An anonymous reader quotes a report from Ars Technica: Link previews are a ubiquitous feature found in just about every chat and messaging app, and with good reason. They make online conversations easier by providing images and text associated with the file that's being linked. Unfortunately, they can also leak our sensitive data, consume our limited bandwidth, drain our batteries, and, in one case, expose links in chats that are supposed to be end-to-end encrypted. Among the worst offenders, according to research published on Monday, were messengers from Facebook, Instagram, LinkedIn, and Line. More about that shortly.

The researchers behind Monday's report, Talal Haj Bakry and Tommy Mysk, found that Facebook Messenger and Instagram were the worst offenders. As the chart below shows, both apps download and copy a linked file in its entirety -- even if it's gigabytes in size. Again, this may be a concern if the file is something the users want to keep private. It's also problematic because the apps can consume vast amounts of bandwidth and battery reserves. Both apps also run any JavaScript contained in the link. That's a problem because users have no way of vetting the security of JavaScript and can't expect messengers to have the same exploit protections modern browsers have.

LinkedIn performed only slightly better. Its only difference was that, rather than copying files of any size, it copied only the first 50 megabytes. Haj Bakry and Mysk reported their findings to Facebook, and the company said that both apps work as intended. Meanwhile, when the Line app opens an encrypted message and finds a link, it appears to send the link to the Line server to generate a preview. "We believe that this defeats the purpose of end-to-end encryption, since LINE servers know all about the links that are being sent through the app, and who's sharing which links to whom," Haj Bakry and Mysk wrote. Discord, Google Hangouts, Slack, Twitter, and Zoom also copy files, but they cap the amount of data at anywhere from 15MB to 50MB. [This chart] provides a comparison of each app in the study.

At least 2,000 law enforcement agencies have tools to get into encrypted smartphones, according to new research, and they are using them far more than previously known. From a report: In a new Apple ad, a man on a city bus announces he has just shopped for divorce lawyers. Then a woman recites her credit card number through a megaphone in a park. "Some things shouldn't be shared," the ad says, "iPhone helps keep it that way." Apple has built complex encryption into iPhones and made the devices' security central to its marketing pitch. That, in turn, has angered law enforcement. Officials from the F.B.I. director to rural sheriffs have argued that encrypted phones stifle their work to catch and convict dangerous criminals. They have tried to force Apple and Google to unlock suspects' phones, but the companies say they can't. In response, the authorities have put their own marketing spin on the problem. Law enforcement, they say, is "going dark." Yet new data reveals a twist to the encryption debate that undercuts both sides: Law enforcement officials across the nation regularly break into encrypted smartphones.

That is because at least 2,000 law enforcement agencies in all 50 states now have tools to get into locked, encrypted phones and extract their data, according to years of public records collected in a report by Upturn, a Washington nonprofit that investigates how the police use technology. At least 49 of the 50 largest U.S. police departments have the tools, according to the records, as do the police and sheriffs in small towns and counties across the country, including Buckeye, Ariz.; Shaker Heights, Ohio; and Walla Walla, Wash. And local law enforcement agencies that don't have such tools can often send a locked phone to a state or federal crime lab that does. With more tools in their arsenal, the authorities have used them in an increasing range of cases, from homicides and rapes to drugs and shoplifting, according to the records, which were reviewed by The New York Times. Upturn researchers said the records suggested that U.S. authorities had searched hundreds of thousands of phones over the past five years. While the existence of such tools has been known for some time, the records show that the authorities break into phones far more than previously understood -- and that smartphones, with their vast troves of personal data, are not as impenetrable as Apple and Google have advertised. While many in law enforcement have argued that smartphones are often a roadblock to investigations, the findings indicate that they are instead one of the most important tools for prosecutions.

schwit1 quotes Input: A hacking group that has yet to identify itself found and stole more than 3 TB of private video from around the world — mainly collected from Singapore — and shared it on porn sites, according to reports from local media like The New Paper. While some of the footage was indeed pornographic in nature, other videos are more mundane.

