Ars Technica - Technology Lab

Hackers alter stolen regulatory data to sow mistrust in COVID-19 vaccine

Fri, 15 Jan 2021 22:40:48 GMT

Enlarge (credit: Getty Images)

Last month, the makers of one of the most promising coronavirus vaccines reported that hackers stole confidential documents they had submitted to a European Union regulatory body. On Friday, word emerged that the hackers have falsified some of the submissions’ contents and published them on the Internet.

Studies of the BNT162b2 vaccine jointly developed by pharmaceutical companies Pfizer and BioNTech found it’s 95 percent effective at preventing COVID-19 and is consistently effective across age, gender, race, and ethnicity demographics. Despite near-universal consensus among scientists that the vaccine is safe, some critics have worried it isn’t. The hackers appear to be trying to stoke those unsupported worries.

Data unlawfully accessed by the hackers “included internal/confidential email correspondence dating from November, relating to evaluation processes for COVID-19 vaccines,” the European Medicines Agency based in Amsterdam said in a statement. “Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines.”

Read 4 remaining paragraphs | Comments

How law enforcement gets around your smartphone’s encryption

Fri, 15 Jan 2021 17:54:24 GMT

Enlarge / Uberwachung, Symbolbild, Datensicherheit, Datenhoheit (credit: Westend61 | Getty Images)

Lawmakers and law enforcement agencies around the world, including in the United States, have increasingly called for backdoors in the encryption schemes that protect your data, arguing that national security is at stake. But new research indicates governments already have methods and tools that, for better or worse, let them access locked smartphones thanks to weaknesses in the security schemes of Android and iOS.

Cryptographers at Johns Hopkins University used publicly available documentation from Apple and Google as well as their own analysis to assess the robustness of Android and iOS encryption. They also studied more than a decade's worth of reports about which of these mobile security features law enforcement and criminals have previously bypassed, or can currently, using special hacking tools. The researchers have dug into the current mobile privacy state of affairs and provided technical recommendations for how the two major mobile operating systems can continue to improve their protections.

“It just really shocked me, because I came into this project thinking that these phones are really protecting user data well,” says Johns Hopkins cryptographer Matthew Green, who oversaw the research. “Now I’ve come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?”

Read 19 remaining paragraphs | Comments

The NSA warns enterprises to beware of third-party DNS resolvers

Fri, 15 Jan 2021 12:58:02 GMT

Enlarge (credit: Getty Images)

DNS over HTTPS is a new protocol that protects domain-lookup traffic from eavesdropping and manipulation by malicious parties. Rather than an end-user device communicating with a DNS server over a plaintext channel—as DNS has done for more than three decades—DoH, as DNS over HTTPS is known, encrypts requests and responses using the same encryption websites rely on to send and receive HTTPS traffic.

Using DoH or a similar protocol known as DoT—short for DNS over TLS—is a no brainer in 2021, since DNS traffic can be every bit as sensitive as any other data sent over the Internet. On Thursday, however, the National Security Agency said in some cases Fortune 500 companies, large government agencies, and other enterprise users are better off not using it. The reason: the same encryption that thwarts malicious third parties can hamper engineers’ efforts to secure their networks.

“DoH provides the benefit of encrypted DNS transactions, but it can also bring issues to enterprises, including a false sense of security, bypassing of DNS monitoring and protections, concerns for internal network configurations and information, and exploitation of upstream DNS traffic,” NSA officials wrote in published recommendations. “In some cases, individual client applications may enable DoH using external resolvers, causing some of these issues automatically.”

Read 16 remaining paragraphs | Comments

Hackers used 4 zero-days to infect Windows and Android devices

Wed, 13 Jan 2021 21:16:15 GMT

Enlarge (credit: Getty Images)

Google researchers have detailed a sophisticated hacking operation that exploited vulnerabilities in Chrome and Windows to install malware on Android and Windows devices.

Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most outside researchers (both companies have since patched the security flaws). The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by the targets of interest and lace the sites with code that installs malware on visitors’ devices. The boobytrapped sites made use of two exploit servers, one for Windows users and the other for users of Android.

Not your average hackers

The use of zero-days and complex infrastructure isn’t in itself a sign of sophistication, but it does show above-average skill by a professional team of hackers. Combined with the robustness of the attack code—which chained together multiple exploits in an efficient manner—the campaign demonstrates it was carried out by a “highly sophisticated actor.”

