Proprietary Software, Security News, and DRM
Date: 2022-01-25
Shouldn't there be a right to repairable broadband? • The Register
I heard an electric discharge, a bit like a Jacob's ladder, immediately before a deafening crack of thunder. I'd never been so close to a lightning strike! All of the lights in the house went bright, then dimmed, then went back to normal. "Uh-oh," I thought, "I'm in trouble now." Everything in the house had been hit by a nasty surge and the oft-spoken aphorism that broadband services are now a utility to rank with water and electricity was suddenly very, very, real to me.
But it was electricity I worried about first. I use top of the line surge protectors so my most sensitive devices – computers and monitors, of which I have many – all seemed fine. But I'd overlooked two other connections that come into nearly every home: the antenna and the phone line.
New book highlights open source tools and tips for personal cybersecurity | Opensource.com
The internet can be a dangerous place. Not a week goes by without a cyber attack taking place. Go H*ck Yourself: A Simple Introduction to Cyber Attacks and Defense by Bryson Payne shows you how many basic cyber attacks work, so you can learn to defend against them. Payne teaches how to perform a variety of hacks to show that they are easy to do.
The book’s eleven chapters begin with straightforward concepts, like using a browser’s inspect tool to make a password field display the password and gaining administrative access to a Windows or Mac using installation media. The third chapter explains how to use VirtualBox to create Kali Linux and Microsoft Windows virtual machines that will be used for the exercises in the following chapters.
diffoscope 209 released
The diffoscope maintainers are pleased to announce the release of diffoscope version 209. This version includes the following changes:
* Update R test fixture for R 4.2.x series. (Closes: #1008446)
* Update minimum version of Black to prevent test failure on Ubuntu jammy.
Researchers urged to avoid bug bounty firms after HackerOne hiccup
The call to bypass bug bounty firms came from American researcher Katie Moussouris, the founder of Luta Security, and a well-known figure in the infosec industry.
In a thread on Twitter, Moussouris said: "Technically [there is] nothing stopping all [crackers] who participate in bug bounties from refusing to submit bugs via bounty platforms except the threat of being kicked off said platforms (that refuse to employ them all yet use [crackers] as their sole income source) just sayin'. Email the bugs."
Satellite comms networks on alert after US govt warning
US federal agencies have warned of possible threats to American and international satellite communication (SATCOM) networks that could affect customers.
In a joint security alert, the US Cybersecurity and Infrastructure Security Agency (CISA) and FBI "strongly encourage" critical infrastructure operators, along with SATCOM network providers and customers, to put in place a series of mitigation steps to shore up their networks.
Best Open Source Security Tools in 2022
Rise As Court Data Breach Grows
It was about 11 p.m. when a restless software developer in Texas discovered that his hobby website, a free public records search engine, had been mentioned in a news story about a massive data breach.
To his horror, the article said the "shadowy website" judyrecords.com — his website — had published hundreds of thousands of the State Bar of California's confidential case files. The state bar declared that it had notified law enforcement.
Microsoft investigates Lapsus$'s boasts of Bing, Cortana code heist [Ed: What about listening devices (Cortana) data? Blackmail repository.]
The Lapsus$ extortion gang briefly alleged over the weekend it had compromised Microsoft.
The devil-may-care cyber-crime ring has previously boasted of breaking into Nvidia, Samsung, Ubisoft, and others. Its modus operandi is to infiltrate a big target's network, exfiltrate sensitive internal data, and then make demands to prevent the public release of this material – and perhaps just release some of it anyway.
"We are aware of the claims and are investigating," a Microsoft spokesperson told The Register on Monday.
On Saturday and Sunday, the crooks shared then deleted on Telegram screenshots suggesting they had broken into Microsoft's internal DevOps environment, as spotted by infosec bod Dominic Alvieri. The screenshot shows internal projects including Bing and Cortana's source code, and WebXT compliance engineering projects.
Devil-may-care Lapsus$ gang is not the aspirational brand infosec needs
The Lapsus$ cyber-crime gang, believed to be based in Brazil, until recently was best known for attacks on that country's Ministry of Health and Portuguese media outlets SIC Noticias and Expresso.
However, the gang is climbing up the ladder, swinging at larger targets in the tech industry. Over the past few weeks, those have included Nvidia, Samsung, and Argentine online marketplace operator Mercado Libre. Now, Lapsus$ is suspected of attacking game developer Ubisoft.
Lapsus$ in February compromised Nvidia, stealing a terabyte of data that included proprietary information and employee credentials, and dumping some of the data online. The crew also demanded the GPU giant remove limits on crypto-coin mining from its graphics cards, and open-source its drivers.
OpenSSL vulnerability can ‘definitely be weaponized,’ NSA cyber director says
A cryptographic vulnerability in the Tonelli Shanks modular algorithm, which is used in popular cryptographic library OpenSSL, can lead to denial-of-service attacks and can “definitely be weaponized” in the current threat environment, according to an NSA official.
