Bug

Mysterious Mac Pro Shutdowns Likely Caused By Chrome Update (tomshardware.com) 91

A faulty Google Chrome update is likely to blame for the issue Monday that resulted in Mac Pro workstations being rendered unusable at a number of Hollywood studios. "We recently discovered that a Chrome update may have shipped with a bug that damages the file system on MacOS machines," the company wrote in a forum post. "We've paused the release while we finalize a new update that addresses the problem." Variety reports: Reports of Mac Pro workstations refusing to reboot started to circulate among video editors late Monday. At the time, the common denominator among impacted machines seemed to be the presence of Avid's Media Composer software. The issue apparently knocked out dozens of machines at multiple studios, with one "Modern Family" reporting that the show's entire editing team was affected. Avid's leadership updated users of its software throughout the day, advising them to back up their work and not to reboot their machines.

The real culprit was apparently a recent release of Google's Keystone software, which is included in its Chrome browser to automatically download updates of the browser. On computers that had Apple's System Integrity Protection disabled, the update corrupted the computer's file system, making it impossible to reboot. System Integrity Protection is an Apple technology that is meant to ensure that malicious software doesn't corrupt core system files. Google advised affected users on how to uninstall the Chrome update, and also suggested that most users may not be at risk at all. "If you have not taken steps to disable System Integrity Protection and your computer is on OS X 10.9 or later, this issue cannot affect you," the forum post reads. A possible connection to Chrome was first detailed on the Mr. Macintosh blog Tuesday afternoon.
As for why several Hollywood studios were hit the hardest, one theory suggests it's because many of the video editors had to disable System Integrity Protection in order to work with external audio and video devices that are common in professional editing setups.

Variety also suggests that the hardware dongles used for licensing Avid may have played some role in the shut-downs.
Security

Hackers Looking Into Injecting Card Stealing Code on Routers, Rather Than Websites (zdnet.com) 25

Security researchers at IBM have found evidence that hackers have been working on creating malicious scripts they can deploy on commercial-grade "Layer 7" routers to steal payment card details. From a report: This discovery is a game-changer in what researchers call Magecart attacks, also known as web skimming. These are attacks where hackers plant malicious code on an online store that records and steals payment card details. Until now, Magecart-specific code was only delivered at the website level, hidden inside JavaScript or PHP files. However, this new discovery is an escalation of Magecart attacks to a new level, where the malicious code is injected at the router level, rather than being added by hackers on outdated websites.

Layer 7, or L7, routers are a type of commercial, heavy-duty router that's usually installed on large networks, such as hotels, malls, airports, casinos, government networks, public spaces, and others. They work like any other router, except with the added benefit of being able to manipulate traffic at the seventh layer (application level) of the OSI networking model -- meaning they can react to traffic based on more than just IP addresses, such as cookies, domain names, browser types, and more. In a report published today, researchers with the IBM X-Force Incident Response and Intelligence Services (IRIS) team said they found evidence that a well-known hacker group has been testing Magecart scripts to deploy on L7 routers.

