Security

New Micro-Op Cache Vulnerability Evades All Previous Fixes For Spectre-Like Attacks (virginia.edu) 40

ffkom writes: Modern x86 and ARM CPUs translate opcodes into micro-ops, which are usually stored in a cache of their own for later re-use. Researchers from the University of Virginia have found a way to exploit this for side-channel attacks, where malicious code exfiltrates information from other processes or virtual machines based on measurable characteristics of the micro-op cache state, which they describe in their scientific paper. This side-channel attack evades all previous fixes for SPECTRE-like attacks, and poses yet another difficult-to-address risk to all software that runs on CPUs that are used by possibly malicious code at the same time -- like code running on other people's computers ("the cloud") or code running on CPUs that at the same time run "sandboxes" with code from some untrusted sources on the Internet.
Security

Tesla Car Hacked Remotely From Drone Via Zero-Click Exploit (securityweek.com) 126

wiredmikey shares a report from SecurityWeek: Security researchers have shown how a Tesla -- and possibly other cars -- can be hacked remotely without any user interaction from a drone. This was the result of research conducted last year by Ralf-Philipp Weinmann of Kunnamon and Benedikt Schmotzle of Comsecuris. The attack, dubbed TBONE, involves exploitation of two vulnerabilities affecting ConnMan, an internet connection manager for embedded devices. A hacker who exploits the vulnerabilities can perform any task that a regular user could from the infotainment system. That includes opening doors, changing seat positions, playing music, controlling the air conditioning, and modifying steering and acceleration modes. They showed how an attacker could use a drone to launch an attack via Wi-Fi to hack a parked car and open its doors from a distance of up to 100 meters (roughly 300 feet). They claimed the exploit worked against Tesla S, 3, X and Y models. "Tesla patched the vulnerabilities with an update pushed out in October 2020, and it has reportedly stopped using ConnMan," the report notes. Since the ConnMan component is widely used in the automotive industry, similar attacks could be launched against other vehicles.
Television

Former Netflix IT Executive Convicted of Fraud and Taking Bribes (justice.gov) 23

Business Insider reports: Former Netflix vice president of IT Michael Kail was convicted by a federal jury on Friday of 28 counts of fraud and money laundering, the U.S. Department of Justice announced in a press release.

Kail, who was indicted in 2018, used his position to create a "pay-to-play" scheme where he approved contracts with outside tech companies looking to do business with Netflix in exchange for taking bribes and kickbacks, according to evidence presented to the jury, the release said. Kail accepted bribes or kickbacks from nine different companies totaling more than $500,000 as well as stock options, according to the Department of Justice's press release...

Netflix sued Kail after he left the company in 2014 to take a role as Yahoo's CIO, accusing him of fraud and breaching his fiduciary duties.

One FBI agent says that Kail "stole the opportunity to work with an industry pioneer from honest, hardworking, Silicon Valley companies," according to the details in the Department of Justice statement: To facilitate kickback payments, the evidence at trial showed that Kail created and controlled a limited liability corporation called Unix Mercenary, LLC. Established on February 7, 2012, Unix Mercenary had no employees and no business location. Kail was the sole signatory to its bank accounts...

Kail faces a maximum sentence of twenty years in prison and a fine of $250,000, or twice his gross gain or twice the gross loss to Netflix, whichever is greater, for each count of a wire or mail fraud conviction, and ten years in prison and a fine of $250,000 for each count of a money laundering conviction.

Security

Click Studios Asks Customers To Stop Tweeting About Its Passwordstate Data Breach (techcrunch.com) 14

Australian security software house Click Studios has told customers not to post emails sent by the company about its data breach, which allowed malicious hackers to push a malicious update to its flagship enterprise password manager Passwordstate to steal customer passwords. TechCrunch reports: Last week, the company told customers to "commence resetting all passwords" stored in its flagship password manager after the hackers pushed the malicious update to customers over a 28-hour window between April 20-22. The malicious update was designed to contact the attacker's servers to retrieve malware designed to steal and send the password manager's contents back to the attackers. In an email to customers, Click Studios did not say how the attackers compromised the password manager's update feature, but included a link to a security fix.

