Slashdot security articles

Ask Slashdot: Do Older IT Workers Doing End-User Support Find It Gets Harder With Age?

Mon, 11/05/2018 - 17:10
Longtime Slashdot reader King_TJ writes: I've worked in I.T. for almost 30 years now in various capacities, from bench PC technician to web page designer, support specialist, network manager, and was self-employed for a while doing on-site service and consulting too. In all that time, I've always felt like I had a good handle on troubleshooting and problem-solving while providing good, friendly customer service at the same time. But recently, I've started feeling like there's just a little too much knowledge to keep straight in my brain. If I'm able to work on a project on my own terms, without interruptions or distractions? Sure, I can get almost anything figured out. But it's the stress of users needing immediate assistance with random problems, thrown out willy-nilly in the constant barrage of trouble tickets, that I'm starting to struggle with. For example, just this morning, a user had a question about whether or not she should open an email about quarantined junk mail to actually look through it. I briefly noted a screenshot she attached that showed a typical MS Office quarantined email message and replied that she could absolutely view them at her discretion. (I also noted that I tend to ignore and delete those myself, unless I'm actually expecting a specific piece of email that I didn't receive -- in case it was actually in the junk mail filter.) Well, that was the wrong answer, because that message was a nicely done phishing attempt; not a legit message -- and she tried to sign in through it. Then, I had to do a mad scramble to change her password and help her get the new one working on her phone and computer. With more time to think about what happened, I'm realizing now that I should have known the email was fake because we recently made some changes to our Office 365 environment so junk mail is going directly into Junk folders in Outlook -- and those types of messages aren't really coming in to people anymore. On top of that? 
We're trying to migrate people to using two-factor authentication so I was instructed to get this user on it while I'm changing her account info. Makes sense, but I had to dig all over to find our document with instructions on how to do that too. I just couldn't remember where they told me they saved the thing, several weeks ago, when they talked about creating the new document in one of our weekly meetings. Am I just getting old and starting to lose it? Is everybody feeling this way about I.T. support these days? Are things just changing at too quick a pace for anyone to stay on top of it all? I mean, in just the last few weeks, we've dealt with users failing to get their single sign-on passwords to work because something broke that only an upgrade to the latest build of Windows 10 corrected. We've had an office network go berserk and randomly drop people's Internet access, ability to print, etc. -- because one of the switches started intermittently failing under load. We've had online training to set up a new MDM solution, company-wide. And I had to single-handedly set up a new server running the latest version of vCenter for our ESXi servers. And all of that is while trying to get in some studying on the side to get my Security Plus cert., getting Macs with broken screens mailed out for service, a couple of new computers deployed, and accounts properly shut down for an employee who left, plus the usual grind of "mindless" tickets like requests to create new shared DropBox team folders for groups. It's a LOT to juggle, but I was pretty happy with my ability to keep all of it moving right along for years. Now -- I'm starting to have doubts.

Flaws in Self-Encrypting SSDs Let Attackers Bypass Disk Encryption

Mon, 11/05/2018 - 13:05
An anonymous reader writes: Researchers have found flaws that can be exploited to bypass hardware encryption in well known and popular SSD drives. Master passwords and faulty standards implementations allow attackers access to encrypted data without needing to know the user-chosen password. SSDs from Micron (Crucial) and Samsung are affected. These are SSDs that support hardware-level encryption via a local built-in chip, separate from the main CPU. Some of these devices have a factory-set master password that bypasses the user-set password, while other SSDs store the encryption key on the hard drive, from where it can be retrieved. The issue is worse on Windows, where BitLocker defers software-level encryption to hardware encryption-capable SSDs, meaning user data is vulnerable to attacks without the user's knowledge. More in the research paper.

