Technology

Jaguar's Type 00 concept car has set the internet aflame, but I think it's the right move.

Paying a yearly fee doesn't always make sense. I found the best no-annual-fee credit cards that still earn great rewards.

Just after Cyber Monday, the HP store is featuring a wild deal on a bundle for gaming streamers. Catch it before it disappears!

This cordless stick vacuum makes cleaning your home easier than ever, and right now it's just $65.

Ireland’s far-right candidates expected to succeed on a wave of anti-immigrant rhetoric, but the people rejected them wholesale.

If you're in the market for a short-throw 4K projector, we have a last-minute Cyber Monday deal for you.

Two sides looking to bounce back from heavy losses meet at the King Power Stadium.

• The NES version of Tetris is coming to Nintendo Switch Online
• It's set for a December 12 release
• The 1989 title joins the growing collection of classic Nintendo games on the subscription service

Nintendo has announced that the NES version of Tetris will be joining Nintendo Switch Online this month.

In a new X / Twitter post shared today, Nintendo confirmed that the classic 1989 title will be added to its Nintendo Switch subscription service next week on December 12.

This console version of Tetris features two modes of play, A-Type and B-Type, each with its own unique goals. For A-Type, players must achieve the highest score, while in B-Type, the board starts with randomized blocks at the bottom of the field, and the goal is to clear 25 lines.

To play the NES version of Tetris, Nintendo Switch users must be subscribed to Switch Online for $3.99 / £3.49 / €3.99 a month, or $19.99 / £17.99 / €19.99 for a 12-month membership, both of which give access to the NES, SNES, Game Boy, and Game Boy Color collections.

To get access to the other classic catalogs, including Nintendo 64, Game Boy Advance, and Mega Drive / Genesis, users must purchase the Switch Online Expansion Pack, which costs $49.99 / £34.99 / AU$59.95 for a 12-month pass.

Last week, as part of its November 2024 update, Nintendo added three more classic Sega Genesis games to the service, including ToeJam & Earl: Panic on Funkotron, Vectorman, and Wolf of the Battlefield: Mercs.

The addition of these three titles brought the total number of Sega Genesis games in the collection to 47.

You might also like...

• Nintendo Switch 2: everything we know about a potential Switch successor
• Indiana Jones and the Great Circle's official launch trailer showcases new gameplay ahead of release
• Sony announces its PlayStation 30th Anniversary sale, offering discounts on hundreds of games

A giant 7,050-mAh battery, the new Snapdragon 8 Elite processor and a 100W wired charging speed highlight RedMagic's latest gaming phone. But the phone's software is plagued by annoying defaults.

Hopefully there are no snakes in these games.

Lakeland residents have several internet providers worth considering. Check out CNET's top picks to narrow down your options.

A microSD card is the perfect companion for a number of home security devices. Here's why.

• Security researchers saw corrupted files used in phishing campaigns
• These files bypass email protection solutions
• Word can easily restore them, presenting malicious content to the victim

Cybercriminals have found a new and creative way to sneak phishing emails past your onlinedefenses and into your inbox, experts have warned.

A new report from cybersecurity researchers Any.Run observed crooks distributing corrupted Microsoft Word files in their campaigns. Most phishing emails come with an attachment. That file can either be malware itself, or can contain a link to a malicious website, or download.

In response, most email security solutions these days analyze incoming attachments before the recipient can read them, warning the victim if they are being targeted.

Stealing login credentials

However, if the file is corrupted, security programs cannot read, or analyze it, and thus cannot flag it as malicious. So, hackers have now started deliberately corrupting the phishing files, before sending them out. The trick? Word can easily restore them.

Once they are restored, and readable, it is already too late for email security tools to scan them, and the victim is presented with the malicious content which, in this case, is a QR code leading to a fake Microsoft 365 login page.

Therefore, the goal of the recently observed campaign is to steal people’s cloud credentials.

