Desktops (Apple)

macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives (bleepingcomputer.com) 14

Apple's macOS surreptitiously creates and caches thumbnails for images and other file types stored on password-protected / encrypted containers (hard drives, partitions), according to macOS security experts Wojciech Regula and Patrick Wardle. From a report: The problem is that these cached thumbnails are stored on non-encrypted hard drives, in a known location and can be easily retrieved by malware or forensics tools, revealing some of the content stored on encrypted containers. On macOS, these thumbnails are created by Finder and QuickLook. Finder is the default macOS file explorer app, similar to Windows Explorer. Whenever a user navigates to a new folder, Finder automatically loads icons for the files located in those folders. For images, these icons are gradually replaced by thumbnails that show a preview of the image at a small scale.
Australia

Australia Discontinues Its National Biometric ID Project (gizmodo.com.au) 15

The Australian Criminal Intelligence Commission's (ACIC) biometrics project, which adds facial recognition to a national crime database, is being discontinued following reports of delays and budget blowouts. From a report: This announcement comes after the project was suspended earlier this month and NEC Australia staff were escorted out of the building by security on Monday June 4. [...] ACIC contracted the NEC for the $52 million Biometric Identification Services project with the view of replacing the fingerprint identification system that is currently in place. The aim of the project, which was supposed to run until 2021, was to include palm print, footprint and facial recognition to aid in police investigations. The Australian government stated that it wanted to provide Australians with a single digital identity by 2025.
Security

US Government Finds New Malware From North Korea (engadget.com) 84

Days after the historic North Korea-United States summit, the Department of Homeland Security issued a report on Thursday warning of a new variant of North Korean malware to look out for. Called Typeframe, the malware is able to download and install additional malware, proxies and trojans; modify firewalls; and connect to servers for additional instructions. Engadget reports: Since last May, the DHS has issued a slew of alerts and reports about North Korea's malicious cyber activity. The department also pointed out that North Korea has been hacking countries around the world since 2009. And of course, don't forget that the U.S. also labeled that country as the source of the WannaCry cyberattack, which notably held data from the UK's National Health Service hostage, and wreaked havoc across Russia and Ukraine. CNN was first to report the news.
Open Source

'Open Source Security' Loses in Court, Must Pay $259,900 To Bruce Perens (theregister.co.uk) 113

Bruce Perens co-founded the Open Source Initiative with Eric Raymond -- and he's also Slashdot reader #3872. Now he's just won a legal victory in court. "Open Source Security, maker of the grsecurity Linux kernel patches, has been directed to pay Bruce Perens and his legal team almost $260,000 following a failed defamation claim," reports The Register. Slashdot reader Right to Opine writes: The order requires Spengler and his company to pay $259,900.50, with the bill due immediately rather than allowing a wait for the appeal of the case. The Electronic Frontier Foundation's attorneys will represent Perens during OSS/Spengler's appeal of the case.

Perens was sued for comments on his blog and here on Slashdot that suggested that OSS's Grsecurity product could be in violation of the GPL license on the Linux kernel. The court had previously ruled that Perens' statements were not defamatory, because they were statements by a non-attorney regarding an undecided issue in law. It is possible that Spengler is personally liable for any damages his small company can't pay, since he joined the case as an individual in order to preserve a claim of false light (which could not be brought by his company), removing his own corporate protection.

Programming

Eric Raymond Shares 'Code Archaeology' Tips, Urges Bug-Hunts in Ancient Code (itprotoday.com) 103

Open source guru Eric Raymond warned about the possibility of security bugs in critical code which can now date back more than two decades -- in a talk titled "Rescuing Ancient Code" at last week's SouthEast Linux Fest in North Carolina. In a new interview with ITPro Today, Raymond offered this advice on the increasingly important art of "code archaeology". "Apply code validators as much as you can," he said. "Static analysis, dynamic analysis, if you're working in Python use Pylons, because every bug you find with those tools is a bug that you're not going to have to bleed through your own eyeballs to find... It's a good thing when you have a legacy code base to occasionally unleash somebody on it with a decent sense of architecture and say, 'Here's some money and some time; refactor it until it's clean.' Looks like a waste of money until you run into major systemic problems later because the code base got too crufty. You want to head that off...."