Read 7 remaining paragraphs | Comments

AT&T kills off the failed TV service formerly known as DirecTV Now

Wed, 13 Jan 2021 20:46:46 GMT

Enlarge / AT&T corporate offices on November 10, 2020, in El Segundo, California. (credit: Getty Images | AaronP/Bauer-Griffin)

AT&T is killing off the online-video service formerly known as DirecTV Now and introducing a no-contract option for the newer online service that replaced it.

AT&T unveiled DirecTV Now late in 2016, the year after AT&T bought the DirecTV satellite company. Prices originally started at $35 a month for the live-TV online service, and it had signed up 1.86 million subscribers by Q3 2018. But customers quickly fled as AT&T repeatedly raised prices and cut down on the use of promotional deals, leaving the service with just 683,000 subscribers at the end of Q3 2020.

In 2019, AT&T changed the name from DirecTV Now to AT&T TV Now, creating confusion among customers and its own employees because the company simultaneously unveiled another online streaming service called AT&T TV.

Read 11 remaining paragraphs | Comments

Hackers steal Mimecast certificate used to encrypt customers’ M365 traffic

Tue, 12 Jan 2021 22:10:39 GMT

Enlarge (credit: Getty Images)

Email management provider Mimecast said that hackers have compromised a digital certificate it issued and used it to target select customers who use it to encrypt data they sent and received through the company’s cloud-based service.

In a post published on Tuesday, the company said that the certificate was used by about 10 percent of its customer base, which—according to the company—numbers about 36,100. The “sophisticated threat actor” then likely used the certificate to target “a low single digit number” of customers using the certificate to encrypt Microsoft 365 data. Mimecast said it learned of the compromise from Microsoft.

Certificate compromises allow hackers to read and modify encrypted data as it travels over the Internet. For that to happen, a hacker must first gain the ability to monitor the connection going into and out of a target’s network. Typically, certificate compromises require access to highly fortified storage devices that store private encryption keys. That access usually requires deep-level hacking or insider access.

Read 4 remaining paragraphs | Comments

Parler’s amateur coding could come back to haunt Capitol Hill rioters

Tue, 12 Jan 2021 13:48:42 GMT

Enlarge / Parler? (credit: Getty Images)

By now, you may have heard of the hacker who says she scraped 99 percent of posts from Parler, the Twitter-wannabe site used by Trump supporters to help organize last Wednesday’s violent insurrection on Capitol Hill. What you may not know yet is the abysmal coding and security that made the scraping so easy.

To recap, the scraping was pulled off by a hacker who goes by the handle donk_enby. She originally set out to archive content posted to Parler last Wednesday in hopes of preserving self-incriminating material before account holders came to their senses and deleted it. By Sunday, donk_enby said she had collected roughly 80 terabytes of posts, including more than 1 million videos, many of which contained the GPS metadata identifying the exact locations of where the videos were shot.

“For the journalists DMing me to ask, in non-technical terms, I'd describe the current Parler archival situation as ‘a bunch of people running into a burning building trying to grab as many things as we can,’” donk_enby wrote on Twitter on Sunday. “Things will be available in a more accessible form later.”

Read 6 remaining paragraphs | Comments

Jared Mauch didn’t have good broadband—so he built his own fiber ISP

Tue, 12 Jan 2021 12:30:44 GMT

Jared Mauch installed about five miles' worth of this fiber cable. [credit: Jared Mauch ]

The old saying "if you want something done right, do it yourself" usually isn't helpful when your problem is not having good Internet service. But for one man in rural Michigan named Jared Mauch, who happens to be a network architect, the solution to not having good broadband at home was in fact building his own fiber-Internet service provider.

"I had to start a telephone company to get [high-speed] Internet access at my house," Mauch explained in a recent presentation about his new ISP that serves his own home in Scio Township, which is next to Ann Arbor, as well as a few dozen other homes in Washtenaw County.

Mauch, a senior network architect at Akamai in his day job, moved into his house in 2002. At that point, he got a T1 line when 1.5Mbps was "a really great Internet connection," he said. As broadband technology advanced, Mauch expected that an ISP would eventually wire up his house with cable or fiber. It never happened.

