
      Phishers who breached Twilio and fooled Cloudflare could easily get you, too

      news.movim.eu / ArsTechnica • 9 August, 2022


    At least two security-sensitive companies—Twilio and Cloudflare—were targeted in a phishing attack by an advanced threat actor who had possession of home phone numbers of not just employees but employees' family members as well.

    In the case of Twilio, a San Francisco-based provider of two-factor authentication and communication services, the unknown hackers succeeded in phishing the credentials of an undisclosed number of employees and, from there, gained unauthorized access to the company's internal systems, the company said. The threat actor then used that access to reach data in an undisclosed number of customer accounts.

    Two days after Twilio's disclosure, content delivery network Cloudflare, also headquartered in San Francisco, revealed it had also been targeted in a similar manner. Cloudflare said that three of its employees fell for the phishing scam, but that the company's use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.


      10 malicious Python packages exposed in latest repository attack

      news.movim.eu / ArsTechnica • 9 August, 2022 • 1 minute

    Supply-chain attacks, like the latest PyPi discovery, insert malicious code into seemingly functional software packages used by developers. They're becoming increasingly common. (credit: Getty Images)

    Researchers have discovered yet another set of malicious packages in PyPi, the official and most popular repository for Python programs and code libraries. Those duped by the seemingly familiar packages could be subject to malware downloads or theft of user credentials and passwords.

    Check Point Research, which reported its findings Monday, wrote that it didn't know how many people had downloaded the 10 packages, but it noted that PyPi has 613,000 active users, and its code is used in more than 390,000 projects. Installing from PyPi through the pip command is a foundational step for starting or setting up many Python projects. PePy, a site that estimates Python project downloads, suggests most of the malicious packages saw hundreds of downloads.

    Such supply-chain attacks are becoming increasingly common, especially among open source software repositories that support a wide swath of the world's software. Python's repository is a frequent target, with researchers finding malicious packages in September 2017; June, July, and November 2021; and June of this year. But trick packages have also been found in RubyGems in 2020, NPM in December 2021, and many more open source repositories.


      SGX, Intel’s supposedly impregnable data fortress, has been breached yet again

      news.movim.eu / ArsTechnica • 9 August, 2022

    Architectural bug in some Intel CPUs is more bad news for SGX users


    Intel’s latest generation of CPUs contains a vulnerability that allows attackers to obtain encryption keys and other confidential information protected by the company’s software guard extensions, the advanced feature that acts as a digital vault for security users’ most sensitive secrets.

    Abbreviated as SGX, the protection is designed to provide a fortress of sorts for the safekeeping of encryption keys and other sensitive data, even when the operating system or a virtual machine running on top is maliciously compromised. SGX works by creating trusted execution environments that protect sensitive code and the data it works with from monitoring or tampering by anything else on the system.

    Cracks in Intel’s foundational security

    SGX is a cornerstone of the security assurances many companies provide to users. Servers used to handle contact discovery for the Signal Messenger, for instance, rely on SGX to ensure the process is anonymous. Signal says running its advanced hashing scheme provides a “general recipe for doing private contact discovery in SGX without leaking any information to parties that have control over the machine, even if they were to attach physical hardware to the memory bus.”


      Crypto and the US government are headed for a decisive showdown

      news.movim.eu / ArsTechnica • 9 August, 2022


    If you have paid casual attention to crypto news over the past few years, you probably have a sense that the crypto market is unregulated—a tech-driven Wild West in which the rules of traditional finance do not apply.

    If you were Ishan Wahi, however, you would probably not have that sense.

    Wahi worked at Coinbase, a leading crypto exchange, where he had a view into which tokens the platform planned to list for trading—an event that causes those assets to spike in value. According to the US Department of Justice, Wahi used that knowledge to buy those assets before the listings, then sell them for big profits. In July, the DOJ announced that it had indicted Wahi, along with two associates, in what it billed as the “first ever cryptocurrency insider trading tipping scheme.” If convicted, the defendants could face decades in federal prison.


      Small businesses count cost of Apple’s privacy changes

      news.movim.eu / ArsTechnica • 9 August, 2022


    Small businesses are cutting back marketing spending due to Apple’s sweeping privacy changes that have made it harder to target new customers online, in a growing trend that has led to billions of dollars in lost revenues for platforms like Facebook.

    Apple last year began forcing app developers to get permission to track users and serve them personalized adverts on iPhones and iPads in changes that have transformed the online advertising sector.

    Many small companies that rely on online ads to attract new customers told the Financial Times they did not notice the full impact of Apple’s restrictions until recent months, when price inflation squeezed consumer demand in major markets worldwide.


