A couple of years ago, I imported a Japanese-market 4×4 van into the US; a 1996 Mitsubishi Delica. Based on the maps I found in the seat pocket and other clues, it seems to have spent its life at some city dweller’s cabin in the mountains around Fukushima, and only driven occasionally. Despite being over 25 years old, it only had 77,000 km on the odometer.

The van had some interesting old tech installed in it: what appears to be a radar detector labeled “Super Eagle 30” and a Panasonic-brand electronic toll collection device that you can insert a smart card into. One particularly noteworthy accessory that was available in mid-90s Delicas was a built-in karaoke machine for the rear passengers. Sadly, mine didn’t have that feature.

But the most interesting accessory installed in the van was the Avco Maptwin Inter, which I immediately identified as some kind of electronic navigation aid, about which there is very little information available on the English-language internet.

When I first saw the Maptwin, I had thought it might be some kind of proto-GPS that displayed latitude/longitude coordinates that you could look up on a paper map. Alas, it’s not that cool. It was not connected to any kind of antenna, and the electronics inside seem inadequate for the reception of a GPS signal. The Maptwin was, however, wired into an RPM counter that was attached between the transmission and the speedometer cable, presumably to delivery extremely accurate and convenient display of how many kilometers have been traveled since the display was last reset.

What I’ve been able to learn is that the Maptwin is computer that was mostly used for rally race navigation, precursor to devices still available from manufacturers like Terra Trip. Now, the Mitsubishi Delica is about the best 4×4 minivan you can get, but it’s extremely slow and unwieldy at speed, so it would be pretty terrible for rally racing. My best guess is that the owner used this device as a navigation aid for overland exploration, as the name “Maptwin” implies, to augment the utility of a paper map. On the other hand, I found an article that indicates that some kinds of rallies were not high speed affairs, but rather accuracy-based navigation puzzles of sorts, so who knows?

The Maptwin wasn’t working when I got the van, and I don’t know if it’s actually broken or just needs to be wired up correctly. If any OSNews readers have any additional information about any of the devices I’ve mentioned, please enlighten us in the comments. If anyone would like to try to get the Maptwin working and report back, please let me know.

As some of the dust around the xz backdoor is slowly starting to settle, we’ve been getting a pretty clear picture of what, exactly, happened, and it’s not pretty. This is a story of the sole maintainer of a crucial building block of the open source stack having mental health issues, which at least partly contributes to a lack of interest in maintaining xz. It seems a coordinated campaign – consensus seems to point to a state actor – is then started to infiltrate xz, with the goal of inserting a backdoor into the project.

Evan Boehs has done the legwork of diving into the mailing lists and commit logs of various projects and the people involved, and it almost reads like the nerd version of a spy novel. It involves seemingly fake users and accounts violently pressuring the original xz maintainer to add a second maintainer; a second maintainer who mysteriously seems to appear at around the same time, like a saviour. This second maintainer manages to gain the original maintainer’s trust, and within months, this mysterious newcomer more or less takes over as the new maintainer.

As the new maintainer, this person starts adding the malicious code in question. Sockpuppet accounts show up to add code to oss-fuzz to try and make sure the backdoor won’t be detected. Once all the code is in place for the backdoor to function, more fake accounts show up to push for the compromised versions of xz to be included in Debian, Red Hat, Ubuntu, and possibly others. Roughly at this point, the backdoor is discovered entirely by chance because Andres Freund noticed his SSH logins felt a fraction of a second slower, and he wanted to know why.

What seems to have happened here is a bad actor – again, most likely a state actor – finding and targeting a vulnerable maintainer, who, through clever social engineering on both a personal level as well as the project level, gained control over a crucial but unexciting building block of the open source stack. Once enough control and trust was gained, the bad actor added a backdoor to do… Well, something. It seems nobody really knows yet what the ultimate goal was, but we can all make some educated guesses and none of them are any good.

When we think of vulnerabilities in computer software, we tend to focus on bugs and mistakes that unintentionally create the conditions wherein someone with malicious intent can do, well, malicious things. We don’t often consider the possibility of maintainers being malicious, secretly adding backdoors for all kinds of nefarious purposes. The problem the xz backdoor highlights is that while we have quite a few ways to prevent, discover, mitigate, and fix unintentional security holes, we seem to have pretty much nothing in place to prevent intentional backdoors placed by trusted maintainers.