Read 37 remaining paragraphs | Comments

SolarWinds malware has "curious” ties to Russian-speaking hackers

Mon, 11 Jan 2021 19:44:37 GMT

Enlarge (credit: Getty Images)

The malware used to hack Microsoft, security company FireEye, and at least a half-dozen federal agencies has “interesting similarities” to malicious software that has been circulating since at least 2015, researchers said on Monday.

Sunburst is the name security researchers have given to malware that infected about 18,000 organizations when they installed a malicious update for Orion, a network management tool sold by Austin, Texas-based SolarWinds. The unknown attackers who planted Sunburst in Orion used it to install additional malware that burrowed further into select networks of interest. With infections that hit the Departments of Justice, Commerce, Treasury, Energy, and Homeland Security, the hack campaign is among the worst in modern US history.

The National Security Agency, the FBI, and two other federal agencies last week said that the Russian government was “likely” behind the attack, which began no later than October 2019. While several news sources, citing unnamed officials, have reported the intrusions were the work of the Kremlin’s SVR, or Foreign Intelligence Service, researchers continue to look for evidence that definitively proves or disproves the statements.

Read 7 remaining paragraphs | Comments

New York City proposes regulating algorithms used in hiring

Sun, 10 Jan 2021 11:55:10 GMT

Enlarge (credit: John Lamb | Getty Images)

In 1964, the Civil Rights Act barred the humans who made hiring decisions from discriminating on the basis of sex or race. Now, software often contributes to those hiring decisions, helping managers screen résumés or interpret video interviews.

That worries some tech experts and civil rights groups, who cite evidence that algorithms can replicate or magnify biases shown by people. In 2018, Reuters reported that Amazon scrapped a tool that filtered résumés based on past hiring patterns because it discriminated against women.

Legislation proposed in the New York City Council seeks to update hiring discrimination rules for the age of algorithms. The bill would require companies to disclose to candidates when they have been assessed with the help of software. Companies that sell such tools would have to perform annual audits to check that their people-sorting tech doesn’t discriminate.

Read 14 remaining paragraphs | Comments

Reddit’s largest remaining Trump community banned for "inciting violence” [Updated]

Fri, 08 Jan 2021 22:56:48 GMT

Enlarge / The image currently at the top of r/donaldtrump. (credit: Reddit)

On Friday, Reddit joined this week's response to violent online rhetoric as spearheaded by President Donald Trump and removed its "r/donaldtrump" community, the site's largest existing community dedicated specifically to Trump. Visiting any of that community's pages now leads to a simple message pointing to Reddit's rules about "inciting violence," which starts by saying, "Do not post violent content."

Without a citation of specific Reddit threads or a formal announcement from Reddit administrators clarifying the move, users may be left wondering about the exact reason for the removal. It's possible, for example, that the community page was punished for reposting Trump's speeches and statements from earlier in the week, which alternated between false claims about election fraud, calls to action by his followers in response to his claims about fraud, or sympathetic statements about the seditionists who stormed the US Capitol on Wednesday.

While searching through r/donaldtrump archives is a bit unwieldy (owing to how such archives are maintained at sites like archive.is), cursory searches point to the community hosting pre-protest conversations about the January 6 protest, usually with titles pointing to Trump's direct request that his followers from across the nation attend. The issue may also have come from multiple claims at r/donaldtrump shortly before its shutdown about Wednesday's seditionists being disguised as "antifa," despite a majority of Capitol building invaders being identified with clear links to white nationalist organizations and calls for a violent January 6 protest.

Read 4 remaining paragraphs | Comments

Hackers can clone Google Titan 2FA keys using a side channel in NXP chips

Fri, 08 Jan 2021 12:59:47 GMT

Enlarge (credit: Google)

There’s wide consensus among security experts that physical two-factor authentication keys provide the most effective protection against account takeovers. Research published today doesn’t change that, but it does show how malicious attackers with physical possession of a Google Titan key can clone it.

There are some steep hurdles to clear for an attack to be successful. A hacker would first have to steal a target’s account password and to also gain covert possession of the physical key for as many as 10 hours. The cloning also requires up to $12,000 worth of equipment, custom software, and an advanced background in electrical engineering and cryptography. That means the key cloning—were it ever to happen in the wild—would likely be done only by a nation-state pursuing its highest-value targets.

“Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid [an] unnoticed security breach by attackers willing to put enough effort into it,” researchers from security firm NinjaLab wrote in a research paper published Thursday. “Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered.”