More than 50,000 private IP-based cameras were accessed by hackers to amass the collection. Some were explicitly tagged with locations in Singapore, The New Paper reports, while others revealed their location as Singapore based on context clues such as book titles and home layout. Many show people (sometimes with their faces censored) in "various stages of undress or compromising positions...."

It's looking like poor security is the culprit. Clement Lee, a solutions architect for multinational software company Check Point Software Technologies, told The New Paper that the hacking of IP cameras is often due to "poor password management." IP cameras make it easy to access your video feeds from anywhere — which means it's also easy for hackers to access them from anywhere, once they've figured out your password...

The unfortunate fact of the matter is that internet-connected devices are inherently susceptible to hacking. Add lax encryption and lazy users to the mix and you have a recipe for disaster.

Video conferencing platform Zoom announced today plans to roll out end-to-end encryption (E2EE) capabilities starting next week. From a report: E2EE will allow Zoom users to generate individual encryption keys that will be used to encrypt voice or video calls between them and other conference participants. These keys will be stored locally and will not be shared with Zoom servers, meaning the software company won't be able to access or intercept any ongoing E2EE meetings. Support for E2EE calls will first be part of Zoom clients to be released next week. To use the new feature, users must update theri clients next week and enable support for E2EE calls at the account level. This green shield will contain a lock if E2EE is active. If the lock is absent, Zoom will use its default AES 256-bit GCM encryption scheme, which the company uses to secure current communications, but which the company can also intercept. Further reading: Zoom Adds Ability To Open Apps Like Dropbox And Slack, Event-Hosting Tools As Part Of Push Beyond Video Meetings.

The Xplora 4 smartwatch, made by Chinese outfit Qihoo 360 Technology Co, and marketed to children under the Xplora brand in the US and Europe, can covertly take photos and record audio when activated by an encrypted SMS message, says Norwegian security firm Mnemonic. The Register reports: This backdoor is not a bug, the finders insist, but a deliberate, hidden feature. Around 350,000 watches have been sold so far, Xplora says. Exploiting this security hole is non-trivial, we note, though it does reveal the kind of remotely accessible stuff left in the firmware of today's gizmos. "The backdoor itself is not a vulnerability," said infosec pros Harrison Sand and Erlend Leiknes in a report on Monday. "It is a feature set developed with intent, with function names that include remote snapshot, send location, and wiretap. The backdoor is activated by sending SMS commands to the watch."

The researchers suggest these smartwatches could be used to capture photos covertly from its built-in camera, to track the wearer's location, and to conduct wiretapping via the built-in mic. They have not claimed any such surveillance has actually been done. The watches are marketed as a child's first phone, we're told, and thus contain a SIM card for connectivity (with an associated phone number). Parents can track the whereabouts of their offspring by using an app that finds the wearer of the watch. Xplora contends the security issue is just unused code from a prototype and has now been patched. But the company's smartwatches were among those cited by Mnemonic and Norwegian Consumer Council in 2017 for assorted security and privacy concerns.

With the appropriate Android intent, an incoming encrypted SMS message received by the Qihoo SMS app could be directed through the command dispatcher in the Persistent Connection Service to trigger an application command, like a remote memory snapshot. Exploiting this backdoor requires knowing the phone number of the target device and its factory-set encryption key. This data is available to those to Qihoo and Xplora, according to the researchers, and can be pulled off the device physically using specialist tools. This basically means ordinary folks aren't going to be hacked, either by the manufacturer under orders from Beijing or opportunistic miscreants attacking gizmos in the wild, though it is an issue for persons of interest. It also highlights the kind of code left lingering in mass-market devices.