And this is a real problem. There are so many utterly crucial but deeply boring building blocks all over the open source stacks pretty much the entire computing world makes use of that it has become a meme, spearheaded by xkcd’s classic comic. The weakness in many of these types of projects is not the code, but the people maintaining that code, most likely through no fault of their own. There are so many things life can throw at you that would make you susceptible to social engineering – money problems, health problems, mental health issues, burnout, relationship problems, god knows what else – and the open source community has nothing in place to help maintainers of obscure but crucial pieces of infrastructure deal with problems like these.

That’s why I’m suggesting the idea of setting up a foundation – or whatever legal entity makes sense – that is dedicated to helping maintainers who face the kinds of problems like the maintainer of xz did. A place where a maintainer who is dealing with problems outside of the code repository can go to for help, advice, maybe even financial and health assistance if needed. Even if all this foundation offers to someone is a person to talk to in confidence, it might mean the difference between burning out completely, or recovering at least enough to then possibly find other ways to improve one’s situation.

If someone is burnt-out or has a mental health crisis, they could contact the foundation, tell their story, and say, hey, I need a few months to recover and deal with my problems, can we put out a call among already trusted members of the open source community to step in for me for a while? Keep the ship steady as she goes without rocking it until I get back or we find someone to take over permanently? This way, the wider community will also know the regular, trusted maintainer is stepping down for a while, and that any new commits should be treated with extra care, solving the problem of some unknown maintainer of an obscure but important package suffering in obscurity, the only hints found in the low-volume mailing list well after something goes wrong.

The financial responsibility for such a safety net should undoubtedly be borne by the long list of ultra-rich megacorporations who profit off the backs of these people toiling away in obscurity. The financial burden for something like this would be pocket change to the likes of Google, Apple, IBM, Microsoft, and so on, but could make a contribution to open source far greater than any code dump. Governments could probably be involved too, but that will most likely open up a whole can of worms, so I’m not sure if that would be a good idea.

I’m not proposing this be some sort of glorified ATM where people can go to get some free money whenever they feel like it. The goal should be to help people who form crucial cogs in the delicate machinery of computing to live healthy, sustainable lives so their code and contributions to the community don’t get compromised. This means not just doling out free money, but also helping people connect to the therapists, doctors, debt restructuring experts and whatever other specialists we all sometimes need in our lives to help us get back on track.

I’m not going to pretend to know how something like this should be set up, organised, or run, and this article and suggestion are more borne out of frustration with how we’re letting these crucial and hard workers hang out to dry and fend for themselves, but it’s obvious the industry needs to do something. If we don’t, we’re going to be seeing a lot more of the kind of orchestrated, sophisticated attacks like the one xz just experienced.

Open source is more than just code, and it’s about damn time we acknowledge that.

On October 3, 2023, Google and Yahoo announced upcoming email security standards to prevent spam, phishing and malware attempts. Outlook.com (formerly Hotmail) is also enforcing these policies.

With the big 3 Email Service Providers (ESP) in agreement, expect widespread adoption soon. Today’s threats are more complex than ever and more ESPs will begin tightening the reigns. Failure to comply with these guidelines will result in emails being blocked beginning April 2024.

In this article, we’re going to cover these guidelines and explain what senders must do in order to achieve and maintain compliance.

↫ XOMedia

Some of these changes – most of them impact bulk senders and spammers – should’ve been implemented ages ago, but seeing them being pushed by the three major email providers, who all happened to be owned, of course, by massive corporations, does raise quite a few red flags. Instinctively, this makes me worried about ulterior motives, especially since running your own email server is already fraught with issues due to the nebulous ways Gmail treats emails coming from small servers.

With the rising interest in self-hosting and things like Mastodon, I hope we’re also going to see a resurgence in hosting your own e-mail. I really don’t like that all my email is going through Gmail – it’s what OSNews uses – but I don’t feel like dealing with all the delivery issues people who try self-hosting email lament about. With a possible renewed wave of interest in it, we might be able to make the process easier and more reliable.

One of the things I’ve always wanted to experiment with on my computers is logging in and authenticating things like sudo requests with a hardware tool – a fingerprint reader, a smart card, or a USB hardware security device like a YubiKey. There’s really no solid reason for me to want this other than that it just feels cool and futuristic to me (yes, even in this, the year of our lord 2024). I have no state secrets, no secret Swiss bank accounts, no whistleblower material to protect, and my computers rarely leave the house – I just want it because it’s possible and cooler than typing in my password.

Due to the flexibility and feature set of the YubiKey, I think it’s the best choice to go for. A no-name USB fingerprint reader would probably be ugly, cumbersome to position, and Linux support would be difficult to determine. A USB smart card reader would bring the same issues as the fingerprint reader, and combined with a smart card it seems like it’s just a Yubikey with extra steps. I do have to admit the idea of sliding a smart card in a slot and have it authorise you sounds really, really satisfying.

