Today — 18 May 2024 (Main stream)

£30,000 raised for Wirral ‘local legend’ denied UK citizenship

Nelson Shardey, 74, became tearful on hearing of support for effort to gain settled status after 50 years in UK

A retired 74-year-old newsagent who has lived in the UK for nearly 50 years said “tears were running” from his eyes after strangers fundraised more than £30,000 to support his legal fight to remain in the country.

Nelson Shardey, who has been described as a Merseyside “local legend”, is pursuing a legal challenge against the Home Office after he was refused indefinite leave to remain, despite living and working in the UK since 1977.

© Photograph: Joel Goodman/The Guardian

Fears of new Windrush as thousands of UK immigrants face ‘cliff edge’ visa change

18 May 2024 at 05:00

Campaigners say move to electronic permits by end of the year is a ‘recipe for disaster’ that could leave immigrants without proof of status

Lawyers and migrant rights campaigners have warned that the government is heading for a repeat of the Windrush scandal after imposing a “cliff edge” deadline for immigrants to switch to new digital visas.

By the end of this year an estimated 500,000 or more non-EU immigrants with leave to remain in the UK will need to replace their physical biometric residence permits (BRPs) – which demonstrate proof of their right to reside, rent, work and claim benefits – with digital e-visas.

© Photograph: mundissima/Alamy

Yesterday — 17 May 2024 (Main stream)

David Lammy says his family links to slavery will inform political approach

Shadow foreign secretary sets out vision for a more strategic, less elitist approach to UK diplomacy

The shadow foreign secretary, David Lammy, says his family history as descendants of enslaved people will inform his work in government, as he seeks to deepen the UK’s relations with the global south and the Commonwealth.

“I will take the responsibility of being the first foreign secretary descended from the slave trade incredibly seriously,” he said in a speech setting out how Labour would reform the Foreign, Commonwealth and Development Office (FCDO), a Whitehall department that has a reputation for institutional conservatism.

© Photograph: Joel Goodman/The Guardian

Ex-Post Office boss did not believe there had been miscarriages of justice, inquiry hears

17 May 2024 at 10:15

Finance chief gives evidence on Paula Vennells and says company looked like ‘corporate bullies’ in how it dealt with branch operators

The former Post Office chief executive Paula Vennells did not believe there had been miscarriages of justice, the Horizon inquiry has heard, as the current finance boss said the company looked like “corporate bullies” in the way it dealt with branch operators.

Alisdair Cameron, the Post Office chief financial officer who joined the board in 2015, told the inquiry on Friday that Vennells had been “clear in her conviction” that nothing had gone wrong with Horizon.

© Photograph: Bloomberg/Getty Images

Into Britain’s angry pulpit steps Rev Vennells, who ran the Post Office – to explain why it sent honest people to jail | Marina Hyde

17 May 2024 at 08:56

Her inquiry appearance has been long awaited. So far, no official has been held accountable for the ruining of so many lives

Strange to think the northern lights have been glimpsed in public more frequently over the past few years than the former Post Office CEO Paula Vennells. I didn’t see the northern lights last week, but I will see Vennells close up next week, when – at very, very long last – she presents herself before the public inquiry into the Horizon scandal.

Polite notice: if your attention has drifted slightly after the fireworks sparked by ITV’s sensational drama Mr Bates vs The Post Office earlier this year, next week is the time to return with laser-like focus to this story. Post Office is once again box office – and remember, NOT ONE PERSON has yet been held accountable for what happened. Alan Bates has just rejected his second “derisory” offer of government compensation.

Marina Hyde is a Guardian columnist

© Photograph: PA Images/Alamy

Before yesterday (Main stream)

Former Post Office executive tells Horizon inquiry she blocked Paula Vennells’ number

16 May 2024 at 13:43

Lesley Sewell said departed CEO had called for help ‘plugging gaps in her memory’ before select committee appearance

A former Post Office executive has told the inquiry into the Horizon scandal that she blocked Paula Vennells’s phone number after the company’s ex-CEO contacted her asking for help to “plug memory gaps” and to “avoid an independent inquiry”.

Lesley Sewell, who was chief information officer at the Post Office until she left in 2015, said that she had subsequently been contacted by her former boss four times in 2020 and 2021.

© Photograph: Post Office Horizon IT Inquiry/PA

Red Cross and Foreign Office to discuss plan to visit Palestinians in Israeli detention

ICRC is denied access to prisoners in what is said to be breach of Geneva conventions but critics say UK plan may weaken rule of law

Red Cross officials are to hold talks with the UK over a Foreign Office plan to visit Palestinian detainees held by Israel. Critics say this bypasses a duty on Israel under the Geneva conventions to give the Red Cross access to detainees.

