United States

US Says Russia Hacked Energy Grid, Punishes 19 for Meddling (apnews.com) 227

Associated Press: Pushing back harder on Russia, the Trump administration accused Moscow on Thursday of a concerted hacking operation targeting the U.S. energy grid, aviation systems and other infrastructure, and also imposed sanctions on Russians for alleged interference in the 2016 election. It was the strongest action to date against Russia by the administration, which has long been accused of being too soft on the Kremlin, and the first punishments for election meddling since President Donald Trump took office. The sanctions list included the 13 Russians indicted last month by special counsel Robert Mueller, whose Russia investigation the president has repeatedly sought to discredit. U.S. national security officials said the FBI, Department of Homeland Security and intelligence agencies had determined that Russian intelligence and others were behind a broad range of cyberattacks beginning a year ago that have infiltrated the energy, nuclear, commercial, water, aviation and manufacturing sectors. Further reading: Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors (US-Cert); U.S. blames Russia for cyber attacks on energy grid, other sectors (Reuters); U.S. says Russian hackers targeted American energy grid (Politico); Trump administration finally announces Russia sanctions over election meddling (CNN); U.S. sanctions on Russia cite 2016 election interference -- but remain largely symbolic (USA Today); U.S. Sanctions Russians Charged by Mueller for Election Meddling (Bloomberg); and Trump Administration Sanctions Russians for Election Meddling and Cyberattacks (The New York Times).

Intel Says 'Partitions' in New Chips Will Correct the Design Flaw that Created Spectre and Meltdown (geekwire.com) 68

Intel said on Thursday it is introducing hardware protections against the Spectre CPU flaw that was discovered last year. From a report: Starting with the Cascade Lake version of its Xeon server processors later this year, Intel will incorporate "protective walls" in its hardware that prevent malicious hackers from using speculative execution techniques to steal private information from the secure part of the processor. These fixes will also ship with the PC version of the Cascade Lake chips, but the tech industry has been much more concerned about the effect of these design flaws on server processors running in data centers and cloud vendors.

The new fixes allow Intel to still benefit from the performance advantages of speculative execution -- in which a processor guesses which upcoming instructions it will need to execute in order to speed things up -- without the security risks. The hardware changes address Variants 2 and 3 of the Spectre and Meltdown issues first disclosed in early January, and software fixes should continue to address Variant 1, Intel said.


Can AMD Vulnerabilities Be Used To Game the Stock Market? (vice.com) 106

Earlier this week, a little-known security firm called CTS Labs reported, what it claimed to be, severe vulnerabilities and backdoors in some AMD processors. While AMD looks into the matter, the story behind the researchers' discovery and the way they made it public has become a talking point in security circles. The researchers, who work for CTS Labs, only reported the flaws to AMD shortly before publishing their report online. Typically, researchers give companies a few weeks or even months to fix the issues before going public with their findings. To make things even stranger, a little bit over 30 minutes after CTS Labs published its report, a controversial financial firm called Viceroy Research published what they called an "obituary" for AMD. Motherboard reports: "We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries," Viceroy wrote in its report. CTS Labs seemed to hint that it too had a financial interest in the performance of AMD stock. "We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports," CTS Labs wrote in the legal disclaimer section of its report.

On Twitter, rumors started to swirl. Are the researchers trying to make money by betting that AMD's share price will go down due to the news of the vulnerabilities? Or, in Wall Street jargon, were CTS Labs and Viceroy trying to short sell AMD stock? Security researcher Arrigo Triulzi speculated that Viceroy and CTS Lab were profit sharing for shorting, while Facebook's chief security officer Alex Stamos warned against a future where security research is driven by short selling.

[...] There's no evidence that CTS Labs worked with Viceroy to short AMD. But something like that has happened before. In 2016, security research firm MedSec found vulnerabilities in pacemakers made by St. Jude Medical. In what was likely a first, MedSec partnered with hedge fund Muddy Waters to bet against St. Jude Medical's stock. For Adrian Sanabria, director of research at security firm Threatcare and a former analyst at 451 Research, where he covered the cybersecurity industry, trying to short based on vulnerabilities just doesn't make much sense. While it could work in theory and could become more common in the future, he said in a phone call, "I don't think we've seen enough evidence of security vulnerabilities really moving the stock for it to really become an issue."
Further reading: Linus Torvalds slams CTS Labs over AMD vulnerability report (ZDNet).

