Enlarge / Be sure you know what you're getting into before buying and using unfamiliarly branded smartphones—especially international models not originally intended for your country. (credit: Clover No. 7 Photography via Getty Images)

The Lithuanian National Cyber Security Centre (NCSC) recently published a security assessment of three recent-model Chinese-made smartphones—Huawei's P40 5G, Xiaomi's Mi 10T 5G, and OnePlus' 8T 5G. Sufficiently determined US shoppers can find the P40 5G on Amazon and the Mi 10T 5G on Walmart.com—but we will not be providing direct links to those phones, given the results of the NCSC's security audit.

The Xiaomi phone includes software modules specifically designed to leak data to Chinese authorities and to censor media related to topics the Chinese government considers sensitive. The Huawei phone replaces the standard Google Play application store with third-party substitutes the NCSC found to harbor sketchy, potentially malicious repackaging of common applications.

The OnePlus 8T 5G—arguably, the best-known and most widely marketed phone of the three—was the only one to escape the NCSC's scrutiny without any red flags raised.

Enlarge (credit: Icons8 Team)

Quebec-based provider of telephony services VoIP.ms is facing an aggressive Distributed Denial of Service (DDoS) cyber attack, causing a disruption in phone calls and services. The incident began around September 16 and has put a strain on the VoIP provider's systems, websites, and operations.

VoIP.ms serves over 80,000 customers across 125 countries, many of whom are now facing issues with voice calls.

Voice calls and services disrupted by DDoS attack

Last week, Canadian voice-over-IP service provider VoIP.ms announced that it became aware of an issue that was preventing customers from accessing its website and was working toward a solution. Fast-forward to today: the issue is ongoing and has been attributed to a persistent DDoS attack.

Enlarge (credit: Dmitry Chernyshov)

A code execution bug in Apple's macOS allows remote attackers to run arbitrary commands on your device. And the worst part is, Apple hasn't fully patched it yet, as tested by Ars.

Those shortcut files can take over your Mac

Independent security researcher Park Minchan has discovered a vulnerability in the macOS that lets threat actors execute commands on your computer. Shortcut files that have the inetloc extension are capable of embedding commands inside. The flaw impacts macOS Big Sur and prior versions.

"A vulnerability in the way macOS processes inetloc files causes it to run commands embedded inside, the commands it runs can be local to the macOS allowing the execution of arbitrary commands by the user without any warning / prompts," explains Minchan. "Originally, inetloc files are shortcuts to an Internet location, such as an RSS feed or a telnet location; and contain the server address and possibly a username and password for SSH and telnet connections; can be created by typing a URL in a text editor and dragging the text to the Desktop."

Enlarge / It probably shouldn't be considered "surprising" when a Linux certification entity reports that Linux certifications are highly desirable. (credit: Linux Foundation)

The Linux Foundation released its 2021 Open Source Jobs Report this month, which aims to inform both sides of the IT hiring process about current trends. The report accurately foreshadows many of its conclusions in the first paragraph, saying "the talent gap that existed before the pandemic has worsened due to an acceleration of cloud-native adoption as remote work has gone mainstream." In other words: job-shopping Kubernetes and AWS experts are in luck.

The Foundation surveyed roughly 200 hiring managers and 750 open source professionals to find out which skills—and HR-friendly resume bullet points—are in the greatest demand. According to the report, college-degree requirements are trending down, but IT-certification requirements and/or preferences are trending up—and for the first time, "cloud-native" skills (such as Kubernetes management) are in higher demand than traditional Linux skills.

The hiring priority shift from traditional Linux to "cloud-native" skill sets implies that it's becoming more possible to live and breathe containers without necessarily understanding what's inside them—but you can't have Kubernetes, Docker, or similar computing stacks without a traditional operating system beneath them. In theory, any traditional operating system could become the foundation of a cloud-native stack—but in practice, Linux is overwhelmingly what clouds are made of.

Enlarge / The seal of the Federal Bureau of Investigation (FBI) is seen at the J. Edgar Hoover building in Washington, D.C. (credit: Andrew Harrer/Bloomberg)

For three weeks during the REvil ransomeware attack this summer, the FBI secretly withheld the key that would have decrypted data and computers on up to 1,500 networks, including those run by hospitals, schools, and businesses.

The FBI had penetrated the REvil gang’s servers to obtain the key, but after discussing it with other agencies, the bureau decided to wait before sending it to victims for fear of tipping off the criminals, The Washington Post reports. The FBI hadn’t want to tip off the REvil gang and had hoped to take down their operations, sources told the Post.