"Documentation is important," he added, "applying all the validators you can is important, paying attention to architecture, paying attention to what's clean is important, because dirty code attracts defects. Code that's difficult to read, difficult to understand, that's where the bugs are going to come out of apparent nowhere and mug you."

For a final word of advice, Raymond suggested that it might be time to consider moving away from some legacy programming languages as well. "I've been a C programmer for 35 years and have written C++, though I don't like it very much," he said. "One of the things I think is happening right now is the dominance of that pair of languages is coming to an end. It's time to start looking beyond those languages for systems programming. The reason is we've reached a project scale, we've reached a typical volume of code, at which the defect rates from the kind of manual memory management that you have to do in those languages are simply unacceptable anymore... think it's time for working programmers and project managers to start thinking about, how about if we not do this in C and not incur those crazy downstream error rates."

Raymond says he prefers Go for his alternative to C, complaining that Rust has a high entry barrier, partly because "the Rust people have not gotten their act together about a standard library."
The Courts

The Silk Road's Alleged Right-Hand Man Will Finally Face a US Court (arstechnica.com) 73

It's been nearly five years since the FBI surrounded Ross Ulbricht in the science fiction section of a San Francisco library, arrested him, and grabbed the laptop from which he had run the dark web drug bazaar known as the Silk Road. Ulbricht went on trial in a New York courtroom, and is currently serving a life sentence without parole. But even now, the Silk Road saga still hasn't ended: Half a decade after Ulbricht's arrest, his alleged advisor, mentor and right-hand man Roger Clark will finally face a US court, too. From a report: On Friday, the FBI, IRS, DHS, and prosecutors in the Southern District of New York announced the extradition of 56-year-old Canadian man Roger Clark from a Thai jail cell to New York to face newly unsealed charges for his role in Silk Road's operation. The indictment accuses Clark, who allegedly went by the pseudonyms Variety Jones, Cimon, and Plural of Mongoose in his role as Silk Road's consigliere, of crimes ranging from narcotics trafficking to money laundering. But even those charges don't capture the outsize role Clark is believed to have played in building and managing the Silk Road, from security audits to marketing, and even reportedly encouraging Ulbricht to use violence to maintain his empire.

"As Ulbricht's right-hand man, Roger Clark allegedly advised him of methods to thwart law enforcement during the operation of this illegal ploy, pocketing hundreds of thousands of dollars in the process," writes FBI assistant director William Sweeney in a press statement. "Today's extradition of Roger Clark shows that despite alleged attempts to operate under the radar, he was never out of our reach."

Security

Inside the Private Event Where Microsoft, Google, Salesforce and Other Rivals Share Security Secrets (geekwire.com) 48

News outlet GeekWire takes us inside Building 99 at Microsoft, where security professionals of the software giant, along with those of Amazon, Google, Netflix, Salesforce, Facebook (and others), companies that fiercely compete with one another, gathered earlier this week to share their learnings for the greater good. From the story: As the afternoon session ended, the organizer from Microsoft, security data wrangler Ram Shankar Siva Kumar, complimented panelist Erik Bloch, the Salesforce security products and program management director, for "really channeling the Ohana spirit," referencing the Hawaiian word for "family," which Salesforce uses to describe its internal culture of looking out for one another. It was almost enough to make a person forget the bitter rivalry between Microsoft and Salesforce. Siva Kumar then gave attendees advice on finding the location of the closing reception. "You can Bing it, Google it, whatever it is," he said, as the audience laughed at the rare concession to Microsoft's longtime competitor.