Microsoft Removes Antivirus Registry Key Check for Windows 10 Users (bleepingcomputer.com) 38

Microsoft has backtracked on a decision it took back in January when it conditioned that computers without a special registry key would not receive any more security updates. From a report: That particular "requirement" was introduced as part of the Meltdown and Spectre patching process. At the time, Microsoft said that antivirus vendors would have to add a key to the Windows Registry to signal that they are compatible with Microsoft's original Meltdown and Spectre patches. This was a big issue at the time because Microsoft detected during testing that some antivirus vendors would inject code into parts of the kernel that the company was trying to patch against Meltdown and Spectre flaws.

Jewelry Site Leaks Personal Details, Plaintext Passwords of 1.3 Million Users (thenextweb.com) 37

Chicago-based MBM Company's jewelry brand Limoges Jewelry has accidentally leaked the personal information for over 1.3 million people. This includes addresses, zip-codes, e-mail addresses, and IP addresses. The Germany security firm Kromtech Security, which found the leak via an unsecured Amazon S3 storage bucket, also claims the database contained plaintext passwords. The Next Web reports: In a press release, Kromtech Security's head of communicationis, Bob Diachenko, said: "Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts." The [MSSQL database] backup file was named "MBMWEB_backup_2018_01_13_003008_2864410.bak," which suggests the file was created on January 13, 2018. It's believed to contain current information about the company's customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year. Other records held in the database include internal mailing lists, promo-codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company. Diachenko says there's no evidence a malicious third-party has accessed the dump, but that "that does not mean that nobody [has] accessed the data."

Sri Lanka Accuses Facebook of Failing To Control Hate Speech That Contributed To Deadly Riots (theguardian.com) 75

The Sri Lankan government is accusing Facebook of failing to control rampant hate speech that it says contributed to anti-Muslim riots last week that left three people dead and the country under a state of emergency. The accusations come after the country blocked Facebook and several other platforms last week in an effort to prevent the spread of hate speech. The Guardian reports: On Thursday Fernando, along with the Sri Lankan prime minister, Ranil Wickremesinghe, and communications officials, will meet a Facebook team that has flown to Colombo. The Sri Lankans will demand a new, faster system for taking down posts flagged as a national security risk by agencies in the country. "Facebook is not reacting as fast as we have wanted it to react," Fernando said. "In the past it has taken various number of days to review [flagged posts] or even to take down the pages." On Tuesday he highlighted a tweet from a user who claimed to have reported a Facebook post in the Sinhala language that read "Kill all Muslims, don't even let an infant of the dogs escape." The user claimed he received a reply six days later saying the post did not contravene a specific Facebook community standard. The extremist leader Amith Weerasinghe, who was arrested last week in Kandy after being accused of helping to instigate the violence, had amassed nearly 150,000 followers on his Facebook page before it was taken down last week.

Privacy-Busting Bugs Found in Popular VPN Services Hotspot Shield, Zenmate and PureVPN (zdnet.com) 60

A report by VpnMentor, a website which ranks VPN services, reveals several vulnerabilities in Hotspot Shield, Zenmate, and PureVPN -- all of which promise to provide privacy for their users. VpnMentor says it hired a team of three external ethical hackers to find vulnerabilities in three random popular VPNs. While one hacker wants to keep his identity private, the other two are known as File Descriptor and Paulos Yibelo. ZDNet: The research reveals bugs that can leak real-world IP addresses, which in some cases can identify individual users and determine a user's location. In the case of Hotspot Shield, three separate bugs in how the company's Chrome extension handles proxy auto-config scripts -- used to direct traffic to the right places -- leaked both IP and DNS addresses, which undermines the effectiveness of privacy and anonymity services. [...] AnchorFree, which makes Hotspot Shield, fixed the bugs, and noted that its mobile and desktop apps were not affected by the bugs. The researchers also reported similar IP leaking bugs to Zenmate and PureVPN.

Researchers Find Critical Vulnerabilities in AMD's Ryzen and EPYC Processors, But They Gave the Chipmaker Only 24 Hours Before Making the Findings Public (cnet.com) 195

Alfred Ng, reporting for CNET: Researchers have discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Particularly worrisome is the fact that the vulnerabilities lie in the so-called secure part of the processors -- typically where your device stores sensitive data like passwords and encryption keys. It's also where your processor makes sure nothing malicious is running when you start your computer. CTS-Labs, a security company based in Israel, announced Tuesday that its researchers had found 13 critical security vulnerabilities that would let attackers access data stored on AMD's Ryzen and EPYC processors, as well as install malware on them. Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers. The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly. An AMD spokesperson said, "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings," an AMD spokesman said. Zack Whittaker, a security reporter at CBS, said: Here's the catch: AMD had less than a day to look at the research. No wonder why its response is so vague.

