Businesses

Cisco Slashes Thousands of Workers As It Announces Yearly Profit of $10.3 Billion (sfgate.com) 51

An anonymous reader quotes a report from SFGATE: Cisco Systems is laying off 7% of its workforce, the company announced in a filing with the Securities and Exchange Commission on Wednesday. It's the San Jose tech giant's second time slashing thousands of jobs this year. The networking and telecommunications company is vast, reporting to have 84,900 employees in July 2023 before it chopped at least 4,000 in February. That means the new 7% cut will likely affect at least 5,500 workers. Cisco spokesperson Robyn Blum said in an email to SFGATE that the layoff is meant to allow the company to invest in "key growth opportunities and drive more efficiency in our business." [...]

More hints about the layoff's potential reasoning showed up in a Wednesday blog post from CEO Chuck Robbins. The executive wrote that Cisco plans to consolidate its networking, security and collaboration teams into one organization and said the company is still integrating Splunk; Cisco closed its $28 billion acquisition of San Francisco-based data security and management company in March. Cisco also announced its earnings for its last fiscal year on Wednesday. Total revenue was slightly down year over year, to $53.8 billion, but the company still reported a $10.3 billion profit during the same period.

Encryption

NIST Finalizes Trio of Post-Quantum Encryption Standards (theregister.com) 20

"NIST has formally accepted three algorithms for post-quantum cryptography," writes ancient Slashdot reader jd. "Two more backup algorithms are being worked on. The idea is to have backup algorithms using very different maths, just in case a flaw in the original approach is discovered later." The Register reports: The National Institute of Standards and Technology (NIST) today released the long-awaited post-quantum encryption standards, designed to protect electronic information long into the future -- when quantum computers are expected to break existing cryptographic algorithms. One -- ML-KEM (PDF) (based on CRYSTALS-Kyber) -- is intended for general encryption, which protects data as it moves across public networks. The other two -- ML-DSA (PDF) (originally known as CRYSTALS-Dilithium) and SLH-DSA (PDF) (initially submitted as Sphincs+) -- secure digital signatures, which are used to authenticate online identity. A fourth algorithm -- FN-DSA (PDF) (originally called FALCON) -- is slated for finalization later this year and is also designed for digital signatures.

NIST continued to evaluate two other sets of algorithms that could potentially serve as backup standards in the future. One of the sets includes three algorithms designed for general encryption -- but the technology is based on a different type of math problem than the ML-KEM general-purpose algorithm in today's finalized standards. NIST plans to select one or two of these algorithms by the end of 2024. Despite the new ones on the horizon, NIST mathematician Dustin Moody encouraged system administrators to start transitioning to the new standards ASAP, because full integration takes some time. "There is no need to wait for future standards," Moody advised in a statement. "Go ahead and start using these three. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe. But for most applications, these new standards are the main event."
From the NIST: This notice announces the Secretary of Commerce's approval of three Federal Information Processing Standards (FIPS):
- FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard
- FIPS 204, Module-Lattice-Based Digital Signature Standard
- FIPS 205, Stateless Hash-Based Digital Signature Standard

These standards specify key establishment and digital signature schemes that are designed to resist future attacks by quantum computers, which threaten the security of current standards. The three algorithms specified in these standards are each derived from different submissions in the NIST Post-Quantum Cryptography Standardization Project.

Apple

Apple To Open Payment Chip To Third Parties and Charge Fees (financialpost.com) 37

Apple will begin letting third parties use the iPhone's payment chip to handle transactions, a move that allows banks and other services to compete with the Apple Pay platform. From a report: The move, announced Wednesday, follows years of pressure from regulators, including those in the European Union. Apple said it will allow developers to use the component starting in iOS 18.1, an upcoming software update for the iPhone. The payment chip relies on a technology called NFC, or near-field communication, to share information when the phone is near another device.

The change will allow outside providers to use the NFC chip for in-store payments, transit system fares, work badges, home and hotel keys, and reward cards. Support for government identification cards will come later, the company said. Users will also be able to set a third-party payment app as their default system, replacing Apple Pay. Apple had been reluctant to open up the chip to developers, citing security concerns. The change also threatens the revenue it generates from Apple Pay transactions. The company takes a cut of all payments made via the iPhone.

