Security

US Government Finds New Malware From North Korea (engadget.com) 77

Days after the historic North Korea-United States summit, the Department of Homeland Security issued a report on Thursday warning of a new variant of North Korean malware to look out for. Called Typeframe, the malware is able to download and install additional malware, proxies and trojans; modify firewalls; and connect to servers for additional instructions. Engadget reports: Since last May, the DHS has issued a slew of alerts and reports about North Korea's malicious cyber activity. The department also pointed out that North Korea has been hacking countries around the world since 2009. And of course, don't forget that the U.S. also labeled that country as the source of the WannaCry cyberattack, which notably held data from the UK's National Health Service hostage, and wreaked havoc across Russia and Ukraine. CNN was first to report the news.
Programming

Eric Raymond Shares 'Code Archaeology' Tips, Urges Bug-Hunts in Ancient Code (itprotoday.com) 99

Open source guru Eric Raymond warned about the possibility of security bugs in critical code which can now date back more than two decades -- in a talk titled "Rescuing Ancient Code" at last week's SouthEast Linux Fest in North Carolina. In a new interview with ITPro Today, Raymond offered this advice on the increasingly important art of "code archaeology". "Apply code validators as much as you can," he said. "Static analysis, dynamic analysis, if you're working in Python use Pylons, because every bug you find with those tools is a bug that you're not going to have to bleed through your own eyeballs to find... It's a good thing when you have a legacy code base to occasionally unleash somebody on it with a decent sense of architecture and say, 'Here's some money and some time; refactor it until it's clean.' Looks like a waste of money until you run into major systemic problems later because the code base got too crufty. You want to head that off...."

"Documentation is important," he added, "applying all the validators you can is important, paying attention to architecture, paying attention to what's clean is important, because dirty code attracts defects. Code that's difficult to read, difficult to understand, that's where the bugs are going to come out of apparent nowhere and mug you."

For a final word of advice, Raymond suggested that it might be time to consider moving away from some legacy programming languages as well. "I've been a C programmer for 35 years and have written C++, though I don't like it very much," he said. "One of the things I think is happening right now is the dominance of that pair of languages is coming to an end. It's time to start looking beyond those languages for systems programming. The reason is we've reached a project scale, we've reached a typical volume of code, at which the defect rates from the kind of manual memory management that you have to do in those languages are simply unacceptable anymore... think it's time for working programmers and project managers to start thinking about, how about if we not do this in C and not incur those crazy downstream error rates."

Raymond says he prefers Go for his alternative to C, complaining that Rust has a high entry barrier, partly because "the Rust people have not gotten their act together about a standard library."
Security

Inside the Private Event Where Microsoft, Google, Salesforce and Other Rivals Share Security Secrets (geekwire.com) 48

News outlet GeekWire takes us inside Building 99 at Microsoft, where security professionals of the software giant, along with those of Amazon, Google, Netflix, Salesforce, Facebook (and others), companies that fiercely compete with one another, gathered earlier this week to share their learnings for the greater good. From the story: As the afternoon session ended, the organizer from Microsoft, security data wrangler Ram Shankar Siva Kumar, complimented panelist Erik Bloch, the Salesforce security products and program management director, for "really channeling the Ohana spirit," referencing the Hawaiian word for "family," which Salesforce uses to describe its internal culture of looking out for one another. It was almost enough to make a person forget the bitter rivalry between Microsoft and Salesforce. Siva Kumar then gave attendees advice on finding the location of the closing reception. "You can Bing it, Google it, whatever it is," he said, as the audience laughed at the rare concession to Microsoft's longtime competitor.

It was no ordinary gathering at Microsoft, but then again, it's no ordinary time in tech. The Security Data Science Colloquium brought the competitors together to focus on one of the biggest challenges and opportunities in the industry. Machine learning, one of the key ingredients of artificial intelligence, is giving the companies new superpowers to identify and guard against malicious attacks on their increasingly cloud-oriented products and services. The problem is that hackers are using many of the same techniques to take those attacks to a new level. "The challenge is that security is a very asymmetric game," said Dawn Song, a UC Berkeley computer science and engineering professor who attended the event. "Defenders have to defend across the board, and attackers only need to find one hole. So in general, it's easier for attackers to leverage these new techniques." That helps to explain why the competitors are teaming up.
In a statement, Erik Bloch, Director Security PM at Salesforce, said, "This is what the infosec and security industry needs more of. Our customers are shared, and so is our responsibility to protect them."
China

Chinese Cyber-Espionage Group Hacked Government Data Center (bleepingcomputer.com) 36

Catalin Cimpanu, writing for BleepingComputer: A Chinese-linked cyber-espionage unit has hacked a data center belonging to a Central Asian country and has embedded malicious code on government sites. The hack of the data center happened sometime in mid-November 2017, according to a report published by Kaspersky Lab earlier this week. Experts assigned the codename of LuckyMouse to the group behind this hack, but they later realized the attackers were an older Chinese threat actor known under various names in the reports of other cyber-security firms, such as Emissary Panda, APT27, Threat Group 3390, Bronze Union, ZipToken, and Iron Tiger.
Security

17 Backdoored Images Downloaded 5 Million Times Removed From Docker Hub (bleepingcomputer.com) 35

An anonymous reader writes: "The Docker team has pulled 17 Docker container images that have been backdoored and used to install reverse shells and cryptocurrency miners on users' servers for the past year," reports Bleeping Computer. "The malicious Docker container images have been uploaded on Docker Hub, the official repository of ready-made Docker images that sysadmins can pull and use on their servers, work, or personal computers." The images, downloaded over 5 million times, helped crooks mine Monero worth over $90,000 at today's exchange rate. Docker Hub is now just the latest package repository to feature backdoored libraries, after npm and PyPI. Docker Hub is now facing criticism for taking months to intervene after user reports, and then going on stage at a developer conference and claiming they care about security.
Apple

Apple Maps Was Down For All Users Earlier Today (engadget.com) 74

An anonymous reader shares a report: Apple Maps is down and has been for a few hours today, 9to5Mac reports. Users are noting on Twitter and Apple Support that the service isn't working on phones, Apple Watch or CarPlay and searches for certain places or points of interest result in a "No Results Found" response. Apple has noted on its system status site that all users are experiencing issues with both Maps search and navigation. Update: It is functional again.
Security

How the World Cup Plays Out Among Hackers (axios.com) 28

The World Cup began today in Russia, and hackers were watching the games. From a report: In prior years, cybersecurity firm Akamai has seen declines in cyberattacks while the World Cup games are in play -- "at least until games are out of reach," said Patrick Sullivan, Akamai director of security technology. Once games are well in hand, attacks from the losing team's nation spike well above normal. Often, said Sullivan, that takes the form of attacks designed to take down news stories in the victor's country that tout a home-team win. Sullivan notes activists frequently use various forms of cyber attacks during major sporting events to protest the host nation -- often targeting sponsors to get their point across. He points to protestors upset with the amount of money spent on the recent Brazilian World Cup as an example.
Businesses

Most Organizations Are Not Fully Embracing DevOps (betanews.com) 294

An anonymous reader shares a report: Although many businesses have begun moving to DevOps-style processes, eight out of 10 respondents to a new survey say they still have separate teams for managing infrastructure/operations and development. The study by managed cloud specialist 2nd Watch of more than 1,000 IT professionals indicates that a majority of companies have yet to fully commit to the DevOps process. 78 percent of respondents say that separate teams are still managing infrastructure/operations and application development. Some organizations surveyed are using infrastructure-as-code tools, automation or even CI/CD pipelines, but those techniques alone do not define DevOps.
EU

Kaspersky Halts Europol Partnership After Controversial EU Parliament Vote (bleepingcomputer.com) 104

An anonymous reader writes: Kaspersky Lab announced it was temporarily halting its cooperation with Europol following the voting of a controversial motion in the European Parliament. The Russian antivirus vendor will also stop working on the NoMoreRansom project that provided free ransomware decrypters for ransomware victims.

The company's decision comes after the EU Parliament voted on a controversial motion that specifically mentions Kaspersky as "confirmed as malicious" software and urges EU states to ban it as part of a joint EU cyber defense strategy. The EU did not present any evidence for its assessment that Kaspersky is malicious, and even answered user questions claiming it has no evidence. The motion is just an EU policy and has no legislative power, but it is still an official document. Kaspersky software has been previously banned from government systems in the US, UK, Netherlands, and Lithuania.

Privacy

Comey, Who Investigated Hillary Clinton For Using Personal Email For Official Business, Used His Personal Email For Official Business (buzzfeed.com) 437

An anonymous reader shares a report: Former FBI Director James Comey, who led the investigation into Hillary Clinton's use of personal email while secretary of state, also used his personal email to conduct official business, according to a report from the Justice Department on Thursday. The report also found that while Comey was "insubordinate" in his handling of the email investigation, political bias did not play a role in the FBI's decision to clear Clinton of any criminal wrongdoing.

The report from the office of the inspector general "identified numerous instances in which Comey used a personal email account (a Gmail account) to conduct FBI business." In three of the five examples, investigators said Comey sent drafts he had written from his FBI email to his personal account. In one instance, he sent a "proposed post-election message for all FBI employees that was entitled 'Midyear thoughts,'" the report states. In another instance, Comey again "sent multiple drafts of a proposed year-end message to FBI employees" from his FBI account to his personal email account.

Government

Cops Are Confident iPhone Hackers Have Found a Workaround to Apple's New Security Feature (vice.com) 125

Joseph Cox, and Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Apple confirmed to The New York Times Wednesday it was going to introduce a new security feature, first reported by Motherboard. USB Restricted Mode, as the new feature is called, essentially turns the iPhone's lightning cable port into a charge-only interface if someone hasn't unlocked the device with its passcode within the last hour, meaning phone forensic tools shouldn't be able to unlock phones. Naturally, this feature has sent waves throughout the mobile phone forensics and law enforcement communities, as accessing iPhones may now be substantially harder, with investigators having to rush a seized phone to an unlocking device as quickly as possible.

That includes GrayKey, a relatively new and increasingly popular iPhone cracking tool. But forensics experts suggest that Grayshift, the company behind the tech, is not giving up yet. "Grayshift has gone to great lengths to future proof their technology and stated that they have already defeated this security feature in the beta build. Additionally, the GrayKey has built in future capabilities that will begin to be leveraged as time goes on," a June email from a forensic expert who planned to meet with Grayshift, and seen by Motherboard, reads, although it is unclear from the email itself how much of this may be marketing bluff. "They seem very confident in their staying power for the future right now," the email adds. A second person, responding to the first email, said that Grayshift addressed USB Restricted Mode in a webinar several weeks ago.

Intel

Another Day, Another Intel CPU Security Hole: Lazy State (zdnet.com) 110

Steven J. Vaughan-Nichols, writing for ZDNet: The latest Intel revelation, Lazy FP state restore, can theoretically pull data from your programs, including encryption software, from your computer regardless of your operating system. Like its forebears, this is a speculative execution vulnerability. In an interview, Red Hat Computer Architect Jon Masters explained: "It affects Intel designs similar to variant 3-a of the previous stuff, but it's NOT Meltdown." Still, "it allows the floating point registers to be leaked from another process, but alas that means the same registers as used for crypto, etc." Lazy State does not affect AMD processors.

This vulnerability exists because modern CPUs include many registers (internal memory) that represent the state of each running application. Saving and restoring this state when switching from one application to another takes time. As a performance optimization, this may be done "lazily" (i.e., when needed) and that is where the problem hides. This vulnerability exploits "lazy state restore" by allowing an attacker to obtain information about the activity of other applications, including encryption operations.
Further reading: Twitter thread by security researcher Colin Percival, BleepingComputer, and HotHardware.
Businesses

Cybercrime is Costing Africa's Businesses Billions (qz.com) 47

An anonymous reader shares a report: Sophisticated malware, software security breaches, mobile scams -- the list of cybercrime threats is growing. Yet African nations continue to fall short of protecting themselves and must constantly grapple with the impact. A new study from IT services firm Serianu shows the pervasive nature of cybercrime across the continent, affecting businesses, individuals, families, financial institutions, and government agencies. The study shows how weak security architectures, the scarcity of skilled personnel and a lack of awareness and strict regulations have increased vulnerability.

Cybercrime cost the continent an estimated $3.5 billion in 2017. The report found more than 90% of African businesses were operating below the cybersecurity "poverty line" -- meaning they couldn't adequately protect themselves against losses. At least 96% of online-related security incidents went unreported and 60% of organizations didn't keep up to date with cybersecurity trends and program updates. (In addition, at least 90% of parents didn't understand what measures to take to protect their children from cyber-bullying.)

Security

Britain's Dixons Carphone Discovers Data Breach Affecting 5.9 Million Payment Cards (betanews.com) 32

Mark Wilson shares a report from BetaNews: Another week, another cyberattack. This time around, it's the Dixons Carphone group which says it has fallen victim to not one but two major breaches. The bank card details of 5.9 million customers have been accessed by hackers in the first breach. In the second, the personal records of 1.2 million people have been exposed. Dixons Carphone says that it is investigating an attack on its card processing system at Currys PC World and Dixons Travel in which there was an attempt to compromise 5.9 million cards. The company stressed that the vast majority -- 5.8 million -- of these cards were protected by chip and PIN, and that the data accessed did not include PINs, CVVs or any other authentication data that could be used to make payments or identify the card owners. The report goes on to mention that 105,000 non-EU issued payment cards, which were not chip and PIN protected, were also affected. The company says it will be contacting those customers affected by the breaches.
Microsoft

A Vulnerability in Cortana, Now Patched, Allowed Attacker To Access a Locked Computer, Change Its Password (bleepingcomputer.com) 59

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has patched a vulnerability in the Cortana smart assistant that could have allowed an attacker with access to a locked computer to use the smart assistant and access data on the device, execute malicious code, or even change the PC's password to access the device in its entirety. The issue was discovered by Cedric Cochin, Cyber Security Architect and Senior Principal Engineer at McAfee. Cochin privately reported the problems he discovered to Microsoft in April. The vulnerability is CVE-2018-8140, which Microsoft classified as an elevation of privilege, and patched yesterday during the company's monthly Patch Tuesday security updates. Further reading: Microsoft Explains How it Decides Whether a Vulnerability Will Be Patched Swiftly or Left For a Version Update.
Microsoft

Microsoft Explains How it Decides Whether a Vulnerability Will Be Patched Swiftly or Left For a Version Update (zdnet.com) 45

Microsoft has published a new draft document clarifying which security bugs will get a rapid fix and which it will let stew for a later release. From a report: The document outlines the criteria the Microsoft Security Response Center uses to decide whether a reported vulnerability gets fixed swiftly, usually in a Patch Tuesday security update, or left for a later version update. Microsoft said in a blogpost the document is intended to offer researchers "better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them." The criteria revolve around two key questions: "Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?"; and, "Does the severity of the vulnerability meet the bar for servicing?" If the answer to both questions is 'yes', the bug will be patched in a security update, but if the answer to both is 'no', the vulnerability will be considered for the next version or release of the affected product or feature.
United Kingdom

UK Watchdog Issues $334K Fine For Yahoo's 2014 Data Breach (theregister.co.uk) 29

An anonymous reader quotes a report from The Register: Yahoo's U.K. limb has finally been handed a $334,300 (250,000 GBP) fine for the 2014 cyber attack that exposed data of half a million Brit users. Today, the Information Commissioner's Office issued Yahoo U.K. Services Ltd a $334,300 (250,000 GBP) fine following an investigation that focused on the 515,121 U.K. accounts that the London-based branch of the firm had responsibility for. The ICO said "systemic failures" had put user data at risk as the U.K. arm of Yahoo did not take appropriate technical and organizational measures to prevent a data breach of this size.

In particular, the watchdog said there should have been proper monitoring systems in place to protect the credentials of Yahoo employees who could access customers' data, and to ensure that instructions to transfer very large quantities of personal data from Yahoo's servers would be flagged for investigation. It also noted that, as a data controller, Yahoo U.K. Services Ltd had a responsibility to ensure its processors -- in this case Yahoo, whose U.S. servers held the data on U.K. users -- complied with data protection standards.

Security

5% of All Monero Currently In Circulation Has Been Mined Using Malware (bleepingcomputer.com) 37

An anonymous reader writes: According to a report released yesterday, criminal groups have mined an approximate total of 798,613.33 Monero coins (XMR) using malware on infected devices. That's over $108 million in US currency, just from coin-mining operations alone. This sum also represents around 5% of all the Monero currently in circulation -- 15,962,350 XMR. Furthermore, during the past year, infected devices were responsible for 19,503,823.54 hashes/second, which is roughly 2% of the entire hashing power of the Monero network. "The total hashrate of roughly 19MH/s would result in approximately $30,443 per day based on today's current exchange rates and network difficulty," researchers said. "Similarly, the top three hash-rates will mine approximately $2,737, $2,022 and $1,596 per day, respectively."
Chrome

Google Disables Inline Installation For Chrome Extensions (venturebeat.com) 100

An anonymous reader writes: Google today announced that Chrome will no longer support inline installation of extensions. New extensions lose inline installation starting today, existing extensions will lose the ability in three months, and in early December the inline install API will be removed from the browser with the release of Chrome 71. Critics have pointed out such moves make the Chrome Web Store a walled garden, while Google insists pushing users to the store ultimately protects them.
Bug

Bugs Allowed Hackers To Make Malware Look Like Apple Software (vice.com) 72

An anonymous reader shares a report: For years, hackers could hide malware alongside legitimate Apple code and sneak it past several popular third-party security products for Mac computers, according to new research. This is not a flaw in MacOS but an issue in how third-party security tools implemented Apple's APIs. A researcher from security firm Okta found that several security products for Mac -- including Little Snitch, xFence, and Facebook's OSquery -- could be tricked into believing malware was Apple code, and let it past their defenses. "I can take malicious code and make it look like it's signed by Apple," Josh Pitts, the security researcher at Okta who discovered these bugs, told Motherboard. In a blog post published Tuesday, Pitts explained that the issue lies with how the third-party security tools implemented Apple's code-signing APIs when dealing with Mac's executable files known as Universal or Fat files.
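The point of the Okta research above is that a Fat (Universal) binary carries several Mach-O slices, and a tool that checks signing on only one of them can be misled. As an added Python example, not code from Okta, the affected products, or the original story, this parses the Fat header and contrasts a policy that trusts the file once the first slice verifies with one that requires every slice to verify. The marker-based `slice_is_trusted` stand-in and the constructed sample bytes are assumptions that take the place of Apple's code-signing APIs.

```python
import struct

# Constants from Apple's <mach-o/fat.h> and <mach-o/loader.h>.
FAT_MAGIC = 0xCAFEBABE    # the fat header and fat_arch table are big-endian
MH_MAGIC_64 = 0xFEEDFACF  # 64-bit Mach-O magic (little-endian on x86_64/arm64)
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C

# Constructed stand-in for a real signature check: in this example a slice
# "verifies" if it carries this marker right after its Mach-O magic. A real
# tool would run Apple's code-signing verification on each slice instead.
TRUSTED_MARKER = b"CONSTRUCTED-TRUSTED-SLICE"

def parse_fat_slices(data):
    """Return [(cputype, offset, size), ...] for every slice in a Fat binary."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary")
    slices = []
    for i in range(nfat_arch):
        entry = data[8 + i * 20: 8 + (i + 1) * 20]
        if len(entry) < 20:
            raise ValueError("truncated fat_arch table")
        cputype, _subtype, offset, size, _align = struct.unpack(">iiIII", entry)
        if offset + size > len(data):
            raise ValueError(f"slice {i} extends past end of file")
        slices.append((cputype, offset, size))
    return slices

def slice_is_trusted(blob):
    """Stand-in verifier for one Mach-O slice (see TRUSTED_MARKER above)."""
    if len(blob) < 4 or struct.unpack("<I", blob[:4])[0] != MH_MAGIC_64:
        return False
    return blob[4:4 + len(TRUSTED_MARKER)] == TRUSTED_MARKER

def check_first_slice_only(data):
    """Weak policy: trusts the whole file if its first slice verifies."""
    _cpu, off, size = parse_fat_slices(data)[0]
    return slice_is_trusted(data[off:off + size])

def check_all_slices(data):
    """Sound policy: every slice must verify, otherwise the file is rejected."""
    return all(slice_is_trusted(data[off:off + size])
               for _cpu, off, size in parse_fat_slices(data))

def build_fat(slices):
    """Assemble a Fat binary from [(cputype, slice_bytes), ...] (constructed data)."""
    header_len = 8 + 20 * len(slices)
    table, body, offset = b"", b"", header_len
    for cputype, blob in slices:
        table += struct.pack(">iiIII", cputype, 0, offset, len(blob), 0)
        body += blob
        offset += len(blob)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + table + body

# Constructed sample: a verifying first slice followed by a non-verifying second slice.
TRUSTED_SLICE = struct.pack("<I", MH_MAGIC_64) + TRUSTED_MARKER
UNTRUSTED_SLICE = struct.pack("<I", MH_MAGIC_64) + b"CONSTRUCTED-OTHER-SLICE"
MIXED_FAT = build_fat([(CPU_TYPE_X86_64, TRUSTED_SLICE), (CPU_TYPE_ARM64, UNTRUSTED_SLICE)])

if __name__ == "__main__":
    print("first-slice check:", check_first_slice_only(MIXED_FAT))  # True (unsafe)
    print("all-slices check:", check_all_slices(MIXED_FAT))         # False (rejects)
```

The same enumeration is what lets a defender log which slice actually failed, rather than only that the file as a whole did.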