"Although these files operate successfully within the OS, they remain undetected by most security solutions due to the failure to apply proper procedures for their file types," Any.Run said.

"They were uploaded to VirusTotal, but all antivirus solutions returned "clean" or "Item Not Found" as they couldn't analyze the file properly."

Phishing remains one of the most popular attack vectors on the internet. While there are many software solutions helping businesses minimize the threat, the best defense remains the same - using common sense and being careful with incoming email messages. This rings particularly true for messages coming from unknown sources, and messages coming with a sense of urgency.

Via BleepingComputer

You might also like

• The first UEFI bootkit malware for Linux has been detected, so users beware
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now

It's a new calendar month, and you know what that means: more movies on Paramount Plus. And this month's list of new additions to the Paramount Plus catalog is a doozy, with some absolute classics joining the line-up.

With so much to choose from it's hard to pick just three favorites, but whether you're looking for a big old weepie, a beautifully acted take on a very modern obsession or just a story about a man with a really big part – and we don't necessarily mean an acting part – then Paramount Plus has you covered.

Her

Score: 95%
Rating: R
Run time: 1h 59m
Director: Spike Jonze

This is even more fun if you imagine it as a prequel to the Joker movie, because the star here is Joaquin Phoenix. But this is a very different role. Phoenix plays Theodore Twombly, a quiet, sensitive man who discovers who he thinks is 'Miss Right', played by Scarlett Johansson. There's just one problem. She's Siri.

If you liked Michel Gondry’s Eternal Sunshine Of The Spotless Mind I think you'll love this. Empire magazine says it's "a sweet, smart, silly, serious film for our times, only set in the future," while RogerEbert.com said that it was "one of the most engaging and genuinely provocative movies you're likely to see this year".

45 Years

Score: 97%
Rating: R
Run time: 1h 33m
Director: Andrew Haigh

Charlotte Rampling is magnificent alongside Tom Courtenay in this incredibly poignant tale of lost love and missed opportunities. Rampling is Kate, a married woman whose life is thrown into upheaval when her husband's long-lost ex is finally discovered in sad circumstances. The revelation puts incredible strain on their relationship, and it's a definite box-of-tissues weepie thanks to the towering performances by both leads.

According to MovieFreak it's "a drama of profound majesty sure to be marveled at for many years to come," while the Associated Press was enchanted: "How many great movies could be written across the enigmatic, profound face of Charlotte Rampling? Hundreds? Thousands? At any rate, Andrew Haigh's 45 Years is one of them."

Boogie Nights

Score: 94%
Rating: R
Run time: 2h 32m
Director: Paul Thomas Anderson

It's 1977 and in the San Fernando Valley Eddie (Mark Wahlberg) and his impressive attributes are discovered by porn producer Jack Horner (Burt Reynolds), who turns him into porn superstar Dirk Diggler. According to the Chicago Tribune the story is told as "a beautifully made survey of '70s excess, filtered through the trashy world of the burgeoning porno film industry in southern California".

The film was frequently compared to Quentin Tarantino's work, but as Vice suggests "the Tarantino comparison is ultimately less about technique than a shared joyful electricity of the filmmaking, the sense of an artist clearly high on the sheer act of making a movie." Entertainment Weekly was one of many publications that felt it really hit the spot. "Boogie Nights, an epic tale of porn, pleasure, and excess, offers a purer hit of exhilaration than any movie this year," it ejaculated.

You might also like

• Everything new on Paramount Plus in December 2024
• The best shows to stream on Paramount Plus
• The best streaming services

The Tor Browser is calling for volunteers within the internet community willing to support its fight against tougher Russian censorship.

The team aims to deploy 200 new WebTunnel bridges by the end of December 2024, "to open secure access for users in Russia," wrote the team in a blog post.

A Tor bridge is a non-public server run by volunteers that helps users bypass censorship and establish a connection to the Tor network.

