Ubuntu Security Notice 5560-1 - Zhenpeng Lin discovered that the network packet scheduler implementation in the Linux kernel did not properly remove all references to a route filter before freeing it in some situations. A local attacker could use this to cause a denial of service or execute arbitrary code. It was discovered that the netfilter subsystem of the Linux kernel did not prevent one nft object from referencing an nft set in another nft table, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5560-1August 10, 2022linux, linux-aws, linux-azure-4.15, linux-dell300x, linux-gcp-4.15,linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-dell300x: Linux kernel for Dell 300x platforms- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi2: Linux kernel for Raspberry Pi systems- linux-snapdragon: Linux kernel for Qualcomm Snapdragon processorsDetails:Zhenpeng Lin discovered that the network packet scheduler implementation inthe Linux kernel did not properly remove all references to a route filterbefore freeing it in some situations. A local attacker could use this tocause a denial of service (system crash) or execute arbitrary code.(CVE-2022-2588)It was discovered that the netfilter subsystem of the Linux kernel did notprevent one nft object from referencing an nft set in another nft table,leading to a use-after-free vulnerability. A local attacker could use thisto cause a denial of service (system crash) or execute arbitrary code.(CVE-2022-2586)It was discovered that the block layer subsystem in the Linux kernel didnot properly initialize memory in some situations. A privileged localattacker could use this to expose sensitive information (kernel memory).(CVE-2022-0494)Hu Jiahui discovered that multiple race conditions existed in the AdvancedLinux Sound Architecture (ALSA) framework, leading to use-after-freevulnerabilities. A local attacker could use these to cause a denial ofservice (system crash) or possibly execute arbitrary code. (CVE-2022-1048)It was discovered that the implementation of the 6pack and mkiss protocolsin the Linux kernel did not handle detach events properly in somesituations, leading to a use-after-free vulnerability. A local attackercould possibly use this to cause a denial of service (system crash).(CVE-2022-1195)Minh Yuan discovered that the floppy disk driver in the Linux kernelcontained a race condition, leading to a use-after-free vulnerability. Alocal attacker could possibly use this to cause a denial of service (systemcrash) or execute arbitrary code. (CVE-2022-1652)It was discovered that the Atheros ath9k wireless device driver in theLinux kernel did not properly handle some error conditions, leading to ause-after-free vulnerability. A local attacker could use this to cause adenial of service (system crash) or possibly execute arbitrary code.(CVE-2022-1679)Norbert Slusarek discovered that a race condition existed in the perfsubsystem in the Linux kernel, resulting in a use-after-free vulnerability.A privileged local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2022-1729)It was discovered that the Marvell NFC device driver implementation in theLinux kernel did not properly perform memory cleanup operations in somesituations, leading to a use-after-free vulnerability. A local attackercould possibly use this to cause a denial of service (system crash) orexecute arbitrary code. (CVE-2022-1734)Duoming Zhou discovered a race condition in the NFC subsystem in the Linuxkernel, leading to a use-after-free vulnerability. A privileged localattacker could use this to cause a denial of service (system crash) orpossibly execute arbitrary code. (CVE-2022-1974)Duoming Zhou discovered that the NFC subsystem in the Linux kernel did notproperly prevent context switches from occurring during certain atomiccontext operations. A privileged local attacker could use this to cause adenial of service (system crash). (CVE-2022-1975)Minh Yuan discovered that the floppy driver in the Linux kernel contained arace condition in some situations, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2022-33981)Arthur Mongodin discovered that the netfilter subsystem in the Linux kerneldid not properly perform data validation. A local attacker could use thisto escalate privileges in certain situations. (CVE-2022-34918)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:   linux-image-4.15.0-1051-dell300x  4.15.0-1051.56   linux-image-4.15.0-1104-oracle  4.15.0-1104.115   linux-image-4.15.0-1117-raspi2  4.15.0-1117.125   linux-image-4.15.0-1125-kvm     4.15.0-1125.130   linux-image-4.15.0-1134-gcp     4.15.0-1134.150   linux-image-4.15.0-1135-snapdragon  4.15.0-1135.145   linux-image-4.15.0-1139-aws     4.15.0-1139.150   linux-image-4.15.0-1149-azure   4.15.0-1149.164   linux-image-4.15.0-191-generic  4.15.0-191.202   linux-image-4.15.0-191-generic-lpae  4.15.0-191.202   linux-image-4.15.0-191-lowlatency  4.15.0-191.202   linux-image-aws-lts-18.04       4.15.0.1139.139   linux-image-azure-lts-18.04     4.15.0.1149.119   linux-image-dell300x            4.15.0.1051.51   linux-image-gcp-lts-18.04       4.15.0.1134.150   linux-image-generic             4.15.0.191.176   linux-image-generic-lpae        4.15.0.191.176   linux-image-kvm                 4.15.0.1125.118   linux-image-lowlatency          4.15.0.191.176   linux-image-oracle-lts-18.04    4.15.0.1104.111   linux-image-raspi2              4.15.0.1117.114   linux-image-snapdragon          4.15.0.1135.136   linux-image-virtual             4.15.0.191.176After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5560-1   CVE-2022-0494, CVE-2022-1048, CVE-2022-1195, CVE-2022-1652,   CVE-2022-1679, CVE-2022-1729, CVE-2022-1734, CVE-2022-1974,   CVE-2022-1975, CVE-2022-2586, CVE-2022-2588, CVE-2022-33981,   CVE-2022-34918Package Information:   https://launchpad.net/ubuntu/+source/linux/4.15.0-191.202   https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1139.150   https://launchpad.net/ubuntu/+source/linux-azure-4.15/4.15.0-1149.164   https://launchpad.net/ubuntu/+source/linux-dell300x/4.15.0-1051.56   https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1134.150   https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1125.130   https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1104.115   https://launchpad.net/ubuntu/+source/linux-raspi2/4.15.0-1117.125   https://launchpad.net/ubuntu/+source/linux-snapdragon/4.15.0-1135.145

Ubuntu Security Notice USN-5560-1

It cost a researcher only $25 worth of parts to create a tool that allows custom code to run on the satellite dishes.

Since 2018, Elon Musk’s Starlink has launched more than 3,000 small satellites into orbit. This satellite network beams internet connections to hard-to-reach locations on Earth and has been a vital source of connectivity during Russia’s war in Ukraine. Thousands more satellites are planned for launch as the industry booms. Now, like any emerging technology, those satellite components are being hacked.

Today, Lennert Wouters, a security researcher at the Belgian university KU Leuven, will reveal one of the first security breakdowns of Starlink’s user terminals, the satellite dishes (dubbed Dishy McFlatface) that are positioned on people’s homes and buildings. At the Black Hat security conference in Las Vegas, Wouters will detail how a series of hardware vulnerabilities allow attackers to access the Starlink system and run custom code on the devices.