Read 17 remaining paragraphs | Comments

DoJ says SolarWinds hackers breached its Office 365 system and read email

Thu, 07 Jan 2021 02:27:45 GMT

Enlarge (credit: Gregory Varnum)

The US Justice Department has become the latest federal agency to say its network was breached in a long and wide-ranging hack campaign that’s believed to have been backed by the Russian government.

In a terse statement issued Wednesday, Justice Department spokesman Marc Raimondi said that the breach wasn’t discovered until December 24, which is nine days after the the hack campaign came to light. The hackers, Raimondi said, took control of the department’s Office 365 system and accessed email sent or received from about 3 percent of accounts. The department has more than 100,000 employees.

Investigators believe the campaign started when the hackers took control of the software distribution platform of SolarWinds, an Austin, Texas-based maker of network management software that’s used by hundreds of thousands of organizations. The attackers then pushed out a malicious update that was installed by about 18,000 of those customers. Only a fraction of the 18,000 customers received a follow-on attack that used the backdoored SolarWinds software to view, delete, or alter data stored on those networks.

Read 5 remaining paragraphs | Comments

Feds say that Russia was "likely” behind months-long hack of US agencies

Wed, 06 Jan 2021 04:06:12 GMT

Enlarge / Side view of colorful St. Basil's Cathedral in Moscow on Red Square in front of the Kremlin, Russia. (credit: Getty Images)

Hackers working for the Russian government were “likely” behind the software supply chain attack that planted a backdoor in the networks of 180,000 private companies and governmental bodies, officials from the US National Security Agency and three other agencies said on Tuesday.

The assessment—made in a joint statement that also came from the FBI, the Cybersecurity and Infrastructure Security Agency, and the Office of the Director of National Intelligence—went on to say that the hacking campaign was a “serious compromise that will require a sustained and dedicated effort to remediate.”

Russia, Russia, Russia

The statement is at odds with tweets from US President Donald Trump disputing the Russian government’s involvement and downplaying the severity of the attack, which compromised the software distribution system of Austin, Texas-based SolarWinds and used it to push a malicious update to almost 200,000 of its customers.

Read 10 remaining paragraphs | Comments

Telegram feature exposes your precise address to hackers

Tue, 05 Jan 2021 21:40:31 GMT

Enlarge (credit: Getty Images)

If you’re using an Android device—or in some cases an iPhone—the Telegram messenger app makes it easy for hackers to find your precise location when you enable a feature that allows users who are geographically close to you to connect. The researcher who discovered the disclosure vulnerability and privately reported it to Telegram developers said they have no plans to fix it.

The problem stems from a feature called People Nearby. By default, it’s turned off. When users enable it, their geographic distance is shown to other people who have it turned on and are in (or are spoofing) the same geographic region. When People Nearby is used as designed, it’s a useful feature with few if any privacy concerns. After all, a notification that someone is 1 kilometer or 600 meters away still leaves stalkers guessing where, precisely, you are.

Stalking made simple

Independent researcher Ahmed Hassan, however, has shown how the feature can be abused to divulge exactly where you are. Using readily available software and a rooted Android device, he’s able to spoof the location his device reports to Telegram servers. By using just three different locations and measuring the corresponding distance reported by People Nearby, he is able to pinpoint a user’s precise location.

Read 9 remaining paragraphs | Comments

Comcast data cap blasted by lawmakers as it expands into 12 more states

Tue, 05 Jan 2021 19:10:15 GMT

Enlarge / A Comcast van in Sunnyvale, California, in November 2018. (credit: Getty Images | Andrei Stanescu)

Dozens of state lawmakers from Massachusetts urged Comcast to halt enforcement of its 1.2TB monthly data cap, saying the cap hurts low-income people during the pandemic and is unnecessary because of Comcast's healthy network capacity.

"Network capacity is not an issue for Comcast or a valid excuse to charge customers more," 71 state lawmakers wrote in the letter last week, one day before Comcast brought its data cap to Massachusetts and other states where it wasn't already enforced. "Comcast itself claims it has plenty of capacity across its network, including areas where no caps are currently imposed... It is inconceivable that Comcast would choose to impose this 'cap and fee' plan during a pandemic, when many Massachusetts residents are forced to work and attend school from home via the Internet."