Israel has suspended the International Committee of the Red Cross (ICRC) from access to Palestinian detainees since the Hamas attack on 7 October, and says it will not rescind the policy until Hamas grants access to Israeli hostages.

© Photograph: Anadolu/Getty Images

Xiaomi and WPS Vulnerabilities: File Overwrite Risks Alert

16 May 2024 at 03:00

In the digital realm, security is paramount, especially when it comes to the applications we use daily. Recently, concerns have surfaced regarding vulnerabilities in popular Android applications available on the Google Play Store. Revelations by the Microsoft Threat Intelligence team have unearthed a WPS Office exploit dubbed the Dirty Stream attack, casting a spotlight on […]

The post Xiaomi and WPS Vulnerabilities: File Overwrite Risks Alert appeared first on TuxCare.


Apple, SpaceX, Microsoft return-to-office mandates drove senior talent away

14 May 2024 at 10:40
Photograph: Someone holding a box with their belongings in an office (credit: Getty)

A study analyzing Apple, Microsoft, and SpaceX suggests that return to office (RTO) mandates can lead to a higher rate of employees, especially senior-level ones, leaving the company, often to work at competitors.

The study (PDF), published this month by University of Chicago and University of Michigan researchers and reported by The Washington Post on Sunday, says:

In this paper, we provide causal evidence that RTO mandates at three large tech companies—Microsoft, SpaceX, and Apple—had a negative effect on the tenure and seniority of their respective workforce. In particular, we find the strongest negative effects at the top of the respective distributions, implying a more pronounced exodus of relatively senior personnel.

The study looked at résumé data from People Data Labs and used "260 million résumés matched to company data." It only examined three companies, but the report's authors noted that Apple, Microsoft, and SpaceX represent 30 percent of the tech industry's revenue and over 2 percent of the technology industry's workforce. The three companies have also been influential in setting RTO standards beyond their own companies. Robert Ployhart, a professor of business administration and management at the University of South Carolina and scholar at the Academy of Management, told the Post that despite the study being limited to three companies, its conclusions are a broader reflection of the effects of RTO policies in the US.


Dell responds to return-to-office resistance with VPN, badge tracking

8 May 2024 at 16:57
Photograph: Signage outside Dell Technologies headquarters in Round Rock, Texas, US, on Monday, Feb. 6, 2023 (credit: Getty)

After reversing its position on remote work, Dell is reportedly implementing new tracking techniques on May 13 to ensure its workers are following the company's return-to-office (RTO) policy, The Register reported today, citing anonymous sources.

Dell has allowed people to work remotely for over 10 years. But in February, it issued an RTO mandate, and come May 13, most workers will be classified as either totally remote or hybrid. Starting this month, hybrid workers have to go into a Dell office at least 39 days per quarter. Fully remote workers, meanwhile, are ineligible for promotion, Business Insider reported in March.

Now The Register reports that Dell will track employees' badge swipes and VPN connections to confirm that workers are in the office for a significant amount of time.


‘Disrupt whenever possible’: police clash with protesters blocking bus to Bibby Stockholm – video

Hundreds of protesters prevented an attempt to collect asylum seekers from a south London hotel and transfer them to the Bibby Stockholm barge. The Guardian witnessed crowds blocking the bus and the road outside the Best Western hotel in Peckham before police were able to move in and break up the protest. The bus eventually left the area after seven hours, with no asylum seekers onboard

London protesters block transfer of asylum seekers to Bibby Stockholm

© Photograph: The Observer

DHS, CISA Partner to Secure Critical Infrastructure in the Age of AI

AI Threats

The Department of Homeland Security (DHS), in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA) and the Countering Weapons of Mass Destruction Office (CWMD), has announced a suite of initiatives aimed at securing critical infrastructure and guarding against AI threats.

This announcement comes as the DHS marks the 180-day milestone of President Biden’s Executive Order (EO) 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI)”.

Secretary of Homeland Security Alejandro N. Mayorkas emphasized the dual nature of AI, stating, “AI can present transformative solutions for U.S. critical infrastructure, and it also carries the risk of making those systems vulnerable in new ways to critical failures, physical attacks, and cyber attacks. Our Department is taking steps to identify and mitigate those threats.”

Securing Critical Infrastructure from AI Threats

DHS, in partnership with CISA, released comprehensive safety and security guidelines designed to address AI threats to critical infrastructure. These guidelines categorize risks into three main areas:

  • Attacks Using AI: This includes the use of AI to plan or execute physical or cyber attacks on critical infrastructure.
  • Attacks Targeting AI Systems: Targeted attacks on AI systems supporting critical infrastructure.
  • Failures in AI Design and Implementation: Deficiencies or inadequacies in AI systems leading to malfunctions or unintended consequences.