Anyway, YubiKeys come in all shapes and sizes, but I want one of the USB-A ones with a fingerprint reader built-in, since I can plug it in at the bottom of my monitor, perfectly positioned to put my thumb on it to authenticate. This way, it’s easily accessible to be used to log into my desktop session, authorise sudo requests when I’m configuring things, log into websites with Firefox, and so on.

But there’s a problem: setting up a YubiKey on Linux seems like it’s a huge ordeal.

Just look a the official instructions on the YubiKey website, or the instructions on the Fedora website, my distribution of choice. That’s absolutely insane, and nobody should be expected to understand any of this nonsense to use what is being marketed as a consumer product. It’s important to note that this is not a hardware, software, or driver issue – all the necessary support is there, and Linux can make full use of the functionality tools like the YubiKey offers. The problem is that you’re expected to set this up manually, package by package, configuration file by configuration file, PAM module by PAM module.

When I first looked into getting a YubiKey, I expected biometric and advanced authentication tools like these to be fully integrated into modern Linux distributions and desktop environments. I figured that once you plugged one of these tools into your PC, additional options would become available in GNOME’s or KDE’s user account settings, but apparently, this isn’t the case. This means that even if you manually set everything up using the official arcane incantations, your graphical user interface won’t be aware of any of that, and changing anything will mean you have to go through those official arcane incantations again.

This is entirely unacceptable. The moment you plug in an an advanced hardware security tool like a YubiKey, GNOME and KDE should recognise it, and the settings, tools, and setup ‘wizards’ relevant to it should become available. All the hardware and software support is there – and in 2024, biometric and advanced security devices like these should not be so complicated and unforgiving to set up. Smart cards and fingerprint readers have been supported by Linux for literally decades. Why isn’t this easier?

For now, I’m still in doubt about going through with buying a YubiKey. I definitely have the skills to go through with this whole insane setup process, but I really shouldn’t have to.

There are various ways you can change the default browser and similar defaults on Windows, but oneof the ways many third-party tools do this is by editing the relevant registry strings. It turns out that Microsoft is not particularly happy with this, as they’ve recently introduced a new driver specifically designed to prevent this from happening, by blocking tools like regedit or PowerShell from editing a number of registry keys for setting default applications. The driver was discovered by Christoph Kolbicz.

Microsoft implemented a driver based protection to block changes to http/https and .pdf associations by 3rd party utilities. The rollout was staggered and activated “randomly”, but in the meantime I got many reports – also from business or education environments (but not Server OS).

Microsoft also updated the driver during my tests (from 2.0 to 2.1) and extended the deny list of executables. This means, they can change the behavior almost on the fly and add new tricks or block additional extensions/protocols!

↫ Christoph Kolbicz

Digging further into what, exactly, this driver can do, Microsoft also made it so that even if you disable the driver, an additional scheduled task will run to re-enable the driver and revert the registry changes. It also seems this is somehow related to the changes Microsoft has to make to comply with the EU’s DMA, but the driver is also installed on systems outside of the EU, so it’s all a bit unclear at the moment.

Oracle releases 441 new security patches to address 230 vulnerabilities as part of its April 2024 Critical Patch Update.

The post Oracle Patches 230 Vulnerabilities With April 2024 CPU appeared first on SecurityWeek.

Mandiant summarizes some of the latest operations of Russia’s notorious Sandworm group, which it now tracks as APT44.

The post Recent OT and Espionage Attacks Linked to Russia’s Sandworm, Now Named APT44 appeared first on SecurityWeek.

LabHost, a major phishing-as-a-service platform, has been shut down as part of a major law enforcement operation. 

The post Phishing Platform LabHost Shut Down by Law Enforcement appeared first on SecurityWeek.

Telecom giant Frontier shuts down systems to contain a cyberattack that led to personal information compromise.

The post Frontier Communications Shuts Down Systems Following Cyberattack appeared first on SecurityWeek.

MITRE R&D network hacked in early January by a state-sponsored threat group that exploited an Ivanti zero-day vulnerability.

The post MITRE Hacked by State-Sponsored Group via Ivanti Zero-Days appeared first on SecurityWeek.

Microsoft PlayReady vulnerabilities that could allow rogue subscribers to illegally download movies from popular streaming services.

The post Microsoft DRM Hack Could Allow Movie Downloads From Popular Streaming Services appeared first on SecurityWeek.

