Privacy

DuckDuckGo Launches New Email Protection Service To Remove Trackers (theverge.com) 45

DuckDuckGo is launching a new email privacy service meant to stop ad companies from spying on your inbox. From a report: The company's new Email Protection feature gives users a free "@duck.com" email address, which will forward emails to your regular inbox after analyzing their contents for trackers and stripping any away. DuckDuckGo is also extending this feature with unique, disposable forwarding addresses, which can be generated easily in DuckDuckGo's mobile browser or through desktop browser extensions.

The personal DuckDuckGo email is meant to be given out to friends and contacts you know, while the disposable addresses are better served when signing up for free trials, newsletters, or anywhere you suspect might sell your email address. If the email address is compromised, you can easily deactivate it. These tools are similar to anti-tracking features implemented by Apple in iOS 14 and iOS 15, but DuckDuckGo's approach integrates into iOS, Android, and all major web browsers. DuckDuckGo will also make it easier to spin up disposable email addresses on the fly, for newsletters or anywhere you might share your email.

Privacy

Man Behind LinkedIn Scraping Said He Grabbed 700 Million Profiles 'For Fun' (9to5mac.com) 27

The man behind last month's scraping of LinkedIn data, which exposed the location, phone numbers, and inferred salaries of 700 million users, says that he did it "for fun" -- though he is also selling the data. 9to5Mac reports: BBC News spoke with the man who took the data, under the name Tom Liner: "How would you feel if all your information was catalogued by a hacker and put into a monster spreadsheet with millions of entries, to be sold online to the highest paying cyber-criminal? That's what a hacker calling himself Tom Liner did last month 'for fun' when he compiled a database of 700 million LinkedIn users from all over the world, which he is selling for around $5,000 [...]. In the case of Mr Liner, his latest exploit was announced at 08:57 BST in a post on a notorious hacking forum [...] 'Hi, I have 700 million 2021 LinkedIn records,' he wrote. Included in the post was a link to a sample of a million records and an invite for other hackers to contact him privately and make him offers for his database."

Liner says he was also behind the scraping of 533 million Facebook profiles back in April (you can check whether your data was grabbed): "Tom told me he created the 700 million LinkedIn database using 'almost the exact same technique' that he used to create the Facebook list. He said: 'It took me several months to do. It was very complex. I had to hack the API of LinkedIn. If you do too many requests for user data in one time then the system will permanently ban you.'"

China

White House Formally Blames China's Ministry of State Security for Microsoft Exchange Hack (therecord.media) 38

The U.S. and a coalition of allies on Monday formally attributed the sweeping campaign against Microsoft Exchange email servers to hackers affiliated with China's Ministry of State Security. From a report: The group assessed with "high confidence" that Beijing-linked digital operators carried out the attack that ensnared hundreds of thousands of systems worldwide, a senior Biden administration official told reporters on Sunday. In addition, the partners alleged the ministry -- which oversees the civilian arm of Beijing's intelligence gathering operations -- has utilized contract hackers to conduct other malicious cyber activities around the globe, including a ransomware attack on an American company, and other pursuits to line the pockets of MSS officials.

The use of such hired muscle "was really eye-opening and surprising for us," said the official, who was only authorized to speak anonymously. The coalition includes the U.S., the so-called "Five Eye" nations, Japan, the European Union and NATO. Monday's announcement marks the first time the transatlantic alliance has condemned Chinese digital activities, the official said. The massive Exchange hack was first disclosed in March -- at the same time the Biden administration was dealing with the SolarWinds breach that has since been formally attributed to Russia's foreign intelligence service.

IT

Amazon Shuts Down NSO Group Infrastructure (vice.com) 37

Amazon Web Services (AWS) has shut down infrastructure and accounts linked to Israeli surveillance vendor NSO Group, Amazon said in a statement. From a report: The move comes as a group of media outlets and activist organizations published new research into NSO's malware and phone numbers potentially selected for targeting by NSO's government clients. "When we learned of this activity, we acted quickly to shut down the relevant infrastructure and accounts," an AWS spokesperson told Motherboard in an email.

