MIT Researchers Discover New Flaw in Apple M1 CPUs That Can’t Be Patched

source: thehackernews.com  |  image: pexels.com

A novel hardware attack dubbed PACMAN has been demonstrated against Apple’s M1 processor chipsets, potentially arming a malicious actor with the capability to gain arbitrary code execution on macOS systems.

It leverages “speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity,” MIT researchers Joseph Ravichandran, Weon Taek Na, Jay Lang, and Mengjia Yan said in a new paper.

What’s more concerning is that “while the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be,” the researchers added.

The vulnerability is rooted in pointer authentication codes (PACs), a line of defense introduced in arm64e architecture that aims to detect and secure against unexpected changes to pointers — objects that reference an address location in memory.

PACs aim to address a common class of software security problems, memory corruption vulnerabilities, which are often exploited by overwriting control data in memory (i.e., pointers) to redirect code execution to an arbitrary location controlled by the attacker.

Continue reading “MIT Researchers Discover New Flaw in Apple M1 CPUs That Can’t Be Patched”

Self-driving cars could be potential crime witnesses

source: axios.com, contributed by FAN Bill Amshey  |  image: pixabay.com

The police in San Francisco see camera-laden autonomous vehicles as potential witnesses in their criminal investigations, setting off alarm bells for privacy advocates, VICE reports.

Why it matters: As Axios has reported, self-driving cars capture and store huge databases of images so that they can train their algorithms and become better drivers. What that means is that bystanders are often captured in the footage, raising privacy concerns.

Continue reading “Self-driving cars could be potential crime witnesses”

Cyber warfare gets real for satellite operators

source: spacenews.com  |  image: pixabay.com

Recent network attacks in Ukraine have been ‘an eye opener for everybody’

WASHINGTON — The U.S. government on March 17 advised satellite operators to put their guard up in the wake of a cyberattack that disrupted internet services in Europe provided by Viasat’s KA-SAT.

“Given the current geopolitical situation, the Cybersecurity and Infrastructure Security Agency requests that all organizations significantly lower their threshold for reporting and sharing indications of malicious cyber activity,” said CISA, an organization within the Department of Homeland Security.

Following CISA’s advisory, the Satellite Industry Association on March 18 issued a statement of “commitment to cybersecurity best practices” and expressed concern about “evolving attacks by criminals, terrorists, and nation states.”

Continue reading “Cyber warfare gets real for satellite operators”

Blue, yellow and gray zone: The cyber factor in Ukraine

source: c4isrnet.com  |  image: pexels.com

WASHINGTON — As Russia massed troops along its border with Ukraine over the last few months, it was unclear whether Russian President Vladimir Putin would invade. But if he did, experts warned, Russia would bombard the nation with a series of cyberattacks to sow confusion and weaken its resolve.

On Feb. 24, Putin unveiled his plans. Moscow’s war machine rolled into the Eastern European nation. The combined Russian air, land and sea assault was preceded by waves of cyberattacks, the sort of gray-zone meddling analysts and defense officials had foreseen. Websites were hamstrung. Malware coursed through computers. Communications were hampered.

But the full-fledged cyberwar some feared has not materialized. There has been no digital devastation of critical infrastructure, no damning disinformation.

“Apparently, it’s less than we thought would have happened at this point,” said Charles Munns, a retired U.S. Navy vice admiral who has advised the Defense and Energy departments. “It’s more of a 20th century invasion, with tanks and missiles and airplanes.”

A brief cyber history of Ukraine

Both Russia and Ukraine have a history with cyberattacks — the former leveraging the domain to wreak havoc, and the latter often finding itself on the receiving end.

Continue reading “Blue, yellow and gray zone: The cyber factor in Ukraine”

War in Ukraine Brings Out Scammers Trying to Exploit Donations

source: cnet.com | Photo by Katie Godowski from Pexels

The world has responded to Russia’s invasion of Ukraine with an outpouring of support for the Ukrainian people. That hasn’t escaped the notice of scammers, who are all too willing to take advantage of people’s desire to help.

One scam email sports a logo in the blue and yellow colors of the Ukrainian flag. It asks for donations to a humanitarian organization in the form of US dollars and a handful of cryptocurrencies. Other bogus emails ask recipients to send money to help children or to buy weapons for the Ukrainian military.

Fake charity websites are popping up, too. Researchers at ESET, a Slovakia-based antivirus company, said they’d discovered a handful of sites using the colors of Ukraine’s flag and dramatic images of soldiers and explosions. The websites solicit “aid,” ESET said, but they don’t provide specifics as to how the money will be used.