To access the satellite dish’s software, Wouters physically stripped down a dish he purchased and created a custom hacking tool that can be attached to the Starlink dish. The hacking tool, a custom circuit board known as a modchip, uses off-the-shelf parts that cost around $25. Once attached to the Starlink dish, the homemade printed circuit board (PCB) is able to launch a fault injection attack—temporarily shorting the system—to help bypass Starlink’s security protections. This “glitch” allows Wouters to get into previously locked parts of the Starlink system.

Wouters is now making his hacking tool open source on GitHub, including some of the details needed to launch the attack. “As an attacker, let’s say you wanted to attack the satellite itself,” Wouters explains, “You could try to build your own system that allows you to talk to the satellite, but that’s quite difficult. So if you want to attack the satellites, you would like to go through the user terminal as that likely makes your life easier.”

The researcher notified Starlink of the flaws last year and the company paid Wouters through its bug bounty scheme for identifying the vulnerabilities. Wouters says that while SpaceX has issued an update to make the attack harder (he changed the modchip in response), the underlying issue can’t be fixed unless the company creates a new version of the main chip. All existing user terminals are vulnerable, Wouters says.

Starlink says it plans to release a “public update” following Wouters’ presentation at Black Hat this afternoon, but declined to share any details about that update with WIRED prior to publication.

Starlink’s internet system is made up of three major parts. First, there are the satellites that move in low Earth orbit, around 340 miles above the surface, and beam down connections to the surface. The satellites communicate with two systems on Earth: gateways that send internet connections up to the satellites, and the Dishy McFlatface dishes people can buy. Wouters’ research focuses on these user terminals, which originally were round, but newer models are rectangular.

There have been multiple teardowns of Starlink’s user terminals since the company started selling them. Engineers on YouTube have opened up their terminals, exposing their components and how they work. Others discuss the technical specs on Reddit. However, Wouters, who previously created hardware that can unlock a Tesla in 90 seconds, looked at the security of the terminal and its chips. “The user terminal was definitely designed by capable people,” Wouters says.

His attacks against the user terminal involved multiple stages and technical measures before he finally created the now open source circuit board that can be used to glitch the dish. Broadly, the attack using the custom circuit board works by bypassing signature verification security checks, which look to prove that the system is launching correctly and hasn’t been tampered with. “We’re using this to accurately time when to inject the glitch,” Wouters says.

Starting in May 2021, Wouters began testing the Starlink system, getting 268-Mbps download speeds and 49-Mbps upload speeds on his university building’s roof. Then it was time to open the device up. Using a combination of a “heat gun, prying tools, isopropyl alcohol, and a lot of patience,” he was able to remove the large metal cover from the dish and access its internal components.

Photograph: Lennert Wouters

Under the 59-cm diameter hood is a large PCB that houses a system-on-chip, including a custom quad-core ARM Cortex-A53 processor, the architecture of which isn’t publicly documented, making it harder to hack. Among other items on the board are radio frequency equipment, power over ethernet systems, and a GPS receiver. Opening up the dish allowed Wouters to understand how it boots up and download its firmware.

To design the modchip, Wouters scanned the Starlink dish and created the design to fit over the existing Starlink board. The modchip requires soldering to the existing Starlink PCB and connecting it using a few wires. The modchip itself is made up of a Raspberry Pi microcontroller, flash storage, electronic switches, and a voltage regulator. When creating the user terminal’s board, Starlink engineers printed “Made on Earth by humans” across it. Wouters’ modchip reads: “Glitched on Earth by humans.”

To get access to the dish’s software, Wouters used his custom system to bypass security protections by using the voltage fault injection attack. When the Starlink dish is turning on, it uses a series of different bootloader stages. Wouters’ attack runs the glitch against the first bootloader, known as the ROM bootloader, which is burned onto the system-on-chip and can’t be updated. The attack then deploys patched firmware on later bootloaders, which allows him to take control of the dish.

“From a high-level view, there are two obvious things that you could try to attack: the signature verification or the hash verification,” Wouters says. The glitch works against the signature verification process. “Normally you want to avoid shorts,” he says. “In this case we do it on purpose.”

Initially, Wouters attempted to glitch the chip at the end of its boot cycle—when the Linux operating system has fully loaded—but ultimately found it easier to cause the glitch at the start of the boot. This way was more reliable, Wouters says. To get the glitch to work, he says, he had to stop decoupling capacitors, which are used to smooth out the power supply, from operating. Essentially, the attack disables the decoupling capacitors, runs the glitch to bypass the security protections, and then enables the decoupling capacitors.

This process allows the researcher to run a patched version of Starlink’s firmware during the boot cycle and ultimately allows access to its underlying systems. In response to the research, Wouters says, Starlink offered him researcher-level access to the device’s software, although he says he declined as he had gone too deep with the work and wanted to build the modchip. (During testing, he hung the modified dish out of this research lab’s window and used a plastic bag as a makeshift waterproofing system.)

Starlink also issued a firmware update, Wouters says, that makes the attack harder, but not impossible, to execute. Anyone wanting to break into the dish in this way would have to put a lot of time and effort into doing so. While the attack isn’t as devastating as being able to take down satellite systems or connectivity, Wouters says it can be used to learn more about how the Starlink network operates.

“What I am working on now is communicating with the backend servers,” Wouters explains. Despite making the details of the modchip available for download on Github, Wouters does not have any plans to sell finished modchips, nor is he providing people with patched user terminal firmware or the exact details of the glitch he used.

As an increasing amount of satellites are launched—Amazon, OneWeb, Boeing, Telesat, and SpaceX are creating their own constellations—their security will come under greater scrutiny. In addition to providing homes with internet connections, the systems can also help to get ships online, and play a role in critical infrastructure. Malicious hackers have already shown that satellite internet systems are a target. As Russian troops invaded Ukraine, alleged Russian military hackers targeted the Via-Sat satellite system, deploying wiper malware that bricked people’s routers and knocked them offline. Around 30,000 internet connections in Europe were disrupted, including more than 5,000 wind turbines.

“I think it’s important to assess how secure these systems are because they are critical infrastructure,” Wouters says. “I don’t think it's very far-fetched that certain people would try to do this type of attack because it is quite easy to get access to a dish like this.”

_Update 5 pm ET August 10, 2022:_ After Wouters’ conference talk, Starlink published a six-page PDF explaining how it secures its systems. “We find the attack to be technically impressive, and is the first attack of its kind that we are aware of in our system,” the paper says. “We expect attackers with invasive physical access to be able to take malicious actions on behalf of a single Starlink kit using its identity, so we rely on the design principle of ‘least privilege’ to constrain the effects in the broader system.”

Starlink reiterates that the attack needs physical access to a user terminal and emphasizes its secure boot system, which was compromised by the glitching process, is only impacted on that one device. Wider parts of the overall Starlink system are not impacted. “Normal Starlink users do not need to be worried about this attack affecting them, or take any action in response,” Starlink says.

The Hacking of Starlink Terminals Has Begun

Regulators are close to stopping Meta from sending EU data to the US, bringing a years-long privacy battle to a head.

Facebook faces trouble in Europe—and Meta wants you to know about it. Every three months since June 2018, the company has used its financial results to warn that it could be forced to stop running Facebook and Instagram across the continent—potentially pulling its apps from millions of people and thousands of businesses—if it can’t send data between the EU and the US.