Iphone

Despite the Hype, iPhone Security No Match For NSO Spyware (washingtonpost.com) 116

International investigation finds 23 Apple devices that were successfully hacked. From a report: The text delivered last month to the iPhone 11 of Claude Mangin, the French wife of a political activist jailed in Morocco, made no sound. It produced no image. It offered no warning of any kind as an iMessage from somebody she didn't know delivered malware directly onto her phone -- and past Apple's security systems. Once inside, the spyware, produced by Israel's NSO Group and licensed to one of its government clients, went to work, according to a forensic examination of her device by Amnesty International's Security Lab. It found that between October and June, her phone was hacked multiple times with Pegasus, NSO's signature surveillance tool, during a time when she was in France. The examination was unable to reveal what was collected. But the potential was vast: Pegasus can collect emails, call records, social media posts, user passwords, contact lists, pictures, videos, sound recordings and browsing histories, according to security researchers and NSO marketing materials.

The spyware can activate cameras or microphones to capture fresh images and recordings. It can listen to calls and voice mails. It can collect location logs of where a user has been and also determine where that user is now, along with data indicating whether the person is stationary or, if moving, in which direction. And all of this can happen without a user even touching her phone or knowing she has received a mysterious message from an unfamiliar person -- in Mangin's case, a Gmail user going by the name "linakeller2203." These kinds of "zero-click" attacks, as they are called within the surveillance industry, can work on even the newest generations of iPhones, after years of effort in which Apple attempted to close the door against unauthorized surveillance -- and built marketing campaigns on assertions that it offers better privacy and security than rivals.

[...] Researchers have documented iPhone infections with Pegasus dozens of times in recent years, challenging Apple's reputation for superior security when compared with its leading rivals, which run Android operating systems by Google. The months-long investigation by The Post and its partners found more evidence to fuel that debate. Amnesty's Security Lab examined 67 smartphones whose numbers were on the Forbidden Stories list and found forensic evidence of Pegasus infections or attempts at infections in 37. Of those, 34 were iPhones -- 23 that showed signs of a successful Pegasus infection and 11 that showed signs of attempted infection.

IT

Take-Two Has Been Issuing Takedowns for GTA Mods (pcgamer.com) 21

Earlier this year, Rockstar's parent company Take-Two Interactive played takedown whack-a-mole with reverse-engineered versions of Grand Theft Auto 3 and Vice City. The publisher has apparently gone further in the last week or so, issuing DMCA takedown notices for GTA 5 map mods like Vice City Overhaul, as well as multiple popular mods for earlier games in the series. From a report: GTA: Liberty City was a total conversion that brought the setting of GTA 3 into Vice City's engine, and was first released in 2005. It's no longer available on ModDB. Vice Cry, which replaced Vice City's textures and models with higher-resolution versions, is also gone. So is GTA: Underground, which combined the maps of not just GTA 3, Vice City, and San Andreas, but those of other Rockstar games Bully, Manhunt, and Manhunt 2, then added gang warfare. So are the mods converting San Andreas into ports of console-exclusives Liberty City Stories and Vice City Stories. And that's not all.

A thread on GTAForums has been cataloguing the removals, as well as noting that Rockstar's statement on singleplayer mods, initially made during the back-and-forth over modding tool OpenIV in 2017, and which many modders have been assuming would protect their work, was quietly updated in 2019. It now notes that it does not apply to either the "use or importation of other IP (including other Rockstar IP) in the project" or "making new games, stories, missions, or maps". Neither of those clauses was in the original version of Rockstar's statement, which has been excluded from the Wayback Machine, but can still be read in our news story from the time.

Cellphones

Investigation Reveals Widespread Cellphone Surveillance of the Innocent (theguardian.com) 184

Cellphones "can be transformed into surveillance devices," writes the Guardian, reporting startling new details about which innocent people are still being surveilled (as part of a collaborative reporting project with 16 other media outlets led by the French nonprofit Forbidden Stories).

Long-time Slashdot reader shanen shared the newspaper's critique of a "privatised government surveillance industry" that's made NSO a billion-dollar company, thanks to its phone-penetrating spy software Pegasus: [NSO] insists only carefully vetted government intelligence and law enforcement agencies can use Pegasus, and only to penetrate the phones of "legitimate criminal or terror group targets". Yet in the coming days the Guardian will be revealing the identities of many innocent people who have been identified as candidates for possible surveillance by NSO clients in a massive leak of data... The presence of their names on this list indicates the lengths to which governments may go to spy on critics, rivals and opponents.

First we reveal how journalists across the world were selected as potential targets by these clients prior to a possible hack using NSO surveillance tools. Over the coming week we will be revealing the identities of more people whose phone numbers appear in the leak. They include lawyers, human rights defenders, religious figures, academics, businesspeople, diplomats, senior government officials and heads of state. Our reporting is rooted in the public interest. We believe the public should know that NSO's technology is being abused by the governments who license and operate its spyware.