ACLU Sues TSA Over Electronic Device Searches (techcrunch.com) 115

The American Civil Liberties Union of Northern California has filed a Freedom of Information Act lawsuit against the Transportation Security Administration over its alleged practices of searching the electronic devices of passengers traveling on domestic flights. "The federal government's policies on searching the phones, laptops, and tablets of domestic air passengers remain shrouded in secrecy," ACLU Foundation of Northern California attorney Vasudha Talla said in a blog post. "TSA is searching the electronic devices of domestic passengers, but without offering any reason for the search," Talla added. "We don't know why the government is singling out some passengers, and we don't know what exactly TSA is searching on the devices. Our phones and laptops contain very personal information, and the federal government should not be digging through our digital data without a warrant." TechCrunch reports: The lawsuit, which is directed toward the TSA field offices in San Francisco and its headquarters in Arlington, Virginia, specifically asks the TSA to hand over records related to its policies, procedures and/or protocols pertaining to the search of electronic devices. This lawsuit comes after a number of reports came in pertaining to the searches of electronic devices of passengers traveling domestically. The ACLU also wants to know what equipment the TSA uses to search, examine and extract any data from passengers' devices, as well as what kind of training TSA officers receive around screening and searching the devices. The ACLU says it first filed FOIA requests back in December, but TSA "subsequently improperly withheld the requested records," the ACLU wrote in a blog post today.

'Slingshot' Malware That Hid For Six Years Spread Through Routers 72

An anonymous reader quotes a report from Engadget: Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there. Recent MikroTik router firmware updates should fix the issue. However, there's concern that other router makers might be affected.

Trump Issues Order To Block Broadcom's Takeover of Qualcomm (bloomberg.com) 227

Bloomberg reports that President Donald Trump issued an executive order today blocking Broadcom from acquiring Qualcomm, "scuttling a $117 billion deal that had been subject to U.S. government scrutiny on national security grounds." From the report: The president acted on a recommendation by the Committee on Foreign Investment in the U.S., which reviews acquisitions of American firms by foreign investors. The decision to block the deal was unveiled just hours after Broadcom Chief Executive Officer Hock Tan met with security officials at the Pentagon in a last-ditch effort to salvage the transaction. "There is credible evidence that leads me to believe that Broadcom Ltd." by acquiring Qualcomm "might take action that threatens to impair the national security of the United States," Trump said in the order released Monday evening in Washington.

Data Breach Victims Can Sue Yahoo in the United States, Federal Judge Rules (reuters.com) 13

Yahoo has been ordered by a federal judge to face much of a lawsuit in the United States claiming that the personal information of all 3 billion users was compromised in a series of data breaches. From a report: In a decision on Friday night, U.S. District Judge Lucy Koh in San Jose, California rejected a bid by Verizon Communications, which bought Yahoo's Internet business last June, to dismiss many claims, including for negligence and breach of contract. Koh dismissed some other claims. She had previously denied Yahoo's bid to dismiss some unfair competition claims.

[...] The plaintiffs amended their complaint after Yahoo last October revealed that the 2013 breach affected all 3 billion users, tripling its earlier estimate. Koh said the amended complaint highlighted the importance of security in the plaintiffs' decision to use Yahoo. 'Plaintiffs' allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System," Koh wrote. She also said the plaintiffs could try to show that liability limits in Yahoo's terms of service were "unconscionable," given the allegations that Yahoo knew its security was deficient but did little.


Coming Soon to a Front Porch Near You: Package Delivery Via Drone (wsj.com) 110

After lagging behind other countries for years, commercial drones in the U.S. are expected to begin limited package deliveries within months, according to federal regulators and industry officials. [Editor's note: the link may be paywalled; an alternative source was not immediately available] From a report: The momentum partly stems from stepped-up White House pressure, prompting closer cooperation between the government and companies such as Amazon.com seeking authorizations for such fledgling businesses. The upshot, according to these officials, is newfound confidence by both sides that domestic package-delivery services finally appear on the verge of taking off. Earlier promises of progress turned out to be premature. The green light could be delayed again if proponents can't overcome nagging security concerns on the part of local or national law-enforcement agencies. Proposed projects also may end up stymied if Federal Aviation Administration managers don't find creative ways around legislative and regulatory restrictions such as those mandating pilot training for manned aircraft. But some proponents of delivery and other drone applications "think they might be ready to operate this summer," Jay Merkle, a senior FAA air-traffic control official, said during a break at an unmanned-aircraft conference in Baltimore last week that highlighted the agency's pro-business approach.