Whether Meta’s bluffing will become clear soon enough.

Data regulators are on the verge of making a historic ruling in a years-long case, and they are expected to say Facebook’s data transfers across the Atlantic should be blocked. For years, Meta has fought against European privacy activists over how data is sent to the US, with courts ruling multiple times that European data isn’t properly protected and can potentially be snooped on by the NSA and other US intelligence agencies.

While the case focuses on Meta, it has widespread ramifications, potentially impacting thousands of businesses across Europe that rely upon the services of Google, Amazon, Microsoft, and more. At the same time, US and European negotiators are scrambling to finalize a long-awaited new data-sharing deal that will limit what information US intelligence agencies can get their hands on. If negotiators can’t get it right, people’s privacy will remain at risk and billions of dollars of trade will be put in jeopardy.

At the start of July, the Irish Data Protection Commission, Facebook’s main data regulator in Europe, issued a draft decision that would block Meta from sending data across the Atlantic. While the specifics of that draft decision aren’t known, if it is enacted, it could create a Facebook blackout across Europe.

Under the GDPR, Europe’s data law, countries across the continent get 30 days to scrutinize Ireland’s Meta decision and respond with any potential changes or complaints. That time is now up. A spokesperson for the Irish regulator says “some” objections have been received from a “small” number of other countries and it is working to address these. Experts say these are likely to be minor points of law, rather than overturning the entire decision.

So, how likely is it that Meta will actually pull its services from Europe? In reality, the chances are probably pretty slim. Meta has said it has “no desire” to leave the continent, going as far as publishing a blog post titled “Meta Is Absolutely Not Threatening to Leave Europe.” Europe’s 30-plus countries are a large market for Meta, and stopping services, even temporarily, could be costly. (A close comparison is when the company briefly banned news posts in Australia in early 2021, following a row with publishers.) While Meta may not leave Europe, it may have to make changes to how it stores and transfers data once the final decision from the Irish regulator is published, although there is no set timeline. It may also face a fine.

“My guess is that Meta is going to have to look at some form of geo-siloing if they want to continue to operate in the EU,” says Calli Schroeder, global privacy counsel at the Electronic Privacy Information Center, a nonprofit digital rights research organization. Schroeder, who previously worked with companies on international data transfers, says this approach could mean Meta would have to create its own servers and data centers in the EU that aren’t connected to its broader databases.

Harshvardhan Pandit, a computer science research fellow at Trinity College Dublin who is researching the GDPR, says that as data authorities are still considering Meta’s case and a final decision hasn’t been published yet, they could include several caveats or steps that Meta should take to fall in line. For instance, one recent data protection decision in Europe gave a six-month period for a company to make changes to its business.

“I think the most pragmatic solution would be for them to create the European infrastructure, like Google or Amazon, which have quite a few data centers here,” Pandit says, adding that Meta could also introduce more encryption to how it stores data and maximize how much it keeps in the EU. All these measures would be costly, though. Jack Gilbert, director and associate general counsel at Meta, says that the issue “is in the process of being resolved.” Facebook did not respond specifically to questions about its plan to respond to the Irish decision.

European officials have twice ruled that systems put in place to share data between the EU and US don’t properly protect people’s data—the complaints have been ongoing since the early 2010s. European courts ruled that international data-sharing agreements weren’t up to scratch first in 2015 and then again in July 2020, when the Privacy Shield agreement was ruled illegal.

“All that the EU is asking for when organizations transfer data to other countries is to protect that data in line with the GDPR,” says Nader Henein, a research vice president specializing in privacy and data protection at Gartner. “The issue is that laws in the US that protect the data of ‘nonresident aliens’ are woefully insufficient and make it very difficult for organizations like Facebook to comply with local law and the GDPR.”

While Meta is the focus of the most high-profile complaint, it isn’t the only company impacted by a lack of clarity on how companies in Europe can send data to the US. “The data transfer issue is not Meta-specific,” David Wehner, Meta’s chief strategy officer, said in a July earnings call. “It relates to how in general data is transferred for all US and EU companies back and forth to the US.”

The impacts of the July 2020 decision to get rid of Privacy Shield are now being felt. Since January of this year, multiple European data regulators have ruled that using Google Analytics, the company’s traffic-monitoring service for websites, falls foul of the GDPR. Danish authorities went even further: Schools can’t use Chromebooks without restrictions being put in place. “There is a ton of legal uncertainty, and there is a significant compliance risk,” says Gabriela Zanfir-Fortuna, vice president of global privacy at Future of Privacy Forum, a nonprofit think tank.

Politicians are well aware of the problems. In March, US president Joe Biden and European Commission president Ursula von der Leyen announced a new Trans-Atlantic Data Privacy Framework, which will change the way data is sent between the EU and US. The deal, which will be introduced by executive order, will limit what data US intelligence agencies can access and will create a new system where Europeans can complain if they think they’ve been illegally spied upon by US agencies.

However, since the deal was announced, no specifics—including any legal texts—have been published. In June, officials said the deal could be published in the coming weeks, but so far, there has been little public progress. The US Department of Commerce says discussions are still taking place, including a meeting between both sides last week. (A European Commission spokesperson says work on the new agreement is ongoing, but they do not have a timeline that can be shared.) The longer the negotiations take, the more blocking orders will drop. “Obviously, if that framework is not complete, we would be in jeopardy of being able to transfer data,” Facebook’s Wehner said earlier this year.

The deal is likely to take a while yet. “Realistically, at this point, we're looking at a potential adequacy decision for this Trans-Atlantic data transfers framework sometime next year—maybe the first quarter of next year,” Zanfir-Fortuna says. Once the details have been published, EU officials will spend months scrutinizing the specifics to see if they fall in line with court orders.

And they won’t be the only ones pouring over it. Privacy activists and lawyers will also be looking at the agreement and could launch further legal challenges if they find that data moving from Europe to the US still isn’t protected strongly enough. “The continued challenges are not unwarranted, particularly considering the Snowden revelations and the prevalence of Big Tech firms coming out of the US,” Schroeder says. “As a whole, America really needs to make sure we rise to the challenge of showing that we can be good stewards of the industry that we're trying to be leaders in.”

Will Europe Force a Facebook Blackout?

Plus: A crypto-heist extravaganza, a peek at an NSO spyware dashboard, and more.

Cryptocurrency tracing has become a key tool for police investigating everything from fraud and ransomware to child abuse. But its accuracy may soon be put to the test.

This week, we reported on new court filings from the legal team representing Roman Sterlingov, who’s been in jail for 15 months, accused of laundering $336 million in cryptocurrency as the alleged owner and operator of dark-web crypto mixer Bitcoin Fog. Sterlingov not only maintains he is innocent, but his defense attorney claims that the blockchain analysis that served as evidence that Sterlingov set up Bitcoin Fog is flawed.

Elsewhere, we highlighted Microsoft’s newly bolstered Morse bug-hunting team, which aims to catch flaws in the company’s software before they cause problems for the company’s 1 billion users. We dove into the spectacular failure of a new post-quantum encryption algorithm. We listed all the big security updates you need to be on top of from July, and we detailed all the data that Amazon’s Ring cameras collect about you.

