RSS aggregator

AT&T Confirms Data Breach Affecting Nearly All Wireless Customers

The Hacker News - 13 July, 2024 - 07:51
American telecom service provider AT&T has confirmed that threat actors managed to access data belonging to "nearly all" of its wireless customers as well as customers of mobile virtual network operators (MVNOs) using AT&T's wireless network. "Threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated
Category: Hacking & Security

IT Guy's Week: Firefox's shocking decline, Microsoft bans Android phones, and Alza no longer distinguishes open-box goods

Živě.cz - 13 July, 2024 - 07:45
Computers, internet and AI: Alza has changed its product categorization and merged new and open-box products into a single group. New and open-box goods are no longer separated when searching or browsing categories, which may be confusing for customers. Firefox, once a contender for the position of the most-used browser, ...
Category: IT News

OBS Studio 30.2

AbcLinuxu [zprávičky] - 13 July, 2024 - 04:55
Version 30.2 of the free software OBS Studio (Open Broadcaster Software, Wikipedia), intended for streaming and recording the computer screen, has been released. An overview of what's new is on GitHub. It can also be installed from Flathub.
Category: GNU/Linux & BSD

Car dealer software slinger CDK Global said to have paid $25M ransom after cyberattack

The Register - Anti-Virus - 13 July, 2024 - 01:53
15K dealerships take estimated $600M+ hit

CDK Global reportedly paid a $25 million ransom in Bitcoin after its servers were knocked offline by crippling ransomware.…

Category: Viruses and Worms

The Dawn Mk-II Aurora spaceplane gets the green light for a new series of tests

OSEL.cz - 13 July, 2024 - 00:00
Dawn Aerospace can take the proverbial training wheels off the Aurora spaceplane. New Zealand authorities have approved flights for it to an altitude of nearly 25 kilometers and at unlimited speed. Aurora is set to become the first privately funded unmanned aircraft to break the sound barrier.
Category: Science and Technology

White House urged to double check Microsoft isn't funneling AI to China via G42 deal

The Register - Anti-Virus - 12 July, 2024 - 22:22
Windows maker insisted everything will be locked down and secure – which given its reputation, uh-oh!

Two House committee chairs have sent a public letter to the White House asking it to look into a deal between AI R&D outfit G42 and Microsoft.…

Category: Viruses and Worms

Beyond CRISPR: Scientists Say New Gene Editing Tool Is Like a ‘Word Processor’ for DNA

Singularity HUB - 12 July, 2024 - 21:30

CRISPR was one of the most influential breakthroughs of the last decade, but it’s still imperfect. While the gene editing tool is already helping people with genetic ailments, scientists are also looking to improve on it.

Efforts have extended the CRISPR family to include less damaging, more accurate, and smaller versions of the gene editor. But in the bacterial world, where CRISPR was originally discovered, we’re only scratching the surface. Two new papers suggest an even more powerful gene editor may be around the corner—if it’s proven to work in cells like our own.

In one of the papers, scientists at the Arc Institute say they discovered a new CRISPR-like gene editing tool in bacterial “jumping genes.” Another paper, written independently, covers the same tool and extends the work to a similar one in a different family.

Jumping genes move around within genomes and even between individuals. It’s long been known they do this by cutting and pasting their own DNA, but none of the machinery has been shown to be programmable like CRISPR. In the recent studies, scientists describe jumping gene systems that, in a process the teams are alternatively calling bridge editing and seekRNA, can be modified to cut, paste, and flip any DNA sequence.

Crucially, unlike CRISPR, the system does all this without breaking strands of DNA or relying on the cell to repair them, a process that can be damaging and unpredictable. The various molecules involved are also fewer and smaller than those in CRISPR, potentially making the tool safer and easier to deliver into cells, and can deal with much longer sequences.