Network

Cloudflare Relaunches Its Security-Focused Mobile VPN Warp (cloudflare.com) 19

tearmeapart writes (edited to add more details): Cloudflare is opening up its security and speed-focused mobile VPN service called WARP and WARP Plus to the general public. WARP is a mobile app for Android and Apple to establish a VPN to CloudFlare's huge global network. Cloudflare is promising:
1. No user-identifiable log data to disk;
2. No selling browsing data;
3. No need to provide any personal information
4. Regularly get audited.
This is the second time Cloudflare is launching Warp. The VPN builds on Cloudflare's existing mobile app 1.1.1.1, which encrypts domain name system connections. But Warp goes beyond this protection to encrypt the whole journey from your device to a web server and back -- even if the website itself still isn't offering HTTPS web encryption. And all of this happens quickly, without draining your battery, and without complicated setup. In an interview with Wired, Cloudflare CEO Matthew Prince said: Yeah, what we thought was going to be easy back in April turned out to be a lot harder than we expected. We had been testing this primarily in San Francisco and Austin and London, which is where the teams that were working on this are based. But as soon as users started to get anywhere that didn't have a fairly reliable internet connection, just all hell broke loose. The report adds: In describing the hurdles Cloudflare faced getting Warp off the ground, John Graham-Cumming, the company's chief technology officer, and Dane Knecht, its head of product strategy, note that many of the challenges came from dealing with interoperability issues between mobile device models, operating system versions, and different mobile network and Wi-Fi configurations around the world. For example, Warp is built on a newer secure communication protocol for VPNs known as WireGuard, which isn't ubiquitous yet and therefore isn't always natively supported by devices. The team also faced challenges dealing with web protocols and standards that are implemented inconsistently across different wireless carriers and internet service providers around the world. Cloudflare's 1.1.1.1 focuses on encrypting DNS connections specifically, but Warp aims to encompass everything in one protected tunnel. Keeping everything together as data traverses the labyrinth of servers that make up the internet, including Cloudflare's own massive network, was tough. Warp is free to use without any bandwidth caps or limitations. But Warp Plus, which is being offered through a monthly subscription fee, offers a "faster version of Warp that you can optionally pay for. The fee for Warp Plus varies by region and is designed to approximate what a McDonald's Big Mac would cost in the region. On iOS, the Warp Plus pricing as of the publication of this post is still being adjusted on a regional basis, but that should settle out in the next couple days. Warp Plus uses Cloudflare's virtual private backbone, known as Argo, to achieve higher speeds and ensure your connection is encrypted across the long haul of the Internet. We charge for it because it costs us more to provide," the company said in the blog post.
IOS

Apple Says a Bug May Grant 'Full Access' To Third-Party Keyboards By Mistake (techcrunch.com) 52

Apple is warning users of a bug in iOS 13 and iPadOS involving third-party keyboards. From a report: In a brief advisory posted Tuesday, the tech giant said the bug impacts third-party keyboards which have the ability to request "full access" permissions. iOS 13 was released last week. Both iOS 13.1 and iPadOS 13.1, the new software version for iPads, are out today. Third-party keyboards can either run as standalone, or with "full access" they can talk to other apps or get internet access for additional features, like spell check. But "full access" also allows the keyboard maker to capture to its servers keystroke data or anything you type -- like emails, messages or passwords. This bug, however, may allow third-party keyboards to gain full access permissions -- even if it was not approved.
Desktops (Apple)

Mysterious Avid Issue Knocks Out Mac Pro Workstations Across Hollywood (variety.com) 98

A possible computer virus attack has knocked out Mac Pro workstations for many film and TV editors across Los Angeles. According to Variety, the issue -- which is causing the workstations to refuse to reboot -- is widespread among users of Mac Pro computers running older versions of Apple's operating system as well as Avid's Media Composer software. From the report: Avid said in a statement that it was aware of the issue: "Avid is aware of the reboot issue affecting Apple Mac Pro devices running some Avid products, which arose late yesterday. This issue is top priority for our engineering and support teams, who have been working diligently to determine and resolve the root cause. As we learn more, we will immediately publish information -- directly to our customers and via our community forums and social media platforms -- in order to resolve this issue for all affected customers and prevent any further issues."

"A lot of L.A. post shops and people out on shows having their Macs slowly crash," reported video post-production consultant Matt Penn on Twitter. Freelance film editor Marcus Pun reposted a message from a popular Avid Facebook user group, advising users not to turn off their workstations. Other users reported that multiple computers at their company were affected by the issue, with social media chatter indicating that a number of different companies, and even major shows like "Modern Family," were affected by the issue.
UPDATE: The issue appears to be caused by a Google Chrome update gone haywire.
Security

Russian State Hackers Rarely Share Code With One Another (zdnet.com) 31

Russia's state-sponsored hacking groups rarely share code with one another, and when they do, it's usually within groups managed by the same intelligence service, a new joint report published today reveals. From a report: This report, co-authored by Check Point and Intezer Labs, is a first of its kind in its field. The two companies looked at nearly 2,000 malware samples that were previously linked to Russia state-sponsored hacking groups, in order to get an idea of how these malware samples related to each other. Their investigation found 22,000 connections and 3.85 million pieces of code that were shared among the malware strains. The conclusion of this vast research effort was the revelation that Russian APTs (advanced persistent threat, a term used to describe government-backed hacking groups) don't usually share code with one another. Furthermore, in the rare instances they do, code reuse usually occurs inside the same intelligence service, showing that Russia's three main agencies that are in charge of foreign cyber-espionage operations don't collaborate for their campaigns.
Security