      Setting our heart-attack-predicting AI loose with “no-code” tools

      news.movim.eu / ArsTechnica • 9 August, 2022 • 1 minute

    Ahhh, the easy button! (credit: Aurich Lawson | Getty Images)

    This is the second episode in our exploration of "no-code" machine learning. In our first article, we laid out our problem set and discussed the data we would use to test whether a highly automated ML tool designed for business analysts could return cost-effective results near the quality of more code-intensive methods involving a bit more human-driven data science.

    If you haven't read that article, you should go back and at least skim it. If you're all set, let's review what we'd do with our heart attack data under "normal" (that is, more code-intensive) machine learning conditions and then throw that all away and hit the "easy" button.

    As we discussed previously, we're working with a set of cardiac health data derived from a study at the Cleveland Clinic Institute and the Hungarian Institute of Cardiology in Budapest (as well as other places whose data we've discarded for quality reasons). All that data is available in a repository we've created on GitHub, but its original form is part of a repository of data maintained for machine learning projects by the University of California-Irvine. We're using two versions of the data set: a smaller, more complete one consisting of 303 patient records from the Cleveland Clinic and a larger (597 patient) database that incorporates the Hungarian Institute data but is missing two of the types of data from the smaller set.


      Hundreds of scam apps hit over 10 million Android devices

      WIRED • news.movim.eu / ArsTechnica • 2 October, 2021 • 1 minute

    Never put a GriftHorse on your phone. (credit: John Lamparsky | Getty Images)

    Google has taken increasingly sophisticated steps to keep malicious apps out of Google Play. But a new round of takedowns involving about 200 apps and more than 10 million potential victims shows that this longtime problem remains far from solved—and in this case, potentially cost users hundreds of millions of dollars.

    Researchers from the mobile security firm Zimperium say the massive scamming campaign has plagued Android since November 2020. As is often the case, the attackers were able to sneak benign-looking apps like "Handy Translator Pro," "Heart Rate and Pulse Tracker," and “Bus - Metrolis 2021” into Google Play as fronts for something more sinister. After downloading one of the malicious apps, a victim would receive a flood of notifications, five an hour, that prompted them to "confirm" their phone number to claim a prize. The “prize” claim page loaded through an in-app browser, a common technique for keeping malicious indicators out of the code of the app itself. Once a user entered their digits, the attackers signed them up for a monthly recurring charge of about $42 through the premium SMS services feature of wireless bills. It's a mechanism that normally lets you pay for digital services or, say, send money to a charity via text message. In this case, it went directly to crooks.


    The techniques are common in malicious Play Store apps, and premium SMS fraud in particular is a notorious issue. But the researchers say it's significant that attackers were able to string these known approaches together in a way that was still extremely effective—and in staggering numbers—even as Google has continuously improved its Android security and Play Store defenses.


      California DMV gives Cruise and Waymo OK to charge for rides

      Jonathan M. Gitlin • news.movim.eu / ArsTechnica • 1 October, 2021

    A Cruise robotaxi test vehicle in San Francisco. (credit: Cruise)

    The autonomous vehicle developers Cruise and Waymo both got a little closer to running true driverless robotaxi services in and around San Francisco. In May, both Waymo and Cruise applied to the California Department of Motor Vehicles for deployment permits (as opposed to the testing permits that have allowed non-commercial operations). On Thursday, the DMV issued autonomous deployment permits to both companies, which is a necessary step if the robotaxis are to charge passengers for their rides.

    San Franciscans might have to be night owls to catch a Cruise; the DMV's authorization gives Cruise permission to operate on surface streets within a geofenced area of San Francisco between the hours of 10 pm and 6 am. Cruise's autonomous vehicles are allowed to operate in light rain and light fog, but they aren't allowed to exceed 30 mph (48 km/h).

    Waymo is allowed to operate over a wider area; the DMV's authorization is "within parts of San Francisco and San Mateo counties." These robotaxis are also trusted to cope with light rain and light fog and are approved for speeds of up to 65 mph (105 km/h).


      WhatsApp “end-to-end encrypted” messages aren’t that private after all

      Jim Salter • news.movim.eu / ArsTechnica • 8 September, 2021

    The security of Facebook's popular messaging app leaves several rather important devils in its details. (credit: WhatsApp)

    Yesterday, independent newsroom ProPublica published a detailed piece examining the popular WhatsApp messaging platform's privacy claims. The service famously offers "end-to-end encryption," which most users interpret as meaning that Facebook, WhatsApp's owner since 2014, can neither read messages itself nor forward them to law enforcement.

    This claim is contradicted by the simple fact that Facebook employs about 1,000 WhatsApp moderators whose entire job is—you guessed it—reviewing WhatsApp messages that have been flagged as "improper."

    End-to-end encryption—but what’s an “end”?

    This snippet from WhatsApp's security and privacy page seems easy to misinterpret. (credit: Jim Salter)

    The loophole in WhatsApp's end-to-end encryption is simple: the recipient of any WhatsApp message can flag it. Once flagged, the message is copied on the recipient's device and sent as a separate message to Facebook for review.
