Government

Senate Votes To Reinstate ZTE Ban That's Nearly Shut Down the Company (theverge.com) 66

The U.S. Senate has voted to reinstate a ban on ZTE that prevents the Chinese telecom company from buying U.S. components and using U.S. software. As The Verge notes, "it's still not clear if the reversal will make it into law: it has to clear a conference with the House, and then avoid a veto from President Trump, who advocated for cutting a deal that would lift the ban." From the report: ZTE was hit with the trade ban by the U.S. Commerce Department in April after failing to follow through on a punishment for violating sanctions on Iran and North Korea. That ban essentially shut down ZTE, which relies on U.S. parts like Qualcomm processors. Shortly thereafter, Trump said he would cut a deal to revive the company, and a deal was reached -- with additional penalties that the department said were uniquely stringent -- earlier this month.

But senators on both sides of the aisle immediately threatened to stop the deal and reinstate the ban, citing ZTE as a national security risk. And ultimately, a bipartisan group worked to get legislation introduced. The Senate voted 85 to 10 in support of reinstating the ban. It was included as an amendment on the National Defense Authorization Act, a must-pass piece of legislation that has already moved through the House.

IT

HPE Announces World's Largest ARM-based Supercomputer (zdnet.com) 46

The race to exascale speed is getting a little more interesting with the introduction of HPE's Astra -- what will be the world's largest ARM-based supercomputer. From a report: HPE is building Astra for Sandia National Laboratories and the US Department of Energy's National Nuclear Security Administration (NNSA). The NNSA will use the supercomputer to run advanced modeling and simulation workloads for things like national security, energy, science and health care.

HPE is involved in building other ARM-based supercomputing installations, but when Astra is delivered later this year, "it will hands down be the world's largest ARM-based supercomputer ever built," Mike Vildibill, VP of Advanced Technologies Group at HPE, told ZDNet. The HPC system comprises 5,184 ARM-based processors -- the ThunderX2 processor, built by Cavium. Each processor has 28 cores and runs at 2 GHz. Astra will deliver over 2.3 theoretical peak petaflops of performance, which should put it well within the top 100 supercomputers ever built -- a milestone for an ARM-based machine, Vildibill said.

Security

The 'World's Worst' Smart Padlock Is Even Worse Than Previously Thought (sophos.com) 110

Last week, cybersecurity company Pen Test Partners managed to unlock Tapplock's smart padlock within two seconds. They "found that the actual code and digital authentication methods for the lock were basically nonexistent," reports The Verge. "All someone would need to unlock the lock is its Bluetooth Low Energy MAC address, which the lock itself broadcasts." The company also managed to snap the lock with a pair of 12-inch bolt cutters.

Today, Naked Security reports that it gets much worse: "Tapplock's cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly." From the report: Stykas found that once you'd logged into one Tapplock account, you were effectively authenticated to access anyone else's Tapplock account, as long as you knew their account ID. You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base -- but you didn't really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets. As a result, Stykas could not only add himself as an authorized user to anyone else's lock, but also read out personal information from that person's account, including the last location (if known) where the Tapplock was opened.

Incredibly, Tapplock's back-end system would not only let him open other people's locks using the official app, but also tell him where to find the locks he could now open! Of course, this gave him an unlocking speed advantage over Pen Test Partners -- by using the official app Stykas needed just 0.8 seconds to open a lock, instead of the sluggish two seconds needed by the lock-cracking app.
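The flaw described above is a missing object-level authorization check: a valid session for any account was accepted as authorization for every account, and the sequential account IDs made other accounts trivial to name. The following is an added example, not Tapplock's code or anything from the report, that models that back end in a few lines beside a corrected version; account data, user names and the `ACCOUNTS` store are constructed for illustration.

```python
"""Added example: the account-level authorization gap beside its fix.

Not Tapplock's code. Accounts, owners and locations are constructed data.
"""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class Account:
    account_id: str
    owner: str                         # user who owns this account
    last_open_location: Optional[str]  # last place the lock was opened
    lock_authorized_users: set = field(default_factory=set)


class AuthorizationError(Exception):
    pass


# Constructed sample store. Incremental IDs, as the report describes,
# so 1001, 1002, ... are all guessable from one known ID.
ACCOUNTS = {
    "1001": Account("1001", "alice", "51.5074,-0.1278", {"alice"}),
    "1002": Account("1002", "bob", "48.8566,2.3522", {"bob"}),
}


# --- Vulnerable pattern ------------------------------------------------
# Only checks that the caller has *a* session. Any logged-in user can read
# anyone's last-open location or add themselves to anyone's lock.
def get_account_vulnerable(session_user: Optional[str], account_id: str) -> Account:
    if session_user is None:
        raise AuthorizationError("not logged in")
    return ACCOUNTS[account_id]


def add_authorized_user_vulnerable(session_user, account_id, new_user) -> None:
    acct = get_account_vulnerable(session_user, account_id)
    acct.lock_authorized_users.add(new_user)


# --- Hardened pattern --------------------------------------------------
# Object-level authorization: the session must own the requested account
# before any read or write happens. The same error is returned for
# "no such account" and "not your account" so valid IDs are not confirmed.
def get_account(session_user: Optional[str], account_id: str) -> Account:
    if session_user is None:
        raise AuthorizationError("not logged in")
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != session_user:
        raise AuthorizationError("account not found")
    return acct


def add_authorized_user(session_user, account_id, new_user) -> None:
    acct = get_account(session_user, account_id)
    acct.lock_authorized_users.add(new_user)


def new_account_id() -> str:
    """Non-sequential account IDs: defence in depth on top of the
    ownership check, so one leaked ID does not reveal its neighbours."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    # alice reading bob's account: succeeds in the vulnerable version,
    # is refused in the hardened one.
    print(get_account_vulnerable("alice", "1002").last_open_location)
    try:
        get_account("alice", "1002")
    except AuthorizationError as e:
        print("hardened:", e)
```

The ownership check is the actual fix; random IDs alone would still leave every account exposed to anyone who learns one (for instance over the plain-HTTP connections the report mentions).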

Security

75% of Malware Uploaded on 'No-Distribute' Scanners Is Unknown To Researchers (bleepingcomputer.com) 14

Catalin Cimpanu, writing for BleepingComputer: Three-quarters of malware samples uploaded to "no-distribute scanners" are never shared on "multiscanners" like VirusTotal, and hence, US-based security firm Recorded Future reports, they remain unknown to security firms and researchers for longer periods of time. Although some antivirus products will eventually detect this malware at runtime or at one point or another later in time, this leaves a gap in terms of operational insight for security firms hunting down up-and-coming malware campaigns.

Desktops (Apple)

macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives (bleepingcomputer.com) 135

Apple's macOS surreptitiously creates and caches thumbnails for images and other file types stored on password-protected / encrypted containers (hard drives, partitions), according to macOS security experts Wojciech Regula and Patrick Wardle. From a report: The problem is that these cached thumbnails are stored on non-encrypted hard drives, in a known location and can be easily retrieved by malware or forensics tools, revealing some of the content stored on encrypted containers. On macOS, these thumbnails are created by Finder and QuickLook. Finder is the default macOS file explorer app, similar to Windows Explorer. Whenever a user navigates to a new folder, Finder automatically loads icons for the files located in those folders. For images, these icons are gradually replaced by thumbnails that show a preview of the image at a small scale.

Australia

Australia Discontinues Its National Biometric ID Project (gizmodo.com.au) 41

The Australian Criminal Intelligence Commission's (ACIC) biometrics project, which adds facial recognition to a national crime database, is being discontinued following reports of delays and budget blowouts. From a report: This announcement comes after the project was suspended earlier this month and NEC Australia staff were escorted out of the building by security on Monday June 4. [...] ACIC contracted the NEC for the $52 million Biometric Identification Services project with the view of replacing the fingerprint identification system that is currently in place. The aim of the project, which was supposed to run until 2021, was to include palm print, footprints and facial recognition to aid in police investigations. The Australian government stated that it wanted to provide Australians with a single digital identity by 2025.

Security

US Government Finds New Malware From North Korea (engadget.com) 92

Days after the historic North Korea-United States summit, the Department of Homeland Security issued a report on Thursday warning of a new variant of North Korean malware to look out for. Called Typeframe, the malware is able to download and install additional malware, proxies and trojans; modify firewalls; and connect to servers for additional instructions. Engadget reports: Since last May, the DHS has issued a slew of alerts and reports about North Korea's malicious cyber activity. The department also pointed out that North Korea has been hacking countries around the world since 2009. And of course, don't forget that the U.S. also labeled that country as the source of the WannaCry cyberattack, which notably held data from the UK's National Health Service hostage, and wreaked havoc across Russia and Ukraine. CNN was first to report the news.

Open Source

'Open Source Security' Loses in Court, Must Pay $259,900 To Bruce Perens (theregister.co.uk) 116

Bruce Perens co-founded the Open Source Initiative with Eric Raymond -- and he's also Slashdot reader #3872. Now he's just won a legal victory in court. "Open Source Security, maker of the grsecurity Linux kernel patches, has been directed to pay Bruce Perens and his legal team almost $260,000 following a failed defamation claim," reports The Register. Slashdot reader Right to Opine writes: The order requires Spengler and his company to pay $259,900.50, with the bill due immediately rather than allowing a wait for the appeal of the case. The Electronic Frontier Foundation's attorneys will represent Perens during OSS/Spengler's appeal of the case.

Perens was sued for comments on his blog and here on Slashdot that suggested that OSS's Grsecurity product could be in violation of the GPL license on the Linux kernel. The court had previously ruled that Perens' statements were not defamatory, because they were statements by a non-attorney regarding an undecided issue in law. It is possible that Spengler is personally liable for any damages his small company can't pay, since he joined the case as an individual in order to preserve a claim of false light (which could not be brought by his company), removing his own corporate protection.

Programming

Eric Raymond Shares 'Code Archaeology' Tips, Urges Bug-Hunts in Ancient Code (itprotoday.com) 106

Open source guru Eric Raymond warned about the possibility of security bugs in critical code which can now date back more than two decades -- in a talk titled "Rescuing Ancient Code" at last week's SouthEast Linux Fest in North Carolina. In a new interview with ITPro Today, Raymond offered this advice on the increasingly important art of "code archaeology". "Apply code validators as much as you can," he said. "Static analysis, dynamic analysis, if you're working in Python use Pylons, because every bug you find with those tools is a bug that you're not going to have to bleed through your own eyeballs to find... It's a good thing when you have a legacy code base to occasionally unleash somebody on it with a decent sense of architecture and say, 'Here's some money and some time; refactor it until it's clean.' Looks like a waste of money until you run into major systemic problems later because the code base got too crufty. You want to head that off...."

"Documentation is important," he added, "applying all the validators you can is important, paying attention to architecture, paying attention to what's clean is important, because dirty code attracts defects. Code that's difficult to read, difficult to understand, that's where the bugs are going to come out of apparent nowhere and mug you."

For a final word of advice, Raymond suggested that it might be time to consider moving away from some legacy programming languages as well. "I've been a C programmer for 35 years and have written C++, though I don't like it very much," he said. "One of the things I think is happening right now is the dominance of that pair of languages is coming to an end. It's time to start looking beyond those languages for systems programming. The reason is we've reached a project scale, we've reached a typical volume of code, at which the defect rates from the kind of manual memory management that you have to do in those languages are simply unacceptable anymore... I think it's time for working programmers and project managers to start thinking about, how about if we not do this in C and not incur those crazy downstream error rates."

Raymond says he prefers Go for his alternative to C, complaining that Rust has a high entry barrier, partly because "the Rust people have not gotten their act together about a standard library."

The Courts

The Silk Road's Alleged Right-Hand Man Will Finally Face a US Court (arstechnica.com) 73

It's been nearly five years since the FBI surrounded Ross Ulbricht in the science fiction section of a San Francisco library, arrested him, and grabbed the laptop from which he had run the dark web drug bazaar known as the Silk Road. Ulbricht went on trial in a New York courtroom, and is currently serving a life sentence without parole. But even now, the Silk Road saga still hasn't ended: Half a decade after Ulbricht's arrest, his alleged advisor, mentor and right-hand man Roger Clark will finally face a US court, too. From a report: On Friday, the FBI, IRS, DHS, and prosecutors in the Southern District of New York announced the extradition of 56-year-old Canadian man Roger Clark from a Thai jail cell to New York to face newly unsealed charges for his role in Silk Road's operation. The indictment accuses Clark, who allegedly went by the pseudonyms Variety Jones, Cimon, and Plural of Mongoose in his role as Silk Road's consigliere, of crimes ranging from narcotics trafficking to money laundering. But even those charges don't capture the outsize role Clark is believed to have played in building and managing the Silk Road, from security audits to marketing, and even reportedly encouraging Ulbricht to use violence to maintain his empire.

"As Ulbricht's right-hand man, Roger Clark allegedly advised him of methods to thwart law enforcement during the operation of this illegal ploy, pocketing hundreds of thousands of dollars in the process," writes FBI assistant director William Sweeney in a press statement. "Today's extradition of Roger Clark shows that despite alleged attempts to operate under the radar, he was never out of our reach."

Security

Inside the Private Event Where Microsoft, Google, Salesforce and Other Rivals Share Security Secrets (geekwire.com) 48

News outlet GeekWire takes us inside Building 99 at Microsoft, where security professionals of the software giant, along with those of Amazon, Google, Netflix, Salesforce, Facebook (and others), companies that fiercely compete with one another, gathered earlier this week to share their learnings for the greater good. From the story: As the afternoon session ended, the organizer from Microsoft, security data wrangler Ram Shankar Siva Kumar, complimented panelist Erik Bloch, the Salesforce security products and program management director, for "really channeling the Ohana spirit," referencing the Hawaiian word for "family," which Salesforce uses to describe its internal culture of looking out for one another. It was almost enough to make a person forget the bitter rivalry between Microsoft and Salesforce. Siva Kumar then gave attendees advice on finding the location of the closing reception. "You can Bing it, Google it, whatever it is," he said, as the audience laughed at the rare concession to Microsoft's longtime competitor.

It was no ordinary gathering at Microsoft, but then again, it's no ordinary time in tech. The Security Data Science Colloquium brought the competitors together to focus on one of the biggest challenges and opportunities in the industry. Machine learning, one of the key ingredients of artificial intelligence, is giving the companies new superpowers to identify and guard against malicious attacks on their increasingly cloud-oriented products and services. The problem is that hackers are using many of the same techniques to take those attacks to a new level. "The challenge is that security is a very asymmetric game," said Dawn Song, a UC Berkeley computer science and engineering professor who attended the event. "Defenders have to defend across the board, and attackers only need to find one hole. So in general, it's easier for attackers to leverage these new techniques." That helps to explain why the competitors are teaming up.
In a statement, Erik Bloch, Director Security PM at Salesforce, said, "This is what the infosec and security industry needs more of. Our customers are shared, and so is our responsibility to protect them."

China

Chinese Cyber-Espionage Group Hacked Government Data Center (bleepingcomputer.com) 36

Catalin Cimpanu, writing for BleepingComputer: A Chinese-linked cyber-espionage unit has hacked a data center belonging to a Central Asian country and has embedded malicious code on government sites. The hack of the data center happened sometime in mid-November 2017, according to a report published by Kaspersky Lab earlier this week. Experts assigned the codename of LuckyMouse to the group behind this hack, but they later realized the attackers were an older Chinese threat actor known under various names in the reports of other cyber-security firms, such as Emissary Panda, APT27, Threat Group 3390, Bronze Union, ZipToken, and Iron Tiger.

Security

17 Backdoored Images Downloaded 5 Million Times Removed From Docker Hub (bleepingcomputer.com) 36

An anonymous reader writes: "The Docker team has pulled 17 Docker container images that have been backdoored and used to install reverse shells and cryptocurrency miners on users' servers for the past year," reports Bleeping Computer. "The malicious Docker container images have been uploaded on Docker Hub, the official repository of ready-made Docker images that sysadmins can pull and use on their servers, work, or personal computers." The images, downloaded over 5 million times, helped crooks mine Monero worth over $90,000 at today's exchange rate. Docker Hub is now just the latest package repository to feature backdoored libraries, after npm and PyPI. Docker Hub is now facing criticism for taking months to intervene after user reports, and then going on stage at a developer conference and claiming they care about security.

The Courts

6 Fitbit Employees Charged With Stealing Trade Secrets From Jawbone (mercurynews.com) 80

Six current and former Fitbit employees were charged in a federal indictment Thursday filed in San Jose for allegedly being in possession of trade secrets stolen from competitor Jawbone, according to information from the Department of Justice. From a report: The indictment charges the six people -- Katherine Mogal, 52, of San Francisco; Rong Zhang, 45, of El Cerrito; Jing Qi Weiden, 39, of San Jose; Ana Rosario, 33, of Pacifica; Patrick Narron, 41, of Boulder Creek; and Patricio Romano, 37, of Calabasas -- with violating confidentiality agreements they had signed as former employees of Jawbone after they accepted employment with Fitbit, according to an announcement from Acting U.S. Attorney Alex G. Tse and Homeland Security Investigations Special Agent in Charge Ryan L. Spradlin. San Francisco-based companies Fitbit and Jawbone were competitors in making wearable fitness trackers until Jawbone, once valued at $3.2B, went out of business in 2017. Each of the defendants worked for Jawbone for at least one year between May 2011 and April 2015, and had signed a confidentiality agreement with the company, according to the Department of Justice.

Security

How the World Cup Plays Out Among Hackers (axios.com) 28

The World Cup began today in Russia, and hackers were watching the games. From a report: In prior years, cybersecurity firm Akamai has seen declines in cyberattacks while the World Cup games are in play -- "at least until games are out of reach," said Patrick Sullivan, Akamai director of security technology. Once games are well in hand, attacks from the losing team's nation spike well above normal. Often, said Sullivan, that takes the form of attacks designed to take down news stories in the victor's country that tout a home-team win. Sullivan notes activists frequently use various forms of cyber attacks during major sporting events to protest the host nation -- often targeting sponsors to get their point across. He points to protestors upset with the amount of money spent in the recent Brazilian World Cup as an example.

EU

Kaspersky Halts Europol Partnership After Controversial EU Parliament Vote (bleepingcomputer.com) 104

An anonymous reader writes: Kaspersky Lab announced it was temporarily halting its cooperation with Europol following the voting of a controversial motion in the European Parliament. The Russian antivirus vendor will also stop working on the NoMoreRansom project that provided free ransomware decrypters for ransomware victims.

The company's decision comes after the EU Parliament voted on a controversial motion that specifically mentions Kaspersky as a "confirmed as malicious" software and urges EU states to ban it as part of a joint EU cyber defense strategy. The EU did not present any evidence for its assessment that Kaspersky is malicious, but even answered user questions claiming it has no evidence. The motion is just an EU policy and has no legislative power, but it is still an official document. Kaspersky software has been previously banned from Government systems in the US, UK, Netherlands, and Lithuania.

Privacy

Comey, Who Investigated Hillary Clinton For Using Personal Email For Official Business, Used His Personal Email For Official Business (buzzfeed.com) 446

An anonymous reader shares a report: Former FBI Director James Comey, who led the investigation into Hillary Clinton's use of personal email while secretary of state, also used his personal email to conduct official business, according to a report from the Justice Department on Thursday. The report also found that while Comey was "insubordinate" in his handling of the email investigation, political bias did not play a role in the FBI's decision to clear Clinton of any criminal wrongdoing.

The report from the office of the inspector general "identified numerous instances in which Comey used a personal email account (a Gmail account) to conduct FBI business." In three of the five examples, investigators said Comey sent drafts he had written from his FBI email to his personal account. In one instance, he sent a "proposed post-election message for all FBI employees that was entitled 'Midyear thoughts,'" the report states. In another instance, Comey again "sent multiple drafts of a proposed year-end message to FBI employees" from his FBI account to his personal email account.

Government

Cops Are Confident iPhone Hackers Have Found a Workaround to Apple's New Security Feature (vice.com) 126

Joseph Cox, and Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Apple confirmed to The New York Times Wednesday it was going to introduce a new security feature, first reported by Motherboard. USB Restricted Mode, as the new feature is called, essentially turns the iPhone's lightning cable port into a charge-only interface if someone hasn't unlocked the device with its passcode within the last hour, meaning phone forensic tools shouldn't be able to unlock phones. Naturally, this feature has sent waves throughout the mobile phone forensics and law enforcement communities, as accessing iPhones may now be substantially harder, with investigators having to rush a seized phone to an unlocking device as quickly as possible.

That includes GrayKey, a relatively new and increasingly popular iPhone cracking tool. But forensics experts suggest that Grayshift, the company behind the tech, is not giving up yet. "Grayshift has gone to great lengths to future proof their technology and stated that they have already defeated this security feature in the beta build. Additionally, the GrayKey has built in future capabilities that will begin to be leveraged as time goes on," a June email from a forensic expert who planned to meet with Grayshift, and seen by Motherboard, reads, although it is unclear from the email itself how much of this may be marketing bluff. "They seem very confident in their staying power for the future right now," the email adds. A second person, responding to the first email, said that Grayshift addressed USB Restricted Mode in a webinar several weeks ago.

Bitcoin

The CIA 'Can Neither Confirm Nor Deny' It Has Documents on Satoshi Nakamoto (vice.com) 66

An anonymous reader shares a report: Who is Satoshi Nakamoto? Ever since this pseudonymous person or group unleashed Bitcoin on the world in 2008, Nakamoto's real identity has been one of the biggest mysteries in the cryptocurrency world. And based on a response to my recent Freedom of Information Act (FOIA) request, if the CIA knows anything, it's not talking. [...] In 2016, Alexander Muse, a blogger who mostly writes about entrepreneurship, wrote a blog post that claimed the NSA had identified the real identity of Satoshi Nakamoto using stylometry, which uses a person's writing style as a unique fingerprint, and then searched emails collected under the PRISM surveillance program to identify the real Nakamoto. Muse said the identity was not shared with him by his source at the Department of Homeland Security. [...] I figured it couldn't hurt to ask some other three-letter agencies what they know about Nakamoto. [...] I received a terse reply that informed me that "the request has been rejected, with the agency stating that it can neither confirm nor deny the existence of the requested documents."

Intel

Another Day, Another Intel CPU Security Hole: Lazy State (zdnet.com) 110

Steven J. Vaughan-Nichols, writing for ZDNet: The latest Intel revelation, Lazy FP state restore, can theoretically pull data from your programs, including encryption software, from your computer regardless of your operating system. Like its forebears, this is a speculative execution vulnerability. In an interview, Red Hat Computer Architect Jon Masters explained: "It affects Intel designs similar to variant 3-a of the previous stuff, but it's NOT Meltdown." Still, "it allows the floating point registers to be leaked from another process, but alas that means the same registers as used for crypto, etc." Lazy State does not affect AMD processors.

This vulnerability exists because modern CPUs include many registers (internal memory) that represent the state of each running application. Saving and restoring this state when switching from one application to another takes time. As a performance optimization, this may be done "lazily" (i.e., when needed) and that is where the problem hides. This vulnerability exploits "lazy state restore" by allowing an attacker to obtain information about the activity of other applications, including encryption operations.
Further reading: Twitter thread by security researcher Colin Percival, BleepingComputer, and HotHardware.