Mandiant's M-Trends 2024 report shows that defenses are improving – and that may be true. But the reality remains that these same statistics demonstrate that if anything, the attackers still retain the upper hand.

The post The Battle Continues: Mandiant Report Shows Improved Detection But Persistent Adversarial Success appeared first on SecurityWeek.

CISA warns organizations of a two-year-old Windows Print Spooler vulnerability being exploited in the wild.

The post CISA Warns of Windows Print Spooler Flaw After Microsoft Sees Russian Exploitation appeared first on SecurityWeek.

Palo Alto Networks has shared remediation instructions for organizations whose firewalls have been hacked via CVE-2024-3400.

The post Palo Alto Networks Shares Remediation Advice for Hacked Firewalls appeared first on SecurityWeek.

A new Android trojan named Brokewell can steal user’s sensitive information and allows attackers to take over devices.

The post Powerful ‘Brokewell’ Android Trojan Allows Attackers to Takeover Devices appeared first on SecurityWeek.

A Belarusian hacker activist group claims to have infiltrated the network of the country’s main KGB security agency and accessed personnel files of over 8,600 employees.

The post Hackers Claim to Have Infiltrated Belarus’ Main Security Service appeared first on SecurityWeek.

Okta warned of a spike in credential stuffing attacks using anonymizing services such as Tor, DataImpulse, Luminati, and NSocks.

The post Okta Warns of Credential Stuffing Attacks Using Tor, Residential Proxies appeared first on SecurityWeek.

New CISA guidelines categorize AI risks into three significant types and pushes a four-part mitigation strategy.

The post CISA Rolls Out New Guidelines to Mitigate AI Risks to US Critical Infrastructure appeared first on SecurityWeek.

A vulnerability (CVE-2024-27322) in the R programming language implementation can be exploited to execute arbitrary and be used as part of a supply chain attack.

The post Vulnerability in R Programming Language Could Fuel Supply Chain Attacks appeared first on SecurityWeek.

UnitedHealth Group’s CEO Andrew Witty shares details on the damaging cyberattack in testimony before a US Congress committee set for May 1, 2024.

The post UnitedHealth CEO Says Hackers Lurked in Network for Nine Days Before Ransomware Strike appeared first on SecurityWeek.

SecurityWeek interviews Geoff Belknap, CISO at LinkedIn, and Guy Rosen, CISO at Facebook parent company Meta.

The post CISO Conversations: LinkedIn’s Geoff Belknap and Meta’s Guy Rosen appeared first on SecurityWeek.

Dropbox says hackers breached its Sign production environment and accessed customer email addresses and hashed passwords. 

The post Hackers Compromised Dropbox eSignature Service appeared first on SecurityWeek.

The US government warns of a North Korean threat actor abusing weak email DMARC settings to hide spear-phishing attacks.

The post US Says North Korean Hackers Exploiting Weak DMARC Settings  appeared first on SecurityWeek.

Microsoft security chief Charlie Bell pledges significant reforms and a strategic shift to prioritize security above all other product features.

The post Microsoft Overhauls Cybersecurity Strategy After Scathing CSRB Report appeared first on SecurityWeek.

A report found more than 40 million exposures are impacting 11.5 million critical business entities, with more than half related to cloud platforms.

The post Identity, Credential Misconfigurations Open Worrying Security Gaps appeared first on Security Boulevard.

Iranian state-sponsored group APT42 is targeting NGOs, government, and intergovernmental organizations with two new backdoors.

The post Iranian Cyberspies Hit Targets With New Backdoors appeared first on SecurityWeek.

The centralized system helps organizations identify, track, and reduce risks, addressing the challenges of incomplete risk visibility and manual processes.

The post Critical Risk Launches Critical Start Cyber Risk Register  appeared first on Security Boulevard.

War of the words: Fancy Bear actions are “intolerable and unacceptable,” complains German foreign minister Annalena Baerbock.

The post Germany Warns Russia: Hacking Will Have Consequences appeared first on Security Boulevard.

The wireless communications provider announced the new company at RSA, promising that Level Blue will include managed security services and consulting services.

The post AT&T Spins Out Its Cybersecurity Business to Create LevelBlue appeared first on Security Boulevard.

It takes 4.76 days between public disclosure of a vulnerability and its first exploitations to appear.

The post Fortinet Report Sees Faster Exploitations of New Vulnerabilities appeared first on Security Boulevard.

MITRE has shared more details on the recent hack, including the new malware involved in the attack and a timeline of the attacker’s activities.

The post MITRE Hack: China-Linked Group Breached Systems in December 2023 appeared first on SecurityWeek.

