The macOS Background Task Manager tool is supposed to spot potentially malicious software on your machine. But a researcher says it has troubling flaws.

One of your Mac's built-in malware detection tools may not be working quite as well as you think. At the Defcon hacker conference in Las Vegas, longtime Mac security researcher Patrick Wardle presented findings today about vulnerabilities in Apple's macOS Background Task Management mechanism, which could be exploited to bypass and, therefore, defeat the company's recently added monitoring tool.

There's no foolproof method for catching malware on computers with perfect accuracy because, at their core, malicious programs are just software, like your web browser or chat app. It can be difficult to tell the legitimate programs from the transgressors. So operating system makers like Microsoft and Apple, as well as third-party security companies, are always working to develop new detection mechanisms and tools that can spot potentially malicious software behavior in new ways.

Apple's Background Task Management tool focuses on watching for software “persistence.” Malware can be designed to be ephemeral and operate only briefly on a device or until the computer restarts. But it can also be built to establish itself more deeply and “persist” on a target even when the computer is shut down and rebooted. Lots of legitimate software needs persistence so all of your apps and data and preferences will show up as you left them every time you turn on your device. But if software establishes persistence unexpectedly or out of the blue, it could be a sign of something malicious. 

With this in mind, Apple added Background Task Manager in macOS Ventura, which launched in October 2022, to send notifications both directly to users and to any third-party security tools running on a system if a “persistence event” occurs. This way, if you know you just downloaded and installed a new application, you can disregard the message. But if you didn't, you can investigate the possibility that you've been compromised. 

“There should be a tool \[that notifies you\] when something persistently installs itself, it's a good thing for Apple to have added, but the implementation was done so poorly that any malware that’s somewhat sophisticated can trivially bypass the monitoring,” Wardle says about his Defcon findings. 

Apple could not immediately be reached for comment.

As part of his Objective-See Foundation, which offers free and open source macOS security tools, Wardle has offered a similar persistence event notification tool known as BlockBlock for years. “Because I've written similar tools, I know the challenges my tools have faced, and I wondered if Apple’s tools and frameworks would have the same issues to work through—and they do," he says. "Malware can still persist in a manner that is completely invisible.”

When Background Task Manager first debuted, Wardle discovered some more basic issues with the tool that caused persistence event notifications to fail. He reported them to Apple, and the company fixed the error. But the company didn't identify deeper issues with the tool.

“We went back and forth, and eventually, they fixed that issue, but it was like putting some tape on an airplane as it’s crashing,” Wardle says. “They didn't realize that the feature needed a lot of work.”

One of the bypasses Wardle presented on Saturday requires root access to a target's device, meaning that attackers need to have full control before they can stop users from receiving persistence alerts. The bug related to this potential attack is important to patch because hackers can sometimes gain this level of access to a target and might be motivated to stop notifications so they can install as much malware as they want on a system. 

More concerning is that Wardle also found two paths that don't require root access to disable the persistence notifications Background Task Manager is supposed to send to the user and to security monitoring products. One of these exploits takes advantage of a bug in how the alerting system communicates with the core of a computer's operating system known as the kernel. The other capitalizes on a capability that allows users, even those without deep system privileges, to put processes to sleep. Wardle found that this capability can be manipulated to disrupt persistence notifications before they can get to the user.

Wardle says he chose to release these bugs at Defcon without first notifying Apple because he had already notified the company about flaws in Background Task Manager that could have led it to improve the tool’s overall quality more comprehensively. He adds, too, that bypassing this monitoring simply brings the state of macOS security back to what it was a year ago, before this feature debuted. But he notes that it’s problematic when Apple releases monitoring tools that seem rushed or need more testing, because it can give users and security vendors a false sense of security.

An Apple Malware-Flagging Tool Is ‘Trivially’ Easy to Bypass

A pair of major data breaches rock the UK, North Korea hacks a Russian missile maker, and Microsoft’s Chinese Outlook breach sparks new problems.

Of course, generative AI tools are the talk of the security industry this year. And Microsoft is no exception. In fact, since 2018, the company has had an AI red team that attacks AI tools to find vulnerabilities and help prevent them from behaving badly.

Outside of Black Hat and Defcon coverage, we detailed the ins and outs of the data privacy that HIPPA provides people in the US, and explained how to use Google's new “Results About You” tool to get your personal information removed from search results.

But that’s not all. Each week, we round up the security news that we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Your keyboard may be exposing your secrets without you even knowing it. Researchers in the UK developed a deep-learning algorithm that can figure out what a person is typing just by listening to keystrokes. In a best-case scenario (for an attacker, that is), the algorithm is 95 percent accurate. The researchers even tested it over Zoom and found it performed with 93 percent accuracy.

Now, if you’re thinking the researchers tested the attack on the noisiest mechanical keyboard they could find, you’d be wrong. They performed their tests on a MacBook Pro. And the attack doesn’t even require fancy recording equipment—a phone’s microphone works just fine. Someone who successfully carries out the attack could use it to learn a target’s passwords or snoop on their conversations. These kinds of acoustic attacks aren’t new, but this research shows they’re getting frighteningly accurate and easier to pull off in the wild.