Instead, REvil went dark on July 13 before the FBI could step in. For reasons that haven’t been explained, the FBI didn’t cough up the key until July 21.

Enlarge (credit: Raphael Rychetsky)

Iowa-based provider of agriculture services NEW Cooperative Inc. has been hit by a ransomware attack, forcing it to take its systems offline. The BlackMatter group that is behind the attack has put forth a $5.9 million ransom demand. The farming cooperative is seen stating the attack could significantly impact the public supply of grain, pork, and chicken if it cannot bring its systems back online.

BlackMatter says it doesn’t hit “critical infrastructure”

Ransomware group BlackMatter has hit NEW Cooperative and is demanding $5.9 million to provide a decryptor, according to screenshots shared online by threat intel analysts.

"Your website says you do not attack critical infrastructure. We are critical infrastructure... intertwined with the food supply chain in the US. If we are not able to recover very shortly, there is going to be very very public disruption to the grain, pork, and chicken supply chain," a NEW Cooperative representative appears to be telling BlackMatter during a private negotiation chat.

Enlarge / If Alaska's native Ursus arctos population could be enlisted for cyber defense patrols, attackers might need paws for reflection before committing a criminal breach. (credit: Jared Lloyd via Getty Images)

Last week, Alaska's Department of Health and Social Services (DHSS) disclosed a security breach apparently made by a sophisticated nation-state level attacker.

According to DHSS—which contracted with well-known security firm Mandiant to investigate the breach—the attackers gained a foothold inside DHSS' network via one of its public-facing websites, from which it pivoted to deeper resources.

A months-long saga

This is not the first report of the DHSS breach. The organization first publicly announced the intrusion on May 18, with a June update announcing a multipronged investigation, and one more in August on completion of the first of three investigatory steps.

Enlarge (credit: Tom Roberts)

Epik has now confirmed that an "unauthorized intrusion" did in fact occur into its systems. The announcement follows last week's incident of hacktivist collective Anonymous leaking 180 GB of data stolen from online service provider Epik. To mock the company's initial response to the data breach claims, Anonymous had altered Epik's official knowledge base, as reported by Ars.

Epik is a domain registrar and web services provider known to serve right-wing clients, some of which have been turned down by more mainstream IT providers due to the objectionable and sometimes illicit content hosted by the clients. Epik's clients have included the Texas GOP, Parler, Gab, and 8chan, among others.

Epik hack impacts millions of non-customers, too

Turns out, the leaked data dump contains 15,003,961 email addresses belonging to both Epik's customers and non-customers, and not everyone is pleased with the news. This occurred as Epik had scraped WHOIS records of domains, even those not owned by the company, and stored these records. In doing so, the contact information of those who have never transacted with Epik directly was also retained in Epik's systems.

Enlarge / An anti-government graffiti that reads in Farsi "Death to the dictator" is sprayed at a wall north of Tehran on September 30, 2009. (credit: Getty Images)

Amid ever-increasing government Internet control, surveillance, and censorship in Iran, a new Android app aims to give Iranians a way to speak freely.

Nahoft, which means “hidden” in Farsi, is an encryption tool that turns up to 1,000 characters of Farsi text into a jumble of random words. You can send this mélange to a friend over any communication platform—Telegram, WhatsApp, Google Chat, etc.—and then they run it through Nahoft on their device to decipher what you’ve said.

Released last week on Google Play by United for Iran, a San Francisco–based human rights and civil liberties group, Nahoft is designed to address multiple aspects of Iran's Internet crackdown. In addition to generating coded messages, the app can also encrypt communications and embed them imperceptibly in image files, a technique known as steganography. Recipients then use Nahoft to inspect the image file on their end and extract the hidden message.

Enlarge / Screenshot from the Starlink order page, with the street address blotted out. (credit: SpaceX Starlink)

SpaceX's Starlink satellite-broadband service will emerge from beta in October, CEO Elon Musk said last night. Musk provided the answer of "next month" in response to a Twitter user who asked when Starlink will come out of beta.

SpaceX began sending email invitations to Starlink's public beta in October 2020. The service is far from perfect, as trees can disrupt the line-of-sight connections to satellites and the satellite dishes go into "thermal shutdown" in hot areas. But for people in areas where wired ISPs have never deployed cable or fiber, Starlink is still a promising alternative, and service should improve as SpaceX launches more satellites and refines its software.