Encryption

Microsoft is Enabling BitLocker Device Encryption By Default on Windows 11 (theverge.com) 104

Microsoft is making BitLocker device encryption a default feature in its next major update to Windows 11. From a report: If you clean install the 24H2 version that's rolling out in the coming months, device encryption will be enabled by default when you first sign in or set up a device with a Microsoft account or work / school account.

Device encryption is designed to improve the security of Windows machines by automatically enabling BitLocker encryption on the Windows install drive and backing up the recovery key to a Microsoft account or Entra ID. In Windows 11 version 24H2, Microsoft is reducing the hardware requirements for automatic device encryption, opening it up to many more devices -- including ones running the Home version of Windows 11. Device encryption no longer requires Hardware Security Test Interface (HSTI) or Modern Standby, and encryption will also be enabled even if untrusted direct memory access (DMA) buses / interfaces are detected.

United States

Companies Prepare To Fight Quantum Hackers (wsj.com) 23

National-security authorities have warned for years that today's encryption will become vulnerable to hackers when quantum computers are widely available. Companies can now start to integrate new cryptographic algorithms into their products to protect them from future hacks. From a report: Some companies have already taken steps to replace current forms of encryption with post-quantum algorithms. The National Institute of Standards and Technology, an agency of the Commerce Department, published three new algorithms for post-quantum encryption Tuesday.

The three algorithms that NIST selected use different types of encryption to protect digital signatures that authenticates information, and cryptographic key exchange, which keeps data confidential. IBM researchers were part of teams that submitted algorithms that NIST selected. International Business Machines is working with companies in telecommunications, online payments and other industries on how to implement the new standards.

"Our digital economy is toast unless people go in and change the cryptography," said Scott Crowder, vice president of IBM's quantum adoption group. The new standards from NIST will be influential because they will replace encryption algorithms in use all over the world, said Joost Renes, principal cryptographer at NXP Semiconductors, a key provider of chips to the auto industry. NXP customers in different industries have been asking about the new encryption algorithms and want to make sure their suppliers are prepared to migrate to post-quantum cryptography, Renes said. He said NXP will start using the algorithms as soon as possible but declined to comment on when that will be. "You should really look at this as a kind of ongoing transition project which is going to take quite some time," he said.

Security

Six Ransomware Gangs Behind Over 50% of 2024 Attacks (theregister.com) 5

An anonymous reader shares a report: Despite a law enforcement takedown six months ago, LockBit 3.0 remains the most prolific encryption and extortion gang, at least so far, this year, according to Palo Alto Networks' Unit 42. Of the 53 ransomware groups whose underworld websites, where the crooks name their victims and leak stolen data, that the incident response team monitored, just six accounted for more than half of the total infections observed.

For its analysis, Unit 42 reviewed announcements posted on these crews' dedicated leak sites during the first six months of 2024 and counted 1,762 posts, which represents a 4.3 percent year-over-year increase from 2023. Before we get into the top six gangs' victims count, a note on how Unit 42 tracks nation-state and cybercrime groups: It combines a modifier with a constellation. And Scorpius is the lucky constellation that Unit 42 connects to ransomware gangs.

Android

Google's Pixel 9 Lineup is a Pro Show (theverge.com) 34

Google unveiled its latest Pixel smartphone series on Tuesday, introducing four new models with enhanced AI capabilities and updated designs. The Pixel 9 lineup includes the standard Pixel 9, two Pro models, and a foldable device. The new Pixel phones feature flat sides and an elongated camera module on the rear, departing from the curved edges of previous generations. Screen sizes range from 6.3 inches on the standard Pixel 9 to 6.8 inches on the Pixel 9 Pro XL.

All models are powered by Google's new Tensor G4 processor and come with increased RAM, with Pro models boasting 16GB. The devices run on Android 14 and will receive seven years of OS updates and security patches. Google has significantly expanded the AI capabilities of the new Pixels. An updated on-device Gemini Nano model can now analyze images and speech in addition to text. New features include automatic screenshot cataloging and retrieval, and an AI-powered illustration generator called Pixel Studio. Camera improvements are a key focus, with all models receiving upgraded ultrawide lenses and the Pro versions featuring a new 42-megapixel selfie camera with autofocus. Google has introduced "Magic Editor," allowing users to transform parts of an image using text prompts and generative AI.