A series of data breaches rocked the United Kingdom this week. On August 8, the Electoral Commission, the independent body responsible for overseeing elections and regulating political finances, revealed a cyberattack had exposed the data of 40 million voters to hackers. The organization has been unable to determine whether data was taken; however, it says that full names, emails, phone numbers, home addresses, and data provided during contact with the body could be impacted. “The attack has not had an impact on the electoral process,” the commission said. (Elections are run by local councils.)

The commission has, however, been criticized for how it communicated the cyberattack: The incident happened in August 2021 but was detected only in October 2022, and then finally communicated to the public nine months later. It has also been reported the breach may be linked to an unpatched Microsoft Exchange zero-day.

But that wasn’t all. The same day, the Police Service of Northern Ireland (PSNI) accidentally published the names and roles of 10,000 officers and staff in response to a Freedom of Information request. The breach, arguably, has more significant ramifications than that of the Electoral Commission. Officers working in intelligence and security services were included in the breach, which stayed online for three hours. The PSNI blamed “human error” for the breach, and the British data regulator, the Information Commissioner’s Office, has opened an investigation. (Previously, the regulator has issued guidance on making sure information is not accidentally disclosed via spreadsheets.) Since the breach, officers have expressed concerns about their safety, and the police service has been reviewing moving people to different roles for safety reasons.

North Korean hackers don’t just steal cryptocurrency, they also may have stolen Russia’s missile secrets. According to Reuters, the state-linked hacking group Lazarus breached the networks of NPO Mashinostroyeniya, a major Russian missile manufacturer, in late 2021. The breach wasn’t detected until May 2022. A researcher with the cybersecurity firm SentinelOne who discovered the breach said that the hackers would have had “the ability to read email traffic, jump between networks, and extract data,” Reuters reports.

It is unclear what exactly the Lazarus hackers stole while inside the NPO network, although North Korea did announce several updates to its missile program following the breach, so the two may be linked.

Last month, Microsoft revealed damning news: China-based hackers stole a digital key that the company uses to cryptographically sign tokens that are assigned to users when they log in to their Outlook email accounts. The hackers used this stunning access to break into the Outlook accounts of at least 25 organizations, including government bodies. But that’s only the start of the problems for Microsoft.

US senator Ron Wyden, an Oregon Democrat, sent a letter this week demanding three federal inquiries into Microsoft’s “negligent cybersecurity practices,” _The Wall Street Journal_ reports. Wyden also asked that the Cyber Safety Review Board, which the Biden administration created to investigate cybersecurity incidents, also look into the incident. And according to Bloomberg News, the review board is already planning to do just that.

Wyden’s letter, which is dated July 27, demands that the Department of Justice, the Federal Trade Commission, and the Cybersecurity and Infrastructure Security Agency all launch investigations. Microsoft, for its part, tells the _Journal_ that it plans to fully cooperate with any federal inquiries into the hack.

A New Attack Reveals Everything You Type With 95 Percent Accuracy

GitHub has spent two years researching and slowly rolling out its multifactor authentication system. Soon it will be mandatory for all 100 million users—with no opt-out.

You’ve heard the advice for years: Turn on two-factor authentication everywhere it’s offered. It’s long been clear that using only a username and password to secure digital accounts isn’t enough. But layering on an additional authentication “factor”—like a randomly generated code or a physical token—makes the keys to your kingdom much tougher to guess or steal. And the stakes are high for both individuals and institutions trying to protect their valuable and sensitive networks and data from targeted hacking or opportunist criminals.

Even with all its benefits, though, it often takes a little tough love to get people to actually turn on two-factor authentication, often known as 2FA. At the Black Hat security conference in Las Vegas yesterday, John Swanson, director of security strategy at GitHub, presented findings from the dominant software development platform's two-year effort to research, plan, and then start rolling out mandatory two-factor for all accounts. And the effort has taken on ever-increasing urgency as software supply chain attacks proliferate and threats to the software development ecosystem grow.

“There’s a lot of talk about exploits and zero days and build pipeline compromises in terms of the software supply chain, but at the end of the day, the easiest way to compromise the software supply chain is to compromise an individual developer or engineer,” Swanson told WIRED ahead of his conference presentation. “We believe that 2FA is a really impactful way to work on preventing that.”

Companies like Apple and Google have made concerted efforts to push their massive user bases toward 2FA, but Swanson points out that companies with a hardware ecosystem, like phones and computers, in addition to software have more options for easing the transition for customers. Web platforms like GitHub need to use tailored strategies to make sure two-factor isn't too onerous for users all over the world who all have different circumstances and resources.

For example, receiving randomly generated codes for two-factor via SMS text messages is less secure than generating those codes in a dedicated mobile app, because attackers have methods for compromising targets' phone numbers and intercepting their text messages. Primarily as a cost-saving measure, companies like X, formerly known as Twitter, have curtailed their SMS two-factor offerings. But Swanson says that he and his GitHub colleagues studied the choice carefully and concluded that it was more important to offer multiple two-factor options than to take a hard line on SMS code delivery. Any second factor is better than nothing. GitHub also offers and more strongly promotes alternatives like using a code-generating authentication app, mobile push message-based authentication, or a hardware authentication token. The company also recently added support for passkeys.

