Researchers Bypassed Windows Password Locks With Cortana Voice Commands ( 90

Two independent Israeli researchers found a way for an attacker to bypass the lock protection on Windows machines and install malware by using voice commands directed at Cortana, the multi-language, voice-commanded virtual assistant that comes embedded in Windows 10 desktop and mobile operating systems. From a report: Tal Be'ery and Amichai Shulman found that the always-listening Cortana agent responds to some voice commands even when computers are asleep and locked, allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer's browser and go to a web address that does not use https -- that is, a web address that does not encrypt traffic between a user's machine and the website. The attacker's malicious network adapter then intercepts the web session to send the computer to a malicious site instead, where malware downloads to the machine, all while the computer owner believes his or her machine is protected.

Facebook's VPN Service Onavo Protect Collects Personal Data -- Even When It's Switched Off ( 67

Security researcher Will Strafach took a look at Onavo Protect, a newly released VPN service from Facebook: I found that Onavo Protect uses a Packet Tunnel Provider app extension, which should consistently run for as long as the VPN is connected, in order to periodically send the following data to Facebook ( as the user goes about their day:
When user's mobile device screen is turned on and turned off.
Total daily Wi-Fi data usage in bytes (Even when VPN is turned off).
Total daily cellular data usage in bytes (Even when VPN is turned off).
Periodic beacon containing an "uptime" to indicate how long the VPN has been connected.

United States

US Calls Broadcom's Bid For Qualcomm a National Security Risk ( 91

An anonymous reader quotes a report from The New York Times (Warning: source may be paywalled; alternative source): The United States government said Broadcom's proposed acquisition of rival chipmaker Qualcomm could pose a national security risk and called for a full investigation into the hostile bid. The move complicates an already contentious deal and increases the likelihood that Broadcom, which is based in Singapore, will end its pursuit of Qualcomm. Such an investigation is often a death knell for a corporate acquisition. A government panel, the Committee on Foreign Investment in the United States, or Cfius, noted, in part, that the potential risk was related to Broadcom's relationships with foreign entities, according to a letter from a United States Treasury official. It also said that the deal could weaken "Qualcomm's technological leadership," giving an edge to Chinese companies like Huawei. "China would likely compete robustly to fill any void left by Qualcomm as a result of this hostile takeover," the official said in the letter. The letter and the public call for an investigation reflects a newly aggressive stance by Cfius. In most cases, the panel operates in secret and weighs in after a deal is announced. In this instance, Cfius, which is made up of representatives from multiple federal agencies, is taking a proactive role and investigating before an acquisition agreement has even been signed.

One Single Malicious Vehicle Can Block 'Smart' Street Intersections In the US ( 98

An anonymous reader shares a BleepingComputer report: Academics from the University of Michigan have shown that one single malicious car could trick US-based smart traffic control systems into believing an intersection is full and force the traffic control algorithm to alter its normal behavior, and indirectly cause traffic slowdowns and even block street intersections. The team's research focused on Connected Vehicle (CV) technology, which is currently being included in all cars manufactured across the globe. More precisely, it targets V2I (vehicle-to-infrastructure) protocols, and more precisely the I-SIG system implemented in the US.

The Michigan research team says the I-SIG system in its current default configuration is vulnerable to basic data spoofing attacks. Researchers say this is "due to a vulnerability at the signal control algorithm level," which they call "the last vehicle advantage." This means that the latest arriving vehicle can determine the traffic system's algorithm output. The research team says I-SIG doesn't come with protection from spoofing attacks, allowing one vehicle to send repeated messages to a traffic intersection, posing as the latest vehicle that arrived at the intersection. According to simulated traffic models, the Michigan team says that around a fifth of all cars that entered a test intersection took seven minutes to traverse the traffic junction that would have normally taken only half a minute. Researchers don't believe this bug could be exploited for actual gains in the real world, but the bugs' existence shows the protocol is poorly coded, even four years after first being proved unsecured.