The Pixel 9 Pro Fold, Google's second-generation foldable device, is thinner than its predecessor at 5.1mm when unfolded. It features a larger 8-inch inner display with increased brightness, reaching up to 2,700 nits in peak mode. Pricing for the new Pixel lineup starts at $799 for the standard Pixel 9, representing a $100 increase from last year's model. The Pixel 9 Pro and Pro XL are priced at $999 and $1,099 respectively, while the Pixel 9 Pro Fold will retail for $1,799. The devices will be released in stages, with the Pixel 9 and 9 Pro XL available from August 22, followed by the 9 Pro in September and the Pro Fold on September 4.
United States

The Nation's Best Hackers Found Vulnerabilities in Voting Machines - But No Time To Fix Them (politico.com) 189

Hackers at the DEF CON conference in Las Vegas identified vulnerabilities in voting machines slated for use in the 2024 U.S. election, but fixes are unlikely to be implemented before November 5, organizers said. The annual "Voting Village" event, held away from the main conference floor due to security concerns, drew election officials and cybersecurity experts. Organizers plan to release a detailed report on the vulnerabilities found.

Catherine Terranova, an event organizer, said major systemic changes are difficult to make 90 days before an election, particularly given heightened scrutiny of election security in 2024. The process of addressing vulnerabilities involves manufacturer approval, recertification by authorities, and updating individual devices. This typically takes longer than the time remaining before the election, according to Scott Algeier, executive director of the Information Technology-Information Sharing and Analysis Center. The event comes amid ongoing concerns about foreign targeting of U.S. elections, including a recent hack of former President Donald Trump's campaign, reportedly by Iran.
Republicans

FBI Investigating After Trump Campaign Says It Was Hacked (thehill.com) 75

Over the weekend, former President Donald Trump's campaign said that it had been hacked, with internal documents reportedly obtained illegally by foreign sources to interfere with the 2024 election. While the Trump campaign claimed that Iran was responsible, it is unclear who exactly was behind the incident. The FBI said it was aware of the allegations and confirmed Monday that it is "investigating this matter." The Hill reports: U.S. agencies have thus far failed to comment on the claims that Iran was responsible for the hack, even as recent intelligence community reports have noted growing Iranian efforts to influence the U.S. election. "This is something we've raised for some time, raised concerns that Iranian cyber actors have been seeking to influence elections around the world including those happening in the United States," John Kirby, the White House's national security communications adviser, told reporters Monday. "These latest attempts to interfere in U.S. elections is nothing new for the Iranian regime, which from our vantage point has attempted to undermine democracies for many years now."

A report from the Office of the Director of National Intelligence released last month noted Iranian efforts designed to "fuel distrust in U.S. political institutions and increase social discord." "The IC has observed Tehran working to influence the presidential election, probably because Iranian leaders want to avoid an outcome they perceive would increase tensions with the United States. Tehran relies on vast webs of online personas and propaganda mills to spread disinformation," the report states, including being particularly active on exacerbating tensions over the Israel-Gaza conflict.

Crime

Are Banks Doing Enough to Protect Customers from Zelle Scams? US Launches Federal Probe (yahoo.com) 82

"Zelle payments can't be reversed once they're sent," notes the Los Angeles Times — which could be why they're popular with scammers. "You can't simply stop the payment (like a check) or dispute it (like a credit card). Now, the federal regulator overseeing financial products is probing whether banks that offer Zelle to their account holders are doing enough to protect them against scams. Two major banks — JPMorgan Chase and Wells Fargo — disclosed in their security filings in the last week that they'd been contacted by the Consumer Financial Protection Bureau. According to the Wall Street Journal, which reported the filings Wednesday, the CFPB is exploring whether banks are moving quickly enough to shut down scammers' accounts and whether they're doing enough to identify and prevent scammers from signing up for accounts in the first place...

A J.D. Power survey this year found that 3% of the people who'd used Zelle said they had lost money to scammers, which was less than the average for peer-to-peer money transfer services such as Venmo, CashApp and PayPal. The chief executive of Early Warning Services, which runs Zelle, told a Senate subcommittee in July that only 0.1% of the transactions on Zelle involved a scam or fraud; in 2023, the company said, that percentage was 0.05%. But Zelle operates at such a large scale — 120 million users, 2.9 billion transactions and $806 billion transferred in 2023, according to Early Warning Services — that even a tiny percentage of scam and fraud problems translates into a large number of users and dollars... From 2022 to 2023, Zelle cut the rate of scams by nearly 50% even as the volume of transactions grew 28%, resulting in less money scammed in 2023 than in 2022, said Ben Chance, the chief fraud risk management officer for Zelle. The company didn't disclose the amounts involved, but if 0.05% of the $806 billion transferred in 2023 involved scam or fraud, that would translate to $403 million.