A recently released tool is letting anyone exploit an unusual Mac vulnerability to bypass Apple's trusted T2 security chip and gain deep system access. The flaw is one researchers have also been using for more than a year to jailbreak older models of iPhones. But the fact that the T2 chip is vulnerable in the same way creates a new host of potential threats. Worst of all, while Apple may be able to slow down potential hackers, the flaw is ultimately unfixable in every Mac that has a T2 inside. From a report: In general, the jailbreak community haven't paid as much attention to macOS and OS X as it has iOS, because they don't have the same restrictions and walled gardens that are built into Apple's mobile ecosystem. But the T2 chip, launched in 2017, created some limitations and mysteries. Apple added the chip as a trusted mechanism for securing high-value features like encrypted data storage, Touch ID, and Activation Lock, which works with Apple's "Find My" services. But the T2 also contains a vulnerability, known as Checkm8, that jailbreakers have already been exploiting in Apple's A5 through A11 (2011 to 2017) mobile chipsets. Now Checkra1n, the same group that developed the tool for iOS, has released support for T2 bypass.

On Macs, the jailbreak allows researchers to probe the T2 chip and explore its security features. It can even be used to run Linux on the T2 or play Doom on a MacBook Pro's Touch Bar. The jailbreak could also be weaponized by malicious hackers, though, to disable macOS security features like System Integrity Protection and Secure Boot and install malware. Combined with another T2 vulnerability that was publicly disclosed in July by the Chinese security research and jailbreaking group Pangu Team, the jailbreak could also potentially be used to obtain FileVault encryption keys and to decrypt user data. The vulnerability is unpatchable, because the flaw is in low-level, unchangeable code for hardware. "The T2 is meant to be this little secure black box in Macs -- a computer inside your computer, handling things like Lost Mode enforcement, integrity checking, and other privileged duties," says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. "So the significance is that this chip was supposed to be harder to compromise -- but now it's been done."

Members of the intelligence-sharing alliance Five Eyes, along with government representatives for Japan and India, have published a statement over the weekend calling on tech companies to come up with a solution for law enforcement to access end-to-end encrypted communications. From a report: The statement is the alliance's latest effort to get tech companies to agree to encryption backdoors. The Five Eyes alliance, comprised of the US, the UK, Canada, Australia, and New Zealand, have made similar calls to tech giants in 2018 and 2019, respectively. Just like before, government officials claim tech companies have put themselves in a corner by incorporating end-to-end encryption (E2EE) into their products. If properly implemented, E2EE lets users have secure conversations -- may them be chat, audio, or video -- without sharing the encryption key with the tech companies. Representatives from the seven governments argue that the way E2EE encryption is currently supported on today's major tech platforms prohibits law enforcement from investigating crime rings, but also the tech platforms themselves from enforcing their own terms of service. Signatories argue that "particular implementations of encryption technology" are currently posing challenges to law enforcement investigations, as the tech platforms themselves can't access some communications and provide needed data to investigators.

Facebook executives have sharply ramped up their criticism of Apple in recent months, contesting the iPhone maker's restrictions on gaming apps and ad targeting, as well as its cut of in-app purchases. Now, emboldened by Apple software changes that suggest it is starting to bend, Facebook wants something else: the option to make its Messenger app the default messaging tool on iPhones [Editor's note: the link is paywalled; alternative source]. From a report: "We feel people should be able to choose different messaging apps and the default on their phone," Stan Chudnovsky, the Facebook vice president in charge of its Messenger app, told The Information. "Generally, everything is moving this direction anyway." Chudnovksy said Facebook has asked Apple over the years to consider opening up default messaging. Apple has never agreed. Apple's Messages app is a core feature of its mobile software that encourages people to keep buying its devices, and the app's encryption of messages is also a cornerstone of the company's privacy pitch to consumers. Google's rival Android mobile operating system already lets users choose their default messaging app.

