Dave Hamilton and Andrew Orr join host Kelly Guimont to discuss the WWDC Developer State of the Union, including some possible improvements.
Security
'RockYou2021' is the Biggest Password Leak Ever (So Far)
Someone posted a 100GB text file to a hacking forum recently. It contains 8.4 billion entries of passwords from data leaks and breaches.
Considering the fact that only about 4.7 billion people are online, numbers-wise the RockYou2021 compilation potentially includes the passwords of the entire global online population almost two times over. For that reason, users are recommended to immediately check if their passwords were included in the leak.
“Two times over” sounds like it’s a combination of old and new passwords alike. It’s also good to point out that no usernames or email addresses were included, so an attacker wouldn’t be able to do much with this password list.
$2.3 Million Bitcoin Seized from Colonial Pipeline Hackers
The U.S. Department of Justice seized about US$2.3 million in bitcoin ransom paid to the hackers behind the attack on Colonial Pipeline.
An affidavit filed on Monday said the FBI was in possession of a private key to unlock a bitcoin wallet that had received most of the funds. It was unclear how the FBI gained access to the key.
“unclear how the FBI gained access.” From other sources it sounds like the FBI used a subpoena and gained control over the rented cloud server the hackers were using. Private key sitting on the server, it seems.
WWDC 2021: Here are the Companies That Said "Oh S&@#!"
During Apple’s WWDC 2021 event on Monday, Andrew couldn’t help but notice the new ways in which the company is competing with rival services.
Justice Department Creates Cybersecurity Task Force
The U.S. Department of Justice has created a task force to coordinate and track federal cases that involve ransomware and other attacks.
How to Get Around macOS Security Using App Installers
Tenable Research found security issues related to macOS app installers, and they can be used to bypass default Mac security protections. So far, Apple hasn’t fixed it (emphasis mine).
Frustrated by the prevalence of these issues, we decided to write them up and make separate reports to both Apple and Microsoft. We wrote to Apple to recommend implementing a fix similar to what they did for CVE-2020–9817 and explained the additional LPE mechanism discovered.
We wrote to Microsoft to recommend a fix for the flaw in their installer. Both companies have rejected these submissions and suggestions.
Elcomsoft Cracks Latest Version of Encryption Tool ‘Veracrypt’
Elcomsoft, a company that sells forensics software, announced on Thursday that it has successfully cracked the latest version of Veracrypt.
You Have One Week to Opt Out of Amazon’s ‘Sidewalk’ Network Service
Amazon Sidewalk is the company’s network mesh service that shares your internet bandwidth with Amazon devices. You must opt out by June 8 if you don’t want this because the setting is turned on by default.
The new wireless mesh service will share a small slice of your Internet bandwidth with nearby neighbors who don’t have connectivity and help you to their bandwidth when you don’t have a connection.
By default, Amazon devices including Alexa, Echo, Ring, security cams, outdoor lights, motion sensors, and Tile trackers will enroll in the system.
Postal Workers Targeted With Phishing Campaign
Postal workers returning to the office after COVID-19 restrictions may find themselves targeted by a new phishing campaign.
The email-based campaign, observed by Cofense, is targeting employees with emails purporting to come from their CIO welcoming them back into offices.
The email looks legitimate enough, sporting the company’s official logo in the header, as well as being signed spoofing the CIO. The bulk of the message outlines the new precautions and changes to business operations the company is taking relative to the pandemic.
Meat Supplier JBS Hit With Cyber Attack, Data Not Affected
JBS SA shut down its computer networks for its operations in Australia and North America due to a cyberattack.
Backup servers were not affected, and the company is actively working to restore systems as soon as possible, according to a statement from JBS USA Monday. The processor said it’s not aware of any customer, supplier or employee data being compromised or misused.
macOS Big Sur 11.4 Patched a Ton of Security Flaws
Apple released new version of its operating systems and shared the security content for macOS Big Sur 11.4.