Finally, a new report from cybersecurity company Mandiant found an attack on Albania’s government has the hallmarks of state-sponsored Iranian hacking—a notable moment of escalation in the history of cyberwar, given that Albania is a NATO member. And we got into the weeds of a Slack error that exposed hashed passwords for five years.

But that’s not all. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

This is not a test. Software used to transmit US government-issued emergency alerts on television and radio contains flaws that could allow an attacker to broadcast false messages, according to the Federal Emergency Management Agency and the security researcher who found the vulnerabilities. The company that makes the software, Digital Alert Systems, has issued patches, and FEMA has alerted the TV and radio networks that use the software to update their devices immediately. Of course, patches may not be universally adopted, leaving the system at risk. There’s no evidence that an attacker has exploited the flaws so far. But considering the mayhem false emergency alerts can cause, we’ll just have to hope that it stays that way.

One major theft of cryptocurrency in a week would be bad, and this week saw two. First, thanks to a flaw in the Nomad bridge—a type of application that lets users move digital tokens across blockchains that are prime hacker targets—“hundreds” of people were able to steal a collective $190 million in cryptocurrencies. Nomad now says that anyone who returns 90 percent of the funds they swiped will be considered a “white hat” and can keep the remaining 10 percent as a bounty. Some $22 million of the stolen funds had been recovered so far.

The second crypto hack of the week came just a day later, on Tuesday night, with hackers draining around 8,000 “hot” wallets (cryptocurrency storage apps that are connected to the internet) connected to the Solana ecosystem, allowing them to steal around $5 million worth of crypto. Solana said in a tweet that the exploit was due to a bug in “software used by several software wallets popular among users of the network,” not the Solana network or its cryptography.

It’s one thing to be told what NSO Group’s spyware can do, but it’s quite another to see it for yourself. Reporters at Israel’s _Haaretz_ got their hands on never-before-seen screenshots of Syaphan, a prototype of NSO’s now-infamous Pegasus spyware, which has retained much of the look and functionality of its precursor. The screenshots show that operators have the ability to access call logs and messages and remotely enable cameras and microphones to turn an infected device into a real-time spying tool.

Government use of Pegasus and other spyware has resulted in a growing number of scandals, particularly in Europe. Yesterday, Panagiotis Kontoleon, the head of Greece’s intelligence service, and Grigoris Dimitriadis, general secretary of the prime minister’s office, resigned. Their departures follow a complaint filed by Nikos Androulakis, the head of the socialist PASOK party, who alleged that his phone had been targeted by Predator spyware created by Cytrox, which is based in neighboring North Macedonia. Greece’s prime minister’s office maintains, however, that the resignations and the spyware allegations are unconnected. “In no case does it have anything to do with Predator (spyware), to which neither he nor the government are in any way connected, as has been categorically stated,” it said in a statement.

Remember a few months ago when everyone was mad at DuckDuckGo? Well, that thing you were angry about has now been (mostly) fixed, according to the company. Back in May, security researcher Zach Edwards found that DuckDuckGo’s privacy browsers—not its search engine, for which the company is better known—allowed some third-party Microsoft tracking scripts. DuckDuckGo, which has a partnership with Microsoft, says it has expanded its 3rd-Party Tracker Loading Protection to include 21 more domains, thus blocking the bulk of Microsoft tracking scripts on websites accessed via its mobile DuckDuckGo Privacy Browser or while using its Privacy Essentials extension, which can be used with all major browsers. However, DuckDuckGo will still allow advertisers to track clicks from DuckDuckGo through scripts from the bat.bing.com domain. Is it perfect? No—even DuckDuckGo admits that. But it’s still a privacy improvement over mainstream browsers and search engines.

The US Emergency Alert System Has Dangerous Flaws

By Owais Sultan
This guide will introduce you to a machine learning career. You will get a complete understanding of the…
This is a post from HackRead.com Read the original post: Machine Learning: How To Become A Machine Learning Engineer?

****This guide will introduce you to a machine learning career. You will get a complete understanding of the profession and the necessary steps.******Machine Learning: Guide To The Profession**

**Machine learning** (ML) is an industry that plays a significant role in developing information technologies. Creating autonomous solutions is becoming more and more widespread In all areas of life.

Indeed.com **called** the profession the best in his report. How to become a part of this world? What is needed for this? We answer each question in the article.

**Machine learning engineer: the sense of work**

A machine learning engineer creates self-contained software that works without third-party intervention. Do you remember recommendations from YouTube or Amazon? It is just one example of machine learning implementation.

Another example is the Microsoft Face Tracking app from **Brights**. The application helps determine the most appropriate Microsoft product for the user based on his previous choice.

In practice, a machine learning engineer’s set of activities typically includes:

*   Implementing solutions
*   Collecting data by running experiments 
*   Finalizing and improving solutions to get maximum performance
*   Developing various solutions to problems, and providing a flow between databases and server systems.

**Machine learning engineer skills, knowledge, and more  **

Job responsibilities, knowledge, and requirements for a machine learning engineer vary by company. At the same time, successfully designing and **self-learning systems** require two sets of skills in any organization. Let’s consider each separately.

**Data Science **

To develop machine learning algorithms, you must process large amounts of data, understand it, systematize it, and draw the correct conclusions. Keep an eye on the **best data science tools** out there.

**Software engineering **

The specialist must be able to design systems, understand various data structures, understand computability, and computer architecture.

**Your steps to getting a profession**

1.  **Define your goal.** Understanding the purpose will help you to choose your study program. In addition, realizing the goal will motivate you to overcome the inevitable difficulties in any career path.
2.  **Learn primary programming languages.** No matter how you would like it otherwise, **without knowledge of coding**, you will not be able to gain access to the profession. It would help if you also learned the basics of computer science. Without this stage, you will be unable to quickly and efficiently implement machine learning solutions in production.
3.  **Learn to work with big masses of information.** It will help you experiment, analyze the information received, and find the best solutions.
4.  **Don’t stop learning.** Learn to understand the ideas and meaning of machine learning. Describe special tools, and remember that their names depend on what area you want to work in.
5.  **Put your knowledge into practice.** In any business, and machine learning more than ever, it is essential to put knowledge into practice. It will also be a huge plus in your job search.

**Can you learn machine learning without coding?**

In any case, a machine learning engineer must know primary **programming languages**—just accept it. Knowing 2-3 widespread languages will help you open doors to many companies.

You can have strong knowledge of mathematics and statistics to work with data and do tests and experiments. Still, you cannot make your machine learning decisions in production without an excellent base in coding. 

Basic knowledge of software engineering is also essential because it helps to implement many decisions fast and effectively.  

**Are machine learning engineers in demand?**

In the US, machine learning job growth is up 35% in 2020, according to a **LinkedIn report**. Specialists are needed in different industries: from the public sector to entertainment. According to forecasts, the number of open positions will only grow until 2029.