Ring's latest home security camera is an autonomous drone, called the Always Home Cam, that can fly around inside your home to give you a perspective of any room you want when you're not home. "Once it's done flying, the Always Home Cam returns to its dock to charge its battery," reports The Verge. "It is expected to cost $249.99 when it starts shipping next year." From the report: Jamie Siminoff, Ring's founder and "chief inventor," says the idea behind the Always Home Cam is to provide multiple viewpoints throughout the home without requiring the use of multiple cameras. In an interview ahead of the announcement, he said the company has spent the past two years on focused development of the device, and that it is an "obvious product that is very hard to build." Thanks to advancements in drone technology, the company is able to make a product like this and have it work as desired.

The Always Home Cam is fully autonomous, but owners can tell it what path it can take and where it can go. When you first get the device, you build a map of your home for it to follow, which allows you to ask it for specific viewpoints such as the kitchen or bedroom. The drone can be commanded to fly on demand or programmed to fly when a disturbance is detected by a linked Ring Alarm system. The charging dock blocks the camera's view, and the camera only records when it is in flight. Ring says the drone makes an audible noise when flying so it is obvious when footage is being recorded. Ring also rolled out new hardware for the automotive market with three different devices focused on car owners: Ring Car Alarm, Car Cam, and Car Connect.

The company also said they've added opt-in end-to-end video encryption, as well as the option to completely disable the "Neighbors" feed, which allows users to view local crime in real time and discuss it with people nearby.

Last week, voters and election administrators who emailed Leanne Jackson, the clerk of rural Hamilton County in central Texas, received bureaucratic-looking replies. "Re: official precinct results," one subject line read. The text supplied passwords for an attached file. But Jackson didn't send the messages. From a report: Instead, they came from Sri Lankan and Congolese email addresses, and they cleverly hid malicious software inside a Microsoft Word attachment. By the time Jackson learned about the forgery, it was too late. Hackers continued to fire off look-alike replies. Jackson's three-person office, already grappling with the coronavirus pandemic, ground to a near standstill. "I've only sent three emails today, and they were emails I absolutely had to send," Jackson said Friday. "I'm scared to" send more, she said, for fear of spreading the malware. The previously unreported attack on Hamilton illustrates an overlooked security weakness that could hamper the November election: the vulnerability of email systems in county offices that handle the voting process from registration to casting and counting ballots. Although experts have repeatedly warned state and local officials to follow best practices for computer security, numerous smaller locales like Hamilton appear to have taken few precautionary measures.

U.S. Department of Homeland Security officials have helped local governments in recent years to bolster their infrastructure, following Russian hacking attempts during the last presidential election. But desktop computers used each day in small rural counties to send routine emails, compose official documents or analyze spreadsheets can be easier targets, in part because those jurisdictions may not have the resources or know-how to update systems or afford security professionals familiar with the latest practices. A ProPublica review of municipal government email systems in swing states found that dozens of them relied on homebrew setups or didn't follow industry standards. Those protocols include encryption to ensure email passwords are secure and measures that confirm that people sending emails are who they purport to be. At least a dozen counties in battleground states didn't use cloud-hosted email from firms like Google or Microsoft. While not a cure-all, such services improve protections against email hacks.

An anonymous reader quotes a report from The New York Times: Iranian hackers, most likely employees or affiliates of the government, have been running a vast cyberespionage operation equipped with surveillance tools that can outsmart encrypted messaging systems -- a capability Iran was not previously known to possess, according to two digital security reports released Friday. The operation not only targets domestic dissidents, religious and ethnic minorities and antigovernment activists abroad, but can also be used to spy on the general public inside Iran, said the reports byCheck Point Software Technologies, a cybersecurity technology firm, andthe Miaan Group, a human rights organization that focuses on digital security in the Middle East.