File-Sharing Software On State Election Servers Could Expose Them To Intruders

Sun, 11/04/2018 - 12:20
An anonymous reader quotes a report from ProPublica: As recently as Monday, computer servers that powered Kentucky's online voter registration and Wisconsin's reporting of election results ran software that could potentially expose information to hackers or enable access to sensitive files without a password. The insecure service run by Wisconsin could be reached from internet addresses based in Russia, which has become notorious for seeking to influence U.S. elections. Kentucky's was accessible from other Eastern European countries. The service, known as FTP, provides public access to files -- sometimes anonymously and without encryption. As a result, security experts say, it could act as a gateway for hackers to acquire key details of a server's operating system and exploit its vulnerabilities. Some corporations and other institutions have dropped FTP in favor of more secure alternatives. Officials in both states said that voter-registration data has not been compromised and that their states' infrastructure was protected against infiltration. Still, Wisconsin said it turned off its FTP service following ProPublica's inquiries. Kentucky left its password-free service running and said ProPublica didn't understand its approach to security. "FTP is a 40-year-old protocol that is insecure and not being retired quickly enough," said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., and an advocate for better voting security. "Every communication sent via FTP is not secure, meaning anyone in the hotel, airport or coffee shop on the same public Wi-Fi network that you are on can see everything sent and received. And malicious attackers can change the contents of a transmission without either side detecting the change."

Old School 'Sniffing' Attacks Can Still Reveal Your Browsing History

Sun, 11/04/2018 - 09:17
An anonymous reader quotes a report from Motherboard: Most modern browsers -- such as Chrome, Firefox, and Edge, and even browsers such as FuzzyFox and DeterFox (different, security-focused versions of Firefox) -- have vulnerabilities that allow hosts of malicious websites to extract hundreds to thousands of URLs in a user's web history, per new research from the University of California San Diego. What's worse, the vulnerabilities are built into the way they structure links, meaning that major structural changes will have to take place in these browsers in order to protect user privacy. The only browser that was immune to the attacks was Tor Browser, as the browser does not keep track of a user's internet history. The vulnerabilities have to do with why, for instance, unclicked links appear blue while visited links appear violet: there's a different set of rules and style that apply to links depending on whether they've been visited or not. However, a bad actor building a web page can manipulate this faster loading time for visited links by "sniffing," or inferring your browsing history. In essence, sniffing is finding and exploiting proxies that reveal your web history. As outlined in the UC San Diego report, this sniffing could happen in a couple of ways: they could force the browser to reload multiple complex images or image transformations that differ based on whether you've visited a link or not, which would create drastic differences in the loading time for each. With this strategy, actors can test 60 sensitive URLs per second. Bad actors could exploit a "bytecode cache," which speeds up the loading time for revisiting a link that you've already visited. "By embedding a special script in a web page, the actor can test how long it takes for a web page to load and infer whether you've visited it or not," reports Motherboard. "Actors can probe 3,000 URLs per second with this method.
When the vulnerability was reported to Google, the company marked the issue as "security-sensitive" but "low-priority."

GM Is Getting Into the Electric Bike Business

Sun, 11/04/2018 - 08:16
General Motors is planning to bring two new electric bikes to the market in 2019; one will be folding and the other will be compact. TechCrunch reports: The bikes will be "smart" and "connected" and somehow inspired by GM's OnStar, the company's subscription-based communications, in-vehicle security and emergency services feature found in cars. Hannah Parish, director of General Motors Urban Mobility Solutions, wouldn't elaborate what that might look like. We'll have to wait until next year. The bikes are also equipped with safety features including rechargeable front and rear LED lights. And the electric propulsion on the bikes was designed by GM engineers who created a proprietary drive system. For now, GM is focused on naming the e-bikes. And it's turning to the public to help. The company launched a brand-naming campaign Friday as part of its broader e-bike announcement. The company launched a website where people can suggest names for the e-bikes and have the chance to win up to $10,000.