WebTunnel, the provider explains, is a new type of bridge designed to blend into other web traffic and fly under the radar of censors, avoiding blocks. It does so by mimicking encrypted web traffic (HTTPS) while running over a web server with a valid SSL/TLS certificate.

We are calling on the Tor and Internet freedom community to help us scale up WebTunnel bridges. If you've ever thought about running a Tor bridge, now is the time. Our goal is to deploy 200 new WebTunnel bridges by the end of this December (2024) to open secure access for users…November 28, 2024

While the number of active WebTunnel bridges (now 143) has more than doubled since its launch in March, it isn't yet enough to meet the rising demand within the country.

Tor's urgent call follows an escalation in Russian censorship efforts targeting access to Tor – including its built-in censorship circumvention features such as obfs4 connections and Snowflake – and other circumventing tools, like some of the best VPN apps on the market.

As per the latest data, nearly 200 VPN services are currently blocked in Russia at the time of writing. Between July and September alone, about 60 VPN apps silently disappeared from the Apple App Store in the country, bringing the total of unavailable applications in the Big Tech giant's official store to 98.

Running a Tor WebTunnel bridge

Unredacted, a non-profit organization that provides free and open services to bypass censorship and boost privacy online, announced its plans to deploy 10 new WebTunnel bridges only a day after Tor issued its own call for help on November 28.

Tor's campaign is set to run until March 2025 and calls for even more volunteers to set up and run new Webtunnel bridges. Besides helping people in Russia enjoy a free and secure web, you'll receive a Tor t-shirt if you decide to run five or more bridges over this period.

Below are the technical requirements to take part in the initiative:

• Run one WebTunnel per IPv4. Multiple subdomains or distinct domains are also accepted.
• Need to include a valid email address as contact information.
• Maintain your bridges active and functional for at least 12 months.
• Ensure your bridges work close to 24/7.
• Don't host your bridges with Hetzner.

Running a Tor bridge requires some IT skills, but don't worry – Tor put together a WebTunnel guide to help you with the configuration process.

• A new report reveals that shipments of folding displays for smartphones have declined for the first time
• This is in spite of 2024 being a strong year for foldable releases from Samsung, Google, and others
• The rumored folding iPhone, supposedly due in 2026, could be the light at the end of the tunnel

Global shipments of folding displays decreased year on year for the first time in the third quarter of 2024, despite a number of well-received flagship foldable releases during the year, including the Samsung Galaxy Z Fold 6 and Google Pixel 9 Pro Fold.

That’s according to a report from Digital Supply Chain Consultants (DSCC), which aggregates data from across the tech manufacturing chain.

According to the report, demand for foldable displays decreased by 38% year-on-year in the third quarter of 2024, with only a moderate 5% increase in demand expected for the entire of 2024.

This contrasts with a previously strong upwards trend – in every year from 2019 to 2023, demand for folding displays increased by 40%.

DSCC now estimates that demand for the displays will decrease by 4% in 2025 overall, with total shipments holding steady at around 22 million.

The report doesn’t include much information on actual sales of folding phones, but does focus on foldable handsets as the primary use case for these displays.

More releases, fewer shipments

This decline may come as something of a surprise, given that our list of the best foldables has seen a few new entries this year – in 2024 alone the Samsung Galaxy Z Fold 6 and Z Flip 6, Google Pixel 9 Pro Fold, and cheaper options from Motorola have all hit store shelves.

And as our reviews for these devices note, the folding phones released this year have generally been the best we’ve ever seen.

As PhoneArena notes, the decline in shipments may be related to a number of smaller phone makers exiting the folding phone sector completely – generally global-focused brands like Tecno and Oppo.

The report does hold out some optimism, stating that Apple is likely to enter the market in the second half of 2026 – a folding iPhone would be expected to sell well enough to give a significant boost to the entire folding phone market.

Foldable future

While we don’t expect to see folding phones disappear any time soon, the report suggests these powerful devices may remain a niche rather than posing a challenge to the traditional slab form factor.