1.  **Why is learning Python important in Data Science?**
2.  **How the Internet can get smarter by combining AI and ML**
3.  **Cybersecurity Automation: How Can Businesses Benefit From It**
4.  **Incorporating machine learning in data mapping for improved results**
5.  **How chat platforms are using Machine Learning for content moderation?**

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Machine Learning: How To Become A Machine Learning Engineer?

WordPress Ecwid Ecommerce Shopping Cart plugin versions 6.10.23 and below suffer from a cross site request forgery vulnerability.

Description: Cross-Site Request Forgery to Settings/Options Update

Affected Plugin: Ecwid Ecommerce Shopping Cart

Plugin Slug: ecwid-shopping-cart

Affected Versions: <= 6.10.23

CVE ID: CVE-2022-2432

CVSS Score: 8.8 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Researcher/s: Marco Wotschka

Fully Patched Version: 6.10.24

Ecwid Ecommerce Shopping Cart is a plugin offered by Lightspeed that allows site owners to set up an eCommerce store on a WordPress website and then sync it across various services such as Amazon and social media. It also offers ad integration and access to marketing tools. As part of the plugin’s functionality, there were some more advanced settings that could be managed. Unfortunately, this was implemented insecurely making it possible for attackers to update these settings via a forged request.

More specifically, the plugin provides the following admin_post action hooked to the ‘ecwid_update_plugin_params‘ function for that purpose:

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgGRrW4wJp7s4LR8_8W5GZxc55cBM_qW8hSV9n7QFM8MW16sCxG5h4mMrW8RWrLm7fnSqrW70Vz_q4PPYx1W6cGQ985xBh94W4KV7Yy3dzXV8W8bTSFR1sB2J5N60tSb8sMfWmW3Qhxq480ZZDvW6qNFsM4YqZm2W47Fl6f537-gRW8G9Mq25QpGZZW2B_hWM7ZNSZrW8jJ9gf8MSG0pW3c2FG27vDxqyW24KmsZ1HxD3TW6BS5rM4h9TL_W4My4sZ2R5dngW7nrf8C81zMWXW1bBRCq4lYLdfW5Wd9gF2rjpt7W2b9RlV7CGYQ8W4sgGCX98nMgqW1FPwLN10ndByW6yw5YW7rm4RLW1l8_qC5kZvHYW5kyvmH8qjwnbW6cS_Sd2f9WPjM-RF9H50XrYW6d-cP13xx9gWW8Jr_cw26btsNW30S0Xr6gZ41G36ft1 )

An initial check in the ‘ecwid_update_plugin_params‘ function ensures that the current user is allowed to manage site options, which is a capability that belongs to administrators. However, the nonce check performed shortly after is only executed if a nonce is set due to how the function uses && to combine the checks to validate that a nonce is present in the request and to verify that the nonce is valid. This means that if the wp-nonce parameter is not supplied in the request, the verification step is skipped. This makes the functionality susceptible to Cross-Site Request Forgery attacks in vulnerable versions.

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgK04W67C43l5f9PlsW1vTzZ291zXDyW7lwxqt5S_SqhW8qMCLs5Vs8hTMlVtTSW5m53W8jPcbS3cs9wpW6xWDF_2xbLMZN7RfvGrn4vjHVXqXzJ3XzQ-1W3SsZJk5qWZY5W7tNvtn7z-pFSW2T45NG8qgmVjW4mZN5T8CCQR4W4X-xkp3MRyMBW8bQV2l1QmfF2W1N6yKt2SKNJxV9hRB01Dr8M4N4LKmRgHfRR-N5f00LN8JsxlVQCRGg9b5QQgVm1Wrc2NkSRpN22l9qWLg4rRW20bJdN7F1XgdN36zDyK1TZzNW6Fk9mV1Y1vkJW7zJyHY4w7XrNW6YPJyL4yxX2PW6qVHnh960fF3W8yZq6C8Nfqr_VkfJpP34G9dBW7J4NVS8plYskN1tn7-6tGsPRW3vNTQ14zxQXMW2gFKwm8yhK853nT51 )

This makes it possible for an attacker to change the ecwid_store_id, which uniquely identifies the store and is needed for support requests as well as for embedding the store on other sites. Another site option that could be modified is the site’s ecwid_store_page_id, which is the storefront page in the WordPress installation. Both of these settings may result in a loss of availability of the storefront if changed to an invalid store ID. There are several other settings that could be affected in addition to those two. The plugin does not provide a direct link to the settings page in any of its menus and a warning on the page suggests that modifying these settings may significantly affect the plugin functionality.

The Importance of Properly Implementing Nonces

Nonces are a critical component used to prevent Cross-Site Request Forgery vulnerabilities. As such, it’s important to ensure they are properly implemented throughout plugin and theme code to prevent unauthorized execution of that code. Fortunately, WordPress provides several mechanisms to create and validate proper nonces.

Nonce Creation

The first step to proper nonce implementation is nonce creation.

One option to properly implement nonce creation involves the wp_nonce_url() function. This function expects a target URL as well as an action and an optional nonce name. The nonce will be added to a URL and can be verified by a nonce validation function that is executed in the same or subsequent function. This makes it possible for developers to provide links to perform actions such as deletion of posts with a proper nonce that allows the code to verify that the action was initiated from within the site as opposed to a click on a link elsewhere, such as in an email.

An additional option is adding a nonce to a form to secure any submissions originating from that form. The function wp_nonce_field() is frequently used in these cases and expects an action string. This will add a hidden input field to the form. Upon form submission, the created nonce can be checked and verified.

Finally, a nonce can also be generated using wp_create_nonce(), which accepts an action string argument and returns just a nonce. This can be implemented in a variety of different ways and allows more flexibility as a developer to implement nonce validation. We frequently see this function contained in HTML on setting pages that is later used to validate the origin of the request when saving those settings.

Remember that nonces are specific to individual users and sessions and are invalidated after 24 hours, or on logout.

Nonce Validation

The second step to proper nonce implementation involves nonce verification. A plugin can implement an appropriate nonce on a form or settings update, but without proper validation of that nonce, there won’t be adequate protection.

The first option to properly validate a nonce involves the use of the check_admin_referer() function. This function accepts the protected action as well as the name of the nonce as an argument and checks the nonce as well as the referer, thus helping to ensure that the nonce provided is correct and that the request was initiated from an admin page.

When implementing an AJAX action, the check_ajax_referer() function can be used. This will verify the nonce but will not check the referer like the check_admin_referer() function does although it will validate that the request is an AJAX request.

A final option for validating a nonce is the more general wp_verify_nonce() function. With this function, an action and nonce name will need to be supplied, and it will verify that the proper nonce was set. This provides the most flexible implementation of nonce validation for developers.