But we also believe it is in the public interest to reveal how governments look to spy on their citizens and how seemingly benign processes such as HLR lookups [which track the general locations of cellphone users] can be exploited in this environment.

It is not possible to know without forensic analysis whether the phone of someone whose number appears in the data was actually targeted by a government or whether it was successfully hacked with NSO's spyware. But when our technical partner, Amnesty International's Security Lab, conducted forensic analysis on dozens of iPhones that belonged to potential targets at the time they were selected, they found evidence of Pegasus activity in more than half.

The investigators say that potential targets included nearly 200 journalists around the world, including numerous reporters from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, and even the editor of the Financial Times.

In addition, the investigators say they found evidence the Pegasus software had been installed on the phone of the fiancée of murdered Saudi journalist Jamal Khashoggi. NSO denies this to the Washington Post. But they also insist that they're simply licensing their software to clients, and their company "has no insight" into those clients' specific intelligence activities.

The Washington Post reports that Amnesty's Security Lab found evidence of Pegasus attacks on 37 of 67 smartphones from the list which they tested. But beyond that "for the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, Androids do not log the kinds of information required for Amnesty's detective work."

Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.

China

Will a New Law Help the Chinese Government Stockpile Zero-Days? (securityweek.com) 27

"Starting September 1, 2021, the Chinese government will require that any Chinese citizen who finds a zero-day vulnerability must pass the details to the Chinese government," reports SecurityWeek, "and must not sell or give the knowledge to any third-party outside of China (apart from the vulnerable product's manufacturer)." Brief details are provided in a report by the Associated Press (AP) published Tuesday, July 13, 2021. No source is provided beyond the statement, "No one may 'collect, sell or publish information on network product security vulnerabilities,' say the rules issued by the Cyberspace Administration of China and the police and industry ministries...."

AP describes this action as "further tightening the Communist Party's control over information". This is unlikely to be the primary motivation for the new rule since the government already has a vice-like grip on data. Companies may not store data on Chinese customers outside of China. Foreign companies selling routers and some other network devices in China must disclose to regulators how any encryption features work.

"I would expect the Chinese Government to weaponize any discovered security vulnerabilities to enhance China's cybersecurity capabilities," Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, tells SecurityWeek. And Jake Williams, co-founder and CTO at BreachQuest adds that "the defensive advantages of Chinese government organizations being able to mitigate vulnerabilities discovered may well outweigh any offensive gains...."

But he also believes this could rebound against China. "One of the biggest likely issues is brain drain. If Chinese researchers can profit handsomely from their work anywhere else, but can't do so in China, why would they stay? This probably helps China in the short term but harms them in the long term."

The new law does encourage network operators and product vendors to set up a reward mechanism for reported vulnerabilities, according to the Record. But Katie Moussouris, founder and CEO of Luta Security, also raises the issue of western-based bug bounty platforms that have been working with Chinese security researchers for the past years. "If Western-based bug bounty platforms comply with this requirement in order to continue to legally receive bug reports from Chinese researchers, we must assume they will be required to hand over vulnerability data to the Ministry within two days of receiving the reports," Moussouris said. "That requirement will effectively introduce a backdoor straight to the Chinese government in any VDP [vulnerability disclosure program] or bug bounty program where Chinese researchers submit bugs via platforms, even to non-Chinese companies."

Government

Tahoe's Workforce is Disappearing, As Many Can No Longer Afford to Live There (sfgate.com) 181

200 miles east of Silicon Valley, "A disproportionate number of people who purchased homes in Tahoe in 2020 are employees of some of the largest tech companies in the Bay Area," a real estate brokerage firm specializing in data analytics recently told Outside magazine.

Of the 2,280 new-home buyers Atlasa identified throughout the Tahoe region in 2020, roughly 30 percent worked at software companies. The top three employers were Google (54 buyers), Apple (46), and Facebook (34)... There is, however, one glaring issue with all this rapid, high-priced growth: the people who actually make a mountain town run — the ski instructors and patrollers, lift operators and shuttle drivers, housekeepers and snowcat mechanics, cooks and servers — can no longer afford to live there.
Just last year Sierra Sotheby's found more than 2,350 homes were sold across the Tahoe Basin, for a boggling $3.28 billion (up 86% from the $1.76 billion in 2019), according to the article, which calls the popular tele-working destination a "Zoom town."

