Virus shuts down factories of major iPhone component manufacturer TSMC

Apple touts the cybersecurity of its iPhone, but less can be said for the exclusive manufacturer who makes the processor for the iPhone. Semiconductor foundry TSMC, or Taiwan Semiconductor Manufacturing Company, was hit by a virus late Friday night, which forced it to shut down several factories according to Debbie Wu at Bloomberg. The virus and the shutdown were confirmed by TSMC representatives. It is not clear at this time which factories were hit, or whether those factories were producing the iPhone’s main processor. Apple is expected to unveil new iPhones this fall, and supply chain disruptions in the critical month of August could have significant adverse consequences for the rapid availability of the new phone before the key Christmas holiday. TSMC has grown to become the largest independent semiconductor foundry in the world, with profits last year of $11.6 billion. The company has benefitted from partnerships with

Facebook launches a digital literacy library aimed at educators

Facebook this morning announced the launch of a new set of educational resources focused on helping young people think critically and behave thoughtfully online. The Digital Literacy Library, as the new site is being called, is aimed at educators of children aged 11 to 18, and addresses topics like privacy, reputation, identity exploration, security, safety, wellbeing and more. There are 830 million young people online, the company notes, which is why digital literacy is necessary. We’ve seen the results of what can happen when people are lacking in digital literacy – they’re susceptible to believing hoaxes, propaganda and fake news are true; they risk their personal data by using insecure apps; they become addicted to social media and its feedback loop of likes; they bully and/or are bullied; and they don’t take steps to protect their online reputation which can have real-world consequences, to name a few things. However,

Reddit breach exposes non-critical user data

Reddit announced today that it suffered a security breach in June that exposed some of its internal systems to the attackers, although what was accessed was not particularly sensitive. Notably the hack was accomplished by circumventing the two-factor authentication Reddit had in place via SMS interception — which should be a wake-up call to any who haven’t moved on from that method. A post by Reddit CTO Chris Slowe (as KeyserSosa, naturally) explained that they discovered the hack on June 19, and estimated it to have taken place between June 14 and 18. The attack “compromised a few of our employees’ accounts with our cloud and source code hosting providers,” he wrote, gaining “read-only access to some systems that contained backup data, source code and other logs.” Said access was gated behind two-factor authentication systems, but unfortunately they were of the type that occasionally or optionally allow SMS to

What can we learn from the Dixons data breach that blew up after disclosure

European consumer electronics retailer Dixons Carphone’s apologetic admission yesterday that a 2017 data breach was in fact considerably worse than it first reported suggests disclosures of major breaches could get a bit more messy — at least under the early reign of the region’s tough new data protection framework, GDPR — as organizations scramble to comply with requirements to communicate serious breaches “without undue delay”. Although, to be clear, it’s not the regulation that’s the problem. Dixons’ handling of this particular security incident has come in for sharp criticism — and is most certainly not a textbook example of how to proceed. Dixons Carphone disclosed a breach of 5.9M payment cards and 1.2M customer records in mid June, saying it had discovered the unauthorized access to its systems during a security review. However this week the company revised upwards the number of customer records affected — to

DHS launches a new cyber hub to coordinate against threats to US infrastructure

Among the many things the current administration has been criticized for is its lack of a unified strategy to combat cyber threats, especially in light of ongoing election interference and psy ops perpetrated by Russia. The Department of Homeland Security is advancing the ball with the creation of the National Risk Management Center, intended to protect critical infrastructure from attacks and subversion by online adversaries. The NRMC was announced today at a cyber summit in New York held by the agency, where DHS Secretary Kirstjen Nielsen explained the purpose and justification for this new entity. Remarkably, she directly contradicted the ongoing soft-pedaling by the Executive of Russian operations targeting the country. “Let me be clear: Our intelligence community had it right. It was the Russians. It was directed from the highest levels. And we cannot and will not allow it to happen again,” she said.

DHS Secretary Nielsen in 2017.


Dixons Carphone now says ~8.8M more customers affected by 2017 breach

A Dixons Carphone data breach that was disclosed earlier this summer was worse than initially reported. The company is now saying that personal data of 10 million customers could also have been accessed when its systems were hacked. The European electronics and telecoms retailer believes its systems were accessed by unknown and unauthorized person/s in 2017, although it only disclosed the breach in June, after discovering it during a review of its security systems. Last month it said 5.9M payment cards and 1.2M customer records had been accessed. But with its investigation into the breach “nearing completion”, it now says approximately 10M records containing personal data (but no financial information) may have been accessed last year — in addition to the 5.9M compromised payment cards it disclosed last month. “While there is now evidence that some of this data may have left our systems, these records do