Though foldable devices offer a lot of power and convenience, they are consistently much more expensive than their slab phone counterparts.

It could be this fact that’s led DSCC to predict that even the most popular folding phone, the Samsung Galaxy Z Flip 6, will sell 10% less than its predecessor, the Z Flip 5.

And while a cheaper Galaxy Z Flip FE has been rumored for a while, there’s still currently no truly cheap folding phone available.

If the report’s prediction of a folding iPhone turns out to be true, we could see a surge in foldable fever – but it seems the industry will have to brace through a quiet year first.

For the latest updates on folding phones, be sure to check out our phones coverage, and for more on the Galaxy Z Fold and Z Flip series, head over to our Samsung phones coverage.

You might also like

• Got an older iPhone? WhatsApp won’t work on it for much longer
• Google just made it easier to move all your photos from iPhone to Android
• The OnePlus 13 is officially going global in January

• Beta code hints that Gemini will get NotebookLM access
• NotebookLM will allow Gemini to create AI podcasts from PDFs or videos
• Linked to your mobile, AI Podcasts could help you learn about any subject around you

Delving deep into the code for the latest beta version of the Google Gemini app, it looks like Google’s NotebookLM AI podcast creation software might be coming to Google Gemini on your phone.

Android Authority has found the following lines of code in a beta version of Gemini:

<string name="assistant_zero_state_suggestions_create_podcast_prompt_query">Generate audio overview</string> <string name="assistant_zero_state_suggestions_create_podcast_snippet_highlight">Generate audio</string> <string name="assistant_zero_state_suggestions_create_podcast_snippet_simplified">overview</string>

As you can see, both “create_podcast” and “Generate audio overview” are visible, indicating that Gemini will have the ability to generate a podcast. Moreover, the NotebookLM section that creates the podcast is called an audio overview. Taken together, these two things would seem to indicate a role for Google’s NotebookLM in a future version of Gemini.

How would it work?

Of all the weird and wonderful uses of AI to arrive in 2024, Google’s NotebookLM remains one of the most captivating. NotebookLM contains a number of products that use AI to help you learn any subject. You feed in your source material as a text file, PDF, or video, and it helps you organize that material. One of the ways it does this is through audio overviews.

An audio overview is essentially an audio file that takes the form of a podcast show between two hosts who are discussing whatever subject you’ve fed it via PDFs, web pages, or a YouTube video. Listening to two people discuss a subject is a great way to help you learn about it.

What makes NotebookLM great is how realistic the podcast sounds. It’s very hard to believe you’re not listening to two real people discussing the subject at hand.

If Gemini gives you the ability to create audio podcasts from data sources you feed it, then it’s going to be a great way to help you learn about new subjects.

You can imagine the situation where you upload a PDF to Gemini and then ask it, “Hey, can you make me a podcast about this PDF?” Combine that with Google Lens, and you could be able to get Gemini to generate podcasts about things you are looking at. Just imagine taking a trip around a famous building, like the Vatican, or having Gemini produce a podcast about the building that acts as a guided tour.

The potential for NotebookLM to integrate with other apps or be useful in new situations is almost unlimited, and we’d expect to see Google coming up with new and interesting ways to use it in the very near future.

You might also like...

• I tried Google’s new one-click AI podcast creator, and now I don’t know what’s real anymore
• Gemini is coming to supercharge Google Assistant on smart displays and speakers – and here's how it will work
• Gemini AI is now here to supercharge all your Google Workspace mobile apps

• A hacker with the alias "Nam3L3ss" started leaking data from six companies
• The companies include Nokia, Bank of America, and others
• The data came from the MOVEit breach that happened more than a year ago

Hackers are still leaking sensitive information stolen via the MOVEit flaw, more than a year after it was first disclosed, experts have warned.