“Bridge recombination can universally modify genetic material through sequence-specific insertion, excision, inversion, and more, enabling a word processor for the living genome beyond CRISPR,” said Berkeley’s Patrick Hsu, a senior author of one of the studies and Arc Institute core investigator, in a press release.

CRISPR Coup

Scientists first discovered CRISPR in bacteria defending themselves against viruses. In nature, a Cas9 protein pairs with an RNA guide molecule to seek out viral DNA and, when located, chop it up. Researchers learned to reengineer this system to seek out any DNA sequence, including sequences found in human genomes, and break the DNA strands at those locations. The natural machinery of the cell then repairs these breaks, sometimes using a provided strand of DNA.

CRISPR gene editing is powerful. It’s being investigated in clinical trials as a treatment for a variety of genetic diseases and, late last year, received its first clinical approval as a therapy for sickle cell disease and beta thalassemia. But it’s not perfect.

Because the system breaks DNA and relies on the cell to repair these breaks, it can be imprecise and unpredictable. The tool also works primarily on short sections of DNA. While many genetic illnesses are due to point mutations, where a single DNA “letter” has been changed, the ability to work with longer sequences would broaden the technology’s potential uses in both synthetic biology and gene therapy.

Scientists have developed new CRISPR-based systems over the years to address these shortcomings. Some systems only break a single DNA strand or swap out single genetic “letters” to increase precision. Studies are also looking for more CRISPR-like systems by screening the whole bacterial universe; others have found naturally occurring systems in eukaryotic cells like our own.

The new work extends the quest by adding jumping genes into the mix.

An RNA Bridge

Jumping genes are a fascinating feat of genetic magic. These sequences of DNA can move between locations in the genome using machinery to cut and paste themselves. In bacteria, they even move between individuals. This sharing of genes could be one way bacteria acquire antibiotic resistance—one cell that’s evolved to evade a drug can share its genetic defenses with a whole population.

In the Arc Institute study, researchers looked into a specific jumping gene in bacteria called IS110. They found that when the gene is on the move, it calls a sequence of RNA—like the RNA guide in CRISPR—to facilitate the process. The RNA includes two loops: One binds the gene itself and the other seeks out and binds to the gene’s destination in the genome. It acts like a bridge between the DNA sequence and the specific location where it’s to be inserted. In contrast to CRISPR, once found, the sequence can be added without breaking DNA.

“Bridge editing [cuts and pastes DNA] in a single-step mechanism that recombines and re-ligates the DNA, leaving it fully intact,” Hsu told Fierce Biotech in an email. “This is very distinct from CRISPR editing, which creates exposed DNA breaks that require DNA repair and have been shown to create undesired DNA damage responses.”

Crucially, the researchers discovered both loops of RNA can be reprogrammed. That means scientists can specify a genomic location as well as what sequence should go there. In theory, the system could be used to swap in long genes or even multiple genes. As a proof of concept in E. coli bacteria, the team programmed IS110 to insert a DNA sequence almost 5,000 bases long. They also cut and inverted another sequence of DNA.

The study was joined by a different paper written independently by another team of scientists at the University of Sydney detailing both IS110 and a related enzyme in a different family, IS111, that they say is similarly programmable. In their paper, they called these systems “seekRNA.”

The tools rely on a single protein half the size of those in CRISPR. That means it may be easier to package them in harmless viruses or lipid nanoparticles—these are also used in Covid vaccines—and ferry them into cells where they can get to work.

The Next Jump

The approach has big potential, but there’s also a big caveat. So far, the researchers have only shown it works in bacteria. CRISPR, on the other hand, is incredibly versatile, having proved itself in myriad cell types. Next, they hope to hone the approach further and adapt it to mammalian cells like ours. That may not be easy. The University of Tokyo’s Hiroshi Nishimasu says the IS110 family hasn’t yet shown itself amenable to such a task.

All this is to say it’s still early in the technology’s arc. Scientists knew about CRISPR years before they showed it was programmable, and it wasn’t put to work in human cells until 2013. Although it’s moved relatively quickly from lab to clinic since then, the first CRISPR-based treatments took years more to materialize.