SpaceX has said it is serving over 100,000 Starlink users in a dozen countries from more than 1,700 satellites. The company has been taking preorders for post-beta service and said in May that "over half a million people have placed an order or put down a deposit for Starlink."

Enlarge (credit: Austin Distel)

SushiSwap's chief technology officer says the company's MISO platform has been hit by a software supply chain attack. SushiSwap is a community-driven decentralized finance (DeFi) platform that lets users swap, earn, lend, borrow, and leverage cryptocurrency assets all from one place. Launched earlier this year, Sushi's newest offering, Minimal Initial SushiSwap Offering (MISO), is a token launchpad that lets projects launch their own tokens on the Sushi network.

Unlike cryptocurrency coins that need a native blockchain and substantive groundwork, DeFi tokens are an easier alternative to implement, as they can function on an existing blockchain. For example, anybody can create their own "digital tokens" on top of the Ethereum blockchain without having to recreate a new cryptocurrency altogether.

Attacker steals $3 million in Ethereum via one GitHub commit

In a Twitter thread today, SushiSwap CTO Joseph Delong announced that an auction on MISO launchpad had been hijacked via a supply chain attack. An "anonymous contractor" with the GitHub handle AristoK3 and access to the project's code repository had pushed a malicious code commit that was distributed on the platform's front-end.

Enlarge (credit: Carl Court / Getty Images)

Telegram has exploded as a hub for cybercriminals looking to buy, sell, and share stolen data and hacking tools, new research shows, as the messaging app emerges as an alternative to the dark web.

An investigation by cyber intelligence group Cyberint, together with the Financial Times, found a ballooning network of hackers sharing data leaks on the popular messaging platform, sometimes in channels with tens of thousands of subscribers, lured by its ease of use and light-touch moderation.

In many cases, the content resembled that of the marketplaces found on the dark web, a group of hidden websites that are popular among hackers and accessed using specific anonymizing software.

Enlarge (credit: Microsoft)

New versions of Microsoft Office aren't as big a deal as they used to be, thanks to the continuously updated (and continuously paid-for) versions of the apps that come with a Microsoft 365 subscription. But for everyone else, there's still Office 2021, an upgrade to Office 2019 that's coming to both Windows and macOS on October 5, Microsoft announced today. Office 2021 will add the same features as the Office Long-Term Servicing Channel (or LTSC—catchy!) release, which is available today.

Compared to Office 2019, the last "perpetual" version of Office, the new version includes Dark Mode support, support for version 1.3 of the OpenDocument format, new Excel functions and formulas, improved slide show recording for PowerPoint, and various user-interface tweaks and enhancements. Microsoft lists most of the new features here.

The company plans to offer five years of "Mainstream Support" for Office 2021 without any extended support beyond that. The end date for Office 2021 support is in October of 2026, just a year after support ends for the Windows versions of Office 2016 and Office 2019.

Enlarge (credit: Tom Roberts)

Hacktivist collective Anonymous claims to have obtained gigabytes of data from Epik, which provides domain name, hosting, and DNS services for a variety of clients. These include the Texas GOP, Gab, Parler, and 8chan, among other right-wing sites. The stolen data has been released as a torrent. The hacktivist collective says that the data set, which is over 180GB in size, contains a "decade's worth of data from the company."

Anonymous says the data set is "all that's needed to trace actual ownership and management of the fascist side of the Internet that has eluded researchers, activists, and, well, just about everybody." If this information is correct, Epik's customers' data and identities could now fall into the hands of activists, researchers, and just about anyone curious enough to take a peek.

Decades of Epik stuff, now in a torrent near you

Epik is a domain registrar and web services provider known to serve right-wing clients, some of which have been turned down by more mainstream IT providers due to the objectionable and sometimes illicit content hosted by the clients.

Enlarge (credit: Getty Images)

Microsoft has been working to make passwordless sign-in for Windows and Microsoft accounts a reality for years now, and today those efforts come to fruition: The Verge reports that starting today, users can completely remove their passwords from their Microsoft accounts and opt to rely on Microsoft Authenticator or some other form of verification to sign in on new devices. Microsoft added passwordless login support for work and school accounts back in March, but this is the first time the feature has been offered for regular, old individual Microsoft accounts.

Passwordless accounts improve security by taking passwords out of the equation entirely, making it impossible to get any kind of access to your full account information without access to whatever you use to verify your identity for two-factor authentication. Even if you protect your Microsoft account with two-factor authentication, an attacker who knows your Microsoft account password could still try that password on other sites to see if you've reused it anywhere. And some forms of two-factor authentication, particularly SMS-based 2FA, have security problems of their own.

