Ars Technica: Jackson County, Missouri, has declared a state of emergency and closed key offices indefinitely as it responds to what officials believe is a ransomware attack that has made some of its IT systems inoperable. "Jackson County has identified significant disruptions within its IT systems, potentially attributable to a ransomware attack," officials wrote Tuesday. "Early indications suggest operational inconsistencies across its digital infrastructure and certain systems have been rendered inoperative while others continue to function as normal."

The systems confirmed inoperable include tax and online property payments, issuance of marriage licenses, and inmate searches. In response, the Assessment, Collection and Recorder of Deeds offices at all county locations are closed until further notice. The closure occurred the same day that the county was holding a special election to vote on a proposed sales tax to fund a stadium for MLB's Kansas City Royals and the NFL's Kansas City Chiefs. Neither the Jackson County Board of Elections nor the Kansas City Board of Elections have been affected by the attack; both remain open.

The Jackson County website says there are 654,000 residents in the 607-square-mile county, which includes most of Kansas City, the biggest city in Missouri. The response to the attack and the investigation into it have just begun, but so far, officials said they had no evidence that data had been compromised. Jackson County Executive Frank White, Jr. has issued (PDF) an executive order declaring a state of emergency. The County has notified law enforcement and retained IT security contractors to help investigate and remediate the attack.
"The potential significant budgetary impact of this incident may require appropriations from the County's emergency fund and, if these funds are found to be insufficient, the enactment of additional budgetary adjustments or cuts," White wrote. "It is directed that all county staff are to take whatever steps are necessary to protect resident data, county assets, and continue essential services, thereby mitigating the impact of this potential ransomware attack."
Security

New XZ Backdoor Scanner Detects Implants In Any Linux Binary (bleepingcomputer.com) 33

Bill Toulas reports via BleepingComputer: Firmware security firm Binarly has released a free online scanner to detect Linux executables impacted by the XZ Utils supply chain attack, tracked as CVE-2024-3094. CVE-2024-3094 is a supply chain compromise in XZ Utils, a set of data compression tools and libraries used in many major Linux distributions. Late last month, Microsoft engineer Andres Freund discovered the backdoor in the latest version of the XZ Utils package while investigating unusually slow SSH logins on Debian Sid, a rolling release of the Linux distribution.

The backdoor was introduced by a pseudonymous contributor in XZ version 5.6.0 and remained present in 5.6.1. However, only a few Linux distributions and versions following a "bleeding edge" upgrading approach were impacted, with most using an earlier, safe library version. Following the discovery of the backdoor, a detection and remediation effort was started, with CISA proposing downgrading to XZ Utils 5.4.6 Stable and hunting for and reporting any malicious activity.

Binarly says the approach taken so far in the threat mitigation efforts relies on simple checks such as byte string matching, file hash blocklisting, and YARA rules, which could lead to false positives. This approach can trigger significant alert fatigue and doesn't help detect similar backdoors on other projects. To address this problem, Binarly developed a dedicated scanner that would work for the particular library and any file carrying the same backdoor. [...] Binarly's scanner increases detection as it scans for various supply chain points beyond just the XZ Utils project, and the results are of much higher confidence.
Binarly has made a free API available to accommodate bulk scans, too.