At the least, the new work shows we haven’t exhausted all nature has to offer gene editing. The tech could also be useful in the realm of synthetic biology, where single cells are being engineered on grand scales to learn how life works at its most basic and how we might reengineer it. And if the new system can be adapted for human cells, it would be a useful new option in the development of safer, more powerful gene therapies.

“If this works in other cells, it will be game-changing,” Sandro Fernandes Ataide, a structural biologist at the University of Sydney and author on the paper detailing IS111, told Nature. “It’s opening a new field in gene editing.”

Image Credit: The Arc Institute

Category: Transhumanism

For July, Microsoft’s Patch Tuesday update fixes four zero-day flaws

Computerworld.com [Hacking News] - 12 July, 2024 - 21:00

Microsoft released 132 updates in its July Patch Tuesday update while addressing four zero-days (CVE-2024-35264, CVE-2024-37985, CVE-2024-38080 and CVE-2024-38112) affecting Windows desktop, Microsoft .NET and Visual Studio. This is a very significant patch cycle for Microsoft SQL Server, but there are no updates for Microsoft browsers and a low-profile set of patches for Microsoft Office. No major revisions require attention, with testing focused squarely on SQL-dependent applications.

The team at Readiness has provided a useful infographic detailing the risks with each of the updates this cycle. 

Known issues 

Each month, Microsoft publishes a list of known issues included in its latest release, including two reported minor issues:

  • After you install KB5034203 (dated 01/23/2024) or later updates, some Windows devices that use the DHCP Option 235 to discover Microsoft Connected Cache (MCC) nodes in their network might be unable to use those nodes. Microsoft offered two options to mitigate the issue through setting the Cache Hostname or using group policies. Microsoft is still working on a resolution.
  • Context menus and dialog buttons in some Windows apps, or parts of the Windows OS user interface (UI), might display in English when English is not set as the display language. This might also affect font size.

We fully expect to see more issues relating to how the Windows UI is presented over the coming months as Microsoft works through some of the core-level issues with new ARM builds. This means that even non-ARM builds will be affected (see CVE-2024-37985). Look out for input method editor, language pack, and dialog box language issues for non-English builds.

Major revisions 

This Patch Tuesday saw Microsoft publishing the following major revisions to past security and feature updates, including:

  • CVE-2024-30098: Windows Cryptographic Services Security Feature Bypass. Microsoft has added a FAQ to explain how this vulnerability is being addressed and further actions customers must take to be protected from it. This is an informational change only; no further action is required.

Mitigations and workarounds

Microsoft published the following vulnerability-related mitigations for this month’s release cycle: 

Each month, the Readiness team analyses the latest Patch Tuesday updates and provides detailed, actionable testing guidance based on assessing a large application portfolio and a detailed analysis of the patches and their potential impact on the Windows platforms and app installations.

For this cycle, we have grouped the critical updates and required testing efforts into different functional areas:

Microsoft Office

  • Test out your Teams logins (which shouldn’t take too long).
  • Because SharePoint was updated, third-party extensions or dependencies will require testing.
  • Due to the change in Outlook, Internet Calendars (ICS files) will require testing.
  • With the Visio update, large CAD drawings will require a basic import and load test.

Microsoft .NET and developer tools

Microsoft has updated the Microsoft .NET, MSI Installer and Visual Studio with the following testing guidance:

  • PowerShell updates will require a diagnostics test. Try the command, “import-module Microsoft.powershell.diagnostics -verbose” and validate that you are getting the correct results from your home directory.
  • Due to the change in the Windows core installation technology (MSI), please validate that User Account Control (UAC) still functions as expected.

