Security News This Week: An Unfixable Flaw Threatens 5 Years of Intel Chips
As the novel coronavirus continues to propagate, phishing scams that pose as Covid-19 advice do as well. The trend started over a month ago, but it's only going to get worse. Abide by these tips to avoid them, and also please keep washing those hands.
In non-pandemic news, researchers figured out how to clone the mechanical keys of tens of millions of cars from Toyota, Hyundai, and Kia, making theft a much simpler matter. Some recently released Russian disinformation shows how the Kremlin's professional trolls are adapting to Facebook's defenses. And a very bad bill called the EARN IT act represents the most serious threat to strong end-to-end encryption in years.
We took a look at how North Korea launders cryptocurrency, and how they recently got caught. (And yes, they go after traditional banks too). We recommended our favorite virtual private networks, with the usual caveats that you shouldn't put too much trust in any VPN. Although new open source VPN software called WireGuard has a chance to change our minds.
Plus, there's more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.
Ever since speculative execution bugs Spectre and Meltdown upended security for the majority of computers a little over two years ago, newly discovered hardware flaws seem to bedevil Intel every few months. This time it's a flaw in Intel's Converged Security and Management Engine's mask ROM, a particularly nasty spot for a bug because it can't be patched with a firmware update. "Because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole," wrote security firm Positive Technologies in a blog post announcing the issue. Intel argues that pulling off an attack would require local access, specialized gear, and a high level of skill, making it relatively impractical in the real world. Given the potential impact, though, it's still a concerning flaw—one that affects every Intel CPU and chipset released in the last five years.
Leaving a database exposed on the internet is bad enough as it is. It's worse when that database includes personally identifiable information, like home addresses and emails. And worse still when someone outside the company actually finds and accesses those details. Verizon Media has checked all three, with a database of 900,000 customers left vulnerable. Data breaches happen all the time, but that by no means excuses them. There are some steps you can take to protect yourself when they happen, but the onus is on corporations to make sure they don't in the first place.
Oh, hello again. Nearly a year ago, J. Crew suffered a so-called credential stuffing attack that impacted the the online accounts of fewer than 10,000 customers. It did, though, include some payment information, like the type of credit or debit card used and the last four digits of the card numbers, plus expiration dates and associated addresses. Not ideal! Regulators may raise an eyebrow at how long it took J. Crew to come forward with this one.
Visser Precision provides precision parts for the aerospace and automotive industries, with heavy hitters like Tesla, SpaceX, and Lockheed Martin on its client list. It also reportedly got hit by a ransomware attack that resulted in the theft of at least some of its data. The ransomware reportedly involved, DoppelPaymer, doesn't just encrypt files; it steals them first so that hackers can retain a copy. Increasingly, ransomware attacks include a threat of leaking that privileged info if companies don't pay up.
Chinese Security Firm Attributes Attacks to the CIA
It's maybe not surprising that the CIA actually uses its trove of Vault 7 hacking tools—and more—to sneak past the defenses of US adversaries. But it's certainly rare to see the agency get publicly called out, as Chinese security firm Qihoo 360 did this week. US security firms regularly attribute, or at least strongly imply, attacks to Chinese hacking groups like APT10. Regardless of whether Qihoo 360 actually has the goods, it'll be interesting to see if other countries feel similarly emboldened to start calling out US hackers, especially when the US itself has become more aggressive with its own "naming and shaming" campaigns.
Read more: https://www.wired.com/story/unfixable-intel-flaw-j-crew-breach-virgin-media-security-news/