The bottom line is that, one way or another, all 100 million GitHub users are going to end up turning on 2FA if they haven't already. Before starting the rollout, Swanson and his team spent significant time studying the two-factor user experience. They overhauled the onboarding flow to make it harder for users to misconfigure their two-factor, a leading cause of customers getting locked out of their accounts. The process included more emphasis on things like downloading backup recovery codes so people have a safety net to get into their accounts if they lose access. The company also examined its support capacity to ensure that it could field questions and concerns smoothly. 

Since those improvements, Swanson says, the company has seen a 38 percent increase in users downloading their recovery codes and a 42 percent reduction in 2FA-related support tickets. GitHub users are also making 33 percent fewer attempts to recover locked accounts. In other words, account lockouts appear to be down by a third.

Swanson says the results have been very heartening as the company has started rolling out mandatory two-factor to batches of users in recent months. The effort will continue throughout 2023 and beyond. But all the concern and care that has gone into the process has a specific goal in mind.

“As we approach enrollment for a user, they receive a number of emails spread out over about 45 days, and they also receive site banners when they visit the site that inform them of the changes and the requirements,” Swanson says. “Then they have an option right at the end of the 45 days for a one-time, seven-day opt-out if they must. Maybe they’re on vacation or need to do something ultra-critical to help ease that enforcement point. But after the seven days, you are blocked from accessing github.com. There is no option for an opt-out at this point.”

In their two-factor campaigns, Apple and Google have left some wiggle room for users who want to intentionally and deliberately leave 2FA off. But other than a legitimate and insurmountable accessibility issue, Swanson says GitHub has no plans for lenience. And no one has raised such a concern so far.

“We take every measure we can to try and make folks aware and avoid problems. But at some point, we feel like we have an obligation—and a responsibility—to support the broader software ecosystem and help it be secure,” Swanson says. “And we think this is an important way of doing it.”

Swanson emphasizes that digital platforms need to promote two-factor adoption across the board, but that they first need to conduct research, carefully plan, and expand their support capacity before mandating the protection.

“Though we want folks to join us on this journey, this isn’t something that organizations should take lightly. You need to prepare and get the user experience right,” he says. “If our intent is to normalize 2FA for the broader community, the worst thing we could do is fail and fail visibly.”

GitHub’s Hardcore Plan to Roll Out Two-Factor Authentication (2FA)

In 2008, Boston’s transit authority sued to stop MIT hackers from presenting at the Defcon hacker conference on how to get free subway rides. Today, four teens picked up where they left off.

In early August of 2008, almost exactly 15 years ago, the Defcon hacker conference in Las Vegas was hit with one of the worst scandals in its history. Just before a group of MIT students planned to give a talk at the conference about a method they’d found to get free rides on Boston’s subway system—known as the Massachusetts Bay Transit Authority—the MBTA sued them and obtained a restraining order to prevent them from speaking. The talk was canceled, but not before the hackers’ slides were widely distributed to conference attendees and published online.

In the summer of 2021, 15-year-olds Matty Harris and Zachary Bertocchi were riding the Boston subway when Harris told Bertocchi about a Wikipedia article he’d read that mentioned this moment in hacker history. The two teenagers, both students at Medford Vocational Technical High School in Boston, began musing about whether they could replicate the MIT hackers’ work, and maybe even get free subway rides.

They figured it had to be impossible. “We assumed that because that was more than a decade earlier, and it had got heavy publicity, that they would have fixed it,” Harris says.

Bertocchi skips to the end of the story: “They didn’t.”

The Boston subway hackers (from left to right) Scott Campbell, 16; Noah Gibson, 17; Matty Harris, 17; and Zack Bertocchi, 17.Photograph: Roger Kisby

Now, after two years of work, that pair of teens and two fellow hacker friends, Noah Gibson and Scott Campbell, have presented the results of their research at the Defcon hacker conference in Las Vegas. In fact, they not only replicated the MIT hackers’ 2008 tricks, but took them a step further. The 2008 team had hacked Boston’s Charle Ticket magstripe paper cards to copy them, change their value, and get free rides—but those cards went out of commission in 2021. So the four teens extended other research done by the 2008 hacker team to fully reverse engineer the CharlieCard, the RFID touchless smart cards the MBTA uses today. The hackers can now add any amount of money to one of these cards or invisibly designate it a discounted student card, a senior card, or even an MBTA employee card that gives unlimited free rides. “You name it, we can make it,” says Campbell.

To demonstrate their work, the teens have gone so far as create their own portable “vending machine”—a small desktop device with a touchscreen and an RFID card sensor—that can add any value they choose to a CharlieCard or change its settings, and they’ve built the same functionality into an Android app that can add credit with a tap. They demonstrate both tricks in the video below:

In contrast to the Defcon subway-hacking blowup of 2008—and in a sign of how far companies and government agencies have come in their relationship with the cybersecurity community—the four hackers say the MBTA didn’t threaten to sue them or try to block their Defcon talk. Instead, it invited them to the transit authority headquarters last year to deliver a presentation on the vulnerabilities they’d found. Then the MBTA politely asked that they obscure part of their technique to make it harder for other hackers to replicate.