Do Zelle users get reimbursed for scams? Only in certain cases, and this is where the banks that offer Zelle have drawn the most heat. If you use Zelle to pay a scammer, banks say, that's a payment you authorized, so they're not obliged under law to refund your money... Some banks, such as Bank of America, say they will put a freeze on transfers by a suspected scammer as soon as a report comes in, then investigate and, if the report is substantiated, seize and return the money. But that works only if the scam is reported right away, before the scammer has the chance to withdraw the funds — which many will do immediately, said Iskander Sanchez-Rola, director of innovation at the cybersecurity company Gen.

Transportation

Kia and Hyundai's New Anti-Theft Software is Lowering Car-Stealing Rates (cnn.com) 43

An anonymous reader shared this report from CNN: More than a year after Hyundai and Kia released new anti-theft software updates, thefts of vehicles with the new software are falling — even as thefts overall remain astoundingly high, according to a new analysis of insurance claim data. The automakers released the updates starting last February, after a tenfold increase in thefts of certain Hyundai and Kia models in just the past three years — sparked by a series of social media posts that showed people how to steal the vehicles. "Whole vehicle" theft claims — insurance claims for the loss of the entire vehicle — are 64% lower among the Hyundai and Kia cars that have had the software upgrade, compared to cars of the same make, model and year without the upgrade, according to the Highway Loss Data Institute. "The companies' solution is extremely effective," Matt Moore, senior vice president of HLDI, an industry group backed by auto insurers, said in a statement...

Between early 2020 and the first half of 2023, thefts of Hyundai and Kia models rose more than 1,000%.

The article points out that HDLI's analysis covered 2023, and "By the end of that year, only about 30% of vehicles eligible for the security software had it installed. By now, around 61% of eligible Hyundai vehicles have the software upgrade, a Hyundai spokesperson said."

The car companies told CNN that more than 2 million Hyundai and Kia vehicles have gotten the update (part of a $200 million class action settlement reached in May of 2023).
Security

Some Def Con Attendees Forgive Crowdstrike - and Some Blame Microsoft Windows (techcrunch.com) 93

Fortune reports that Crowdstrike "is enjoying a moment of strange cultural cachet at the annual Black Hat security conference, as throngs of visitors flock to its booth to snap selfies and load up on branded company shirts and other swag." (Some attendees "collectively shrugged at the idea that Crowdstrike could be blamed for a problem with a routine update that could happen to any of the security companies deeply intertwined with Microsoft Windows.") Others pointed out that Microsoft should take their fair share of the blame for the outage, which many say was caused by the design of Windows in its core architecture that leads to malware, spyware and driver instability. "Microsoft should not be giving any third party that level of access," said Eric O'Neill, a cybersecurity expert, attorney and former FBI operative. "Microsoft will complain, well, it's just the way that the technology works, or licensing works, but that's bullshit, because this same problem didn't affect Linux or Mac. And Crowdstrike caught it super-early."
Their article notes that Crowdstrike is one of this year's top sponsors of the conference. Despite its recent missteps, Crowdstrike had one of the biggest booths, notes TechCrunch, and "As soon as the doors opened, dozens of attendees started lining up." They were not all there to ask tough questions, but to pick up T-shirts and action figures made by the company to represent some of the nation-state and cybercriminal grups it tracks, such as Scattered Spider, an extortion racket allegedly behind last year's MGM Resorts and Okta cyberattacks; and Aquatic Panda, a China-linked espionage group.

"We're here to give you free stuff," a CrowdStrike employee told people gathered around a big screen where employees would later give demos. A conference attendee looked visibly surprised. "I just thought it would be dead, honestly. I thought it would be slower over there. But obviously, people are still fans, right?"

For CrowdStrike at Black Hat, there was an element of business as usual, despite its global IT outage that caused widespread disruption and delays for days — and even weeks for some customers. The conference came at the same time as CrowdStrike released its root cause analysis that explained what happened the day of the outage. In short, CrowdStrike conceded that it messed up but said it's taken steps to prevent the same incident happening again. And some cybersecurity professionals attending Black Hat appeared ready to give the company a second chance....