In the case of today’s disclosure, the nonce was created on the settings form itself with wp_create_nonce():

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgF42W98C5CQ5NDR3nN58bq_96Ch4zW3GRvs_6bwRX5W3tsvrb2ShCghW3x06W68pRQH9W3Dg71b6v1HrYN1qR5fbY2lRlW1k5j_14xFFJHW7X-WLl1rqWk4W2Xtb8w2ZQV1fW60H5QG1l9dtQW4FrrX83gDD31W6PL9cT6F_6LvW370m6b2hcXrhW87SST67k_CFgW5-p6J61CRPtqW41Q3yy1ZncNXW3tf7LN7M0RtnVB_kYq1ywQZZW5nCmTg91v6g7W7d0m-m6FkNhhW7ZJZnp8SNnfqW8slWGB5dKbwfW6hRPqV27VwPwN6VYg76H73KcW5RSHN32P4qKzW87nrK28tmgf3W9kClqb5c9kpxW4sNhxd6ZtC1NW4W6S6N4tX1hSW8VG37Z822PTvW3vQSg86XJbffMW8y1Kj7SkzW8qWmSB1p6tWz33Jt1 )

As you can see, this statement will call wp_verify_nonce() but only if the nonce is set due to the if (isset($_POST['wp-nonce']) check and the use of && in combination with the wp_verify_nonce() function. Therefore, if the nonce is omitted, this check will not take place.

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgYDJW4r9V7C4zvxxJW8nbMdr8F-cRDW2rwyLJ1CP2WHW4J-5Pl31WzP1W6DVyjb8Z3jqdN4stQLdG_ZkNW4mglnq1G8sRNW5mXcDc3VtGGNW4FY3bS3VJv8bW81wTgx9bFbTPV1C4Hj2mqjn2W34wsp890BqJ4W3mYsyR7j1ZmkW3N5y145YdY3JW1y9Jw7794yXvN8-B_JcFVNZ3W7qmWfy4_SYqlW8phV2n20Y2n1VY28TM2d1DnBVmThSG3kLmm9W3w1Qb8274pyfW3DMgQT1d69drW1Z_vwR8tNJ00W5VhJ9W1WWjw5V21_7j12XCNfW4nmmL65HjtPhW6bzWt73Vyc5XW49_SzN8D05kRW1p_M0l1RcrzgN5kXSx6thPmgW6kq5wb8y9lv7W2wb9d72F0qKFW6RJdQV89RNSpN1_lhTsk65Q51P1 )

This serves as an important reminder to not only properly implement nonces and validation checks but also to ensure that the check fails when the nonce value is empty or otherwise not present.

As a final important note: never rely on nonce checks alone. Developers should always remember to include a capability check using a function like current_user_can() in order to ensure the user initiating the action is indeed allowed to perform it. Nonces should never be used for authentication, authorization or any form of access control as they are simply intended to verify the origin of the request, and do not perform any authorization.

Timeline

June 24, 2022 – Initial outreach to the plugin developer.

July 11, 2022 – We escalate the issue to the WordPress.org plugins team and send them the full disclosure details.

July 13, 2022 – The vulnerability is patched in version 6.10.24.

Conclusion

In today’s post, we covered a vulnerability in the Ecwid Ecommerce Shopping Cart plugin that could be used to trick site administrators into updating plugin settings due to improper nonce verification. The vulnerability was patched by ensuring that a proper nonce was set and by verifying it.

Please remember that due to the nature of Cross-Site Request Forgery vulnerabilities, it is not possible to provide adequate protection via the Wordfence firewall without blocking legitimate requests. As such, we highly recommend updating to version 6.10.24 or higher of Ecwid Ecommerce Shopping Cart to ensure that your site is protected against any exploits targeting this vulnerability.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Ecwid Ecommerce Shopping Cart as soon as possible.

WordPress Ecwid Ecommerce Shopping Cart 6.10.23 Cross Site Request Forgery

The popular security devices are tracking (and sharing) more than you might think.

Jolynn Dellinger, a senior lecturing fellow focusing on privacy and ethics at Duke University’s school of law, says recording audio when someone is on the street is a “serious problem” for privacy and may change how people behave. “We operate with a sense of obscurity, even in public,” Dellinger says. “We are in danger of increasing surveillance of everyday life in a way that is not consistent with either our expected views or really what’s best for society.” In October 2021, a British woman won a court case that said her neighbor’s Ring cameras, which overlooked her house and garden, broke data laws.

Ring’s privacy policy says it can save videos of subscribers to its Ring Protect Plan, a paid service that provides an archive of 180 days of video and audio captured. The company says people can log in to the service to delete the videos, but the company may ultimately keep them anyway. “Deleted Content and Ring Protect Recordings may be stored by Ring in order to comply with certain legal obligations and are not retrievable without a valid court order,” the privacy policy says.

Ring can also keep videos shared to its Neighbors’ app—an app where people and law enforcement agencies can share alerts about “crimes” and post their videos of what is happening around the homes. (There are rules about what people are allowed to post.)

Ring’s privacy policy and terms of service allow it to use all this information it collects in multiple ways. It lists 14 ways the company can use your data—from improving the service Ring provides and protecting against fraud to conducting consumer research and complying with legal requirements. Its privacy policy includes the ambiguous statement: “We also may use the personal information we collect about you in other ways for which we provide specific notice at the time of collection and obtain your consent if required by applicable law.” Ring spokesperson Sarah Rall says this could apply if the company added features or use cases that are not already covered by its privacy policy. “We would provide additional notice or get permission as needed,” Rall says.

While Ring’s privacy policies apply to those who purchase its devices, people who are captured in footage or audio don’t have a chance to agree to them. “Privacy, security, and customer control are foundational to Ring, and we take the protection of our customers’ personal and account information seriously,” Rall says.

Ultimately, you agree to give Ring permission to control the “content” you share—including audio and video—while you own the intellectual property to it. The company’s terms of service say you give it an “unlimited, irrevocable, fee free and royalty-free, perpetual, worldwide right” to store, use, copy, or modify content you share through Neighbors or elsewhere online. (Audio recording can be turned off in Ring’s settings.)

“When I went out to buy a security camera last year, I looked for ones only that did local storage,” says Jen Caltrider, the lead researcher on Mozilla’s Privacy Not Included, which evaluates the privacy and security of products. Caltrider says people should try to keep as much control of their data as possible and not store files in the cloud unless they need to. “I don’t want any company having this data that I can’t control. I want to be able to control it.”

How Ring Works With Police

Ring’s deals with police forces—both in the US and the UK—have proved controversial. For years, the company has partnered with law enforcement agencies, providing them with cameras and doorbells that can be given to residents. By the start of 2021, Ring had partnered with more than 2,000 US law enforcement and fire departments. Documents have shown how Ring also controls the public messaging of police departments it has partnered with. “There is nothing mandating Ring build a tool that is easily accessible and helpful to police,” Guariglia says.

Rings’ terms of service say that the company may “access, use, preserve and/or disclose” videos and audio to “law enforcement authorities, government officials, and/or third parties” if it is legally required to do so or needs to in order to enforce its terms of service or address security issues. Government officials could include any “regulatory agency or legislative committee that issues a legally binding request for information,” Rall says. For the six months between January and June 2022, Ring says it had more than 3,500 law enforcement requests in the US.