No degree? No problem. The federal government and private industry leaders are coordinating to prioritize skills-based hiring to shore up the nation's cybersecurity workforce.

The post White House Cybersecurity Workforce Initiative Backed by Tech Titans appeared first on Security Boulevard.

AI is rapidly increasing the pace of API creation within organizations, leading to API security becoming as significant as traditional application security.

Here’s what you can learn from the top five API breaches of the last quarter.

The post API Vulnerabilities Found Across AI Infrastructure Projects at NVIDIA, Mercedes appeared first on Security Boulevard.

Hundreds of companies are showcasing their products and services this week at the 2024 edition of the RSA Conference in San Francisco.

The post RSA Conference 2024 – Announcements Summary (Day 1) appeared first on SecurityWeek.

Charges and sanctions announced against Dimitry Yuryevich Khoroshev, the alleged developer and operator of LockBit ransomware.

The post LockBit Ransomware Mastermind Unmasked, Charged appeared first on SecurityWeek.

Google is encouraging the adoption of multi-factor authentication to protect against phishing and other cyberattacks. It hopes 2-Step Verification (2SV) can help.

The post Google Makes Implementing 2FA Simpler appeared first on Security Boulevard.

The new Google Threat Intelligence cloud service draws from Mandiant, VirusTotal, and its own insights and combines them with generative AI.

The post Google Continues Mixing Generative AI into Cybersecurity appeared first on Security Boulevard.

PAFACA SueTok: U.S. Courts “likely” to rule whether new law is constitutional—or even practical.

The post TikTok Ban — ByteDance Sues US to Kill Bill appeared first on Security Boulevard.

Least privilege. It’s like a love-hate relationship. Everyone knows it’s a best practice, but no one is achieving it at scale.  Why? Because it’s hard to do. The market is constantly trying to sell you least privilege, but no solution is making it easier, attainable, or sustainable. TL;DR: We’re going to tell you about a […]

The post There’s a New Way To Do Least Privilege appeared first on Security Boulevard.

In the ever-evolving world of ransomware, it’s getting easier for threat groups to launch attacks – as evidence by the growing number of incidents – but more difficult to make a profit. Organizations’ cyber-defenses are getting more resilient, decryptors that enable victims to regain control of their data, and law enforcement crackdowns on high-profile cybercrime..

The post Ransomware Attacks are Up, but Profits are Down: Chainalysis appeared first on Security Boulevard.

Zscaler says its customer, production and corporate environments are not impacted after a notorious hacker offers to sell access.

The post Zscaler Investigates Hacking Claims After Data Offered for Sale appeared first on SecurityWeek.

Stagnating security budgets and mounting job pressures are weighing on CISOs, a quarter of whom expressed discontent with their salary and overall compensation.

Show me the money: The average total compensation for tech CISOs stands at $710,000.

The post One in Four Tech CISOs Unhappy with Compensation appeared first on Security Boulevard.

Chinese crooks are running a global network of more than 75,000 fake online shops to steal credit card data and process fraudulent payments.

The post Massive Online Shopping Scam Racks Up 850,000 Victims appeared first on Security Boulevard.

A GAO review of NASA projects found that, while some cybersecurity challenges have been addressed, many security policies and standards remain optional.

The post NASA Must Improve Spacecraft Cybersecurity, GAO Report Finds appeared first on Security Boulevard.

A Chrome 124 update patches the second Chrome zero-day that has been found to be exploited in malicious attacks in 2024.

The post Exploited Chrome Zero-Day Patched by Google appeared first on SecurityWeek.

DUDE! You’re Getting Phished.

Dell customer data from the past six (or more?) years was stolen. It looks like someone sold scads of personal information to the highest bidder.

The post Dell Hell: 49 Million Customers’ Information Leaked appeared first on Security Boulevard.

The tech giant says the information stolen doesn't represent a significant risk to users, but cybersecurity experts disagree.

The post Dell Data Breach Could Affect 49 Million Customers appeared first on Security Boulevard.

Bad actors are always ready to exploit political strife to their own ends. Right now, they’re doing so with the conflict in the Middle East. A holistic defense against influence networks requires collaboration between government, technology companies and security research organizations.

The post Emerald Divide Uses GenAI to Exploit Social, Political Divisions in Israel Using Disinformation appeared first on Security Boulevard.

The Chinese hacking contest Matrix Cup is offering big rewards for exploits targeting OSs, smartphones, enterprise software, browsers, and security products.

The post $2.5 Million Offered at Upcoming ‘Matrix Cup’ Chinese Hacking Contest  appeared first on SecurityWeek.