Network security is an around-the-clock battle. Agency cybersecurity teams are left with skeleton staff, and many furloughed security experts may not come back. https://www.datacenterknowledge.com/security/shutdown-us-government-flirting-cybersecurity-disaster
Chris Duckett, ZDnet, 13 Jan 2019: Just because you can, doesn't mean that you should. https://www.zdnet.com/article/why-is-my-keyboard-connected-to-the-cloud/ selected text: Everything is becoming a thing connected to the Internet, but some things really shouldn't be. First cab off that rank should be input devices, because what sort of maniac thinks the advantages of a roaming cloud-based configuration outweighs the potential explosion in surface area to attack and compromise? That maniac is called Razer, and it has been connecting keyboards to its Synapse software for years. At last week's CES, Razer took it a step further when it announced it is adding support for users to use Alexa to control their peripherals. "Alexa, ask Chroma to change my lighting profile to FPS mode," Razer cheerily proclaims as an example of its upcoming functionality. For this to work, the software that usually controls keyboard and mice settings needs to be connected to Amazon Alexa. Also in Razer's favour is that it acknowledged it was responsible, which is more than can be said for Gigabyte. On 18 Dec 2018, SecureAuth detailed an exchange of when it discovered that software utilities for Gigabyte and Aorus motherboards had privilege escalation vulnerabilities. "There is ring0 memcpy-like functionality ... allowing a local attacker to take complete control of the affected system," SecureAuth said. In the end, SecureAuth said Gigabyte eventually responded by saying its products did not have any issues. If a vendor with the experience and sales of Gigabyte responds by denying responsibility for its software, it doesn't bode well for smaller players. If a bad actor was looking for a shortcut into a modern Windows system, trying to find your way in via Microsoft's code will be time wasting when the Camembert-like underbelly of a modern system is likely to be crap software from peripheral makers.
The USB Type-C authentication standard is moving forward in an effort to help protect systems against malicious USB devices. http://www.eweek.com/security/usb-type-c-to-become-more-secure-with-authentication-standard
Jeremy Kahn, Bloomberg Businessweek, 14 Jan 2019: Commuters inching through rush-hour traffic in the Holland Tunnel between Lower Manhattan and New Jersey don't know it, but a technology likely to be the future of communication is being tested right outside their car windows. Running through the tunnel is a fiber-optic cable that harnesses the power of quantum mechanics to protect critical banking data from potential spies. The cable's trick is a technology called quantum key distribution, or QKD. Any half-decent intelligence agency can physically tap normal fiber optics and intercept whatever messages the networks are carrying: They bend the cable with a small clamp, then use a specialized piece of hardware to split the beam of light that carries digital ones and zeros through the line. The people communicating have no way of knowing someone is eavesdropping, because they're still getting their messages without any perceptible delay. QKD solves this problem by taking advantage of the quantum physics notion that light—normally thought of as a wave—can also behave like a particle. At each end of the fiber-optic line, QKD systems, which from the outside look like the generic black-box servers you might find in any data center, use lasers to fire data in weak pulses of light, each just a little bigger than a single photon. If any of the pulses' paths are interrupted and they don't arrive at the endpoint at the expected nanosecond, the sender and receiver know their communication has been compromised. [Long item, PGN-truncated ...] https://www.bloombergquint.com/businessweek/the-super-secure-quantum-cable-hiding-in-the-holland-tunnel#gs.Bpu8HlON
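The Bloomberg excerpt explains the intuition (a tap that intercepts photons disturbs them) but not the mechanism by which the two ends notice. The following is an added toy simulation, not part of the original item and not a description of the Holland Tunnel system's hardware: it models the textbook BB84 protocol, in which an intercept-and-resend tap raises the quantum bit error rate (QBER) on the sifted key from 0 to about 25%, and the endpoints abort when the measured QBER exceeds a threshold. The 11% abort threshold and the seeded random source are assumptions chosen for the example.

```python
"""Toy BB84 simulation: why an intercept-and-resend tap on a QKD link is detectable.

Added example (not from the Bloomberg article). Models the textbook BB84 protocol
with an ideal channel: the only source of errors is an eavesdropper who measures
each photon in a random basis and re-sends the result.
"""
import random

# Assumption: abort threshold. Real deployments derive this from the security
# proof and channel noise; 11% is the commonly quoted BB84 figure.
QBER_ABORT_THRESHOLD = 0.11


def measure(bit, prep_basis, meas_basis, rng):
    """Measure a photon prepared as `bit` in `prep_basis` using `meas_basis`.

    Matching basis: the result is deterministic and equals the prepared bit.
    Wrong basis: the outcome is a coin flip and the original state is destroyed.
    """
    if prep_basis == meas_basis:
        return bit
    return rng.randint(0, 1)


def bb84_exchange(n_photons, eavesdrop, seed=1):
    """Run one BB84 exchange and return sifted-key size, QBER and the abort decision."""
    rng = random.Random(seed)  # seeded so the run is reproducible (constructed input)

    # Alice picks a random bit and a random basis (0 = rectilinear, 1 = diagonal) per photon.
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_photons)]
    photons = list(zip(alice_bits, alice_bases))

    if eavesdrop:
        # Eve taps the fibre: measures each photon in a guessed basis and re-sends
        # a fresh photon encoding what she saw, in the basis she guessed.
        tapped = []
        for bit, basis in photons:
            eve_basis = rng.randint(0, 1)
            eve_bit = measure(bit, basis, eve_basis, rng)
            tapped.append((eve_bit, eve_basis))
        photons = tapped

    # Bob measures each arriving photon in his own random basis.
    bob_bases = [rng.randint(0, 1) for _ in range(n_photons)]
    bob_bits = [measure(bit, basis, bb, rng)
                for (bit, basis), bb in zip(photons, bob_bases)]

    # Sifting (over the public channel): keep only positions where Alice's and
    # Bob's bases agree. Without a tap these positions agree perfectly.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]
    errors = sum(1 for a, b in sifted if a != b)
    qber = errors / len(sifted) if sifted else 0.0

    return {
        "sifted_bits": len(sifted),
        "qber": qber,
        "compromised": qber > QBER_ABORT_THRESHOLD,
    }


if __name__ == "__main__":
    for tapped in (False, True):
        result = bb84_exchange(2000, eavesdrop=tapped)
        print(f"eavesdrop={tapped}: sifted={result['sifted_bits']} "
              f"qber={result['qber']:.3f} abort={result['compromised']}")
```

In practice the endpoints sacrifice a random sample of the sifted key to estimate the QBER rather than comparing all of it, and a real fibre has a nonzero baseline error rate, so the threshold has to sit above the channel's noise floor but below the 25% an intercept-and-resend attack produces.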
A *Wall Street Journal* reconstruction of the worst known hack into the nation's power system reveals attacks on hundreds of small contractors. https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Iranian hackers have been busy lately, ramping up an array of targeted attacks across the Middle East and abroad. And a report this week from the threat intelligence firm FireEye details a massive global data-snatching campaign, carried out over the last two years, that the firm has preliminarily linked to Iran. Using a classic tactic to undermine data security as it moves across the web, hackers have grabbed sensitive data like login credentials and business details from telecoms, Internet service providers, government organizations, and other institutions in the Middle East, North Africa, Europe, and North America. FireEye researchers say the targets and types of data stolen are consistent with Iranian government espionage interests—and that whoever is behind the massive assault now has a trove of data that could fuel future cyberattacks for years. https://www.wired.com/story/iran-dns-hijacking/
[Note: This item comes from friend David Rosenthal. DLH] Cory Doctorow, 14 Jan 2019: Dark markets have evolved to use encrypted messengers and dead-drops https://boingboing.net/2019/01/14/drone-serviced-dead-drops.html Cryptocurrencies and Tor hidden services ushered in a new golden age for markets in illegal goods, especially banned or circumscribed drugs: Bitcoin was widely (and incorrectly) viewed as intrinsically anonymous, while the marketplaces themselves were significantly safer and more reliable than traditional criminal markets, and as sellers realized real savings in losses due to law enforcement and related risks, the prices of their merchandise plummeted, while their profits soared. But much of the security of dark markets was an illusion. The anonymity of cryptocurrencies could often be pierced; the services themselves could be subverted by law enforcement in order to roll up many sellers and buyers at once; and the "last mile" problem of shipping illegal substances through the mails exposed buyers and sellers to real risks. The buyers and sellers in dark markets have responded to these revelations and new facts on the ground with a range of ingenious, high-tech countermeasures. Buyers are now more likely to conduct sales negotiations through encrypted messenger technologies, and each customer is assigned their own unique contact, staffed by a bot that can answer questions on pricing and availability and broker transactions. Many of these transactions now take place through "private cryptocurrencies" that have improved anonymity functions (there is a lot of development on these technologies).
Delivery is now largely managed through single-use "dead drops" -- hidden-in-plain-sight caches that are pre-seeded by sellers, who sometimes use low-cost Bluetooth beacons to identify them (these beacons can be programmed to activate only in the presence of a wifi network with a specific name: a seller provides the buyer with a codeword and a GPS coordinate; the buyer goes to the assigned place and creates a wifi network on their phone with the codeword for its name, and this activates the Bluetooth beacon that guides the buyer to their merchandise). The logistics of these dead-drops are fascinating: there's a hierarchy on the distribution side, with procurers who source merchandise and smuggle it into each region; sellers who divide the smuggled goods into portions sized for individual transactions, and sellers, whose "product" is just a set of locations and secret words that they give to buyers. The hierarchy creates the need for auditing and traitor-tracing to prevent the different layers from ripping each other off. Dead drops are randomly audited and audits are verified by reporting on the contents of unique printed codes that accompany each drop. Distributors post cryptocurrency "security" (bonds) with sellers and lose their deposits when their dead drops fail. In a fascinating paper on the rise of these "dropgangs," Jonathan "smuggler" Logan identifies some key weaknesses in the scheme, including the persistence of trackable coins being spent by buyers at the end of the transaction (dropgang members are more likely to adopt private coins than buyers); and the lack of the buyer-and-seller reputation systems that the dark markets provide. Logan proposes that this can be resolved with "proofs of sale" that would be published on public forums, which increases the risk from law enforcement. Logan also proposes that ultrasonic chirps may replace Bluetooth beacons, with per-drop codephrases doing a call-and-response to help buyers home in on their purchases.
Zack Whittaker, TechCrunch, 09 Jan 2019, via ACM TechNews, 14 Jan 2019: A bug discovered in Google by security researcher Wietze Beukema can be exploited to generate misinformation by distributing rigged search results. Beukema said values from a Google search result's "knowledge graph" can be spliced together to spread false information, because the shareable URL entered into a search result can be segmented and added to the Web address of any other search query. A malefactor can easily put the contents of a knowledge card within a search result; the rigged query does not break HTTPS, so anyone can craft a link, send it in an email or tweet, or share it on Facebook without arousing the recipient's suspicions. Beukema said anyone can "generate normal-looking Google URLs that make controversial assertions," which can "either look bad on Google, or worse, people will accept them as being true." He also said his report of the bug to Google in December was closed with the company taking no corrective action. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1deb4x2197c8x069056&
https://www.nytimes.com/2019/01/16/business/media/media-steve-brill-fake-news.html After raising $6 million, the start-up NewsGuard, co-founded by Steve Brill, has signed Microsoft as its first major client. The main goal: to combat the spread of false stories on the Internet.
via NNSquad https://www.technologyreview.com/s/612638/when-chinese-hackers-declared-war-on-the-rest-of-us/ Many thought the Internet would bring democracy to China. Instead, it empowered rampant government oppression, and now the censors are turning their attention to the rest of the world.
via NNSquad Last night, HackenProof published a report stating that a database containing resumes of over 200 million job seekers in China was exposed last month. The leaked info included not just the name and working experience of people, but also their mobile phone number, email, marriage status, children, politics, height, weight, driver license, and literacy level as well. https://thenextweb.com/security/2019/01/11/200-million-chinese-resumes-leak-in-huge-database-breach/
[Don't know why the headline highlights the Skype job interview. I think the meat is a few paragraphs in:] "According to reporters, the source of the hack was identified as a LinkedIn ad for a developer position at another company to which one of the Redbanc employees applied. The hiring company, believed to be a front for the Lazarus Group operators who realized they baited a big fish, approached the Redbanc employee for an interview, which they conducted in Spanish via a Skype call. trendTIC reports that during this interview, the Redbanc employee was asked to download, install, and run a file named ApplicationPDF.exe, a program that would help with the recruitment process and generate a standard application form. But according to an analysis of this executable by Vitali Kremez, Director of Research at Flashpoint, the file downloaded and installed PowerRatankba, a malware strain previously linked to Lazarus Group hacks, according to a Proofpoint report published in December 2017." https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/
Unprecedented breach led to theft of personal details of a quarter of the city-state's population, inquiry finds. https://www.wsj.com/articles/state-backed-hackers-sought-and-stole-singapore-leaders-medical-data-11547109852
"A bizarre $100 million lawsuit shows that companies can be collateral damage when governments publicly blame other countries for hacks." https://www.bloomberg.com/opinion/articles/2019-01-11/mondelez-lawsuit-shows-the-dangers-of-attributing-cyberattacks
D.C.-based Mothership Strategies rose in four years to become one of the top-paid consulting firms of the fall elections. https://www.washingtonpost.com/politics/how-a-little-known-democratic-firm-cashed-in-on-the-wave-of-midterm-money/2019/01/08/f91b04bc-fef5-11e8-862a-b6a6f3ce8199_story.html
https://www.washingtonpost.com/technology/2019/01/10/deepak-chopra-has-prescription-what-ails-technology "Chopra's prescription for what ails technology is more technology, just used in a different way. It goes way beyond meditation apps." The hackneyed aphorism that "more is better" should be replaced by an admonition to "close the wallet, turn off, and get some rest." Sliding sales resonate louder with any for-profit entity than Chopra's enunciation.
Chris Matyszczyk, ZDnet, 13 Jan 2019: How three rude iPhone users ruined an evening. Is it now entirely acceptable to play videos on your phone in public, full volume and without headphones? It seems to be. https://www.zdnet.com/article/how-three-rude-iphone-users-ruined-an-evening/
"An Apple iOS remote jailbreak that can be achieved with no clicks required by the end user while maintaining persistence on the device, even after it is rebooted" implies a sinister payload. The rising zero-day price tag is apparently a good thing, no? Perhaps indicating that all the low-hanging, zero-day fruit have been harvested? Or, is it the case that the specific zero-day end-point breach path is so desirous that the purchaser will shell for exploit proof? Must be a high-priority target to specify a particular exploitation path. Apparently because it would be difficult to trace, detect or identify via a device's anti-virus or malware sniffing stack? Uncertain what constitutes "high-priority" in this case, unless Apple is expressing exploit curiosity existence, or investigations have reached an exploratory impasse. As a BS guess to achieve this exploit: Using either IMEI/MAC identifiers, or a target telephone number, a live device's network stack (TCP/IP or telecom signaling system) would probably have to initiate an exec(2) or invoke a signal handler to load a sibling payload from a known buffer address that's been force-fed into and written to the file system. How to achieve this without invoking a dynamic link loader is a mystery to me. This file then can be reloaded/initiated through some follow up protocol signal to effectively su(1) on the smellphone.