The hackers say the MBTA hasn’t actually fixed the vulnerabilities they discovered and instead appears to be waiting for an entirely new subway card system that it plans to roll out in 2025. When WIRED reached out to the MBTA, its director of communications, Joe Pesaturo, responded in a statement that “the MBTA was pleased that the students reached out and worked collaboratively with the fare collection team.”

“It should be noted that the vulnerability identified by the students does NOT pose an imminent risk affecting safety, system disruption, or a data breach,” Pesaturo added. “The MBTA's fraud detection team has increased monitoring to account for this vulnerability \[and\] does not anticipate any significant financial impact to the MBTA. This vulnerability will not exist once the new fare collection system goes live, due to the fact that it will be an account-based system versus today’s card-based system.”

The high schoolers say that when they started their research in 2021, they were merely trying to replicate the 2008 team’s CharlieTicket hacking research. But when the MBTA phased out those magstripe cards just months later, they wanted to understand the inner workings of the CharlieCards. After months of trial and error with different RFID readers, they were eventually able to dump the contents of data on the cards and begin deciphering them.

Unlike credit or debit cards, whose balances are tracked in external databases rather than on the cards themselves, CharlieCards actually store about a kilobyte of data in their own memory, including their monetary value. To prevent that value from being changed, each line of data in the cards’ memory includes a “checksum,” a string of characters computed from the value using the MBTA’s undisclosed algorithm.

The hackers figured out how to reproduce a “checksum” calculation intended to prevent the value stored on CharlieCards from being changed, circumventing that anti-hacking protection.Photograph: Roger Kisby

By comparing identical lines of memory on different cards and looking at their checksum values, the hackers began to figure out how the checksum function worked. They were eventually able to compute checksums that allowed them to change the monetary value on a card, along with the checksum that would cause a CharlieCard reader to accept it as valid. They computed a long list of checksums for every value so that they could arbitrarily change the balance of the card to whatever amount they chose. At the MBTA’s request, they’re not releasing that table, nor the details of their checksum reverse engineering work.

Not long after they made this breakthrough, in December of last year, the teens read in the _Boston Globe_ about another hacker, an MIT grad and penetration tester named Bobby Rauch, who had figured out how to clone CharlieCards using an Android Phone or a Flipper Zero handheld radio-hacking device. With that technique, Rauch said he could simply copy a CharlieCard before spending its value, effectively obtaining unlimited free rides. When he demonstrated the technique to the MBTA, however, it claimed it could spot the cloned cards when they were used and deactivate them.

Early this year, the four teenagers showed Rauch their techniques, which went beyond cloning to include more granular changes to a card’s data. The older hacker was impressed and offered to help them report their findings to the MBTA—without getting sued.

In working with Rauch, the MBTA had created a vulnerability disclosure program to cooperate with friendly hackers who agreed to share cybersecurity vulnerabilities they found. The teens say they were invited to a meeting at the MBTA that included no fewer than 12 of the agency’s executives, all of whom seemed grateful for their willingness to share their findings. The MBTA officials asked the high schoolers to not reveal their findings for 90 days and to hold details of their checksum hacking techniques in confidence, but otherwise agreed that they wouldn’t interfere with any presentation of their results. The four teens say they found the MBTA’s chief information security officer, Scott Margolis, especially easy to work with. “Fantastic guy,” say Bertocchi.

The teens say that as with Rauch’s cloning technique, the transit authority appears to be trying to counter their technique by detecting altered cards and blocking them. But they say that only a small fraction of the cards they’ve added money to have been caught. “The mitigations they have aren’t really a patch that seals the vulnerability. Instead, they play whack-a-mole with the cards as they come up,” says Campbell.

“We’ve had some of our cards get disabled, but most get through,” adds Harris.

So are all four of them using their CharlieCard-hacking technique to roam the Boston subway system for free? “No comment.”

For now, the hacker team is just happy to be able to give their talk without the heavy-handed censorship that the MBTA attempted with its lawsuit 15 years ago. Harris argues that the MBTA likely learned its lesson from that approach, which only drew attention to the hackers’ findings. “It’s great that they’re not doing that now—that they’re not shooting themselves in the foot. And it’s a lot less stressful for everyone,” Harris says.

He’s also glad, on the other hand, that the MBTA took such a hardline approach to the 2008 talk that it got his attention and kickstarted the group’s research almost a decade and a half later. “If they hadn’t done that,” Harris says, “we wouldn’t be here.”

_Update 5 pm ET, August 10, 2023: Added a statement form an MBTA spokesperson._

Teens Hacked Boston Subway’s CharlieCard to Get Infinite Free Rides—and This Time Nobody Got Sued

As the international tech giant moves toward Russian ownership, the leak raises concerns about the volume of data it has on its users.