The reports, which were reviewed by The New York Times in advance of their release, say that the hackers have successfully infiltrated what were thought to be secure mobile phones and computers belonging to the targets, overcoming obstacles created by encrypted applications such as Telegram and, according to Miaan, even gaining access to information on WhatsApp. Both are popular messaging tools in Iran. The hackers also have created malware disguised as Android applications, the reports said. [...] According to the report by Check Point's intelligence unit, the cyberespionage operation was set up in 2014, and its full range of capabilities went undetected for six years. Miaan traced the first the operation to February 2018 from a malicious email targeting a Sufi religious group in Iran after a violent confrontation between its members and Iranian security forces. It traced the malware used in that attack and further attacks in June 2020 to a private technology firm in Iran's northeast city of Mashhad named Andromedaa. Miaan researchers determined that Andromedaa had a pattern of attacking activists, ethnic minority groups and separatist opposition groups but also had developed phishing and malware tools that could target the general public.

The hackers appeared to have a clear goal: stealing information about Iranian opposition groups in Europe and the United States and spying on Iranians who often use mobile applications to plan protests, according to the Miaan report. [...] According to Check Point, the hackers use a variety of infiltration techniques, including phishing, but the most widespread method is sending what appear to be tempting documents and applications to carefully selected targets. [...] The spyware enabled the attackers to gain access to almost any file, log clipboard data, take screenshots and steal information. According to Miaan, one application empowered hackers to download data stored on WhatsApp. In addition, the attackers discovered a weakness in the installation protocols of several encrypted applications including Telegram, which had always been deemed relatively secure, enabling them to steal the apps' installation files. These files, in turn, allow the attackers to make full use of the victims' Telegram accounts. "Although the attackers cannot decipher the encrypted communications of Telegram, their strategy makes it unnecessary," the report adds. "Rather, they use the stolen installation files to create Telegram logins to activate the app in the victims' names on another device. This enables the attackers to secretly monitor all Telegram activity of the victims."

An anonymous reader quotes a report from Motherboard: After searching through some of the tens of millions of encrypted messages pulled from Encrochat devices, Dutch police have launched a new investigation team that will look specifically into corruption, the police force announced on Wednesday. In some cases authorities are looking to identify police who leaked information to organized criminals. The news broadens the scope of the Encrochat investigations, which have focused heavily on drug trafficking and organized crime more generally. Earlier this year, French authorities hacked into Encrochat phones en masse to retrieve message content, and then shared those communications with various other law enforcement agencies.

"Criminal investigations into possible corruption are currently underway and there are likely to be more in the near future. In addition to investigations into drug trafficking and money laundering, investigations into corruption are also given top priority," Chief of Police Henk van Essen said in a Politie press release.

Encrochat was an encrypted phone company that took base Android units, made physical alterations to them, and added its own software. Encrochat devices sent messages with end-to-end encryption, meaning only the intended recipient was supposed to be able to read them. The phones also had a remote wipe feature, letting users destroy communications if they lost physical control of the device, as well as a dual-boot system that let users open an innocuous looking operating system, or the second one containing their more sensitive information. The phones were particularly popular with criminals, including drug traffickers and hitmen. There are indications Encrochat may have had legitimate users too, however. Other Encrochat customers are allegedly those involved in corruption, including police themselves, the press release suggests.

An anonymous reader quotes a report: IEEE Spectrum got an exclusive look at General Motors' wireless battery management system. It's a first in any EV anywhere (not even Tesla has one). The wireless technology, created with Analog Devices, Inc., will be standard on a full range of GM EVs, with the company aiming for at least 1 million global sales by mid-decade. Those vehicles will be powered by GM's proprietary Ultium batteries, produced at a new US $2.3 billion plant in Ohio, in partnership with South Korea's LG Chem. Unlike today's battery modules, which link up to an on-board management system through a tangle of orange wiring, GM's system features RF antennas integrated on circuit boards. The antennas allow the transfer of data via a 2.4-gigahertz wireless protocol similar to Bluetooth but with lower power. Slave modules report back to an onboard master, sending measurements of cell voltages and other data. That onboard master can also talk through the cloud to GM.

