What got breached this week? Ticket portals, DNA sites, and Atlanta's police cameras

Also, Apple tightens up its certificate requirements


Roundup This week brought new charges for Marcus Hutchins, a novel way to sneak malware into archives, and shady hotspots for World Cup fans.

There were also plenty of other security bits that didn't quite make the headlines. Here are some of the best.

Apple wants to be cert-ain on certs

Apple is going to make it harder for sites to be trusted on Safari.

The Cupertino phone seller said this week that, come Fall, it will put stricter requirements on sites that want their certificates to be accepted.

"Publicly-trusted Transport Layer Security (TLS) server authentication certificates issued after October 15, 2018 must meet our Certificate Transparency (CT) policy to be evaluated as trusted on Apple platforms," Apple says.

"Certificates that fail to comply with this policy will result in a failed TLS connection, which can break an app’s connection to Internet services or Safari’s ability to seamlessly connect."

This means that certificates will now need at least two signed certificate timestamps from a CT log. That was previously required only for Extended Validation certificates.

Ticketfly falls to hackers

Last week, ticketing site Ticketfly said it was the victim of an attack that left it unable to handle ticketing for some events over the weekend. This week, the site shed more light on the matter when it revealed that information on some 27 million accounts was harvested in the attack.

"In consultation with third-party forensic cybersecurity experts we can now confirm that credit and debit card information was not accessed," Ticketfly said.

"However, information including names, addresses, email addresses and phone numbers connected to approximately 27 million Ticketfly accounts was accessed."

Ticketfly notes that many of its users have multiple accounts with different email addresses, so fewer than 27 million actual people are affected by the breach. Also, no credit card information or passwords were accessed.

Still, anyone who has a Ticketfly account will need to reset their password, and re-used passwords on other sites should also be changed.

Thanks for getting scammed, now tell your friends!

It's bad enough to fall victim to a support scam, but one group is making matters even worse by tricking their marks into recording video endorsements.

Australia's ABC has the story of a group called 'Macpatchers' that uses fake tech support pages to get users to install remote access malware.

From there, the scammers trick the users into paying for unnecessary (and useless) support software and service. Finally, the scammers ask the victims to read a script saying they were satisfied with their experience.

Why? Because unbeknownst to the users, their webcams were turned on and recording them. The video clips were captured by the scammers and used to compile 'testimonial' videos that would make their dodgy support operations seem more legit.

While many Reg readers have no doubt tired of being the unpaid support staff for friends and family, stories like this underscore how important it is to be there to help the less tech-savvy people in your life when they have problems or questions. The alternative is letting them play right into the hands of scammers.

MyHeritage coughs up user details

It's the notice nobody who uses a genealogy site wants to see: MyHeritage has confirmed it suffered a massive breach of user data.

The testing site says a security researcher informed it earlier this week that a file containing the usernames and hashed passwords of every person who signed up for its service through October of last year was out in the wild.

Fortunately, we don't have to run any panicked thinkpieces about people having their "DNA hacked" anytime soon. The database only contained user email addresses and hashed passwords; no other personally identifiable information was accessed, and the site uses third-party services to process card data.

"Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security," the company said in its mea culpa.

"We have no reason to believe those systems have been compromised."

Atlanta ransomware infection worse than feared

Earlier this year, a ransomware outbreak hit the city of Atlanta, GA, taking down a number of the city's central IT services.

Now, it seems the outbreak was even worse than previously thought, and it could have a long-term impact on the city.

In addition to costing more than $2.5m to clean up, the city says the infection resulted in the loss of police dashcam footage. That footage includes evidence the city planned to use for criminal cases.

Police Chief Erika Shields told the Atlanta Journal Constitution that the city will hopefully still be able to proceed with the cases.

"But the dashcam doesn’t make the cases for us. There’s got to be the corroborating testimony of the officer," Shields was quoted as saying.

"There will be other pieces of evidence. It’s not something that makes or breaks cases for us."

Supermicro, semivulnerable

Researchers say that some servers from Supermicro could be vulnerable to firmware attacks, thanks to poorly-guarded hardware settings.

Security firm Eclypsium found that Supermicro boxes are not set to properly limit access to the firmware, potentially leaving the descriptor region vulnerable to being completely re-written.

"In general, the flash descriptor region should be “immutable” once the system completes the manufacturing process and is ready for production use. This helps establish the firmware stored in the SPI flash as a root of trust for the system," Eclypsium explains.

"By insecurely configuring the descriptor, malicious software with administrative privilege in the host OS may be permitted to modify the contents of firmware code and data that the host processor would otherwise never need to directly read or write."

In practice, this means that a malware infection already present on the system could use those vulnerabilities to further embed itself in the firmware layer, allowing the infection to become harder to detect and potentially crippling the entire server.

Eclypsium says it is working with Supermicro to shore up security and fix the vulnerabilities where needed. ®