To tackle these risks, DHS proposes a four-part mitigation strategy:

  • Govern: Establish an organizational culture prioritizing AI risk management.
  • Map: Understand individual AI use contexts and risk profiles.
  • Measure: Develop systems to assess, analyze, and track AI risks.
  • Manage: Prioritize and act upon AI risks to safety and security.

CISA Director Jen Easterly emphasized the importance of these guidelines, stating, “Based on CISA’s expertise as National Coordinator for critical infrastructure security and resilience, DHS’ Guidelines are the agency’s first-of-its-kind cross-sector analysis of AI-specific risks to critical infrastructure sectors and will serve as a key tool to help owners and operators mitigate AI risk.”

The CBRN Threat: Preparing for the Unthinkable

The DHS, working closely with its CWMD Office, has produced a report analyzing the potential misuse of AI in the development or production of chemical, biological, radiological, and nuclear (CBRN) threats. Assistant Secretary for CWMD Mary Ellen Callahan highlighted the importance of this report, stating, “The responsible use of AI holds great promise for advancing science, solving urgent and future challenges, and improving our national security, but AI also requires that we be prepared to rapidly mitigate the misuse of AI in the development of chemical and biological threats,

All Hands on Deck: Department Unites for Goal

In addition to these initiatives, Secretary Mayorkas has spearheaded various efforts to expand DHS’s leadership on AI:

  • Artificial Intelligence Safety and Security Board (AISSB): Established to advise DHS and the critical infrastructure community on the safe and secure development and deployment of AI.
  • AI Roadmap: A detailed plan for using AI technologies while protecting individuals’ privacy, civil rights, and civil liberties.
  • AI Corps: An accelerated hiring initiative aimed at leveraging AI expertise across strategic areas of the homeland security enterprise.

These efforts highlight DHS’s commitment to advancing the responsible use of AI for homeland security missions while mitigating its associated risks. In the face of evolving threats, DHS remains steadfast in its dedication to safeguarding the nation’s critical infrastructure and ensuring the safe and secure integration of AI technologies.

April’s Patch Tuesday Brings Record Number of Fixes

9 April 2024 at 16:28

If only Patch Tuesdays came around infrequently — like total solar eclipse rare — instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch — a record 147 flaws in Windows and related software.

Yes, you read that right. Microsoft today released updates to address 147 security holes in Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, Bitlocker, and Windows Secure Boot.

“This is the largest release from Microsoft this year and the largest since at least 2017,” said Dustin Childs, from Trend Micro’s Zero Day Initiative (ZDI). “As far as I can tell, it’s the largest Patch Tuesday release from Microsoft of all time.”

Tempering the sheer volume of this month’s patches is the middling severity of many of the bugs. Only three of April’s vulnerabilities earned Microsoft’s most-dire “critical” rating, meaning they can be abused by malware or malcontents to take remote control over unpatched systems with no help from users.

Most of the flaws that Microsoft deems “more likely to be exploited” this month are marked as “important,” which usually involve bugs that require a bit more user interaction (social engineering) but which nevertheless can result in system security bypass, compromise, and the theft of critical assets.

Ben McCarthy, lead cyber security engineer at Immersive Labs called attention to CVE-2024-20670, an Outlook for Windows spoofing vulnerability described as being easy to exploit. It involves convincing a user to click on a malicious link in an email, which can then steal the user’s password hash and authenticate as the user in another Microsoft service.

Another interesting bug McCarthy pointed to is CVE-2024-29063, which involves hard-coded credentials in Azure’s search backend infrastructure that could be gleaned by taking advantage of Azure AI search.

“This along with many other AI attacks in recent news shows a potential new attack surface that we are just learning how to mitigate against,” McCarthy said. “Microsoft has updated their backend and notified any customers who have been affected by the credential leakage.”

CVE-2024-29988 is a weakness that allows attackers to bypass Windows SmartScreen, a technology Microsoft designed to provide additional protections for end users against phishing and malware attacks. Childs said one of ZDI’s researchers found this vulnerability being exploited in the wild, although Microsoft doesn’t currently list CVE-2024-29988 as being exploited.

“I would treat this as in the wild until Microsoft clarifies,” Childs said. “The bug itself acts much like CVE-2024-21412 – a [zero-day threat from February] that bypassed the Mark of the Web feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass Mark of the Web.”

Update, 7:46 p.m. ET: A previous version of this story said there were no zero-day vulnerabilities fixed this month. BleepingComputer reports that Microsoft has since confirmed that there are actually two zero-days. One is the flaw Childs just mentioned (CVE-2024-21412), and the other is CVE-2024-26234, described as a “proxy driver spoofing” weakness.

Satnam Narang at Tenable notes that this month’s release includes fixes for two dozen flaws in Windows Secure Boot, the majority of which are considered “Exploitation Less Likely” according to Microsoft.