All the Data Amazon's Ring Cameras Collect About You

At Black Hat USA, Igal Gofman plans to address how machine identities in the cloud and the explosion of SaaS apps are creating risks for IAM, amid escalating attention from attackers.

Cybercriminals always look for blind spots in access management, be they misconfigurations, poor credentialing practices, unpatched security bugs, or other hidden doors to the corporate castle. Now, as organizations continue their modernizing drift to the cloud, bad actors are taking advantage of an emerging opportunity: access flaws and misconfigurations in how organizations use cloud providers' identity and access management (IAM) layers.

In a talk on Wednesday, Aug. 10 at Black Hat USA entitled "IAM The One Who Knocks," Igal Gofman, head of research for Ermetic, will offer a view into this emerging risk frontier. "Defenders need to understand that the new perimeter is not the network layer as it was before. Now it's really IAM — it's management layer that governs all," he tells Dark Reading.

**Complexity, Machine Identities = Insecurity**

The most common pitfall that security teams step into when implementing cloud IAM is not recognizing the sheer complexity of the environment, he notes. That includes understanding the ballooning amount of permissions and access that software-as-a-service (SaaS) apps have created.

"Adversaries continue to put their hands on tokens or credentials, either via phishing or some other approach," explains Gofman. "At one time, those didn't give much to the attacker beyond what was on a local machine. But now, those security tokens have much more access, because everyone in the last few years moved to the cloud, and have more access to cloud resources."

The complexity issue is particularly piquant when it comes to machine entities — which, unlike humans, are always working. In the cloud context, they're used to access cloud APIs using API keys; enable serverless applications; automate security roles (i.e., cloud access service brokers or CASBs); integrate SaaS apps and profiles with each other using service accounts; and more.

Given that the average company now uses hundreds of cloud-based apps and databases, this mass of machine identities presents a highly complex web of interwoven permissions and access that underpin organizations' infrastructures, which is difficult to gain visibility into and thus difficult to manage, Gofman says. That's why adversaries are seeking to exploit these identities more and more.

"We are seeing a rise in the use of non-human identities, which have access to different resources and different services internally," he notes. "These are services that speak with other services. They have permissions, and usually broader access than humans. The cloud providers are pushing their users to use those, because at the basic level they consider them to be more secure. But, there are some exploitation techniques that can be used to compromise environments using those non-human identities."

Machine entities with management permissions are particularly attractive for adversaries to use, he adds.

"This is one of the main vectors we see cybercriminals targeting, especially in Azure," he explains. "If you don't have an intimate understanding of how to manage them within the IAM, you're offering up a security hole."

**How to Boost IAM Security in the Cloud**

From a defensive standpoint, Gofman plans to discuss the many options that organizations have for getting their arms around the problem of implementing effective IAM in the cloud. For one, organizations should make use of cloud providers' logging capabilities to build a comprehensive view of who — and what — exists in the environment.

"These tools are not actually used extensively, but they're good options to better understand what's going on in your environment," he explains. "You can use logging to reduce the attack surface too, because you can see exactly what users are using, and what permissions they have. Admins can also compare stated policies to what is actually being used within a given infrastructure, too."

He also plans to break down and compare the different IAM services from the top three public cloud providers — Amazon Web Services, Google Cloud Platform, and Microsoft Azure — and their security approaches, all of which are slightly different. Multi-cloud IAM is an added wrinkle for corporations using different clouds from different providers, and Gofman notes that understanding the subtle differences between the tools they offer can go a long way to shoring up defenses.

Organizations can also use a variety of third-party, open source tools to gain better visibility across the infrastructure, he notes, adding that he and his co-presenter Noam Dahan, research lead at Ermetic, plan to demo one option.

"Cloud IAM is super-important," Gofman says. "We're going to speak about the dangers, the tools that can be used, and the importance of understanding better what permissions are used and what permission are not used, and how and where admins can identify blind spots."

Cyberattackers Increasingly Target Cloud IAM as a Weak Link

A month after the algorithms were revealed, some companies have already begun incorporating the future standards into their products and services.

A month after the National Institute of Standards and Technology (NIST) revealed the first quantum-safe algorithms, Amazon Web Services (AWS) and IBM have swiftly moved forward. Google was also quick to outline an aggressive implementation plan for its cloud service that it started a decade ago.

It helps that IBM researchers contributed to three of the four algorithms, while AWS had a hand in two. Google contributed to one of the submitted algorithms, SPHINCS+.

A long process that started in 2016 with 69 original candidates ends with the selection of four algorithms that will become NIST standards, which will play a critical role in protecting encrypted data from the vast power of quantum computers.

NIST's four choices include CRYSTALS-Kyber, a public-private key-encapsulation mechanism (KEM) for general asymmetric encryption, such as when connecting websites. For digital signatures, NIST selected CRYSTALS-Dilithium, FALCON, and SPHINCS+. NIST will add a few more algorithms to the mix in two years.

Vadim Lyubashevsky, a cryptographer who works in IBM's Zurich Research Laboratories, contributed to the development of CRYSTALS-Kyber, CRYSTALS-Dilithium, and Falcon. Lyubashevsky was predictably pleased by the algorithms selected, but he had only anticipated NIST would pick two digital signature candidates rather than three.

Ideally, NIST would have chosen a second key establishment algorithm, according to Lyubashevsky. "They could have chosen one more right away just to be safe," he told Dark Reading. "I think some people expected McEliece to be chosen, but maybe NIST decided to hold off for two years to see what the backup should be to Kyber."

**IBM's New Mainframe Supports NIST-Selected Algorithms**

After NIST identified the algorithms, IBM moved forward by specifying them into its recently launched z16 mainframe. IBM introduced the z16 in April, calling it the "first quantum-safe system," enabled by its new Crypto Express 8S card and APIs that provide access to the NIST APIs.

IBM was championing three of the algorithms that NIST selected, so IBM had already included them in the z16. Since IBM had unveiled the z16 before the NIST decision, the company implemented the algorithms into the new system. IBM last week made it official that the z16 supports the algorithms.

Anne Dames, an IBM distinguished engineer who works on the company's z Systems team, explained that the Crypto Express 8S card could implement various cryptographic algorithms. Nevertheless, IBM was betting on CRYSTAL-Kyber and Dilithium, according to Dames.

"We are very fortunate in that it went in the direction we hoped it would go," she told Dark Reading. "And because we chose to implement CRYSTALS-Kyber and CRYSTALS-Dilithium in the hardware security module, which allows clients to get access to it, the firmware in that hardware security module can be updated. So, if other algorithms were selected, then we would add them to our roadmap for inclusion of those algorithms for the future."

A software library on the system allows application and infrastructure developers to incorporate APIs so that clients can generate quantum-safe digital signatures for both classic computing systems and quantum computers.

"We also have a CRYSTALS-Kyber interface in place so that we can generate a key and provide it wrapped by a Kyber key so that could be used in a potential key exchange scheme," Dames said. "And we've also incorporated some APIs that allow clients to have a key exchange scheme between two parties."

Dames noted that clients might use Kyber to generate digital signatures on documents. "Think about code signing servers, things like that, or documents signing services, where people would like to actually use the digital signature capability to ensure the authenticity of the document or of the code that's being used," she said.