Equifax Extends Free Credit Monitoring -- But Outsources It To Experian

Sun, 11/04/2018 - 03:00
An anonymous reader quotes Krebs on Security: A year after offering free credit monitoring to all Americans on account of its massive data breach that exposed the personal information of nearly 148 million people, Equifax now says it has chosen to extend the offer by turning to a credit monitoring service offered by a top competitor -- Experian. And to do that, it will soon be sharing with Experian contact information that affected consumers gave to Equifax in order to sign up for the service... Equifax says it will share the name, address, date of birth, Social Security number and self-provided phone number and email address with Experian for anyone who signed up for its original TrustedID Premier offering. That is, unless those folks affirmatively opt-out of having that information transferred from Equifax to Experian. But not to worry, Equifax says: Experian already has most of this data. "Experian currently has and is using this information (except phone number and email address) in the fulfillment of the Experian file monitoring which is part of your current service with TrustedID Premier," Equifax wrote in its email. Krebs also points out the big problem with all credit monitoring services: "while they might let you know when someone has stolen your identity, they're not likely to prevent that from occurring in the first place." The best mechanism for preventing identity thieves from creating and abusing new accounts in your name is to freeze your credit file with Experian, Equifax and TransUnion. This process is now free for all Americans, and simply blocks potential creditors from viewing your credit file. Since very few creditors are willing to grant new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to stop all sorts of ID theft shenanigans... 
All three big bureaus tout their credit lock services as an easier and faster alternative to freezes -- mainly because these alternatives aren't as disruptive to their bottom lines.... TransUnion and Equifax both offer free credit lock services, while Experian's is free for 30 days and $19.99 for each additional month. However, TransUnion says those who take advantage of their free lock service agree to receive targeted marketing offers. What's more, TransUnion also pushes consumers who sign up for its free lock service to subscribe to its "premium" lock services for a monthly fee with a perpetual auto-renewal. Unsurprisingly, the bureaus' use of the term credit lock has confused many consumers; this was almost certainly by design. But here's one basic fact consumers should keep in mind about these lock services: Unlike freezes, locks are not governed by any law, meaning that the credit bureaus can change the terms of these arrangements when and if it suits them to do so.

Intel CPUs Impacted by New PortSmash Side-Channel Vulnerability

Fri, 11/02/2018 - 08:01
Intel processors are impacted by a new vulnerability that can allow attackers to leak encrypted data from the CPU's internal processes. From a report: The new vulnerability, which has received the codename of PortSmash, has been discovered by a team of five academics from the Tampere University of Technology in Finland and Technical University of Havana, Cuba. Researchers have classified PortSmash as a side-channel attack. In computer security terms, a side-channel attack describes a technique used for leaking encrypted data from a computer's memory or CPU, which works by recording and analyzing discrepancies in operation times, power consumption, electromagnetic leaks, or even sound to gain additional info that may help break encryption algorithms and recover the CPU's processed data. Researchers say PortSmash impacts all CPUs that use a Simultaneous Multithreading (SMT) architecture, a technology that allows multiple computing threads to be executed simultaneously on a CPU core. [...] Researchers say they've already confirmed that PortSmash impacts Intel CPUs which support the company's Hyper-Threading (HT) technology, Intel's proprietary implementation of SMT.

Iranians Compromised a Highly Sensitive CIA Covert Communications System in 2011 by Using Google Search: Report

Fri, 11/02/2018 - 06:43
In 2011, Iran was able to use Google's search functionality to hack into a secret CIA communication network that was being used to contact agents and informants around the world -- a breach that appears to have triggered the exposure and execution of Agency sources in China and Iran, Yahoo News reported Friday.

Hackers Claim They Possess Details of 120 Million Facebook Accounts, Publish Private Messages From 81,000 of Them

Fri, 11/02/2018 - 06:00
Andrei Zakharov, reporting for BBC: Hackers appear to have compromised and published private messages from at least 81,000 Facebook users' accounts. The perpetrators told the BBC Russian Service that they had details from a total of 120 million accounts, which they were attempting to sell, although there are reasons to be sceptical about that figure. Facebook said its security had not been compromised. And the data had probably been obtained through malicious browser extensions. Facebook added it had taken steps to prevent further accounts being affected. The BBC understands many of the users whose details have been compromised are based in Ukraine and Russia. However, some are from the UK, US, Brazil and elsewhere. The hackers offered to sell access for 10 cents (8p) per account. However, their advert has since been taken offline. "We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores," said Facebook executive Guy Rosen. "We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts."

Iran Allegedly Hit By Computer Virus More Violent Than Stuxnet

Fri, 11/02/2018 - 02:00
TTL0 shares a report from The Times of Israel: Iranian infrastructure and strategic networks have come under attack in the last few days by a computer virus similar to Stuxnet but "more violent, more advanced and more sophisticated," and Israeli officials are refusing to discuss what role, if any, they may have had in the operation, an Israeli TV report said Wednesday. "Remember Stuxnet, the virus that penetrated the computers of the Iranian nuclear industry?" the report on Israel's Hadashot news asked. Iran "has admitted in the past few days that it is again facing a similar attack, from a more violent, more advanced and more sophisticated virus than before, that has hit infrastructure and strategic networks." The Iranians, the TV report went on, are "not admitting, of course, how much damage has been caused." On Sunday, Gholamreza Jalali, the head of Iran's civil defense agency, said Tehran had neutralized a new version of Stuxnet, Reuters reported. Stuxnet penetrated Iran's nuclear program, "taking control and sabotaging parts of its enrichment processes by speeding up its centrifuges," the report notes. We'll update this story when more details become available.