But news of the breach only became public after Danish cybersecurity firm CSIS Group published a blog post with details of the attack hours after Click Studios emailed its customers. Click Studios claims Passwordstate is used by "more than 29,000 customers," including in the Fortune 500, government, banking, defense and aerospace, and most major industries.

In an update on its website, Click Studios said in a Wednesday advisory that customers are "requested not to post Click Studios correspondence on Social Media." The email adds: "It is expected that the bad actor is actively monitoring Social Media, looking for information they can use to their advantage, for related attacks." "It is expected the bad actor is actively monitoring social media for information on the compromise and exploit. It is important customers do not post information on Social Media that can be used by the bad actor. This has happened with phishing emails being sent that replicate Click Studios email content," the company said.

The report says Click Studios has remained extremely tightlipped about the situation. The company has refused to comment or respond to questions; it's also unclear if the company has disclosed the breach to U.S. and EU authorities, which require companies to disclose data breach incidents or face hefty fines.
Security

Scammers Are Hacking Target's Gig Workers and Stealing Their Money (vice.com) 40

Scammers have been spoofing Target's delivery company Shipt's phone number in order to steal its gig workers' earnings by phishing their credentials from them. From a report: On the morning of March 28, a gig worker near Tampa, Florida, was shopping an order for Shipt, Target's delivery platform, when he received an email from "Shipt Support" asking him to reset his password. The worker says he didn't request to reset his password, but didn't think much of the email and went on with his day. Later that evening, the worker says he was sitting at home on his couch when he received a phone call from Shipt's corporate headquarters' phone number. Someone identifying themselves as a Shipt employee and addressing the worker by his first name said there had been unusual activity on his account regarding his password and asked him to read back a code that had been emailed to him to verify his identity.

Remembering the password reset email from earlier that day, the worker provided an authentication code that he'd received via email from Shipt. Shortly after, he received an email notifying him that someone had added a debit card to his account. When the worker checked his account again, he realized someone had logged in and cashed out his entire paycheck -- $499.51. "I noticed my withdrawal balance was zero," he said in a public video uploaded to Facebook. "At that point, I'm livid. I'm pissed." In recent weeks, personal shoppers on Target's delivery app, which boasts roughly 300,000 personal shoppers in the United States, have been repeatedly targeted by scammers hoping to steal their earnings by phishing gig workers' credentials from them. Since March 28, more than 30 gig workers have posted in private, unofficial Facebook groups for Shipt's personal shoppers saying scammers have targeted them using phishing schemes that include spoofing Shipt's corporate phone numbers and asking for passwords over the phone. In at least some cases, the strategy used by scammers is different from other phishing campaigns: Scammers trigger password reset emails sent to personal shoppers by clicking the "forgot password" button below the Shipt login. Then they follow up via phone, asking personal shoppers to "verify" their passwords in order to look into "unusual activity" or requests to update info on their accounts.

Security

Anti-Vaxxer Hijacks QR Codes At COVID-19 Check-In Sites (threatpost.com) 117

schwit1 shares a report from Threatpost: Quick-response (QR) codes used by a COVID-19 contact-tracing program were hijacked by a man who simply slapped up scam QR codes on top to redirect users to an anti-vaccination website, according to local police. He now faces two counts of "obstructing operations carried out relative to COVID-19 under the Emergency Management Act," the South Australia Police said in a statement announcing the arrest. His arrest may just be a drop in the bucket: Reports of other anti-vax campaigners doing the same thing abound. Law enforcement added an additional warning to would-be QR code scammers: "Any person found to be tampering or obstructing with business QR codes will likely face arrest and court penalty of up to $10,000." The police said no personal data was breached, but the incident highlights that truly all an attacker needs is a printer and a pack of Avery labels to do real damage.

In this case, the QR codes were being used by the South Australian government's official CovidSafe app to access a device's camera, scan the code and collect real-time location data to be used for contact tracing in case of a COVID-19 outbreak, ABC News Australia reported. That's a lot of personal data linked to a single QR code just waiting to be stolen. "In this instance, people who scanned the illegitimate QR code were redirected to a website distributing misinformation from the anti-vaxxer community," Bill Harrod, vice president of public sector at Ivanti, told Threatpost. "While this is concerning, the outcome could have been far more perilous."