The letter said the lawmakers "strongly urge Comcast to discontinue this plan, and to reconsider any future attempts at imposing a data cap or any perversion of the principles of net neutrality in Massachusetts." The lawmakers also pointed out a statement by Comcast executive Tony Werner, who said the increased broadband traffic caused by the pandemic "has all been within the capability of the network."

Read 9 remaining paragraphs | Comments

Cryptocurrency stealer for Windows, macOS, and Linux went undetected for a year

Tue, 05 Jan 2021 15:00:32 GMT

Enlarge (credit: George / Getty Images)

Soaring cryptocurrency valuations have broken record after record over the past few years, turning people with once-modest holdings into overnight millionaires. One determined ring of criminals has tried to join the party using a wide-ranging operation that for the past 12 months has used a full-fledged marketing campaign to push custom-made malware written from scratch for Windows, macOS, and Linux devices.

The operation, which has been active since at least January 2020, has spared no effort in stealing the wallet addresses of unwitting cryptocurrency holders, according to a report published by security firm Intezer. The scheme includes three separate trojanized apps, each of which runs on Windows, macOS, and Linux. It also relies on a network of fake companies, websites, and social media profiles to win the confidence of potential victims.

Uncommonly stealthy

The apps pose as benign software that’s useful to cryptocurrency holders. Hidden inside is a remote access trojan that was written from scratch. Once an app is installed, ElectroRAT—as Intezer has dubbed the backdoor—then allows the crooks behind the operation to log keystrokes, take screenshots, upload, download, and install files, and execute commands on infected machines. In a testament to their stealth, the fake cryptocurrency apps went undetected by all major antivirus products.

Read 8 remaining paragraphs | Comments

Hackers are exploiting a backdoor built into Zyxel devices. Are you patched?

Mon, 04 Jan 2021 22:10:25 GMT

Enlarge (credit: Zyxel)

Hackers are attempting to exploit a recently discovered backdoor built into multiple Zyxel device models that hundreds of thousands of individuals and businesses use as VPNs, firewalls, and wireless access points.

The backdoor comes in the form of an undocumented user account with full administrative rights that’s hardcoded into the device firmware, a researcher from Netherlands-based security firm Eye Control recently reported. The account, which uses the username zyfwp, can be accessed over either SSH or through a Web interface.

A serious vulnerability

The researcher warned that the account put users at considerable risk, particularly if it were used to exploit other vulnerabilities such as Zerologon, a critical Windows flaw that allows attackers to instantly become all-powerful network administrators.

Read 9 remaining paragraphs | Comments

Ticketmaster admits it hacked rival company before it went out of business

Mon, 04 Jan 2021 18:57:08 GMT

(credit: Pixy)

Ticketmaster has agreed to pay a $10 million criminal fine after admitting its employees repeatedly used stolen passwords and other means to hack a rival ticket sales company.

The fine, which is part of a deferred prosecution agreement Ticketmaster entered with federal prosecutors, resolves criminal charges filed last week in federal court in the eastern district of New York. Charges include violations of the Computer Fraud and Abuse Act, computer intrusion for commercial advantage or private financial gain, computer intrusion in furtherance of fraud, conspiracy to commit wire fraud, and wire fraud.

In the settlement, Ticketmaster admitted that an employee who used to work for a rival company emailed the login credentials for multiple accounts the rival used to manage presale ticket sales. At a San Francisco meeting attended by at least 14 employees of Ticketmaster or its parent company Live Nation, the employee used one set of credentials to log in to an account to demonstrate how it worked.

Read 6 remaining paragraphs | Comments

Google employees kick off union membership drive for 120,000 workers

Mon, 04 Jan 2021 17:15:37 GMT

Enlarge / Exterior view of a Googleplex building, the corporate headquarters of Google and parent company Alphabet, May 2018. (credit: Getty Images | zphotos)

More than 225 workers at Google have formally launched a company-wide union membership drive, following an increasing drive toward organization inside the company over the past several years.

All 120,000 people who work for Google parent company Alphabet, including temporary, contract, and part-time workers, will be eligible for membership in the Alphabet Workers Union, according to a joint statement from the union and the Communications Workers of America, of which it is a part.

"Our company's motto used to be, 'don't be evil,'" the chair and vice chair of the new union wrote in a New York Times op-ed. "An organized workforce will help us live up to it."

Read 8 remaining paragraphs | Comments