TechCrunch spoke to more than a dozen conference attendees who visited the CrowdStrike booth. More than half of attendees we spoke with expressed a positive view of the company following the outage. "Does it lower my opinion of their ability to be a leading-edge security company? I don't think so," said a U.S. government employee, who said he uses CrowdStrike every day.

Although TechCrunch does note that one engineer told his parent company they might consider Crowdstrike competitor Sophos...
Crime

Cyber-Heist of 2.9 Billion Personal Records Leads to Class Action Lawsuit (theregister.com) 18

"A lawsuit has accused a Florida data broker of carelessly failing to secure billions of records of people's private information," reports the Register, "which was subsequently stolen from the biz and sold on an online criminal marketplace." California resident Christopher Hofmann filed the potential class-action complaint against Jerico Pictures, doing business as National Public Data, a Coral Springs-based firm that provides APIs so that companies can perform things like background checks on people and look up folks' criminal records. As such National Public Data holds a lot of highly personal information, which ended up being stolen in a cyberattack. According to the suit, filed in a southern Florida federal district court, Hofmann is one of the individuals whose sensitive information was pilfered by crooks and then put up for sale for $3.5 million on an underworld forum in April.

If the thieves are to be believed, the database included 2.9 billion records on all US, Canadian, and British citizens, and included their full names, addresses, and address history going back at least three decades, social security numbers, and the names of their parents, siblings, and relatives, some of whom have been dead for nearly 20 years.

Hofmann's lawsuit says he 'believes that his personally identifiable information was scraped from non-public sources," according to the article — which adds that Hofmann "claims he never provided this sensitive info to National Public Data...

"The Florida firm stands accused of negligently storing the database in a way that was accessible to the thieves, without encrypting its contents nor redacting any of the individuals' sensitive information." Hofmann, on behalf of potentially millions of other plaintiffs, has asked the court to require National Public Data to destroy all personal information belonging to the class-action members and use encryption, among other data protection methods in the future... Additionally, it seeks unspecified monetary relief for the data theft victims, including "actual, statutory, nominal, and consequential damages."
Government

How America's FBI Sabotaged Tech-Stealing Spies from the USSR (politico.com) 27

FBI agent Rick Smith remembered seeing that Austrian-born Silicon Valley entrepreneur one year earlier — walking into San Francisco's Soviet Consulate in the early 1980s. Their chance reunion at a bar "would sow the seeds for a major counterintelligence campaign," writes a national security journalist in Politico, describing the collaboration as "an FBI-led operation that sold the Soviet Bloc millions in secretly sabotaged U.S. hi-tech."

The Austrian was already selling American tech goods to European countries, and "By the early 1980s, the FBI knew the Soviet Union was desperate for cutting-edge American technology, like the U.S.-produced microchips then revolutionizing a vast array of digital devices, including military systems..." Moscow's spies worked assiduously to steal such dual use tech or purchase it covertly. The Soviet Union's ballistic missile programs, air defense systems, electronic spying platforms, and even space shuttles, depended on it.... But such tech-focused sanctions-evasion schemes by America's foes offer opportunities for U.S. intelligence, too — including the opportunity to launch ultra-secret sabotage campaigns to alter sensitive technologies before they reach their final destination... Working under the FBI's direction, the Austrian agreed to pose as a crook, a man willing to sell prohibited technology to the communist Eastern Bloc... [T]he FBI and the Austrian would seed faulty tech to Moscow and its allies; drain the Soviet Bloc's coffers; expose its intelligence officers and secret American conspirators; and reveal to American counterspies exactly what tech the Soviets were after...

[T]he Soviet Bloc would unknowingly purchase millions of dollars' worth of sabotaged U.S. goods. Communist spies, ignorant that they were being played, would be feted with a literal parade in a Warsaw Pact capital for their success in purchasing this forbidden technology from the West... The Austrian's connections now presented a major opportunity. The Bulgarians, and their East German and Russia allies, were going to get that forbidden tech. But not before the FBI tampered with it first...

Some of the tech was subtly altered before the Bulgarians could get their hands on it. Some was rendered completely unusable. Some of it was shipped unadulterated to keep the operation humming — and allay any suspicions from the Eastern Bloc about what might be going on. And some of it never made its way to the Bulgarians at all. In one case, the bureau intercepted a $400,000 order of computer hardware from the San Jose-based firm Proquip and shipped out 6,000 pounds of sandbags instead.... Some suffered what appeared to be "accidental" wear-and-tear during the long journey to the Eastern Bloc, recalled Ed Appel [a former senior FBI official]. Other times, the FBI would tamper with the electronics so they would experience "chance" voltage overloads once Soviet Bloc operatives plugged them in. The sabotage could also be more subtle, designed to degrade machine parts or microchips over time, or to render hi-tech tools that required intense precision slightly, if imperceptibly, inaccurate.

