Slashdot security articles

US Government Staff Told To Treat Huawei as Blacklisted

Wed, 07/03/2019 - 06:08
A senior U.S. official told the Commerce Department's enforcement staff this week that China's Huawei should still be treated as blacklisted, days after U.S. President Donald Trump sowed confusion with a vow to ease a ban on sales to the firm. From a report: Trump surprised markets on Saturday by promising Chinese President Xi Jinping on the sidelines of the G20 summit in Japan that he would allow U.S. companies to sell products to Huawei Technologies. In May, the company was added to the so-called Entity List, which bans American firms from selling to it without special permission, as punishment for actions against U.S. national security interests. Trump's announcement on Saturday -- an olive branch to Beijing to revive stalled trade talks -- was cheered by U.S. chipmakers eager to maintain sales to Huawei, the world's largest telecoms equipment maker and a key U.S. customer. But Trump's comments also spawned confusion among industry players and government officials struggling to understand what Huawei policy he had unveiled. In an email to enforcement staff on Monday that was seen by Reuters, John Sonderman, Deputy Director of the Office of Export Enforcement, in the Commerce Department's Bureau of Industry and Security (BIS), sought to clarify how agents should approach license requests by firms seeking approval to sell to Huawei.

Security Flaws In a Popular Smart Home Hub Let Hackers Unlock Front Doors

Tue, 07/02/2019 - 18:10
In new research published Tuesday, security researchers Chase Dardaman and Jason Wheeler found three security flaws which, when chained together, could be abused to open a front door with a smart lock. TechCrunch reports: Dardaman and Wheeler began looking into the ZipaMicro, a popular smart home hub developed by Croatian firm Zipato, some months ago, but only released their findings once the flaws had been fixed. The researchers found they could extract the hub's private SSH key for "root" -- the user account with the highest level of access -- from the memory card on the device. Anyone with the private key could access a device without needing a password, said Wheeler. They later discovered that the private SSH key was hardcoded in every hub sold to customers -- putting at risk every home with the same hub installed. Using that private key, the researchers downloaded a file from the device containing scrambled passwords used to access the hub. They found that the smart hub uses a "pass-the-hash" authentication system, which doesn't require knowing the user's plaintext password, only the scrambled version. By taking the scrambled password and passing it to the smart hub, the researchers could trick the device into thinking they were the homeowner. All an attacker had to do was send a command to tell the lock to open or close. With just a few lines of code, the researchers built a script that locked and unlocked a smart lock connected to a vulnerable smart hub.
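The "pass-the-hash" weakness described above, modelled in Python as an added example (this is not Zipato's code; the unsalted SHA-256 credential store for the weak scheme, and the encrypted transport that carries the password in the hardened scheme, are assumptions made for the demo):

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 100_000
# Constructed homeowner password for the demo; not data from any real hub.
OWNER_PASSWORD = "correct horse battery staple"


def enrol_weak(password: str) -> str:
    """Weak scheme (assumed): the hub stores an unsalted SHA-256 of the
    password and later accepts that same digest as the login credential."""
    return hashlib.sha256(password.encode()).hexdigest()


def weak_login(stored_digest: str, presented_digest: str) -> bool:
    """Pass-the-hash: the client sends the digest, the hub compares it with
    the stored digest.  Whatever sits in the credential file is therefore
    plaintext-equivalent; reading the file (as the researchers did over SSH
    with the shared root key) is enough to authenticate."""
    return hmac.compare_digest(stored_digest, presented_digest)


def enrol_strong(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Hardened scheme: keep a salted, iterated verifier.  The verifier is
    only ever compared against, never accepted as a credential."""
    salt = os.urandom(16) if salt is None else salt
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "verifier": verifier}


def strong_login(record: Dict[str, bytes], presented_password: str) -> bool:
    """The hub must receive the password itself (over its encrypted
    transport, assumed here), recompute the verifier and compare in
    constant time.  A stolen verifier cannot be replayed."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", presented_password.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["verifier"])


def demo() -> Dict[str, bool]:
    """Run both schemes for the homeowner and for an attacker who has only
    copied the credential store off the device."""
    weak_store = enrol_weak(OWNER_PASSWORD)
    strong_store = enrol_strong(OWNER_PASSWORD)
    return {
        # Homeowner's client derives the digest from the real password.
        "owner_weak": weak_login(weak_store, enrol_weak(OWNER_PASSWORD)),
        # Attacker replays the copied digest without knowing the password.
        "attacker_weak": weak_login(weak_store, weak_store),
        # Homeowner presents the password; the attacker can only present the
        # copied verifier (hex-encoded), which is not the password.
        "owner_strong": strong_login(strong_store, OWNER_PASSWORD),
        "attacker_strong": strong_login(strong_store, strong_store["verifier"].hex()),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The design rule the weak scheme breaks: whatever the server stores must never be the same thing the client transmits, otherwise a copy of the store is a copy of every password. The shared root SSH key is a separate defect (one key per device, not one per product line) that merely made the store easy to copy.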

Elizabeth Warren Accuses Advisory Panel For FCC of Corruption

Tue, 07/02/2019 - 16:50
An anonymous reader quotes a report from CNET: A panel that provides policy advice to the Federal Communications Commission is "stacked with corporate insiders," Democratic presidential candidate Elizabeth Warren said Monday. She cited a blog post by the Project On Government Oversight (POGO), which showed more than half of all Communications Security, Reliability and Interoperability Council (CSRIC) members are direct employees of private companies or of industry trade groups. This could lead to allegations that rather than working for American consumers, the FCC is working for "giant telecom companies", Warren, a Democratic senator from Massachusetts, tweeted Monday. "This is the definition of corruption: industry members writing the rules to benefit themselves & their rich friends," she added in another tweet. Sen. Warren has called on FCC Chair Ajit Pai to "explain the extent to which CSRIC may be corrupted by corporate influence." A letter from Warren and Rep. Pramila Jayapal dated June 27, spotted earlier by The Hill, asks for information (PDF) from Pai on whether the panel is "inappropriately dominated by industry insiders." "The industry-dominated personnel on the panel have recommended policies that are directly in line with the wishes of the companies from which their members are drawn," the letter says, adding that POGO says a lack of expertise among FCC members means they rely increasingly on the panel's recommendations.

'Motorola Has Let Me Down For the Last Time'

Tue, 07/02/2019 - 15:30
Jerry Hildenbrand, writing for AndroidCentral: If you're ever in the mood to think about a "how the mighty have fallen" story, you need to look no further than Motorola. The company used to be at the forefront of technology in everything digital, but buyouts, restructuring, and eventually becoming another OEM nameplate has left Motorola little more than a memory that old tech dudes like me will fondly look back with melancholy reflections of the good old days. If I sound bitter, it's because I am, just a little. [...] The company has had a very poor record regarding updates since it was sold to Lenovo; both the big grand Android platform updates and the important but overlooked security patch updates. This compounds the whole issue, as the only realistic chance Z2 Force owners have to get those critically important updates they have missed is when they are bundled into the Android 9 release. These patches have no glitz or glamour associated, but they are the types of updates that keep you and your personal information safer. I've mentioned it before and I'll say it again: manufacturers owe us security patches on a regular basis if they expect us to owe them our allegiance.

Oracle On Why It Thinks AWS Winning Pentagon's $10 Billion Jedi Cloud Contract Stinks

Tue, 07/02/2019 - 12:50
An anonymous reader quotes a report from The Register: Ahead of its first day in a U.S. federal claims court in Washington DC, Oracle has outlined its position against the Pentagon's award of the Joint Enterprise Defense Infrastructure (JEDI) cloud contract to Amazon Web Services. Big Red's lengthy filing questions the basis of Uncle Sam's procurement procedure as well as Amazon's hiring of senior Department of Defense staff involved in that procurement process. Oracle's first day in court is set for 10 July. The JEDI deal could be worth up to $10 billion over 10 years. The Department of Defense handed the contract to AWS after deciding that only Amazon and Microsoft could meet the minimum security standards required in time. Oracle's filing said that U.S. "warfighters and taxpayers have a vested interest in obtaining the best services through lawful, competitive means... Instead, DoD (with AWS's help) has delivered a conflict-ridden mess in which hundreds of contractors expressed an interest in JEDI, over 60 responded to requests for information, yet only the two largest global cloud providers can clear the qualification gates." The company said giving JEDI, with its "near constant technology refresh requirements", to just one company was in breach of procurement rules. It accused the DoD of gaming the metrics used in the process to restrict competition for the contract. Oracle also accused Amazon of breaking the rules by hiring two senior DoD staff, Deap Ubhi and Anthony DeMartino, who were involved in the JEDI procurement process. Ubhi is described as "lead PM." A third name is redacted in the publicly released filing. The DoD, which is expected to make an offer to settle the case in late August, said in a statement: "We anticipate a court decision prior to that time. The DoD will comply with the court's decision. While the acquisition and litigation processes are proceeding independently the JEDI implementation will be subject to the determination of the court." The 50-page filing can be found here (PDF).

Choice To Pay Ransomware Might Be Simpler Than You'd Think

Tue, 07/02/2019 - 10:50
The conventional wisdom about ransomware is that when local governments pay the ransom, it encourages more criminals to launch more attacks. But that's not necessarily the case, experts say. From a report: The costs of recovering from a ransomware attack are often greater than the cost of the ransom. The victims of ransomware attacks are typically targets of opportunity, and cities generally aren't the primary targets. Corporations are -- and they often pay up. "The fact is, paying a ransom does not create a market," said Forrester Research's Josh Zelonis. "There already is a market." Riviera Beach and Lake City, Florida, paid a combined $1.1 million in ransom over about a week in June. Meanwhile, Atlanta spent $17 million restoring systems rather than pay a $50,000 ransom last year. Baltimore is likely to spend $10 million restoring its own systems after refusing to pay a $75,000 ransom this year. The disruption to its city services may cost another $8 million. For some cities, the best response might be to pay the ransom, then use the millions of dollars that would have been spent on recovery to strengthen cyber defenses before the next attack. "If you don't learn from the past, you will end up being ransomed again," said Deborah Golden, the new head of Deloitte's cyber consultancy. Whether a city pays, doesn't pay, or has yet to be attacked, prevention will often save money.

China Is Forcing Tourists To Install Text-Stealing Malware at its Border

Tue, 07/02/2019 - 08:06
Foreigners crossing certain Chinese borders into the Xinjiang region, where authorities are conducting a massive campaign of surveillance and oppression against the local Muslim population, are being forced to install a piece of malware on their phones that gives all of their text messages as well as other pieces of data to the authorities, a collaboration by Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and the German public broadcaster NDR has found. From the report: The Android malware, which is installed by a border guard when they physically seize the phone, also scans the tourist or traveller's device for a specific set of files, according to multiple expert analyses of the software. The files authorities are looking for include Islamic extremist content, but also innocuous Islamic material, academic books on Islam by leading researchers, and even music from a Japanese metal band. In no way is the downloading of tourists' text messages and other mobile phone data comparable to the treatment of the Uighur population in Xinjiang, who live under the constant gaze of facial recognition systems, CCTV, and physical searches. [...] The malware news shows that the Chinese government's aggressive style of policing and surveillance in the Xinjiang region has extended to foreigners, too. "[This app] provides yet another source of evidence showing how pervasive mass surveillance is being carried out in Xinjiang. We already know that Xinjiang residents -- particularly Turkic Muslims -- are subjected to round-the-clock and multidimensional surveillance in the region," Maya Wang, China senior researcher at Human Rights Watch, said. "What you've found goes beyond that: it suggests that even foreigners are subjected to such mass, and unlawful surveillance."

Senate Passes Cybersecurity Bill To Decrease Grid Digitization, Move Toward Manual Control

Mon, 07/01/2019 - 18:03
On June 27, the U.S. Senate passed a bipartisan cybersecurity bill that will study ways to replace automated systems with low-tech redundancies to protect the country's electric grid from hackers. Called the Securing Energy Infrastructure Act (SEIA), the bill establishes a two-year pilot program identifying new security vulnerabilities and researching and testing solutions, including "analog and nondigital control systems." The U.S. Department of Energy would be required to report back to Congress on its findings. Utility Dive reports: The increase in distributed energy resources can serve load more efficiently, but also offers potential attackers more potential entry points. "Our connectivity is a strength that, if left unprotected, can be exploited as a weakness," Sen. Angus King, I-Maine, who sponsored the bill with Sen. Jim Risch, R-Idaho, said in a statement. Sens. Susan Collins, R-Maine, Martin Heinrich, D-N.M., and Mike Crapo, R-Idaho cosponsored the bill. The House measure is being introduced by Reps. Dutch Ruppersberger, D-Md., and John Carter, R-Texas.

Florida City Fires IT Employee After Paying Ransom Demand Last Week

Mon, 07/01/2019 - 17:25
Officials from Lake City, Florida, fired an IT employee last week after the city was forced to approve a gigantic ransomware payment of nearly $500,000 last Monday. The employee, whose name was not released, was fired on Friday, according to local media reports, who cited the Lake City mayor. ZDNet reports: Lake City's IT network was infected with malware on June 10. The city described the incident as a "triple threat." In reality, an employee opened a document they received via email, which infected the city's network with the Emotet trojan, which later downloaded the TrickBot trojan, and later, the Ryuk ransomware. The latter spread to the city's entire IT network and encrypted files. Hackers eventually demanded a ransom to let the city regain access to its systems. The city's leadership approved a ransom payment last Monday, which was paid the next day, on Tuesday. The city's IT staff started decrypting files on the same day.

Germany To Publish Standard on Modern Secure Browsers

Mon, 07/01/2019 - 12:01
Germany's cyber-security agency is working on a set of minimum rules that modern web browsers must comply with in order to be considered secure. From a report: The new guidelines are currently being drafted by the German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik -- BSI), and they'll be used to advise government agencies and companies from the private sector on what browsers are safe to use. A first version of this guideline was published in 2017, but a new standard is being put together to account for improved security measures added to modern browsers, such as HSTS, SRI, CSP 2.0, telemetry handling, and improved certificate handling mechanisms -- all mentioned in a new draft released for public debate last week. According to the BSI's new draft, to be considered "secure," a modern browser must meet the following requirements, among others: it must support TLS; it must have a list of trusted certificates; it must support extended validation (EV) certificates; it must verify loaded certificates against a Certificate Revocation List (CRL) or via the Online Certificate Status Protocol (OCSP); it must use icons or color highlights to show when communications with a remote server are encrypted or in plaintext; connections to remote websites running on expired certificates must be allowed only after specific user approval; and it must support HTTP Strict Transport Security (HSTS) (RFC 6797). Further reading: Germany and the Netherlands To Build the First Ever Joint Military Internet.
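What the last requirement actually obliges a client to do is spelled out in RFC 6797, and it interacts with the expired-certificate rule: an HSTS header received over a connection with certificate errors must be ignored. The following Python is an added example of that client-side processing (a header parser plus a Known HSTS Hosts store); it is not BSI's or any browser's code, and the injectable clock and the header values used in the comments are constructed for the demo.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

# RFC 7230 token characters; directive values may also be quoted-strings.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_DIRECTIVE = re.compile(rf'^({_TOKEN})(?:\s*=\s*({_TOKEN}|"(?:[^"\\]|\\.)*"))?$')


def parse_sts_header(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one Strict-Transport-Security field value (RFC 6797 section 6.1).
    Returns {directive-name (lower-cased): value-or-None}, or None when the
    header must be ignored: bad syntax, a directive repeated, or no max-age.
    Splitting on ';' is a simplification: a quoted value containing ';'
    would be mis-parsed."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the ABNF permits empty directives
        match = _DIRECTIVE.match(part)
        if match is None:
            return None
        name = match.group(1).lower()
        if name in directives:
            return None  # "A given directive MUST NOT appear more than once"
        val = match.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        directives[name] = val
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None  # max-age is REQUIRED and must be a non-negative integer
    if "includesubdomains" in directives and directives["includesubdomains"] is not None:
        return None  # includeSubDomains is valueless
    return directives


@dataclass
class HstsPolicy:
    expires_at: float
    include_subdomains: bool


class HstsStore:
    """The client's list of Known HSTS Hosts, with an injectable clock so
    expiry can be exercised without waiting."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.known: Dict[str, HstsPolicy] = {}
        self.now = now

    def process_response(self, host: str, secure_transport: bool,
                         cert_errors: bool, sts_headers: List[str]) -> bool:
        """Section 8.1: the header only counts when received over TLS with no
        certificate warnings; if several STS headers arrive, only the first
        is processed.  Returns True when a policy was stored or removed."""
        if not secure_transport or cert_errors or not sts_headers:
            return False
        directives = parse_sts_header(sts_headers[0])
        if directives is None:
            return False
        max_age = int(directives["max-age"])  # validated by the parser
        host = host.lower()
        if max_age == 0:
            self.known.pop(host, None)  # max-age=0 revokes the policy
            return True
        self.known[host] = HstsPolicy(self.now() + max_age,
                                      "includesubdomains" in directives)
        return True

    def is_known(self, host: str) -> bool:
        """Sections 8.2 and 8.3: exact match, or a superdomain whose policy
        carries includeSubDomains; expired entries are dropped on the way."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.known.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= self.now():
                del self.known[candidate]
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str) -> str:
        """Section 8.3: upgrade http:// to https:// for a known host; an
        explicit port 80 becomes 443, any other explicit port is kept."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host):
            return url
        if parts.port == 80:
            netloc = f"{host}:443"
        elif parts.port is not None:
            netloc = f"{host}:{parts.port}"
        else:
            netloc = host
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The two checks a reviewer should look for in any HSTS implementation are both here: the header is discarded when the connection that carried it had certificate errors (otherwise an attacker with a bad certificate could pin the victim to a hostile policy), and a malformed or duplicated directive discards the whole header rather than being partially honoured.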

Linux Usage on Azure Has Surpassed Windows, Microsoft Developer Reveals

Mon, 07/01/2019 - 08:00
An anonymous reader shares a report: Three and a half years ago, Mark Russinovich, CTO of Azure, Microsoft's cloud, said, "One in four [Azure] instances are Linux." Next, in 2017, Microsoft revealed that 40% of Azure virtual machines (VM) were Linux-based. Then in the fall of 2018, Scott Guthrie, Microsoft's executive VP of the cloud and enterprise group, told me in an exclusive interview, "About half Azure VMs are Linux". Now, Sasha Levin, Microsoft Linux kernel developer, in a request that Microsoft be allowed to join a Linux security list, revealed that "the Linux usage on our cloud has surpassed Windows." Shocking you say? Not really. Linux is largely what runs enterprise computing, both on in-house servers and in the cloud. Windows Server has been declining for years. In the most recent IDC Worldwide Operating Systems and Subsystems Market Shares report covering 2017, Linux had 68% of the market. Its share has only increased since then.

An Automation Tipping Point? The Rise of 'Robotics as a Service'

Sun, 06/30/2019 - 17:34
"Robotics-as-a-service (RaaS) is about to eat the world of work," argues Hooman Radfar, a partner at the startup studio Expa who's been "actively investing in and looking for new companies" catalyzing the change: "Companies buy massive robots and software solutions that are customized -- at great cost -- to their specific needs. The massive conglomerates that sell these robots have dominated the field for decades, but that is about to change. One major factor driving this change is how dramatically globalization has reduced hardware production costs and capabilities. At the same time, cheap and powerful computing and cloud infrastructure are now also readily available and easy to spin up. As a result, vertical-specific, robotic-powered, solutions can today be offered as variable cost services versus being sold at a fixed cost. Just as cable companies include the costs of set-top boxes in their monthly bill, robots and their associated software will be bundled together and sold in a subscription package. This change to the robotics business model will have profound implications, radically transforming markets and at the same time changing the future of work. With a new variable cost model in place as a result of subscription packages, it's simple to calculate when a market is about to tip to favor RaaS. A market has hit its automation tipping point when an RaaS solution is introduced with a unit cost that is less than or equal to the unit cost for humans-in-the-loop to conduct the same task... One market that has already reached its automation tipping point is the enterprise building security market... Crop dusting ($70 billion), industrial cleaning ($78 billion), warehouse management ($21 billion), and many more service markets are tipping. When these sectors hit their automation tipping point, we will see the same level of industry disruption currently taking place in the building security market. The changes taking place in the enterprise will also deeply impact consumer markets, and ultimately society, in profound and potentially challenging ways. We are at the start of a massive shift in how work gets done." One study predicted the worldwide RaaS market would be $34.7 billion within three years, according to the article, which also explores how the building security market is already being disrupted. "Instead of manning a building with three to four people, you can have one human managing a few remote robots" -- at a cost that's 30% cheaper. "Moreover, all the data and insights collected via these robots is organized and made available for building and security optimization. It isn't just cheaper, it's better. There's no turning back -- this market has hit its automation tipping point."

Ask Slashdot: What's Your 'Backup' Browser?

Sun, 06/30/2019 - 15:34
Slashdot's gotten over 17,000 votes in its poll about which web browser people use on their desktop. (The current leader? Firefox, with 53% of the vote, followed by Chrome with 30%.) But Slashdot reader koavf asks an interesting follow-up question: "What's everyone's go-to Plan B browser and why?" To start the conversation, here's how James Gelinas (a contributor at Kim Komando's tech advice site) recently reviewed the major browsers: He calls Chrome "a safe, speedy browser that's compatible with nearly every page on the internet" but also says that Chrome "is notorious as a resource hog, and it can drastically slow your computer down if you have too many tabs open." "Additionally, the perks of having your Google Account connected to your browser can quickly turn into downsides for the privacy-minded among us. If you're uncomfortable with your browser knowing your searching and spending behaviors, Chrome may not be the best choice for you." He calls Firefox "the choice for safety". "Predating Chrome by 6 years, Firefox was the top choice for savvy Netizens in the early Aughts. Although Chrome has captured a large segment of its user base, that doesn't mean the Fox is bad. In fact, Mozilla is greatly appreciated by fans and analysts for its steadfast dedication to user privacy... Speedwise, Firefox isn't a slouch either. The browser is lighter weight than Chrome and is capable of loading some websites even faster." He calls Apple's Safari and Microsoft Edge "the default choice...because both of these browsers come bundled with new computers." "Neither one has glaring drawbacks, but they tend to lack some of the security features and extensions found in more popular browsers. Speedwise, however, both Edge and Safari are able to gain the upper hand against their competition. When it comes to startup time and functions, the apps are extremely lightweight on your system's resources. This is because they're part of the Mac and Windows operating systems, respectively, and are optimized for performance in that environment." Finally, he gives the Tor browser an honorable mention. ("It's still one of the best anonymous web browsers available. It's so reliable, in fact, that people living under repressive governments often turn to it for their internet needs -- installing it on covert USB sticks to use on public computers.") And he awards a "dishonorable mention" to Internet Explorer. ("Not only is the browser no longer supported by Microsoft, but it's also vulnerable to a host of malware and adware threats.") But what do Slashdot's readers think? Putting aside your primary desktop browser -- what's your own go-to "Plan B" web browser, and why? Leave your best answers in the comments. What's your "backup" browser?

Linus Torvalds Sees Lots of Hardware Headaches Ahead

Sun, 06/30/2019 - 07:34
Linux founder Linus Torvalds "warns that managing software is about to become a lot more challenging, largely because of two hardware issues that are beyond the control of DevOps teams," reports DevOps.com. An anonymous reader shares their report about Torvalds' remarks at the KubeCon + CloudNative + Open Source Summit China conference: The first, Torvalds said, is the steady stream of patches being generated for new cybersecurity issues related to the speculative execution model that Intel and other processor vendors rely on to accelerate performance... Each of those bugs requires another patch to the Linux kernel that, depending on when they arrive, can require painful updates to the kernel, Torvalds told conference attendees. Short of disabling hyperthreading altogether to eliminate reliance on speculative execution, each patch requires organizations to update both the Linux kernel and the BIOS to ensure security. Turning off hyperthreading eliminates the patch management issue, but also reduces application performance by about 15 percent. The second major hardware issue looms a little further over the horizon, Torvalds said. Moore's Law has guaranteed a doubling of hardware performance every 18 months for decades. But as processor vendors approach the limits of Moore's Law, many developers will need to reoptimize their code to continue achieving increased performance. In many cases, that requirement will be a shock to many development teams that have counted on those performance improvements to make up for inefficient coding processes, he said.
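The three levers in that paragraph (kernel patch, BIOS/microcode update, SMT off) are all visible from sysfs on a Linux host, which is where an operator should look before deciding what still needs doing. The following Python is an added example of that check, not code from the report or from the kernel project; it reads /sys/devices/system/cpu/vulnerabilities/* and /sys/devices/system/cpu/smt/control, and the sysfs snapshot it builds for the demo is constructed (the strings follow the kernel's reporting format but were not captured from a real machine).

```python
import tempfile
from pathlib import Path
from typing import Dict, List

VULN_REL = Path("sys/devices/system/cpu/vulnerabilities")
SMT_REL = Path("sys/devices/system/cpu/smt/control")

# Constructed snapshot: a kernel carrying the mitigations but a CPU whose
# microcode has not been updated, with hyperthreading left on.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
}


def build_sample_sysfs() -> Path:
    """Write the constructed snapshot into a temporary directory laid out
    like the real sysfs tree, so the report code can be run anywhere."""
    root = Path(tempfile.mkdtemp())
    (root / VULN_REL).mkdir(parents=True)
    for name, text in SAMPLE.items():
        (root / VULN_REL / name).write_text(text + "\n")
    (root / SMT_REL).parent.mkdir(parents=True)
    (root / SMT_REL).write_text("on\n")  # on, off, forceoff, notsupported, notimplemented
    return root


def mitigation_report(root: Path = Path("/")) -> Dict:
    """Read every vulnerability file and the SMT control knob under root.
    Pass Path('/') on a real host; the sample root for the demo."""
    vulns = {}
    vuln_dir = root / VULN_REL
    if vuln_dir.is_dir():
        for entry in sorted(vuln_dir.iterdir()):
            text = entry.read_text().strip()
            vulns[entry.name] = {
                "state": text,
                # The kernel prefixes a working mitigation with "Mitigation:";
                # "Not affected" means the CPU does not need one.
                "mitigated": text.startswith("Mitigation:") or text == "Not affected",
                # "no microcode" means the kernel side is present but the
                # CPU lacks the firmware half, i.e. a BIOS or microcode update.
                "needs_microcode": "no microcode" in text,
                "smt_vulnerable": "SMT vulnerable" in text,
            }
    smt_file = root / SMT_REL
    smt = smt_file.read_text().strip() if smt_file.is_file() else "unknown"
    return {"vulnerabilities": vulns, "smt": smt}


def recommend(report: Dict) -> List[str]:
    """Turn the raw states into the three possible actions."""
    actions = []
    for name, v in report["vulnerabilities"].items():
        if v["needs_microcode"]:
            actions.append(f"{name}: kernel mitigation present but CPU microcode missing; "
                           "update the BIOS/firmware or the distribution microcode package")
        elif not v["mitigated"]:
            actions.append(f"{name}: unmitigated ({v['state']}); update the kernel")
    smt_exposed = [n for n, v in report["vulnerabilities"].items() if v["smt_vulnerable"]]
    if report["smt"] == "on" and smt_exposed:
        actions.append("SMT is on while " + ", ".join(smt_exposed) + " report 'SMT vulnerable'; "
                       "consider 'echo off > /sys/devices/system/cpu/smt/control' or the "
                       "nosmt boot parameter, at a throughput cost")
    return actions


if __name__ == "__main__":
    for action in recommend(mitigation_report(build_sample_sysfs())):
        print(action)
```

Run with Path('/') as the root on a real host (the files are world-readable). The "no microcode" marker is the one to watch: it is the case the paragraph describes where the kernel has been patched but the machine is still exposed until the firmware side arrives.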

Nokia's CTO Accuses Huawei of Both 'Sloppiness' and 'Real Obfuscation'

Sun, 06/30/2019 - 06:34
Nokia's CTO Marcus Weldon "told the BBC that the UK should be wary of using the Chinese hardware" -- though Nokia rushed to assure the BBC that Weldon's remarks do "not reflect the official position of Nokia." Forbes reports: On the security front, Weldon referred to analysis suggesting Huawei equipment was far more likely to have vulnerabilities than technology from Nokia or Ericsson. "We read those reports and we think okay, we're doing a much better job than they are," Weldon said, describing Huawei's failings as serious and claiming Nokia's alternatives to be a safer bet. "Some of it seems to be just sloppiness, honestly, that they haven't patched things, they haven't upgraded. But some of it is real obfuscation, where they make it look like they have the secure version when they don't...." The comments from Nokia's CTO came in light of research from Finite State, which published a scathing report claiming that "Huawei devices quantitatively pose a high risk to their users. In virtually all categories we examined, Huawei devices were found to be less secure than those from other vendors making similar devices." And this included the potential backdoors that lie at the heart of the U.S. government's security case against the Chinese company. "Out of all the firmware images analyzed, 55% had at least one potential backdoor," Finite State found. "These backdoor access vulnerabilities allow an attacker with knowledge of the firmware and/or with a corresponding cryptographic key to log into the device." Nokia's later statement insisted that their company "is focused on the integrity of its own products and services and does not have its own assessment of any potential vulnerabilities associated with its competitors."

Sting Finds Ransomware Data Recovery Firms Are Just Paying The Ransom

Sat, 06/29/2019 - 23:34
"ProPublica recently reported that two U.S. firms, which professed to use their own data recovery methods to help ransomware victims regain access to infected files, instead paid the hackers. Now there's new evidence that a U.K. firm takes a similar approach." An anonymous reader quotes their report: Fabian Wosar, a cyber security researcher, told ProPublica this month that, in a sting operation he conducted in April, Scotland-based Red Mosquito Data Recovery said it was "running tests" to unlock files while actually negotiating a ransom payment. Wosar, the head of research at anti-virus provider Emsisoft, said he posed as both hacker and victim so he could review the company's communications to both sides. Red Mosquito Data Recovery "made no effort to not pay the ransom" and instead went "straight to the ransomware author literally within minutes," Wosar said. "Behavior like this is what keeps ransomware running." Since 2016, more than 4,000 ransomware attacks have taken place daily, or about 1.5 million per year, according to statistics posted by the U.S. Department of Homeland Security. Law enforcement has failed to stem ransomware's spread, and culprits are rarely caught... But clients who don't want to give in to extortion are susceptible to firms that claim to have their own methods of decrypting files. Often, victims are willing to pay more than the ransom amount to regain access to their files if they believe the money is going to a data recovery firm rather than a hacker, Wosar said. Red Mosquito charged its client four times the actual ransom amount, according to the report -- though after ProPublica followed up, the company "did not respond to emailed questions, and hung up when we called the number listed on its website." The company then also "removed the statement from its website that it provides an alternative to paying hackers. It also changed 'honest, free advice' to 'simple free advice,' and the 'hundreds' of ransomware cases it has handled to 'many.'"

AMD Cites 'Factual Errors', 'Omissions' in Critical Report on Its China Venture

Sat, 06/29/2019 - 15:34
Thursday the Wall Street Journal wrote a piece about AMD's joint venture with Chinese holding company THATIC -- titled "How a Big U.S. Chip Maker Gave China the 'Keys to the Kingdom'." The article argues that AMD "essentially granted China access to advanced processor IP that could be used to threaten U.S. national security," reports Forbes. But they add that the same day, AMD executive Harry Wolin wrote an angry blog post in response, complaining that the story "contains several factual errors and omissions and does not portray an accurate picture." Forbes reports: From Wolin's post, "Starting in 2015, AMD diligently and proactively briefed the Department of Defense, the Department of Commerce and multiple other agencies within the U.S. Government before entering into the joint ventures. AMD received no objections whatsoever from any agency to the formation of the joint ventures or to the transfer of technology -- technology which was of lower performance than other commercially available processors. In fact, prior to the formation of the joint ventures and the transfer of technology, the Department of Commerce notified AMD that the technology proposed was not restricted or otherwise prohibited from being transferred. Given this clear feedback, AMD moved ahead with the joint ventures." Not only does AMD claim it had the green light from multiple government entities to enter into the deal, the post claims that the WSJ article is simply wrong. "The Wall Street Journal story omits important factual details, including the fact that AMD put significant protections in place to protect its intellectual property (IP) and prevent valuable IP from being misused or reverse engineered to develop future generations of processors."

Microsoft Claims Unauthorized Repairing of Its Devices Would Be a Security Risk

Sat, 06/29/2019 - 11:41
In comments submitted to America's Federal Trade Commission, Microsoft says repairing its devices could jeopardize protections from the Trusted Platform Module (TPM) security chip. "Don't believe them," argues a group of information security professionals who support the right to repair. Slashdot reader chicksdaddy quotes their report: The statement was submitted ahead of Nixing the Fix, an FTC workshop on repair restrictions that is scheduled for mid-July... "The unauthorized repair and replacement of device components can result in the disabling of key hardware security features or can impede the update of firmware that is important to device security or system integrity," Microsoft wrote... "If the TPM or other hardware or software protections were compromised by a malicious or unqualified repair vendor, those security protections would be rendered ineffective and consumers' data and control of the device would be at risk. Moreover, a security breach of one device can potentially compromise the security of a platform or other devices connected to the network...." As we know: Firms like Microsoft, Lexmark, LG, Samsung and others use arguments like this all the time and then not too subtly imply that their authorized repair professionals are more trustworthy and honest than independent competitors. But that's just hot air. They have no data to back up those assertions and there's no way that their repair technicians are more trustworthy than owners, themselves... There's nothing inherent in repair or the things called for in right to repair laws like providing diagnostic software, diagnostic codes, schematics and replacement parts that puts the integrity of the TPM or the trust model it anchors at risk. Nor does the TPM require that the devices it secures remain pristine: using the same hardware and software configuration as when they were sold by the OEM. After all, TPMs are in Dell computers. Dell makes diagnostic software and diagnostic codes and schematics available for their hardware and I haven't heard Microsoft or anybody else suggest that a TPM on a repairable Dell laptop is any less secure than the TPM on an unrepairable Microsoft Surface.

Trump Relaxes US Ban On Selling To Huawei In Surprise G20 Concession

Sat, 06/29/2019 - 09:34
hackingbear tipped us off to a breaking news story. CNN reports: US President Donald Trump has appeared to soften his tone on Chinese communications giant Huawei, suggesting that he would allow the company to once again purchase U.S. technology. Speaking at a press conference in Osaka on Saturday, Trump said that the U.S. sells a "tremendous amount of product" to Huawei. "That's okay, we will keep selling that product," said Trump. "The (U.S.) companies were not exactly happy that they couldn't sell." Forbes points out "While it's not a lifting of the blanket ban, it will significantly benefit the Chinese manufacturer." ZDNet reports: This news just broke with comments made by Trump, including "U.S. companies can sell their equipment to Huawei. We're talking about equipment where there's no great national security problem with it." The details of this statement are still pending, but it is likely that 5G infrastructure equipment may still not be part of this access deal while the smartphone segment may be where we see open access. One Daily Beast contributor argues the action "appears to be a surrender to publicly issued Chinese demands." But TechCrunch writes that "any mutual trust has been broken and things are unlikely to be the same again."

New Mac Malware Abuses Recently Disclosed Gatekeeper Zero-Day

Sat, 06/29/2019 - 02:00
puddingebola writes: In May, security researcher Filippo Cavallarin made public a vulnerability in macOS's Gatekeeper. The vulnerability can allow an attacker to use a symlink and an NFS server to bypass Gatekeeper's authentication and run malicious code. The malware has been named OSX/Linker and has been tied to the same group that operates the OSX/Surfbuyer adware. All macOS versions are affected, including the latest 10.14.5, and Apple has yet to release a patch to this day, a full month after Cavallarin's public disclosure.