Busy North Korean Hackers Have New Malware To Target ATMs (arstechnica.com) 25

Hackers widely believed to work for North Korea's hermit government have developed a new strain of malware that steals data used at automatic teller machines in India, researchers from Kaspersky Lab said on Monday. Ars Technica reports: One piece of malware, dubbed ATMDtrack by researchers with the Moscow-based security firm, has been targeting Indian ATMs since last Summer. It allows its operators to read and store data associated with cards that are inserted into infected ATMs. As researchers with the Moscow-based security firm investigated further, they found that the ATM malware was part of a larger remote-access trojan that carries out traditional espionage activities. Dubbed "Dtrack," it was used as recently as this month to target financial institutions and research centers.

Dtrack payloads were carefully encrypted with utilities known as packers, which made it hard for researchers to forensically analyze the malware. As the researchers analyzed the memory of infected devices, they found that that both ATMDtrack and Dtrack shared unique code sequences. When company researchers peeled away the layers of encryption and began analyzing the final payload, they saw pieces of code that were first used in a 2013 attack that wiped the hard drives of South Korean banks and broadcasters. The campaign, known as DarkSeoul, was eventually tied to Lazarus Group, the main hacking arm of the North Korean government.

Bug

Startups Are Using Insect Larvae To Produce Protein-Rich Ingredients For Animals (nytimes.com) 57

An anonymous reader quotes a report from The New York Times: AgriProtein is among a small number of start-ups that are using insect larvae to produce protein-rich ingredients for animal feed. This nascent industry could help feed a growing human population in a way that's less damaging to the environment. Protix opened one of the world's largest insect farms in June in the Netherlands, while other producers, including Enviroflight, Ynsect and AgriProtein, are building large facilities to turn billions of insects into animal protein every month. Large farming companies like Cargill and Wilbur-Ellis are also investing in this sector. By breeding insects in vertical farms, these companies can produce large amounts of feed in less space than traditional farms, their proponents say. Proponents say this industry makes sense from a biological standpoint because insects are part of the natural diet of many animals, especially chicken and fish.

Despite the possibilities, the insect protein industry faces many challenges. Regulatory hurdles have hampered its growth in Europe and the United States, where black soldier fly products can be used to feed poultry and some fish species but not other animals, and there is no regulatory approval for the use of other insect species for this purpose. But companies are confident that regulators in the United States will lift those restrictions soon.
The report notes that black soldier fly larvae is favored by the "insect protein" industry because it "can become 200 times bigger after eating organic waste for 10 days."
Yahoo!

Yahoo Data-Breach Settlement: You'll Get $100, If You're Lucky 36

People who had Yahoo accounts between 2012 and 2016 can now apply for a cash payment of $100, but the final amount you receive could be more or less than $100 depending on how many people file claims. From a report: It's also possible to file claims for up to $25,000 if you can document actual out-of-pocket losses and lost time due to the breach. However, actual payouts for all claims could be much lower if the total amount claimed exceeds what's available from the $117.5 million settlement. The settlement class potentially includes up to 194 million people, so these amounts would be paid in full only if the vast majority of eligible people don't ask for money. The settlement website lets all class members choose from at least two years of free credit monitoring services or the $100 cash payment. While that amount isn't guaranteed, just like in the Equifax settlement, at least the Yahoo settlement website makes that clear up front.
Security

Cloudflare Has a New Plan To Fight Bots -- and Climate Change (techcrunch.com) 28

Cloudflare is ratcheting up its fight against bots with a new "fight mode," which it says will frustrate and disincentivize bot operators from their malicious activity. From a report: Bots are notorious for scraping websites and abusing developer access to download gobs of user data. All too often bots try to game the system by scraping concert or airline ticket prices to buy in bulk at their lowest price and sell them off for higher. Worse, some imitate real users and brute-force their way into websites with lists of stolen passwords. Cloudflare gets three billion bot requests each day. Now the company said it's "decided to fight back."

