Intel

Intel Says Newer Chips Also Hit by Unwanted Reboots After Patch (zdnet.com)

Intel says the unexpected reboots triggered by patching older chips affected by Meltdown and Spectre are happening to its newer chips, too. From a report: Intel confirmed in an update late Wednesday that not only are its older Broadwell and Haswell chips tripping up on the firmware patches, but newer CPUs through to the latest Kaby Lake chips are too. The firmware updates do protect Intel chips against potential Spectre attacks, but machines with Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake architecture processors are rebooting more frequently once the firmware has been updated, Intel said. Intel has also updated its original Meltdown-Spectre advisory with a new warning about the stability issues and recommends OEMs and cloud providers test its beta silicon microcode updates before final release. These beta releases, which mitigate the Spectre Variant 2 CVE-2017-5715 attack on CPU speculative execution, will be available next week.
Mozilla

Mozilla Restricts All New Firefox Features To HTTPS Only (bleepingcomputer.com) 230

An anonymous reader shares a report: In a groundbreaking statement earlier this week, Mozilla announced that all web-based features that will ship with Firefox in the future must be served on over a secure HTTPS connection (a "secure context"). "Effective immediately, all new features that are web-exposed are to be restricted to secure contexts," said Anne van Kesteren, a Mozilla engineer and author of several open web standards. This means that if Firefox will add support for a new standard/feature starting tomorrow, if that standard/feature carries out communications between the browser and an external server, those communications must be carried out via HTTPS or the standard/feature will not work in Firefox. The decision does not affect already existing standards/features, but Mozilla hopes all Firefox features "will be considered on a case-by-case basis," and will slowly move to secure contexts (HTTPS) exclusively in the future.
Japan

Days After Hawaii's False Missile Alarm, a New One in Japan (nytimes.com) 66

An anonymous reader shares a report: Japan's public broadcaster on Tuesday accidentally sent news alerts that North Korea had launched a missile and that citizens should take shelter -- just days after the government of Hawaii had sent a similar warning to its citizens. The broadcaster, NHK, corrected itself five minutes later and apologized for the error on its evening news (Editor's note: the link may be paywalled; alternative source). The initial texts cited J-Alert, a system used by the government to issue warnings to its citizens about missiles, tsunamis and other natural disasters. But NHK later said that the system was not to blame for the false alarm. Makoto Sasaki, a spokesman for NHK, apologized, saying that "staff had mistakenly operated the equipment to deliver news alerts over the internet."
Nintendo

Hackers Seem Close To Publicly Unlocking the Nintendo Switch (arstechnica.com) 87

Ars Technica reports that "hackers have been finding partial vulnerabilities in early versions of the [Nintendo] Switch firmware throughout 2017." They have discovered a Webkit flaw that allows for basic "user level" access to some portions of the underlying system and a service-level initialization flaw that gives hackers slightly more control over the Switch OS. "But the potential for running arbitary homebrew code on the Switch really started looking promising late last month, with a talk at the 34th Chaos Communication Congress (34C3) in Leipzig Germany," reports Ars. "In that talk, hackers Plutoo, Derrek, and Naehrwert outlined an intricate method for gaining kernel-level access and nearly full control of the Switch hardware." From the report: The full 45-minute talk is worth a watch for the technically inclined, it describes using the basic exploits discussed above as a wedge to dig deep into how the Switch works at the most basic level. At one point, the hackers sniff data coming through the Switch's memory bus to figure out the timing for an important security check. At another, they solder an FPGA onto the Switch's ARM chip and bit-bang their way to decoding the secret key that unlocks all of the Switch's encrypted system binaries. The team of Switch hackers even got an unexpected assist in its hacking efforts from chipmaker Nvidia. The "custom chip" inside the Switch is apparently so similar to an off-the-shelf Nvidia Tegra X1 that a $700 Jetson TX1 development kit let the hackers get significant insight into the Switch's innards. More than that, amid the thousand of pages of Nvidia's public documentation for the X1 is a section on how to "bypass the SMMU" (the System Memory Management Unit), which gave the hackers a viable method to copy and write a modified kernel to the Switch's system RAM. As Plutoo put it in the talk, "Nvidia backdoored themselves."
Security

Many Enterprise Mobile Devices Will Never Be Patched Against Meltdown, Spectre (betanews.com) 103