A threat actor with the alias “Nam3L3ss” recently started leaking sensitive data from six major companies to BreachForums: Xerox (42,735), Koch (237,487), Nokia (94,253), Bank of America (288,297), Bridgewater (2,141), Morgan Stanley (32,861), and JLL (62,349), The Register reports.

The publication further added that security researchers analyzed the data dump and confirmed its authenticity, adding that among the leaked information are people’s full names, phone numbers, email addresses, job addresses, employee badges, job titles, and usernames.

Reader Offer: Save up to 70% on Aura identity theft protectionTechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal.

Preferred partner (What does this mean?)View Deal

MOVEit files keep leaking

This is the type of information cybercriminals like most (apart from passwords and banking data, obviously), since it allows them to run phishing, identity theft, and similar attacks that can lead to ransomware, wire fraud, and more.

"This data is a goldmine for social engineering," Zack Ganot, chief strategy officer for Atlas Privacy said. "Knowing exactly what employee sits on which team, who they report to, what their badge number is, what building they work in, their organizational email and phone number – this is some wild stuff for an attacker looking to exploit an org."

MOVEit is a managed file transfer (MFT) tool, used by large companies to securely share sensitive files. In late May 2023, it was discovered that it had a flaw, which was successfully exploited by a Russian ransomware actor called Cl0p. This group used the flaw to exfiltrate sensitive data from hundreds of companies using MOVEit.

Among the victims were numerous high-profile organizations across various sectors, including US government entities (Department of Energy, Office of Personnel Management), educational institutions (Johns Hopkins University), private enterprises (Shell, British Airways, Ernst & Young), and many others. In total over 62 million individuals were directly affected, with the true number likely higher.

You might also like

• Amazon confirms employee data stolen after third-party MOVEit breach
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now

• Kaspersky uncovers new campaign, using malicious JavaScript to deploy RATs
• The RATs are used to deploy two infostealers
• Among the victims are people and businesses in Russia

Hackers are targeting people and businesses in Russia with malicious JavaScript, in order to install backdoors on their devices.

Researchers at Kaspersky, who named the campaign “Horns&Hooves”, noted how it started in March 2023, and has since infected roughly 1,000 endpoints.

The campaign starts with a phishing email, in which the attackers impersonate individuals and businesses, and send emails that mimic requests and bids from potential customers, or partners.

Actively developed campaign

The emails come with various attachments, among which is the JavaScript payload. This payload delivers two Remote Access Trojans (RAT): NetSupport RAT and BurnsRAT. In turn, these RATs are used to deploy the final payload: either Rhadamanthys, or Meduza.

These two are known infostealers. Since late 2022, Rhadamanthys is being offered on the dark web as a service, enabling crooks to steal a vast range of information from the target device, from system details, passwords, to browsing data. Rhadamanthys has specialized tools for stealing cryptocurrency credentials, with support for over 30 different wallets.

Meduza, on the other hand, is part of the growing threat landscape for personal and business cybersecurity. Like Rhadamanthys, it steals user credentials and other sensitive information, including login credentials for various services and applications. However, Meduza operates with a more focused scope, aiming to evade detection through various obfuscation and anti-analysis techniques​.

Horns&Hooves is an actively developed campaign, the researchers are saying, stressing that the code was revamped and upgraded numerous times. While attribution proved difficult, there is reason to believe that TA569 is behind the attacks. This group, according to The Hacker News, is also called Mustard Tempest, or Gold Prelude) and is the one running the SocGholish malware.

The same publication also stated that TA569 was seen acting as an initial access broker for affiliates deploying the WastedLocker ransomware strain.

Via The Hacker News

You might also like

• This devious new malware is going after macOS users with a whole barrel of tricks
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now

It’s getting harder for organizations to identify the extent of damage incurred from a cyberattack – after the initial shock wave of panic anyway. You don’t want it to be difficult to trace the origins of an attack when the frequency of breaches is as rampant as it is today. Data breaches are more of an eventuality than a possibility.

