United States

US Calls Broadcom's Bid For Qualcomm a National Security Risk (nytimes.com) 91

An anonymous reader quotes a report from The New York Times (Warning: source may be paywalled; alternative source): The United States government said Broadcom's proposed acquisition of rival chipmaker Qualcomm could pose a national security risk and called for a full investigation into the hostile bid. The move complicates an already contentious deal and increases the likelihood that Broadcom, which is based in Singapore, will end its pursuit of Qualcomm. Such an investigation is often a death knell for a corporate acquisition. A government panel, the Committee on Foreign Investment in the United States, or Cfius, noted, in part, that the potential risk was related to Broadcom's relationships with foreign entities, according to a letter from a United States Treasury official. It also said that the deal could weaken "Qualcomm's technological leadership," giving an edge to Chinese companies like Huawei. "China would likely compete robustly to fill any void left by Qualcomm as a result of this hostile takeover," the official said in the letter. The letter and the public call for an investigation reflects a newly aggressive stance by Cfius. In most cases, the panel operates in secret and weighs in after a deal is announced. In this instance, Cfius, which is made up of representatives from multiple federal agencies, is taking a proactive role and investigating before an acquisition agreement has even been signed.

One Single Malicious Vehicle Can Block 'Smart' Street Intersections In the US (bleepingcomputer.com) 98

An anonymous reader shares a BleepingComputer report: Academics from the University of Michigan have shown that one single malicious car could trick US-based smart traffic control systems into believing an intersection is full and force the traffic control algorithm to alter its normal behavior, and indirectly cause traffic slowdowns and even block street intersections. The team's research focused on Connected Vehicle (CV) technology, which is currently being included in all cars manufactured across the globe. More precisely, it targets V2I (vehicle-to-infrastructure) protocols, and more precisely the I-SIG system implemented in the US.

The Michigan research team says the I-SIG system in its current default configuration is vulnerable to basic data spoofing attacks. Researchers say this is "due to a vulnerability at the signal control algorithm level," which they call "the last vehicle advantage." This means that the latest arriving vehicle can determine the traffic system's algorithm output. The research team says I-SIG doesn't come with protection from spoofing attacks, allowing one vehicle to send repeated messages to a traffic intersection, posing as the latest vehicle that arrived at the intersection. According to simulated traffic models, the Michigan team says that around a fifth of all cars that entered a test intersection took seven minutes to traverse the traffic junction that would have normally taken only half a minute. Researchers don't believe this bug could be exploited for actual gains in the real world, but the bugs' existence shows the protocol is poorly coded, even four years after first being proved unsecured.


Mysterious $15,000 'GrayKey' Promises To Unlock iPhone X For The Feds (forbes.com) 106

Thomas Fox-Brewster, reporting for Forbes: Just a week after Forbes reported on the claim of Israeli U.S. government manufacturer Cellebrite that it could unlock the latest Apple iPhone models, another service has emerged promising much the same. Except this time it comes from an unkown entity, an obscure American startup named Grayshift, which appears to be run by long-time U.S. intelligence agency contractors and an ex-Apple security engineer. In recent weeks, its marketing materials have been disseminated around private online police and forensics groups, offering a $15,000 iPhone unlock tool named GrayKey, which permits 300 uses. That's for the online mode that requires constant connectivity at the customer end, whilst an offline version costs $30,000. The latter comes with unlimited uses. Another ad showed Grayshift claiming to be able to unlock iPhones running iOS 10 and 11, with iOS 9 support coming soon. It also claims to work on the latest Apple hardware, up to the iPhone 8 and X models released just last year. In a post from one private Google group, handed to Forbes by a source who asked to remain anonymous, the writer indicated they'd been demoed the technology and that it had opened an iPhone X.

New LTE Attacks Can Snoop On Messages, Track Locations, and Spoof Emergency Alerts (zdnet.com) 28

An anonymous reader quotes a report from ZDNet: A slew of newly discovered vulnerabilities can wreak havoc on 4G LTE network users by eavesdropping on phone calls and text messages, knocking devices offline, and even spoofing emergency alerts. Ten attacks detailed in a new paper by researchers at Purdue University and the University of Iowa expose weaknesses in three critical protocol operations of the cellular network, such as securely attaching a device to the network and maintaining a connection to receive calls and messages. Those flaws can allow authentication relay attacks that can allow an adversary to connect to a 4G LTE network by impersonating an existing user -- such as a phone number. Although authentication relay attacks aren't new, this latest research shows that they can be used to intercept message, track a user's location, and stop a phone from connecting to the network. By using common software-defined radio devices and open source 4G LTE protocol software, anyone can build the tool to carry out attacks for as little as $1,300 to $3,900, making the cost low enough for most adversaries. The researchers aren't releasing the proof-of-concept code until the flaws are fixed, however.