Microsoft SQL Server

This month is a big update for both Microsoft SQL Server and the local, or workstation supporting elements of OLE. The primary focus for this kind of complex effort should be your line-of-business or core applications. These are the applications that have multiple data connections and rely on complex, multiple object/session requirements. Due to the changes this month, we can’t recommend specific Windows feature testing regimes, as we are most concerned that the business logic (and resulting data) of the application in question might be affected. Only you will know what looks good; we advise a comparative testing regime across unpatched and newly patched systems looking for data disparities.

Windows

Microsoft made another update to the Win32 and GDI subsystems with a recommendation to test out a significant portion of your application portfolio. We also recommend that you test the following functional areas in the Windows platform:

  • File compression has been updated, so file and archive extraction scenarios will need to be exercised.
  • Due to the Microsoft codec updates, perform a system reboot and test that your audio and camera still work together.
  • Security updates will require the testing of the creation of new Windows certificates.
  • Networking changes will require a test of DNS and DHCP, specifically the DHCP R_DhcpAddSubnetElement API. As part of these changes, testing VPN authentication will be required. Try to include your Network Policy Server (NPS) as part of the connection creation and deletion effort.
  • This month’s update to Remote Desktop Services (RDS) will require the creation and revocation of license requests.
  • A significant update to the Network Driver Interface Specification (NDIS) will require testing of network traffic involving repeated bursts of large files. Try using Teams while this networking burst testing is in progress.
  • Backup and printing have been updated, so test your volumes and ensure that when you print out a test page, your OS does not crash (yes, really). Try printing out TIFF files. (Hey, you might like it.)

As part of the ongoing effort to support the new ARM architecture, Microsoft released the first patch for this new platform, CVE-2024-37985. This is an Intel assigned processor-level vulnerability that has been mitigated by a Microsoft OS level patch. The Readiness team has provided guidance on potential ARM-related compatibility and testing issues. 

Specifically, the Readiness team was concerned with Input Method Editors (IMEs). We suggest a full test cycle of Windows input related features such as keyboard, mouse, touch, pen, gesture and dictation. Some internet shortcuts might be affected as well as wallpapers.

Windows lifecycle update 

This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms.

  • Home and Pro editions of Windows 11, version 22H2 will reach end of service on Oct. 8, 2024. Until then, these editions will only receive security updates. They will no longer receive non-security, preview updates.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (both desktop and server); 
  • Microsoft Office;
  • Microsoft Exchange Server;
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
  • Adobe (if you get this far).

Browsers

Microsoft did not release any updates for its non-Chromium browsers. Following the stable channel release of Chrome (applicable until July 25, 2024) we have not seen any changes, deprecations or testing profile updates to this browser. No further action required.
 

Windows

Microsoft released four critical and 83 updates rated as important with two zero-day patches (CVE-2024-38080 and CVE-2024-38112) affecting the Microsoft Hyper-V and MSHTML feature groups, respectively. In addition to these critical updates, Microsoft patches for July affect the following Windows feature groups:

  • Windows NTLM, Kernel, GDI and Graphics;
  • Windows Backup;
  • Windows Codecs;
  • Microsoft Hyper-V;
  • Windows (Line) Print and Fax;
  • Windows Remote Desktop and Gateway;
  • Windows Secure Boot and Enrolment Manager.

Add these Windows updates to your Patch Now release cycle.

Microsoft Office 

Microsoft returns to form with a critical update for Office this month (CVE-2024-38023) for the SharePoint platform. We have another update for Outlook related to spoofing (CVE-2024-38020), but this vulnerability is not wormable and requires user interaction. There are four more, lower rated updates; please add all of these updates to your standard release schedule.

Microsoft SQL (nee Exchange) Server 

There were no updates for Microsoft Exchange Server this month. However, we have seen the largest release of Microsoft SQL updates in the past few years. These SQL-related updates cover 37 separate reported vulnerabilities (CVEs) and the following main product features:

  • SQL Server Native Client OLE DB Provider;
  • Microsoft OLE DB Driver for SQL.