Bleedingbit Zero-Day Chip Flaws May Expose Majority of Enterprises To Remote Code Execution Attacks

Thu, 11/01/2018 - 16:50
Two new zero-day vulnerabilities called "Bleeding Bit" have been revealed by security firm Armis, impacting Bluetooth Low-Energy (BLE) chips used in millions of Cisco, Meraki, and Aruba wireless access points (APs). "Developed by Texas Instruments (TI), the vulnerable BLE chips are used by roughly 70 to 80 percent of business wireless access points today by way of Cisco, Meraki and Aruba products," reports ZDNet. From the report: The first vulnerability, CVE-2018-16986, impacts Cisco and Meraki APs using TI BLE chips. Attackers can remotely send multiple benign BLE broadcast messages, called "advertising packets," which are stored on the memory of the vulnerable chip. As long as a target device's BLE is turned on, these packets -- which contain hidden malicious code to be invoked later on -- can be used together with an overflow packet to trigger an overflow of critical memory. If exploited, attackers are able to trigger memory corruption in the chip's BLE stack, creating a scenario in which the threat actor is able to access an operating system and hijack devices, create a backdoor, and remotely execute malicious code. The second vulnerability, CVE-2018-7080, is present in the over-the-air firmware download (OAD) feature of TI chips used in Aruba Wi-Fi access point Series 300 systems. The vulnerability is technically a leftover development backdoor tool. This oversight, the failure to remove such a powerful development tool, could permit attackers to compromise the system by gaining a foothold into a vulnerable access point. "It allows an attacker to access and install a completely new and different version of the firmware -- effectively rewriting the operating system of the device," the company says. "The OAD feature doesn't offer a security mechanism that differentiates a 'good' or trusted firmware update from a potentially malicious update."

Senator Introduces Bill That Would Send CEOs To Jail For Violating Consumer Privacy

Thu, 11/01/2018 - 14:10
Oregon Senator Ron Wyden has introduced the Consumer Data Protection Act that "would dramatically beef up Federal Trade Commission authority and funding to crack down on privacy violations, let consumers opt out of having their sensitive personal data collected and sold, and impose harsh new penalties on a massive data monetization industry that has for years claimed that self-regulation is all that's necessary to protect consumer privacy," reports Motherboard. From the report: Wyden's bill proposes that companies whose revenue exceeds $1 billion per year -- or warehouse data on more than 50 million consumers or consumer devices -- submit "annual data protection reports" to the government detailing all steps taken to protect the security and privacy of consumers' personal information. The proposed legislation would also levy penalties up to 20 years in prison and $5 million in fines for executives who knowingly mislead the FTC in these reports. The FTC's authority over such matters is currently limited -- one of the reasons telecom giants have been eager to move oversight of their industry from the Federal Communications Commission to the FTC. "Today's economy is a giant vacuum for your personal information -- everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation's database," Wyden said in a statement. "But individual Americans know far too little about how their data is collected, how it's used and how it's shared." "It's time for some sunshine on this shadowy network of information sharing," Wyden said. "My bill creates radical transparency for consumers, gives them new tools to control their information and backs it up with tough rules with real teeth to punish companies that abuse Americans' most private information."

US Accuses China, Taiwan Firms With Stealing Secrets From Chip Giant Micron

Thu, 11/01/2018 - 11:25
US Attorney General Jeff Sessions announced charges Thursday against Chinese and Taiwan companies for theft of an estimated $8.75 billion worth of trade secrets from US semiconductor giant Micron. From a report: Sessions said the case was the latest in a series that are part of a state-backed program by Beijing to steal US industrial and commercial secrets. "Taken together, these cases and many others like them paint a grim picture of a country bent on stealing its way up the ladder of economic development and doing so at American expense," Sessions said. "This behavior is illegal. It is wrong. It is a threat to our national security. And it must stop." The indictment released in the US district court in San Jose, California alleges that Chinese state-owned Fujian Jinhua Integrated Circuit Co. and privately owned United Microelectronics Corporation of Taiwan, along with three UMC executives, conspired to steal Micron trade secrets to help UMC and Fujian Jinhua develop DRAM chips used in many computer processors. It said the three Taiwanese men -- Stephen Chen Zhengkun, He Jianting and Kenny Wang Yungming -- all previously worked at Micron and stole its technology when they joined UMC with the express purpose of transferring it to Fujian Jinhua, a two-year-old firm. Chen was originally a top executive at Micron, then moved to lead UMC, and subsequently became president of Fujian Jinhua.