Security

New Malware Found Lurking In 64-Bit Linux Installs (zdnet.com) 85

syn3rg shares a report from ZDNet: A Linux backdoor recently discovered by researchers has avoided VirusTotal detection since 2018. Dubbed RotaJakiro, the Linux malware has been described by the Qihoo 360 Netlab team as a backdoor targeting Linux 64-bit systems. RotaJakiro was first detected on March 25 when a Netlab distributed denial-of-service (DDoS) botnet C2 command tracking system, BotMon, flagged a suspicious file.

At the time of discovery, there were no malware detections on VirusTotal for the file, despite four samples having been uploaded -- two in 2018, one in 2020, and another in 2021. Netlab researchers say the Linux malware changes its use of encryption to fly under the radar, including ZLIB compression and combinations of AES, XOR, and key rotation during its activities, such as the obfuscation of command-and-control (C2) server communication. At present, the team says that they do not know the malware's "true purpose" beyond a focus on compromising Linux systems.

There are 12 functions in total including exfiltrating and stealing data, file and plugin management -- including query/download/delete -- and reporting device information. However, the team cites a "lack of visibility" into the plugins that is preventing a more thorough examination of the malware's overall capabilities. In addition, RotaJakiro will treat root and non-root users on compromised systems differently and will change its persistence methods depending on which accounts exist.

Security

US Government Probes VPN Hack Within Federal Agencies, Races To Find Clues (reuters.com) 12

For at least the third time since the beginning of this year, the U.S. government is investigating a hack against federal agencies that began during the Trump administration but was only recently discovered, according to senior U.S. officials and private sector cyber defenders. Reuters reports: The new government breaches involve a popular virtual private network (VPN) known as Pulse Connect Secure, which hackers were able to break into as customers used it. More than a dozen federal agencies run Pulse Secure on their networks, according to public contract records. An emergency cybersecurity directive last week demanded that agencies scan their systems for related compromises and report back.

The results, collected on Friday and analyzed this week, show evidence of potential breaches in at least five federal civilian agencies, said Matt Hartman, a senior official with the U.S. Cybersecurity and Infrastructure Security Agency. "This is a combination of traditional espionage with some element of economic theft," said one cybersecurity consultant familiar with the matter. "We've already confirmed data exfiltration across numerous environments." The maker of Pulse Secure, Utah-based software company Ivanti, said it expected to provide a patch to fix the problem by this Monday, two weeks after it was first publicized. Only a "very limited number of customer systems" had been penetrated, it added.

Over the last two months, CISA and the FBI have been working with Pulse Secure and victims of the hack to kick out the intruders and uncover other evidence, said another senior U.S. official who declined to be named but is responding to the hacks. The FBI, Justice Department and National Security Agency declined to comment. The U.S. government's investigation into the Pulse Secure activity is still in its early stages, said the senior U.S. official, who added the scope, impact and attribution remain unclear. Security researchers at U.S. cybersecurity firm FireEye and another firm, which declined to be named, say they've watched multiple hacking groups, including an elite team they associate with China, exploiting the new flaw and several others like it since 2019.

Privacy

Experian API Exposed Credit Scores of Most Americans (krebsonsecurity.com) 44

tsu doh nimh writes: Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau. Bill Demirkapi, an independent security researcher who's currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online.

Demirkapi encountered one lender's site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API -- a capability that allows lenders to automate queries for FICO credit scores from the credit bureau. "No one should be able to perform an Experian credit check with only publicly available information," Demirkapi said. "Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian's system." Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the "date of birth" field let him then pull a person's credit score. He even built a handy command-line tool to automate the lookups, which he dubbed "Bill's Cool Credit Score Lookup Utility."

United States

White House Urged To Address Surge in Ransomware Attacks (bloomberg.com) 72

Cybersecurity experts, law enforcement agencies and governments urged the White House to root out safe havens for criminals engaging in ransomware and step up regulation of cryptocurrencies, the lifeblood of hackers, in the hopes of controlling a growing wave of attacks. From a report: These are two of 48 recommendations made by a task force in a report Thursday to the Biden administration aimed at fighting the continuing ransomware episodes that plague major corporations, local governments and health-care providers across the world. The task force, organized by the Institute for Security and Technology, said the cyber-attacks have become a $350 million criminal industry -- a four-fold increase from the previous year. Last week, the U.S. Justice Department created its own, independent ransomware task force, signaling growing awareness inside the U.S. government of the now decade-old threat. Ransomware is a type of malicious code that typically encrypts a victim's data or network of computers. The hackers then demand a ransom to decrypt the information. More recently, ransomware gangs have also stolen data and threatened to make it public unless the victim pays a fee.
Cloud

