Archive for the ‘Biz & IT’ Category

Backdoored developer tool that stole credentials escaped notice for 3 months

April 16th, 2021

A publicly available software development tool contained malicious code that stole the authentication credentials that apps need to access sensitive resources, in the latest revelation of a supply chain attack that has the potential to backdoor the networks of countless organizations.

The Codecov Bash Uploader contained the backdoor from late January to the beginning of April, developers of the tool said on Thursday. The backdoor caused developer computers to send secret authentication tokens and other sensitive data to a remote site controlled by the hackers. The uploader works with development platforms including GitHub Actions, CircleCI, and Bitrise Step, all of which support having such secret authentication tokens in the development environment.

A pile of AWS and other cloud credentials

The Codecov Bash Uploader performs what is known as code coverage for large-scale software development projects. It allows developers to send coverage reports that, among other things, determine how much of a codebase has been tested by internal test scripts. Some development projects integrate Codecov and similar third-party services into their platforms, where there is free access to sensitive credentials that can be used to steal or modify source code.

US government strikes back at Kremlin for SolarWinds hack campaign

April 15th, 2021

US officials on Thursday formally blamed Russia for backing one of the worst espionage hacks in recent US history and imposed sanctions designed to mete out punishments for that and other recent actions.

In a joint advisory, the National Security Agency, FBI, and Cybersecurity and Infrastructure Security Agency said that Russia’s Foreign Intelligence Service, abbreviated as the SVR, carried out the supply-chain attack on customers of the network management software from Austin, Texas-based SolarWinds.

The operation infected SolarWinds’ software build and distribution system and used it to push backdoored updates to about 18,000 customers. The hackers then sent follow-up payloads to about 10 US federal agencies and about 100 private organizations. Besides the SolarWinds supply-chain attack, the hackers also used password guessing and other techniques to breach networks.

100 million more IoT devices are exposed—and they won’t be the last

April 14th, 2021

Over the last few years, researchers have found a shocking number of vulnerabilities in seemingly basic code that underpins how devices communicate with the Internet. Now, a new set of nine such vulnerabilities are exposing an estimated 100 million devices worldwide, including an array of Internet-of-things products and IT management servers. The larger question researchers are scrambling to answer, though, is how to spur substantive changes—and implement effective defenses—as more and more of these types of vulnerabilities pile up.

Dubbed Name:Wreck, the newly disclosed flaws are in four ubiquitous TCP/IP stacks, code that integrates network communication protocols to establish connections between devices and the Internet. The vulnerabilities, present in operating systems like the open source project FreeBSD, as well as Nucleus NET from the industrial control firm Siemens, all relate to how these stacks implement the “Domain Name System” Internet phone book. They all would allow an attacker to either crash a device and take it offline or gain control of it remotely. Both of these attacks could potentially wreak havoc in a network, especially in critical infrastructure, health care, or manufacturing settings where infiltrating a connected device or IT server can disrupt a whole system or serve as a valuable jumping-off point for burrowing deeper into a victim's network.

Microsoft acquires Nuance—makers of Dragon speech rec—for $16 billion

April 12th, 2021
Photo caption: In this 2011 photo, Dr. Michael A. Lee uses Dragon Medical voice-recognition software to enter his notes after seeing a patient. (credit: David Ryan via Getty Images)

Earlier today, Microsoft announced its plans to purchase Nuance for $56 per share—23 percent above Nuance's closing price last Friday. The deal adds up to a $16 billion cash outlay and a total valuation for Nuance of about $19.7 billion, including that company's assumed debt.

Who is Nuance?

Nuance is a well-known player in the field of natural language recognition. The company's technology is the core of Apple's Siri personal assistant. Nuance also sells well-known personal speech-recognition software Dragon NaturallySpeaking, which is invaluable to many people with a wide range of physical disabilities.

Dragon NaturallySpeaking, originally released in 1997, was one of the first commercially available continuous dictation products—meaning software that did not require the user to pause briefly between words. In 2000, Dragon Systems was acquired by ScanSoft, which acquired Nuance Communications in 2005 and rebranded itself as Nuance.

Malicious cheats for Call of Duty: Warzone are circulating online

April 3rd, 2021

Criminals have been hiding malware inside publicly available software that purports to be a cheat for Activision’s Call of Duty: Warzone, researchers with the game maker warned earlier this week.

Cheats are programs that tamper with in-game events or player interactions so that users gain an unfair advantage over their opponents. The software typically works by accessing computer memory during gameplay and changing health, ammo, score, lives, inventories, or other information. Cheats are almost always forbidden by game makers.

On Wednesday, Activision said that a popular cheating site was circulating a fake cheat for Call of Duty: Warzone that contained a dropper, a term for a type of backdoor that installs specific pieces of malware chosen by the person who created it. Named Warzone Cheat Engine, the cheat was available on the site in April 2020 and again last month.