The article concludes that "While the Soviet Union might have imploded over three decades ago... Russia's intelligence services are still scouring the globe for prohibited U.S. tech, particularly since Moscow's February 2022 invasion of Ukraine...

"Russia has reportedly even covertly imported household items like refrigerators and washing machines to rip out the microchips within them for use in military equipment."
Crime

North Korean Group Infiltrated 100-Plus Firms with Imposter IT Pros (csoonline.com) 16

"CrowdStrike has continued doing what gave it such an expansive footprint in the first place," writes CSO Online — "detecting cyber threats and protecting its clients from them."

They interviewed Adam Meyers, CrowdStrike's SVP of counter adversary operations, whose team produced their 2024 Threat Hunting Report (released this week at the Black Hat conference). Of seven case studies presented in the report, the most daring is that of a group CrowdStrike calls Famous Chollima, an alleged DPRK-nexus group. Starting with a single incident in April 2024, CrowdStrike discovered that a group of North Koreans, posing as American workers, had been hired for multiple remote IT worker jobs in early 2023 at more than thirty US-based companies, including aerospace, defense, retail, and technology organizations.

CrowdStrike's threat hunters discovered that after obtaining employee-level access to victim networks, the phony workers performed at minimal enough levels to keep their jobs while attempting to exfiltrate data using Git, SharePoint, and OneDrive and installing remote monitoring and management (RMM) tools RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop. The workers leveraged these RMM tools with company network credentials, enabling numerous IP addresses to connect to victims' systems.

CrowdStrike's OverWatch hunters, a team of experts conducting analysis, hunted for RMM tooling combined with suspicious connections surfaced by the company's Falcon Identity Protection module to find more personas and additional indicators of compromise. CrowdStrike ultimately found that over 100 companies, most US-based technology entities, had hired Famous Chollima workers. The OverWatch team contacted victimized companies to inform them about potential insider threats and quickly corroborated its findings.

Thanks to Slashdot reader snydeq for sharing the news.
Security

'Sinkclose' Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections (wired.com) 57

An anonymous reader quotes a report from Wired: Security flaws in your computer's firmware, the deep-seated code that loads first when you turn the machine on and controls even how its operating system boots up, have long been a target for hackers looking for a stealthy foothold. But only rarely does that kind of vulnerability appear not in the firmware of any particular computer maker, but in the chips found across hundreds of millions of PCs and servers. Now security researchers have found one such flaw that has persisted in AMD processors for decades, and that would allow malware to burrow deep enough into a computer's memory that, in many cases, it may be easier to discard a machine than to disinfect it. At the Defcon hacker conference tomorrow, Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, plan to present a vulnerability in AMD chips they're calling Sinkclose. The flaw would allow hackers to run their own code in one of the most privileged modes of an AMD processor, known as System Management Mode, designed to be reserved only for a specific, protected portion of its firmware. IOActive's researchers warn that it affects virtually all AMD chips dating back to 2006, or possibly even earlier.

Nissim and Okupski note that exploiting the bug would require hackers to already have obtained relatively deep access to an AMD-based PC or server, but that the Sinkclose flaw would then allow them to plant their malicious code far deeper still. In fact, for any machine with one of the vulnerable AMD chips, the IOActive researchers warn that an attacker could infect the computer with malware known as a "bootkit" that evades antivirus tools and is potentially invisible to the operating system, while offering a hacker full access to tamper with the machine and surveil its activity. For systems with certain faulty configurations in how a computer maker implemented AMD's security feature known as Platform Secure Boot -- which the researchers warn encompasses the large majority of the systems they tested -- a malware infection installed via Sinkclose could be harder yet to detect or remediate, they say, surviving even a reinstallation of the operating system. Only opening a computer's case, physically connecting directly to a certain portion of its memory chips with a hardware-based programming tool known as SPI Flash programmer and meticulously scouring the memory would allow the malware to be removed, Okupski says. Nissim sums up that worst-case scenario in more practical terms: "You basically have to throw your computer away."
In a statement shared with WIRED, AMD said it "released mitigation options for its AMD EPYC datacenter products and AMD Ryzen PC products, with mitigations for AMD embedded products coming soon."