The upshot is cradle-to-grave monitoring of battery health and operation, including real-time data from drivers in wildly different climates or usage cases. That all-seeing capability includes vast inventories of batteries -- even before workers install them in cars on assembly lines. GM can essentially plug-and-play battery modules for a vast range of EVs, including heavy-duty trucks and sleek performance cars, without having to redesign wiring harnesses or communications systems for each. That can help the company speed models to market and ensure the profitability that has eluded most EV makers. GM engineers and executives said they've driven the cost of Ultium batteries, with their nickel-cobalt-manganese-aluminum chemistry, below the $100 per kilowatt-hour mark -- long a Holy Grail for battery development. And GM has vowed that it will turn a profit on every Ultium-powered car it makes. The system features end-to-end encryption and the software and battery nodes can be reprogrammed over-the-air.

"Repurposing partially spent batteries also gets easier because there's no need to overhaul the management system or fiddle with hard-to-recycle wiring," the report adds. "Wireless packs can go straight into their new roles, typically as load-balancing workhorses for the grid."

An anonymous reader quotes a report from The Verge: Today, the Trump administration released its fifth Space Policy Directive, this one designed to come up with a list of best practices for the space industry on how to protect their spacecraft from cyber threats. The goal is to encourage the government and space industry to create their space vehicles with cybersecurity plans in place, incorporating tools like encryption software and other protections when designing, building, and operating their vehicles. [...] To combat these threats, Space Policy Directive 5 lays out guidelines that companies should try to adhere to as they launch satellites and other vehicles to space. The administration is recommending operators use various types of software to ensure that the data they receive from their spacecraft is encrypted. The directive also encourages companies to use trusted supply chains and oversee the safety of their ground systems -- the facilities they use to send signals and retrieve data from their spacecraft. The report also recommends protecting against jamming and spoofing of satellites. "Sometimes the jamming can be fairly crude; other cases, some of the spoofing can be fairly sophisticated if somebody's trying to get on board," one official said. "So there's a whole range of things that you need to look at kind of end-to-end."

Ultimately, the directive says that government agencies should work with commercial companies to further refine what these best cybersecurity practices should be, especially since many in the space industry already implement these strategies when building and launching vehicles. [...] SPD-5 is the latest policy directive from the Trump administration designed to shape the U.S. space agenda. Trump's first directive instructed NASA to send humans back to the Moon, while other directives have focused on coming up with a way to oversee space traffic and streamlining regulations for space licenses.

Bridgefy, a popular messaging app for conversing with one another when internet connections are heavily congested or completely shut down, is a privacy disaster that can allow moderately-skilled hackers to take a host of nefarious actions against users, according to a paper published on Monday. The findings come after the company has for months touted the app as a safe and reliable way for activists to communicate in large gatherings. Ars Technica reports: By using Bluetooth and mesh network routing, Bridgefy lets users within a few hundred meters -- and much further as long as there are intermediary nodes -- to send and receive both direct and group texts with no reliance on the Internet at all. Bridgefy cofounder and CEO Jorge Rios has said he originally envisioned the app as a way for people to communicate in rural areas or other places where Internet connections were scarce. And with the past year's upswell of large protests around the world -- often in places with hostile or authoritarian governments -- company representatives began telling journalists that the app's use of end-to-end encryption (reiterated here, here, and here) protected activists against governments and counter protesters trying to intercept texts or shut down communications.

[R]esearchers said that the app's design for use at concerts, sports events, or during natural disasters makes it woefully unsuitable for more threatening settings such as mass protests. They wrote: "Though it is advertised as 'safe' and 'private' and its creators claimed it was secured by end-to-end encryption, none of aforementioned use cases can be considered as taking place in adversarial environments such as situations of civil unrest where attempts to subvert the application's security are not merely possible, but to be expected, and where such attacks can have harsh consequences for its users. Despite this, the Bridgefy developers advertise the app for such scenarios and media reports suggest the application is indeed relied upon."

