
    Twitter hackers used “phone spear phishing” in mass account takeover / ArsTechnica · Friday, 31 July - 03:31


Image credit: Tom Raftery

The hackers behind this month’s epic Twitter breach targeted a small number of employees through a “phone spear phishing attack,” the social media site said on Thursday night. When the pilfered employee credentials failed to give access to account support tools, the hackers targeted additional workers who had the permissions needed to access the tools.

“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter officials wrote in a post. “This was a striking reminder of how important each person on our team is in protecting our service. We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe.”

Thursday's update said that the hackers downloaded personal data from seven of the accounts, but didn't say which ones.



    Vulnerability found in GRUB2 bootloader, nicknamed ‘BootHole’, compromising Secure Boot / GamingOnLinux · Wednesday, 29 July - 21:09 · 1 minute

Users of the popular bootloader may want to update their systems in order to mitigate the danger of this new exploit.

It’s been revealed that a series of bugs in GRUB2 compromises the chain of trust in a Secure Boot-enabled system. You can read about the full scope of the exploit here, but the short of it is that arbitrary code can be executed by an attacker on virtually any system running GRUB2 and using Secure Boot. The attack allows modification of GRUB2’s configuration file and allows for privilege escalation, which could potentially mean that intrusions go undetected by the booted operating system.

Now, most of the risk comes from an attacker already having some level of privileges but this is still something that should give system administrators some pause. And while Windows systems are theoretically vulnerable as well, it’s far likelier that systems affected in the wild will be running Linux.

Researchers from Eclypsium were responsible for identifying this vulnerability and have responsibly disclosed the bug to maintainers and the wider ecosystem. Expect package updates in your distro sometime soon. Even then, updates aren’t a complete solution, as the keys that Secure Boot relies upon also have to be updated and older ones blacklisted. The Debian project has a good overview of what should be done, and I expect that other distributions will follow suit with their own advice on how to deal with this exploit.

GRUB2’s code has been audited since the initial disclosure, and a series of other bugs have also been found in the last few weeks. While many users will ultimately be unaffected by this exploit, it’s still a good reminder to keep your system up-to-date and keep an eye out for security advisories.


    Chinese-made drone app in Google Play spooks security researchers / ArsTechnica · Friday, 24 July - 11:51 · 1 minute

A DJI Phantom 4 quadcopter drone. (Image credit: Andri Koolme)

The Android version of DJI Go 4—an app that lets users control drones—has until recently been covertly collecting sensitive user data and can download and execute code of the developers’ choice, researchers said in two reports that question the security and trustworthiness of a program with more than 1 million Google Play downloads.

The app is used to control and collect near real-time video and flight data from drones made by China-based DJI, the world's biggest maker of commercial drones. The Play Store shows that it has more than 1 million downloads, but because of the way Google discloses numbers, the true number could be as high as 5 million. The app has a rating of three-and-a-half stars out of a possible total of five from more than 52,000 users.

Wide array of sensitive user data

Two weeks ago, security firm Synacktiv reverse-engineered the app. On Thursday, fellow security firm Grimm published the results of its own independent analysis. At a minimum, both found that the app skirted Google’s terms and that, until recently, the app covertly collected a wide array of sensitive user data and sent it to servers located in mainland China. A worst-case scenario is that the developers are abusing hard-to-identify features to spy on users.



    Musk, Obama, Biden, Bezos, Gates—bitcoin scam hits Twitter in coordinated blitz / ArsTechnica · Wednesday, 15 July - 22:27

Cartoon image of Twitter-logo birds flying out of an empty wallet. (Image credit: Aurich Lawson / Getty Images)

Twitter accounts of the rich and famous—including Elon Musk, Bill Gates, Jeff Bezos, and Joe Biden—were simultaneously hijacked on Wednesday and used to push cryptocurrency scams.

“I’m giving back to all my followers,” one now-deleted tweet from Musk’s account said. “I am doubling all payments sent to the Bitcoin address below. You send 0.1 BTC, I send 0.2 BTC back!” A tweet from the Bezos account said the same thing. “Everyone is asking me to give back, and now is the time,” a Gates tweet said. “I am doubling all payments sent to my BTC address for the next 30 minutes. You send $1,000, I send you back $2,000.”

At the time this post went live, Musk’s account continued to pump out fraudulent tweets, despite the mass account hijackings being two hours old. What’s more, a screenshot tweeted by a security researcher showed that the attackers had changed the associated email addresses of some of the hijacked accounts.