The company also noted that it released patches for its EPYC processors earlier this year. It did not answer questions about how it intends to fix the Sinkclose vulnerability.
Security

Cow and Calf Die After Hackers Attack Farm's Milking Robot (agrarheute.com) 39

According to Agrarheute, hackers launched a cyberattack on a Swiss farmer's computer system, disrupting the flow of vital data from a milking robot. Tragically, this led to the death of a cow and her calf. From the report (translated from German into English): According to the CSO, hackers attacked the computers of a farmer from Hagendorn. The dairy farmer's milking robot was also connected to these computers. When the animal owner stopped receiving milking data, he initially suspected a dead zone. But then he learned from the manufacturer of his milking system that he had been hacked. Apparently it was a ransomware attack. The hackers demanded $10,000 to decrypt the data. The farmer considered whether he should give in to the cyber criminals' demands. At first he thought the data on the amount of milk produced was bearable. In addition, the milking robot also worked without a computer or network connection. The cows could therefore continue to be milked.

For one cow , however, the cyberattack ended tragically. The farmer normally receives vital data from his cows via the system. This is particularly important and critical for pregnant animals. One cow's calf died in the womb. Because the computer was paralyzed, Bircher was unable to recognize the emergency in time. They tried everything to at least save the cow, but in the end it had to be put down. Overall, the attack caused monetary damages amounting to the equivalent of over 6,400 euros, mainly due to veterinary costs and the purchase of a new computer. However, the hackers came away empty-handed.

Programming

Agile is Killing Software Innovation, Says Moxie Marlinspike (theregister.com) 184

There's a rot at the heart of modern software development that's destroying innovation, and infosec legend Moxie Marlinspike believes he knows exactly what's to blame: Agile development. Marlinspike argued that Agile methodologies, widely adopted over the past two decades, have confined developers to "black box abstraction layers" that limit creativity and understanding of underlying systems.

"We spent the past 20 years onboarding people into software by putting them into black box abstraction layers, and then putting them into organizations composed of black box abstraction layers," Marlinspike said. He contended this approach has left many software engineers unable to do more than derivative work, lacking the deep understanding necessary for groundbreaking developments. Thistle Technologies CEO Window Snyder echoed these concerns, noting that many programmers now lack knowledge of low-level languages and machine code interactions. Marlinspike posited that security researchers, who routinely probe beneath surface-level abstractions, are better positioned to drive innovation in software development.
Security

Sellafield, World's Largest Store of Plutonium, Apologizes After Guilty Plea Over String of Cybersecurity Failings (theguardian.com) 27

Bruce66423 writes: Sellafield [U.K.'s largest nuclear site] has apologised after pleading guilty to criminal charges relating to a string of cybersecurity failings at Britain's most hazardous nuclear site, which it admitted could have threatened national security.

Among the failings at the vast nuclear waste dump in Cumbria was the discovery that 75% of its computer servers were vulnerable to cyber-attacks, Westminster magistrates court in London heard. Information that could threaten national security was left exposed for four years, the nuclear watchdog revealed, and Sellafield said it had been performing critical IT health checks that were not, in fact, being carried out.

The Guardian's investigation also revealed concerns about external contractors being able to plug memory sticks into Sellafield's system while unsupervised and that its computer servers were deemed so insecure that the problem was nicknamed Voldemort after the Harry Potter villain because it was so sensitive and dangerous.

The good news is that the problem has been spotted. The bad news is that there can be no meaningful punishment for a government owned company. One can only hope that they will do better in the future.

Microsoft

Microsoft Researchers Report Iran Hackers Targeting US Officials Before Election (reuters.com) 35

Microsoft researchers said on Friday that Iran government-tied hackers tried breaking into the account of a "high ranking official" on the U.S. presidential campaign in June, weeks after breaching the account of a county-level U.S. official. From a report: The breaches were part of Iranian groups' increasing attempts to influence the U.S. presidential election in November, the researchers said in a report that did not provide any further detail on the "official" in question.

The report follows recent statements by senior U.S. Intelligence officials that they'd seen Iran ramp up use of clandestine social media accounts with the aim to use them to try to sow political discord in the United States. Iran's mission to the United Nations in New York told Reuters in a statement that its cyber capabilities were "defensive and proportionate to the threats it faces" and that it had no plans to launch cyber attacks.

Slashdot Top Deals