DigitalOcean Says Customer Billing Data Accessed In Data Breach (techcrunch.com) 9

DigitalOcean has emailed customers warning of a data breach involving customers' billing data, TechCrunch has learned. Zack Whittaker reports: The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has "confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account." The company said the person "gained access to some of your billing account details through a flaw that has been fixed" over a two-week window between April 9 and April 22. The email said customer billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date and the name of the card-issuing bank. The company said that customers' DigitalOcean accounts were "not accessed," and passwords and account tokens were "not involved" in this breach.

"To be extra careful, we have implemented additional security monitoring on your account. We are expanding our security measures to reduce the likelihood of this kind of flaw occuring [sic] in the future," the email said. DigitalOcean said it fixed the flaw and notified data protection authorities, but it's not clear what the apparent flaw was that put customer billing information at risk. In a statement, DigitalOcean's security chief Tyler Healy said 1% of billing profiles were affected by the breach, but declined to address our specific questions, including how the vulnerability was discovered and which authorities have been informed.

Security

DigitalOcean Says Customer Billing Data 'Exposed' by a Security Flaw (techcrunch.com) 12

DigitalOcean has emailed customers warning of a data breach involving customers' billing data, TechCrunch has learned. From the report: The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has "confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account." The company said the person "gained access to some of your billing account details through a flaw that has been fixed" over a two-week window between April 9 and April 22. The email said customer billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date, and the name of the card-issuing bank. The company said that customers' DigitalOcean accounts were "not accessed," and passwords and account tokens were "not involved" in this breach. "To be extra careful, we have implemented additional security monitoring on your account. We are expanding our security measures to reduce the likelihood of this kind of flaw occuring [sic] in the future," the email said.
United States

Security Firm Kaspersky Believes It Found New CIA Malware (therecord.media) 17

Cybersecurity firm Kaspersky said today it discovered new malware that appears to have been developed by the US Central Intelligence Agency. From a report: Kaspersky said it discovered the malware in "a collection of malware samples" that its analysts and other security firms received in February 2019. While an initial analysis did not find any shared code with any previously-known malware samples, Kaspersky has recently re-analyzed the files and said it found that "the samples have intersections of coding patterns, style and techniques that have been seen in various Lambert families." Lamberts is the internal codename that Kaspersky uses to track CIA hacking operations. Four years ago, after WikiLeaks exposed the CIA hacking capabilities to the public in a series of leaks known as Vault7, US security firm Symantec publicly linked the Vault7 hacking tools to the CIA and the Longhorn APT (another industry name for Lamberts).
IT

Mighty's Plan To Reignite the Future of Desktop Computing (mightyapp.com) 219

New submitter oblom writes about Mighty, a new approach to web browsing: In short, server-side web navigation, with client-side rendering. Per Y Combinator founder Paul Graham: "Usually when people talk about grand things like changing 'the future of computing,' they're full of it. But not this time. Suhail [founder of Mighty] has been working on this for 2 years. There's a good chance it's the new default infrastructure." Suhail writes in a blog post: After 2 years of hard work, we've created something that's indistinguishable from a Google Chrome that runs at 4K, 60 frames a second, takes no more than 500 MB of RAM, and often less than 30% CPU with 50+ tabs open. This is the first step in making a new kind of computer. [...] When you switch to Mighty, it will feel like you went out and bought a new computer with a much faster processor and much more memory. But you don't have [to] buy a new computer. All you have to do is download a desktop app.

To make Mighty work, we had to solve a lot of complex engineering problems, including designing a custom server to keep costs low, building a custom low-latency networking protocol, forking Chromium to integrate directly with various low-level render/encoder pipelines, and making the software interoperate with a long list of macOS features. We are working hard at ramping up server capacity across the world as we roll it out to users. You might be thinking: "Yeah but what about the lag?" Lag would have been a real problem 5 years ago, but new advances since then have allowed us to eliminate nearly all of it: 5 GHz WiFi bands, H.265 hardware-accelerated low-latency encoders, widespread 100 Mbps Internet, and cheaper, more powerful GPUs. We also designed a new low-latency network protocol, and we locate servers as close to users geographically as possible. As a result, a user with 100 Mbps internet will rarely notice lag while using Mighty. Watch this demo video and see for yourself.