The researchers are: Martin R. Albrecht, Jorge Blasco, Rikke Bjerg Jensen, and Lenka Marekova from Royal Holloway, University of London. After reverse engineering the app, they devised a series of devastating attacks that allow hackers -- in many cases with only modest resources and moderate skill levels -- to take a host of nefarious actions against users. The attacks allow for: deanonymizing users; building social graphs of users' interactions, both in real time and after the fact; decrypting and reading direct messages; impersonating users to anyone else on the network; completely shutting down the network; and performing active man-in-the-middle attacks, which allow an adversary not only to read messages, but to tamper with them as well. "The key shortcoming that makes many of these attacks possible is that Bridgefy offers no means of cryptographic authentication, which one person uses to prove she's who she claims to be," the report adds. "Instead, the app relies on a user ID that's transmitted in plaintext to identify each person. Attackers can exploit this by sniffing the ID over the air and using it to spoof another user."

The app also uses PKCS #1, an outdated way of encoding and formatting messages so that they can be encrypted with the RSA cryptographic algorithm. "This encoding method, which was deprecated in 1998, allows attackers to perform what's known as a padding oracle attack to derive contents of an encrypted message," reports Ars.

At the Black Hat security conference, researchers from the Taiwanese cybersecurity firm CyCraft revealed at least seven Taiwanese chip firms have been breached over the past two years, reports Wired: The series of deep intrusions — called Operation Skeleton Key due to the attackers' use of a "skeleton key injector" technique — appeared aimed at stealing as much intellectual property as possible, including source code, software development kits, and chip designs. And while CyCraft has previously given this group of hackers the name Chimera, the company's new findings include evidence that ties them to mainland China and loosely links them to the notorious Chinese state-sponsored hacker group Winnti, also sometimes known as Barium, or Axiom. "This is very much a state-based attack trying to manipulate Taiwan's standing and power," says Chad Duffy, one of the CyCraft researchers who worked on the company's long-running investigation...

The researchers found that, in at least some cases, the hackers appeared to gain initial access to victim networks by compromising virtual private networks, though it wasn't clear if they obtained credentials for that VPN access or if they directly exploited vulnerabilities in the VPN servers. The hackers then typically used a customized version of the penetration testing tool Cobalt Strike, disguising the malware they planted by giving it the same name as a Google Chrome update file. They also used a command-and-control server hosted on Google's or Microsoft's cloud services, making its communications harder to detect as anomalous....

Perhaps the most remarkable of those new clues came from essentially hacking the hackers. CyCraft researchers observed the Chimera group exfiltrating data from a victim's network and were able to intercept an authentication token from their communications to a command-and-control server. Using that same token, CyCraft's analysts were able browse the contents of the cloud server, which included what they describe as a "cheat sheet" for the hackers, outlining their standard operating procedure for typical intrusions. That document was notably written in simplified Chinese characters, used in mainland China but not Taiwan...
"It's possible that what they're seeing is just a small fragment of a larger picture," says the director of Kaspersky's Global Research & Analysis Team, who tells Wired the group has also attacked telecoms, tech firms, and a broad range of other Taiwanese companies.

But in the same article one of CyCraft's researchers argues the group could be looking for even more exploits. "If you have a really deep understanding of these chips at a schematic level, you can run all sorts of simulated attacks on them and find vulnerabilities before they even get released."

A few quintillion possible decryption keys stand between a man and his cryptocurrency. From a report: In October, Michael Stay got a weird message on LinkedIn. A total stranger had lost access to his bitcoin private keys -- and wanted Stay's help getting his $300,000 back. It wasn't a total surprise that The Guy, as Stay calls him, had found the former Google security engineer. Nineteen years ago, Stay published a paper detailing a technique for breaking into encrypted zip files. The Guy had bought around $10,000 worth of bitcoin in January 2016, well before the boom. He had encrypted the private keys in a zip file and had forgotten the password. He was hoping Stay could help him break in. In a talk at the Defcon security conference this week, Stay details the epic attempt that ensued.