Mysterious $15,000 'GrayKey' Promises To Unlock iPhone X For The Feds ( 106

Thomas Fox-Brewster, reporting for Forbes: Just a week after Forbes reported on the claim of Israeli U.S. government manufacturer Cellebrite that it could unlock the latest Apple iPhone models, another service has emerged promising much the same. Except this time it comes from an unkown entity, an obscure American startup named Grayshift, which appears to be run by long-time U.S. intelligence agency contractors and an ex-Apple security engineer. In recent weeks, its marketing materials have been disseminated around private online police and forensics groups, offering a $15,000 iPhone unlock tool named GrayKey, which permits 300 uses. That's for the online mode that requires constant connectivity at the customer end, whilst an offline version costs $30,000. The latter comes with unlimited uses. Another ad showed Grayshift claiming to be able to unlock iPhones running iOS 10 and 11, with iOS 9 support coming soon. It also claims to work on the latest Apple hardware, up to the iPhone 8 and X models released just last year. In a post from one private Google group, handed to Forbes by a source who asked to remain anonymous, the writer indicated they'd been demoed the technology and that it had opened an iPhone X.

China's Xiaomi Confirms It Will Enter US Smartphone Market By the End of This Year or Early Next Year ( 61

Sensing an opening, Chinese smartphone maker Xiaomi says it plans to enter the U.S. smartphone market in late 2018 or 2019. From a report: The news comes just several weeks after rival Huawei, which appeared to have a head start, had its hopes dashed when a partnership with AT&T was scuttled. While both companies said the parting was mutual, the decision came after intense political blowback from U.S. politicians who worried that Huawei's technology poses security risks for U.S. businesses and customers. Today, the Wall Street Journal reported that Xiaomi chair Lei Jun told one of its reporters: "We've always been considering entering the U.S. market. We plan to start entering the market by end 2018, or by early 2019." In general, while Chinese tech companies have become massive primarily by succeeding on their home turf, they are facing challenges in exporting that success to Western markets.

Thieves Steal 600 Powerful Bitcoin-Mining Computers In Iceland ( 88

The Associated Press reports of a Bitcoin heist in Iceland where thieves stole some 600 computers used to "mine" bitcoin and other virtual currencies. "Some 11 people were arrested, including a security guard, in what Icelandic media have dubbed the 'Big Bitcoin Heist,'" reports the Associated Press. From the report: The powerful computers, which have not yet been found, are worth almost $2 million. But if the stolen equipment is used for its original purpose -- to create new bitcoins -- the thieves could turn a massive profit in an untraceable currency without ever selling the items. Three of four burglaries took place in December and a fourth took place in January, but authorities did not make the news public earlier in hopes of tracking down the thieves. Police tracking the stolen computers are monitoring electric consumption across the country in hopes the thieves will show their hand, according to an industry source who spoke on condition of anonymity because he is not allowed to speak to the media. Unusually high energy usage might reveal the whereabouts of the illegal bitcoin mine. Authorities this week called on local internet providers, electricians and storage space units to report any unusual requests for power.

New LTE Attacks Can Snoop On Messages, Track Locations, and Spoof Emergency Alerts ( 28

An anonymous reader quotes a report from ZDNet: A slew of newly discovered vulnerabilities can wreak havoc on 4G LTE network users by eavesdropping on phone calls and text messages, knocking devices offline, and even spoofing emergency alerts. Ten attacks detailed in a new paper by researchers at Purdue University and the University of Iowa expose weaknesses in three critical protocol operations of the cellular network, such as securely attaching a device to the network and maintaining a connection to receive calls and messages. Those flaws can allow authentication relay attacks that can allow an adversary to connect to a 4G LTE network by impersonating an existing user -- such as a phone number. Although authentication relay attacks aren't new, this latest research shows that they can be used to intercept message, track a user's location, and stop a phone from connecting to the network. By using common software-defined radio devices and open source 4G LTE protocol software, anyone can build the tool to carry out attacks for as little as $1,300 to $3,900, making the cost low enough for most adversaries. The researchers aren't releasing the proof-of-concept code until the flaws are fixed, however.

GitHub Survived the Biggest DDoS Attack Ever Recorded ( 144

A 1.35 terabit-per-second DDoS attack hit GitHub all at once last Wednesday. "It was the most powerful distributed denial of service attack recorded to date -- and it used an increasingly popular DDoS method, no botnet required," reports Wired. From the report: GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off. "We modeled our capacity based on fives times the biggest attack that the internet has ever seen," Josh Shaul, vice president of web security at Akamai told WIRED hours after the GitHub attack ended. "So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It's one thing to have the confidence. It's another thing to see it actually play out how you'd hope."

Akamai defended against the attack in a number of ways. In addition to Prolexic's general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren't meant to be exposed on the public internet; anyone can query them, and they'll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply.