Encryption

Signal's Cellebrite Hack Is Already Causing Grief For the Law (gizmodo.com) 109

An anonymous reader quotes a report from Gizmodo: A Maryland defense attorney has decided to challenge the conviction of one of his clients after it was recently discovered that the phone cracking product used in the case, produced by digital forensics firm Cellebrite, has severe cybersecurity flaws that could make it vulnerable to hacking. Ramon Rozas, who has practiced law for 25 years, told Gizmodo that he was compelled to pursue a new trial after reading a widely shared blog post written by the CEO of the encryption chat app Signal, Moxie Marlinspike. It was just about a week ago that Marlinspike brutally dunked on Cellebrite -- writing, in a searing takedown, that the company's products lacked basic "industry-standard exploit mitigation defenses," and that security holes in its software could easily be exploited to manipulate data during cell phone extraction.

Given the fact that Cellebrite's extraction software is used by law enforcement agencies the world over, questions have naturally emerged about the integrity of investigations that used the tech to secure convictions. For Rozas, the concerns center around the fact that "Cellebrite evidence was heavily relied upon" to convict his client, who was charged in relation to an armed robbery. The prosecution's argument essentially turned on that data, which was extracted from the suspect's phone using the company's tools. In a motion recently filed, Rozas argued that because "severe defects" have since been uncovered about the technology, a "new trial should be ordered so that the defense can examine the report produced by the Cellebrite device in light of this new evidence, and examine the Cellebrite device itself."

"I think it's going to take a while to figure out what the exact legal ramifications of this are," says Megan Graham, a Clinical Supervising Attorney at the Samuelson Law, Technology & Public Policy Clinic with Berkeley Law School. "I don't know how likely it is that cases would be thrown out," she said, adding that a person who has already been convicted would likely have to "show that someone else identified this vulnerability and exploited it at the time" -- not an especially easy task.

"Going forward, I think it's just hard to tell," Graham said. "We now know that this vulnerability exists, and it creates concerns about the security of Cellebrite devices and the integrity of evidence." But there's a lot that we don't know, she emphasized. Among Graham's concerns, she said that "we don't know if the vulnerability is being exploited," and that makes it difficult to discern when it could become an issue in past cases. "I think there will be cases where defense attorneys are able to get judges engaged [on this issue]. They will present the security concerns, worries about manipulated evidence, and it might be persuasive. I think there will be a wide array of responses when it comes to how this plays out in cases," she said.
United States

Department of Homeland Security Pushes REAL ID Deadline To 2023 (go.com) 160

The federal government is delaying the deadline for the REAL ID enforcement for a second time. The regulation was put in place in 2005 as a way to ensure travelers' identities following the 9/11 attacks, according to the DHS. Only recently did all 50 states come into compliance. ABC News reports: Every domestic air traveler 18 and older will need a REAL ID-compliant driver's license or identification card, state-issued enhanced driver's license or another TSA-acceptable form of identification beginning on May 3, 2023, the Department of Homeland Security announced Tuesday. The original deadline of Oct. 1, 2020, was postponed for one year due to the pandemic. The second delay is also "due to circumstances resulting from the ongoing COVID-19 pandemic," according to the DHS press release. Currently, only 43% of driver's licenses issued in the U.S. are REAL ID-compliant, according to DHS data.
Security

Ask Slashdot: How Harmful Are In-House Phishing Campaigns? 128

tiltowait writes: My organization has an acceptable use policy which forbids sending out spam. Every few months, however, the central IT office exempts itself from this rule by delivering deceptive e-mails to all employees as a test of their ability to ignore phishing scams. For those who simply delete the messages, they are a small annoyance, comparable to the overhead of having to regularly change passwords -- also done largely unnecessarily, perhaps even to the point of being another bad practice. As someone working in a departmental systems office, I can also attest that these campaigns generate a fair amount of workload from inquiries about their legitimacy. Aside from the "gotcha" angle, which perpetuates some ill will amongst staff, I can't help but think that these exercises are of questionable net value, especially with other countermeasures, such as MFA and Safelinks, already in place. Is it worth spreading misinformation to experiment on your colleagues in such a fashion?
Security