The code also shows how Yandex can combine data from multiple services. McCrea says in one complex process, an adult’s search data may be pulled from the Yandex search tool, AppMetrica, and the company’s taxi app to predict whether they have children in their household. Some of the code categorizes whether children may be over or under 13. (Yandex’s Cherevko says people can order taxis with children’s seats, which is a sign they may be “interested in specific content that might be interesting for someone with a child.”)

One element within the Crypta code indicates just how all of this data can be pulled together. A user interface exists that acts as a profile about someone: It shows marital status, their predicted income, whether they have children, and three interests—which include broad topics such as appliances, food, clothes, and rest. Cherevko says this is an “internal Yandex tool” where employees can see how Crypta’s algorithms classify them, and they can only access their own information. “We have not encountered any incidents related to access abuse,” he says.

Government Influence

Yandex is going through a breakup. In November 2022, the company’s Netherlands-based parent organization, Yandex NV, announced it will separate itself from the Russian business, following Russia’s invasion of Ukraine. Internationally, the company, which will change its name, is planning to develop self-driving technologies and cloud computing, while divesting itself from search, advertising, and other services in Russia. Various Russian businessmen have been linked to the potential sale. (At the end of July, Yandex NV said it plans to propose its restructuring to shareholders later this year.)

While the uncoupling is being worked out, Russia has been trying to consolidate its control of the internet and increasing censorship. A slew of new laws requires more companies and government services in the country to use home-grown tech. For instance, this week, Finland and Norway’s data regulators blocked Yandex’s international taxi app from sending data back to Russia due to a new law, which comes into force in September, that will allow the Federal Security Service (FSB) access to taxi data.

These nationalization efforts coupled with the planned ownership change at Yandex are creating concerns that the Kremlin may soon be able to use data gathered by the company. Stanislav Shakirov, the CTO of Russian digital rights group Roskomsvoboda and founder of tech development organization Privacy Accelerator, says historically Yandex has tried to resist government demands for data and has proved better than other firms. (In June, it was fined 2 million rubles ($24,000) for not handing data to Russian security services.) However, Shakirov says he thinks things are changing. “I am inclined to believe that Yandex will be attempted to be nationalized and, as a consequence, management and policy will change,” Shakirov says. “And as a consequence, user data will be under much greater threat than it is now.”

Bakunov, the former Yandex engineer, who reviewed some of McCrea’s findings at WIRED’s request, says he is scared by the potential for the misuse of data going forward. He says it looks like Russia is a “new generation” of a “failed state,” highlighting how it may use technology. “Yandex here is the big part of these technologies,” he says. “When we built this company, many years ago, nobody thought that.” The company’s head of privacy, Cherevko, says that within the restructuring process, “control of the company will remain in the hands of management.” And its management makes decisions based on its “core principles.”

But the leaked code shows, in one small instance, that Yandex may already share limited information with one Russian government-linked company. Within Crypta are five “matchers” that sync fingerprinting events with telecoms firms—including the state-backed Rostelecom. McCrea says this indicates that the fingerprinting events could be accessible to parts of the Russian state. “The shocking thing is that it exists,” McCrea says. “There's nothing terribly shocking within it.” (Cherevko says the tool is used for improving the quality of advertising, helping it to improve its accuracy, and also identifying scammers attempting to conduct fraud.)

Overall, McCrea says that whatever happens with the company, there are lessons about collecting too much data and what can happen to it over time when circumstances change. “Nothing stays harmless forever,” she says.

Leaked Yandex Code Breaks Open the Creepy Black Box of Online Advertising

The legacy electronics manufacturer is creating IoT honeypots with its products to catch real-world threats and patch vulnerabilities in-house.

Internet-of-things devices have been plagued by security issues and unfixed vulnerabilities for more than a decade, fueling botnets, facilitating government surveillance, and exposing institutional networks and individual users around the world. But many manufacturers have been slow to improve their practices and invest in raising the bar. At the Black Hat security conference in Las Vegas today, researchers from Panasonic laid out the company's strategy for improving IoT defenses based on a five-year project to gather and analyze data on how the company's own products are attacked.

The researchers use Panasonic home appliances and other internet-connected electronics made by the company to create honeypots that lure real-world attackers to exploit the devices. This way Panasonic can capture current strains of malware and analyze them. Such IoT threat intelligence work is rare from a legacy manufacturer, but Panasonic says it would like to share its findings and collaborate with other companies so the industry can start to compile a broader view of the latest threats across products.

“Attack cycles are becoming faster. And now the malware is becoming all the more complicated and complex,” says Yuki Osawa, chief engineer at Panasonic who spoke with WIRED ahead of the conference through an interpreter. “Traditionally, IoT malware is rather simple. What we are afraid of most is that some kind of a cutting-edge, most-advanced type of malware will also target IoT. So there is importance to protect \[against\] malware even after the product is shipped."

Panasonic calls its efforts to track threats and develop countermeasures Astira, a portmanteau of the Buddhist demigods known as “asura” and “threat intelligence.” And insights from Astira feed into the IoT security solution known as Threat Resilience and Immunity Module, or Threim, which works to detect and block malware on Panasonic devices. In an analysis of Panasonic products running ARM processors, Osawa says, the malware detection rate was about 86 percent for 1,800 malware samples from the ASTIRA honeypots.