Mark Wilson shares a report from BetaNews: The Meltdown and Spectre bugs have been in the headlines for a couple of weeks now, but it seems the patches are not being installed on handsets. Analysis of more than 100,000 enterprise mobile devices shows that just a tiny percentage of them have been protected against the vulnerabilities -- and some simply may never be protected. Security firm Bridgeway found that just 4 percent of corporate phones and tablets in the UK have been patched against Spectre and Meltdown. Perhaps more worryingly, however, its research also found that nearly a quarter of enterprise mobile devices will never receive a patch because of their age. Organizations are advised to check for the availability of patches for their devices, and to install them as soon as possible. Older devices that will never be patched -- older than Marshmallow, for example -- should be replaced to ensure security, says Bridgeway.
Security

Researchers Uncover Android Malware With Never-Before-Seen Spying Capabilities (arstechnica.com) 102

An anonymous reader quotes a report from Ars Technica: According to a report published Tuesday by antivirus provider Kaspersky Lab, "Skygofree" is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares. With 48 different commands in its latest version, the malware has undergone continuous development since its creation in late 2014. It relies on five separate exploits to gain privileged root access that allows it to bypass key Android security measures. Skygofree is capable of taking pictures, capturing video, and seizing call records, text messages, gelocation data, calendar events, and business-related information stored in device memory. Skygofree also includes the ability to automatically record conversations and noise when an infected device enters a location specified by the person operating the malware. Another never-before-seen feature is the ability to steal WhatsApp messages by abusing the Android Accessibility Service that's designed to help users who have disabilities or who may temporarily be unable to fully interact with a device. A third new feature: the ability to connect infected devices to Wi-Fi networks controlled by attackers. Skygofree also includes other advanced features, including a reverse shell that gives malware operators better remote control of infected devices. The malware also comes with a variety of Windows components that provide among other things a reverse shell, a keylogger, and a mechanism for recording Skype conversations.
Bug

Now Meltdown Patches Are Making Industrial Control Systems Lurch (theregister.co.uk) 98

Patches for the Meltdown vulnerability are causing stability issues in industrial control systems. From a report: SCADA vendor Wonderware admitted that Redmond's Meltdown patch made its Historian product wobble. "Microsoft update KB4056896 (or parallel patches for other Operating System) causes instability for Wonderware Historian and the inability to access DA/OI Servers through the SMC," an advisory on Wonderware's support site explains. Rockwell Automation revealed that the same patch had caused issues with Studio 5000, FactoryTalk View SE, and RSLinx Classic (a widely used product in the manufacturing sector). "In fairness [this] may be RPC [Remote Procedure Call] change related," said cybersecurity vulnerability manager Kevin Beaumont.
Google

Google Starts Certificate Program To Fill Empty IT Jobs (axios.com) 215

An anonymous reader shares a report: There are 150,000 open IT jobs in the U.S., and Google wants to make it easier to fill them. Today the company is announcing a certificate program on the Coursera platform to help give people with no prior IT experience the basic skills they need to get an entry-level IT support job in 8 to 12 months. Why it matters: Entry-level IT jobs are are typically higher-paying than similar roles in other fields. But they're harder to fill because, while IT support roles don't require a college degree, they do require prior experience. The median annual wage for a computer network support specialist was $62,670 in May 2016 The median annual wage for a computer user support specialist was $52,160 in May 2016. The impetus: Natalie Van Kleef Conley, head recruiter of Google's tech support program, was having trouble finding IT support specialists so she helped spearhead the certificate program. It's also part of Google's initiative to help Americans get skills needed to get a new job in a changing economy, the company told us.
The Almighty Buck

Canadian Charged With Running LeakedSource.com, Selling Stolen Info (reuters.com) 27

A Canadian man accused of operating the LeakedSource.com website, a major repository of stolen online credentials, has been arrested and charged with trafficking in billions of stolen personal identity records, the Royal Canadian Mounted Police (RCMP) said on Monday. From a report: The site, which was shut down in early 2017, had collected details from a string of major breaches and made them accessible and searchable for a fee. The man, 27-year-old Jordan Evan Bloom, is due to appear in a Toronto court on Monday to hear charges that as administrator of the site he collected some C$247,000 from the sale of stolen records and associated passwords.
Network

Lenovo Discovers and Removes Backdoor In Networking Switches (bleepingcomputer.com) 42

An anonymous reader writes: Lenovo engineers have discovered a backdoor in the firmware of RackSwitch and BladeCenter networking switches. The company released firmware updates last week. The Chinese company said it found the backdoor after an internal security audit of firmware for products added to its portfolio following the acquisitions of other companies. Lenovo says the backdoor affects only RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System).