Continue reading “War in Ukraine Brings Out Scammers Trying to Exploit Donations”

Free Cybersecurity Tools and Services List Published by CISA

source: pewresearch.org  |  image: pixabay.com

Asked to ‘imagine a better world online,’ experts hope for a ubiquitous – even immersive – digital environment that promotes fact-based knowledge, offers better defense of individuals’ rights, empowers diverse voices and provides tools for technology breakthroughs and collaborations to solve the world’s wicked problems

This report is the second of two analyzing the insights of hundreds of technology experts who responded in the summer of 2021 to a canvassing of their predictions about the evolution of online public spaces and their role in democracy in the coming years. In response to the primary research question, many said they expect that these forums will be significantly improved by 2035 if reformers, big technology firms, governments and activists tackle the problems created by misinformation, disinformation and toxic discourse. At the same time, they expressed ongoing concerns about the destructive forces in culture and technology that could continue to plague online life and disrupt beneficial change in the coming years.

Continue reading “Free Cybersecurity Tools and Services List Published by CISA”

IRS Will Require Facial Recognition Scans to Access Your Taxes Online

source: gizmodo.com, contributed by Artemus FAN, Stephen Page  |  image: stockvault.com

You will have to submit sensitive government documents, your Social Security number, credit history, and a face scan to ID.me, a third-party company.

Editor’s note: This article has been updated to clarify that you can still file and pay taxes without logging into an IRS account or providing biometric data. This contradicts information an IRS spokesperson previously provided to Gizmodo. See the full details in the frustrating correction below.

Online tax filers in the United States will soon be required to submit a selfie to a third-party identity verification company using facial recognition tech in order to access their IRS accounts.

Starting this summer, according to an IRS spokesperson, users with an IRS.gov account will no longer be able to log in with a simple username and password. Instead, they will need to provide a government identification document, a selfie, and copies of their bills to Virginian-based identity verification firm ID.me to confirm their identity. That change, first noticed by Krebs on Security, marks a major shift for the Internal Revenue Service, which previously allowed users to access their IRS accounts without submitting personal biometric data.

Continue reading “IRS Will Require Facial Recognition Scans to Access Your Taxes Online”

Apple AirTags – ‘A perfect tool for stalking’

source: bbc.com  |  image: pixabay.com

Amber Norsworthy lives in Mississippi with her four children.

It had just turned 3pm when she got home on 27 December. She received a notification on her phone.

“My phone made a ding that I’d never heard before”, she says.

The notification told her that an unknown device had been following her movements.

Ms Norsworthy, who’s 32, went on to the ‘Find My’ app on her iPhone.

“It showed me my whole route. It said ‘the last time the owner saw your location was 15:02’ and I was like, ‘that’s now, I’m at home’.”

She rang the police, who told her they didn’t know what to do. She has yet to find the device, which she believes is somewhere in her car. She says Apple Support was able to confirm it was an AirTag. “I watch my surroundings very closely now,” she says.

Top 15 cybersecurity predictions for 2022

source: securitymagazine.com  |  image: pexels.com

Over the past several years, cybersecurity risk management has become top of mind for boards. And rightly so. Given the onslaught of ransomware attacks and data breaches that organizations experienced in recent years, board members have increasingly realized how vulnerable they are.

This year, in particular, the public was directly impacted by ransomware attacks, from gasoline shortages, to meat supply, and even worse, hospitals and patients that rely on life-saving systems. The attacks reflected the continued expansion of cyber-physical systems — all of which present new challenges for organizations and opportunities for threat actors to exploit.

There should be a shared sense of urgency about staying on top of the battle against cyberattacks. Security columnist and Vice President and Ambassador-At-Large in Cylance’s Office of Security & Trust, John McClurg, in his latest Cyber Tactics column, explained it best: “It’s up to everyone in the cybersecurity community to ensure smart, strong defenses are in place in the coming year to protect against those threats.”

As you build your strategic planning, priorities and roadmap for the year ahead, security and risk experts offer the following cybersecurity predictions for 2022.

Prediction #1: Increased Scrutiny on Software Supply Chain Security, by John Hellickson, Cyber Executive Advisor, Coalfire

“As part of the executive order to improve the nation’s cybersecurity previously mentioned, one area of focus is the need to enhance software supply chain security. There are many aspects included that most would consider industry best practice of a robust DevSecOps program, but one area that will see increased scrutiny is providing the purchaser, the government in this example, a software bill of materials. This would be a complete list of all software components leveraged within the software solution, along with where it comes from. The expectation is that everything that is used within or can affect your software, such as open source, is understood, versions tracked, scrutinized for security issues and risks, assessed for vulnerabilities, and monitored, just as you do with any in-house developed code. This will impact organizations that both consume and those that deliver software services. Considering this can be very manual and time-consuming, we could expect that Third-Party Risk Management teams will likely play a key role in developing programs to track and assess software supply chain security, especially considering they are usually the front line team who also receives inbound security questionnaires from their business partners.”

Continue reading “Top 15 cybersecurity predictions for 2022”