Chinese “hackers” are sending malware via snail mail

In what amounts to one of the simplest but most baffling forms of social engineering, hackers from China have taken to sending CDs full of malware to state officials, leading the Multi-State Information Sharing and Analysis Center, a government security outfit, to release a warning detailing the scam. The trick is simple: a package arrives with a Chinese postmark containing a rambling message and a small CD. The CD, in turn, contains a set of Word files that include script-based malware. These scripts run when the victims access them on their computers, presumably resulting in compromised systems. “The MS-ISAC said preliminary analysis of the CDs indicate they contain Mandarin language Microsoft Word (.doc) files, some of which include malicious Visual Basic scripts,” wrote security researcher Brian Krebs. “So far, State Archives, State Historical Societies, and a State Department of Cultural Affairs have all received letters addressed specifically to

How I made my own WireGuard VPN server

Some of you may have heard about VPN protocols that let you establish a connection between your device and a server, such as OpenVPN and IPsec. But there’s a brand new shiny protocol that promises to be faster and more secure at the same time — WireGuard. But WTF is a VPN anyway? A VPN is a virtual private network between a device in front of you and a server in a data center. If you want to hide your internet traffic from other people on your local network, you can create a tunnel between your device and a server. All your network traffic will go through this connection, and traffic is usually encrypted from one end to the other. It means that your overzealous IT department or the Great Firewall of China can’t block any service. And yet, it also means that the person who operates the server can

Idaho inmates hacked prison-issued tablets for $225,000 in credits

Inmates in Idaho successfully hacked the software of the prison-issued tablets to issue themselves nearly a quarter of a million dollars in credits on the devices that are often one of their only connections to the outside world. The tablets, made by prominent prison vendor JPay, give inmates the ability to use email, listen to music and transfer money, among other basic computing functions but charge fees for some services. The Associated Press reports that Idaho prison officials discovered 364 inmates leveraging a software vulnerability to increase their JPay account balances. In Idaho, the devices are the result of a partnership between JPay and CenturyLink. The latter company confirmed the software vulnerability but declined to offer further details beyond stating that it had since been resolved. Of the 364 inmates exploiting JPay, 50 inmates were able to issue themselves credits for more than $1,000. One inmate was able to

Russian hackers already targeted a Missouri senator up for reelection in 2018

A Democratic senator seeking reelection this fall appears to be the first identifiable target of Russian hacking in the 2018 midterm race. In a new story on the Daily Beast, Andrew Desiderio and Kevin Poulsen reported that Democratic Missouri Senator Claire McCaskill was targeted in a campaign-related phishing attack. That clears up one unspecified target from last week’s statement by Microsoft’s Tom Burt that three midterm election candidates had been targeted by Russian phishing campaigns. The report cites its own forensic research in determining the attacker is likely Fancy Bear, a hacking group believed to be affiliated with Russian military intelligence. “We did discover that a fake Microsoft domain had been established as the landing page for phishing attacks, and we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for elections in the midterm elections,” Burt said during the Aspen

Congress members demand answers from Amazon about facial recognition software

When we called the ACLU’s Amazon Rekognition press release an “attention-grabbing stunt” when we wrote about it earlier today, well, consider that attention grabbed. Several Democratic members of Congress have responded with a strongly worded letter to founder Jeff Bezos.

Reps. Jimmy Gomez and John Lewis issued a letter to Bezos, after the ACLU noted that the facial recognition software falsely associated 28 images of Congress members with mugshots in a criminal database. Lewis, a pivotal figure in America’s civil rights movement, was among those falsely matched in the ACLU’s testing — particularly notable as the testing appeared to have a particular bias against people of color.

“The results of the ACLU’s test of Amazon’s ‘Rekognition’ software are deeply troubling,” Lewis wrote in a statement. “As a society, we need technology to help resolve human problems, not to add to the mountain of injustices presently facing people of color


Virtru teams up with Google to bring its end-to-end encryption service to Google Drive

Virtru, which is best known for its email encryption service for both enterprises and consumers, is announcing a partnership with Google today that will bring the company’s encryption technology to Google Drive. Only a few years ago, the company was still bolting its solution on top of Gmail without Google’s blessing, but these days, Google is fully on board with Virtru’s plans. Its new Data Protection for Google Drive extends its service for Gmail to Google’s online file storage service. It ensures that files are encrypted before upload, which ensures the files remain protected, even when they are shared outside of an organization. The customer remains in full control of the encryption keys, so Google, too, has no access to these files, and admins can set and manage access policies by document, folder and team drive. Virtru’s service uses the Trusted Data Format, an open standard the company’s