GitHub Survived the Biggest DDoS Attack Ever Recorded (wired.com) 144

A 1.35 terabit-per-second DDoS attack hit GitHub all at once last Wednesday. "It was the most powerful distributed denial of service attack recorded to date -- and it used an increasingly popular DDoS method, no botnet required," reports Wired. From the report: GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off. "We modeled our capacity based on fives times the biggest attack that the internet has ever seen," Josh Shaul, vice president of web security at Akamai told WIRED hours after the GitHub attack ended. "So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It's one thing to have the confidence. It's another thing to see it actually play out how you'd hope."

Akamai defended against the attack in a number of ways. In addition to Prolexic's general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren't meant to be exposed on the public internet; anyone can query them, and they'll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply.


23,000 HTTPS Certs Axed After CEO Emails Private Keys (arstechnica.com) 72

An anonymous reader quotes Ars Technica: A major dust-up on an Internet discussion forum is touching off troubling questions about the security of some browser-trusted HTTPS certificates when it revealed the CEO of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates. The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec...

In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec-issued certificates Trustico had resold should be mass revoked because of security concerns. When Jeremy Rowley, an executive vice president at DigiCert, asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates, according to an account posted to a Mozilla security policy forum. The report produced a collective gasp among many security practitioners who said it demonstrated a shockingly cavalier treatment of the digital certificates that form one of the most basic foundations of website security... In a statement, Trustico officials said the keys were recovered from "cold storage," a term that typically refers to offline storage systems. "Trustico allows customers to generate a Certificate Signing Request and Private Key during the ordering process," the statement read. "These Private Keys are stored in cold storage, for the purpose of revocation."

"There's no indication the email was encrypted," reports Ars Technica, and the next day DigiCert sent emails to Trustico's 23,000+ customers warning that their certificates were being revoked, according to Bleeping Computer.

In a related development, Thursday Trustico's web site went offline, "shortly after a website security expert disclosed a critical vulnerability on Twitter that appeared to make it possible for outsiders to run malicious code on Trustico servers."

Equifax Identifies Additional 2.4 Million Customers Hit By Data Breach (nbcnews.com) 15

Credit score giant Equifax said on Thursday it had identified another 2.4 million U.S. consumers whose names and driver's license information were stolen in a data breach last year that affected half the U.S. population. From a report: The company said it was able confirm the identities of U.S. consumers whose driver's license information was taken by referencing other information in proprietary company records that the attackers did not steal. "Equifax will notify these newly identified U.S. consumers directly, and will offer identity theft protection and credit file monitoring services at no cost to them," the company said.

Germany Says Government Network Was Breached (bbc.com) 30

An anonymous reader shares a report from The Wall Street Journal (Warning: source may be paywalled; alternative source): German authorities said on Wednesday they were investigating a security breach of the government's highly protected computer network. The country's intelligence agencies were examining attacks on more than one government ministry, the interior ministry said, adding that the affected departments had been informed and that the attack had been isolated and brought under control. Earlier on Wednesday, the German news agency DPA reported that German security services had discovered a breach of the government's IT network in December and traced it back to state-sponsored Russian hackers. German companies have been the target of sustained attacks by state-sponsored hackers, mainly believed to be Chinese. In 2015, the Bundestag, parliament's lower house, suffered a extensive breach, leading to the theft of several gigabytes of data by what German security officials believe were Russian cyberthieves. Hackers believed to be part of the Russia-linked APT28 group sought to infiltrate the computer systems of several German political parties in 2016, Germany's domestic intelligence agency said in 2016.

