Category: IT news

  • TikTok: How would the US go about banning the Chinese app?


    “We may be banning TikTok,” President Trump told reporters, saying an announcement could come as soon as this weekend.

    He added there were other options – but how might a ban work?

    One obvious starting place would be to order Apple and Google to remove the app from their online stores.

    This might be done by adding TikTok’s owner Bytedance to a Commerce Department entity list, and forbidding US firms from working with it – a similar tactic was used to stop Google providing its apps to Huawei.

    That would prevent new users from being able to download the app.

    Existing users would be prevented from receiving notifications and installing updates, although they would still have the app on their devices.

    One way to address this would be to tell Apple and Google to use a “kill switch” facility they both have, which lets them remotely wipe or prevent blacklisted apps from launching.

    A Brazilian judge once threatened to force the two firms to use the power in 2014, but ultimately backed off.

    Apple and Google would likely be loath to take control of users’ smartphones in such a way and might even resist such an order.

    So an easier alternative might be to compel local internet service providers to block access to TikTok’s servers.

    This would have the added advantage of preventing TikTok’s videos being viewable via its website.

    India took such a measure when it banned TikTok and dozens of other Chinese apps. And users have reported being unable to circumvent the block by using a virtual private network (VPN).

    But it’s not clear how Mr Trump would enforce such an order.

    A less draconian approach would be to ban TikTok from being installed onto federal employees’ work phones.

    Congress has already voted in favour of the idea and the Senate is still considering it. But that would be a much less dramatic move than Trump seems to be hinting at.

    A further possibility is that the Committee on Foreign Investment in the United States (CFIUS) – which is chaired by the US Treasury – rules against Bytedance’s takeover of the app Musical.ly, whose users were migrated over to TikTok in 2018.

    Musical.ly was owned by another Chinese start-up.

    But CFIUS has the power to review takeovers that potentially pose a national security risk. And because Bytedance did not seek clearance for the acquisition at the time, the committee was able to launch a post-deal probe last year.

    If CFIUS rejects the takeover, it could order Bytedance to shut down the service in the US.

    The question is whether a spun-off TikTok would be allowed to continue under different ownership as an alternative, perhaps even with a rebrand.

    Microsoft is reportedly in talks to acquire the business – some internet wags have already suggested it might be called Microsoft Teens (a play on the firm’s Teams service).

    The US tech giant would presumably be viewed as a more trustworthy guardian of the data the app collects, and would assuage fears that China might still somehow be accessing its logs.

    When asked about the prospect of such a deal, Microsoft declined to comment.

    What does TikTok say?

    “One hundred million Americans come to TikTok for entertainment and connection.

    “We’ve hired nearly 1,000 people to our US team this year alone, and are proud to be hiring another 10,000 employees.

    “TikTok US user data is stored in the US, with strict controls on employee access. TikTok’s biggest investors come from the US.

    “We are committed to protecting our users’ privacy and safety as we continue working to bring joy to families and meaningful careers to those who create on our platform.”

    TikTok Timeline


    March 2012: Bytedance is established in China and launches Neihan Duanzi – an app to help Chinese users share memes

    September 2016: Bytedance launches the short-form video app Douyin in China

    August 2017: An international version of Douyin is launched under the brand TikTok in some parts of the world, but not the US at this time

    November 2017: Bytedance buys lip-synch music app Musical.ly

    May 2018: TikTok declared world’s most downloaded non-game iOS app over first three months of the year, by market research firm Sensor Tower

    August 2018: Bytedance announces it is shutting down Musical.ly and is moving users over to TikTok

    February 2019: TikTok fined in US over Musical.ly’s handling of under-13s’ data

    October 2019: Facebook’s Mark Zuckerberg publicly criticises TikTok, accusing it of censoring protests

    November 2019: CFIUS opens national security investigation into TikTok

    May 2020: TikTok hires Disney executive Kevin Mayer to become the division’s chief executive and chief operating officer of Bytedance

    July 2020: US Secretary of State Mike Pompeo, and then President Trump, say TikTok may be banned

  • Garmin Confirms Services Upended by Ransomware Attack | Hacking

    By John P. Mello Jr.

    Jul 28, 2020 4:00 AM PT

    Garmin on Monday confirmed that many of its online services have been disrupted by a cyberattack on its systems that occurred on July 23, 2020.

    Services disrupted by the attack, which encrypted data on the systems, included website functions, customer support, customer-facing applications, and company communications, the company noted in a statement.

    “We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen,” the company stated. “Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.”

    Garmin specializes in GPS technology, developing navigation and communications products. It serves the auto, aviation, fitness, marine, and outdoor markets.

    The company estimated that operations would be back to normal “in a few days.” Garmin cautioned, however, that as systems are restored, there may be delays as backlogged information is processed.

    No material impact is expected on operations or financial results due to the outage, the company added.

    Garmin’s damage assessment may be overly optimistic, though. “If the average data breach costs the victim [U.S.] $8.9 million, then in this case, it’s probably more than that,” asserted Chloé Messdaghi, vice president of strategy at Point3 Security, a provider of training and analytic tools to the security industry in Baltimore, Md.

    “With WastedLocker, the attack also cripples the network and getting it up and running again becomes extremely expensive,” she told TechNewsWorld. WastedLocker is the ransomware believed to be used in the Garmin attack.

    Customized Payload

    The sortie on Garmin has the characteristics of a typical ransomware attack.

    “The usual ransomware tactic by cybercriminals is to gain initial access to an organization, perform privilege escalation attacks to gain administrator access to the entire environment, find and delete backups if possible, then run their ransomware to encrypt as many computers as possible,” explained Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz.

    “Without confirmation, it’s impossible to say if the attackers here were able to locate and delete Garmin’s backups, but the resulting multi-day outage demonstrates that even with a highly secure backup strategy, ransomware attacks can be massively disruptive to victims,” he told TechNewsWorld.

    While common tactics were used by the attackers, their software appears to be customized for Garmin. “The ransomware payloads are customized per each individual client, so Garmin ransomware extensions were ‘garminwasted,’” explained Tom Pace, vice president for global enterprise solutions at BlackBerry.

    “They are also selective in the assets they tend to target within victim environments to maximize damage and probability of a client making the ransom payment,” he told TechNewsWorld.

    Although there have been a few high-visibility ransomware attacks, most of them are kept on the Q.T. That wasn’t the case with the Garmin intrusion. “The most notable distinguishing feature of this attack is how visible it is to the outside world,” observed Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, Calif.

    “Garmin provides numerous services related to their devices and mapping software, and this attack had a substantial impact on those services, which is why people worldwide have taken notice,” Nayyar told TechNewsWorld.

    Russian Connection

    Reports on the ransomware attack have linked it to Russian hackers, primarily because of the malicious software used in the intrusion.

    “Attribution is always a tricky issue, but in the case of WastedLocker, the ransomware actually signs itself as WastedLocker,” explained Ben Dynkin, co-founder and CEO of Atlas Cyber Security, a provider of cybersecurity services in Great Neck, N.Y.

    “While third parties can deploy this ransomware variant, it is a very reasonable assumption to attribute the activity to the Evil Corp cybercriminal syndicate,” he told TechNewsWorld. “The U.S. Treasury Department has clearly and unambiguously attributed the conduct of Evil Corp to Russian nationals in other operations.”

    “We cannot make a definitive attribution that this is state sanctioned activity — even though there is some evidence that Russian military officials are involved with Evil Corp.,” he continued. “That means we can attribute this activity to Russian criminals, but not the Russian state.”

    Garmin would be a typical target for Evil Corp, added Point3’s Messdaghi. “We haven’t seen any indications that Evil Corp has attacked small businesses or individuals,” she said. “They’re going after corporations with the wherewithal and motivation to pay to prevent business losses.”

    $10 Million Ransom

    It’s also been reported that the ransomware raiders have asked for $10 million to undo what they’ve done to Garmin’s system. So far, Garmin has been mum on making any ransom payments.

    “It’s never recommended that companies pay extortion demands to cybercriminals, if at all possible,” Cerberus Sentinel’s Clements said. “Extortion payments both strengthen the cybercriminal operations responsible and encourage other organizations to attempt the same attacks.”

    He acknowledged, however, that victims have little recourse but to pay the demands. “A common tactic employed by ransomware gangs is to find and delete any backups before running their encryption,” he explained. “This leaves the victim with the choice of paying the ransom or having to rebuild their environment and data from scratch.”

    “In the best case of this scenario, rebuilding from scratch can take months to complete and cost many times more than the ransom payment demand,” he continued. “In the worst cases, mission-critical data that is encrypted can’t be restored and the only option for recovery is paying the extortion demands.”

    However, paying off Evil Corp is more complicated than paying off the typical online extortionist. “Back in December 2019, the U.S. Treasury department delivered sanctions against the Evil Corp cybercriminal organization,” explained James McQuiggan, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.

    “As part of those sanctions, no U.S. organizations are allowed to conduct transactions with the group,” he told TechNewsWorld. “Even if Garmin wanted to pay the ransom, they would have to collaborate with the U.S. Treasury, FBI, and other government agencies to send the funds.”

    Those government agencies, though, may come under pressure to turn a blind eye to any sanction violations should Garmin prove unable to get all its systems back online without the cooperation of Evil Corp.

    “The problem is Garmin controls and maintains significant critical infrastructure and services used by pilots and others, perhaps even by the U.S. and other militaries,” BlackBerry’s Pace explained.

    “If they can’t recover the data on their own and it will have a significant bearing on national security or critical infrastructure, the proverbial rock and a hard place dilemma would seem to present itself.”



    John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.

  • Amazon Gives Alexa App a Makeover | Mobile Tech

    By John P. Mello Jr.

    Jul 29, 2020 4:00 AM PT

    Amazon’s Alexa mobile app has a new look.

    The company on Monday introduced an updated version of the app that aims to give users a more personalized experience and moves all third-party “skill” suggestions off the main screen.

    The app is being rolled out this month for iOS, Android and Fire devices, and should reach all users by the end of August.

    At the top of the new main screen is a large, blue Alexa button with a reminder that tapping the button or saying “Alexa” will get the digital assistant revved up.

    Below the blue button is a series of items based on an individual’s past use of the program, intended to make it easier for a user to pick up where they left off when they last used the app.

    The app is more friendly to first-time users, making suggestions about what they can do with Alexa mobile.


    “What they’re trying to do with the new design is help new users, users who may not have the competency of more tech savvy users,” said Mark N. Vena, a senior analyst with Moor Insights & Strategy.

    “They see an opportunity to enhance their app and make it more usable and intuitive,” he told TechNewsWorld.

    Eye on Newbies

    Vena explained that the older Alexa mobile app could be confusing, especially when using it to control multiple smart home devices simultaneously, an affliction that isn’t limited to the Alexa app.

    “At retail, the smart home category has exploded, but it is also the number one product at retail that gets returned,” he said. “They have a return rate of 20 to 25 percent, not because they don’t work, but because people can’t figure out how to use them.”

    Amazon seems to have an eye on the future of the smart speaker market with the redesign of the Alexa mobile app.

    “As smart speaker adoption continues to grow, the user base has begun to tilt more towards a less technically adept consumer who is less likely to use the app to create reminders and routines and download new skills and voice apps,” observed Kristen Hanich, an analyst with Parks Associates.

    “The new app design will better support the actions users take when opening and using their Alexa app,” she told TechNewsWorld. “This means allowing users to more easily control their music and allowing users to pick up what they left off doing on their smart speaker or display.”

    “De-emphasizing the third-party skills helps Amazon create more real-estate in their app for personalization,” she added.

    Redesign Overdue

    Personalization is critical for an app like Alexa mobile, maintained Rob Enderle, president and principal analyst at the Enderle Group.

    “They should learn who you are, what you want, and to deal with the nuances in your speech,” he told TechNewsWorld. “Once they learn how to deal with you as a person, you should have much better experience with the app and be more willing to use it.”

    He said that the redesign makes the app less of a voice front-end for Google and more like what it was originally marketed as — a digital assistant.

    He noted that a facelift for Alexa mobile is long overdue, but added, “Interest in these kinds of apps has dropped off in general, mostly because people got frustrated with how they work.”

    One of the problems Alexa mobile has faced is its device position, something Apple and Google don’t have to sweat about because they control the operating systems on most smart phones. “That’s something Amazon is looking for this update to address,” said Jonathan Collins, a research director at ABI Research.

    A mobile app, though, may have less value in the Alexa universe than it would have in some other ecosystems. “Alexa’s primary strength has been in the smart home with dedicated devices,” Collins told TechNewsWorld. “With an Alexa home environment, much of the functionality offered by handset integration is less useful.”

    Nevertheless, the app can still be a key component for the Alexa ecosystem.

    “The smartphone is not the central point of interaction for a lot of Alexa commands, but with Alexa, we interact with a lot of services that have a smart phone component,” said Ross Rubin, principal analyst at Reticle Research.

    “So in many ways, this app remake is more about the bridge to those services,” he told TechNewsWorld.

    Voice Apps Relegated

    Under the redesign, the app’s advanced features — Reminders, Routines, Skills and Settings — have been moved under a “more” button on the home screen. In addition, third-party voice apps have also been banished from the main screen.

    “Discoverability remains a problem for a lot of these voice apps,” Parks’ Hanich said. “It’s difficult to find what you’re looking for unless you go digging through the Alexa app.”

    Quality is another issue with the apps. “The issue is similar to what the smartphone app stores experienced early on,” Hanich explained. “They were originally flooded with low quality experimental designs that didn’t provide value to consumers.”

    “Many were never updated after being released,” she explained. “While there are quite a few high quality voice apps available, there’s still a very large number of low quality apps in the Alexa Skills Store.”

    Rubin noted that for years both Amazon and Google have been touting the number of skills you can activate via their agents, but it’s been very difficult to drive usage of those skills.

    “It’s tough to remember them,” he said. “It’s tough to find them. So in this new interface, those things have been emphasized a lot less.”

    “Amazon is focusing on a core number of things that people most often use Alexa for because the promise of voice control is convenience, but it’s difficult to make it scale over a wide array of functions that may not be top-of-mind for users,” he added.

    Lack of Promotion

    Enderle noted that Amazon hasn’t exactly set up the skill apps for success.

    “No one is really marketing this stuff anymore,” he noted. “To change behavior, you have to keep reminding people that these alternatives are in place, otherwise they don’t use them, and if they don’t use them, then what’s the point in continuing to develop them?”

    “If you’re not promoting the apps and you’re going to make it harder for people to get to them, that’s not a formula for success,” added Enderle.

    As the smart home market grows, distinctions between digital assistants will become fuzzier.

    “Digital assistants are blending into the background, becoming less identified with a category of product — like the smart speaker — as they were at the beginning,” Rubin explained.

    “That’s only going to accelerate because Apple, Google and Amazon are working toward a home automation standard that will allow more interoperability among their ecosystems,” he continued.

    “They need to do that because that’s the best way to incentivize builders to put the technology into new construction,” he said. “You can’t build a house assuming someone is an iPhone user or Alexa user or a Google user.”




  • Trump says he will ban TikTok in the US

    Image caption: Mr Trump said he could ban the app as early as Saturday

    President Donald Trump has announced he is banning the Chinese-owned video-sharing app TikTok in the US.

    He told reporters he could sign an executive order as early as Saturday.

    US security officials have expressed concern that the app, owned by Chinese firm ByteDance, could be used to collect the personal data of Americans.

    The fast-growing app has up to 80 million active monthly users in America and the ban would be a major blow for ByteDance.

    Media caption: WATCH: Will TikTok be banned?

    “As far as TikTok is concerned, we’re banning them from the United States,” Mr Trump told reporters aboard Air Force One.

    TikTok spokesperson Hilary McQuaide declined to comment on the move but said the company was “confident in the long-term success of TikTok”, the Washington Post reports.

  • New Security Hole Puts Windows and Linux Users at Risk | Security

    By Jack M. Germain

    Jul 29, 2020 10:10 AM PT

    If you are a Windows or Linux user, brace yourself for a long siege of vulnerability nightmares. The fix will be long and treacherous and could brick your computers.

    Eclypsium researchers on Wednesday released details of a set of newly discovered vulnerabilities, dubbed “BootHole”, that open up billions of Windows and Linux devices to attack.

    This is a serious vulnerability with a Common Vulnerability Scoring System (CVSS) rating of 8.2. The highest assigned rating on this severity scale is 10.

    The BootHole vulnerability in the GRUB2 bootloader opens up Windows and Linux devices using Secure Boot to attack. To mitigate the attack surface, all operating systems using GRUB2 with Secure Boot must release new installers and bootloaders, the researchers warned.

    Attackers exploiting this vulnerability could gain near-total control of the compromised device. The majority of laptops, desktops, servers, and workstations are affected, as well as network appliances and other special-purpose equipment used in industrial, healthcare, financial, and other industries, according to the report.

    Researchers warned that mitigating this vulnerability will require fixed versions of the vulnerable programs to be signed and deployed. They also advised that the vulnerable versions be revoked, to prevent adversaries from using older, vulnerable versions in an attack.

    Plugging this vulnerability hole will likely be a long process. It will take considerable time for IT departments within organizations to complete patching, the researchers said.

    Eclypsium has coordinated the responsible disclosure of this vulnerability with a wide variety of industry entities, including OS vendors, computer manufacturers, and the Computer Emergency Response Team (CERT). A number of these organizations are listed in the report and were part of Wednesday’s coordinated disclosure.

    “This is probably the most widespread and severe vulnerability that we have found at Eclypsium. Many of the issues we found in the past were specific to a given vendor or model, whereas this issue is pervasive. This vulnerability in Secure Boot affects the default configuration of most systems deployed in the past decade,” Jesse Michael, principal researcher for Eclypsium, told TechNewsWorld.

    The vulnerability in GRUB2 was assigned CVE-2020-10713.

    Finding and Patching Holes in the Boot

    The Eclypsium researchers stumbled onto the trail of the BootHole vulnerabilities somewhat by accident during routine proactive exploration, according to Michael.

    “We were exploring any weak links in the whole secure boot infrastructure. Since we had previously seen a similar issue with Secure Boot and the Kaspersky boot loader, we thought we should take a deeper look at that area. We did some fuzzing on GRUB2, which is widely used by most Linux distributions, and found a vulnerability that turned out to be much larger than we expected,” he said.

    Fuzzing, or fuzz testing, is an automated software testing technique for finding exploitable software bugs. Testers feed a target program with large numbers of randomly varied inputs until one of those inputs triggers a crash or other fault that reveals a vulnerability.

    Researchers have yet to see bad guys exploiting this specific vulnerability in the wild, he noted. But threat actors have been using malicious Unified Extensible Firmware Interface (UEFI) bootloaders.

    “This sort of attack has been used by malware, including wipers and ransomware, for a long time, and Secure Boot was designed to protect against this technique. The BootHole vulnerability makes most devices susceptible even when Secure Boot is enabled. Previous threat actors used malware tampering with legacy OS bootloaders including APT41 Rockboot, LockBit, FIN1 Nemesis, MBR-ONI, Petya/NotPetya, and Rovnix,” Michael noted.

    What BootHole Does

    Attackers can leverage the GRUB2 bootloader that most Linux systems and Windows computers use to gain arbitrary code execution during the boot process. This can happen even when Secure Boot is enabled. Attackers exploiting this vulnerability can install persistent and stealthy bootkits or malicious bootloaders that could give them near-total control over the victim device, according to Eclypsium’s report.

    What makes this BootHole vulnerability even more threatening is its ability to affect systems using Secure Boot, even if they are not using GRUB2. Almost all signed versions of GRUB2 are vulnerable. This means that nearly every Linux distribution is affected. In addition, GRUB2 supports other operating systems, kernels, and hypervisors such as Xen.

    This problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third-Party UEFI Certificate Authority. Thus, BootHole affects the majority of laptops, desktops, servers, and workstations. The vulnerability also threatens network appliances and other special purpose equipment used in industrial, healthcare, financial, and other industries. This vulnerability makes these devices susceptible to attackers such as the threat actors recently discovered using malicious UEFI bootloaders, noted researchers at Eclypsium.

    If the Secure Boot process is compromised, attackers can control how the operating system is loaded and subvert all higher-layer security controls. Recent research identified ransomware in the wild using malicious EFI bootloaders as a way to take control of machines at the time of boot. Previously threat actors used malware tampering with legacy OS bootloaders including APT41 Rockboot, LockBit, FIN1 Nemesis, MBR-ONI, Petya/NotPetya, and Rovnix, noted the report.

    Circular Firing Squad

    Attackers can also use a vulnerable bootloader against the system, the report writers added. For example, if a validly signed bootloader with a vulnerability exists, malware can replace the device’s existing bootloader with that vulnerable version.

    The bootloader would be allowed by Secure Boot and give the malware complete control over the system and the operating system itself. Mitigating this requires very active management of the dbx database used to identify malicious or vulnerable code.


    Image caption: Secure Boot process problems, from Eclypsium’s BootHole report

    The Secure Boot process has potential problems with many pieces of code. A vulnerability in any one of them presents a single point of failure that could allow an attacker to bypass Secure Boot, according to Eclypsium’s BootHole report.


    Additionally, trying to fix the BootHole vulnerabilities can itself be hazardous to hardware and software. Updates and fixes to the Secure Boot process can be particularly complex, and that complexity poses the additional risk of inadvertently breaking machines.

    The boot process by nature involves a variety of players and components, including device OEMs, operating system vendors, and administrators. Because of the boot process’s fundamental nature, any problem along the way poses a high risk of rendering a device unusable. As a result, updates to Secure Boot are typically slow and require extensive industry testing.

    Buffer Contributor

    The BootHole vulnerability is a buffer overflow that occurs in GRUB2 when parsing the grub configuration file, according to Eclypsium’s researchers. The GRUB2 configuration file (grub.cfg) is merely a text file. It is typically not signed like other files and executable code.

    This vulnerability enables arbitrary code execution within GRUB2 and ultimately control over the booting of the operating system. As a result, an attacker could modify the contents of the GRUB2 configuration file to ensure that attack code is run before the operating system is loaded. In this way, attackers gain persistence on the device, according to the report.

    To pull off such an intrusion, the attacker would need elevated privileges. But it would provide the attacker with a powerful additional escalation of privilege and persistence on the device. This would occur with or without Secure Boot enabled and properly performing signature verification on all loaded executables.

    Challenging Mitigation Effort

    Eclypsium warned that plugging BootHole will require the release of new installers and bootloaders for all versions of Linux and potentially Windows. Vendors will have to release new versions of their bootloader shims signed by the Microsoft Third-Party UEFI CA.

    Until all affected versions are added to the dbx revocation list, an attacker would be able to use a vulnerable version of shim and GRUB2 to attack the system. This means that every device that trusts the Microsoft Third-Party UEFI CA will be vulnerable for that period of time.


    Image caption: Secure Boot keys. The Unified Extensible Firmware Interface (UEFI) Forum originally developed Secure Boot as a way to protect the boot process from these types of attacks.


    The GRUB2 configuration file is an external file, commonly located in the EFI System Partition, and can therefore be modified by an attacker with administrator privileges without altering the integrity of the signed vendor shim and GRUB2 bootloader executables.

    The buffer overflow allows the attacker to gain arbitrary code execution within the UEFI execution environment, which could be used to run malware, alter the boot process, directly patch the OS kernel, or execute any number of other malicious actions.

    This vulnerability is not architecture specific. It is in a common code path and was also confirmed using a signed ARM64 version of GRUB2.

    Canonical’s security team found additional vulnerabilities in the GRUB2 code while reviewing it in response to Eclypsium’s findings, the Eclypsium report noted. That will further complicate the mitigation path.

    “Those vulnerabilities discovered by the Canonical security team were all of medium severity. There were also dozens of further vulnerabilities identified by other organizations that do not yet have individual CVEs assigned,” said Michael.

    What’s Needed to Fix

    Full mitigation will require coordinated efforts from affected open-source projects, Microsoft, and the owners of affected systems, among others. The list of tasks to fix BootHole, according to the report, will include:

    • Updates to GRUB2 to address the vulnerability.
    • Linux distributions and other vendors using GRUB2 will need to update their installers, bootloaders, and shims.
    • New shims will need to be signed by the Microsoft Third-Party UEFI CA.
    • Administrators of affected devices will need to update installed versions of operating systems in the field as well as installer images, including disaster recovery media.
    • Eventually the UEFI revocation list (dbx) needs to be updated in the firmware of each affected system to prevent running this vulnerable code during boot.

    More Bugaboos Possible

    Full deployment of this revocation process to enterprises will likely be very slow, researchers suggested. UEFI-related updates have a history of making devices unusable. So, vendors will need to be very cautious to prevent the fix from turning computers into bricks.

    For example, if the revocation list (dbx) is updated before a system’s bootloader has been replaced, the firmware will refuse to run the now-revoked shim and the system will not boot. So vendors will have to apply revocation list updates over time to prevent breaking systems that have yet to be updated.

    Other cases exist where updating the dbx is difficult, such as dual-boot machines and deprovisioned systems.

    Other circumstances can further complicate matters. For instance, enterprise disaster recovery processes can run into issues where approved recovery media no longer boots on a system if dbx updates have been applied.

    Another situation is when a device swap is needed due to failing hardware. New systems of the same model may have already had dbx updates applied and will fail when attempting to boot previously-installed operating systems. So before dbx updates are pushed out to enterprise fleet systems, recovery and installation media must be updated and verified as well.
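    The dbx update item in the fix list above and the recovery-media edge cases just described come down to one question a fleet administrator can answer before pushing anything: which hashes does the proposed revocation list contain, and does any boot medium still in use carry one of them? The following added example (not Eclypsium’s or Microsoft’s code) parses the UEFI EFI_SIGNATURE_LIST encoding that dbx uses and runs that pre-flight check. The two revoked hashes and the media inventory are constructed values, not real shim hashes; obtaining a real binary’s Authenticode hash with a PE hashing tool such as pesign is assumed to happen outside this script.

```python
"""Parse UEFI dbx signature lists and pre-check boot media before pushing a revocation.

Added example; not Eclypsium's or Microsoft's code. The revoked hashes and the
media inventory below are constructed values, not real shim hashes.
"""
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HEADER = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER_LEN = 16 + HEADER.size   # SignatureType GUID followed by the three sizes


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, data) for every entry in concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off + 16)
        body_start = off + HEADER_LEN + hdr_size
        body_end = off + list_size
        # Each entry is a 16-byte SignatureOwner GUID plus the signature data itself.
        if sig_size <= 16 or body_end > len(blob) or body_start > body_end:
            raise ValueError(f"malformed list at offset {off}")
        body = blob[body_start:body_end]
        if len(body) % sig_size:
            raise ValueError(f"list at offset {off} is not a whole number of entries")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off = body_end


def is_well_formed(blob: bytes) -> bool:
    """True when every list in the blob parses; truncated updates must never be applied."""
    try:
        for _ in parse_signature_lists(blob):
            pass
        return True
    except ValueError:
        return False


def revoked_sha256(blob: bytes) -> set:
    """Hex Authenticode hashes that this dbx content forbids from booting."""
    return {data.hex() for t, _, data in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def preflight(dbx_update: bytes, media: dict) -> list:
    """Labels of installer/recovery media whose bootloader hash the update would revoke."""
    revoked = revoked_sha256(dbx_update)
    return sorted(label for label, h in media.items() if h.lower() in revoked)


def build_sha256_list(hex_hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Encode hashes as one EFI_SIGNATURE_LIST of SHA-256 entries (the encoding dbx updates use)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hex_hashes)
    sig_size = 16 + 32
    return EFI_CERT_SHA256_GUID.bytes_le + HEADER.pack(HEADER_LEN + len(body), 0, sig_size) + body


# Constructed sample: a dbx update carrying two revoked hashes split across two lists.
REVOKED_OLD_SHIM = "11" * 32
REVOKED_OLD_GRUB_SHIM = "22" * 32
SAMPLE_DBX_UPDATE = build_sha256_list([REVOKED_OLD_SHIM]) + build_sha256_list([REVOKED_OLD_GRUB_SHIM])

# Constructed inventory: Authenticode hash of the shim on each piece of boot media
# (hypothetical labels; real hashes come from a PE hashing tool such as pesign).
MEDIA_INVENTORY = {
    "recovery-usb-2019": REVOKED_OLD_SHIM,
    "installer-2020-07": "33" * 32,
}

if __name__ == "__main__":
    assert is_well_formed(SAMPLE_DBX_UPDATE)
    blocked = preflight(SAMPLE_DBX_UPDATE, MEDIA_INVENTORY)
    print("media that would stop booting after this dbx update:", blocked or "none")
```

    To run the same check against a machine’s current dbx on Linux, read /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f and drop its first four bytes (the variable attributes) before passing it to parse_signature_lists. A signed dbx update file carries an authentication header ahead of the lists, which this example does not strip. Note also that dbx matches the PE Authenticode hash of a binary, not the SHA-256 of the whole file.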

    Few Workarounds

    Given the report’s warnings that the boot fixes could brick hardware, few workarounds exist to prevent the cure being worse than the attack. Michael expects attacks that take advantage of this to occur, if they haven’t already.

    “If left without action or mitigation, this will leave a gaping hole on all affected systems,” he said. “There could be unexpected consequences to the cure as well.”

    Revocation updates are not common, and this is going to be the largest revocation ever done. Bugs in this rarely used part of the firmware could cause systems to behave unexpectedly after the update. To avoid such issues, the revocation will not happen automatically.
    “This forces security teams to carefully manage this issue using manual intervention,” cautioned Michael.

    Workarounds may need to be tweaked by various vendors to be effective for their products. Bootloader vulnerabilities have been found in the past that vendors successfully patched, according to Charles King, principal analyst at Pund-IT.

    For example, one was revealed in March that affected LG phones, and in June the company announced that it had issued a patch for phones going back seven years.

    What’s Worse: Meltdown and Spectre or BootHole?

    The Meltdown and Spectre vulnerabilities, disclosed in 2018, impacted confidentiality: they allow an attacker to steal secrets.

    This vulnerability impacts integrity and availability, as well as confidentiality. Therefore, BootHole has the potential for much broader damage, according to Michael.

    Using the industry-standard CVSS severity score, Meltdown and Spectre were classified as Medium severity vulnerabilities, and BootHole is rated as a High severity vulnerability, he said.

    While the BootHole vulnerability occurs in software (the GRUB2 bootloader, not the CPU), Meltdown and Spectre exploited hardware flaws baked into many CPUs. A major challenge with Meltdown and Spectre has been that fixes often significantly impact CPU performance, noted King.

    “It seems unlikely that BootHole fixes will similarly impact system or device performance,” he told TechNewsWorld.

    Which vulnerability is more dangerous is relative. Just because a vulnerability exists does not mean that people will find a way to exploit it effectively. Though Meltdown and Spectre attracted a great deal of attention when they were revealed several years ago, he has not seen any reports of successful exploits, King said.

    What to Do

    Most users will want to deploy the updates that vendors are coming out with beginning on July 29, Michael suggested. In addition to the automatic updates released by OS vendors, manual action will be needed to revoke the old, vulnerable versions of grub.

    “Until this is done, systems will remain vulnerable,” he warned.

    Enterprise security teams should also consider threat hunting or monitoring activities that look at the bootloaders present on operational systems, suggested Michael. This should reveal which systems have suspicious-looking bootloaders and grub configuration files.

    “Considering the complexity of deploying these updates to an enterprise, such monitoring may be an important workaround to buy time while updates are tested and deployed,” Michael concluded.
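    The monitoring Michael describes, and the unsigned grub.cfg discussed earlier on this page, can be turned into a concrete hunt over an EFI System Partition. The following added example (not Eclypsium’s or any distribution’s code) hashes every .efi binary against an allowlist of expected bootloaders and flags grub.cfg files that contain control bytes or an abnormally long token. The allowlist entries, the sample ESP layout and the 1024-byte token limit are constructed for the demonstration; the assumption that an oversized token is the signature of a BootHole-style grub.cfg is this example’s own heuristic, to be tuned against a real fleet.

```python
"""Hunt for suspicious bootloaders and GRUB configs on an EFI System Partition (ESP).

Added example; not code from Eclypsium or any Linux distribution. The allowlist
hashes, the sample ESP layout and the token limit are constructed for this demo.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Stand-ins for vendor-signed shim/GRUB binaries (constructed; real ones are PE files).
GOOD_SHIM = b"MZ" + b"\x00" * 62 + b"constructed stand-in for a vendor-signed shimx64.efi"
GOOD_GRUB = b"MZ" + b"\x00" * 62 + b"constructed stand-in for a vendor-signed grubx64.efi"

# Allowlist of whole-file SHA-256 digests the fleet should carry once patched.
ALLOWLIST = {hashlib.sha256(b).hexdigest() for b in (GOOD_SHIM, GOOD_GRUB)}

# Heuristic (assumption): installers never write a single grub.cfg token of a kilobyte or more.
MAX_TOKEN = 1024
TOKEN_RE = re.compile(rb'"[^"]*"|\'[^\']*\'|[^\s"\']+')
NON_TEXT_RE = re.compile(rb"[^\x09\x0a\x0d\x20-\x7e]")


def audit_grub_cfg(data: bytes, max_token: int = MAX_TOKEN) -> list:
    """Return human-readable findings for one grub.cfg body (empty list when it looks normal)."""
    findings = []
    if NON_TEXT_RE.search(data):
        findings.append("non-ASCII or control bytes present (tune if menu titles are localised)")
    for m in TOKEN_RE.finditer(data):
        if len(m.group()) > max_token:
            findings.append(f"oversized token of {len(m.group())} bytes at offset {m.start()}")
            break
    return findings


def audit_esp(esp: Path) -> dict:
    """Map each suspicious file (path relative to the ESP root) to its findings."""
    report = {}
    for path in sorted(p for p in esp.rglob("*") if p.is_file()):
        rel = path.relative_to(esp).as_posix()
        data = path.read_bytes()
        if path.suffix.lower() == ".efi":
            if hashlib.sha256(data).hexdigest() not in ALLOWLIST:
                report[rel] = ["binary hash not in allowlist"]
        elif path.name.lower() == "grub.cfg":
            findings = audit_grub_cfg(data)
            if findings:
                report[rel] = findings
    return report


def build_sample_esp() -> Path:
    """Create a constructed ESP in a temp dir: two good binaries, one tampered binary, one bad cfg."""
    root = Path(tempfile.mkdtemp(prefix="esp-"))
    (root / "EFI/BOOT").mkdir(parents=True)
    (root / "EFI/ubuntu").mkdir(parents=True)
    (root / "EFI/BOOT/BOOTX64.EFI").write_bytes(GOOD_SHIM)
    (root / "EFI/ubuntu/shimx64.efi").write_bytes(GOOD_SHIM)
    (root / "EFI/ubuntu/grubx64.efi").write_bytes(GOOD_GRUB + b"\x90")  # one appended byte
    cfg = b'set timeout=5\nmenuentry "Ubuntu" {\n  linux /vmlinuz root=/dev/sda2\n}\n'
    cfg += b"set junk=" + b"A" * 4096 + b"\n"  # oversized token: the pattern this hunt targets
    (root / "EFI/ubuntu/grub.cfg").write_bytes(cfg)
    return root


if __name__ == "__main__":
    for rel, findings in audit_esp(build_sample_esp()).items():
        print(rel, "->", "; ".join(findings))
```

    On a live Linux host, point audit_esp at the mounted ESP (commonly /boot/efi) and populate ALLOWLIST from the digests of the shim and GRUB binaries shipped in the patched packages. Whole-file SHA-256 is adequate for spotting a binary that differs from the package build; it is not the Authenticode hash that dbx revokes, so this check complements rather than replaces the revocation list.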

    The Eclypsium report is available here.



    Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.

  • World War II’s Indelible Influence on Technology | Technology

    At 8:15 a.m. local time on the morning of Aug. 6, 1945 the first atomic bomb — codenamed “Little Boy” — was dropped from the B-29 “Enola Gay” on the Japanese city of Hiroshima. It was the first of only two times an atomic weapon has been used in wartime, and while the event remains controversial even 75 years later, it was a testament to the technological progress that occurred during the Second World War.

    When the war broke out on Sept. 1, 1939 with Germany’s invasion of Poland, few could have expected the technological leaps that would occur over the next six years. Military historians have largely focused on the advancement in small arms, and the development of superior tanks and other killing machines, and for good reason.

    World War II was the first conflict to see the use of jet aircraft, although it wasn’t until the Korean War that jets actually went head-to-head against one another. WWII saw the introduction of the assault rifle and notably the missile.

    Yet, this most horrible of conflicts should also be remembered for how much progress was made during the war and can still be seen in the world today.

    The Manhattan Project

    Easily, the most significant advance during the Second World War was the ultra-secret project to develop the atomic bomb. It isn’t hyperbole to suggest that it truly involved the brightest minds on the planet.

    “The importance of the Manhattan Project as leaps forward in science and technology cannot be overstated,” said Dr. David J. Ulbrich, associate professor of military history at Norwich University.

    “The United States needed to win the race against Japan and Germany to create an atomic bomb,” Ulbrich told TechNewsWorld.

    “This wartime priority made the research and development process much faster than in peacetime,” he added. “Warfare thus created the ultimate crisis motivation and thus removed limits on money and resources that existed in peacetime.”

    A replica of the “Little Boy” atomic bomb in the collection of the National Museum of the United States Air Force. [Photo by Peter Suciu]


    The project involved several hundred thousand people — including those who pushed the brooms and guarded the scientists and other staff. It was also the most costly military undertaking at that point in history.

    “This entire project cost an estimated US$2 billion in 1940s dollars — which amounted to nearly one percent of all American expenditures of $300 billion during the Second World War,” explained Ulbrich.

    “That is a massive commitment of resources to a single weapon,” he noted. “During the Great Depression in the 1930s, the U.S. military could not even afford to provide small arms for training, nor could the U.S. military find the money for research and development of airplanes and warships.”

    More Than an American Effort

    It is easy today to think of American theoretical physicist J. Robert Oppenheimer leading the effort, and he is of course remembered for quoting the Bhagavad Gita to describe the explosion at the Trinity test site in New Mexico on July 16, 1945: “Now I am become Death, the destroyer of worlds.”

    The technology used to develop the bomb was notable, as well as the international effort to create it.

    “The Manhattan Project was a truly monumental and historic endeavor — the collaboration between governments, industry, and the science community, with the pointed goal of developing nuclear weapons during World War II, was unprecedented at the time, and actually spurred R&D in energy, technology, and other advanced sectors,” suggested Gilbert Michaud, assistant professor in the online Master of Public Administration Program at the Voinovich School of Leadership and Public Affairs at Ohio University.

    “For instance, lessons learned in nuclear fission in the 1940s helped, in part, lead to nuclear energy as a viable electricity generation asset in the 1950s and to this day,” Michaud told TechNewsWorld.

    The B-29 was the first bomber aircraft to feature a pressurized cabin, which allowed it to fly higher than previous bombers and avoid enemy anti-aircraft guns. This particular bomber, nicknamed “Bockscar” dropped the second atomic bomb — codenamed “Fat Man” — on Nagasaki on Aug. 9, 1945. The Japanese government surrendered unconditionally on Aug. 15. The aircraft is part of the collection of the National Museum of the United States Air Force. [Photo by Peter Suciu]


    The challenges of making an atomic bomb also involved many scientific questions, such as how neutrons could be made to split the nuclei of atoms into smaller fragments and cause chain reactions.

    “The challenges also involved technological questions about how to harness, control, and detonate the incredible power released by splitting the nuclei and causing the chain reactions,” said Ulbrich.

    The Birth of the Computer and More

    Had it not been for the Manhattan Project it is doubtful today’s Internet would exist, and not only because the Internet’s origins lay in ensuring that a decentralized computer network could survive an atomic attack. The project was also the catalyst for the development of computers.

    “The process of testing, observing, analyzing, replicating, and recording the science and technology behind the atomic bomb required new methods and devices to be created,” Ulbrich added. “For example, researchers needed to make faster and more accurate mathematical calculations than could be done by humans, and the computers provided the answer. Computers could make calculations around the clock with no worries about mistakes caused by fatigue or human errors.”

    Those early computers used during World War II were massive analog devices, but their success in the Manhattan Project and numerous other wartime activities ensured these machines could evolve in the post-war era.

    “Analog computers gave way to digital computers being developed later in the 1940s,” explained Ulbrich.

    “The science and technology developments used to split atoms for military purposes also laid the foundation for harnessing that same power for peaceful purposes in the post-World War II era,” he added.

    Other lessons from the Manhattan Project experiments further yielded non-military applications in medicine and science, such as cancer treatments using radiation, clearer understanding of photosynthesis, and increased understanding of radiation’s effects on the environment.

    “This is what we policy scholars call a ‘focusing event’ — basically referring to how a crisis, such as war, and the efforts of Manhattan Project in particular, worked to enhance attention, spark new developments, and accelerate new priorities,” said Michaud. “The Manhattan Project snowballed into the Atomic Energy Act of 1946, broader advancements in technology and electricity generation, and even the establishment of research sites that still operate today, such as the U.S. Department of Energy’s Oak Ridge National Laboratory in Tennessee.”

    On the Road

    Of course, the Manhattan Project was one — albeit a major — part of the effort to ensure victory over the evils of Nazi Germany and Imperial Japan. The “Arsenal of Democracy” was as much about the trucks as the tanks or guns. In fact, it must be noted that Germany’s invasion of the Soviet Union in 1941 was conducted with more horses than the French Emperor Napoleon had used in 1812.

    The United States didn’t rely on horses but instead on horsepower from GM, Ford, Chrysler and others. Those efforts cannot be overstated!

    “Many scholars have pointed to the 2-1/2-ton GMC as one of the primary contributors of the Allied success in World War II,” said John Adams-Graf, editor of Military Vehicles magazine.

    “Whereas the Germans may have perfected the ‘Blitzkrieg’ style of armored warfare, the Allies perfected moving armies over great distances,” Adams-Graf told TechNewsWorld.

    In addition, as the Germans discovered — most notably in the 1944 Battle of the Bulge offensive — tanks aren’t enough if you can’t keep them fueled. This is where the Allied trucks proved so crucial in keeping the troops supplied.

    While tanks fought the battles, it was trucks like this GMC that moved the soldiers and materials to the front. This example is in the collection of the National World War II Museum in New Orleans. [Photo by Peter Suciu]


    “An army that is based on armored vehicles requires a lot of fuel and support,” said Adams-Graf. “The farther out from their base of supply, the more vulnerable they became. Trucks made the longer lines of logistical support possible.”

    The Germans may not have had the trucks, but they did have the Autobahn, which American military planners saw — and it was also used as a blueprint for the national highway plan developed in the 1950s. Anyone taking a long road trip should remember that also is a result of innovations developed and studied during the war.

    Flying High

    Aircraft technology saw tremendous leaps and bounds during the Second World War, most notably in the development of jet aircraft.

    “Aircraft and weapons development advanced exponentially during World War II — major advancements included jet engines, guided bombs, air-to-air and surface-to-air missiles, cruise missiles, radar, and operational helicopters,” explained Jeff Duford, curator at the National Museum of the United States Air Force.

    It wasn’t just the ability to fly faster or to be better armed. Some of the technology truly created the era of the jetsetters and is what allowed tourists to explore the world like never before. But it meant overcoming a serious issue first.

    The German Me262 was one of the first successful jet fighter aircraft. While it didn’t change the outcome of WWII, it paved the way for jet fighters in the Cold War. This example is in the collection of the National Museum of the United States Air Force. [Photo by Peter Suciu]


    “As aircraft flew higher and higher, the limits of the human body at high altitude became an increasing problem,” Duford told TechNewsWorld.

    “In the 1930s, U.S. Army Air Corps personnel at Wright Field, Ohio developed solutions for this problem, one of which was cabin pressurization,” he added. “By the end of World War II, cutting-edge aircraft like the B-29 Superfortress were pressurized, which greatly increased crew comfort, efficiency, and endurance.”

    First Step to the Moon

    It would be another 25 years before Neil Armstrong took his first small step on the moon, but the giant leap arguably began in 1944 when Nazi Germany fielded its V-1 flying bombs, which were used in a terror campaign against London.

    Neither the V-1 nor its follow-up V-2 were the miracle weapons that turned the tide of war for the Germans, but the technology was used by both the Soviet and Americans in the early days of the space race.

    “On a practical level, German V-2 rockets in World War II foreshadowed the intercontinental ballistic missiles of the Cold War Era,” noted Ulbrich.

    “They also opened up possibilities of sending man-made vehicles outside the earth’s atmosphere and maybe even to the moon,” he added.

    “It’s fair to say that the German V-2 rocket of WWII was a technological ancestor of the giant Saturn rockets of NASA’s moon program,” suggested Dr. Douglas Lantry, historian at the National Museum of the United States Air Force.

    “[The rockets] shared the basic functional aspect of liquid propellants in large quantities mixed and ignited to create terrific thrust,” Lantry told TechNewsWorld.

    “Their most important difference was that the V-2 was a ballistic missile and a terror weapon, while the much more powerful multi-stage Saturn was a space launch vehicle used for peaceful exploration,” added Lantry.

    On a methodological level, the V-1 and V-2 programs also paved the way for new problem-solving processes.

    The German V2 rocket brought destruction to London, but the technology behind it helped bring a man to the moon. This captured example is in the collection of the National Museum of the United States Air Force. [Photo by Peter Suciu]


    “Germany’s engineers like Wernher von Braun took the knowledge and lessons during World War II and then applied those to bigger, more ambitious projects after the war ended,” said Ulbrich.

    “Yes, the engineers and scientists developed new gadgets, but more importantly than that, they adapted habits of mind that enabled them to think about bigger, faster, and farther innovations than the V-2 rocket’s 200-mile range, the 55-mile flight ceiling, and 3,850 miles per hour speed,” Ulbrich explained.

    That was really not that far of a leap to the bigger, faster rockets used during the Cold War.

    “Saturn benefited from the engineering, organizational, and promotional talent of von Braun, who also developed the V-2. Postwar research and development using vast American resources allowed von Braun to become the chief creator of rockets that sent astronauts to the moon,” said Lantry.

    From Swords to Plowshares

    The true lasting impact of the technological advances of the Second World War is seen in the ability to take commercial jets around the world, the ever-bigger cruise ships (at least if that industry is able to survive the Covid-19 pandemic) and of course in the massive skyscrapers seen in cities all over the globe.

    With peace came a new world of opportunity that led to the Internet and much more.

    “The incredible scientific and technological achievements during World War II opened people’s eyes about what could be developed or invented, given enough resources and commitment,” said Ulbrich.

    Simply put, no problem seemed too hard or too big to solve.

    “Scientists and engineers became what amounted to the high priests in a materialistic religion that worshipped gadgets and concepts,” added Ulbrich. “Other activities, such as improving manufacturing processes or building suburbs, interstate highway systems, and inexpensive houses, were also much easier to conceive.

    “During World War II, America figured ways to build 1,200 major warships, 300,000 aircraft, 675,000 ‘deuce and a half’ trucks, and 25 billion rounds of .30-caliber ammunition. Meanwhile, they researched and developed the atomic bomb. So, the post-war years saw Americans quickly put their wartime techniques to work in massive peacetime projects.”



    Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.

  • Australia unveils plan to force Google and Facebook to pay for news


    The Australian government has unveiled its plan to force tech giants such as Google and Facebook to pay news outlets for their content.

    Treasurer Josh Frydenberg said the “world-leading” draft code of conduct aimed to give publishers “a level playing field to ensure a fair go”.

    Many news outlets have shut or shed jobs this year amid falling profits.

    Facebook and Google strongly oppose the proposal, even suggesting they could walk away from Australia’s news market.

    Mr Frydenberg said the code of conduct – drafted by Australia’s competition regulator – would be debated by parliament.

    It could impose “substantial penalties” worth hundreds of millions of dollars on tech companies which fail to comply, he said.

    What’s in the draft code?

    The Australian Competition and Consumer Commission draft calls on tech companies to pay for content, though it does not define what that content is worth.

    It would allow news companies to negotiate as a bloc with tech giants for content which appears in their news feeds and search results.

    If negotiations fail, the matter could be arbitrated by the Australian Communications and Media Authority.

    The draft code covers other matters too, including notifying news companies of changes to algorithms.

    Penalties could be up to A$10m (£5m; $7m) per breach, or 10% of the company’s local turnover.

    The code will initially focus on Google and Facebook but could be expanded to other tech companies, the treasurer said.

    What are the arguments?

    Mr Frydenberg said: “Nothing less than the future of the Australian media landscape is at stake with these changes.”

    “Today’s draft legislation will draw the attention of many regulatory agencies and many governments around the world,” he said.

    Australia’s biggest media companies have lobbied hard for the proposal.

    It was a “watershed moment” in efforts to end “free-riding” by the tech companies, News Corp Australia executive chairman Michael Miller said on Friday.

    Google’s local managing director, Mel Silva, said the company was “deeply disappointed” and argued the move would discourage innovation.

    “The government’s heavy-handed intervention threatens to impede Australia’s digital economy and impacts the services we can deliver to Australians,” she said.

    Facebook has previously suggested it could remove Australian news from its platform if such requirements were imposed – arguing the cost to its business would be negligible.

    What next?

    The code of conduct will be subject to a month-long consultation period before being debated in parliament “shortly after” August, Mr Frydenberg said.

    If legislation is passed, the code is designed to be reviewed after a year.

  • Twitter bans ex-KKK leader David Duke

    Twitter has permanently banned white nationalist David Duke for repeatedly violating its rules about “hateful conduct”.

    The social network changed its policy in March and no longer lets people share links to articles that include “hateful content” or incite violence.

    The Anti-Defamation League (ADL), an anti-hate organisation, describes Duke as “perhaps America’s most well-known racist and anti-Semite”.

    He was banned from YouTube in June.

    Duke’s final tweet linked to an interview he had conducted with Germar Rudolf, who was convicted of Holocaust denial in Germany where it is a criminal offence.

    His penultimate tweet promised to expose the “systemic racism lie”, while another claimed to expose the “incitement of violence against white people” by Jewish-owned media.

    Duke founded the Knights of the Ku Klux Klan in the 1970s.

    He pleaded guilty to tax fraud in 2002 and spent a year in a US prison.

  • Coronavirus: Scotland developing its own contact-tracing app

    Scotland is developing its own coronavirus contact-tracing app, which it hopes to have ready for use in the autumn.

    It follows the failure of an NHS-branded app in England, which was trialled on the Isle of Wight.

    On Thursday, Northern Ireland became the first part of the UK to deploy a contact-tracing app.

    Both Scotland and Northern Ireland decided to adapt software already being used in the Republic of Ireland.

    Contact-tracing apps are designed to help prevent a second wave of the coronavirus.

    They work by logging when two people have been in close proximity to each other for a substantial period of time.

    If one of the users is later diagnosed as having the disease, an alert can be sent to others they have recently been close to, telling them that they should also get tested and/or self-isolate.

    In May, Apple and Google updated their mobile phone operating systems to include a framework for contact tracing.

    It carries the process out on the handsets themselves, making it more difficult for the authorities, or potentially hackers, to de-anonymise the records and use them for other ends.

    However, it means governments and epidemiologists also cannot access the data centrally to analyse it.
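    The trade-off in the last three paragraphs follows from where the matching happens. The following added example (not code from Apple, Google or Nearform) models the decentralised design: handsets broadcast identifiers derived from a key that never leaves the device, a diagnosed user uploads only that day key, and every other handset re-derives the identifiers locally and sums the minutes of contact. The identifier derivation (HMAC-SHA256 truncated to 16 bytes) is a deliberate simplification of the real scheme, which uses HKDF and AES; the 10-minute interval, the 15-minute exposure threshold and the four named handsets are assumptions of this example.

```python
"""Decentralised exposure matching of the kind the Apple-Google framework runs on the handset.

Added example, not code from Apple, Google or Nearform. The identifier derivation is a
simplification (HMAC-SHA256 truncated to 16 bytes) of the real HKDF/AES scheme; the
interval length, the exposure threshold and the scenario are assumptions.
"""
import hashlib
import hmac
import os

INTERVAL_MINUTES = 10
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MINUTES
EXPOSURE_THRESHOLD_MINUTES = 15


def rolling_id(day_key: bytes, interval: int) -> bytes:
    """Identifier a handset broadcasts during one interval; unlinkable to the key without the key."""
    msg = b"rolling-id" + interval.to_bytes(4, "little")
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


class DiagnosisServer:
    """Receives only the day keys of people who tested positive, never who met whom."""

    def __init__(self):
        self.published_keys = []

    def publish(self, day_key: bytes):
        self.published_keys.append(day_key)


class Handset:
    def __init__(self, owner: str):
        self.owner = owner
        self.day_key = os.urandom(16)  # stays on the device unless the owner reports positive
        self.observed = []             # (rolling_id, minutes) heard over Bluetooth

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.day_key, interval)

    def observe(self, rid: bytes, minutes: int):
        self.observed.append((rid, minutes))

    def report_positive(self, server: DiagnosisServer):
        server.publish(self.day_key)

    def check_exposure(self, server: DiagnosisServer) -> int:
        """Re-derive every published key's identifiers locally; return total matching contact minutes."""
        total = 0
        for key in server.published_keys:
            ids = {rolling_id(key, i) for i in range(INTERVALS_PER_DAY)}
            total += sum(minutes for rid, minutes in self.observed if rid in ids)
        return total


def meet(a: Handset, b: Handset, interval: int, minutes: int):
    """Two handsets within range each log the other's identifier for that interval."""
    a.observe(b.broadcast(interval), minutes)
    b.observe(a.broadcast(interval), minutes)


def run_scenario() -> dict:
    """Constructed day: Alice meets Bob for 20 min and Carol for 5 min, never Dave; Alice tests positive."""
    server = DiagnosisServer()
    alice, bob, carol, dave = (Handset(n) for n in ("alice", "bob", "carol", "dave"))
    meet(alice, bob, interval=40, minutes=10)
    meet(alice, bob, interval=41, minutes=10)
    meet(alice, carol, interval=60, minutes=5)
    meet(bob, dave, interval=90, minutes=30)  # unrelated to Alice's diagnosis, so never matches
    alice.report_positive(server)
    return {h.owner: h.check_exposure(server) >= EXPOSURE_THRESHOLD_MINUTES for h in (bob, carol, dave)}


if __name__ == "__main__":
    for owner, exposed in run_scenario().items():
        print(owner, "exposed" if exposed else "not exposed")
```

    The server in this model holds nothing but a list of keys; the contact graph exists only as scattered observations on individual phones, which is why neither an epidemiologist nor an intruder at the server can reconstruct who met whom. The cost is exactly the one the article notes: there is no central record to analyse.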

    [Video: What is contact tracing and how does it work?]

    England initially opted to design a centralised contact-tracing app, despite the Apple-Google framework being more widely supported by European countries.

    In June, after a trial on the Isle of Wight which highlighted significant shortcomings, England said it would switch to the Apple-Google model.

    Since Scotland is adapting the Republic of Ireland app, which uses the Apple-Google framework, it will also be compatible with the apps used in Northern Ireland and Gibraltar.

    Scotland’s Health Secretary Jeane Freeman said existing manual contact tracing would continue to be used alongside the app.

    “We also know that not everyone uses a mobile phone or will be able to access the app, which is why this software is very much there to complement existing contact-tracing methods,” she said.

    Scotland’s app will be developed by Nearform, which worked on the Republic of Ireland’s contact-tracing app.

  • Twitter hack: Staff tricked by phone spear-phishing scam


    The unprecedented hacking of celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company has confirmed.

    Spear-phishing is a targeted attack designed to trick people into handing out information such as passwords.

    Twitter said its staff were targeted through their phones.

    The successful attempt let attackers tweet from celebrity accounts and access their private direct messages.

    The accounts of Microsoft founder Bill Gates, Democratic presidential hopeful Joe Biden and reality star Kim Kardashian West were compromised, and shared a Bitcoin scam.

    It reportedly netted the scammers more than $100,000 (£80,000).

    The attack has raised concerns about the level of access that Twitter employees, and subsequently the hackers, have to user accounts.

    Twitter acknowledged that concern in its statement, saying that it was “taking a hard look” at how it could improve its permissions and processes.

    “Access to these tools is strictly limited and is only granted for valid business reasons,” the company said.

    Not all the employees targeted in the spear-phishing attack had access to the in-house tools, Twitter said – but they did have access to the internal network and other systems.

    Once the attackers had acquired user credentials to let them inside Twitter’s network, the next stage of their attack was much easier.

    They targeted other employees who had access to account controls.

    Analysis

    By Joe Tidy, cyber-security reporter

    Twitter isn’t clarifying whether or not their employees were duped by an email or a phone call. The consensus in the information security community is that it was the latter.

    Phone-call spear-phishing, commonly known as vishing, is bread and butter for the sort of hackers suspected of this attack.

    The criminals obtained the phone numbers of a handful of Twitter staff and, by using friendly persuasion and trickery, got them to hand over usernames and passwords that gave them an initial foothold into the internal system.


    As Twitter puts it, the scammers “exploited human vulnerabilities”. You can imagine how it possibly went:

    Hacker to Twitter employee: “Hi, I’m new to the department and I’ve locked myself out of the Twitter internal portal, can you do me a huge favour and give me the login again?”

    The fact that Twitter staff were susceptible to these basic attacks is embarrassing for a company built on being at the forefront of digital technology and internet culture.

    Twitter said the initial spear-phishing attempt happened on 15 July – the same day the accounts were compromised, suggesting the accounts were accessed within hours.

    “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” the company said.

    “This was a striking reminder of how important each person on our team is in protecting our service.”

    [Video: Technology explained: What is phishing?]

    Twitter did not state whether the attack involved voice calls, despite a previous report from Bloomberg stating that at least one Twitter employee was contacted by attackers through a phone call.

    Phishing is most commonly done by email and text message, encouraging recipients to click on links that take them to websites with fake log-in screens.

    Spear-phishing is a version of the scam targeted at one person or a specific company, and is usually heavily customised to make it more believable.