• chevron_right

      Hackers spent 2+ years looting secrets of chipmaker NXP before being detected / ArsTechnica · Tuesday, 28 November - 12:56 · 1 minute

    A cartoon man runs across a white field of ones and zeroes.

    Enlarge (credit: Getty Images )

    A prolific espionage hacking group with ties to China spent over two years looting the corporate network of NXP, the Netherlands-based chipmaker whose silicon powers security-sensitive components found in smartphones, smartcards, and electric vehicles, a news outlet has reported.

    The intrusion, by a group tracked under names including "Chimera" and "G0114," lasted from late 2017 to the beginning of 2020, according to Netherlands-based NCR, which cited “several sources” familiar with the incident. During that time, the threat actors periodically accessed employee mailboxes and network drives in search of chip designs and other NXP intellectual property. The breach wasn’t uncovered until Chimera intruders were detected in a separate company network that connected to compromised NXP systems on several occasions. Details of the breach remained a closely guarded secret until now.

    No material damage

    NCR cited a report published (and later deleted) by security firm Fox-IT, titled Abusing Cloud Services to Fly Under the Radar . It documented Chimera using cloud services from companies including Microsoft and Dropbox to receive data stolen from the networks of semiconductor makers, including one in Europe that was hit in “early Q4 2017.” Some of the intrusions lasted as long as three years before coming to light. NCR said the unidentified victim was NXP.

    Read 11 remaining paragraphs | Comments

    • chevron_right

      How China gets free intel on tech companies’ vulnerabilities / ArsTechnica · Thursday, 7 September - 13:14

    image related to hacking and China

    Enlarge (credit: Wired staff; Getty Images)

    For state-sponsored hacking operations, unpatched vulnerabilities are valuable ammunition. Intelligence agencies and militaries seize on hackable bugs when they're revealed—exploiting them to carry out their campaigns of espionage or cyberwar—or spend millions to dig up new ones or to buy them in secret from the hacker gray market.

    But for the past two years, China has added another approach to obtaining information about those vulnerabilities: a law that simply demands that any network technology business operating in the country hand it over. When tech companies learn of a hackable flaw in their products, they’re now required to tell a Chinese government agency—which, in some cases, then shares that information with China's state-sponsored hackers, according to a new investigation. And some evidence suggests foreign firms with China-based operations are complying with the law, indirectly giving Chinese authorities hints about potential new ways to hack their own customers.

    Read 22 remaining paragraphs | Comments

    • chevron_right

      Microsoft Signing Key Stolen by Chinese / Schneier · Sunday, 6 August, 2023 - 17:05 · 1 minute

    A bunch of networks, including US Government networks , have been hacked by the Chinese. The hackers used forged authentication tokens to access user email, using a stolen Microsoft Azure account consumer signing key. Congress wants answers . The phrase “ negligent security practices ” is being tossed about—and with good reason. Master signing keys are not supposed to be left around, waiting to be stolen.

    Actually, two things went badly wrong here. The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the the system’s Hardware Security Module—and not be in software. This implies a really serious breach of good security practice. The fact that Microsoft has not been forthcoming about the details of what happened tell me that the details are really bad.

    I believe this all traces back to SolarWinds . In addition to Russia inserting malware into a SolarWinds update, China used a different SolarWinds vulnerability to break into networks. We know that Russia accessed Microsoft source code in that attack. I have heard from informed government officials that China used their SolarWinds vulnerability to break into Microsoft and access source code, including Azure’s.

    I think we are grossly underestimating the long-term results of the SolarWinds attacks. That backdoored update was downloaded by over 14,000 networks worldwide. Organizations patched their networks, but not before Russia—and others—used the vulnerability to enter those networks. And once someone is in a network, it’s really hard to be sure that you’ve kicked them out.

    Sophisticated threat actors are realizing that stealing source code of infrastructure providers, and then combing that code for vulnerabilities, is an excellent way to break into organizations who use those infrastructure providers. Attackers like Russia and China—and presumably the US as well—are prioritizing going after those providers.

    News articles .

    • chevron_right

      US senator blasts Microsoft for “negligent cybersecurity practices” / ArsTechnica · Thursday, 27 July, 2023 - 20:29

    US senator blasts Microsoft for “negligent cybersecurity practices”

    Enlarge (credit: Getty Images)

    A US senator is calling on the Justice Department to hold Microsoft responsible for “negligent cybersecurity practices” that enabled Chinese espionage hackers to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce.

    “Holding Microsoft responsible for its negligence will require a whole-of-government effort,” Ron Wyden (D-Ore.) wrote in a letter . It was sent on Thursday to the heads of the Justice Department, Cybersecurity and Infrastructure Security Agency, and the Federal Trade Commission.

    Bending over backward

    Wyden’s remarks echo those of other critics who say Microsoft is withholding key details about a recent hack. In disclosures involving the incident so far, Microsoft has bent over backwards to avoid saying its infrastructure—including the Azure Active Directory , a supposedly fortified part of Microsoft’s cloud offerings that large organizations use to manage single sign-on and multifactor authentication—was breached. The critics have said that details Microsoft has disclosed so far lead to the inescapable conclusion that vulnerabilities in code for Azure AD and other cloud offerings were exploited to pull off the successful hack.