Its new "bot fight mode," which Cloudflare today enabled as a free opt-in feature for all accounts, will detect and serve bots with deliberately computationally intensive challenges. As the bot tries to crunch the impossible puzzle -- effectively a small bit of code only visible to the bot -- the bot's server will max out its processing power, churning up cloud resources and driving up costs for the bot operator. While the company says its efforts will dissuade bot activities in the long run, it recognizes its efforts in the short term will result in cloud servers working overtime, thus consuming more electricity and requiring more cooling -- all of which contribute to greater energy consumption.

IOS

iOS 13 Ships With Known Lockscreen Bypass Flaw That Exposes Contacts (arstechnica.com) 19

An anonymous reader quotes a report from Ars Technica: Apple released iOS 13 with a bunch of new features. But it also released the new OS with something else: a bug disclosed seven days ago that exposes contact details without requiring a passcode or biometric identification first. Independent researcher Jose Rodriguez published a video demonstration of the flaw exactly one week ago. It can be exploited by receiving a FaceTime call and then using the voiceover feature from Siri to access the contact list. From there, an unauthorized person could get names, phone numbers, email addresses, and any other information stored in the phone's contacts list. An Apple representative told Ars the bypass will be fixed in iOS 13.1, scheduled for release on Sept. 24.
Advertising

VPN Apps With 500M+ Installs Caught Serving Disruptive Ads To Android Users (thenextweb.com) 14

New submitter screwdriver1 shares a report from The Next Web: In a yet another instance of Android adware, New Zealand-based independent security researcher Andy Michael found four apps with cumulative downloads of over 500 million that not only serve ads while running the background, but are also placed outside the apps, including the home screen. The apps in question are Hotspot VPN, Free VPN Master, Secure VPN, and Security Master by Cheetah Mobile. It's notable that all these apps originate from Hong Kong and China, where citizens have typically relied on VPNs to get around the Great Firewall. The apps are live on the Play Store to this date. But in an interesting twist, the apps containing the adware were all VPN or antivirus apps, suggesting that developers are increasingly banking on users' trust in security-related apps to commit "outside ad fraud."

Google has a strict policy with regards to adware and disruptive ads in general. "We don't allow apps that contain deceptive or disruptive ads. Ads must only be displayed within the app serving them. We consider ads served in your app as part of your app. The ads shown in your app must be compliant with all our policies." The company, when reached for a response, said it would take action on the apps if they're indeed found in violation of its policies.
Some VPN apps lie to us and Google shouldn't allow it.
Security

47% of Organizations Have Cyber Insurance, Up From 34% in 2017: Study (zdnet.com) 28

Cyberattacks are now considered by most execs to be the top business concern, far outranking economic uncertainty, brand damage, and regulation, according to a survey by insurance consultancy Marsh and tech giant Microsoft. From a report: The global survey of over 1,500 business leaders illustrates the rapid change in business leaders' perceived risks to their organizations and shows that having a cyber insurance policy is now more common than two years ago. In 2017, Marsh and Microsoft found that 62% of respondents saw cyberattacks as a top-five risk, whereas this year 79% do. The share of respondents who see cyber attacks as the number one risk has also risen from 6% to 22% over two years. This year, the second most widely considered top-five risk is economic uncertainty, followed by brand damage, regulation, and loss of key personnel. [...] According to Marsh and Microsoft's survey, 47% of organizations have cyber insurance [PDF], up from 34% in 2017. Additionally, 57% of large firms with annual revenues of over $1bn report having cyber insurance compared with 36% of organizations with revenues below $100m. Nearly all respondents, totaling 89%, are confident their cyber insurance policy would cover the cost of a cyber event.
Botnet

World's Most Destructive Botnet Returns With Stolen Passwords and Email In Tow (arstechnica.com) 30

An anonymous reader quotes a report from Ars Technica: If you've noticed an uptick of spam that addresses you by name or quotes real emails you've sent or received in the past, you can probably blame Emotet. It's one of the world's most costly and destructive botnets -- and it just returned from a four-month hiatus. A post published on Tuesday by researchers from Cisco's Talos security team helps explain how Emotet continues to threaten so many of its targets.