Now the region's heading into its summer tourist season — but "with a shorthanded workforce, businesses are unraveling," like the restaurant that simply closed for a week because "We literally do not have enough cooks to operate..." The evidence is showing up in the ways businesses are cutting back during the peak of the busiest time of year, a time when small business owners in Tahoe typically are trying to make as much money as possible so they can survive the slower times of year...

While the hiring crisis spans far and wide across the nation, in Tahoe, the linchpin is housing. At Tahoe Dave's, Dave Wilderotter, the owner of Tahoe Dave's Skis and Boards, starts his employees at $20 an hour. Most of his employees make too much money to qualify for affordable housing. But they don't make enough money to pay Tahoe's rent prices, which have risen by 25% to 50% in the past year. Tahoe's workforce is disappearing because many of them cannot afford to live here any more... Making matters worse, Tahoe's already minimal long-term rental housing stock is getting eaten up by the very hot real estate market. Many landlords are selling homes they've been renting to local workers, leaving those tenants without many options...

"This isn't just tourism that's being hit," says Alex Mourelatos, a business owner on Tahoe's North Shore who also serves on multiple boards for the North Tahoe Public Utility District and nonprofit groups. "It's every service industry. Every industry across people, dentistry, legal, everything, Planned Urban Developments, all the special districts, firemen, teachers, all of them." The hiring crisis has even affected critical services like public transportation. Bus drivers are so hard to come by that the Tahoe Transportation District made the unprecedented decision to shut down an entire bus route down the East Shore.

The district had shuttles but no one to steer the wheel.

Security

Mysterious Israeli Spyware Vendor's Windows Zero-Days Caught in the Wild (vice.com) 27

Government hackers from several countries used spyware made by an Israeli company to target victims all over the world, according to new research by digital rights watchdog Citizen Lab and Microsoft. From a report: The spyware leveraged two unknown vulnerabilities -- also known as zero-day exploits -- in Windows. Citizen Lab, which is housed at the University of Toronto's Munk School, and Microsoft worked together on the research, and published reports detailing their findings on Thursday. The company said it detected hacking attempts on more than 100 victims including "politicians, human rights activists, journalists, academics, embassy workers, and political dissidents" in Palestine, Israel, Iran, Lebanon, Spain, UK, and other countries. Citizen Lab said it was able to identify and reach out to a victim who let its researchers analyze their computer and extract the malware.

"This was someone who was targeted for their political positions and political beliefs, rather than someone who was the target of a terrorism investigation or something like this," Bill Marczak, one of the researchers at Citizen Lab who worked on the investigations, told Motherboard in a phone call. Citizen Lab concluded that the malware and the zero-days were developed by Candiru, a mysterious Israel-based spyware vendor that offers "high-end cyber intelligence platform dedicated to infiltrate PC computers, networks, mobile handsets," according to a document seen by Haaretz. Candiru was first outed by the Israeli newspaper in 2019, and has since gotten some attention from cybersecurity companies such as Kaspersky Lab. But, until now, no one had published an analysis of Candiru's malware, nor found someone targeted with its spyware.

Businesses

UK-listed Cybersecurity Firm Avast in Merger Talks With NortonLifeLock (reuters.com) 12

London-listed cybersecurity firm Avast is in advanced talks with U.S. rival NortonLifeLock about a merger that would create a clear leader in consumer security software. From a report: Both companies confirmed the talks late on Wednesday, with Avast saying an offer would be in cash and shares, although it added there was no certainty a deal will be agreed. Avast, which was founded and based in Prague, Czech Republic, is a pioneer of "freemium" software, whereby basic applications are free and subscribers pay for premium features. Its Avast and AVG branded desktop and mobile software had more than 435 million active users at the end of 2020, of which 16.5 million are paying. The shift to home working during COVID-19 spurred demand for its desktop products like antivirus software, and it recorded 7.1% organic growth in adjusted billings to $922 million last year.

IOS

iOS Zero-Day Let SolarWinds Hackers Compromise Fully Updated iPhones (arstechnica.com) 22

The Russian state hackers who orchestrated the SolarWinds supply chain attack last year exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing Web authentication credentials from Western European governments, according to Google and Microsoft. Ars Technica reports: In a post Google published on Wednesday, researchers Maddie Stone and Clement Lecigne said a "likely Russian government-backed actor" exploited the then-unknown vulnerability by sending messages to government officials over LinkedIn. Attacks targeting CVE-2021-1879, as the zero-day is tracked, redirected users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers who delivered malware to Windows users, the researchers said.