“We use the technology to immunize our IoT devices just like protecting humans from the Covid-19 infection,” Osawa says. “These anti-malware functions are built in, no installation required, and are very lightweight. It doesn’t affect the capability of the device itself.”

Osawa emphasizes that the ability to push patches to IoT devices is important—a capability that is often lacking in the industry as a whole. But he notes that Panasonic doesn't always see firmware updates as a feasible solution to dealing with IoT security issues. This is because, in the company's view, end users don't have adequate education about the need to install updates on their embedded devices, and not all updates can be delivered automatically without user involvement.

For this reason, Panasonic's approach melds shipping patches with built-in malware detection and defense. And Osawa emphasizes that Panasonic views it as the manufacturer's responsibility to develop a security strategy for its products rather than relying on third-party security solutions to defend IoT. He says that this way, vendors can determine a “reasonable level of security” for each product based on its design and the threats it faces. And he adds that by deploying its own solutions out of the box, manufacturers can avoid having to share trade secrets with outside organizations.

“Manufacturers ourselves have to be responsible for developing and providing these security solutions,” Osawa says. “I’m not saying that we’re going to do everything ourselves but we need to have a firm collaboration with third-party security solution vendors. The reason why we make it built in is that inside of the devices are secrets, and we don’t have to open it. We can keep it black box and still we can provide the security as well.”

Developing threat intelligence capabilities for IoT is a crucial step in improving the state of defense for the devices overall. But independent security researchers who have long railed against IoT's black box model of security through obscurity may take issue with Panasonic's strategy.

Panasonic Warns That IoT Malware Attack Cycles Are Accelerating

Security researchers accessed an internal camera inside the Deckmate 2 shuffler to learn the exact deck order—and the hand of every player at a poker table.

In September last year, a scandal blew up the world of high-stakes, livestreamed poker: In a hand at Las Vegas’ Hustler Live Casino, which broadcast its games on YouTube, a relative novice holding nothing but a jack of clubs and a four of hearts successfully called the bluff of a veteran player. No one could possibly think that poor hand might be good enough to call a bluff, thousands of outraged poker players argued, unless the person holding it had some extra knowledge that her opponent's hand was even worse—in other words, she must have been cheating.

Three months later, Hustler Live Casino published a postmortem of its investigation into the incident, finding “no credible evidence” of foul play. It also noted that if there were cheating, it was most likely some sort of secret communication between the player and a staff member in the production booth who could see the players' hands in real time. But when Joseph Tartaro, a researcher and consultant with security firm IOActive, read that report, he zeroed in on one claim in particular—a statement ruling out any possibility that the automated card-shuffling machine used at the table, a device known as the Deckmate, could have been hacked. “The Deckmate shuffling machine is secure and cannot be compromised,” the report read.

To Tartaro, regardless of what happened in the Hustler Live hand, that assertion of the shuffler's perfect security was an irresistible invitation to prove otherwise. “At that point, it's a challenge,” Tartaro says. “Let's look at one of these things and see how realistic it really is to cheat.”

IOActive’s card shuffler hackers (from left to right) Ethan Shackelford, Enrique Nissim, and Joseph Tartaro.Photograph: Roger Kisby

Today, at the Black Hat security conference in Las Vegas, Tartaro and two IOActive colleagues, Enrique Nissim and Ethan Shackelford, will present the results of their ensuing months-long investigation into the Deckmate, the most widely used automated shuffling machine in casinos today. They ultimately found that if someone can plug a small device into a USB port on the most modern version of the Deckmate—known as the Deckmate 2, which they say often sits under a table next to players’ knees, with its USB port exposed—that hacking device could alter the shuffler’s code to fully hijack the machine and invisibly tamper with its shuffling. They found that the Deckmate 2 also has an internal camera designed to ensure that every card is present in the deck, and that they could gain access to that camera to learn the entire order of the deck in real time, sending the results from their small hacking device via Bluetooth to a nearby phone, potentially held by a partner who then could then send coded signals to the cheating player.

In sum, their shuffler hacking technique gives a cheater “100 percent full control,” says Tartaro, who demonstrates IOActive’s findings in the video below. “Basically, it allows us to do more or less whatever we want … We can, for example, just read the constant data from the camera so we can know the deck order, and when that deck goes out into play, we know exactly the hand that everyone is going to have.”

For now, the IOActive researchers say they haven't yet had time to engineer a technique that would cause the Deckmate to put the deck in the exact order of their choosing—although they're certain that too would be possible. Regardless, they argue, merely knowing the full card order, rather than changing it, offers an even more practical cheating strategy, one that's far harder to detect.

Tartaro says the technique could be used to cheat in any number of card games, but that it would be particularly powerful in Texas Hold'em, the popular version of poker played in most casinos, including in the notorious Hustler Live Casino hand. That's because in Texas Hold'em, knowing the order of a deck would allow someone to predict the exact makeup of everyone's hand, independent of any decisions they make in the game. Even if a dealer cuts the deck before dealing, as most do in high-stakes casino games, Tartaro says the cheating player would still be able to immediately figure out the order of the cards on the top of the deck and in every player's hands as soon as the three “flop” cards are exposed—the public-facing, shared cards dealt out at the beginning of a Hold'em hand.