‘Have I Been Pwned’ Open Sourced, Partners With FBI
The popular service Have I Been Pwned has made its code open source, and it’s also partnering with the FBI. The agency will send compromised passwords discovered during investigations.
Why is the FBI getting involved? Because Bryan A. Vorndran, the FBI’s Assistant Director, Cyber Division, said, “We are excited to be partnering with HIBP on this important project to protect victims of online credential theft. It is another example of how important public/private partnerships are in the fight against cybercrime.”
DHS Releases Cybersecurity Rules for Pipeline Operators
Today, the Department of Homeland Security’s Transportation Security Administration (TSA) announced a Security Directive for critical pipeline companies.
The Security Directive will require critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and to designate a Cybersecurity Coordinator, to be available 24 hours a day, seven days a week.
It will also require critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.
WebKit Flaw Crashes Safari, Could Lead to Further Exploits
A WebKit flaw on iOS and macOS can cause Safari to crash and could lead to further malicious attacks.
The vulnerability stems from what security researchers call a type confusion bug in the WebKit implementation of AudioWorklet, an interface that allows developers to control, manipulate, render, and output audio and decrease latency. Exploiting the vulnerability gives an attacker the basic building blocks to remotely execute malicious code on affected devices.
1Password Browser Extension Now Supports Touch ID, Windows Hello
AgileBits announced on Wednesday that its 1Password browser extension supports biometric unlocking for Touch ID and others.
Flaw Found in M1 Chip Lets Apps Secretly Communicate
A security researcher found a flaw baked into M1 chips that could let any two apps to secretly exchange data.
LastPass Introduces Improved Multi-Factor Authenticator App
LastPass by LogMeIn announced on Wednesday that it enhanced its mobile authenticator app and integrates with VPN providers Cisco, Palo Alto Networks, and OpenVPN for businesses. However, the authenticator app is available to all LastPass users.
With this update, the LastPass Authenticator will offer a refreshed user interface that now offers search functionality to reduce user complexity and streamline the authentication experience.
Major Browsers Vulnerable to Cross-Browser Tracking Exploit
Chrome, Firefox, Safari, and Tor are vulnerable to a type of cross-browser tracking that can identify users.
Did the Government Take Down the DarkSide Ransomware Group?
DarkSide is the group behind the ransomware attack affecting Colonial Pipeline, and recently said it lost control of its web servers.
What’s Wrong With AirTags? Stalkers and Security
One report about AirTag on Thursday show that more security researchers are exploring the device, and another says it is a “gift to stalkers.”
President Biden Signs Order to Improve U.S. Cybersecurity
After the attack on Colonial Pipeline, President Biden has signed an executive order to improve the nation’s cybersecurity.
The executive order requires IT service providers to share certain breach information with the government, modernizes and implements stronger cybersecurity standards in the federal government, establishes security standards for development of software sold to the government and will create an “energy star” label so that consumers can better determine whether software was developed securely.
Security Researcher Hacks Apple’s ‘Find My’ Network
Researcher Fabian Bräunlein found that Apple’s Find My location network can be used to “upload arbitrary data to the internet.”
Being inherent to the privacy and security-focused design of the Find My Offline Finding system, it seems unlikely that this misuse can be prevented completely.
CIDA Warns of New Ransomware ‘FiveHands’
FiveHands has been around since January but was recently used in a successful attack against an unknown organization.
Attackers were targeting unpatched SonicWall Secure Mobile Access SMA 100 remote access products, for which patches were released in February. The publicly available tools the group users including the SoftPerfect Network Scanner for Discovery and Microsoft’s own remote administration program, PsExec.exe and its related ServeManager.exe.
Password Managers: How Do They Work? – TMO Daily Observations 2021-05-11
Andrew Orr and Bryan Chaffin join host Kelly Guimont dig deep into password managers, how they work, and why you need one.