New Traces of Hacking Team in the Wild (welivesecurity.com) 19

Previously unreported samples of Hacking Team's infamous surveillance tool -- the Remote Control System (RCS) -- are in the wild, and have been detected by ESET systems in fourteen countries. From a report: Our analysis of the samples reveals evidence suggesting that Hacking Team's developers themselves are actively continuing the development of this spyware. Since being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world. The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device's webcam and microphone. The company has been criticized for selling these capabilities to authoritarian governments -- an allegation it has consistently denied. When the tables turned in July 2015, with Hacking Team itself suffering a damaging hack, the reported use of RCS by oppressive regimes was confirmed. With 400GB of internal data -- including the once-secret list of customers, internal communications, and spyware source code -- leaked online, Hacking Team was forced to request its customers to suspend all use of RCS, and was left facing an uncertain future.

MoviePass Wants To Gather a Whole Lot of Data About Its Users (fortune.com) 162

An anonymous reader writes: MoviePass CEO Mitch Lowe thinks his service's rapid growth will continue, projecting earlier this month that MoviePass will have 5 million subscribers by the end of 2018, and account for around 20% of all movie ticket purchases. But some of those future subscribers might be concerned about his company's tactics, which Lowe recently said includes tracking users' location before and after a trip to the movies. Lowe's comments, originally reported by Media Play News, were made at the Entertainment Finance Forum on March 2 in Hollywood. They came during a panel titled "Data is the New Oil: How Will MoviePass Monetize It?" Lowe's answer to that question, in part, was that "our bigger vision is to build a night at the movies," including by guiding users to a meal before or after seeing a film.

Lowe said that was possible because "we get an enormous amount of information. Since we mail you the card, we know your home address . . . we know the makeup of that household, the kids, the age groups, the income. It's all based on where you live. It's not that we ask that. You can extrapolate that. "Then," Lowe continued, "Because you are being tracked in your GPS by the phone . . . we watch how you drive from home to the movies. We watch where you go afterwards, and so we know the movies you watch. We know all about you. We don't sell that data. What we do is we use that data to market film."


Chinese Police Begin Tracking Citizens With Face-Recognizing Smart Glasses (reuters.com) 112

An anonymous reader quotes Reuters: At a highway check point on the outskirts of Beijing, local police are this week testing out a new security tool: smart glasses that can pick up facial features and car registration plates, and match them in real-time with a database of suspects. The AI-powered glasses, made by LLVision, scan the faces of vehicle occupants and the plates, flagging with a red box and warning sign to the wearer when any match up with a centralized "blacklist".

The test -- which coincides with the annual meeting of China's parliament in central Beijing -- underscores a major push by China's leaders to leverage technology to boost security in the country... Wu Fei, chief executive of LLVision, said people should not be worried about privacy concerns because China's authorities were using the equipment for "noble causes", catching suspects and fugitives from the law. "We trust the government," he told Reuters at the company's headquarters in Beijing.

This weekend while China's President Xi Jinping is expected to push through a reform allowing him to stay in power indefinitely, Reuters reports that the Chinese goverment is pushing the use of cutting-edge technology "to track and control behavior that goes against the interests of the ruling Communist Party online and in the wider world... A key concern is that blacklists could include a wide range of people stretching from lawyers and artists to political dissidents, charity workers, journalists and rights activists...

"The new technologies range from police robots for crowd control, to drones to monitor border areas, and artificially intelligent systems to track and censor behavior online," Reuters reports, citing one Hong Kong researcher who argues that China now sees internet and communication technologies "as absolutely indispensable tools of social and political control."

Debian 9.4 Released (debian.org) 78

An anonymous reader quotes Debian.org: The Debian project is pleased to announce the fourth update of its stable distribution Debian 9 (codename "stretch"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems... Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old "stretch" media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Phoronix adds that Debian 9.4 "has a new upstream Linux kernel release, various dependency fixes for some packages, an infinite loop fix in Glade, several CVE security fixes, a larger stack size for NTP, a new upstream release of their NVIDIA proprietary driver package, Python 3 dependency fixes, and other security fixes."