It was no ordinary gathering at Microsoft, but then again, it's no ordinary time in tech. The Security Data Science Colloquium brought the competitors together to focus on one of the biggest challenges and opportunities in the industry. Machine learning, one of the key ingredients of artificial intelligence, is giving the companies new superpowers to identify and guard against malicious attacks on their increasingly cloud-oriented products and services. The problem is that hackers are using many of the same techniques to take those attacks to a new level. "The challenge is that security is a very asymmetric game," said Dawn Song, a UC Berkeley computer science and engineering professor who attended the event. "Defenders have to defend across the board, and attackers only need to find one hole. So in general, it's easier for attackers to leverage these new techniques." That helps to explain why the competitors are teaming up.
In a statement, Erik Bloch, Director Security PM at Salesforce, said, "This is what the infosec and security industry needs more of. Our customers are shared, and so is our responsibility to protect them."
China

Chinese Cyber-Espionage Group Hacked Government Data Center (bleepingcomputer.com) 36

Catalin Cimpanu, writing for BleepingComputer: A Chinese-linked cyber-espionage unit has hacked a data center belonging to a Central Asian country and has embedded malicious code on government sites. The hack of the data center happened sometime in mid-November 2017, according to a report published by Kaspersky Lab earlier this week. Experts assigned the codename of LuckyMouse to the group behind this hack, but they later realized the attackers were an older Chinese threat actor known under various names in the reports of other cyber-security firms, such as Emissary Panda, APT27, Threat Group 3390, Bronze Union, ZipToken, and Iron Tiger.
Security

17 Backdoored Images Downloaded 5 Million Times Removed From Docker Hub (bleepingcomputer.com) 35

An anonymous reader writes: "The Docker team has pulled 17 Docker container images that have been backdoored and used to install reverse shells and cryptocurrency miners on users' servers for the past year," reports Bleeping Computer. "The malicious Docker container images have been uploaded on Docker Hub, the official repository of ready-made Docker images that sysadmins can pull and use on their servers, work, or personal computers." The images, downloaded over 5 million times, helped crooks mine Monero worth over $90,000 at today's exchange rate. Docker Hub is now just the latest package repository to feature backdoored libraries, after npm and PyPI. Docker Hub is now facing criticism for taking months to intervene after user reports, and then going on stage at a developer conference and claiming they care about security.
The Courts

6 Fitbit Employees Charged With Stealing Trade Secrets From Jawbone (mercurynews.com) 80

Six current and former Fitbit employees were charged in a federal indictment Thursday filed in San Jose for allegedly being in possession of trade secrets stolen from competitor Jawbone, according to information from the Department of Justice. From a report: The indictment charges the six people -- Katherine Mogal, 52, of San Francisco; Rong Zhang, 45, of El Cerrito; Jing Qi Weiden, 39, of San Jose; Ana Rosario, 33, of Pacifica; Patrick Narron, 41, of Boulder Creek; and Patricio Romano, 37, of Calabasas -- with violating confidentiality agreements they had signed as former employees of Jawbone after they accepted employment with Fitbit, according to an announcement from Acting U.S. Attorney Alex G. Tse and Homeland Security Investigations Special Agent in Charge Ryan L. Spradlin. San Francisco-based companies Fitbit and Jawbone were competitors in making wearable fitness trackers until Jawbone, once valued at $3.2B, went out of business in 2017. Each of the defendants worked for Jawbone for at least one year between May 2011 and April 2015, and had signed a confidentiality agreement with the company, according to the Department of Justice.
Security

How the World Cup Plays Out Among Hackers (axios.com) 28

The World Cup began today in Russia, and hackers were watching the games. From a report: In prior years, cybersecurity firm Akamai has seen declines in cyberattacks while the World Cup games are in play -- "at least until games are out of reach," said Patrick Sullivan, Akamai director of security technology. Once games are well in hand, attacks from the losing team's nation spike well above normal. Often, said Sullivan, that takes the form of attacks designed to take down news stories in the victor's country that tout a home-team win. Sullivan notes activists frequently use various forms of cyber attacks during major sporting events to protest the host nation -- often targeting sponsors to get their point across. He points to protestors upset with the amount of money spent in the recent Brazilian World Cup as an example.
EU

Kaspersky Halts Europol Partnership After Controversial EU Parliament Vote (bleepingcomputer.com) 104

An anonymous reader writes: Kaspersky Lab announced it was temporarily halting its cooperation with Europol following the voting of a controversial motion in the European Parliament. The Russian antivirus vendor will also stop working on the NoMoreRansom project that provided free ransomware decrypters for ransomware victims.