The bug — discovered by two Google employees, security researcher Tavis Ormandy and software engineer David Benjamin, and tracked under CVE-2022-0778 — affects the BN_mod_sqrt() function in OpenSSL, which is used to compute the modular square root and parses certificates that use elliptic curve public key encryption.
This process can be exploited if an attacker submits a certificate with broken curve parameters, thus triggering an infinite loop in the program and leading to a denial of service.
Exotic Lily is a business-like access broker for ransomware gangs [Ed: Microsoft Windows TCO]
TAG initially detected Exotic Lily – which the researchers describe as a "resourceful, financially motivated threat actor" – in September 2021 exploiting a zero-day flaw in Microsoft MSHTML (tracked as CVE-2021-40444). Further investigation discovered that the group was acting as an IAB working with a Russian gang known as FIN12 by cybersecurity vendors Mandiant and FireEye, Wizard Spider by CrowdStrike, and DEV-0193 by Microsoft.
The Windows malware on Ukraine CERT's radar
As Ukraine fights for survival against invading Russian forces, here's a taste of some of the malware the nation's Computer Emergency Response Team (CERT) is battling.
To start, the team earlier this month said miscreants had spammed out emails impersonating government agencies containing links to fake Windows antivirus updates. When these were downloaded and run by a victim, more malware was brought onto the machine, including Cobalt Strike Beacon, which can take over the PC with PowerShell scripts, log keystrokes, take screenshots, exfiltrate files, run other malicious code, attempt to traverse the network, and so on. Beacon is a legit tool developed by HelpSystems mainly for red-team professionals.
AvosLocker group is targeting US critical infrastructure, FBI says [Ed: AvosLocker = Microsoft Windows]
The advisory outlines various indicators of compromise (IoCs) that can help companies determine whether they have become AvosLocker victims, as well as a list of mitigation steps they can take. These range from developing a data recovery plan and implementing network segmentation to regularly backing up data, installing and updating antivirus software and installing updates and patches on operating systems.
FIDO Alliance says it has finally killed the password
Another flaw found in Western Digital's EdgeRover app • The Register
Users of Western Digital's EdgeRover app for Windows and Mac are advised to download an updated version to avoid a security flaw that might allow an attacker unauthorized access to directories and files.
The flaw, which was given the CVE identification number CVE-2022-22988, carries a Common Vulnerability Scoring System (CVSS) severity rating of 9.1, making it a critical weakness. It has now been addressed, however, with a modification to the way EdgeRover handles file and directory permissions.
Comcast shares its code to boost open source security
[Ed: Mindless openwashing]
iCloud and many other Apple services are down or experiencing issues – OSnews
Another great day to be a Linux user.
Pro-Ukraine sabotage renews scrutiny on open source security [Ed: This was malware shipped by Microsoft, stop blaming "open source"]
Procurement guy at Apple allegedly ripped off iPhone giant in $10m+ scam
A now-former Apple employee accused of causing the iGiant to lose more than $10m in a super-scam has been charged with conspiracy, laundering, and tax evasion.
Dhirendra Prasad, 52, of San Joaquin County, California, worked at Apple in the US from 2008 to 2018, spending most of his time as a procurer of components and services for his employer's products. It's claimed, among other things, he received bribes, put in parts orders for fake repairs, siphoned off components, and caused Apple to pay for stuff it never actually got, all while he profited on the side.
As prosecutors put it this month, Prasad allegedly exploited his position by "engaging in multiple different schemes to defraud Apple, including taking kickbacks, stealing parts, and causing Apple to pay for items and services it never received, resulting in a loss of more than $10,000,000." He allegedly evaded tax on these ill-gotten gains, which he also laundered [PDF] and helped in the evasion of tax.
Jury Finds Former Boeing Pilot Not Guilty of Fraud in 737 Max Case
A jury in Texas on Wednesday acquitted a former Boeing technical pilot, Mark A. Forkner, of defrauding two of the company’s customers, serving the federal government a defeat in its only criminal case against an individual connected to the troubled Boeing 737 Max jet.
Germany advises citizens to uninstall Kaspersky antivirus [Ed: All proprietary software should be removed, including American ones. They're using secrecy to do malicious things. Russia hasn't a monopoly on that.]
Germany's BSI federal cybersecurity agency has warned the country's citizens not to install Russian-owned Kaspersky antivirus, saying it has "doubts about the reliability of the manufacturer."
Russia-based Kaspersky has long been a target of suspicious rumors in the West over its ownership and allegiance to Russia's rulers.
In an advisory published today, the agency said: "The BSI recommends replacing applications from Kaspersky's virus protection software portfolio with alternative products."
It added: "A Russian IT manufacturer can carry out offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation, or be misused as a tool for attacks against its own customers."