US Response 'Hasn't Changed The Calculus' Of Russian Interference, NSA Chief Says (npr.org) 126

An anonymous reader shares an NPR report: The admiral in charge of both the nation's top electronic spying agency and the Pentagon's cybersecurity operations would seem a logical point man for countering Russia's digital intrusions in U.S. election campaigns. But National Security Agency and U.S. Cyber Command chief Adm. Michael Rogers told the Senate Armed Services Committee on Tuesday there is only so much he can do. That is because, according to Rogers, President Trump has not ordered him to go after the Russian attacks at their origin. Sen. Jack Reed of Rhode Island, the committee's ranking Democrat, asked Rogers, "Have you been directed to do so, given this strategic threat that faces the United States and the significant consequences you recognize already?" "No, I have not," Rogers replied. But the spy chief pushed back on suggestions that he should seek a presidential signoff. "I am not going to tell the president what he should or should not do," Rogers said when Connecticut Democrat Richard Blumenthal pressed him on whether Trump should approve that authority.

"I'm an operational commander, not a policymaker," he added. "That's the challenge for me as a military commander." Rogers agreed with Blumenthal's estimation that Russian cyber operatives continue to attack the U.S. with impunity and that Washington's response has fallen short. "It hasn't changed the calculus, is my sense," the spy chief told Blumenthal. "It certainly hasn't generated the change in behavior that I think we all know we need."


Sega Cancels Yakuza 6 Song of Life Free Demo After Gamers Unlocked Full Game (businessinsider.com) 43

Sega pulled the highly anticipated "Yakuza 6: The Song of Life" demo this week from the PlayStation Store after discovering some players had inadvertently gained access to the full game using the demo. From a report: This discovery came only hours after the demo was initially released for PlayStation 4. The Japanese video game company tweeted, "We are as upset as you are, and had hoped to have this demo available for everyone today. We discovered that some were able to use the demo to unlock the full game." [...] When the demo was initially released it required more than 36 GB of storage, to the surprise of many video game critics. Kotaku, an online entertainment publication, suggests that the demo was so large because it actually contained the entire game, but was supposed to restrict everything beyond the first few stages of the game.

Bill Gates: Cryptocurrency Is 'Rare Technology That Has Caused Deaths In a Fairly Direct Way' (cnbc.com) 161

An anonymous reader quotes a report from CNBC: During a recent "Ask Me Anything" session on Reddit, the Microsoft co-founder said that the main feature of cryptocurrencies is the anonymity they provide to buyers, and Gates thinks that can actually be harmful. "The government's ability to find money laundering and tax evasion and terrorist funding is a good thing," he wrote. "Right now, cryptocurrencies are used for buying fentanyl and other drugs, so it is a rare technology that has caused deaths in a fairly direct way." When a Reddit user pointed out that plain cash can also be used for illicit activities, Gates said that crypto stands out because it can be easier to use. "Yes -- anonymous cash is used for these kinds of things, but you have to be physically present to transfer it, which makes things like kidnapping payments more difficult," he wrote. Gates also warned that the wave of speculation surrounding cryptocurrencies is "super risky for those who go long."
Operating Systems

Apple To Suspend iTunes Store Support For 'Obsolete' First-Gen Apple TV (arstechnica.com) 123

The original Apple TV, first introduced in 2007, will no longer be able to connect to the iTunes Store due to new security changes to be implemented by Apple. The news comes from a support document, which also mentions that PCs running Windows XP or Windows Vista will lose access to the most recent version of iTunes. Ars Technica reports: According to the document, the "obsolete" original Apple TV won't be updated in the future to support access to the iTunes Store. After May 25, users will only be able to access iTunes on second-generation Apple TVs and newer streaming devices. The same security changes affecting the first-gen Apple TV will also affect Windows XP and Vista machines. Users on such devices can still run previous versions of iTunes, so they should still be able to play their music library without problems. However, affected users won't be able to make new iTunes purchases or re-download previous purchases. Only machines running Windows 7 or later after May 25 will have full access to iTunes, including the ability to make new purchases and re-download older purchases.

Pop-Up Cameras Could Soon Be a Mobile Trend (techcrunch.com) 58

An anonymous reader quotes a report from TechCrunch: There's an interesting concept making its way around Mobile World Congress. Two gadgets offer cameras hidden until activated, which offer a fresh take on design and additional privacy. Vivo built a camera into a smartphone concept that's on a little sliding tray and Huawei will soon offer a MacBook Pro clone that features a camera hidden under a door above the keyboard. This could be a glimpse of the future of mobile design. Cameras have long been embedded in laptops and smartphones much to the chagrin of privacy experts. Some users cover up these cameras with tape or slim gadgets to ensure nefarious players do not remotely activate the cameras. Others, like HP, have started to build in shutters to give the user more control. Both DIY and built-in options require substantial screen bezels, which the industry is quickly racing to eliminate.