[...] "If we find the password successfully, I will thank you," The Guy wrote with a smiley face. After an initial analysis, Stay estimated that he would need to charge $100,000 to break into the file. The Guy took the deal. After all, he'd still be turning quite the profit. "It's the most fun I've had in ages. Every morning I was excited to get to work and wrestle with the problem," says Stay, who today is the chief technology officer of the blockchain software development firm Pyrofex. "The zip cipher was designed decades ago by an amateur cryptographer -- the fact that it has held up so well is remarkable." But while some zip files can be cracked easily with off-the-shelf tools, The Guy wasn't so lucky. That's partly why the work was priced so high. Newer generations of zip programs use the established and robust cryptographic standard AES, but outdated versions -- like the one used in The Guy's case -- use Zip 2.0 Legacy encryption that can often be cracked. The degree of difficulty depends on how it's implemented, though. "It's one thing to say something is broken, but actually breaking it is a whole different ball of wax," says Johns Hopkins University cryptographer Matthew Green.

An anonymous reader quotes a report from MarketWatch: TikTok skirted a privacy safeguard in Google's Android operating system to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out, a Wall Street Journal analysis has found. The tactic, which experts in mobile-phone security said was concealed through an unusual added layer of encryption, appears to have violated Google policies limiting how apps track people and wasn't disclosed to TikTok users. TikTok ended the practice in November, the Journal's testing showed.

The identifiers collected by TikTok, called MAC addresses, are most commonly used for advertising purposes. The White House has said it is worried that users' data could be obtained by the Chinese government and used to build detailed dossiers on individuals for blackmail or espionage. In a statement, a spokesperson said the company is "committed to protecting the privacy and safety of the TikTok community. Like our peers, we constantly update our app to keep up with evolving security challenges." The company said "the current version of TikTok does not collect MAC addresses."

A consumer advocacy group is suing Zoom and seeking millions of dollars in damages, accusing the company of misleading its users about the strength of its encryption protections. From a report: The nonprofit group Consumer Watchdog is also accusing the videoconferencing company of deceiving users about the extent of its links with China and the fact that some calls between people in North America were routed through servers in China. That raises the danger Beijing could steal or demand access to the contents of those calls, according to a copy of the lawsuit, which was shared exclusively with The Cybersecurity 202.

Those phony claims "lull[ed] consumers and businesses into a false sense of security" and helped Zoom to soar in popularity during the early months of the pandemic, according the lawsuit, which was filed late yesterday in Washington D.C. Superior Court. The consumer group fears that if Zoom isn't punished, other companies will be incentivized to make false claims about their security and privacy protections to attract users and stand out against competitors.

"As controversy rages over the governance of Google's Istio service mesh, Microsoft has seen an opportunity to offer a simple and truly open alternative," reports InfoWorld: Microsoft has announced that it will release its own open source service mesh — called Open Service Mesh (OSM) — and transfer it to the Cloud Native Computing Foundation (CNCF) as soon as possible. This sets the Redmond-based company apart from its cloud rival Google, which recently announced that its own Istio service mesh will no longer be part of the vendor-neutral CNCF and will instead sit under Google's own Open Usage Commons foundation.

The service mesh has quickly become a vital part of the modern cloud native computing stack, as it essentially enables communication, monitoring, and load balancing between disparate parts of today's microservices-based architecture. This differs from the popular container orchestration service Kubernetes in its level of granularity. When run in tandem with Kubernetes, a service mesh enables deeper security policy and encryption enforcement and automated load balancing and circuit breaking functionality...

With this launch Microsoft is not only aligning itself with the open governance side of the debate which has been raging through the open source software community for the past few months, but is also looking to solve a customer pain point.