The campaign closely tracks to one Microsoft disclosed in May. In that instance, Microsoft said that Nobelium -- the name the company uses to identify the hackers behind the SolarWinds supply chain attack -- first managed to compromise an account belonging to USAID, a US government agency that administers civilian foreign aid and development assistance. With control of the agency's account for online marketing company Constant Contact, the hackers could send emails that appeared to use addresses known to belong to the US agency. In an email, Shane Huntley, the head of Google's Threat Analysis Group, confirmed the connection between the attacks involving USAID and the iOS zero-day, which resided in the WebKit browser engine.

Hardware

PC Market Growth Slows Amid Global Chip Shortages (theverge.com) 27

The PC market is showing early signs of its growth slowing down, after an impressive run of shipments throughout 2020. From a report: Both IDC and Gartner conclude that growth in the second quarter of PC shipments has slowed this year. Demand for new PCs is still above what we saw before the pandemic hit, but a mixture of softer demand and the effects of the global chip shortage mean it's not growing as quickly. "The market faces mixed signals as far as demand is concerned," says Neha Mahajan, a senior research analyst at IDC. "With businesses opening back up, demand potential in the commercial segment appears promising. However, there are also early indicators of consumer demand slowing down as people shift spending priorities after nearly a year of aggressive PC buying." IDC says more than 83 million PCs were shipped in the second quarter of 2021, while Gartner's own figure is more than 71 million. Gartner does not include Chromebook shipments in its results, but the research firm says "Chromebook shipments were once again strong in the second quarter of 2021." Either way, both firms agree that year-over-year growth in this latest quarter wasn't as strong as 2020's sudden growth.

Security

Work From Home Fueling Cyberattacks, Says Global Financial Watchdog (nbcnews.com) 31

An anonymous reader quotes a report from NBC News: Financial firms may need to bolster their defenses in the face of rocketing cyberattacks after employees began working from home, the Financial Stability Board (FSB) said on Tuesday. The board, which coordinates financial rules for the G20 group of nations, said remote working since economies went into lockdown to fight Covid-19 opened up new possibilities for cyberattacks. Working from home is expected to stay in some form across the financial services industry and beyond. "Most cyber frameworks did not envisage a scenario of near-universal remote working and the exploitation of such a situation by cyber threat actors," the FSB said in a report to G20 ministers and central banks.

Cyber activities such as phishing, malware and ransomware grew from fewer than 5,000 per week in February 2020 to more than 200,000 per week in late April, the FSB said. "Financial institutions have generally been resilient but they may need to consider adjustments to cyber risk management processes, cyber incident reporting, response and recovery activities, as well as management of critical third-party service providers, for example cloud services," the FSB said. The FSB, chaired by Federal Reserve Vice Chair Randal Quarles and comprising regulators and central banks from leading financial centers, will publish a final report in October setting out its next steps. It has already made proposals for strengthening the resilience of money market funds which suffered severe stresses during last year's market turmoil.

Bug

Facebook Announces Time Bonus Payouts For Bug Hunters (nbcnews.com) 9

Facebook is adding a new perk to its bug bounty program that will pay bonus rewards to researchers based on the time it takes the social network to fix a vulnerability after it's found and reported by bug hunters. ZDNet reports: Essentially, Facebook is acknowledging that it's sometimes slow to reach a bounty decision and is using this bonus payment to encourage patience among the researchers in its bug bounty community. The Payout Time Bonus will reward reports that are paid more than 30 days from the time Facebook receives all the necessary information for a successful reproduction of the report and its impact, Facebook said. The bonuses will be paid on a sliding scale, with payouts made between 30-59 days receiving a 5% bonus; payouts made between 60-89 days receiving a 7.5% bonus; and payouts made after 90 days or more receiving a 10% bonus. Reports that require clarification from the researcher will have the payments adjusted accordingly.

Encryption

Amazon Rolls Out Encryption For Ring Doorbells (zdnet.com) 53

Starting today in the U.S. (and other countries in the not too distant future), you'll be able to encrypt the video footage captured via your Ring devices. ZDNet reports: This is done with Amazon's Video End-to-End Encryption (E2EE). If you decide to install this optional privacy feature, you'll need to install a new version of the Ring application on your smartphone. Once installed, it uses a Public Key Infrastructure (PKI) security system based on an RSA 2048-bit asymmetric account signing key pair. In English, the foundation is pretty darn secure.