The IOActive team also looked at the earlier model of the Deckmate, known as the Deckmate 1, which has no external USB port and no internal camera. The researchers say that the earlier model, which was the one actually used in the Hustler Live Casino game, could nonetheless still be hacked to cheat in a game if a rogue casino staffer or maintenance person had an opportunity to open the shuffler's case and access a particular chip that stores its code. In that case, despite the lack of an internal camera, the cheater could still hack the shuffler to reorder cards—or they could simply prevent the Deckmate from shuffling the deck when a dealer picks up everyone's cards after a hand, giving the cheater information about the location of those previously played cards. "A skilled player with that little bit of an edge would 100 percent clean up," says Tartaro.

Hackers Rig Casino Card-Shuffling Machines for ‘Full Control’ Cheating

Security researchers set up a remote machine and recorded every move cybercriminals made—including their login details.

Plenty of people tried to access the system. Over the past three years, it has captured 21 million login attempts, with more than 2,600 successful logins by attackers brute-forcing the weak password they purposefully used on the system. They recorded 2,300 of these successful logins, gathered 470 files that were uploaded, and analyzed 339 of the videos with useful footage. (Some recordings were just a couple of seconds long, and proved less useful.) “We cataloged the techniques, the tooling, everything done on these systems,” Bilodeau says.

Bergeron and Bilodeau have grouped the attackers into five broad categories based on character types from the role-playing game Dungeons and Dragons. Most common were the rangers: once these attackers were inside the trap RDP session, they would immediately start exploring the system, removing Windows antivirus tools, delving into folders, looking at the network it was on and other elements of the machine. Rangers wouldn’t take any action, Bergeron says. “It's basic recon,” she says, suggesting they may be evaluating the system for others to enter it.

Barbarians were the next most frequent kind of attackers. These use multiple hacking tools, such as Masscan and NLBrute, to brute-force their way into other computers, the researchers say. They work through a list of IP addresses, usernames, and passwords, trying to break into the machines. Similarly, the group they call wizards use their access to the RDP to launch attacks against other insecure RDPs—potentially masking their identity across many layers. “They use the RDP access as a portal to connect to other computers,” Bergeron says.

The thieves, meanwhile, do what their name implies. They try to make money out of the RDP access in any way possible. They use traffic monetization websites and install crypto miners, the researchers say. They might not earn a lot in one go, but multiple compromises can add up.

The final group Bergeron and Bilodeau observed is the most haphazard: the bards. These people, the researchers say, may have purchased access to the RDP and are using it for a variety of reasons. One person the researchers watched Googled the “strongest virus ever,” Bergeron says, while another tried to access Google Ads.

Others simply tried (and failed) to find porn. “We can see the beginner level he is in, as he searched for porn on YouTube—nothing appears, of course,” Bergeron says, since YouTube doesn’t permit pornography. Multiple sessions were spotted trying to access porn, the researchers say, and these users were always writing in Farsi, indicating they may be trying to access porn in places where it is blocked. (The researchers weren’t able to determine conclusively where many of those accessing the RDP were doing so from.)

Despite this, watching the attackers reveals the way they behave, including some more peculiar actions. Bergeron, who has a PhD in criminology, says the attackers were sometimes “very slow” at doing their work. Often she was “getting impatient” while watching them, she says. “I’m like: ‘Come on, you're not good at that’ or 'Go faster’ or ‘Go deeper,’ or ‘You can do better.’”

A Clever Honeypot Tricked Hackers Into Revealing Their Secrets

You can also set up alerts for whenever your home address, phone number, or email address appears in Search.

In 2022, Google launched the “Results about you” tool to help people remove personal info from the company’s search results. With billions of searches happening daily on Google, finding your private phone number or home address indexed for the world to see can be quite shocking. Luckily, new updates to “Results about you” make it easier to discover when your data pops up in Search.

Previously, you had to proactively find the links of sites hosting your personal data to report and request the removal of identifiable information. Now, you’ll be able to set up alerts for whenever your email, home address, or phone number appear on Google. At first, this update will only be available in the US and scan for results just in English.

“Results about you” is accessible in your browser or through the mobile app. For browsers, log into Google or create an account, then visit this webpage to get started. If you’re using the app (Android, Apple), tap on your profile icon, then select the option from the menu.

After the update fully rolls out, here’s where you’ll find tabs labeled **Results to review** and **Reviewed**. Input the personal data you’d like to be notified about if it appears in Search, and results containing that info will appear in the “Results to review” section. The mobile app can send you a push notification when new results are added.

_Google’s “Results about you” tool is currently in beta._

Courtesy of Google

For more detailed directions about what info you’ll need in order to submit the removal request to Google, check out my article that steps you through the complete process. Once your request is submitted, use the “Results about you” tool to track whether the request is in progress, approved, or denied. Here’s three things worth keeping in mind:

*   This is just a request. The people at Google reviewing your request could decide to do nothing, remove the result when associated with your name, or completely remove the result.
*   Some of the other personal info that you can request for removal includes social security numbers, credit cards, handwritten signatures, medical records, and login credentials.
*   Google can remove the search result to lessen traffic, but you have to contact the owner or hosting service behind the webpage where it’s posted to get the data scrubbed completely.