Ask CISO heads how long it takes them to identify the blast radius of a breach, and the average response you’ll get is, at best, ‘hours.’ But ‘hours’ isn’t fast enough today. Just a single hour is all it takes for an attacker to pivot across infrastructure to access highly sensitive resources.

If the repeated Internet Archive breaches taught us anything, it’s how damaging exposure of the wrong information can be. Hackers used exposed access tokens from previous incidents to penetrate the organization’s Zendesk implementation. These API keys, left static since the original breach, provided hackers with easy access to over 800,000 support tickets. To add insult to injury, the hackers started replying to old support tickets criticizing the Internet Archive for failing to rotate these keys.

Unfortunately, the number of times we keep seeing these incidents is a symptom of how complex IT infrastructure has become. Finding out who breached your data, where, and how is often headache-inducing. This largely stems from how extremely fragmented identity silos have become, and the pile of identities needing management just keeps growing bigger. But there’s also the fact that access relationships between resources are also fragmented. This fragmentation of access and security models makes organizations vulnerable to human error.

What would fix this? A new cybersecurity paradigm – one without static credentials, eliminating the attack surface targeted by threat actors. Companies can further harden their security by shifting their access model from role-based authentication to attribute-based authentication.

The complexity of identity management

Microsoft’s recent report identified over 600 million identity attacks in its 2024 fiscal year alone. If you’re wondering why that number is so high, it’s because humans make it easy. We leave credentials like passwords, browser cookies, and API keys lying around in the most obvious places. Further, long-lived, stale privileges allow a bad actor to pivot from their initial breach to other destinations on a network.

This makes it only a matter of time before a user inadvertently reveals too much information or prior credentials. Hackers are ready to pounce on these mistakes. We saw this happen with the initial Internet Archive breach, where an exposed GitLab configuration file contained an authentication token that enabled hackers to download the Internet Archive’s source code, which included additional credentials.

It also doesn’t help that access is often managed in completely different ways across Kubernetes clusters, cloud APIs, IoT devices, databases, etc. The silos emerging from this approach obstruct the ability to revoke access to compromised data, or to figure out who had access to what data in the first place.

If we want to begin to thwart cyberattacks, then step one to reducing the attack surface and blast radius has to be to remove all static credentials like passwords, as well as standing privileges. Our industry needs to shift to a mindset of securing identities cryptographically based on physical-world attributes that cannot be stolen (like biometric authentication). Additionally, access should only ever be enforced based on ephemeral privileges that are granted only for the period of time that work needs to be completed. Above all, companies shouldn’t treat identity management, policy governance, and access control as distinct endeavors. They are all interconnected.

Not everyone needs access, and they don’t need it anywhere, anytime

Traditionally, a lot of emphasis has been placed on assigning permissions to users based on their role within an organization – role-based authentication (RBAC). For cybersecurity models to modernize, however, there’s more companies can do to harden access controls, and one way is to ensure that resource access only ever takes place in an appropriate context.

Attribute-based authentication (ABAC) is how we get there, effectively setting very granular requirements for when someone can access a resource.

Imagine you have a database table housing sensitive data. Yes, you can grant access to employees with a certain job title – “Senior IT manager” – but there are other factors you should weigh for whether or not someone should gain access:

Where is the employee? Are they in the office? Or are they in Hawaii?

What device are they on? Are they using a work laptop, a phone, a tablet, or something else?

What time is it? Do they really need access to a resource when it’s in production?

The goal of this mindset is to give organizations the freedom to say things like, “all senior programmers trying to access database table X have to be in Milwaukee between 1pm and 3pm.” You’ve now effectively shut down the ability for anyone to access this database if they don’t fulfill these select requirements. No more access for the random guy drinking a slurpee in Hawaii.

Everyone should be able to govern on attributes when granting access to users, as opposed to granting access to anyone inside ‘the network.’ The mindset should be ‘locked by default’. That’s imperative to reducing the attack surface.

We've featured the best endpoint protection software.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro