My Weekly RoundUp #130

A lot happened last week, folks!

But, first, don’t panic!

Don’t Panic: The comprehensive Ars Technica guide to the coronavirus

More than 100,000 people have been infected with a new coronavirus that has spread widely from its origin in China over the past few months. More than 3,000 have already died. Our comprehensive guide for understanding and navigating this global public health threat is below.

This is a rapidly developing epidemic, and we will update this guide regularly to keep you as prepared and informed as possible.

ArsTechnica

“The Hitchhiker’s Guide To The Galaxy” turns 42

EVERY YEAR the world celebrates the anniversaries of masterworks and maestros. In 2020 there will be a host of events and publications commemorating the lives of Ludwig van Beethoven, Raphael, Charles Dickens, Anne Brontë and William Wordsworth. Such milestones usually come in neat multiples of 50. The 42nd anniversary of anything is rarely observed.

The Economist

Privacy

No, Facebook is not telling you everything

In 2018, following the Cambridge Analytica scandal, Facebook announced the “Download Your Information” feature allowing users to download all the information that the company has on them since the creation of the account. All of it? It doesn’t seem so. Concerns were quickly raised when Facebook released the feature, that the information was inaccurate and incomplete.

Privacy International recently tested the feature to download all ‘Ads and Business’ related information (you can access it by clicking on Settings > Your Facebook Information > Download Your Information). This is meant to tell users which advertisers have been targeting them with ads and under which circumstances. We found that information provided is less than accurate. To put it simply, this tool is not what Facebook claims. The list of advertisers is incomplete and changes over time.

Privacy International

Project Svalbard, Have I Been Pwned and its Ongoing Independence

This is going to be a lengthy blog post so let me use this opening paragraph as a summary of where Project Svalbard is at: Have I Been Pwned is no longer being sold and I will continue running it independently. After 11 months of a very intensive process culminating in many months of exclusivity with a party I believed would ultimately be the purchaser of the service, unexpected changes to their business model made the deal infeasible. It wasn’t something I could have seen coming nor was it anything to do with HIBP itself, but it introduced a range of new and insurmountable barriers. So that’s the tl;dr, let me now share as much as I can about what’s been happening since April 2019 and how the service will operate in the future.

Troy Hunt

Cybersecurity

This Unpatchable Flaw Affects All Intel CPUs Released in Last 5 Years

All Intel processors released in the past 5 years contain an unpatchable vulnerability that could allow hackers to compromise almost every hardware-enabled security technology otherwise designed to shield sensitive data of users even when a system gets compromised.

The vulnerability, tracked as CVE-2019-0090, resides in the hard-coded firmware running on the ROM (“read-only memory”) of Intel’s Converged Security and Management Engine (CSME), which can’t be patched without replacing the silicon.

The Hacker News

Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys

Researchers from KU Leuven in Belgium and the University of Birmingham in the UK earlier this week revealed new vulnerabilities they found in the encryption systems used by immobilizers, the radio-enabled devices inside of cars that communicate at close range with a key fob to unlock the car’s ignition and allow it to start. Specifically, they found problems in how Toyota, Hyundai, and Kia implement a Texas Instruments encryption system called DST80.

Wired

Expert publicly discloses Zoho ManageEngine zero-day on Twitter

A security expert has disclosed details about a zero-day vulnerability in a Zoho enterprise product via Twitter, a circumstance that could cause serious problems to customers of the company.

The flaw affects Zoho ManageEngine Desktop Central endpoint management solution that helps organizations in managing servers, laptops, desktops, smartphones, and tablets from a central location.


Alleged Vault 7 leaker trial finale: Want to know the CIA’s password for its top-secret hacking tools? 123ABCdef

[…]
The password for the Confluence virtual machine that held all the hacking tools that were stolen and leaked? That’ll be 123ABCdef. And the root login for the main DevLAN server? mysweetsummer.

It actually gets worse than that. Those passwords were shared by the entire team and posted on the group’s intranet. IRC chats published during the trial even revealed team members talking about how terrible their infosec practices were, and joked that CIA internal security would go nuts if they knew. Their justification? The intranet was restricted to members of the Operational Support Branch (OSB): the elite programming unit that makes the CIA’s hacking tools.

TheRegister

Researchers Claim CIA Was Behind 11-Year-Long Hacking Attacks Against China

Qihoo 360, one of the most prominent cybersecurity firms, today published a new report accusing the U.S. Central Intelligence Agency (CIA) of being behind an 11-year-long hacking campaign against several Chinese industries and government agencies.

The targeted industry sectors include aviation organizations, scientific research institutions, petroleum, and Internet companies—which, if true, gives the CIA the ability to do “unexpected things.”

According to the researchers, these cyberattacks were carried out between September 2008 and June 2019, and most of the targets were located in Beijing, Guangdong, and Zhejiang.

“We speculate that in the past eleven years of infiltration attacks, the CIA may have already grasped the most classified business information of China, even of many other countries in the world,” the researchers said.

The Hacker News

Critical MediaTek rootkit affecting millions of Android devices has been out in the open for months

On the first Monday of every month, Google publishes the Android Security Bulletin, a page that discloses all the security vulnerabilities and their patches submitted by Google themselves or other third-parties. Today was no exception: Google just made public the Android Security Bulletin for March 2020. One of the vulnerabilities that are documented in the latest bulletin is CVE-2020-0069, a critical security exploit, specifically a rootkit, that affects millions of devices with chipsets from MediaTek, the large Taiwanese chip design company. Although the March 2020 Android Security Bulletin is seemingly the first time that CVE-2020-0069 has been publicly disclosed, details of the exploit have actually been sitting openly on the Internet—more specifically, on the XDA-Developers forums—since April of 2019. Despite MediaTek making a patch available a month after discovery, the vulnerability is still exploitable on dozens of device models. Even worse, the vulnerability is actively being exploited by hackers.

XDA

How Shodan Has Been Improved to Help Protect Energy Utilities

Shodan is a well-known security hacking tool that has even been showcased on the popular Mr. Robot TV show. While Shodan can potentially be used by hackers, it can also be used for good to help protect critical infrastructure, including energy utilities.

At the RSA Conference in San Francisco, Michael Mylrea, Director of Cybersecurity R&D (ICS, IoT, IIoT) at GE Global Research, led a session titled “Shodan 2.0: The World’s Most Dangerous Search Engine Goes on the Defensive,” where he outlined how Shodan has been enabled to help utilities identify risks in critical energy infrastructure. Shodan, to the uninitiated, is a publicly available search engine tool that crawls the internet looking for publicly exposed devices.

Infosecurity Magazine

Let’s Encrypt to Revoke Millions of TLS Certs

Popular free certificate authority Let’s Encrypt said it will revoke 3 million Transport Layer Security (TLS) certificates Wednesday, because of a Certificate Authority Authorization (CAA) bug. The move could mean that millions of websites and machine identities that rely on those certificates to protect sensitive data flow could be identified as insecure, or rendered unavailable.

Certificate users contacted by Threatpost said they were notified of the revocation Tuesday and given 24 hours to resolve the issue.

“I manage 200 domains across 20 servers and have until the end of the day to fix the problem,” said Mark Engelhardt, IT consultant with Intuitive Engineering, in Montpelier, Vt. “Let’s Encrypt did not handle this in an ideal fashion at all.”

ThreatPost

Technology

Folding@home takes up the fight against COVID-19/2019-NCOV

We need your help! Folding@home is joining researchers around the world working to better understand the 2019 Coronavirus (2019-nCoV) to accelerate the open science effort to develop new life-saving therapies. By downloading Folding@home, you can donate your unused computational resources to the Folding@home Consortium, where researchers are working to advance our understanding of the structures of potential drug targets for 2019-nCoV that could aid in the design of new therapies. The data you help us generate will be quickly and openly disseminated as part of an open science collaboration of multiple laboratories around the world, giving researchers new tools that may unlock new opportunities for developing lifesaving drugs.

Folding@home

Tech firms push telework as Amazon employee confirmed with coronavirus

The spread of the novel coronavirus is doing for tech firms what no other argument for remote work apparently could, as Google, Facebook, and others are asking employees to stay home while they do their jobs.

Those policies are looking ever more like sensible precautions, as this week Amazon has confirmed that an employee based in Seattle tested positive for the virus. The employee apparently went home feeling sick on February 25 and has not returned to the office since. Two Amazon employees based in Italy also are confirmed to have contracted the virus.

Ars Technica

Canada’s Auditor General: “Our Main IT System Is Running on DOS”

Canada’s auditor general has said outdated technology, staffing issues, and a chronic lack of funding are making it difficult for his office to fulfill its mandate. 

Speaking at a meeting of the country’s Public Accounts committee on Thursday, Sylvain Ricard bemoaned the fact that his office was forced to rely on antiquated computer systems that pose a security threat.

Ricard, who took up the auditor general position in March 2019, told the committee: “Our main IT system is running on DOS. That creates all sorts of issues for us, both in a security perspective and an operational perspective because they’re not supported anymore.”

Infosecurity Magazine

Science

SETI@home Search for Alien Life Project Shuts Down After 21 Years

SETI@home has announced that they will no longer be distributing new work to clients starting on March 31st as they have enough data and want to focus on completing their back-end analysis of the data.

SETI@home is a distributed computing project where volunteers contribute their CPU resources to analyze radio data from the Arecibo radio telescope in Puerto Rico and the Green Bank Telescope in West Virginia for signs of extraterrestrial intelligence (SETI).

Run by the Berkeley SETI Research Center since 1999, SETI@home has been a popular project where people from all over the world have been donating their CPU resources to process small chunks of data, or “jobs”, for interesting radio transmissions or anomalies. This data is then sent back to the researchers for analysis.

BleepingComputer

Honeywell claims to have created the most powerful quantum computer to date

Last year was big for quantum computers. Google claimed that it had achieved quantum supremacy, but IBM was skeptical of it. Now, Honeywell claims that it has created the world’s most powerful quantum computer to date.

With a breakthrough in technology after the demonstration of the firm’s charge coupled device (QCCD), the industry giant has announced that by mid-2020, it will be releasing a quantum computer with a quantum volume of at least 64, which is twice that of IBM Q’s System One.

Honeywell wrote:

Our quantum computer will be the most powerful available because it will have at least double the quantum volume of alternatives.

Neowin

Entertainment


Neil Gaiman narrates teaser for forthcoming Sandman audio drama

Last summer, we reported that a TV adaptation of Neil Gaiman’s seminal graphic novel series, The Sandman, was in development at Netflix. Now comes news that we’ll be getting a multi-part audio drama adaptation of the series in the interim, via Audible Original. Audio adaptations of beloved properties used to be a rare occurrence—NPR’s 1981 radio drama of the original Star Wars trilogy springs to mind. But in an era where we’re all plugging into podcasts on a regular basis, such adaptations make a new kind of sense.

ArsTechnica