The company's decision comes after the EU Parliament voted a controversial motion that specifically mentions Kaspersky as a "confirmed as malicious" software and urges EU states to ban it as part of a joint EU cyber defense strategy. The EU did not present any evidence for its assessment that Kaspersky is malicious, but even answered user questions claiming it has no evidence. The motion is just an EU policy and has no legislative power, but it is still an official document. Kaspersky software has been previously banned from government systems in the US, UK, Netherlands, and Lithuania.

Privacy

Comey, Who Investigated Hillary Clinton For Using Personal Email For Official Business, Used His Personal Email For Official Business (buzzfeed.com) 438

An anonymous reader shares a report: Former FBI Director James Comey, who led the investigation into Hillary Clinton's use of personal email while secretary of state, also used his personal email to conduct official business, according to a report from the Justice Department on Thursday. The report also found that while Comey was "insubordinate" in his handling of the email investigation, political bias did not play a role in the FBI's decision to clear Clinton of any criminal wrongdoing.

The report from the office of the inspector general "identified numerous instances in which Comey used a personal email account (a Gmail account) to conduct FBI business." In three of the five examples, investigators said Comey sent drafts he had written from his FBI email to his personal account. In one instance, he sent a "proposed post-election message for all FBI employees that was entitled 'Midyear thoughts,'" the report states. In another instance, Comey again "sent multiple drafts of a proposed year-end message to FBI employees" from his FBI account to his personal email account.

Government

Cops Are Confident iPhone Hackers Have Found a Workaround to Apple's New Security Feature (vice.com) 126

Joseph Cox, and Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Apple confirmed to The New York Times Wednesday it was going to introduce a new security feature, first reported by Motherboard. USB Restricted Mode, as the new feature is called, essentially turns the iPhone's lightning cable port into a charge-only interface if someone hasn't unlocked the device with its passcode within the last hour, meaning phone forensic tools shouldn't be able to unlock phones. Naturally, this feature has sent waves throughout the mobile phone forensics and law enforcement communities, as accessing iPhones may now be substantially harder, with investigators having to rush a seized phone to an unlocking device as quickly as possible.

That includes GrayKey, a relatively new and increasingly popular iPhone cracking tool. But forensics experts suggest that Grayshift, the company behind the tech, is not giving up yet. "Grayshift has gone to great lengths to future proof their technology and stated that they have already defeated this security feature in the beta build. Additionally, the GrayKey has built in future capabilities that will begin to be leveraged as time goes on," a June email from a forensic expert who planned to meet with Grayshift, and seen by Motherboard, reads, although it is unclear from the email itself how much of this may be marketing bluff. "They seem very confident in their staying power for the future right now," the email adds. A second person, responding to the first email, said that Grayshift addressed USB Restricted Mode in a webinar several weeks ago.

Bitcoin

The CIA 'Can Neither Confirm Nor Deny' It Has Documents on Satoshi Nakamoto (vice.com) 66

An anonymous reader shares a report: Who is Satoshi Nakamoto? Ever since this pseudonymous person or group unleashed Bitcoin on the world in 2008, Nakamoto's real identity has been one of the biggest mysteries in the cryptocurrency world. And based on a response to my recent Freedom of Information Act (FOIA) request, if the CIA knows anything, it's not talking. [...] In 2016, Alexander Muse, a blogger who mostly writes about entrepreneurship, wrote a blog post that claimed the NSA had identified the real identity of Satoshi Nakamoto using stylometry, which uses a person's writing style as a unique fingerprint, and then searched emails collected under the PRISM surveillance program to identify the real Nakamoto. Muse said the identity was not shared with him by his source at the Department of Homeland Security. [...] I figured it couldn't hurt to ask some other three-letter agencies what they know about Nakamoto. [...] I received a terse reply that informed me that "the request has been rejected, with the agency stating that it can neither confirm nor deny the existence of the requested documents."
Intel

Another Day, Another Intel CPU Security Hole: Lazy State (zdnet.com) 110

Steven J. Vaughan-Nichols, writing for ZDNet: The latest Intel revelation, Lazy FP state restore, can theoretically pull data from your programs, including encryption software, from your computer regardless of your operating system. Like its forebears, this is a speculative execution vulnerability. In an interview, Red Hat Computer Architect Jon Masters explained: "It affects Intel designs similar to variant 3-a of the previous stuff, but it's NOT Meltdown." Still, "it allows the floating point registers to be leaked from another process, but alas that means the same registers as used for crypto, etc." Lazy State does not affect AMD processors.