CIA Vault7 Leaker To Be Charged For Leaking More Classified Data While in Prison

Thu, 11/01/2018 - 08:46
US prosecutors are preparing new charges against a former CIA coder who was indicted earlier this year in June for leaking classified CIA material to WikiLeaks, in what later became known as the Vault7 leaks. From a report: According to new court documents filed late Wednesday, October 31, US prosecutors plan to file three new charges against Joshua Schulte for allegedly leaking more classified data while in detention at the New York Metropolitan Correctional Center (MCC). Prosecutors say they first learned of Schulte's behavior back in May, when they found out that "Schulte had distributed the Protected Search Warrant Materials to his family members for purposes of dissemination to other third parties, including members of the media." The prosecution held a court hearing in May and initially warned the suspect about his actions, a warning they found Schulte ignored. The US government says that "in or about early October 2018, the Government learned that Schulte was using one or more smuggled contraband cellphones to communicate clandestinely with third parties outside of the MCC." A search of his housing unit performed by FBI agents revealed "multiple contraband cellphones (including at least one cellphone used by Schulte that is protected with significant encryption); approximately 13 email and social media accounts (including encrypted email accounts); and other electronic devices."

Google Won't Let You Sign In If You Disabled JavaScript In Your Browser

Thu, 11/01/2018 - 05:00
An anonymous reader quotes a report from ZDNet: Google announced today four new security features for securing Google accounts. These four updates are meant to bolster protections before and after users sign into accounts, but also in the case of recovering after a hack. According to Google's Jonathan Skelker, the first of these protections that Google has rolled out today comes into effect even before users start typing their username and password. In the coming future, Skelker says that Google won't allow users to sign into accounts if they disabled JavaScript in their browser. The reason is that Google uses JavaScript to run risk assessment checks on the users accessing the login page, and if JavaScript is disabled, this allows crooks to pass through those checks undetected. This change is likely to impact only a very small number of users -- around 0.01 percent according to Google's data -- but it will likely impact bots harder, as many of them run through headless browsers where this feature is turned off for performance reasons. Google also plans to pull data from Google Play Protect and list all malicious apps that are still installed on a user's Android smartphone. Google's Jonathan Skelker says they will be notifying you "whenever you share any data from your Google Account," expanding on the notifications it sends when you've granted access to sensitive information, like Gmail data or your Google Contacts. "Last but not least is a security feature that Google plans to use after an account hack," reports ZDNet. "This feature is already live and is a new set of procedures for regaining access and re-securing compromised profiles. The procedure is detailed in this Google support page, and besides just helping users regain access to accounts, it will also help them check financial activity related to Google Pay accounts, review new files added to Gmail or Drive, and secure other accounts at other services that are tied to the main Google account."

Tiny Twitter Thumbnail Tweaked To Transport Different File Types

Wed, 10/31/2018 - 12:45
Security researcher David Buchanan has found that Twitter image uploads can be polyglot files, meaning they can be valid simultaneously in multiple formats, such as a .jpg, a .rar archive and a .zip archive. From a report: Using some Python code he wrote, he created a thumbnail image of William Shakespeare overlaid with the words, "Unzip Me" and posted it to Twitter. The .jpg image is also a valid .zip file, so if you download it, you can unzip it and extract the contents, a multipart .rar archive of the text of Shakespeare's plays. [...] Twitter performs some processing on uploaded images, which has the potential to mess with the data. But Buchanan found that his multi-format file survived this process. It may be that the image itself (excluding the rather bulky metadata) is light enough not to trigger any compression or post-upload processing.

'Open Source Creators: Red Hat Got $34 Billion and You Got $0. Here's Why.'