23,000 HTTPS Certs Axed After CEO Emails Private Keys ( 72

An anonymous reader quotes Ars Technica: A major dust-up on an Internet discussion forum is touching off troubling questions about the security of some browser-trusted HTTPS certificates when it revealed the CEO of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates. The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec...

In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec-issued certificates Trustico had resold should be mass revoked because of security concerns. When Jeremy Rowley, an executive vice president at DigiCert, asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates, according to an account posted to a Mozilla security policy forum. The report produced a collective gasp among many security practitioners who said it demonstrated a shockingly cavalier treatment of the digital certificates that form one of the most basic foundations of website security... In a statement, Trustico officials said the keys were recovered from "cold storage," a term that typically refers to offline storage systems. "Trustico allows customers to generate a Certificate Signing Request and Private Key during the ordering process," the statement read. "These Private Keys are stored in cold storage, for the purpose of revocation."

"There's no indication the email was encrypted," reports Ars Technica, and the next day DigiCert sent emails to Trustico's 23,000+ customers warning that their certificates were being revoked, according to Bleeping Computer.

In a related development, Thursday Trustico's web site went offline, "shortly after a website security expert disclosed a critical vulnerability on Twitter that appeared to make it possible for outsiders to run malicious code on Trustico servers."

Equifax Identifies Additional 2.4 Million Customers Hit By Data Breach ( 15

Credit score giant Equifax said on Thursday it had identified another 2.4 million U.S. consumers whose names and driver's license information were stolen in a data breach last year that affected half the U.S. population. From a report: The company said it was able confirm the identities of U.S. consumers whose driver's license information was taken by referencing other information in proprietary company records that the attackers did not steal. "Equifax will notify these newly identified U.S. consumers directly, and will offer identity theft protection and credit file monitoring services at no cost to them," the company said.

Germany Says Government Network Was Breached ( 30

An anonymous reader shares a report from The Wall Street Journal (Warning: source may be paywalled; alternative source): German authorities said on Wednesday they were investigating a security breach of the government's highly protected computer network. The country's intelligence agencies were examining attacks on more than one government ministry, the interior ministry said, adding that the affected departments had been informed and that the attack had been isolated and brought under control. Earlier on Wednesday, the German news agency DPA reported that German security services had discovered a breach of the government's IT network in December and traced it back to state-sponsored Russian hackers. German companies have been the target of sustained attacks by state-sponsored hackers, mainly believed to be Chinese. In 2015, the Bundestag, parliament's lower house, suffered a extensive breach, leading to the theft of several gigabytes of data by what German security officials believe were Russian cyberthieves. Hackers believed to be part of the Russia-linked APT28 group sought to infiltrate the computer systems of several German political parties in 2016, Germany's domestic intelligence agency said in 2016.

US Response 'Hasn't Changed The Calculus' Of Russian Interference, NSA Chief Says ( 126

An anonymous reader shares an NPR report: The admiral in charge of both the nation's top electronic spying agency and the Pentagon's cybersecurity operations would seem a logical point man for countering Russia's digital intrusions in U.S. election campaigns. But National Security Agency and U.S. Cyber Command chief Adm. Michael Rogers told the Senate Armed Services Committee on Tuesday there is only so much he can do. That is because, according to Rogers, President Trump has not ordered him to go after the Russian attacks at their origin. Sen. Jack Reed of Rhode Island, the committee's ranking Democrat, asked Rogers, "Have you been directed to do so, given this strategic threat that faces the United States and the significant consequences you recognize already?" "No, I have not," Rogers replied. But the spy chief pushed back on suggestions that he should seek a presidential signoff. "I am not going to tell the president what he should or should not do," Rogers said when Connecticut Democrat Richard Blumenthal pressed him on whether Trump should approve that authority.

"I'm an operational commander, not a policymaker," he added. "That's the challenge for me as a military commander." Rogers agreed with Blumenthal's estimation that Russian cyber operatives continue to attack the U.S. with impunity and that Washington's response has fallen short. "It hasn't changed the calculus, is my sense," the spy chief told Blumenthal. "It certainly hasn't generated the change in behavior that I think we all know we need."


End of Flash? Its Usage Among Chrome Users Has Declined From 80% in 2014 to Under 8% as of Early 2018 ( 114

An anonymous reader writes: The percentage of daily Chrome users who've loaded at least one page containing Flash content per day has gone down from around 80% in 2014 to under 8% in early 2018. These statistics on Flash's declining numbers were shared with the public by Parisa Tabriz, Director of Engineering at Google, one of the Google bigwigs in charge of Chrome's security. Google plans to ship Flash disabled-by-default with Chrome 76 (July 2019) and remove it completely in Chrome 87 (December 2020).