We covered the testing requirements for this SQL update in our testing guidance section above. This month’s SQL updates will require some preparation and dedicated testing before adding to your standard release schedule.

Microsoft development platforms 

Microsoft released four, low-profile updates to the Microsoft .NET and Visual Studio platforms. We do not expect serious testing requirements for these vulnerabilities. However, CVE-2024-35264 has been reported as publicly disclosed by Microsoft. This makes this an unusually urgent patch for Microsoft Visual Studio attracting a “Patch Now” rating this month.

Adobe Reader (and other third-party updates) 

Very much as our Microsoft Exchange section has been “hijacked” by SQL Server updates this month, we’re using the Adobe section for third-party updates. (There are no updates to Adobe Reader.) 

  • CVE-2024-3596: NPS RADIUS Server. A vulnerability exists in the RADIUS protocol that potentially affects many products and implementations of the RFC 2865 in the UDP version of the RADIUS protocol. 
  • CVE-2024-38517 and CVE-2024-39684: GitHub Active Directory Management Rights. The vulnerability assigned to this CVE is in the RapidJSON library which is consumed by the Microsoft Active Directory Rights Management Services Client, hence the inclusion of this CVE with this update.
  • CVE-2024-37985: This memory related update from Intel relates to its prefetcher technology. Affected: Core Windows OS memory related components — particularly the new ARM builds, which I find both confusing and ironic.

Read Greg Lambert’s 2024 Patch Tuesday reports:

Category: Hacking & Security

EU accuses X/Twitter of breaching the Digital Services Act

Computerworld.com [Hacking News] - 12 July, 2024 - 20:28

The European Commission has released the preliminary findings from an investigation launched last year into X (formerly Twitter), and said it believes the company is in breach of the Digital Services Act (DSA), which applies to marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms.

Non-compliance in three areas

In a statement, the Commission said X was found non-compliant in three areas: 

  • The “verified account” mechanism is designed and implemented in a way that deceives users and does not correspond to industry practice. “Since anyone can subscribe to obtain such a ‘verified’ status, it negatively affects users’ ability to make free and informed decisions about the authenticity of the accounts and the content they interact with,” the Commission said, adding there is “evidence of motivated malicious actors abusing the ‘verified account’ to deceive users.”
  • X does not comply with requirements around transparency in advertising. “In particular, the design does not allow for the required supervision and research into emerging risks brought about by the distribution of advertising online,” the Commission argued.
  • X does not provide access to its public data to researchers, as specified by conditions in the DSA. Its terms of service prohibit researchers from independently accessing public data, and its process for granting researchers access via its application programming interfaces (APIs) “appears to dissuade researchers from carrying out their research projects or leave them with no other choice than to pay disproportionally high fees.”

X now has the right to examine the commission’s documentation and prepare a defense. 

If the preliminary findings are confirmed, the company faces a non-compliance decision that could result in fines of up to 6% of its global annual revenue, an order to address the issues detailed in the decision, and the potential for a period of enhanced supervision. The commission can also impose periodic penalty payments.

The move could be seen as a warning shot to other companies.

“While the ruling may not have a direct impact on enterprise CIOs, it emphasizes learning from broader implications and the mistakes of others,” said Phil Brunkard, executive counselor at Info-Tech Research Group, UK. “It sets a precedent for public trust in online marketplaces or social media, highlighting the importance of integrity and transparency in data privacy. Regulation is not just about ticking the compliance box — it’s crucial for customer trust. CIOs must ensure strong governance to protect their brands and maintain customer trust, as trust is the foundation for successful organizations.”

Investigations continue


Investigations continue into X’s risk management around the dissemination of illegal content and the effectiveness of how it combats information manipulation.

To assist in its investigations, the Commission released a whistleblower tool that allows people to contact it anonymously with information contributing to compliance monitoring of X and other entities designated Very Large Online Platforms (VLOP) under the DSA.