Wed, 10/31/2018 - 07:21
Donald Fischer, who served as a product manager for Red Hat Enterprise Linux during its creation and early years of growth, writes: Red Hat saw, earlier than most, that the ascendance of open source made the need to pay for code go away, but the need for support and maintenance grew larger than ever. Thus Red Hat was never in the business of selling software, rather it was in the business of addressing the practical challenges that have always come along for the ride with software. [...] As an open source developer, you created that software. You can keep your package secure, legally documented, and maintained; who could possibly do it better? So why does Red Hat make the fat profits, and not you? Unfortunately, doing business with large companies requires a lot of bureaucratic toil. That's doubly true for organizations that require security, legal, and operational standards for every product they bring in the door. Working with these organizations requires a sales and marketing team, a customer support organization, a finance back-office, and lots of other "business stuff" in addition to technology. Red Hat has had that stuff, but you haven't. And just like you don't have time to sell to large companies, they don't have time to buy from you alongside a thousand other open source creators, one at a time. Sure, big companies know how to install and use your software. (And good news! They already do.) But they can't afford to put each of 1100 npm packages through a procurement process that costs $20k per iteration. Red Hat solved this problem for one corner of open source by collecting 2,000+ open source projects together, adding assurances on top, and selling it as one subscription product. That worked for them, to the tune of billions. But did you get paid for your contributions?

US Indicts Chinese Hacker-Spies In Conspiracy To Steal Aerospace Secrets

Tue, 10/30/2018 - 19:30
An anonymous reader quotes a report from Gizmodo: The U.S. Justice Department has charged two Chinese intelligence officers, six hackers, and two aerospace company insiders in a sweeping conspiracy to steal confidential aerospace technology from U.S. and French companies. For more than five years, two Chinese Ministry of State Security (MSS) spies are said to have run a team of hackers focusing on the theft of designs for a turbofan engine used in U.S. and European commercial airliners, according to an unsealed indictment dated October 25. In a statement, the DOJ said a Chinese state-owned aerospace company was simultaneously working to develop a comparable engine. The MSS officers involved were identified as Zha Rong, a division director in the Jiangsu Province regional department (JSSD), and Chai Meng, a JSSD section chief. At the direction of the MSS officers, the hackers allegedly infiltrated a number of U.S.-based aerospace companies, including California-based Capstone Turbine, among others in Arizona, Massachusetts, and Oregon, the DOJ said. The officers are also said to have recruited at least two Chinese employees of a French aerospace manufacturer -- insiders who allegedly aided the conspiracy by, among other acts, installing Sakula, a remote access trojan, onto company computers.

Red Hat Enterprise Linux 7.6 Released

Tue, 10/30/2018 - 15:20
Etcetera writes: Fresh on the heels of the IBM purchase announcement, Red Hat released RHEL 7.6 today. Business press release is here and full release notes are here. It's been a busy week for Red Hat, as Fedora 29 also released earlier this morning. No doubt CentOS and various other rebuilds will begin their build cycles shortly. The release offers improved security, such as support for the Trusted Platform Module (TPM) 2.0 specification for security authentication. It also provides enhanced support for the open-source nftables firewall technology. "TPM 2.0 support has been added incrementally over recent releases of Red Hat Enterprise Linux 7, as the technology has matured," Steve Almy, principal product manager, Red Hat Enterprise Linux at Red Hat, told eWEEK. "The TPM 2.0 integration in 7.6 provides an additional level of security by tying the hands-off decryption to server hardware in addition to the network bound disk encryption (NBDE) capability, which operates across the hybrid cloud footprint from on-premise servers to public cloud deployments."

Apple's New T2 Security Chip Will Prevent Hackers From Eavesdropping On Your Microphone

Tue, 10/30/2018 - 14:03
An anonymous reader quotes a report from TechCrunch: Buried in Apple's latest range of MacBooks -- including the MacBook Pro out earlier this year and the just-announced MacBook Air -- is the new T2 security chip, which helps protect the device's encryption keys, storage, fingerprint data and secure boot features. Little was known about the chip until today. According to its newest published security guide, the chip comes with a hardware microphone disconnect feature that physically cuts the device's microphone from the rest of the hardware whenever the lid is closed. "This disconnect is implemented in hardware alone, and therefore prevents any software, even with root or kernel privileges in macOS, and even the software on the T2 chip, from engaging the microphone when the lid is closed," said the support guide. The camera isn't disconnected, however, because its "field of view is completely obstructed with the lid closed." Apple said the new feature adds a "never before seen" level of security for its Macs, without being quite so blunt as to say: Macs get malware too.