Ransomware Gang Threatens To Expose Police Informants If Ransom Is Not Paid (therecord.media) 52

An anonymous reader writes: A ransomware gang is threatening to leak sensitive police files that may expose police investigations and informants unless the Metropolitan Police Department of the District of Columbia agrees to pay a ransom demand. A group that emerged this year called Babuk claimed responsibility for the leak. Babuk is known for ransomware attacks, which hold victims' data hostage until they pay a ransom, often in Bitcoin. The group also hit the Houston Rockets N.B.A. team this month.

In their post to the dark web, Babuk's cybercriminals claimed they had downloaded 250 gigabytes of data and threatened to leak it if their ransom demands were not met in three days. They also threatened to release information about police informants to criminal gangs, and to continue attacking "the state sector," including the F.B.I. and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. The information already released appeared to include chief's reports, lists of arrests and lists of persons of interest.

Businesses

Network Security Company Proofpoint Goes Private In $12.3 Billion Deal (venturebeat.com) 7

Private equity firm Thoma Bravo has announced plans to acquire cybersecurity company Proofpoint in a deal worth $12.3 billion. VentureBeat reports: Founded in 2002 by former Netscape CTO Eric Hahn, Proofpoint was originally known for an email security product that helped businesses identify spam, viruses, and other electronic correspondence that might contravene company policies. In the subsequent years, the Sunnyvale, California-based company has expanded its scope to include an array of cloud-based security products designed to protect enterprises from targeted threats. Proofpoint went public back in 2012, with its shares initially trading at around $13 -- these have grown steadily over the past decade, hitting an all-time high of $140 earlier this year and giving it a market capitalization of more than $7 billion.

Thoma Bravo has a track record of taking publicly traded cybersecurity companies private, having done just that with network security company Barracuda in a 2017 deal worth $1.6 billion and with Sophos last year for $3.9 billion. The Proofpoint deal, which is expected to close in Q3 2021, sees Thoma Bravo paying a 34% premium on Proofpoint's closing price at the last full trading day (April 23), with shareholders set to receive $176 for each share they own. It's worth noting that the $12.3 billion price tag positions this as the biggest cybersecurity acquisition of all time, putting it ahead of the $7.68 billion Intel shelled out for McAfee 11 years ago. And by VentureBeat's calculations, the Proofpoint acquisition represents one of the biggest overall technology acquisitions ever, putting it in the top 20, alongside megadeals that include Dell's $67 billion EMC purchase, IBM's $34 billion Red Hat deal, and Salesforce's impending $27.7 billion Slack acquisition.

Security

A Software Bug Let Malware Bypass macOS' Security Defenses (techcrunch.com) 28

Apple has spent years reinforcing macOS with new security features to make it tougher for malware to break in. But a newly discovered vulnerability broke through most of macOS' newer security protections with a double-click of a malicious app, a feat not meant to be allowed under Apple's watch. From a report: Worse, evidence shows a notorious family of Mac malware has already been exploiting this vulnerability for months before it was subsequently patched by Apple this week. Over the years, Macs have adapted to catch the most common types of malware by putting technical obstacles in their way. macOS flags potentially malicious apps masquerading as documents that have been downloaded from the internet. And if macOS hasn't reviewed the app -- a process Apple calls notarization -- or if it doesn't recognize its developer, the app won't be allowed to run without user intervention.

But security researcher Cedric Owens said the bug he found in mid-March bypasses those checks and allows a malicious app to run. Owens told TechCrunch that the bug allowed him to build a potentially malicious app to look like a harmless document, which when opened bypasses macOS' built-in defenses. "All the user would need to do is double click -- and no macOS prompts or warnings are generated," he told TechCrunch. Owens built a proof-of-concept app disguised as a harmless document that exploits the bug to launch the Calculator app, a way of demonstrating that the bug works without dropping malware. But a malicious attacker could exploit this vulnerability to remotely access a user's sensitive data simply by tricking a victim into opening a spoofed document, he explained.
