Security

HubSpot Hack Leads To Data Breaches at BlockFi, Swan Bitcoin, NYDIG and Circle (coindesk.com) 4

A data breach at HubSpot, a tool used by many companies to manage marketing campaigns and on-board new users, has affected BlockFi, Swan Bitcoin, NYDIG and Circle. From a report: However, all the companies said their operations were not affected and their treasuries were not at risk. HubSpot is a customer relationship management (CRM) tool used to store users' names, phone numbers and email addresses for marketing purposes, and measure the effectiveness of marketing campaigns. While user information was leaked to hackers, the affected companies said passwords and other internal information were not affected. In outreach emails seen by CoinDesk, the companies said HubSpot is an external tool and hackers did not gain access to internal systems. HubSpot said the breach was the result of a bad actor getting access to an employee account and using it to target stakeholders in the cryptocurrency industry. The company said 30 clients were affected, but has not published a full list.
Security

CafePress's Previous Owner Fined $500,000 for 'Shoddy' Security, Covering up Data Breach (zdnet.com) 24

ZDNet describes CafePress as "a U.S. platform offering print-on-demand products" like custom t-shirts, hats, and mugs.

"CafePress's past owner has been fined $500,000 over a litany of security failures and data breaches," ZDNet reported this week: CafePress became the subject of a US Federal Trade Commission (FTC) investigation surrounding how it handled security — and how the firm allegedly "failed to secure consumers' sensitive personal data and covered up a major breach." On March 15, the US regulator said that Residual Pumpkin is required to pay $500,000 in damages. According to the FTC's complaint (PDF), issued against the platform's former owner Residual Pumpkin Entity, LLC, and its current owner PlanetArt, LLC, there was a lack of "reasonable security measures" to prevent data breaches.

In addition, the FTC claims that CafePress kept user data for longer than necessary, stored personally identifiable information including Social Security numbers and password reset answers in cleartext, and did not patch against known system vulnerabilities. "As a result of its shoddy security practices, CafePress' network was breached multiple times," the FTC says. CafePress experienced a major security incident in 2019. An attacker infiltrated the platform in February 2019 and was able to access data belonging to millions of users. This included email addresses, poorly-encrypted passwords, names, home addresses, security questions and answers, some partial card payment records, phone numbers, and at least 180,000 unencrypted Social Security numbers....

According to the FTC, CafePress was notified a month after the breach and did patch the security flaw — but did not investigate the breach properly "for several months." Customers were also not told. Instead, CafePress implemented a forced password reset as part of its "policy" and only informed users in September 2019, once the data breach had been publicly reported. In a separate case in 2018, CafePress allegedly was made aware of shops being compromised. These accounts were closed — and the shopkeepers, the victims, were then charged $25 account closure fees.

The FTC also claims that the company "misled" users by using consumer email addresses for marketing, despite promises to the contrary.

Security

How to Eliminate the World's Need for Passwords (arstechnica.com) 166

The board members of the FIDO alliance include Amazon, Google, PayPal, RSA, and Apple and Microsoft (as well as Intel and Arm). It describes its mission as reducing the world's "over-reliance on passwords."

Today Wired reports that the group thinks "it has finally identified the missing piece of the puzzle" for finally achieving large-scale adoption of a password-supplanting technology: On Thursday, the organization published a white paper that lays out FIDO's vision for solving the usability issues that have dogged passwordless features and, seemingly, kept them from achieving broad adoption....

The paper is conceptual, not technical, but after years of investment to integrate what are known as the FIDO2 and WebAuthn passwordless standards into Windows, Android, iOS, and more, everything is now riding on the success of this next step.... FIDO is looking to get to the heart of what still makes passwordless schemes tough to navigate. And the group has concluded that it all comes down to the procedure for switching or adding devices. If the process for setting up a new phone, say, is too complicated, and there's no simple way to log in to all of your apps and accounts — or if you have to fall back to passwords to reestablish your ownership of those accounts — then most users will conclude that it's too much of a hassle to change the status quo.

The passwordless FIDO standard already relies on a device's biometric scanners (or a master PIN you select) to authenticate you locally without any of your data traveling over the Internet to a web server for validation. The main concept that FIDO believes will ultimately solve the new device issue is for operating systems to implement a "FIDO credential" manager, which is somewhat similar to a built-in password manager. Instead of literally storing passwords, this mechanism will store cryptographic keys that can sync between devices and are guarded by your device's biometric or passcode lock. At Apple's Worldwide Developer Conference last summer, the company announced its own version of what FIDO is describing, an iCloud feature known as "Passkeys in iCloud Keychain," which Apple says is its "contribution to a post-password world...."

FIDO's white paper also includes another component, a proposed addition to its specification that would allow one of your existing devices, like your laptop, to act as a hardware token itself, similar to stand-alone Bluetooth authentication dongles, and provide physical authentication over Bluetooth. The idea is that this would still be virtually phish-proof since Bluetooth is a proximity-based protocol and can be a useful tool as needed in developing different versions of truly passwordless schemes that don't have to retain a backup password. Christiaan Brand, a product manager at Google who focuses on identity and security and collaborates on FIDO projects, says that the passkey-style plan follows logically from the smartphone or multi-device image of a passwordless future. "This grand vision of 'Let's move beyond the password,' we've always had this end state in mind to be honest, it just took until everyone had mobile phones in their pockets," Brand says....

To FIDO, the biggest priority is a paradigm shift in account security that will make phishing a thing of the past.... When asked if this is really it, if the death knell for passwords is truly, finally tolling, Google's Brand turns serious, but he doesn't hesitate to answer: "I feel like everything is coalescing," he says. "This should be durable."

Such a change won't happen overnight, the article points out. "With any other tech migration (ahem, Windows XP), the road will inevitably prove arduous."
Facebook

Facebook is Locking Out People Who Didn't Activate Facebook Protect (theverge.com) 42

An anonymous reader shares a report: Early in March, a bunch of Facebook users got a mysterious, spam-like email titled "Your account requires advanced security from Facebook Protect" and telling them that they were required to turn on the Facebook Protect feature (which they could do by hitting a link in the email) by a certain date, or they would be locked out of their account. The program, according to Facebook, is a "security program for groups of people that are more likely to be targeted by malicious hackers, such as human rights defenders, journalists, and government officials." It's meant to do things like ensure those accounts are monitored for hacking threats and that they are protected by two-factor authentication (2FA).

Unfortunately, the email that Facebook sent from the address security@facebookmail.com resembled a rather common form of spam, and so it's probable that many people ignored it. It actually wasn't spam. In fact, it was real. The first deadline to hit for many people was Thursday, March 17th. And now, they are locked out of their Facebook accounts -- and are having trouble with the process that Facebook has provided to get them back in. Those who did not activate Facebook Protect before their deadline are apparently getting a message explaining why they can't get into their accounts and offering to help them turn it on. However, it's not always working.

United States

CISA, FBI Warn of Threats To US Satellite Networks After Viasat Cyberattack (techcrunch.com) 7

The U.S. government is warning of "possible threats" to satellite communication networks amid fears that recent attacks on satellite networks in Europe, sparked by the war in Ukraine, could soon spread to the United States. From a report: A joint CISA-FBI advisory published this week urges satellite communication (SATCOM) network providers and critical infrastructure organizations that rely on satellite networks to bolster their cybersecurity defenses due to an increased likelihood of cyberattack, warning that a successful intrusion could create risk in their customer environments.

While the advisory did not name specific sectors under threat, the use of satellite communications is widespread across the United States. It's estimated that about eight million Americans rely on SATCOM networks for internet access. Ruben Santamarta, a cybersecurity expert who specializes in analyzing satellite communications systems, told TechCrunch that networks are used in a wide number of industries, including aviation, government, the media and the military, as well as gas facilities and electricity service stations that are located in remote places.

Microsoft

Microsoft Defender Tags Office Updates As Ransomware (bleepingcomputer.com) 33

joshuark writes: In one of those in-your-face ironies or karmic debts, Bleeping Computer reports that Microsoft Defender tags Office updates as ransomware. The article states: "Windows admins were hit today by a wave of Microsoft Defender for Endpoint false positives where Office updates were tagged as malicious in alerts pointing to ransomware behavior detected on their systems."

Further on, an explanation for the source of the karmic irony is: "The root cause of the false positives was a recently deployed update within service components for detecting ransomware alerts." Couldn't this have waited for April 1st?

Bleeping Computer goes on, "A Microsoft spokesperson was not available for comment when contacted by BleepingComputer earlier today."

Security

Russian Cyber Attacks Are Struggling To Impact Ukraine's Networks (bloomberg.com) 75

Russian cyber attacks have so far struggled to successfully target Ukraine's critical national infrastructure, according to government officials. From a report: While they are aware of Russian intent to disrupt or infiltrate Ukrainian systems, according to the officials, they have continued to function and Ukraine has mounted a strong defense. Many denial-of-service attacks targeting Ukraine are of low sophistication and impact, the people said, who asked not to be identified discussing private information. The country's experience fending off major cyber attacks since 2015 may have helped prepare it for recent attempts, they added. The destructive "wiper" malware seen in Ukraine is more insidious and the officials said they are on alert for it appearing outside of the country. In the hours prior to Russia's invasion, some Ukrainian government agencies were targeted with the software, which deleted data held on infected computers. More aggressive network take-downs or attacks may not fit with Russian objectives, they added, and Russia could even be leaving the broadband network active for its own means to gather intelligence.
Security

Hundreds of GoDaddy-Hosted Sites Backdoored In a Single Day (bleepingcomputer.com) 19

Internet security analysts have spotted a spike in backdoor infections on WordPress websites hosted on GoDaddy's Managed WordPress service, all featuring an identical backdoor payload. The case affects internet service resellers such as MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress. BleepingComputer reports: The discovery comes from Wordfence, whose team first observed the malicious activity on March 11, 2022, with 298 websites infected by the backdoor within 24 hours, 281 of which were hosted on GoDaddy. The backdoor infecting all sites is a 2015 Google search SEO-poisoning tool implanted in wp-config.php to fetch spam link templates from the C2 that are used to inject malicious pages into search results. The campaign uses predominantly pharmaceutical spam templates, served to visitors of the compromised websites instead of the actual content.

The goal of these templates is likely to entice the victims to make purchases of fake products, losing money and payment details to the threat actors. Additionally, the actors can harm a website's reputation by altering its content and making the breach evident, but this doesn't seem to be the actors' aim at this time. The intrusion vector hasn't been determined, so while this looks suspiciously close to a supply chain attack, it hasn't been confirmed. [...] In any case, if your website is hosted on GoDaddy's Managed WordPress platform, make sure to scan your wp-config.php file to locate potential backdoor injections. Wordfence also reminds admins that while removing the backdoor should be the first step, removing spam search engine results should also be a priority.

Security

Google Discovers Threat Actor Working as an 'Initial Access Broker' for Conti Ransomware Hackers (techcrunch.com) 20

Google's Threat Analysis Group has observed a financially-motivated threat actor working as an intermediary for the Russian hackers, including the Conti ransomware gang. From a report: The group, which Google refers to as "Exotic Lily," acts as an initial access broker, finding vulnerable organizations and selling access to their networks to the highest bidder. By contracting out the initial access to a victim's network, ransomware gangs like Conti can focus on the execution phase of an attack. In the case of Exotic Lily, this initial access was gained through email campaigns, in which the group masqueraded as legitimate organizations and employees through the use of domain and identity spoofing. In the majority of cases, a spoofed domain was nearly identical to the real domain name of an existing organization, but changed the top-level domains to ".us," ".co" or ".biz." In order to appear as legitimate employees, Exotic Lily set up social media profiles and AI-generated images of human faces. The attackers, which Google believes are operating from Central or Eastern Europe due to the threat actors' working hours, would then send spear-phishing emails under the pretext of a business proposal, before ultimately uploading a payload to a public file-sharing service such as WeTransfer or Microsoft OneDrive.
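The TLD-swap pattern described above (a registrable name copied from a real organization, with the top-level domain changed to ".us", ".co" or ".biz") is easy to screen for at the mail gateway. The following Python is an added example, not code from Google TAG or the TechCrunch report; the allowlist entries, the sample From: headers and the `CAMPAIGN_TLDS` set are constructed for illustration, and the domain splitting is deliberately naive (it does not handle multi-part public suffixes such as .co.uk).

```python
from typing import Optional

# Constructed allowlist: domains of organizations this tenant legitimately
# exchanges mail with (hypothetical names, not from the article).
KNOWN_DOMAINS = {"acme-widgets.com", "northwind-traders.net"}

# Top-level domains the article reports the group swapping in.
CAMPAIGN_TLDS = {"us", "co", "biz"}


def split_domain(domain: str):
    """Split 'label.tld' into (label, tld).  Naive: everything after the last
    dot is treated as the TLD, so suffixes such as .co.uk are not handled."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def impersonated_domain(sender_domain: str, known=KNOWN_DOMAINS) -> Optional[str]:
    """Return the known domain that sender_domain mimics by a TLD swap, or None."""
    sender_domain = sender_domain.lower()
    if sender_domain in known:
        return None
    label, tld = split_domain(sender_domain)
    for k in known:
        klabel, ktld = split_domain(k)
        if label == klabel and tld != ktld:
            return k
    return None


def sender_domain_of(from_header: str) -> str:
    """Extract the domain from a From: header value such as 'Jane <jane@x.com>'."""
    addr = from_header.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()


def scan_from_headers(headers):
    """Return [(sender_domain, impersonated_domain, tld_in_reported_list), ...]
    for every header whose domain is a TLD-swapped lookalike of a known domain."""
    findings = []
    for h in headers:
        dom = sender_domain_of(h)
        target = impersonated_domain(dom)
        if target is not None:
            _, tld = split_domain(dom)
            findings.append((dom, target, tld in CAMPAIGN_TLDS))
    return findings


# Constructed sample From: headers (not real messages).
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@acme-widgets.com>",     # legitimate partner
    "Jane Doe <jane.doe@acme-widgets.co>",      # TLD swapped to .co
    "Procurement <rfq@northwind-traders.biz>",  # TLD swapped to .biz
    "Newsletter <news@unrelated-vendor.org>",   # unrelated, not flagged
    "Jane Doe <jane.doe@acme-widgets.io>",      # swap outside the reported list, still flagged
]

if __name__ == "__main__":
    for finding in scan_from_headers(SAMPLE_HEADERS):
        print(finding)
```

The third element of each finding records whether the swapped TLD is one of those named in the report; a swap to any other TLD is still flagged, since the pattern, not the specific suffix, is what matters for triage.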
Data Storage

Russia Will Run Out of Data Storage In Two Months (bleepingcomputer.com) 138

"A little noticed side effect of all the sanctions Russia is under for its invasion of Ukraine is that related to IT," writes Slashdot reader quonset. "U.S. sanctions prohibit any technology transfers to the country, including computer chips. However, another issue is Russia is now cut off from cloud storage companies in the West. As a result, Russia is two months away from using up all its domestic storage capacity. Four options have been proposed to counter this issue. BleepingComputer reports: Last week, the Ministry of Digital Development amended the Yarovaya Law (2016) to suspend a yearly requirement for telecom operators to increase storage capacity allocations by 15% for anti-terrorist surveillance purposes. Another move that could free up space would be to demand ISPs abandon media streaming services and other online entertainment platforms that eat up precious resources. Thirdly, there's the option of buying out all available storage from domestic data processing centers. However, this will likely lead to further problems for entertainment providers who need additional storage to add services and content. Russia is also considering seizing IT servers and storage left behind by companies who pulled out of Russia and integrating them into public infrastructure. There is one more option mentioned in the report and it has to do with China. Russia could "tap into Chinese cloud service providers and IT system sellers," reports BleepingComputer, although China has yet to decide how much it's willing to help Russia.
Security

Nasty Linux Netfilter Firewall Security Hole Found (zdnet.com) 53

Sophos threat researcher Nick Gregory discovered a hole in Linux's netfilter firewall program that's "exploitable to achieve kernel code execution (via ROP [return-oriented programming]), giving full local privilege escalation, container escape, whatever you want." ZDNet reports: Behind almost all Linux firewall tools such as iptables; its newer version, nftables; firewalld; and ufw, is netfilter, which controls access to and from Linux's network stack. It's an essential Linux security program, so when a security hole is found in it, it's a big deal. [...] This problem exists because netfilter doesn't handle its hardware offload feature correctly. A local, unprivileged attacker can use this to cause a denial-of-service (DoS), execute arbitrary code, and cause general mayhem. Adding insult to injury, this works even if the hardware being attacked doesn't have offload functionality! That's because, as Gregory wrote to a security list, "Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don't have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails."

This vulnerability is present in the Linux kernel versions 5.4 through 5.6.10. It's listed as Common Vulnerabilities and Exposures (CVE-2022-25636), and with a Common Vulnerability Scoring System (CVSS) score of 7.8, this is a real baddie. How bad? In its advisory, Red Hat said, "This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat." So, yes, this is bad. Worse still, it affects recent major distribution releases such as Red Hat Enterprise Linux (RHEL) 8.x; Debian Bullseye; Ubuntu Linux; and SUSE Linux Enterprise 15.3. While the Linux kernel netfilter patch has been made, the patch isn't available yet in all distribution releases.

Google

Google's Domain Name Registrar is Out of Beta After Seven Years (engadget.com) 36

Seven long, long years ago, Google started offering users a way to buy a domain without having to deal with a host provider. Now, Google Domains is at last out of beta as a full-fledged product. Engadget: Google says, to date, millions of people have used the service to manage a domain. It has added more features and tools to Domains over the years. Folks in 26 countries can now use the full version of the service. [...] To mark the occasion of Domains becoming a fully formed entity, Google's offering new and returning users a discount until April 15th.
IT

DigitalOcean Acquires CSS-Tricks (digitalocean.com) 7

DigitalOcean, in a blog post: I am excited to announce that DigitalOcean has acquired the CSS-Tricks website, a learning site with 6,500 articles, videos, guides and other content focused on frontend development. CSS-Tricks will broaden and complement our existing library of content, furthering DigitalOcean's reach with both frontend and full-stack developers, and supports our community strategy, a key differentiator for DigitalOcean in the cloud computing space. CSS-Tricks will continue operating as a standalone site supported by DigitalOcean, and CSS-Tricks founder Chris Coyier will support CSS-Tricks in an advisory capacity.

At DigitalOcean we take great pride in our commitment to the developer and startup communities. We truly believe that our community is bigger than just us, and we have demonstrated this through our creation of more than 6,000 high-quality developer tutorials and approximately 30,000 community-generated questions & answers, hosting of community-focused events such as deploy, and support of the open source community through Hacktoberfest and other initiatives.

Security

Germany Warns Kaspersky Software Risks Being Exploited by Russia (bloomberg.com) 44

Germany warned against using anti-virus software from Moscow-based Kaspersky Lab due to risks it could be exploited by Russia for a cyber attack. From a report: The Federal Office for Information Security, or BSI, issued the warning on Tuesday, saying that companies and authorities with special security status and operators of critical infrastructure could be "particularly at risk." The danger has increased since Russia's invasion of Ukraine, the Bonn-based agency said in a press release, citing threats made by Moscow against NATO, the European Union and Germany. In 2017, the U.S. government banned all use of Kaspersky Lab software in federal information systems, citing concerns about the firm's links to the Russian government and espionage. The company denied any wrongdoing in that case and pushed back against Germany's move now.
Security

New CaddyWiper Data Wiping Malware Hits Ukrainian Networks (bleepingcomputer.com) 13

Newly discovered data-destroying malware was observed earlier today in attacks targeting Ukrainian organizations and deleting data across systems on compromised networks. BleepingComputer reports: "This new malware erases user data and partition information from attached drives," ESET Research Labs explained. "ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations." While designed to wipe data across Windows domains it's deployed on, CaddyWiper will use the DsRoleGetPrimaryDomainInformation() function to check if a device is a domain controller. If so, the data on the domain controller will not be deleted. This is likely a tactic used by the attackers to maintain access inside the compromised networks of organizations they hit while still heavily disturbing operations by wiping other critical devices.

While analyzing the PE header of a malware sample discovered on the network of an undisclosed Ukrainian organization, it was also discovered that the malware was deployed in attacks the same day it was compiled. "CaddyWiper does not share any significant code similarity with HermeticWiper, IsaacWiper, or any other malware known to us. The sample we analyzed was not digitally signed," ESET added. "Similarly to HermeticWiper deployments, we observed CaddyWiper being deployed via GPO, indicating the attackers had prior control of the target's network beforehand."

Encryption

Researcher Uses 379-Year-Old Algorithm To Crack Crypto Keys Found In the Wild (arstechnica.com) 17

An anonymous reader quotes a report from Ars Technica: Cryptographic keys generated with older software now owned by technology company Rambus are weak enough to be broken instantly using commodity hardware, a researcher reported on Monday. This revelation is part of an investigation that also uncovered a handful of weak keys in the wild. The software comes from a basic version of the SafeZone Crypto Libraries, which were developed by a company called Inside Secure and acquired by Rambus as part of its 2019 acquisition of Verimatrix, a Rambus representative said. That version was deprecated prior to the acquisition and is distinct from a FIPS-certified version that the company now sells under the Rambus FIPS Security Toolkit brand.

Researcher Hanno Böck said that the vulnerable SafeZone library doesn't sufficiently randomize the two prime numbers it used to generate RSA keys. (These keys can be used to secure Web traffic, shells, and other online connections.) Instead, after the SafeZone tool selects one prime number, it chooses a prime in close proximity as the second one needed to form the key. "The problem is that both primes are too similar," Böck said in an interview. "So the difference between the two primes is really small." The SafeZone vulnerability is tracked as CVE-2022-26320. Cryptographers have long known that RSA keys that are generated with primes that are too close together can be trivially broken with Fermat's factorization method. French mathematician Pierre de Fermat first described this method in 1643. Fermat's algorithm is based on the fact that any odd number can be expressed as the difference between two squares. When the factors are near the square root of the number, they can be calculated easily and quickly. The method isn't feasible when factors are truly random and hence far apart. The security of RSA keys depends on the difficulty of factoring a key's large composite number (usually denoted as N) to derive its two factors (usually denoted as P and Q). When P and Q are known publicly, the key they make up is broken, meaning anyone can decrypt data protected by the key or use the key to authenticate messages.
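To make the "difference of two squares" argument concrete, here is Fermat's method worked through in Python. This is an added example, not code from Ars Technica, from Böck's research, or from the SafeZone library: it builds two constructed moduli, one whose primes are adjacent (mimicking the flaw described) and one whose primes are far apart, and shows that the first factors on the very first step while the second does not finish within a bounded number of rounds. The `max_rounds` cap, the Miller-Rabin helper used to construct sample primes, and the `is_fermat_weak` wrapper are this example's own choices.

```python
from math import isqrt

# Miller-Rabin bases: deterministic for n < 3.3e24, a strong probable-prime
# test beyond that (ample for the constructed sample sizes below).
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin primality test with fixed bases."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest prime strictly greater than n (used only to build sample keys)."""
    n += 1
    while not is_probable_prime(n):
        n += 1
    return n


def fermat_factor(n: int, max_rounds: int = 100_000):
    """Fermat's factorization: find a, b with n = a^2 - b^2 = (a - b)(a + b).

    Start at a = ceil(sqrt(n)) and step a upward until a^2 - n is a perfect
    square.  For n = p*q the number of steps is about (sqrt(q) - sqrt(p))^2 / 2,
    so primes that are close together fall out almost immediately, while primes
    of the same size that are far apart never finish within a practical bound.
    Returns (p, q) with p <= q, or None when max_rounds is exhausted.
    """
    if n % 2 == 0:
        return (2, n // 2)
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_rounds):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return (a - b, a + b)
        a += 1
    return None


def is_fermat_weak(n: int, max_rounds: int = 100_000) -> bool:
    """Defender's check for a public RSA modulus: True if Fermat's method
    recovers a non-trivial factorization within max_rounds steps."""
    result = fermat_factor(n, max_rounds)
    return result is not None and 1 < result[0] < n


# Constructed sample moduli (not keys from any real device or key server).
# N_WEAK mimics the flaw in the article: the second prime is the next prime
# after the first.  N_STRONG uses two 128-bit primes that are far apart.
P_WEAK = next_prime(1 << 127)
Q_WEAK = next_prime(P_WEAK)
N_WEAK = P_WEAK * Q_WEAK

P_STRONG = P_WEAK
Q_STRONG = next_prime((1 << 127) + (1 << 126))
N_STRONG = P_STRONG * Q_STRONG

if __name__ == "__main__":
    print("weak modulus recovered:", fermat_factor(N_WEAK) == (P_WEAK, Q_WEAK))
    print("strong modulus within bound:", fermat_factor(N_STRONG))
    print("is_fermat_weak(N_WEAK):", is_fermat_weak(N_WEAK))
```

For the weak modulus, ceil(sqrt(N)) is already (P + Q) / 2, so the first round yields b = (Q - P) / 2 and the factors follow; that is why the check costs essentially nothing to run across a large key collection, and why a bounded round count is the right way to screen for this weakness without turning the scan into a general factoring attempt.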

So far, Böck has identified only a handful of keys in the wild that are vulnerable to the factorization attack. Some of the keys belong to printers originally branded as Fuji Xerox and now belonging to Canon. Printer users can use the keys to generate a Certificate Signing Request. The creation date for the keys was 2020 or later. The weak Canon keys are tracked as CVE-2022-26351. Böck also found four vulnerable PGP keys, typically used to encrypt email, on SKS PGP key servers. A user ID tied to the keys implied they were created for testing, so he doesn't believe they're in active use. Böck said he believes all the keys he found were generated using software or methods not connected to the SafeZone library. If true, other software that generates keys might be easily broken using the Fermat algorithm. It's plausible also that the keys were generated manually, "possibly by people aware of this attack creating test data." The researcher found the keys by searching through billions of public keys that he either had access to, were shared with him by other researchers, or that were available through certificate transparency programs.
UPDATE: The headline incorrectly stated that a "600-Year-Old Algorithm" was used. It's been changed to "379-Year-Old-Algorithm" to reflect the updated headline on Ars.
Microsoft

Microsoft is Testing Ads in the Windows 11 File Explorer (bleepingcomputer.com) 164

Microsoft has begun testing promotions for some of its other products in the File Explorer app on devices running its latest Windows 11 Insider build. From a report: The new Windows 11 "feature" was discovered by a Windows user and Insider MVP who shared a screenshot of an advertisement notification displayed above the listing of folders and files in File Explorer, the Windows default file manager. As shown in the screenshot, Microsoft will use such ads to promote other Microsoft products, for instance, about how to "write with confidence across documents, email, and the web with advanced writing suggestions from Microsoft Editor." As you can imagine, the reaction to this was adverse, to say the least, with some saying that "File Explorer [is] one of the worst places to show ads," while others added that this is the way to go if Microsoft wants "people ditching Explorer for something else."
Security

Ukraine Ethical Hackers Bewildered as HackerOne Bug Bounty Platform Said To Halt Their Payouts (gadgets360.com) 28

Amid the ongoing disruption from Russia, some ethical hackers in Ukraine are feeling lost as bug bounty platform HackerOne has allegedly withheld their payouts. From a report: The loss due to the sudden halt is said to have mounted to hundreds and thousands of dollars. A few of the affected ethical hackers -- also known as cybersecurity researchers -- have taken the issue to social media. Some of them have also written to the platform to get clarity on why exactly it has disabled their payments in the middle of the humanitarian catastrophe in the country. Ethical hackers normally earn payouts ranging from tens and hundreds to over millions of dollars in the form of rewards through bug bounty platforms for reporting flaws in various Internet-based solutions. However, HackerOne is said to have suddenly stopped payouts for some Ukrainian hackers.

Earlier this month, HackerOne CEO Marten Mickos had announced, "[A]s we work to comply with the new sanctions, we'll withdraw all programmes for customers based in Russia, Belarus, and the occupied areas of Ukraine." On Monday, he clarified that the restrictions were for sanctioned regions - Russia and Belarus, not mentioning any clear details about the status of Ukraine. "That's a really weird situation," said independent security researcher Bob Diachenko, who has been associated with the San Francisco, California-based platform for the last two to three years now. The security researcher tweeted on Sunday that HackerOne stopped paying bounties worth around $3,000 for the flaws he reported. Alongside stopping payouts, HackerOne has removed its 'Clear' status from all Ukraine accounts. The status essentially allows ethical hackers to participate in private programmes run by various companies to earn a minimum of $2,000 for a high-severity vulnerability or $5,000 for a critical one. It requires a background check for researchers to participate in the listed programmes.

AMD

Intel Finds Bug In AMD's Spectre Mitigation, AMD Issues Fix (tomshardware.com) 44

"News of a fresh Spectre BHB vulnerability that only impacts Intel and Arm processors emerged this week," reports Tom's Hardware, "but Intel's research around these new attack vectors unearthed another issue."

"One of the patches that AMD has used to fix the Spectre vulnerabilities has been broken since 2018." Intel's security team, STORM, found the issue with AMD's mitigation. In response, AMD has issued a security bulletin and updated its guidance to recommend using an alternative method to mitigate the Spectre vulnerabilities, thus repairing the issue anew....

Intel's research into AMD's Spectre fix begins in a roundabout way — Intel's processors were recently found to still be susceptible to Spectre v2-based attacks via a new Branch History Injection variant, this despite the company's use of the Enhanced Indirect Branch Restricted Speculation (eIBRS) and/or Retpoline mitigations that were thought to prevent further attacks. In need of a newer Spectre mitigation approach to patch the far-flung issue, Intel turned to studying alternative mitigation techniques. There are several other options, but all entail varying levels of performance tradeoffs. Intel says its ecosystem partners asked the company to consider using AMD's LFENCE/JMP technique. The "LFENCE/JMP" mitigation is a Retpoline alternative commonly referred to as "AMD's Retpoline."

As a result of Intel's investigation, the company discovered that the mitigation AMD has used since 2018 to patch the Spectre vulnerabilities isn't sufficient — the chips are still vulnerable. The issue impacts nearly every modern AMD processor spanning almost the entire Ryzen family for desktop PCs and laptops (second-gen to current-gen) and the EPYC family of datacenter chips....

In response to the STORM team's discovery and paper, AMD issued a security bulletin (AMD-SB-1026) that states it isn't aware of any currently active exploits using the method described in the paper. AMD also instructs its customers to switch to using "one of the other published mitigations (V2-1 aka 'generic retpoline' or V2-4 aka 'IBRS')." The company also published updated Spectre mitigation guidance reflecting those changes [PDF]....

AMD's security bulletin thanks Intel's STORM team by name and notes that it engaged in coordinated vulnerability disclosure, thus allowing AMD enough time to address the issue before making it known to the public.

Thanks to Slashdot reader Hmmmmmm for submitting the story...
United States

Critical US Companies Will Soon Be Required to Report All Breaches and Ransomware to the DHS (apnews.com) 16

"Companies critical to U.S. national interests will now have to report when they're hacked or they pay ransomware, according to new rules approved by Congress," reports the Associated Press: The rules are part of a broader effort by the Biden administration and Congress to shore up the nation's cyberdefenses after a series of high-profile digital espionage campaigns and disruptive ransomware attacks. The reporting will give the federal government much greater visibility into hacking efforts that target private companies, which often have skipped going to the FBI or other agencies for help. "It's clear we must take bold action to improve our online defenses," Sen. Gary Peters, a Michigan Democrat who leads the Senate Homeland Security and Government Affairs Committee and wrote the legislation, said in a statement on Friday.

The reporting requirement legislation was approved by the House and the Senate on Thursday and is expected to be signed into law by President Joe Biden soon. It requires any entity that's considered part of the nation's critical infrastructure, which includes the finance, transportation and energy sectors, to report any "substantial cyber incident" to the government within three days and any ransomware payment made within 24 hours....

The legislation designates the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency as the lead agency to receive notices of hacks and ransomware payments.... The new rules also empower CISA to subpoena companies that fail to report hacks or ransomware payments, and those that fail to comply with a subpoena could be referred to the Justice Department for investigation.