**AWS Engineers Algorithms Into Services**

During Amazon's AWS re:Inforce security conference last week in Boston, the cloud provider emphasized its post-quantum cryptography (PQC) efforts. According to Margaret Salter, director of applied cryptography at AWS, Amazon is already engineering the NIST standards into its services.

During a breakout session on AWS' cryptography efforts at the conference, Salter said AWS had implemented an open source, hybrid post-quantum key exchange based on a specification called s2n-tls, which implements the Transport Layer Security (TLS) protocol across different AWS services. AWS has contributed it as a draft standard to the Internet Engineering Task Force (IETF).

Salter explained that the hybrid key exchange brings together its traditional key exchanges while enabling post-quantum security. "We have regular key exchanges that we've been using for years and years to protect data," she said. "We don't want to get rid of those; we're just going to enhance them by adding a public key exchange on top of it. And using both of those, you have traditional security, plus post quantum security."

Last week, Amazon announced that it deployed s2n-tls, the hybrid post-quantum TLS with CRYSTALS-Kyber, which connects to the AWS Key Management Service (AWS KMS) and AWS Certificate Manager (ACM). In an update this week, Amazon documented its stated support for AWS Secrets Manager, a service for managing, rotating, and retrieving database credentials and API keys.

**Google's Decade-Long PQC Migration**

While Google didn't make implementation announcements like AWS in the immediate aftermath of NIST's selection, VP and CISO Phil Venables said Google has been focused on PQC algorithms "beyond theoretical implementations" for over a decade. Venables was among several prominent researchers who co-authored a technical paper outlining the urgency of adopting PQC strategies. The peer-reviewed paper was published in May by Nature, a respected journal for the science and technology communities.

"At Google, we're well into a multi-year effort to migrate to post-quantum cryptography that is designed to address both immediate and long-term risks to protect sensitive information," Venables wrote in a blog post published following the NIST announcement. "We have one goal: ensure that Google is PQC ready."

Venables recalled an experiment in 2016 with Chrome where a minimal number of connections from the Web browser to Google servers used a post-quantum key-exchange algorithm alongside the existing elliptic-curve key-exchange algorithm. "By adding a post-quantum algorithm in a hybrid mode with the existing key exchange, we were able to test its implementation without affecting user security," Venables noted.

Google and Cloudflare announced a "wide-scale post-quantum experiment" in 2019 implementing two post-quantum key exchanges, "integrated into Cloudflare's TLS stack, and deployed the implementation on edge servers and in Chrome Canary clients." The experiment helped Google understand the implications of deploying two post-quantum key agreements with TLS.

Venables noted that last year Google tested post-quantum confidentiality in TLS and found that various network products were not compatible with post-quantum TLS. "We were able to work with the vendor so that the issue was fixed in future firmware updates," he said. "By experimenting early, we resolved this issue for future deployments."

**Other Standards Efforts**

The four algorithms NIST announced are an important milestone in advancing PQC, but there's other work to be done besides quantum-safe encryption. The AWS TLS submission to the IETF is one example; others include such efforts as Hybrid PQ VPN.

"What you will see happening is those organizations that work on TLS protocols, or SSH, or VPN type protocols, will now come together and put together proposals which they will evaluate in their communities to determine what's best and which protocols should be updated, how the certificates should be defined, and things like things like that," IBM's Dames said.

Dustin Moody, a mathematician at NIST who leads its PQC project, shared a similar view during a panel discussion at the RSA Conference in June. "There's been a lot of global cooperation with our NIST process, rather than fracturing of the effort and coming up with a lot of different algorithms," Moody said. "We've seen most countries and standards organizations waiting to see what comes out of our nice progress on this process, as well as participating in that. And we see that as a very good sign."

Amazon, IBM Move Swiftly on Post-Quantum Cryptographic Algorithms Selected by NIST

By Deeba Ahmed
This hasn’t been a great week for the crypto community. On Monday, the Nomad bridge got exploited and…
This is a post from HackRead.com Read the original post: Thousands of GitHub Repositories Cloned in Supply Chain Attack

This hasn’t been a great week for the crypto community. On Monday, the Nomad bridge got exploited and lost nearly $200 million. Then on Wednesday, Hackread.com **reported** that roughly 8,000 Solana blockchain wallets were hacked, and approx. $8 million worth of crypto drained from its wallets.

Now, the GitHub developer platform has become the victim of a malware attack in which the attackers cloned thousands of repositories. This supply chain attack allows attackers to exfiltrate data and perform RCE.

**GitHub Facing Widespread Malware Attack**

According to developer **Stephen Lucy**, around 35,000 GitHub repositories have been cloned with malware. The incident was reported on Wednesday when the developer was confronted with the issue while reviewing a GitHub project found through Google search (search phrase= ovz1.j19544519.pr46m.vps.myjinoru).

Lucy noticed a malicious URL included in the code, and when GitHub repositories were scanned for this URL, it gave over 35,000 results.

It is however worth noting that crypto repositories weren’t targeted in the malware attack. However, these are among the impacted repositories. GitHub was notified about the issue on August 3.

**More Github Security News**

*   **New backdoor malware hits Slack and Github platforms**
*   **GitHub Will Now Support Security Keys for SSH Git Operations**
*   **Hackers use Github bot to steal $1,200 in ETH within 100 seconds**
*   **GitHub: Hackers Stole OAuth Access Tokens to Target Dozens of Firms**
*   **Hackers can spoof commit metadata to create false GitHub repositories**

**Were the Repositories Hacked?**

Bleeping Computer **wrote** that the repositories weren’t hacked, but actually, these were copied with their clones. These clones were modified to insert malware.

For your information, cloning open source code is common among developers. But, in this case, the attackers injected malicious code/links into genuine GitHub projects to target innocent users.

Furthermore, over 13,000 search results were obtained from a single repository identified as ‘redhat-operator-ecosystem.’ The malicious link exfiltrated the environment variables, which contain sensitive data like **Amazon AWS credentials**, API keys, and crypto keys, and also contained a one-line backdoor. The malware also lets remote attackers execute arbitrary code on those systems that install/run the clones.

The attack has impacted many crypto projects. These include Golang, Bash, Python, Docker, JavaScript, and Kubernetes. GitHub confirmed that the original repositories weren’t compromised, and the clones have been quarantined and cleaned.

This attack is difficult to spot because genuine GitHub user accounts are spoofed on commits. It is possible because GitHub requires an email address to attribute commits to users, and they can sign commits with GPG.

Since fakes of legit projects can retain past commits and pull requests from genuine users, it becomes difficult to detect fakes. This supply chain attack will not affect those using original GitHub projects.

1.  Iran’s Largest Steel Producer Hit By Crippling Cyberattack
2.  Access:7 Supply Chain Flaws Impact ATMs, Medical, IoT devices
3.  DDoS Attacks by Hacktivists Disrupted Russian Alcohol Supply Chain
4.  VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware
5.  Cloud video platform abused in web skimmer attack against real estate sites

Tag

#amazon