    Hong Kong downloads of Signal surge as residents fear crackdown / ArsTechnica · Wednesday, 8 July - 16:20 · 1 minute


Image credit: d3sign / Getty

The secure chat app Signal has become the most downloaded app in Hong Kong on both Apple's and Google's app stores, Bloomberg reports, citing data from App Annie. The surging interest in encrypted messaging comes days after the Chinese government in Beijing passed a new national security law that reduced Hong Kong's autonomy and could undermine its traditionally strong protections for civil liberties.

The 1997 handover of Hong Kong from the United Kingdom to China came with a promise that China would respect Hong Kong's autonomy for 50 years following the handover. Under the terms of that deal, Hong Kong residents should have continued to enjoy greater freedom than people on the mainland until 2047. But recently, the mainland government has appeared to renege on that deal.

Civil liberties advocates see the national security law approved last week as a major blow to freedom in Hong Kong. The New York Times reports that "the four major offenses in the law—separatism, subversion, terrorism and collusion with foreign countries—are ambiguously worded and give the authorities extensive power to target activists who criticize the party, activists say." Until now, Hong Kongers faced trial in the city's separate, independent judiciary. The new law opens the door for dissidents to be tried in mainland courts with less respect for civil liberties or due process.



    Microsoft is adding Linux, Android, and firmware protections to Windows / ArsTechnica · Tuesday, 23 June - 20:26

Screenshot of antivirus protection. (Image credit: okubax)

Microsoft is moving forward with its promise to extend enterprise security protections to non-Windows platforms with the general release of a Linux version and a preview of one for Android. The software maker is also beefing up Windows security protections to scan for malicious firmware.

The Linux and Android moves, detailed in three posts published on Tuesday, follow a move last year to ship antivirus protections to macOS. Microsoft disclosed the firmware feature last week.

Premium pricing

All the new protections are available to users of Microsoft Advanced Threat Protection and require Windows 10 Enterprise Edition. Public pricing from Microsoft is either non-existent or difficult to find, but according to this site , costs range from $30 to $72 per machine per year to enterprise customers.



    Intel will soon bake anti-malware defenses directly into its CPUs / ArsTechnica · Monday, 15 June - 13:00 · 1 minute

A mobile PC processor code-named Tiger Lake. It will be the first CPU to offer a security capability known as Control-Flow Enforcement Technology. (Image credit: Intel)

The history of hacking has largely been a back-and-forth game, with attackers devising a technique to breach a system, defenders constructing a countermeasure that prevents the technique, and hackers devising a new way to bypass system security. On Monday, Intel is announcing its plans to bake a new parry directly into its CPUs that’s designed to thwart software exploits that execute malicious code on vulnerable computers.

Control-Flow Enforcement Technology, or CET, represents a fundamental change in the way processors execute instructions from applications such as Web browsers, email clients, or PDF readers. Jointly developed by Intel and Microsoft, CET is designed to thwart a technique known as return-oriented programming, which hackers use to bypass anti-exploit measures software developers introduced about a decade ago. While Intel first published its implementation of CET in 2016, the company on Monday is saying that its Tiger Lake CPU microarchitecture will be the first to include it.

ROP, as return-oriented programming is usually called, was software exploiters’ response to protections such as Executable Space Protection and address space layout randomization, which made their way into Windows, macOS, and Linux a little less than two decades ago. These defenses were designed to significantly lessen the damage software exploits could inflict by introducing changes to system memory that prevented the execution of malicious code. Even when successfully targeting a buffer overflow or other vulnerability, the exploit resulted only in a system or application crash, rather than a fatal system compromise.



    Researchers say online voting tech used in 5 states is fatally flawed / ArsTechnica · Wednesday, 10 June - 18:07 · 1 minute

Voting machines are shown at a polling location on June 9, 2020 in West Columbia, South Carolina. (Image credit: Sean Rayford/Getty Images)

OmniBallot is election software that is used by dozens of jurisdictions in the United States. In addition to delivering ballots and helping voters mark them, it includes an option for online voting. At least three states—West Virginia, Delaware, and New Jersey—have used the technology or are planning to do so in an upcoming election. Four local jurisdictions in Oregon and Washington state use the online voting feature as well. But new research from a pair of computer scientists, MIT's Michael Specter and the University of Michigan's Alex Halderman, finds that the software has inadequate security protections, creating a serious risk to election integrity.

Democracy Live, the company behind OmniBallot, defended its software in an email response to Ars Technica. "The report did not find any technical vulnerabilities in OmniBallot," wrote Democracy Live CEO Bryan Finney.

This is true in a sense: the researchers didn't find any major bugs in the OmniBallot code. But it also misses the point of their analysis. The security of software depends not only on the software itself but also on the security of the environment in which the system runs. For example, it's impossible to keep voting software secure if it runs on a computer infected with malware. And millions of PCs in the United States are infected with malware.