With shrinking bezels, gadget makers have to look for new solutions like the iPhone X notch. Others still, like Vivo and Huawei, are look at more elegant solutions than carving out a bit of the screen. For Huawei, this means using a false key within the keyboard to house a hidden camera. Press the key and it pops up like a trapdoor. We tried it out and though the housing is clever, the placement makes for awkward photos -- just make sure you trim those nose hairs before starting your conference call. Vivo has a similar take to Huawei though the camera is embedded on a sliding tray that pops-up out of the top of the phone.


Israel-Based Vendor Cellebrite Can Unlock Every iPhone, including the Current-Gen iPhone X, That's On the Market: Forbes (forbes.com) 146

Cellebrite, an Israel-based company, knows of ways to unlock every iPhone that's on the market, right up to the iPhone X, Forbes reported on Monday, citing sources. From the report: Cellebrite, a Petah Tikva, Israel-based vendor that's become the U.S. government's company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11 . That includes the iPhone X, a model that Forbes has learned was successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology.

The Israeli firm, a subsidiary of Japan's Sun Corporation, hasn't made any major public announcement about its new iOS capabilities. But Forbes was told by sources (who asked to remain anonymous as they weren't authorized to talk on the matter) that in the last few months the company has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe. Indeed, the company's literature for its Advanced Unlocking and Extraction Services offering now notes the company can break the security of "Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11." Separately, a source in the police forensics community told Forbes he'd been told by Cellebrite it could unlock the iPhone 8. He believed the same was most probably true for the iPhone X, as security across both of Apple's newest devices worked in much the same way.


Scientists Say Space Aliens Could Hack Our Planet (nbcnews.com) 293

Scientists are worried that space aliens might send messages that worm their way into human society -- not to steal our passwords but to bring down our culture. "Astrophysicists Michael Hippke and John Learned argue in a recent paper that our telescopes might pick up hazardous messages sent our way -- a virus that shuts down our computers, for example, or something a bit like cosmic blackmail: 'Do this for us, or we'll make your sun go supernova and destroy Earth,'" reports NBC News. "Or perhaps the cosmic hackers could trick us into building self-replicating nanobots, and then arrange for them to be let loose to chew up our planet or its inhabitants." From the report: The astrophysicists also suggest that the extraterrestrials could show their displeasure (what did we do?) by launching a cyberattack. Maybe you've seen the 1996 film "Independence Day," in which odious aliens are vanquished by a computer virus uploaded into their machinery. That's about as realistic as sabotaging your neighbor's new laptop by feeding it programs written for the Commodore 64. In other words, aliens that could muster the transmitter power (not to mention the budget) to try wiping us out with code are going to have a real compatibility problem.

Yet there is a way that messages from space might be disruptive. Extraterrestrials could simply give us some advanced knowledge -- not as a trade, but as a gift. How could that possibly be a downer? Imagine: You're a physicist who has dedicated your career to understanding the fundamental structure of matter. You have a stack of reprints, a decent position, and a modicum of admiration from the three other specialists who have read your papers. Suddenly, aliens weigh in with knowledge that's a thousand years ahead of yours. So much for your job and your sense of purpose. If humanity is deprived of the opportunity to learn things on its own, much of its impetus for novelty might evaporate. In a society where invention and discovery are written out of the script, progress and improvement would suffer.


Hackers Are Selling Legitimate Code-signing Certificates To Evade Malware Detection (zdnet.com) 50

Zack Whittaker, writing for ZDNet Security researchers have found that hackers are using code-signing certificates more to make it easier to bypass security appliances and infect their victims. New research by Recorded Future's Insikt Group found that hackers and malicious actors are obtaining legitimate certificates from issuing authorities in order to sign malicious code. That's contrary to the view that in most cases certificates are stolen from companies and developers and repurposed by hackers to make malware look more legitimate. Code-signing certificates are designed to give your desktop or mobile app a level of assurance by making apps look authentic. Whenever you open a code-signed app, it tells you who the developer is and provides a high level of integrity to the app that it hasn't been tampered with in some way. Most modern operating systems, including Macs , only run code-signed apps by default.