Spam sent by Emotet often appears to come from a person the target has corresponded with in the past and quotes the bodies of previous email threads the two have participated in. Emotet gets this information by raiding the contact lists and email inboxes of infected computers. The botnet then sends a follow-up email to one or more of the same participants and quotes the body of the previous email. It then adds a malicious attachment. The result: malicious messages that are hard for both humans and spam filters to detect. The use of previously sent emails isn't new, since Emotet did the same thing before it went silent in early June. But with its return this week, the botnet is relying on the trick much more. About 25% of spam messages Emotet sent this week include previously sent emails, compared with about 8% of spam messages sent in April.
"To make sending the spam easier, Emotet also steals the usernames and passwords for outgoing email servers," the report adds. "Those passwords are then turned over to infected machines that Emotet control servers have designated as spam emitters. The Talos researchers found almost 203,000 unique pairs that were collected over a 10-month period."

Malwarebytes says Emotet has brought back another tactic where it refers to targets by name in subject lines. "Once opened, the documents attached to the emails claim that, effective September 20, 2019, users can only read the contents after they have agreed to a licensing agreement for Microsoft Word," reports Ars Technica. "And to do that, according to a post from security firm Cofense, users must click on an Enable Content button that turns on macros in Word."

"After Office macros are enabled, Emotet executables are downloaded from one of five different payload locations," Cofense researchers Alan Rainer and Max Gannon wrote. "When run, these executables launch a service that looks for other computers on the network. Emotet then downloads an updated binary and proceeds to fetch TrickBot if a (currently undetermined) criteria of geographical location and organization are met."
Security

Two Years Later, Hackers Are Still Breaching Local Government Payment Portals 5

Two years after hackers first started targeting local government payment portals, attacks are still going on, with eight cities having had their Click2Gov payment portals compromised in the last month alone, security researchers from Gemini Advisory have revealed in a report shared with ZDNet today. From the news report: These new hacks have allowed hackers to get their hands on over 20,000 payment card details belonging to US citizens, which are now being traded on the dark web, the cyber-security firm said. Click2Gov is a web-based portal sold by Central Square, formerly known as Superion, to US and Canadian municipalities, small and large alike. It comes as a cloud-based offering and in a self-hosted version. Once up and running, Click2Gov provides a self-service portal where US citizens can pay taxes and bills. Such portals are widespread across the US and are not only used by locals, but also by Americans living across the country to pay bills and taxes for property they own in other cities or states. In 2017, a hacker group began targeting self-hosted Click2Gov portals that had been lagging behind with software patches.
IOS

Apple's iOS 13 Just Launched But iOS 13.1, iPadOS Arrive Next Week (cnet.com) 51

Apple's latest iPhone software, iOS 13, is now available -- but on Tuesday, you'll already be able to download the first update, iOS 13.1. And you'll be able to revitalize your iPad with Apple's software created for its tablets. From a report: Apple may be best known for its hardware, but it's really the seamless integration of its devices with its software that's set it apart from rivals. The company's ability to control every aspect of its products -- something that began when Steve Jobs and Steve Wozniak founded Apple in 1976 -- has been key in making Apple the most powerful company in tech. The company's mobile software, iOS, gets revamped every year and launches when its latest phones hit the market. Starting Tuesday, you'll also be able to download the first update to the software, as well as the new iPadOS software tailored for Apple's tablets. iOS 13 brings a dedicated dark mode, a new swipe keyboard and a revamped Photos app (complete with video editing tools). iOS 13.1 will bring bug fixes and will let you share your ETA with friends and family members through Apple Maps. Siri shortcuts can be added to automations, and you can set up triggers to run any shortcut automatically.
Security

Exposed RDP Servers See 150K Brute-Force Attempts Per Week (techrepublic.com) 51

Slashdot reader Cameyo shares a report from TechRepublic: Remote Desktop Protocol (RDP) is -- to the frustration of security professionals -- both remarkably insecure and indispensable in enterprise computing. The September 2019 Patch Tuesday round closed two remote code execution bugs in RDP, while the high-profile BlueKeep and DejaBlue vulnerabilities from earlier this year have sent IT professionals in a patching frenzy. With botnets brute-forcing over 1.5 million RDP servers worldwide, a dedicated RDP security tool is needed to protect enterprise networks against security breaches. Cameyo released on Wednesday an open-source RDP monitoring tool -- appropriately titled RDPmon -- for enterprises to identify and secure against RDP attacks in its environment. The tool provides a visualization of the total number of attempted RDP connections to servers, as well as a view of the currently running applications, the number of RDP users, and what programs those users are running, likewise providing insight to the existence of unapproved software. RDPmon operates entirely on-premise, the program data is not accessible to Cameyo.

Customers of Cameyo's paid platform can also utilize the RDP Port Shield feature, also released Wednesday, which opens RDP ports for authenticated users by setting IP address whitelists in Windows Firewall when users need to connect. RDP was designed with the intent to be run inside private networks, not accessible over the internet. Despite that, enterprise use of RDP over the internet is sufficiently widespread that RDP servers are a high-profile, attractive target for hackers.
The report says Cameyo found that Windows public cloud machines on default settings -- that is, with port 3389 open -- experience more than 150,000 login attempts per week.
Encryption

The FBI Tried To Plant a Backdoor in an Encrypted Phone Network (vice.com) 29

The FBI tried to force the owner of an encrypted phone company to put a backdoor in his devices, Motherboard has learned. From the report: The company involved is Phantom Secure, a firm that sold privacy-focused BlackBerry phones and which ended up catering heavily to the criminal market, including members of the Sinaloa drug cartel, formerly run by JoaquÃn "El Chapo" Guzman. The news signals some of the tactics law enforcement may use as criminals continue to leverage encrypted communications for their own ends. It also comes as Canadian media reported that a former top official in the Royal Canadian Mounted Police (RCMP), who has been charged with leaking state secrets, offered to sell information to Vincent Ramos, Phantom's CEO.

"He was given the opportunity to do significantly less time if he identified users or built in/gave backdoor access," one source who knows Ramos personally and has spoken with him about the issue after his arrest told Motherboard. A backdoor is a general term for some form of technical measure that grants another party, in this case the FBI, surreptitious access to a computer system. What exactly the FBI was technically after is unclear, but the desire for a backdoor was likely to monitor Phantom's clients.

Security

Crypto-mining Malware Saw New Life Over the Summer as Monero Value Tripled (zdnet.com) 10

Malware that mines cryptocurrency made a comeback over the summer, with an increased number of campaigns being discovered and documented by cyber-security firms. From a report: The primary reason for this sudden resurgence is the general revival of the cryptocurrency market, which saw trading prices recover after a spectacular crash in late 2018. Monero, the cryptocurrency of choice of most crypto-mining malware operations, was one of the many cryptocurrencies that were impacted by this market slump. The currency also referred to as XMR, has gone down from an exchange rate that orbited around $300 - $400 in late 2017 to a meager $40 - $50 at the end of 2018. But as the Monero trading price recovered throughout 2018, tripling its value from $38 at the start of the year, to nearly $115 over the summer, so have malware campaigns.

These are criminal operations during which hackers infect systems with malware that's specifically designed to secretly mine Monero behind the computer owner's back. Starting with the end of May, the number of reports detailing crypto-mining campaigns published by cyber-security firms has exploded, with a new report published each week, and sometimes new campaigns being uncovered on a daily basis.

Security

Researchers Uncover 125 Vulnerabilities Across 13 Routers and NAS Devices (helpnetsecurity.com) 26

Independent Security Evaluators (ISE) discovered a total of 125 different security vulnerabilities across 13 IoT devices, likely affecting millions of consumers. Help Net Security reports: In nearly all the devices (12 of the 13), ISE achieved its goal of obtaining remote root-level access. The table below shows the types of vulnerabilities that ISE identified in the targets. All 13 of the devices evaluated by ISE had at least one web application vulnerability such as cross-site scripting (XSS), operating system command injection (OS CMDi), or SQL injection (SQLi) that could be leveraged by an attacker to get remote access to the device's shell or gain access to the device's administrative panel. ISE obtained root shells on 12 of the devices, allowing complete control over the device.

Six of them can be remotely exploited without authentication: the Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU. "We found that many of these issues were trivial to exploit and should have been discovered even in a rudimentary vulnerability assessment," says ISE founder Stephen Bono. "This indicates that these manufacturers likely undergo no such assessment whatsoever, that the bug bounty programs they employ are ineffective, that vulnerability disclosures sent to them are not addressed, or more likely, all of the above."

Slashdot Top Deals