    Read 13 remaining paragraphs | Comments

    • chevron_right

      Wisconsin Governor Hacks the Veto Process / Schneier · Saturday, 8 July, 2023 - 00:18 · 2 minutes

    In my latest book, A Hacker’s Mind , I wrote about hacks as loophole exploiting. This is a great example: The Wisconsin governor used his line-item veto powers—supposedly unique in their specificity—to change a one-year funding increase into a 400-year funding increase.

    He took this wording:

    Section 402. 121.905 (3) (c) 9. of the statues is created to read: 121.903 (3) (c) 9. For the limit for the 2023-24 school year and the 2024-25 school year, add $325 to the result under par. (b).

    And he deleted these words, numbers, and punctuation marks:

    Section 402. 121.905 (3) (c) 9. of the statues is created to read: 121.903 (3) (c) 9. For the limit for the 2023 -24 school year and the 20 24 25 school year , add $325 to the result under par. (b).

    Seems to be legal:

    Rick Champagne, director and general counsel of the nonpartisan Legislative Reference Bureau, said Evers’ 400-year veto is lawful in terms of its form because the governor vetoed words and digits.

    “Both are allowable under the constitution and court decisions on partial veto. The hyphen seems to be new, but the courts have allowed partial veto of punctuation,” Champagne said.

    Definitely a hack. This is not what anyone thinks about when they imagine using a line-item veto.

    And it’s not the first time. I don’t know the details, but this was certainly the same sort of character-by-character editing:

    Mr Evers’ Republican predecessor once deploying it to extend a state programme’s deadline by one thousand years.

    A couple of other things:

    One, this isn’t really a 400-year change. Yes, that’s what the law says. But it can be repealed. And who knows that a dollar will be worth—or if they will even be used—that many decades from now.

    And two, from now all Wisconsin lawmakers will have to be on the alert for this sort of thing. All contentious bills will be examined for the possibility of this sort of delete-only rewriting. This sentence could have been reworded, for example:

    For the 2023-2025 school years, add $325 to the result under par. (b).

    The problem is, of course, that legalese developed over the centuries to be extra wordy in order to limit disputes. If lawmakers need to state things in the minimal viable language, that will increase court battles later. And that’s not even enough. Bills can be thousands of words long. If any arbitrary characters can be glued together by deleting enough other characters, bills can say anything the governor wants.

    The real solution is to return the line-item veto to what we all think it is: the ability to remove individual whole provisions from a law before signing it.

    • chevron_right

      Unexpected 3DS update breaks many common homebrew hacking methods / ArsTechnica · Tuesday, 23 May, 2023 - 17:37

    A few of the 3DS variations that were once supported by Nintendo.

    Enlarge / A few of the 3DS variations that were once supported by Nintendo. (credit: Mark Walton)

    It has been years since Nintendo stopped producing its Nintendo 3DS line of portable hardware and months since the company officially shut down the 3DS eShop for new downloadable game purchases. But those facts haven't stopped the company from issuing a new firmware update that seems at least partly focused on impeding some of the most common methods for installing homebrew software on the defunct console.

    Monday night's surprise release of 3DS firmware Ver. 11.17.0-50 is the first official system update for the console since last September and the fifth update since the hardware was officially discontinued in 2020. The official patch notes for the sudden update cover the now-standard (if vague) promise of "further improvements to overall system stability and other minor adjustments [that] have been made to enhance the user experience."

    But console hacking groups quickly noticed that downloading the update ruined many of the documented hacking methods that could previously be used to install custom 3DS firmware.

    Read 6 remaining paragraphs | Comments

    • chevron_right

      On the Poisoning of LLMs / Schneier · Monday, 22 May, 2023 - 20:08

    Interesting essay on the poisoning of LLMs—ChatGPT in particular:

    Given that we’ve known about model poisoning for years, and given the strong incentives the black-hat SEO crowd has to manipulate results, it’s entirely possible that bad actors have been poisoning ChatGPT for months. We don’t know because OpenAI doesn’t talk about their processes, how they validate the prompts they use for training, how they vet their training data set, or how they fine-tune ChatGPT. Their secrecy means we don’t know if ChatGPT has been safely managed.

    They’ll also have to update their training data set at some point. They can’t leave their models stuck in 2021 forever.

    Once they do update it, we only have their word— pinky-swear promises —that they’ve done a good enough job of filtering out keyword manipulations and other training data attacks, something that the AI researcher El Mahdi El Mhamdi posited is mathematically impossible in a paper he worked on while he was at Google .

    • chevron_right

      FBI Disables Russian Malware / Schneier · Wednesday, 10 May, 2023 - 15:26

    Reuters is reporting that the FBI “had identified and disabled malware wielded by Russia’s FSB security service against an undisclosed number of American computers, a move they hoped would deal a death blow to one of Russia’s leading cyber spying programs.”

    The headline says that the FBI “sabotaged” the malware, which seems to be wrong.

    Presumably we will learn more soon.

    • chevron_right

      AI Hacking Village at DEF CON This Year / Schneier · Monday, 8 May, 2023 - 15:33

    At DEF CON this year, Anthropic, Google, Hugging Face, Microsoft, NVIDIA, OpenAI and Stability AI will all open up their models for attack.

    The DEF CON event will rely on an evaluation platform developed by Scale AI, a California company that produces training for AI applications. Participants will be given laptops to use to attack the models. Any bugs discovered will be disclosed using industry-standard responsible disclosure practices.