An anonymous reader writes from a report via ZDNet: Three academics from Northeastern University and three researchers from IBM Research have discovered a new variation of the Spectre CPU vulnerability that can be exploited via browser-based code. The vulnerability, which researchers codenamed SplitSpectre, is a variation of the original Spectre v1 vulnerability discovered last year and which became public in January 2018. The difference in SplitSpectre is not in what parts of a CPU's microarchitecture the flaw targets, but how the attack is carried out. Researchers say a SplitSpectre attack is both faster and easier to execute, improving an attacker's ability to recover code from targeted CPUs. The research team says they were successfully able to carry out a SplitSpectre attack against Intel Haswell and Skylake CPUs, and AMD Ryzen processors, via SpiderMonkey 52.7.4, Firefox's JavaScript engine. The good news is that existing Spectre mitigations would thwart the SplitSpectre attacks.

The Secret Service is planning to test facial recognition surveillance around the White House, "with the goal of identifying 'subjects of interest' who might pose a threat to the president," reports The Verge. The document with the plans was published by the American Civil Liberties Union, describing "a test that would compare closed circuit video footage of public White House spaces against a database of images -- in this case, featuring employees who volunteered to be tracked." From the report: The test was scheduled to begin on November 19th and to end on August 30th, 2019. While it's running, film footage with a facial match will be saved, then confirmed by human evaluators and eventually deleted. The document acknowledges that running facial recognition technology on unaware visitors could be invasive, but it notes that the White House complex is already a "highly monitored area" and people can choose to avoid visiting. We don't know whether the test is actually in operation, however. "For operational security purposes we do not comment on the means and methods of how we conduct our protective operations," a spokesperson told The Verge.

The ACLU says that the current test seems appropriately narrow, but that it "crosses an important line by opening the door to the mass, suspicionless scrutiny of Americans on public sidewalks" -- like the road outside the White House. (The program's technology is supposed to analyze faces up to 20 yards from the camera.) "Face recognition is one of the most dangerous biometrics from a privacy standpoint because it can so easily be expanded and abused -- including by being deployed on a mass scale without people's knowledge or permission."

schwit1 shares a report from CBS News: Information sharing website Quora has announced a data breach which has exposed "approximately 100 million users'" personal data. The company said in a statement released Monday that it discovered the "unauthorized access to one of our systems by a malicious third party," on Friday. Chief Executive Adam D'Angelo wrote in the blog post that Quora had alerted law enforcement authorities and was "working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future." D'Angelo said Quora was working to alert the affected users of the site, whose names, email addresses and encrypted passwords, and public content such as their questions, answers and comments, were exposed through the breach. Those users would be required to reset their passwords, D'Angelo said.

Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It's a CVSS 9.8 critical security hole. From a report: With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend. Adding insult to injury, these requests are authenticated with the Kubernetes API server's Transport Layer Security (TLS) credentials. Can you say root? I knew you could. Worse still, "In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation." So, yes, anyone who knows about this hole can take command of your Kubernetes cluster.

The National Republican Congressional Committee was hacked this election cycle, it admitted Tuesday afternoon. From a report: "The NRCC can confirm that it was the victim of a cyber intrusion by an unknown entity. The cybersecurity of the Committee's data is paramount, and upon learning of the intrusion, the NRCC immediately launched an internal investigation and notified the FBI, which is now investigating the matter," NRCC spokesman Ian Prior said in a statement.

"To protect the integrity of that investigation, the NRCC will offer no further comment on the incident." The major breach included thousands of emails from four senior aides, according to Politico, which first reported the hacks. An outside vendor noticed and alerted the committee in April. The committee then launched an internal investigation and alerted the FBI.

An anonymous reader quotes a report from TechCrunch: Last Friday, Marriott sent out millions of emails warning of a massive data breach -- some 500 million guest reservations had been stolen from its Starwood database. One problem: the email sender's domain didn't look like it came from Marriott at all. Marriott sent its notification email from "email-marriott.com," which is registered to a third party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate -- the domain doesn't load or have an identifying HTTPS certificate. In fact, there's no easy way to check that the domain is real, except a buried note on Marriott's data breach notification site that confirms the domain as legitimate. But what makes matters worse is that the email is easily spoofable.

Many others have sounded the alarm on Marriott's lackluster data breach response. Security expert Troy Hunt, who founded data breach notification site Have I Been Pwned, posted a long tweet thread on the hotel chain giant's use of the problematic domain. As it happens, the domain dates back at least to the start of this year when Marriott used the domain to ask its users to update their passwords. Williams isn't the only one who's resorted to defending Marriott customers from cybercriminals. Nick Carr, who works at security giant FireEye, registered the similarly named "email-mariott.com" on the day of the Marriott breach. "Please watch where you click," he wrote on the site. "Hopefully this is one less site used to confuse victims." Had Marriott just sent the email from its own domain, it wouldn't be an issue.