Google rolls out Titan keys to Europe, Japan. Plus: Group Policy bug is a feature, not a flaw, says Microsoft

And Adobe in remote-code execution patch non-shocker


Roundup It's once again time for a security news summary. Let's get to it.

Student accused of hacking crimes cleared... to attend Swiss hackathon

A college student from Zimbabwe who was hit with eight criminal hacking counts will still get to represent his school at a UN hackathon.

Tatenda Christopher Chinyamakobvu was able to convince a judge to loosen his bail conditions after he was selected to attend the #Hack4SmartSustainableCities event in Switzerland.

Chinyamakobvu was one of a trio of students from Chinhoyi University of Technology who won a local coding contest by developing an application to help first-responders spot and assess the seriousness of emergency reports.

When he wasn't winning hackathons, however, authorities believe Chinyamakobvu was up to less-than-legal actions, breaking into a university records system in order to change his and other students' grades.

North Korea's "Hidden Cobra" group surfaces again

The notorious North Korean hacking operation known as "Hidden Cobra" is active once again.

US-Cert says the group, best known for targeting financial institutions as a way to get around economic sanctions against the Norks, is using an updated version of its "Hoplight" malware to infect targets.

Cash of the Titans: Google offers keys for sale internationally

Good news for Brits who have been coveting a new Titan security key. Google says it will be selling the USB-C version of the plug-in security key in the UK and seven other countries: Austria, Canada, France, Germany, Italy, Japan, Spain, and Switzerland.

While users in those countries could already get the USB-A and Bluetooth versions of the keys, the USB model had not been available. Just remember to read the instructions - if you use it on your phone you will need GPS enabled, as one Reg hack found after a frustrating couple of hours.

HackerOne discloses security hole in… HackerOne

Bug disclosure service HackerOne was in the rare position of publicizing one of its own security holes this week after a researcher discovered a flaw that was exposing some user email addresses.

A researcher using the handle msdian7 was given an $8,500 payout for discovering and reporting how an attacker could game the project invite feature on the site to view the hidden email addresses of other users. The flaw was traced back to a missing access control rule in HackerOne's new GraphQL system.

Tenable says Microsoft won't fix Group Policy bug

Security firm Tenable has gone public after Microsoft declined to patch a security issue in Windows.

Tenable says the flaw is in the Group Policy administration tool. An attacker who already had access could elevate their privileges using a customized profile file. This would allow the attacker to do things that would normally be limited by Group Policy settings.

"Bypassing User Group Policy is not the end of the world, but it’s also not something that should be allowed and depending on User Group Policy setup, could result in unfortunate security scenarios," notes Tenable's David Wells.

Microsoft, however, does not consider the bug serious, as the profiles are working as intended. Rather, admins should limit user access to those files.

That's a SlickWrap

A company that makes custom wrap decals for consumer electronics is getting roasted for its shoddy website security.

White-hat researcher Lynx tipped off The Register to this scathing analysis he wrote of the SlickWrap site and its security failings. The infosec bod found found, among other things, exposed customer info and emails from the company, as well as all of its support communications.

On top of that, the biz was said to have completely ignored the security warnings, and was accused of trying to cover evidence of the data exposure. SlickWrap didn't get back to us.

Adobe AfterEffects gets patch

Adobe AfterEffects has received a security update to address an arbitrary code execution flaw. While this isn't a particularly dangerous flaw (unless you constantly open untrusted AfterEffects files), it is worth getting patched if you rely on the video editing tool.

Dutch student cuffed for malware

Dutch publication NOS has the story of a 21 year-old student from Utrecht who was arrested and charged with creating trojan tools for other malware writers.

From the sound of it, the student was offering tools that let malware be placed within Word or Excel file macros. He faces at least a year behind bars.

In brief... The Romanian masterminds behind the Bayrob malware that infected thousands of Windows PC to steal millions of dollars have been sentenced... A so-called stalkerware app called KidsGuard for keeping tabs on children, and others, left its backend database open to the world to find... Watch out if you use the public link option for your WhatsApp group chats: Google and others can index them.

Tech investigator denied US visa

The head of an investigation company that develops technology for media outlets and investigators says he is being barred from the US.

Forensic Architecture boss Eyal Weizman said his visa to enter the US has been revoked because he was apparently linked to a threat to national security. The New York Times reported: "He said that the embassy official had told him that the threat that surfaced could be related to something he was involved in, people he had been in contact with, places he had visited, hotels at which he had stayed, or a pattern of relations among those."

Man charged for political DDoS attacks

A California bloke was charged with launching a series of distributed-denial-of-service attacks against a candidate running in the Democratic primary against would-be Representative Katie Hill (D-CA).

The FBI believes that Arthur Dam, who was listed as a consultant for Hill, deliberately timed the DDoS attacks to take down the rival's website at critical times during the race. Hill would narrowly win the primary and go on to win the seat. She has since resigned, for an unrelated sex scandal. ®


Other stories you might like

  • DuckDuckGo tries to explain why its browsers won't block some Microsoft web trackers
    Meanwhile, Tails 5.0 users told to stop what they're doing over Firefox flaw

    DuckDuckGo promises privacy to users of its Android, iOS browsers, and macOS browsers – yet it allows certain data to flow from third-party websites to Microsoft-owned services.

    Security researcher Zach Edwards recently conducted an audit of DuckDuckGo's mobile browsers and found that, contrary to expectations, they do not block Meta's Workplace domain, for example, from sending information to Microsoft's Bing and LinkedIn domains.

    Specifically, DuckDuckGo's software didn't stop Microsoft's trackers on the Workplace page from blabbing information about the user to Bing and LinkedIn for tailored advertising purposes. Other trackers, such as Google's, are blocked.

    Continue reading
  • Despite 'key' partnership with AWS, Meta taps up Microsoft Azure for AI work
    Someone got Zuck'd

    Meta’s AI business unit set up shop in Microsoft Azure this week and announced a strategic partnership it says will advance PyTorch development on the public cloud.

    The deal [PDF] will see Mark Zuckerberg’s umbrella company deploy machine-learning workloads on thousands of Nvidia GPUs running in Azure. While a win for Microsoft, the partnership calls in to question just how strong Meta’s commitment to Amazon Web Services (AWS) really is.

    Back in those long-gone days of December, Meta named AWS as its “key long-term strategic cloud provider." As part of that, Meta promised that if it bought any companies that used AWS, it would continue to support their use of Amazon's cloud, rather than force them off into its own private datacenters. The pact also included a vow to expand Meta’s consumption of Amazon’s cloud-based compute, storage, database, and security services.

    Continue reading
  • Atos pushes out HPC cloud services based on Nimbix tech
    Moore's Law got you down? Throw everything at the problem! Quantum, AI, cloud...

    IT services biz Atos has introduced a suite of cloud-based high-performance computing (HPC) services, based around technology gained from its purchase of cloud provider Nimbix last year.

    The Nimbix Supercomputing Suite is described by Atos as a set of flexible and secure HPC solutions available as a service. It includes access to HPC, AI, and quantum computing resources, according to the services company.

    In addition to the existing Nimbix HPC products, the updated portfolio includes a new federated supercomputing-as-a-service platform and a dedicated bare-metal service based on Atos BullSequana supercomputer hardware.

    Continue reading

Biting the hand that feeds IT © 1998–2022