X is not the only organization under scrutiny. The Commission has also initiated formal proceedings against TikTok, Meta (in separate proceedings launched in April and May 2024, respectively), and AliExpress.

Category: Hacking & Security

CISA broke into a US federal agency, and no one noticed for a full 5 months

The Register - Anti-Virus - 12 July, 2024 - 20:01
Red team exercise revealed a score of security fails

The US Cybersecurity and Infrastructure Security Agency (CISA) says a red team exercise at a certain unnamed federal agency in 2023 revealed a string of security failings that exposed its most critical assets.…

Category: Viruses and Worms

Falcon 9 rocket's engine failed after launch. The Starlink satellites could not be delivered to the correct orbit

Živě.cz - 12 July, 2024 - 19:45
SpaceX has recorded Falcon 9's first serious problem after a long run of successes. The company failed to get new Starlink satellites into the correct orbit. During the launch on July 11, 2024, the rocket's second stage failed during the Starlink 9-3 mission. SpaceX lost the Falcon 9 rocket's engine. The Starlink satellites ...
Category: IT News

Why I don't like new versions of Windows. And why I install every beta version (Živě Podcast)

Živě.cz - 12 July, 2024 - 18:45
Petr and Karel take different approaches to upgrading Windows. One likes to try new features and doesn't hesitate to install the latest version right away, while the other prefers to stick with a proven environment that he knows almost by heart. In this podcast we uncover the motivations of both types of users. We fear the unknown, but we also appreciate ...
Category: IT News

Netflix and the 30 most popular films and series in June 2024. Baby Reindeer, Bridgerton, and even Woody Woodpecker

Živě.cz - 12 July, 2024 - 18:25
These films and series are currently the most popular on Czech Netflix. We don't distinguish by genre, age, or ratings on film websites. This is overall popularity over recent weeks, as tracked by the FlixPatrol website.
Category: IT News

The European Commission is investigating X. Musk faces a hefty fine over misleading blue checkmarks and other problems

Živě.cz - 12 July, 2024 - 17:45
The European Commission has begun investigating the social network X over a possible violation of the Digital Services Act (DSA). It suspects that Musk's company is breaking the established rules on three points. If the preliminary findings were ultimately to become final, X would face ...
Category: IT News

OpenAI has developed a scale to assess how close we are to AGI

Computerworld.com [Hacking News] - 12 July, 2024 - 17:22

OpenAI, the company behind the popular AI chatbot ChatGPT, has now developed an evaluation scale to assess how closely AI models can approach human levels of intelligence, according to a Bloomberg report.

The scale has a total of five levels. The higher the level, the closer the AI model is judged to be to human intelligence. Today’s large-scale language models are currently judged to be at level one; that corresponds to basic intelligence, but not a more advanced problem-solving ability.

Level two means that the system has a basic problem-solving ability that should be comparable to a human with a PhD. Level three means the system can act as a representative for the user. Level four means that the system can create new innovations. Finally, level five involves the step to achieve artificial general intelligence (AGI), an AI system that can perform the work of entire organizations.

OpenAI has previously defined AGI as a highly automated system that can outperform humans on the majority of economically valuable tasks. OpenAI’s evaluation scale is considered preliminary and could be adjusted in the future.

Category: Hacking & Security

Now Microsoft Copilot can understand your handwriting

Computerworld.com [Hacking News] - 12 July, 2024 - 17:15

Microsoft will soon enable the company’s AI assistant Copilot to read and analyze handwritten notes, The Verge reports. The function was expected to begin as a beta test at the end of last month.

OneNote users can use the function to make handwritten notes with a stylus and then let Copilot, for example, sum them up, generate a to-do list, or ask questions about the notes.

The feature can also be used to turn handwritten notes into text that is easier to edit and share. Once live, the feature will only be available to Copilot for Microsoft 365 subscribers and Copilot Pro users.

Category: Hacking & Security