The backdoor was added to ENOS in 2004 when ENOS was maintained by Nortel's Blade Server Switch Business Unit (BSSBU). Lenovo claims Nortel appears to have authorized the addition of the backdoor "at the request of a BSSBU OEM customer." In a security advisory regarding this issue, Lenovo refers to the backdoor under the name of "HP backdoor." The backdoor code appears to have remained in the firmware even after Nortel spun BSSBU off in 2006 as BLADE Network Technologies (BNT). The backdoor also remained in the code even after IBM acquired BNT in 2010. Lenovo bought IBM's BNT portfolio in 2014.

Privacy

India To Add Facial Authentication For Its Aadhaar Card Security (reuters.com) 20

India will build facial recognition into its national identity card in addition to fingerprints after a series of breaches in the world's biggest biometric identification programme, the government said on Monday. From a report: A local newspaper reported this month that access to the "Aadhaar" database which has identity details of more than 1 billion citizens was being sold for just $8 on social media. The Unique Identification Authority of India (UIDAI), which issues the identity cards, said it would add face recognition software as an additional layer of security from July. Card holders will be required to match their photographs with that stored in the data base for authentication in addition to fingerprints and iris scans, the agency said in a statement.
Communications

The Tech Failings of Hawaii's Missile Alert 231

Over the weekend, Hawaii incorrectly warned citizens of a missile attack via their phones. According to The Washington Post, the error was a result of a staffer picking the wrong option -- missile alert instead of test missile alert -- from a drop down software menu. Hawaiian officials say they have already changed protocols to avoid a repeat of the scenario. The report goes on to add: Part of what worsened the situation Saturday was that there was no system in place at the state emergency agency for correcting the error, HEMA (Hawaii Emergency Management Agency) spokesman Richard Rapoza said. The state agency had standing permission through FEMA to use civil warning systems to send out the missile alert -- but not to send out a subsequent false alarm alert, he said. Though the Hawaii Emergency Management Agency posted a follow-up tweet at 8:20 a.m. saying there was "NO missile threat," it wouldn't be until 8:45 a.m. that a subsequent cellphone alert was sent telling people to stand down. Motherboard notes that new regulations require telecom companies to offer a testing system for local and state alert originators, but because of lobbying by Verizon and CTIA, this specific regulation does not go into effect until March 2019.

In a piece, The Atlantic argues that the 90-character messages sent by the system aren't suited to the way we use our devices.
Virtualization

VMware Bug Allowed Root Access (arstechnica.com) 32

c4231 quotes Ars Technica: While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell's EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools -- EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection -- could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server's file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.
Cellphones

Text Message Scammer Gets Five Years in Prison (reuters.com) 69

36-year-old Fraser Thompson is going to prison, according to Reuters, after receiving a five-year sentence for "defrauding" cellphone customers out of millions of dollars. An anonymous reader quotes Reuters: Prosecutors said Thompson engaged in a scheme to sign up hundreds of thousands of cellphone customers for paid text messaging services without their consent. The customers were subsequently forced to pay more than $100 million for unsolicited text messages that included trivia, horoscopes and celebrity gossip, according to the prosecutors. They said the scheme was headed by Darcy Wedd, Mobile Messenger's former chief executive, who was found guilty by a jury in December but has not yet been sentenced. "They ripped off everyday cellphone users, $10 a month, netting over $100 million in illegal profits, of which Thompson personally received over $1.5 million," Manhattan U.S. Attorney Geoffrey S. Berman said in a statement.
Thompson was ordered to forfeit $1.5 million in "fraud proceeds," according to the article, and was convicted of conspiracy, wire fraud, identity theft and money laundering.

Seven other people also pleaded guilty to participating in the scam -- and one has already been sentenced to 33 months in prison.
Businesses

Following Other Credit Cards, Visa Will Also Stop Requiring Signatures (siliconbeat.com) 170

An anonymous reader quotes SiliconBeat: Visa, the largest U.S. credit card issuer, became the last of the major credit card companies to announce its plan to make signatures optional... Visa joined American Express, Discover, and Mastercard in the phase-out. Mastercard was the first one to announce the move in October, and American Express and Discover followed suit in December... However, this change does not apply to every credit card in circulation; older credit cards without EMV chips will still require signatures for authentication... Since 2011, Visa has deployed more than 460 million EMV chip cards and EMV chip-enabled readers at more than 2.5 million locations.
"Businesses that accepted EMV cards reported a 66 percent decline in fraud in the first two years of EMV deployment," the article notes -- suggesting a future where fewer shoppers are signing their receipts.

"In Canada, Australia and most of Europe, credit cards have long abandoned the signature for the EMV chip and a PIN to authenticate the transaction, like one does with a debit card."

Slashdot Top Deals