In the past, criticism of Google’s privacy features focused on how these tools placed the onus on users to defend themselves. By streamlining aspects of the removal process for personal information and enabling proactive notifications, the company is making small, but important, moves toward less burdensome privacy controls.

“Results about you” is a free tool worth using, but if you have concerns about online doxxing, it might be worth considering a paid service as well, like DeleteMe, that tries to thwart online data brokers. Want to go even more incognito online? Try some of WIRED’s tips for disappearing from the internet.

How to Remove Your Info From Google With the 'Results About You' Tool

The vulnerability could allow attackers to take advantage of an information leak to steal sensitive details like private messages, passwords, and encryption keys.

Intel is releasing fixes for a processor vulnerability that affects many models of its chips going back to 2015, including some that are currently sold, the company revealed today. The flaw does not impact Intel’s latest processor generations. The vulnerability could be exploited to circumvent barriers meant to keep data isolated, and therefore private, on a system. This could allow attackers to grab valuable and sensitive data from victims, including financial details, emails, and messages, but also passwords and encryption keys.

It’s been more than five years since the Spectre and Meltdown processor vulnerabilities sparked a wave of revisions to computer chip designs across the industry. The flaws represented specific bugs but also conceptual data protection vulnerabilities in the schemes chips were using to make data available for processing more quickly and speed that processing. Intel has invested heavily in the years since these so-called speculative execution issues surfaced to identify similar types of design issues that could be leaking data. But the need for speed remains a business imperative, and both researchers and chip companies still find flaws in efficiency measures.

This latest vulnerability, dubbed Downfall by Daniel Moghimi, the Google researcher who discovered it, occurs in chip code that can use an instruction known as Gather to access scattered data more quickly in memory. Intel refers to the flaw as Gather Data Sampling after one of the techniques Moghimi developed to exploit the vulnerability. Moghimi will present his findings at the Black Hat security conference in Las Vegas on Wednesday.

“Memory operations to access data that is scattered in memory are very useful and make things faster, but whenever things are faster there’s some type of optimization—something the designers do to make it faster,” Moghimi says. “Based on my past experience working on these types of vulnerabilities, I had an intuition that there could be some kind of information leak with this instruction.”

The vulnerability affects the Skylake chip family, which Intel produced from 2015 to 2019; the Tiger Lake family, which debuted in 2020 and will discontinue early next year; and the Ice Lake family, which debuted in 2019 and was largely discontinued in 2021. Intel's current generation chips—including those in the Alder Lake, Raptor Lake, and Sapphire Rapids families—are not affected, because attempts to exploit the vulnerability would be blocked by defenses Intel has added recently.

The fixes are being released with an option to disable them because of the potential that they could have an intolerable impact on performance for certain enterprise users. “For most workloads, Intel has not observed reduced performance due to this mitigation. However, certain vectorization-heavy workloads may see some impact,” Intel said in a statement.

Releasing fixes for vulnerabilities like Downfall is always complicated, because in most cases, they must funnel through each manufacturer who makes devices that incorporate the affected chips, before actually reaching computers. These device-makers take code provided by Intel and create tailored patches that can then be downloaded by users. After years of releasing fixes in this complex ecosystem, Intel is practiced at coordinating the process, but it still takes time. Moghimi first disclosed Downfall to Intel a year ago.

“Over the past few years, the process with Intel has improved, but broadly in the hardware industry we need agility in how we address and respond to these kinds of issues,” Moghimi says. “Companies need to be able to respond faster and speed up the process of issuing firmware fixes, microcode fixes, because waiting one year is a big window when anyone else could find and exploit this.”

Moghimi also notes that it is difficult to detect Downfall attacks, because they mostly manifest as benign software activity. He adds, though, that it might be possible to develop a detection system that monitors hardware behavior for signs of abuse like unusual cache activity.

Intel says that it would be “complex” and difficult to carry out Downfall attacks in real-world conditions, but Moghimi emphasizes that it took him only a few weeks to develop proofs of concept for the attack. And he says that relative to other speculative execution vulnerabilities and related bugs, Downfall would be one of the more doable flaws for a motivated and well-resourced attacker to exploit.

“This vulnerability enables an attacker to essentially spy on other processes and steal data by analyzing the data leak over time for a combination of patterns that indicates the information the attacker is looking for, like login credentials or encryption keys,” Moghimi says. He adds that it would likely take time, on the scale of hours or even weeks, for an attacker to develop the pattern or fingerprint of the data they're looking for, but the payoff would be significant.

“I probably could have sold my findings to one of these exploit brokers—you could develop it into an exploit—but I'm not in that business. I’m a researcher,” Moghimi says.

He adds that Downfall seems to only impact Intel chips, but that it's possible similar types of flaws are lurking on processors made by other manufacturers. “Even though this particular release is not affecting other manufacturers directly," Moghimi says, "they need to learn from it and invest a lot more in verification.”

Source

Wired