Massive DDOS Attacks Are Now Targeting Google, Amazon, and the NRA (pcmag.com) 121

PC Magazine reports: A new way to amplify DDoS attacks has been spotted harassing Google, Amazon, Pornhub and even the National Rifle Association's main website after striking Github last week. The attacks, which exploit vulnerable "memcached servers," have been trying to hose down scores of new targets with a flood of internet traffic, according to Chinese security firm Qihoo 360... Github was the first high-profile victim and suffered a 1.35 Tbps assault -- or what was then the biggest DDoS attack on record. But days later, an unnamed U.S. service provider fended off a separate assault, which measured at 1.7 Tbps. Unfortunately, the amplified DDoS attacks haven't stopped. They've gone on to strike over 7,000 unique IP addresses in the last seven days, Qihoo 360 said in a blog post... Gaming sites including Rockstargames.com, Minecraft.net, and Playstation.net have been among those hit...

The security community is also steadily addressing the linchpin to all the assaults: the vulnerable memcached servers. About 100,000 of these online storage systems were publicly exposed over a week ago. But the server owners have since patched or firewalled about 60,000 of them, Radware security researcher Daniel Smith said. That leaves 40,000 servers open to exploitation. Smith points to how the coding behind the attack technique has started to circulate online through free tools and scripts.

Meanwhile, Slashdot reader darthcamaro shares an article about "the so-call 'kill switch'" that some vendors have been debating: "The 'kill switch' was immediately obvious to everyone who worked on mitigating this DDoS attack," John Graham-Cumming, CTO of CloudFlare said. "We chose not to use or test this method because it would be unethical and likely illegal since it alters the state of a remote machine without authorization."

SgxSpectre Attack Can Extract Data From Intel SGX Enclaves (bleepingcomputer.com) 28

An anonymous reader quotes BleepingComputer: A new variation of the Spectre attack has been revealed this week by six scientists from the Ohio State University. Named SgxSpectre, researchers say this attack can extract information from Intel SGX enclaves. Intel Software Guard eXtensions (SGX) is a feature of modern Intel processors that allow an application to create so-called enclaves. This enclave is a hardware-isolated section of the CPU's processing memory where applications can run operations that deal with extremely sensitive details, such as encryption keys, passwords, user data, and more... Neither Meltdown and Spectre were able to extract data from SGX enclaves. This is where SgxSpectre comes in.

According to researchers, SgxSpectre works because of specific code patterns in software libraries that allow developers to implement SGX support into their apps. Vulnerable SGX development kits include the Intel SGX SDK, Rust-SGX, and Graphene-SGX. Academics say an attacker can leverage the repetitive code execution patterns that these SDKs introduce in SGX enclaves and watch for small variations of cache size. This allows for side-channel attacks that allow a threat actor to infer and slowly recover data from secure enclaves.

Intel's recent Spectre patches don't necessarily help, as an attacker can work around these fixes. Intel says an update for the Intel SGX SDK that adds SgxSpectre mitigations will be released on March 16. Apps that implement Google's Retpoline anti-Spectre coding techniques are safe, researchers say.


In a Remarkable Turn of Events, Hackers -- Not Users -- Lost Money in Attempted Cryptocurrency Exchange Heist (bleepingcomputer.com) 56

The hackers who attempted to hack Binance, one of the largest cryptocurrency exchanges on the Internet, have ended up losing money in a remarkable turn of events. It all began on Thursday, when thousands of user accounts started selling their Bitcoin and buying an altcoin named Viacoin (VIA). The incident, BleepingComputer reports, looked like a hack, and users reacted accordingly. But this wasn't a hack, or at least not your ordinary hack. The report adds: According to an incident report published by the Binance team, in preparation for yesterday's attack, the hackers ran a two-month phishing scheme to collect Binance user account credentials. Hackers used a homograph attack by registering a domain identical to binance.com, but spelled with Latin-lookalike Unicode characters. More particularly, hackers registered the [redacted].com domain -- notice the tiny dots under the "i" and "a" characters.

Phishing attacks started in early January, but the Binance team says it detected evidence that operations ramped up around February 22, when the campaign reached its peak. Binance tracked down this phishing campaign because the phishing pages would immediately redirect phished users to the real Binance login page. This left a forensic trail in referral logs that Binance developers detected. After getting access to several accounts, instead of using the login credentials to empty out wallets, hackers created "trading API keys" for each account. With the API keys in hand, hackers sprung their main attack yesterday. Crooks used the API keys to automate transactions that sold Bitcoin held in compromised Binance accounts and automatically bought Viacoin from 31 other Binance accounts that hackers created beforehand, and where they deposited Viacoin, ready to be bought. But hackers didn't know one thing -- Binance's secret weapon -- an internal risk management system that detected the abnormal amount of Bitcoin-Viacoin sale orders within the span of two minutes and blocked all transactions on the platform. Hackers tried to cash out the 31 Binance accounts, but by that point, Binance had blocked all withdrawals.

Slashdot Top Deals