How Are Sysadmins Handling Spectre/Meltdown Patches? (hpe.com) 49

Esther Schindler (Slashdot reader #16,185) writes that the Spectre and Meltdown vulnerabilities have become "a serious distraction" for sysadmins trying to apply patches and keep up with new fixes, sharing an HPE article described as "what other sysadmins have done so far, as well as their current plans and long-term strategy, not to mention how to communicate progress to management." Everyone has applied patches. But that sounds ever so simple. Ron, an IT admin, summarizes the situation succinctly: "More like applied, applied another, removed, I think re-applied, I give up, and have no clue where I am anymore." That is, sysadmins are ready to apply patches -- when a patch exists. "I applied the patches for Meltdown but I am still waiting for Spectre patches from manufacturers," explains an IT pro named Nick... Vendors have released, pulled back, re-released, and re-pulled back patches, explains Chase, a network administrator. "Everyone is so concerned by this that they rushed code out without testing it enough, leading to what I've heard referred to as 'speculative reboots'..."

The confusion -- and rumored performance hits -- are causing some sysadmins to adopt a "watch carefully" and "wait and see" approach... "The problem is that the patches don't come at no cost in terms of performance. In fact, some patches have warnings about the potential side effects," says Sandra, who recently retired from 30 years of sysadmin work. "Projections of how badly performance will be affected range from 'You won't notice it' to 'significantly impacted.'" Plus, IT staff have to look into whether the patches themselves could break something. They're looking for vulnerabilities and running tests to evaluate how patched systems might break down or be open to other problems.

The article concludes that "everyone knows that Spectre and Meltdown patches are just Band-Aids," with some now looking at buying new servers. One university systems engineer says "I would be curious to see what the new performance figures for Intel vs. AMD (vs. ARM?) turn out to be."

New Tech Industry Lobbying Group Argues 'Right to Repair' Laws Endanger Consumers (securityledger.com) 146

chicksdaddy brings this report from Security Ledger: The Security Innovation Center, with backing of powerful tech industry groups, is arguing that letting consumers fix their own devices will empower hackers. The group released a survey last week warning of possible privacy and security risks should consumers have the right to repair their own devices. It counts powerful electronics and software industry organizations like CompTIA, CTIA, TechNet and the Consumer Technology Association as members... In an interview with The Security Ledger, Josh Zecher, the Executive Director of The Security Innovation Center, acknowledged that Security Innovation Center's main purpose is to push back on efforts to pass right to repair laws in the states.

He said the group thinks such measures are dangerous, citing the "power of connected products and devices" and the fact that they are often connected to each other and to the Internet via wireless networks. Zecher said that allowing device owners or independent repair professionals to service smart home devices and connected appliances could expose consumer data to hackers or identity thieves... Asked whether Security Innovation Center was opposed to consumers having the right to repair devices they purchased and owned, Zecher said the group did oppose that right on the grounds of security, privacy and safety... "People say 'It's just my washing machine. Why can't I fix it on my own?' But we saw the Mirai botnet attack last year... Those kinds of products in the wrong hands can be used to do bad things."


Signal, WhatsApp Co-Founder Launch 'Open Source Privacy Technology' Nonprofit (thenextweb.com) 45

An anonymous reader quotes The Next Web:One of the first messaging services to offer end-to-end encryption for truly private conversations, Signal has largely been developed by a team that's never grown larger than three full-time developers over the years it's been around. Now, it's getting a shot in the arm from the co-founder of a rival app. Brian Acton, who built WhatsApp with Jan Koum into a $19 billion business and sold it to Facebook, is pouring $50 million into an initiative to support the ongoing development of Signal. Having left WhatsApp last fall, he's now free to explore projects whose ideals he agrees with, and that includes creating truly private online services.
"Starting with an initial $50,000,000 in funding, we can now increase the size of our team, our capacity, and our ambitions," wrote Signal founder Moxie Marlinspike (a former Twitter executive).

Acton will now also serve as the executive chairman of the newly-formed Signal Foundation, which according to its web site will "develop open source privacy technology that protects free expression and enables secure global communication."

Slashdot Top Deals