Microsoft has offered passwordless authentication for Windows 10 and Microsoft accounts for a while now, and if you're already taking advantage of those features, nothing about how you sign in to your devices has to change. You just need to visit the Microsoft Account site, go to the Security tab, select "Advanced security options," and turn on the passwordless account feature to remove your password entirely.

Enlarge (credit: Getty Images)

A security flaw in Travis CI potentially exposed the secrets of thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. A vulnerability in the tool made it possible for secure environment variables—signing keys, access credentials, and API tokens of all public open source projects—to be exfiltrated.

Worse, the dev community is upset about the poor handling of the vulnerability disclosure process and the brief "security bulletin" it had to force out of Travis.

Environment variables injected into pull request builds

Travis CI is a popular software-testing tool due to its seamless integration with GitHub and Bitbucket. As the makers of the tool explain:

Enlarge (credit: Aurich Lawson | Getty Images)

Apple has released several security updates this week to patch a "FORCEDENTRY" vulnerability on iOS devices. The "zero-click, zero-day" vulnerability has been actively exploited by Pegasus, a spyware app developed by the Israeli company NSO Group, which has been known to target activists, journalists, and prominent people around the world.

Tracked as CVE-2021-30860, the vulnerability needs little to no interaction by an iPhone user to be exploited—hence the name "FORCEDENTRY."

Discovered on a Saudi activist’s iPhone

In March, researchers at The Citizen Lab decided to analyze the iPhone of an unnamed Saudi activist who was targeted by NSO Group's Pegasus spyware. They obtained an iTunes backup of the device, and a review of the dump revealed 27 copies of a mysterious GIF file in various places—except the files were not images.

Enlarge / This isn't how the OMIGOD vulnerability works, of course—but lightning is much more photogenic than maliciously crafted XML. (credit: Aurich Lawson | Getty Images)

Cloud security vendor Wiz—which recently made news by discovering a massive vulnerability in Microsoft Azure's CosmosDB-managed database service—has found another hole in Azure.

The new vulnerability impacts Linux virtual machines on Azure. They end up with a little-known service called OMI installed as a byproduct of enabling any of several logging reporting and/or management options in Azure's UI.

At its worst, the vulnerability in OMI could be leveraged into remote root code execution—although thankfully, Azure's on-by-default, outside-the-VM firewall will limit it to most customers' internal networks only.

Enlarge / If you don't maintain good relationships with bug reporters, you may not get to control the disclosure timeline. (credit: mhatzapa via Getty Images / Jim Salter)

The Washington Post reported earlier today that Apple's relationship with third-party security researchers could use some additional fine tuning. Specifically, Apple's "bug bounty" program—a way companies encourage ethical security researchers to find and responsibly disclose security problems with its products—appears less researcher-friendly and slower to pay than the industry standard.

The Post says it interviewed more than two dozen security researchers who contrasted Apple's bug bounty program with similar programs at competitors including Facebook, Microsoft, and Google. Those researchers allege serious communication issues and a general lack of trust between Apple and the infosec community its bounties are supposed to be enticing—"a bug bounty program where the house always wins," according to Luta Security CEO Katie Moussouris.

Poor communication and unpaid bounties

Software engineer Tian Zhang appears to be a perfect example of Moussouris' anecdote. In 2017, Zhang reported a major security flaw in HomeKit, Apple's home automation platform. Essentially, the flaw allowed anyone with an Apple Watch to take over any HomeKit-managed accessories physically near them—including smart locks, as well as security cameras and lights.

Enlarge / The security of Facebook's popular messaging app leaves several rather important devils in its details. (credit: WhatsApp)

Yesterday, independent newsroom ProPublica published a detailed piece examining the popular WhatsApp messaging platform's privacy claims. The service famously offers "end-to-end encryption," which most users interpret as meaning that Facebook, WhatsApp's owner since 2014, can neither read messages itself nor forward them to law enforcement.

This claim is contradicted by the simple fact that Facebook employs about 1,000 WhatsApp moderators whose entire job is—you guessed it—reviewing WhatsApp messages that have been flagged as "improper."

End-to-end encryption—but what’s an “end”?

The loophole in WhatsApp's end-to-end encryption is simple: The recipient of any WhatsApp message can flag it. Once flagged, the message is copied on the recipient's device and sent as a separate message to Facebook for review.