Japan

Missing Scissors Cause 36 Flight Cancellations In Japan (theregister.com)

An anonymous reader quotes a report from The Register: Thirty-six flights were cancelled at Japan's New Chitose airport on Saturday after a pair of scissors went missing. Japanese media report that retail outlets at the airport -- which serves the regional city of Chitose on Japan's northernmost island, Hokkaido -- are required to store scissors in a locker. When staff need to cut something, they withdraw the scissors and then replace them after they're done snipping. But last Saturday, an unnamed retailer at the airport was unable to find a pair of scissors. A lengthy search ensued, during which security checks for incoming passengers were paused for at least two hours.

Chaos ensued as queues expanded, passengers were denied entry, and airport authorities scrambled to determine whether the scissors had been swiped by somebody with malicious intent. The incident saw over 200 flights delayed, and 36 cancelled altogether. The mess meant some artists didn't appear at a music festival. Happily, the scissors were eventually found -- in the very same shop from which they had gone missing, and not in the hands of someone nefarious. But it took time for authorities to verify the scissors were the missing cutters and not another misplaced pair.

China

China Is Backing Off Coal Power Plant Approvals (apnews.com)

Approvals for new coal-fired power plants in China dropped by 80% in the first half of this year compared to last, according to an analysis from Greenpeace and the Shanghai Institutes for International Studies. The Associated Press reports: A review of project documents by Greenpeace East Asia found that 14 new coal plants were approved from January to June with a total capacity of 10.3 gigawatts, down 80% from 50.4 gigawatts in the first half of last year. Authorities approved 90.7 gigawatts in 2022 and 106.4 gigawatts in 2023, a surge that raised alarm among climate experts. China leads the world in solar and wind power installations but the government has said that coal plants are still needed for periods of peak demand because wind and solar power are less reliable. While China's grid gives priority to greener sources of energy, experts worry that it won't be easy for China to wean itself off coal once the new capacity is built.

"We may now be seeing a turning point," Gao Yuhe, the project lead for Greenpeace East Asia, said in a statement. "One question remains here. Are Chinese provinces slowing down coal approvals because they've already approved so many coal projects ...? Or are these the last gasps of coal power in an energy transition that has seen coal become increasingly impractical? Only time can tell." [...] Gao said that China should focus its resources on better connecting wind and solar power to the grid rather than building more coal power plants. Coal provides more than 60% of the country's electricity. "Coal plays a foundation role in China's energy security," Li Fulong, an official of National Energy Administration, said at a news conference in June.
The report notes that China is also looking to nuclear power to help reach its carbon reduction targets. The country approved five nuclear power projects on Monday with 11 units and a total cost of $28 billion.

Operating Systems

'Something Has Gone Seriously Wrong,' Dual-Boot Systems Warn After Microsoft Update (arstechnica.com)

Ars Technica's Dan Goodin writes: Last Tuesday, loads of Linux users -- many running packages released as early as this year -- started reporting their devices were failing to boot. Instead, they received a cryptic error message that included the phrase: "Something has gone seriously wrong." The cause: an update Microsoft issued as part of its monthly patch release. It was intended to close a 2-year-old vulnerability in GRUB, an open source boot loader used to start up many Linux devices. The vulnerability, with a severity rating of 8.6 out of 10, made it possible for hackers to bypass secure boot, the industry standard for ensuring that devices running Windows or other operating systems don't load malicious firmware or software during the bootup process. CVE-2022-2601 was discovered in 2022, but for unclear reasons, Microsoft patched it only last Tuesday. [...]

With Microsoft maintaining radio silence, those affected by the glitch have been forced to find their own remedies. One option is to access their EFI panel and turn off secure boot. Depending on the security needs of the user, that option may not be acceptable. A better short-term option is to delete the SBAT Microsoft pushed out last Tuesday. This means users will still receive some of the benefits of Secure Boot even if they remain vulnerable to attacks that exploit CVE-2022-2601. The steps for this remedy are outlined here (thanks to manutheeng for the reference).

Privacy

Toyota Confirms Breach After Stolen Data Leaks On Hacking Forum (bleepingcomputer.com)

Toyota confirmed a breach of its network after 240GB of data, including employee and customer information, was leaked on a hacking forum by a threat actor. The company has not provided details on how or when the breach occurred. BleepingComputer reports: ZeroSevenGroup (the threat actor who leaked the stolen data) says they breached a U.S. branch and were able to steal 240GB of files with information on Toyota employees and customers, as well as contracts and financial information. They also claim to have collected network infrastructure information, including credentials, using the open-source ADRecon tool that helps extract vast amounts of information from Active Directory environments.

"We have hacked a branch in United States to one of the biggest automotive manufacturer in the world (TOYOTA). We are really glad to share the files with you here for free. The data size: 240 GB," the threat actor claims. "Contents: Everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data. We also offer you AD-Recon for all the target network with passwords." While Toyota hasn't shared the date of the breach, BleepingComputer found that the files had been stolen or at least created on December 25, 2022. This date could indicate that the threat actor gained access to a backup server where the data was stored.
"We are aware of the situation. The issue is limited in scope and is not a system wide issue," Toyota told BleepingComputer. The company added that it's "engaged with those who are impacted and will provide assistance if needed."

Windows

Windows 0-Day Was Exploited By North Korea To Install Advanced Rootkit (arstechnica.com)

North Korean hackers exploited a critical Windows vulnerability to deploy advanced malware, security researchers revealed. The zero-day flaw, patched by Microsoft last week, allowed attackers to gain system-level access and install a sophisticated rootkit called FudModule. Gen, the firm that discovered the attacks, identified the threat actors as Lazarus, a hacking group linked to North Korea. The exploit targeted individuals in cryptocurrency and aerospace industries, likely aiming to steal digital assets and infiltrate corporate networks. FudModule, first analyzed in 2022, stands out for its ability to operate deep within Windows, evading detection by security defenses. Earlier versions used vulnerable drivers for installation, while a newer variant exploited a bug in Windows' AppLocker service.

Businesses

Tech Giants Fight Indian Telcos' Bid To Regulate Internet Services, Pay For Network Usage (techcrunch.com)

Global technology giants are pushing back against attempts by India's telecom networks to bring internet services under stricter regulation, rejecting arguments that such measures are necessary to create a "level playing field" and address national security concerns. From a report: The Asia Internet Coalition (AIC), a powerful industry body that represents Amazon, Apple, Google, Meta, Microsoft, Netflix and Spotify, has forcefully argued against inclusion of the so-called over-the-top (OTT) services in the proposed regulatory framework for telecom operators. In a submission to the Telecom Regulatory Authority of India (TRAI), the AIC said there are fundamental differences in technology, operations and functionality between OTT services and traditional telecom operations.

[...] This resistance comes in response to a coordinated push by India's top telecom operators -- Bharti Airtel, Reliance Jio and Vodafone Idea -- to bring OTT services under a new authorization framework. Jio, India's largest telecom operator with more than 475 million subscribers, along with other telecom operators, has recommended that OTT providers contribute to network development costs based on their traffic consumption, turnover and user base.

Privacy

National Public Data Published Its Own Passwords (krebsonsecurity.com)

Security researcher Brian Krebs writes: New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans' Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today. In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased). NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company's database, which they claimed has been floating around the underground since December 2023.

Following last week's story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property -- the background search service recordscheck.net -- was hosting an archive that included the usernames and passwords for the site's administrator. A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages. The exposed archive, which was named "members.zip," indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not. According to the breach tracking service Constella Intelligence, the passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts belonging to NPD's founder, an actor and retired sheriff's deputy from Florida named Salvatore "Sal" Verini.

Reached via email, Mr. Verini said the exposed archive (a .zip file) containing recordscheck.net credentials has been removed from the company's website, and that the site is slated to cease operations "in the next week or so." "Regarding the zip, it has been removed but was an old version of the site with non-working code and passwords," Verini told KrebsOnSecurity. "Regarding your question, it is an active investigation, in which we cannot comment on at this point. But once we can, we will [be] with you, as we follow your blog. Very informative." The leaked recordscheck.net source code indicates the website was created by a web development firm based in Lahore, Pakistan called creationnext.com, which did not return messages seeking comment. CreationNext.com's homepage features a positive testimonial from Sal Verini.

Programming

'GitHub Actions' Artifacts Leak Tokens, Expose Cloud Services and Repositories (securityweek.com)

Security Week brings news about CI/CD workflows using GitHub Actions in build processes. Some workflows can generate artifacts that "may inadvertently leak tokens for third party cloud services and GitHub, exposing repositories and services to compromise, Palo Alto Networks warns." [The artifacts] function as a mechanism for persisting and sharing data across jobs within the workflow and ensure that data is available even after the workflow finishes. [The artifacts] are stored for up to 90 days and, in open source projects, are publicly available... The identified issue, a combination of misconfigurations and security defects, allows anyone with read access to a repository to consume the leaked tokens, and threat actors could exploit it to push malicious code or steal secrets from the repository. "It's important to note that these tokens weren't part of the repository code but were only found in repository-produced artifacts," Palo Alto Networks' Yaron Avital explains...

"The Super-Linter log file is often uploaded as a build artifact for reasons like debuggability and maintenance. But this practice exposed sensitive tokens of the repository." Super-Linter has been updated and no longer prints environment variables to log files.

Avital was able to identify a leaked token that, unlike the GitHub token, would not expire as soon as the workflow job ends, and automated the process that downloads an artifact, extracts the token, and uses it to replace the artifact with a malicious one. Because subsequent workflow jobs would often use previously uploaded artifacts, an attacker could use this process to achieve remote code execution (RCE) on the job runner that uses the malicious artifact, potentially compromising workstations, Avital notes.

Avital's blog post notes other variations on the attack — and "The research laid out here allowed me to compromise dozens of projects maintained by well-known organizations, including firebase-js-sdk by Google, a JavaScript package directly referenced by 1.6 million public projects, according to GitHub. Another high-profile project involved adsys, a tool included in the Ubuntu distribution used by corporations for integration with Active Directory." (Avital says the issue even impacted projects from Microsoft, Red Hat, and AWS.) "All open-source projects I approached with this issue cooperated swiftly and patched their code. Some offered bounties and cool swag."

"This research was reported to GitHub's bug bounty program. They categorized the issue as informational, placing the onus on users to secure their uploaded artifacts." My aim in this article is to highlight the potential for unintentionally exposing sensitive information through artifacts in GitHub Actions workflows. To address the concern, I developed a proof of concept (PoC) custom action that safeguards against such leaks. The action uses the @actions/artifact package, which is also used by the upload-artifact GitHub action, adding a crucial security layer by using an open-source scanner to audit the source directory for secrets and blocking the artifact upload when risk of accidental secret exposure exists. This approach promotes a more secure workflow environment...

As this research shows, we have a gap in the current security conversation regarding artifact scanning. GitHub's deprecation of Artifacts V3 should prompt organizations using the artifacts mechanism to reevaluate the way they use it. Security defenders must adopt a holistic approach, meticulously scrutinizing every stage — from code to production — for potential vulnerabilities. Overlooked elements like build artifacts often become prime targets for attackers. Reduce workflow permissions of runner tokens according to least privilege and review artifact creation in your CI/CD pipelines. By implementing a proactive and vigilant approach to security, defenders can significantly strengthen their project's security posture.
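The mitigation described above (audit the directory before it is uploaded as an artifact and block the upload when a secret is present) can be demonstrated with a small scanner. The following is an added example, not Avital's PoC action and not code from Palo Alto Networks or the @actions/artifact package; the GitHub token prefixes it matches on are real, but the assumed body lengths, the generic KEY=value pattern, the function names and the sample Super-Linter-style log lines are all constructed for this illustration.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Secret shapes to refuse in an artifact. The ghp_/gho_/ghu_/ghs_/ghr_ and
# github_pat_ prefixes are GitHub's own token formats; the minimum body
# lengths are an assumption chosen to avoid matching ordinary words. The
# env_assignment pattern catches the failure mode in the article: a linter
# dumping its environment (GITHUB_TOKEN=...) into a log that gets uploaded.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{20,}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{20,}\b"),
    "env_assignment": re.compile(
        r"^\s*([A-Z][A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|KEY))\s*=\s*(\S+)"
    ),
}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never log the secret itself, only a redacted preview


def redact(value: str) -> str:
    """Keep enough to recognise the value in a report, not enough to reuse it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_file(path: str) -> list[Finding]:
    findings = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, start=1):
            # First matching pattern wins, so one leaked line yields one finding.
            for kind, pattern in SECRET_PATTERNS.items():
                match = pattern.search(line)
                if match:
                    findings.append(Finding(path, line_no, kind, redact(match.group(0))))
                    break
    return findings


def scan_directory(root: str) -> list[Finding]:
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def guard_upload(root: str) -> tuple[bool, list[Finding]]:
    """Return (ok_to_upload, findings); the caller uploads only when ok is True."""
    findings = scan_directory(root)
    return (not findings, findings)


def build_sample_artifact() -> str:
    """Constructed artifact directory: a linter log that leaked its environment."""
    root = tempfile.mkdtemp(prefix="artifact-")
    with open(os.path.join(root, "super-linter.log"), "w", encoding="utf-8") as fh:
        fh.write("2024-08-13T10:00:01Z [INFO] Linting repository\n")
        # Fake token value, constructed for this example; not a real credential.
        fh.write("GITHUB_TOKEN=ghs_0123456789abcdefghijklmnopqrstuv\n")
        fh.write("NPM_TOKEN=npm_fakeexampletoken0000\n")
    with open(os.path.join(root, "report.txt"), "w", encoding="utf-8") as fh:
        fh.write("all checks passed\n")
    return root


def build_clean_artifact() -> str:
    root = tempfile.mkdtemp(prefix="artifact-clean-")
    with open(os.path.join(root, "report.txt"), "w", encoding="utf-8") as fh:
        fh.write("all checks passed\n")
    return root


if __name__ == "__main__":
    ok, found = guard_upload(build_sample_artifact())
    print("upload allowed" if ok else "upload BLOCKED")
    for f in found:
        print(f"  {f.path}:{f.line_no} {f.kind} {f.redacted}")
```

The block reports findings with redacted previews so that the guard itself does not become another place the token is printed. In a workflow, running `guard_upload` as a step before `upload-artifact` is the least-privilege complement to trimming the runner token's `permissions`: one limits what a leaked token can do, the other stops the leak from reaching the artifact at all.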

The blog post also notes protection and mitigation features from Palo Alto Networks....

Operating Systems

DOS's Last Stand? On a Modern Thinkpad X13 with an Intel 10th-Gen Core CPU (yeokhengmeng.com)

Slashdot reader yeokm1 is the Singapore-based embedded security researcher whose side projects include installing Linux on a 1993 PC and building a ChatGPT client for MS-DOS.

Today he writes: When one thinks of modern technologies like Thunderbolt, 2.5 Gigabit Ethernet and modern CPUs, one would associate them with modern operating systems. How about DOS?

It might seem impossible, however I did an experiment on a relatively modern 2020 Thinkpad and found that it can still run MS-DOS 6.22. MS-DOS 6.22 is the last standalone version of DOS released by Microsoft in June 1994. This makes it 30 years old today.

I'll share the steps and challenges in locating a modern laptop capable of doing so — and the challenge of making the 30-year-old OS work on it with audio and networking functions. This is likely among the final generation of laptops able to run DOS natively.

Displays

Apple is Building a $1,000 Display on a Voice-Controlled Robot Arm (yahoo.com)

Apple is building "a pricey tabletop home device" which uses "a thin robotic arm to move around a large screen," using actuators "to tilt the display up and down and make it spin 360 degree," according to Bloomberg's Mark Gurman. Citing "people with knowledge of the matter," Gurman writes that Apple assigned "several hundred people" to the project: The device is envisioned as a smart home command center, videoconferencing machine and remote-controlled home security tool, said the people... The project — codenamed J595 — was approved by Apple's executive team in 2022 but has started to formally ramp up in recent months, they said... Apple has now decided to prioritize the device's development and is aiming for a debut as early as 2026 or 2027, according to the people.

The company is looking to get the price down to around $1,000. But with years to go before an expected release, the plans could theoretically change... The idea is for the tabletop product to be primarily controlled using the Siri digital assistant and upcoming features in Apple Intelligence. The device could respond to commands, such as "look at me," by repositioning the screen to focus on the person saying the words — say, during a video call. It also could understand different voices and adjust its focus accordingly. Current models in testing run a customized version of the iPad operating system...

The company also is working on robots that move around the home and has discussed the idea of a humanoid version. Those projects are being led, in part, by Hanns Wolfram Tappeiner, a robotics expert who now has about 100 former car team engineers reporting to him. In a job listing published this month, Apple said it has a team "working to leverage and build upon groundbreaking machine learning robotics research, thereby enabling development of generalizable and reliable robot systems." The company said it's seeking experts with experience in "robot manipulation" and creating AI models for robot control.

The article points out that Apple "still gets roughly half its revenue from the iPhone," and calls the robotics effort "one of a few avenues Apple is pursuing to generate new sources of revenue" — and to "capitalize" on its AI technology. (Apple is also working on both smart eyeglasses and augmented reality glasses.)

AI

'AI-Powered Remediation': GitHub Now Offers 'Copilot Autofix' Suggestions for Code Vulnerabilities (infoworld.com)

InfoWorld reports that Microsoft-owned GitHub "has unveiled Copilot Autofix, an AI-powered software vulnerability remediation service."

The feature became available Wednesday as part of the GitHub Advanced Security (or GHAS) service: "Copilot Autofix analyzes vulnerabilities in code, explains why they matter, and offers code suggestions that help developers fix vulnerabilities as fast as they are found," GitHub said in the announcement. GHAS customers on GitHub Enterprise Cloud already have Copilot Autofix included in their subscription. GitHub has enabled Copilot Autofix by default for these customers in their GHAS code scanning settings.

Beginning in September, Copilot Autofix will be offered for free in pull requests to open source projects.

During the public beta, which began in March, GitHub found that developers using Copilot Autofix were fixing code vulnerabilities more than three times faster than those doing it manually, demonstrating how AI agents such as Copilot Autofix can radically simplify and accelerate software development.

"Since implementing Copilot Autofix, we've observed a 60% reduction in the time spent on security-related code reviews," says one principal engineer quoted in GitHub's announcement, "and a 25% increase in overall development productivity."

The announcement also notes that Copilot Autofix "leverages the CodeQL engine, GPT-4o, and a combination of heuristics and GitHub Copilot APIs." Code scanning tools detect vulnerabilities, but they don't address the fundamental problem: remediation takes security expertise and time, two valuable resources in critically short supply. In other words, finding vulnerabilities isn't the problem. Fixing them is...

Developers can keep new vulnerabilities out of their code with Copilot Autofix in the pull request, and now also pay down the backlog of security debt by generating fixes for existing vulnerabilities... Fixes can be generated for dozens of classes of code vulnerabilities, such as SQL injection and cross-site scripting, which developers can dismiss, edit, or commit in their pull request.... For developers who aren't necessarily security experts, Copilot Autofix is like having the expertise of your security team at your fingertips while you review code...
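To make concrete what a fix for the two vulnerability classes named above looks like, here is an added example, not code from GitHub's announcement or from Copilot Autofix: each vulnerable function is paired with the parameterised or escaped form a scanner-driven fix would replace it with. The in-memory table, its rows and the function names are constructed for this illustration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # What a code scanner flags: untrusted input spliced into the SQL text,
    # so quote characters in `name` change the statement's structure.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    # The fix: a bound parameter. The driver sends the value separately,
    # so it is compared as data and never parsed as SQL.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def greeting_vulnerable(name: str) -> str:
    # Reflected cross-site scripting: user input placed into HTML unescaped.
    return f"<p>Hello, {name}!</p>"


def greeting_fixed(name: str) -> str:
    # The fix: escape for the HTML text context before interpolating.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # a quote-breaking input, constructed for the demo
    print("vulnerable:", find_user_vulnerable(db, probe))  # every row
    print("fixed:     ", find_user_fixed(db, probe))       # no row named that
    print(greeting_fixed("<b>bob</b>"))
```

Both fixes are local, mechanical rewrites, which is why this class of remediation is a good fit for an automated suggestion in a pull request; the reviewer still has to confirm the rewritten query or template preserves the intended behaviour.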

As the global home of the open source community, GitHub is uniquely positioned to help maintainers detect and remediate vulnerabilities so that open source software is safer and more reliable for everyone. We firmly believe that it's highly important to be both a responsible consumer of open source software and contributor back to it, which is why open source maintainers can already take advantage of GitHub's code scanning, secret scanning, dependency management, and private vulnerability reporting tools at no cost. Starting in September, we're thrilled to add Copilot Autofix in pull requests to this list and offer it for free to all open source projects...

While responsibility for software security continues to rest on the shoulders of developers, we believe that AI agents can help relieve much of the burden.... With Copilot Autofix, we are one step closer to our vision where a vulnerability found means a vulnerability fixed.

Sci-Fi

An Insider's Perspective Into the Pentagon's UFO Hunt (nytimes.com)

In his new memoir, Imminent, former senior intelligence official Luis Elizondo claims that a supersecret program has been retrieving technology and biological remains of nonhuman origin for decades, warning that these phenomena could pose a serious national security threat or even an existential threat to humanity. The New York Times reports: Luis Elizondo made headlines in 2017 when he resigned as a senior intelligence official running a shadowy Pentagon program investigating U.F.O.s and publicly denounced the excessive secrecy, lack of resources and internal opposition that he said were thwarting the effort. Elizondo's disclosures at the time created a sensation. They were buttressed by explosive videos and testimony from Navy pilots who had encountered unexplained aerial phenomena, and led to congressional inquiries, legislation and a 2023 House hearing in which a former U.S. intelligence official testified that the federal government has retrieved crashed objects of nonhuman origin.

Now Elizondo, 52, has gone further in a new memoir. In the book he asserted that a decades-long U.F.O. crash retrieval program has been operating as a supersecret umbrella group made up of government officials working with defense and aerospace contractors. Over the years, he wrote, technology and biological remains of nonhuman origin have been retrieved from these crashes. "Humanity is, in fact, not the only intelligent life in the universe, and not the alpha species," Elizondo wrote. The book, "Imminent: Inside the Pentagon's Hunt for U.F.O.s," is being published by HarperCollins on Aug. 20 after a yearlong security review by the Pentagon.

Privacy

National Public Data Confirms Breach Exposing Social Security Numbers (bleepingcomputer.com)

BleepingComputer's Ionut Ilascu reports: Background check service National Public Data confirms that hackers breached its systems after threat actors leaked a stolen database with millions of social security numbers and other sensitive personal information. The company states that the breached data may include names, email addresses, phone numbers, social security numbers (SSNs), and postal addresses.

In the statement disclosing the security incident, National Public Data says that "the information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es)." The company acknowledges the "leaks of certain data in April 2024 and summer 2024" and believes the breach is associated with a threat actor "that was trying to hack into data in late December 2023." NPD says they investigated the incident, cooperated with law enforcement, and reviewed the potentially affected records. If significant developments occur, the company "will try to notify" the impacted individuals.

The Almighty Buck

US Fines T-Mobile $60 Million, Its Largest Penalty Ever, Over Unauthorized Data Access (reuters.com)

The U.S. Committee on Foreign Investment (CFIUS) fined T-Mobile $60 million, its largest penalty ever, for failing to prevent and report unauthorized access to sensitive data tied to violations of a mitigation agreement from its 2020 merger with Sprint. "The size of the fine, and CFIUS's unprecedented decision to make it public, show the committee is taking a more muscular approach to enforcement as it seeks to deter future violations," reports Reuters. From the report: T-Mobile said in a statement that it experienced technical issues during its post-merger integration with Sprint that affected "information shared from a small number of law enforcement information requests." It stressed that the data never left the law enforcement community, was reported "in a timely manner" and was "quickly addressed." The failure of T-Mobile to report the incidents promptly delayed CFIUS' efforts to investigate and mitigate any potential harm to U.S. national security, they added, without providing further details. "The $60 million penalty announcement highlights the committee's commitment to ramping up CFIUS enforcement by holding companies accountable when they fail to comply with their obligations," one of the U.S. officials said, adding that transparency around enforcement actions incentivizes other companies to comply with their obligations.

Security

Thousands of Corporate Secrets Were Left Exposed. This Guy Found Them All

Security researcher Bill Demirkapi unveiled a massive trove of leaked developer secrets and website vulnerabilities at the Defcon conference in Las Vegas. Using unconventional data sources, Demirkapi identified over 15,000 exposed secrets, including credentials for Nebraska's Supreme Court IT systems and Stanford University's Slack channels.

The researcher also discovered 66,000 websites with dangling subdomain issues, making them vulnerable to attacks. Among the affected sites was a New York Times development domain. Demirkapi's tack involved scanning VirusTotal's database and passive DNS replication data to identify vulnerabilities at scale. He developed an automated method to revoke exposed secrets, working with companies like OpenAI to implement self-service deactivation of compromised API keys.

Microsoft

Microsoft Temporarily Pumps the Brakes on Its Intrusive Windows 11 Ads (windowscentral.com)

Microsoft says it will temporarily cease its contentious Windows 11 upgrade campaign following user backlash. The tech giant had been bombarding Windows 10 users with full-screen popups urging them to switch operating systems. Starting with April's security update, these intrusive notifications will be discontinued. Microsoft says it will unveil a revised upgrade strategy in the coming months, as Windows 10 support nears its October 2025 end date.

Transportation

Intel and Karma Partner To Develop Software-Defined Car Architecture (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Intel is partnering with Karma Automotive to develop an all-new computing platform for vehicles. The new software-defined vehicle architecture should first appear in a high-end electric coupe from Karma in 2026. But the partners have bigger plans for this architecture, with talk of open standards and working with other automakers also looking to make the leap into the software-defined future. [...] In addition to advantages in processing power and weight savings, software-defined vehicles are easier to update over-the-air, a must-have feature since Tesla changed that paradigm. Karma and Intel say their architecture should also have other efficiency benefits. They give the example of security monitoring that remains active even when the vehicle is turned off; they move this to a low-powered device using "data center application orchestration concepts."

Intel is also contributing its power management SoC to get the most out of inverters, DC-DC converters, chargers, and as you might expect, the domain controllers use Intel silicon as well, apparently with some flavor of AI enabled. [...] Karma's first car to use the software-defined vehicle architecture will be the Kayeva, a $300,000 two-door with 1,000 hp (745 kW) on tap, which is scheduled to arrive in two years. But Intel and Karma want to offer the architecture to others in the industry. "For Tier 1s and OEMs not quite ready to take the leap from the old way of doing things to the new, Karma Automotive will play as an ally, helping them make that transition," said [Karma President Marques McCammon].
"Together, we're harnessing the combined might of Intel's technological prowess and Karma's ultra-luxury vehicle expertise to co-develop a revolutionary software-defined vehicle architecture," said McCammon. "This isn't just about realizing Karma's full potential; it's about creating a blueprint for the entire industry. We're not just building exceptional vehicles, we're paving the way for a new era of automotive innovation and offering a roadmap for those ready to make the leap."

Security

Researchers Hack Electronic Shifters With a Few Hundred Dollars of Hardware

An anonymous reader quotes a report from Wired: Professional cycling has, in its recent history, been prone to a shocking variety of cheating methods and dirty tricks. Performance-enhancing drugs. Tacks strewn on race courses. Even stealthy motors hidden inside of wheel hubs. Now, for those who fail to download a software patch for their gear shifters -- yes, bike components now get software updates -- there may be hacker saboteurs to contend with, too. At the Usenix Workshop on Offensive Technologies earlier this week, researchers from UC San Diego and Northeastern University revealed a technique that would allow anyone with a few hundred dollars of hardware to hack Shimano wireless gear-shifting systems of the kind used by many of the top cycling teams in the world, including in recent events like the Olympics and the Tour de France. Their relatively simple radio attack would allow cheaters or vandals to spoof signals from as far as 30 feet away that trigger a target bike to unexpectedly shift gears or to jam its shifters and lock the bike into the wrong gear.

The trick would, the researchers say, easily be enough to hamper a rival on a climb or, if timed to certain intense moments of a race, even cause dangerous instability. "The capability is full control of the gears. Imagine you're going uphill on a Tour de France stage: If someone shifts your bike from an easy gear to a hard one, you're going to lose time," says Earlence Fernandes, an assistant professor at UCSD's Computer Science and Engineering department. "Or if someone is sprinting in the big chain ring and you move it to the small one, you can totally crash a person's bike like that." [...] The researchers' technique exploits the increasingly electronic nature of modern high-end bicycles, which now have digital components like power meters, wireless control of fork suspensions, and wireless shifters. "Modern bicycles are cyber-physical systems," the researchers note in their Usenix paper. Almost all professional cyclists now use electronic shifters, which respond to digital signals from shifter controls on the bike's handlebars to move a bicycle's chain from gear to gear, generally more reliably than mechanical shifting systems. In recent years, those wired electronic shifters have transitioned again to wireless versions that pair via a radio connection, such as the popular Di2 wireless shifters sold by the Japanese cycling component firm Shimano, which the researchers focused on.
Shimano says it has developed a firmware update to patch the exploit but it won't be available widely until late August. The update is intended to improve wireless transmission across Shimano Di2 component platforms, though specific details about the fix and how it prevents the identified attacks have not been disclosed for security reasons.
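The report above says the attack spoofs shift commands over the air but gives no protocol detail, and Shimano has not disclosed what its firmware fix does. The following is an added illustration, not code from the researchers or from Shimano, of the general defence class for this kind of cyber-physical link: a toy shifter protocol (command codes, frame layout, and pairing key are all constructed for the demo) is shown first as an unauthenticated frame that a receiver accepts whenever it arrives, and then as a frame carrying a monotonic counter and a truncated HMAC-SHA256 tag under a key assumed to be established at pairing, so that a receiver rejects both forged frames and replays of captured ones.

```python
import hashlib
import hmac
import struct

# Constructed toy protocol for illustration only; not Shimano's Di2 format.
SHIFT_UP = 0x01
SHIFT_DOWN = 0x02
TAG_LEN = 8
PAIRING_KEY = b"constructed-demo-pairing-key"  # assumed to be set up at pairing time


def naive_frame(cmd: int) -> bytes:
    """Unauthenticated frame: nothing binds it to a sender or to a moment in time."""
    return bytes([cmd])


class NaiveReceiver:
    """Accepts any well-formed frame, so a captured frame can be resent at will."""

    def __init__(self, gear: int = 5) -> None:
        self.gear = gear

    def handle(self, frame: bytes) -> bool:
        if len(frame) != 1:
            return False
        if frame[0] == SHIFT_UP:
            self.gear += 1
            return True
        if frame[0] == SHIFT_DOWN:
            self.gear -= 1
            return True
        return False


def authed_frame(cmd: int, counter: int, key: bytes = PAIRING_KEY) -> bytes:
    """Command plus a monotonic counter, authenticated with a truncated HMAC-SHA256."""
    body = struct.pack(">BI", cmd, counter)  # 1-byte command, 4-byte counter
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthedReceiver:
    """Rejects frames whose tag does not verify (spoofed) or whose counter does
    not advance (replayed). Gaps in the counter are allowed so that lost
    frames do not wedge the link."""

    def __init__(self, key: bytes = PAIRING_KEY, gear: int = 5) -> None:
        self.key = key
        self.gear = gear
        self.last_counter = 0  # a real device must persist this across power cycles

    def handle(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered frame
        cmd, counter = struct.unpack(">BI", body)
        if counter <= self.last_counter:
            return False  # replay of an already-seen frame
        self.last_counter = counter
        if cmd == SHIFT_UP:
            self.gear += 1
            return True
        if cmd == SHIFT_DOWN:
            self.gear -= 1
            return True
        return False


def replay_demo() -> dict:
    """Feed one captured SHIFT_UP frame twice to each receiver, then try a frame
    built with the wrong key and a later legitimate frame against the
    authenticated receiver."""
    naive = NaiveReceiver()
    captured = naive_frame(SHIFT_UP)
    naive_first = naive.handle(captured)
    naive_replay = naive.handle(captured)  # accepted again: the bike shifts twice

    authed = AuthedReceiver()
    captured = authed_frame(SHIFT_UP, counter=1)
    authed_first = authed.handle(captured)
    authed_replay = authed.handle(captured)  # same counter: rejected
    forged = authed_frame(SHIFT_DOWN, counter=2, key=b"wrong-key")
    authed_forged = authed.handle(forged)  # bad tag: rejected
    authed_next = authed.handle(authed_frame(SHIFT_DOWN, counter=7))  # gap is fine

    return {
        "naive_first": naive_first, "naive_replay": naive_replay, "naive_gear": naive.gear,
        "authed_first": authed_first, "authed_replay": authed_replay,
        "authed_forged": authed_forged, "authed_next": authed_next, "authed_gear": authed.gear,
    }


if __name__ == "__main__":
    for name, value in replay_demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner would check on a real device: the receiver's counter has to survive a power cycle (otherwise an old captured frame becomes valid again after a battery swap), and authentication does nothing against the jamming variant the report mentions, which is a denial-of-service problem on the radio layer rather than a forgery problem.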
Microsoft

German Cyber Agency Wants Changes in Microsoft, CrowdStrike Products After Tech Outage (wsj.com)

An anonymous reader shares a report: Since last month's blue-screen deluge, CrowdStrike has published analyses of what went wrong and said it hired third-party security companies to review its product. Now, Germany's powerful cybersecurity agency is seizing the moment and hoping to rattle tech and cyber companies into altering their products to head off another mega-meltdown. In particular, the Bonn-based Federal Office for Information Security is taking aim at the access Microsoft gives security providers to its Windows kernel, a core part of its operating system. As well, the German agency is looking for fundamental changes in the way CrowdStrike and other cyber firms design their tools, in hopes of curbing that access.

"The most important thing is to prevent [that] this can happen again," said Thomas Caspers, director general for technology strategy at the BSI, as the agency is known. Leveraging the dread that filled Silicon Valley following the July outage, the BSI is planning to organize a conference this year gathering major tech firms, where it hopes they will commit to restricting access to the kernel, a change Caspers says is crucial to stopping similar failures. "We expect each company to be very specific about what they will do based on what we agreed on," he said.

Android

Google Sold Android Phones With Hidden Insecure Feature, Companies Find (washingtonpost.com)

Google's master software for some Android phones includes a hidden feature that is insecure and could be activated to allow remote control or spying on users, according to a security company that found it inside phones at a U.S. intelligence contractor. From a report: The feature appears intended to give employees at stores selling Pixel phones and other models deep access to the devices so they can demonstrate how they work, according to researchers at iVerify who shared their findings with The Washington Post. The discovery and Google's lack of explanation alarmed the intelligence contractor, data analysis platform vendor Palantir Technologies, to the extent that it has stopped issuing Android phones to employees, Palantir told The Post.

"Mobile security is a very real concern for us, given where we're operating and who we're serving," Palantir Chief Information Security Officer Dane Stuckey said. "This was very deleterious of trust, to have third-party, unvetted insecure software on it. We have no idea how it got there, so we made the decision to effectively ban Androids internally." The security company said it contacted Google about its findings more than 90 days ago and that the tech giant has not indicated whether it would remove or fix the application. On Wednesday night, Google told The Post that it would issue an update to remove the application. "Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update," said company spokesperson Ed Fernandez. He said distributors of other Android phones would also be notified.