Google takes on Yubico and builds its own hardware security keys

Google today announced it is launching its own hardware security keys for two-factor authentication. These so-called Titan Security Keys will go up against similar keys from companies like Yubico, which Google has long championed as the de facto standard for hardware-based two-factor authentication for Gmail and other services. The FIDO-compatible Titan keys will come in two versions. One with Bluetooth support for mobile devices and one that plugs directly into your computer’s USB port. In terms of looks and functionality, those keys look quite a lot like the existing keys from Yubico, though our understanding is that these are Google’s own designs. Unsurprisingly, the folks over at Yubico got wind of today’s announcement ahead of time and have already posted a reaction to today’s news (and the company is exhibiting at Google Cloud Next, too, which may be a bit awkward after today’s announcement). “Yubico strongly believes there are security

Google Cloud introduces shielded VMs for additional security

While we might like to think all of our applications are equal in our eyes, in reality some are more important than others and require an additional level of security. To meet those requirements, Google introduced shielded virtual machines at Google Next today. As Google describes it, “Shielded VMs leverage advanced platform security capabilities to help ensure your VMs have not been tampered with. With Shielded VMs, you can monitor and react to any changes in the VM baseline as well as its current runtime state.” These specialized VMs run on GCP and come with a set of partner security controls to defend against things like rootkits and bootkits, according to Google. There are a whole bunch of things that happen even before an application launches inside a VM, and each step in that process is vulnerable to attack. That’s because as the machine starts up, before you even

Google introduces ‘Context-aware’ access to supplement traditional logons

We know by now that usernames and passwords are a poor way of securing applications and online services, but they remain for the most part a key tool in the security arsenal. The trouble is that with all of the security breaches in recent years from Equifax to Anthem to Target (and many others), people’s credentials have been widely shared on the internet black market. Google wants to help fix that problem and today at Google Next, it announced Context-aware access, a new program that looks beyond your credentials to other factors to help determine if it’s really you or someone pretending to be you. Context-aware access lets administrators define a set of information that could help them more accurately ascertain the identity of the person trying to access your service. “Context-aware access allows organizations to define and enforce granular access to GCP APIs, resources, G Suite, and third-party SaaS

Facebook’s chief legal officer to leave this year

Facebook’s chief legal officer Colin Stretch has announced he’ll be out by the end of the year. In the inevitable Facebook post explaining why he’s moving on, Stretch writes that after he and his wife made a decision to move back to DC from California “a few years ago… we knew it would be difficult for me to remain in this role indefinitely”. “As Facebook embraces the broader responsibility Mark [Zuckerberg] has discussed in recent months, I’ve concluded that the company and the Legal team need sustained leadership in Menlo Park,” he adds, saying he’ll stay to the end of the year to help with the transition. Facebook has had a very awkward two years so far as politically charged scandals go. First revelations about the massive Kremlin-fueled election interference which it totally missed. Then the massive Cambridge Analytica data misuse debacle which Facebook also claims to have totally missed, even

Chrome rolls out for all users ‘not secure’ markers on unencrypted pages

Google officially announced version 68 of the Chrome browser today, formalizing its plans to fulfill its past pledge to mark all unencrypted (non-HTTPS) pages as “not secure.” This move comes nearly two years after Chrome announced its slow-burning plan to promote the use of secured (HTTPS) pages across the browser. In previous updates, the browser had already begun to mark critical HTTP pages — like those that collect bank and personal information — as “not secure.” But to move toward its goal of assumed security on its browser, Chrome announced today that it plans to begin removing the “Secure” marker on HTTPS sites this September and begin marking all unencrypted sites with a red “Not secure” marker this October. Previously, according to Chrome, the number of HTTP sites across the internet was too high to feasibly mark all of the encrypted sites in this way, but with the increase

How to Avoid ATM Fraud When You Travel

Travel inherently includes some security risks, because part of security is knowing how things are supposed to work, so you can recognize what’s sketchy. Go to a new city and you might fall for a taxi scam, get pickpocketed—or get your money stolen by an ATM skimmer. We talked to Daniel Smith, security researcher at…

Google makes it easier for G Suite admins to investigate security breaches

Google is announcing a fair number of updates to G Suite at its Next conference today, most of which focus on the user experience. In addition to those, though, the company also launched a new security investigation tool for admins that augments the existing tools for preventing and detecting potential security issues. The new tool builds on those and adds remediation features to the G Suite security center. “The overall goal of the security center in G Suite is to provide administrators with the visibility and control they need to prevent, detect and remediate security issues,” said David Thacker, Google’s VP of product management for G Suite. “Earlier this year, we launched the first major components of this security center that help admins prevent and detect issues.” Now with this third set of tools in line, G Suite admins can get a better understanding of the threats they are