Amazon Buys Smart Doorbell Maker Ring For a Reported $1 Billion ( 90

hyperclocker shares a report from CNBC: Amazon is buying smart doorbell maker Ring, a deal that will allow the company to expand its home security and in-house delivery services. In an email statement to CNBC, Ring's spokesperson confirmed the deal, saying: "We'll be able to achieve even more by partnering with an inventive, customer-centric company like Amazon. We look forward to being a part of the Amazon team as we work toward our vision for safer neighborhoods." Amazon is expected to keep Ring as an independent business, much like it has with its other acquisitions, like Zappos and Twitch, according to GeekWire, which earlier reported details of the deal. Financial details of the move were not disclosed, but Reuters reported it could be worth more than $1 billion, making it one of the largest acquisitions in Amazon's history.

Bill Gates: Cryptocurrency Is 'Rare Technology That Has Caused Deaths In a Fairly Direct Way' ( 161

An anonymous reader quotes a report from CNBC: During a recent "Ask Me Anything" session on Reddit, the Microsoft co-founder said that the main feature of cryptocurrencies is the anonymity they provide to buyers, and Gates thinks that can actually be harmful. "The government's ability to find money laundering and tax evasion and terrorist funding is a good thing," he wrote. "Right now, cryptocurrencies are used for buying fentanyl and other drugs, so it is a rare technology that has caused deaths in a fairly direct way." When a Reddit user pointed out that plain cash can also be used for illicit activities, Gates said that crypto stands out because it can be easier to use. "Yes -- anonymous cash is used for these kinds of things, but you have to be physically present to transfer it, which makes things like kidnapping payments more difficult," he wrote. Gates also warned that the wave of speculation surrounding cryptocurrencies is "super risky for those who go long."

Microsoft Updates Guideline on Windows Driver Security ( 17

An anonymous reader shares a report: Microsoft has released an updated guide on driver security. This new guide offers advice that developers could use to ensure Windows drivers are secured against basic attacks and preventable flaws. The new guide -- also available as a one-document PDF -- is authored by Microsoft's Don Marshall and comes to replace an older help page. [...] While the driver security checklist is a must-read for any software developer and not just driver authors, the guide on assessing "threat modeling for drivers" is also something that software engineers should take a peek at.

Chrome OS Could Be Getting Containers for Running Linux VMs ( 57

Chromebook users may soon have a simpler way to run their favorite Linux distribution and applications on Google's Chrome OS hardware. From a report: As spotted by Chrome Unboxed, there's a newly merged commit in Chromium Gerrit describing a "new device policy to allow Linux VMs on Chrome OS." A related entry suggests support could come with Chrome OS version 66, which is due out in stable release around April 24, meaning Google might announce it at its annual IO developer conference, which starts on May 8. Developers can already use a tool called Crouton to install and run Linux on Chrome OS, but there is a security trade-off because Chrome OS needs to be switched to developer mode to use it. There's also a Crouton extension called Xiwi to enable using an OS in a browser window on Chrome OS. However, it too requires developer mode to be enabled. A recent commit suggests Chrome developers are working on a project called Crostini that may solve the developer mode problem by allowing Linux VMs to run inside a container.
Operating Systems

Apple To Suspend iTunes Store Support For 'Obsolete' First-Gen Apple TV ( 123

The original Apple TV, first introduced in 2007, will no longer be able to connect to the iTunes Store due to new security changes to be implemented by Apple. The news comes from a support document, which also mentions that PCs running Windows XP or Windows Vista will lose access to the most recent version of iTunes. Ars Technica reports: According to the document, the "obsolete" original Apple TV won't be updated in the future to support access to the iTunes Store. After May 25, users will only be able to access iTunes on second-generation Apple TVs and newer streaming devices. The same security changes affecting the first-gen Apple TV will also affect Windows XP and Vista machines. Users on such devices can still run previous versions of iTunes, so they should still be able to play their music library without problems. However, affected users won't be able to make new iTunes purchases or re-download previous purchases. Only machines running Windows 7 or later after May 25 will have full access to iTunes, including the ability to make new purchases and re-download older purchases.

Slashdot Top Deals