This vulnerability exists because modern CPUs include many registers (internal memory) that represent the state of each running application. Saving and restoring this state when switching from one application to another takes time. As a performance optimization, this may be done "lazily" (i.e., when needed) and that is where the problem hides. This vulnerability exploits "lazy state restore" by allowing an attacker to obtain information about the activity of other applications, including encryption operations.
Further reading: Twitter thread by security researcher Colin Percival, BleepingComputer, and HotHardware.
Businesses

Cybercrime is Costing Africa's Businesses Billions (qz.com) 47

An anonymous reader shares a report: Sophisticated malware, software security breaches, mobile scams -- the list of cybercrime threats is growing. Yet African nations continue to fall short of protecting themselves and must constantly grapple with the impact. A new study from IT services firm Serianu shows the pervasive nature of cybercrime across the continent, affecting businesses, individuals, families, financial institutions, and government agencies. The study shows how weak security architectures, the scarcity of skilled personnel and a lack of awareness and strict regulations have increased vulnerability.

Cybercrime cost the continent an estimated $3.5 billion in 2017. The report found more than 90% of African businesses were operating below the cybersecurity "poverty line" -- meaning they couldn't adequately protect themselves against losses. At least 96% of online-related security incidents went unreported and 60% of organizations didn't keep up to date with cybersecurity trends and program updates. (In addition, at least 90% of parents didn't understand what measures to take to protect their children from cyber-bullying.)

China

China's Surveillance State Will Soon Track Cars (wsj.com) 113

China is establishing an electronic identification system to track cars nationwide, according to a report on WSJ, which cites records and people briefed on the matter. From a report: Under the plan being rolled out July 1, a radio-frequency identification chip for vehicle tracking will be installed on cars when they are registered. Compliance will be voluntary this year but will be made mandatory for new vehicles at the start of 2019, the people said. Authorities have described the plan as a means to improve public security and to help ease worsening traffic congestion, documents show, a major concern in many Chinese cities partly because clogged roads contribute to air pollution. But such a system, implemented in the world's biggest automotive market, with sales of nearly 30 million vehicles a year, will also vastly expand China's surveillance network, experts say. That network already includes widespread use of security cameras, facial recognition technology and internet monitoring.
Security

Britain's Dixons Carphone Discovers Data Breach Affecting 5.9 Million Payment Cards (betanews.com) 32

Mark Wilson shares a report from BetaNews: Another week, another cyberattack. This time around, it's the Dixons Carphone group which says it has fallen victim to not one but two major breaches. The bank card details of 5.9 million customers have been accessed by hackers in the first breach. In the second, the personal records of 1.2 million people have been exposed. Dixons Carphone says that it is investigating an attack on its card processing system at Currys PC World and Dixons Travel in which there was an attempt to compromise 5.9 million cards. The company stressed that the vast majority -- 5.8 million -- of these cards were protected by chip and PIN, and that the data accessed did not include PINs, CVVs or any other authentication data that could be used to make payments or identify the card owners. The report goes on to mention that 105,000 non-EU issued payment cards, which were not chip and PIN protected, were also affected. The company says it will be contacting those customers affected by the breaches.
Microsoft

A Vulnerability in Cortana, Now Patched, Allowed Attacker To Access a Locked Computer, Change Its Password (bleepingcomputer.com) 59

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has patched a vulnerability in the Cortana smart assistant that could have allowed an attacker with access to a locked computer to use the smart assistant and access data on the device, execute malicious code, or even change the PC's password to access the device in its entirety. The issue was discovered by Cedric Cochin, Cyber Security Architect and Senior Principal Engineer at McAfee. Cochin privately reported the problems he discovered to Microsoft in April. The vulnerability is CVE-2018-8140, which Microsoft classified as an elevation of privilege, and patched yesterday during the company's monthly Patch Tuesday security updates. Further reading: Microsoft Explains How it Decides Whether a Vulnerability Will Be Patched Swiftly or Left For a Version Update.