Earlier, Ring already encrypted videos when they are uploaded to the cloud (in transit) and stored on Ring's servers (at rest). Law enforcement doesn't have automatic access to customer devices or videos. You choose whether or not to share footage with law enforcement. With E2EE, customer videos are further secured with an additional lock, which can only be unlocked by a key that is stored on the customer's enrolled mobile device, designed so that only the customer can decrypt and view recordings on their enrolled device. In addition, you'll need to opt into using E2EE. It doesn't turn on automatically with the software update. You'll also need to set a passphrase, which you must remember. AWS doesn't keep a copy. If you lose it, you're out of luck. [Just know that if you use E2EE, various features will be missing, such as sharing your videos, being able to view encrypted videos on Ring.com, the Windows desktop app, the Mac desktop app, or the Rapid Ring app, and the Event Timeline. E2EE also won't work with many Ring devices.]
ZDNet notes that while police can still ask for or demand your video and audio content, they won't be able to decrypt your E2EE end-to-end encrypted video "because the private keys required to decrypt the videos are only stored on customer's enrolled mobile devices."

Firefox

Firefox Says Its Revamped SmartBlock Won't Break Facebook Login Buttons Anymore (theverge.com) 32

Firefox 90 introduces the next version of SmartBlock, the browser's tracker blocking mechanism built into its private browsing and strict modes, which now has improvements designed to prevent buttons that let you log into websites using your Facebook account from breaking, Mozilla announced on Tuesday. From a report: SmartBlock was first introduced with Firefox 87 in March, and if you aren't familiar, here's Mozilla's description of how it works, from the company's blog: "SmartBlock intelligently fixes up web pages that are broken by our tracking protections, without compromising user privacy. SmartBlock does this by providing local stand-ins for blocked third-party tracking scripts. These stand-in scripts behave just enough like the original ones to make sure that the website works properly. They allow broken sites relying on the original scripts to load with their functionality intact." Sometimes, though, the feature would break Facebook login buttons. In a new blog post, Mozilla's Tom Wisniewski and Arthur Edelstein explain why this would happen, using an example of trying to log in to Etsy.

Security

Gmail Deploys Support BIMI Security Standard (therecord.media) 50

Google has rolled out support for the new Brand Indicators for Message Identification (BIMI) standard to all Gmail users as part of an effort to improve email-sender authenticity. From a report: The new standard is hard to comprehend for non-technical users, but it basically allows companies that have implemented email security standards like DMARC, DKIM, and SPF for their email domains to show "authenticated logos" inside email clients. Since all these security protocols rely on digital certificates and advanced cryptography, the verified logos will only appear for a company's real email domain and not for spoofed emails sent by scammers or cybercrime groups.

Security

Ransomware Gang REvil Vanishes From Web After Biden Warning (bloomberg.com) 71

The Russia-linked ransomware gang REvil has seemingly vanished from the dark web, where it maintains several pages documenting its activities including one called the "happy blog." From a report: It's not yet known if the sites were down temporarily or if the group -- or law enforcement -- took its websites offline. "It's too early to tell, but I've never seen ALL of their infrastructure offline like this," said Allan Liska, senior threat analyst at cybersecurity firm Recorded Future, in a text message. "I can't find any of their infrastructure online. Their extortion page is gone, all of their payment portals are offline, as is their chat function." Liska said the websites went offline around 1 a.m. Eastern time. The sudden outage comes just days after President Joe Biden said he pressed Russian President Vladimir Putin to act against hackers in his country blamed for recent ransomware attacks.

Windows

Windows 11 Will Support Rolling Back To Windows 10, but Not for Long (extremetech.com) 91

Microsoft took the wraps off Windows 11 recently, and we expect the new OS to arrive later this year. Upgrading to a new version of Windows is often a painful process, and in the past, you were stuck even if the new software ruined your workflow. It's different this time: Microsoft says you'll be able to go back to Windows 10 if you don't like Windows 11. You'll only have 10 days to decide, though. From a report: How will you know if Windows 11 is worth using? There's a preview program for Windows 11, but the preview builds are still missing some elements of the final release. You don't have to mess with the Insiders builds at all -- you can install the final version when it's available, and take it for a spin. This news comes by way of a PDF that Microsoft has provided to PC manufacturers. It's an FAQ format, and among the various redundant queries is this gem: "Can I go back to Windows 10 after I upgrade if I don't like Windows 11?" The answer is a resounding yes... for 10 days. You'll have that long to decide to roll back to Windows 10. Wait any longer, and you're locked into Windows 11 unless you reformat your system.