“However, the last time Microsoft patched a flaw in Windows Secure Boot in May 2023 had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for $5,000,” Narang said. “BlackLotus can bypass functionality called secure boot, which is designed to block malware from being able to load when booting up. While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future.”

For links to individual security advisories indexed by severity, check out ZDI’s blog and the Patch Tuesday post from the SANS Internet Storm Center. Please consider backing up your data or your drive before updating, and drop a note in the comments here if you experience any issues applying these fixes.

Adobe today released nine patches tackling at least two dozen vulnerabilities in a range of software products, including Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate.

KrebsOnSecurity needs to correct the record on a point mentioned at the end of March’s “Fat Patch Tuesday” post, which looked at new AI capabilities built into Adobe Acrobat that are turned on by default. Adobe has since clarified that its apps won’t use AI to auto-scan your documents, as the original language in its FAQ suggested.

“In practice, no document scanning or analysis occurs unless a user actively engages with the AI features by agreeing to the terms, opening a document, and selecting the AI Assistant or generative summary buttons for that specific document,” Adobe said earlier this month.

Fat Patch Tuesday, February 2024 Edition

13 February 2024 at 17:28

Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.

Top of the heap on this Fat Patch Tuesday is CVE-2024-21412, a “security feature bypass” in the way Windows handles Internet Shortcut Files that Microsoft says is being targeted in active exploits. Redmond’s advisory for this bug says an attacker would need to convince or trick a user into opening a malicious shortcut file.

Researchers at Trend Micro have tied the ongoing exploitation of CVE-2024-21412 to an advanced persistent threat group dubbed “Water Hydra,” which they say has been using the vulnerability to execute a malicious Microsoft Installer File (.msi) that in turn unloads a remote access trojan (RAT) onto infected Windows systems.

The other zero-day flaw is CVE-2024-21351, another security feature bypass — this one in the built-in Windows SmartScreen component that tries to screen out potentially malicious files downloaded from the Web. Kevin Breen at Immersive Labs says it’s important to note that this vulnerability alone is not enough for an attacker to compromise a user’s workstation, and instead would likely be used in conjunction with something like a spear phishing attack that delivers a malicious file.

Satnam Narang, senior staff research engineer at Tenable, said this is the fifth vulnerability in Windows SmartScreen patched since 2022 and all five have been exploited in the wild as zero-days. They include CVE-2022-44698 in December 2022, CVE-2023-24880 in March 2023, CVE-2023-32049 in July 2023 and CVE-2023-36025 in November 2023.

Narang called special attention to CVE-2024-21410, an “elevation of privilege” bug in Microsoft Exchange Server that Microsoft says is likely to be exploited by attackers. Attacks on this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or “pass the hash” attack, which lets an attacker masquerade as a legitimate user without ever having to log in.

“We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers,” Narang said. “A Russian-based threat actor leveraged a similar vulnerability to carry out attacks – CVE-2023-23397 is an Elevation of Privilege vulnerability in Microsoft Outlook patched in March 2023.”

Microsoft notes that prior to its Exchange Server 2019 Cumulative Update 14 (CU14), a security feature called Extended Protection for Authentication (EPA), which provides NTLM credential relay protections, was not enabled by default.

“Going forward, CU14 enables this by default on Exchange servers, which is why it is important to upgrade,” Narang said.

Rapid7’s lead software engineer Adam Barnett highlighted CVE-2024-21413, a critical remote code execution bug in Microsoft Office that could be exploited just by viewing a specially-crafted message in the Outlook Preview pane.

“Microsoft Office typically shields users from a variety of attacks by opening files with Mark of the Web in Protected View, which means Office will render the document without fetching potentially malicious external resources,” Barnett said. “CVE-2024-21413 is a critical RCE vulnerability in Office which allows an attacker to cause a file to open in editing mode as though the user had agreed to trust the file.”

Barnett stressed that administrators responsible for Office 2016 installations who apply patches outside of Microsoft Update should note the advisory lists no fewer than five separate patches which must be installed to achieve remediation of CVE-2024-21413; individual update knowledge base (KB) articles further note that partially-patched Office installations will be blocked from starting until the correct combination of patches has been installed.

It’s a good idea for Windows end-users to stay current with security updates from Microsoft, which can quickly pile up otherwise. That doesn’t mean you have to install them on Patch Tuesday. Indeed, waiting a day or three before updating is a sane response, given that sometimes updates go awry and usually within a few days Microsoft has fixed any issues with its patches. It’s also smart to back up your data and/or image your Windows drive before applying new updates.

For a more detailed breakdown of the individual flaws addressed by Microsoft today, check out the SANS Internet Storm Center’s list. For those admins responsible for maintaining larger Windows environments, it often pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.
