Privacy

Congress Says Foreign Intel Services Could Abuse Ad Networks For Spying (vice.com) 30

An anonymous reader quotes a report from Motherboard: A group of bipartisan lawmakers, including the chairman of the intelligence committee, have asked ad networks such as Google and Twitter what foreign companies they provide user data to, over concerns that foreign intelligence agencies could be leveraging them to harvest sensitive information on U.S. users, including their location. "This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns," a letter signed by Senators Ron Wyden, Mark Warner, Kirsten Gillibrand, Sherrod Brown, Elizabeth Warren, and Bill Cassidy, reads. The lawmakers sent the letter last week to AT&T, Verizon, Google, Twitter, and a number of other companies that maintain advertisement platforms.

The concerns center around the process of so-called real-time bidding, and the flow of "bidstream" data. Before an advertisement is displayed inside of an app or a browsing session, different companies bid to get their ad into that slot. As part of that process, participating companies obtain sensitive data on the user, even if they don't win the ad placement. "Few Americans realize that some auction participants are siphoning off and storing 'bidstream' data to compile exhaustive dossiers about them. In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments," the letter continued. [...] The letter asked the ad companies to name the foreign-headquartered or foreign-majority owned firms that they have provided bidstream data from users in the U.S. to in the past three years. The other companies the lawmakers sent the letter to were Index Exchange, Magnite, OpenX, and PubMatic.
Mark Tallman, assistant professor at the Department of Emergency Management and Homeland Security at the Massachusetts Maritime Academy, told Motherboard in an email that "It's difficult to imagine any policy solution or technical sorcery that can fully 'secure' consumers' private data such that applications and platforms can collect it, and the publishing and advertising industries can access it, while guaranteeing that cybercriminals and foreign intelligence agencies will never get it. Our adversaries already know that they can buy (or steal) data from our marketplace that they could only dream of collecting on such a broad swath of Americans twenty years ago."
Security

European Institutions Were Targeted in a Cyber-Attack Last Week (bloomberg.com) 6

A range of European Union institutions including the European Commission were hit by a significant cyber-attack last week. From a report: A spokesperson for the commission said that a number of EU bodies "experienced an IT security incident in their IT infrastructure." The spokesperson said forensic analysis of the incident is still in its initial phase and that it's too early to provide any conclusive information about the nature of the attack. "We are working closely with CERT-EU, the Computer Emergency Response Team for all EU institutions, bodies and agencies and the vendor of the affected IT solution," the spokesperson said. "Thus far, no major information breach was detected." The attack was serious enough for senior officials at the commission to be alerted, according to a person familiar with the matter. The same person said the incident was bigger than the usual attacks that regularly hit the EU. Another EU official said that staff had recently been warned about potential phishing attempts. Western institutions have uncovered at least two serious cyber-attacks recently.
Microsoft

Microsoft is Now Submerging Servers Into Liquid Baths (theverge.com) 82

Microsoft is starting to submerge its servers in liquid to improve their performance and energy efficiency. A rack of servers is now being used for production loads in what looks like a liquid bath. From a report: This immersion process has existed in the industry for a few years now, but Microsoft claims it's "the first cloud provider that is running two-phase immersion cooling in a production environment." The cooling works by completely submerging server racks in a specially designed non-conductive fluid. The fluorocarbon-based liquid works by removing heat as it directly hits components and the fluid reaches a lower boiling point (122 degrees Fahrenheit or 50 degrees Celsius) to condense and fall back into the bath as a raining liquid. This creates a closed-loop cooling system, reducing costs as no energy is needed to move the liquid around the tank, and no chiller is needed for the condenser either. "It's essentially a bath tub," explains Christian Belady, vice president of Microsoft's data center advanced development group, in an interview with The Verge. "The rack will lie down inside that bath tub, and what you'll see is boiling just like you'd see boiling in your pot. The boiling in your pot is at 100 degrees Celsius, and in this case it's at 50 degrees Celsius."
Facebook

Irish Regulator Probes 'Old' Facebook Data Dump (bbc.com) 13

A data leak involving personal details of hundreds of millions of Facebook users is being reviewed by Ireland's Data Protection Commission (DPC). The BBC reports: The database is believed to contain a mix of Facebook profile names, phone numbers, locations and other facts about more than 530 million people. Facebook says the data is "old," from a previously-reported leak in 2019. But the Irish DPC said it will work with Facebook, to make sure that is the case.

Ireland's regulator is critical to such investigations, as Facebook's European headquarters is in Dublin, making it an important regulator for the EU. The most recent data dump appears to contain the entire compromised database from the previous leak, which Facebook said it found and fixed more than a year and a half ago. But the dataset has now been published for free in a hacking forum, making it much more widely available. It covers 533 million people in 106 countries, according to researchers who have viewed the data. That includes 11 million Facebook users in the UK and more than 30 million Americans.
The DPC's deputy commissioner Graham Doyle said the recent data dump "appears to be" from the previous leak -- and that the data-scraping behind it had happened before the EU's GDPR privacy legislation was in effect.

"However, following this weekend's media reporting we are examining the matter to establish whether the dataset referred to is indeed the same as that reported in 2019," he added.
IT

Yahoo Answers, a Repository for Stupid Questions, Is Shutting Down (vice.com) 94

After 16 years of asinine questions and dubious answers, Yahoo Answers is shutting down next month. From a report: The company announced that starting April 20, users won't be able to post new questions or answer other people's questions; on May 4, the site will become inaccessible, and will redirect to the Yahoo homepage. Users who've posted questions and answers in the past can download their data via request before June 30, 2021, here. "While Yahoo Answers was once a key part of Yahoo's products and services, it has become less popular over the years as the needs of our members have changed," an announcement that went out to users, as spotted by the good people of the r/DataHoarder subreddit, said.
Security

Cloudflare Says New hCaptcha Bypass Doesn't Impact its Implementation (therecord.media) 23

Web infrastructure and website security provider Cloudflare told The Record last week that a recent academic paper detailing a method to bypass the hCaptcha image-based challenge system does not impact its implementation. From the report: The research paper, published last month by two academics from the University of Louisiana at Lafayette, targets hCaptcha, a CAPTCHA service that replaced Google's reCAPTCHA in Cloudflare's website protection systems last year. In a paper titled "A Low-Cost Attack against the hCaptcha System," researchers said they devised an attack that uses browser automation tools, image recognition, image classifiers, and machine learning algorithms to download hCaptcha puzzles, identify the content of an image, classify the image, and then solve the CAPTCHA's challenge. Academics said their attack worked with a 95.93% accuracy rate and took around 18.76 seconds on average to crack an hCaptcha challenge.
Security

US Indicts California Man Accused of Stealing Shopify Customer Data (techcrunch.com) 3

A grand jury has indicted a California resident accused of stealing Shopify customer data on over a hundred merchants, TechCrunch reported Monday. From the report: The indictment charges Tassilo Heinrich with aggravated identity theft and conspiracy to commit wire fraud by allegedly working with two Shopify customer support agents to steal merchant and customer data from Shopify customers to gain a competitive edge and "take business away from those merchants," the indictment reads. The indictment also accuses Heinrich, believed to be around 18-years-old at the time of the alleged scheme, of selling the data to other co-conspirators to commit fraud. A person with direct knowledge of the security breach confirmed Shopify was the unnamed victim company referenced in the indictment.

Last September, Shopify, an online e-commerce platform for small businesses, revealed a data breach in which two "rogue members" of its third-party customer support team obtained data of "less than 200 merchants." Shopify said it fired the two contractors for engaging "in a scheme to obtain customer transactional records of certain merchants." Shopify said the contractors stole customer data, including names, postal addresses and order details, like which products and services were purchased. One merchant who received the data breach notice from Shopify said the last four digits of affected customers' payment cards were also taken, which the indictment confirms. Another one of the victims was Kylie Jenner's cosmetics and make-up company, Kylie Cosmetics, the BBC reported.

IBM

Why IBM is Pushing 'Fully Homomorphic Encryption' (venturebeat.com) 122

VentureBeat reports on a "next-generation security" technique that allows data to remain encrypted while it's being processed.

"A security process known as fully homomorphic encryption is now on the verge of making its way out of the labs and into the hands of early adopters after a long gestation period." Companies such as Microsoft and Intel have been big proponents of homomorphic encryption. Last December, IBM made a splash when it released its first homomorphic encryption services. That package included educational material, support, and prototyping environments for companies that want to experiment. In a recent media presentation on the future of cryptography, IBM director of strategy and emerging technology Eric Maass explained why the company is so bullish on "fully homomorphic encryption" (FHE)...

"IBM has been working on FHE for more than a decade, and we're finally reaching an apex where we believe this is ready for clients to begin adopting in a more widespread manner," Maass said. "And that becomes the next challenge: widespread adoption. There are currently very few organizations here that have the skills and expertise to use FHE." To accelerate that development, IBM Research has released open source toolkits, while IBM Security launched its first commercial FHE service in December...

Maass said in the near term, IBM envisions FHE being attractive to highly regulated industries, such as financial services and health care. "They have both the need to unlock the value of that data, but also face extreme pressures to secure and preserve the privacy of the data that they're computing upon," he said.

The Wikipedia entry for homomorphic encryption calls it "an extension of either symmetric-key or public-key cryptography."
Security

GitHub is Investigating Crypto-mining Campaign Abusing Its Server Infrastructure (therecord.media) 27

An anonymous Slashdot reader shared this report from The Record: Code-hosting service GitHub is actively investigating a series of attacks against its cloud infrastructure that allowed cybercriminals to implant and abuse the company's servers for illicit crypto-mining operations, a spokesperson told The Record today.

The attacks have been going on since the fall of 2020 and have abused a GitHub feature called GitHub Actions, which allows users to automatically execute tasks and workflows once a certain event happens inside one of their GitHub repositories. In a phone call today, Dutch security engineer Justin Perdok told The Record that at least one threat actor is targeting GitHub repositories where GitHub Actions might be enabled. The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a Pull Request with the original repository in order to merge the code back into the original.

But the attack doesn't rely on the original project owner approving the malicious Pull Request. Just filing the Pull Request is enough for the attack, Perdok said. The Dutch security engineer told us attackers specifically target GitHub project owners that have automated workflows that test incoming pull requests via automated jobs. Once one of these malicious Pull Requests is filed, GitHub's systems will read the attacker's code and spin up a virtual machine that downloads and runs cryptocurrency-mining software on GitHub's infrastructure.

Perdok, who's had projects abused this way, said he's seen attackers spin up to 100 crypto-miners via one attack alone, creating huge computational loads for GitHub's infrastructure. The attacks appear to be happening at random and at scale. Perdok said he identified at least one account creating hundreds of Pull Requests containing malicious code.

AMD

AMD Zen 3 CPUs Vulnerable To Spectre-like Attacks via PSF Feature (therecord.media) 52

US chipmaker AMD advised customers last week to disable a new performance feature if they plan to use CPUs for sensitive operations, as this feature is vulnerable to Spectre-like side-channel attacks. From a report: Called Predictive Store Forwarding (PSF), this feature was added to AMD CPUs that are part of the company's Zen 3 core architecture, a processor series dedicated to gaming and high-performance computing, which launched in November 2020. The feature implements a technique called speculative execution, which works by running multiple alternative CPU operations in advance to make results available faster, and then discarding "predicted" data once deemed unneeded.
Security

Feds Say Man Broke Into Public Water System and Shut Down Safety Processes (arstechnica.com) 53

An anonymous reader quotes a report from Ars Technica: Federal prosecutors have indicted a Kansas man for allegedly logging into a computer system at a public water system and tampering with the process for cleaning and disinfecting customers' drinking water. An indictment filed in US District Court for the District of Kansas said Wyatt A. Travnichek, 22, of Ellsworth County, Kansas, was an employee from January 2018 to January 2019 at the Ellsworth County Rural Water District No. 1. Also known as the Post Rock Water District, the facility serves more than 1,500 retail customers and 10 wholesale customers in eight Kansas counties. Part of Wyatt's responsibilities included remotely logging in to the water district's computer system to monitor the plant after hours.

In late March 2019, Wednesday's indictment said, Post Rock experienced a remote intrusion to its computer system that resulted in the shutdown of the facility's processes for ensuring water is safe to drink. "On or about March 27, 2019, in the District of Kansas, the defendant, Wyatt Travnichek, knowingly tampered with a public drinking water system, namely the Ellsworth County Rural Water District No. 1," prosecutors alleged. "To wit: he logged in remotely to Post Rock Rural Water District's computer system and performed activities that shut down processes at the facility which affect the facility's cleaning and disinfecting procedures with the intention of harming the Ellsworth County Rural Water District No. 1." Wednesday's indictment didn't say how Wyatt allegedly gained access to the Post Rock facility.
"The indictment charges Wyatt with one count of tampering with a public water system and one count of reckless damage to a protected computer during unauthorized access," adds Ars. "If convicted, he faces a maximum sentence of 25 years in prison and $500,000 in fines."
It's funny.  Laugh.

The PermaTab Web Browser (lee-phillips.org) 52

lee1 writes: The UHI human interaction research group has been intensively studying a pervasive problem facing users of the web: the problem of tabs. How to organize them, preserve them, keep track of them. We have carefully considered the pros and cons of various approaches offered by different browsers, and by extensions: tab trees, second rows of tabs, vertical tabs, 3D tabs, musical tabs, you name it.

None of them were good enough.

Software

Hitachi To Buy US Software Developer GlobalLogic for $9.6 Billion (reuters.com) 10

Hitachi said on Wednesday it will buy U.S. software company GlobalLogic for $9.6 billion, including repayment of debt, as the Japanese industrial conglomerate pivots from electronics hardware to digital services. From a report: The deal is the biggest Japanese outbound acquisition of a U.S. hi-tech company on record, according to Refinitiv data. The acquisition is part of Hitachi's ongoing business portfolio overhaul, which includes the $7 billion acquisition of ABB's power grid business last year and a series of divestitures of its domestic hardware subsidiaries. Hitachi's stock tumbled 7% on the Tokyo Stock Exchange, its sharpest daily fall in more than a year, on the news.
Security

IPv4 Parsing Flaw In NPM Netmask Could Affect 270,000 Apps (securityledger.com) 74

chicksdaddy shares a report from The Security Ledger: Independent security researchers analyzing the widely used open source component netmask have discovered security vulnerabilities that could leave more than a quarter million open source applications vulnerable to attack, according to a report released Monday, The Security Ledger reports. According to a report by the site Sick Codes, the flaws open applications that rely on netmask to a wide range of malicious attacks including Server Side Request Forgeries (SSRF) and Remote- and Local File Includes (RFI, LFI) that could enable attackers to ferry malicious code into a protected network, or siphon sensitive data out of one. Even worse, the flaws appear to stretch far beyond a single open source module, affecting a wide range of open source development languages, researchers say.

Netmask is a widely used package that allows developers to evaluate whether an IP address attempting to access an application was inside or outside of a given IPv4 range. Based on an IP address submitted to netmask, the module will return true or false about whether or not the submitted IP address is in the defined "block." According to the researcher using the handle "Sick Codes," the researchers discovered that netmask had a big blind spot. Specifically: it evaluates certain IP addresses incorrectly, improperly validating so-called "octal strings" and rendering IPv4 addresses that contain certain octal strings as integers. For example, the IPv4 address 0177.0.0.1 should be evaluated by netmask as the private IP address 127.0.0.1, as the octal string "0177" translates to the integer "127." However, netmask evaluates it as a public IPv4 address: 177.0.0.1, simply stripping off the leading zero and reading the remaining parts of the octal string as an integer.

The implications for modules that are using the vulnerable version of netmask are serious. According to Sick Codes, remote attackers can use SSRF attacks to upload malicious files from the public Internet without setting off alarms, because applications relying on netmask would treat a properly configured external IP address as an internal address. Similarly, attackers could also disguise remote IP addresses as local addresses, enabling remote file inclusion (RFI) attacks that could permit web shells or malicious programs to be placed on target networks. But researchers say much more is to come. The problems identified in netmask are not unique to that module. Researchers have noted previously that textual representations of IPv4 addresses were never standardized, leading to disparities in how different but equivalent versions of IPv4 addresses (for example: octal strings) are rendered and interpreted by different applications and platforms.
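To make the parsing disagreement concrete, here is an added JavaScript example; it is not netmask's code and not the researchers' tooling. It parses a dotted IPv4 address in three modes: a `naive` mode that strips leading zeros and reads the rest as decimal (the behaviour the report describes), a `lenient` mode that follows the inet_aton-style conventions of hex `0x..`, leading-zero octal, and decimal octets (an assumption about how other stack components interpret the same string), and a `strict` mode that accepts only canonical dotted-decimal. The CIDR membership check then shows how the same string `0177.0.0.1` lands inside, outside, or is rejected depending on the parser.

```javascript
// Added illustration (not code from netmask or the Sick Codes report).
// Parses one octet of a dotted IPv4 address in three modes:
//   'naive'   - strips leading zeros and reads decimal (the flaw described
//               in the report: "0177" becomes 177)
//   'lenient' - inet_aton-style (assumed): 0x.. hex, leading-0 octal, else decimal
//   'strict'  - plain dotted-decimal only; anything else is rejected
function parseOctet(text, mode) {
  let value;
  if (mode === 'strict') {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(text)) return null;
    value = Number(text);
  } else if (mode === 'lenient') {
    if (/^0[xX][0-9a-fA-F]+$/.test(text)) value = parseInt(text.slice(2), 16);
    else if (/^0[0-7]*$/.test(text)) value = parseInt(text, 8);
    else if (/^[1-9][0-9]*$/.test(text)) value = parseInt(text, 10);
    else return null;
  } else if (mode === 'naive') {
    if (!/^[0-9]+$/.test(text)) return null;
    value = parseInt(text, 10);
  } else {
    throw new Error(`unknown mode ${mode}`);
  }
  return value <= 255 ? value : null;
}

// Returns [a, b, c, d] or null; only the four-part form is handled here.
function parseIPv4(address, mode) {
  const parts = address.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => parseOctet(p, mode));
  return octets.includes(null) ? null : octets;
}

// Plain arithmetic avoids the sign issues of JS 32-bit shifts on large values.
function ipv4ToInt(octets) {
  return ((octets[0] * 256 + octets[1]) * 256 + octets[2]) * 256 + octets[3];
}

// CIDR membership test. The block base is always parsed strictly because it is
// configuration we control, not untrusted input.
function inBlock(octets, cidr) {
  const [baseText, bitsText] = cidr.split('/');
  const bits = Number(bitsText);
  const base = parseIPv4(baseText, 'strict');
  if (base === null || !(bits >= 0 && bits <= 32)) throw new Error(`bad CIDR ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(octets) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// The decision an application would make: 'inside', 'outside', or 'rejected'.
function classify(address, cidr, mode) {
  const octets = parseIPv4(address, mode);
  if (octets === null) return 'rejected';
  return inBlock(octets, cidr) ? 'inside' : 'outside';
}

// Constructed sample inputs checked against the loopback block from the report.
const LOOPBACK = '127.0.0.0/8';
for (const addr of ['0177.0.0.1', '0x7f.0.0.1', '127.0.0.1', '177.0.0.1']) {
  for (const mode of ['naive', 'lenient', 'strict']) {
    console.log(`${addr.padEnd(12)} ${mode.padEnd(8)} ${classify(addr, LOOPBACK, mode)}`);
  }
}
```

Running it shows `0177.0.0.1` classified as `outside` by the naive parser, `inside` by the lenient one, and `rejected` by the strict one. For an access-control decision the strict parser is the safer default: the bug is not that octal is wrong or right, but that two parsers in the same request path disagree, so refusing every non-canonical form removes the ambiguity instead of guessing which interpretation the next hop will use.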

Security

Ubiquiti Massively Downplayed a 'Catastrophic' Security Breach To Minimize Impact On Stock Price, Alleges Whistleblower (krebsonsecurity.com) 100

In January, Ubiquiti Networks sent out a notification to its customers informing them of a security breach and asking all users to change their account passwords and turn on two-factor authentication. "We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider," Ubiquiti said at the time. Now, according to Krebs on Security, a whistleblower "alleges Ubiquiti massively downplayed a 'catastrophic' incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication." From the report: "It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers," [the source] wrote in a letter to the European Data Protection Supervisor. "The breach was massive, customer data was at risk, access to customers' devices deployed in corporations and homes around the world was at risk."

According to [the source], the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged "third party" involved in the breach. Ubiquiti's breach disclosure, he wrote, was "downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack." In reality, [the source] said, the attackers had gained administrative access to Ubiquiti's servers at Amazon's cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there. "They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration," [the source] said.

[The source] says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies. Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.
Instead of asking customers to change their passwords when they next log on, [the source] says Ubiquiti should've immediately invalidated all of its customers' credentials and forced a reset on all accounts, mainly because the intruders already had credentials needed to remotely access customer IoT systems.
IT

Duo Goes Passwordless (techcrunch.com) 32

Duo, the authentication service Cisco acquired for $2.35 billion in 2018, today announced its plans to launch a passwordless authentication service that will allow users to log in to their Duo-protected services through security keys or platform biometrics like Apple's Face ID or Microsoft's Windows Hello. The infrastructure-agnostic service will go into public preview in the summer. From a report: "Cisco has strived to develop passwordless authentication that meets the needs of a diverse and evolving workforce and allows the broadest set of enterprises to securely progress towards a passwordless future, regardless of their IT stack," said Gee Rittenhouse, SVP and GM of Cisco's Security Business Group. "It's not an overstatement to say that passwordless authentication will have the most meaningful global impact on how users access data by making the easiest path the most secure." If you're using Duo or a similar product today, chances are that you are using both passwords and a second factor to log into your work applications. But users are notoriously bad about their password hygiene -- and to the despair of any IT department, they also keep forgetting them.
PHP

PHP's Git Server Hacked To Add Backdoors To PHP Source Code (bleepingcomputer.com) 87

dotancohen writes: Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP committer, released a statement indicating that two malicious commits had been pushed to the php-src Git repository. These commits were pushed to create a backdoor that would have effectively allowed attackers to achieve remote code execution through PHP and an HTTP header. "The incident is alarming considering PHP remains the server-side programming language to power over 79% of the websites on the Internet," adds BleepingComputer.

"In the malicious commits [1, 2] the attackers published a mysterious change upstream, 'fix typo' under the pretense this was a minor typographical correction. However, taking a look at the added line 370 where zend_eval_string function is called, the code actually plants a backdoor for obtaining easy Remote Code Execution (RCE) on a website running this hijacked version of PHP."

According to Popov, the first commit was detected a couple hours after it was made, and the changes were reverted right away. "Although a complete investigation of the incident is ongoing, according to PHP maintainers, this malicious activity stemmed from the compromised git.php.net server, rather than compromise of an individual's Git account," reports BleepingComputer. "As a precaution following this incident, PHP maintainers have decided to migrate the official PHP source code repository to GitHub."
Security

'Incompetent Developers' Blamed For NZ Patient Privacy Breach of COVID-19 Vaccine Booking Systems (stuff.co.nz) 54

An anonymous reader writes: The New Zealand Ministry of Health has launched a "sweeping review" of the nation's COVID vaccine-booking system, after a data breach led to exposure of personal information for more than 700 patients. A whistleblower reported over the weekend that they could access information about other patients, which was "readily accessible within the public-facing code of the website" -- apparently hard coded.

As a response, the Ministry of Health has ordered a review of all systems made by the developer, Valentia Technologies, which also makes software used by the Ambulance service, many GP practices, and the managed isolation and quarantine system.
"It is not a coding error. It is incompetence. The developer who developed this is incompetent ... This is basic stuff," said the man who spotted the booking system problem.

"The source code of the website, flagged a few concerning features, including someone's name, and an NHI number hard coded into the website, for what reason? I don't know," he said. "We could see everyone's details. We skimmed through, we didn't look at names, but their names, dates of birth, NHI numbers for those who entered them, contact details, where they were getting their vaccinations, what time they were vaccinated."

He said it appeared that Canterbury DHB had used a modified internal system to create the booking system. "You can tell by the source code, this was never meant to be a public facing website. This was only for people to use on like iPads, in doctors' surgeries, it was not supposed to be for this."
United States

SolarWinds Hack Got Emails of Top DHS Officials (apnews.com) 27

Suspected Russian hackers gained access to email accounts belonging to the Trump administration's head of the Department of Homeland Security and members of the department's cybersecurity staff whose jobs included hunting threats from foreign countries, The Associated Press reported Monday, citing sources. From the report: The intelligence value of the hacking of then-acting Secretary Chad Wolf and his staff is not publicly known, but the symbolism is stark. Their accounts were accessed as part of what's known as the SolarWinds intrusion, and it throws into question how the U.S. government can protect individuals, companies and institutions across the country if it can't protect itself. The short answer for many security experts and federal officials is that it can't -- at least not without some significant changes. "The SolarWinds hack was a victory for our foreign adversaries, and a failure for DHS," said Sen. Rob Portman of Ohio, top Republican on the Senate's Homeland Security and Governmental Affairs Committee. "We are talking about DHS's crown jewels."
IT

When Employers Mandate a 'Zoom Happy Hour' (zdnet.com) 104

In his "Technically Incorrect" column, Chris Matyszczyk shares one employee's gripe about their new lockdown-induced online workplace: Writing to New York magazine's The Cut — specifically workplace advice columnist Alison Green — the employee expressed frustration about their boss's so-called Zoom Happy Hours. "These aren't really happy hours," the employee says. "They're more 'work meetings with alcohol on Zoom,' and while they're framed as not 'technically' obligatory, they definitely are, and I get pointed comments if I choose to not attend."

Worse, they're not in actual working hours. Their boss, though, believes everyone's in lockdown, so what's the difference...? This particular boss has decreed the (not really) optional Happy Hour is between 5 p.m. and 7:30 p.m...

I was struck by new research from the University of Sydney. The academic title is: "Collecting experimental network data from interventions on critical links in workplace networks." But drift to the press release and you find: "Benefits of team-building exercises jeopardized if not truly voluntary." Lead researcher Dr. Petr Matous described the situation quite baldly: "Many workers told us that they despise team building activities and see them as a waste of time."

The researchers recommend employers try to encourage a good relationship between two employees — but to let them ultimately work it out for themselves. And Matyszczyk believes this approach makes even more sense on Zoom. "If you're on a Zoom Happy Hour with, say, 50 people, there's still only one actual conversation. Even if you want to participate, it's hard to get a word in and have it instantly understood, never mind appreciated."

That is, unless your boss decides to distribute all the online Happy Hour participants into smaller "breakout rooms"...