Feds say hackers are likely exploiting critical Fortinet VPN vulnerabilities

April 2nd, 2021

The FBI and the Cybersecurity and Infrastructure Security Agency said that advanced hackers are likely exploiting critical vulnerabilities in the Fortinet FortiOS VPN in an attempt to plant a beachhead to breach medium and large-sized businesses in later attacks.

“APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services,” the agencies said Friday in a joint advisory. “Gaining initial access pre-positions the APT actors to conduct future attacks.” APT is short for advanced persistent threat, a term used to describe well-organized and well-funded hacking groups, many backed by nation states.

Breaching the moat

Fortinet FortiOS SSL VPNs are used mainly in border firewalls, which cordon off sensitive internal networks from the public Internet. Two of the three already-patched vulnerabilities listed in the advisory—CVE-2018-13379 and CVE-2020-12812—are particularly severe because they make it possible for unauthenticated hackers to steal credentials and connect to VPNs that have yet to be updated.

Feds say man broke into public water system and shut down safety processes

April 1st, 2021

Federal prosecutors have indicted a Kansas man for allegedly logging into a computer system at a public water system and tampering with the process for cleaning and disinfecting customers’ drinking water.

An indictment filed in US District Court for the District of Kansas said Wyatt A. Travnichek, 22, of Ellsworth County, Kansas, was an employee from January 2018 to January 2019 at the Ellsworth County Rural Water District No. 1. Also known as the Post Rock Water District, the facility serves more than 1,500 retail customers and 10 wholesale customers in eight Kansas counties. Part of Wyatt’s responsibilities included remotely logging in to the water district’s computer system to monitor the plant after hours.

Logging in with harmful intent

In late March 2019, Wednesday’s indictment said, Post Rock experienced a remote intrusion to its computer system that resulted in the shutdown of the facility’s processes for ensuring water is safe to drink.

North Korean hackers return, target infosec researchers in new operation

April 1st, 2021

In January, Google and Microsoft outed what they said was North Korean government-sponsored hackers targeting security researchers. The hackers spent weeks using fake Twitter profiles—purportedly belonging to vulnerability researchers—before unleashing an Internet Explorer zero-day and a malicious Visual Studio Project, both of which installed custom malware.

Now, the same hackers are back, a Google researcher said on Wednesday, this time with a new batch of social media profiles and a fake company that claims to offer offensive security services, including penetration testing, software security assessments, and software exploits.

Once more with feeling

The homepage for the fake company is sleek and looks no different from countless real security companies all over the world.

Ubiquiti breach puts countless cloud-based devices at risk of takeover

March 31st, 2021

Network device maker Ubiquiti has been covering up the severity of a data breach that puts customers’ hardware at risk of unauthorized access, KrebsOnSecurity has reported, citing an unnamed whistleblower inside the company.

In January, the maker of routers, Internet-connected cameras, and other networked devices, disclosed what it said was “unauthorized access to certain of our information technology systems hosted by a third-party cloud provider.” The notice said that, while there was no evidence the intruders accessed user data, the company couldn’t rule out the possibility that they obtained users’ names, email addresses, cryptographically hashed passwords, addresses, and phone numbers. Ubiquiti recommended users change their passwords and enable two-factor authentication.

Device passwords stored in the cloud

Tuesday’s report from KrebsOnSecurity cited a security professional at Ubiquiti who helped the company respond to the two-month breach beginning in December 2020. The individual said the breach was much worse than Ubiquiti let on and that executives were minimizing the severity to protect the company’s stock price.

How to achieve Smart Home nirvana (or, home automation without subscription)

March 31st, 2021

What comes to mind when you think of a Smart Home? Wi-Fi enabled light bulbs, video doorbells, cloud-connected robot vacuums, or smart fridges perhaps? Brands like Google/Nest or everything enabled with Amazon’s Alexa? While often providing some genuine convenience, these devices are also usually designed to invite and lock users into manufacturers' ecosystems. Create a cool piece of hardware, you’ll make one sale. Create a cool piece of hardware that extracts recurring monthly service fees for cloud storage or to unlock extra functionality, and you’ll have sales for life.

Compounding our collective frustration, these ecosystems are often incompatible with each other and require multiple different apps for control. Not only are subscriptions and upselling part of the game, the underlying business models for these products are built around planned obsolescence and mining user data.

Luckily, aspirational smart home folks in 2021 have at least one viable alternative: Home Assistant. This piece of open-source software is the proverbial ring “that in the darkness binds them.” It is the glue for smart home gear spanning all sorts of manufacturers from behemoths like Google to minnows like Shelly. It’s a project that has set out to change all of the smart home pitfalls listed above by putting local control, privacy, and interoperability first.
