Cyber security news and services
Let’s Encrypt: OK, maybe nuking three million HTTPS certs at once was a tad ambitious. Let’s take time out
Earlier this week, the non-profit certificate authority, which issues HTTPS certs for free, announced a plan to disable some three million certificates tainted by a software bug. The programming blunder, in Let’s Encrypt’s automated certificate management software, affects users who create a certificate for a domain and then, some days later, create more related certificates – the code bungled the rechecking process that needed to take place. Website owners were told to fix their certs as soon as possible because mass revocation would begin on March 4, at 16:00 PT (00:00 UTC).
Let’s Encrypt to revoke 3 million certificates on March 4 due to software bug
Let’s Encrypt issued 3,048,289 TLS certificates without checking the CAA field for the requesting domain. More specifically, the bug impacted Boulder, the server software the Let’s Encrypt project uses to verify users and their domains before issuing a TLS certificate.
Source: zdnet.com
Eric Schmidt: I Used to Run Google. Silicon Valley Could Lose to China.
Dr. Schmidt is the chairman of the National Security Commission on Artificial Intelligence and the Defense Innovation Board. He is the former chairman and C.E.O. of Google. Silicon Valley leaders may be putting too much faith in the private sector to ensure U.S. global leadership in new technology.
America’s companies and universities innovate like no other places on earth. We are garage start-ups, risk-taking entrepreneurs and intrepid scholars exploring new advances in science and technology. But that is only part of the story.
Scientist sentenced to 2 years behind bars for stealing next-generation battery tech secrets
The intellectual property had an estimated value of $1 billion to the US company it belonged to. A Chinese scientist has been issued a prison sentence of two years for stealing next-generation battery technology from his US employer. The former associate scientist, Hongjin Tan, has also been ordered to pay $150,000 in restitution and will spend three years on supervised release, the US Department of Justice (DoJ) said on Thursday.
Here’s the File Clearview AI Has Been Keeping on Me, and Probably on You Too
We used the California Consumer Privacy Act to see what information the controversial facial recognition company has collected on me. What goes unsaid here is that Clearview claims to do these things by building an extremely large database of photos of ordinary U.S. citizens, who are not accused of any wrongdoing, and making that database searchable for the thousands of clients to whom it has already sold the technology. I am in that database, and you probably are too.
$1B to help telecom carriers to “rip and replace” Huawei and ZTE equipment
US Congress passed legislation offering $1 billion to help telecom carriers “rip and replace” equipment from Chinese giants Huawei and ZTE. On Thursday, US lawmakers passed legislation that plans to give $1 billion to telecom carriers to “rip and replace” equipment from Chinese tech giants Huawei and ZTE.
Source: securityaffairs.co
Swiss government submits criminal complaint over CIA Crypto spying scandal
The complaint in question is centered around Operation Rubicon, the focus of a recent investigation by the Washington Post, ZDF, and SRF into Swiss company Crypto AG. Crypto AG is a seller of encoded and encrypted devices deemed suitable — and secure enough — for confidential government communications. It is estimated that over 100 governments worldwide have been counted as Crypto AG clients over the course of decades.
Hackers Can Use Ultrasonic Waves to Secretly Control Voice Assistant Devices
Researchers have discovered a new means to target voice-controlled devices by propagating ultrasonic waves through solid materials in order to interact with and compromise them using inaudible voice commands without the victims’ knowledge. Called ‘SurfingAttack,’ the attack leverages the unique properties of acoustic transmission in solid materials — such as tables — to ‘enable multiple rounds of interactions between the voice-controlled device and the attacker over a longer distance and without the need to be in line-of-sight.’
Project Rubicon: The NSA Secretly Sold Flawed Encryption for Decades
There have been a few moments in the past few years when a conspiracy theory is suddenly demonstrated to be based in fact. Once upon a time, it was an absurd suggestion that the NSA had data taps in AT&T buildings across the country. Just as Snowden’s revelations confirmed those conspiracy theories, news in February confirmed some theories about Crypto AG, a Swiss cryptography vendor.
Karkoff 2020: a new APT34 espionage operation involves Lebanon Government
Experts from Cybaze/Yoroi Zlab spotted a new sample of the Karkoff implant that was employed in past campaigns associated with the Iran-linked APT34 group. In November 2018, researchers from Cisco Talos tracked and detailed a “DNSEspionage” campaign against targets in Lebanon and the UAE.
Coder charged in massive CIA leak portrayed as vindictive
A Manhattan jury heard conflicting portrayals of Joshua Schulte, a former CIA coder accused of sending the anti-secrecy group WikiLeaks a large portion of the agency’s computer hacking arsenal: tools the agency had used to conduct espionage operations overseas. Schulte left a trail of evidence despite learned attempts to erase his digital fingerprints, Assistant U.S. Attorney Matthew Laroche said in closing arguments. Schulte became disgruntled at the CIA, he said, and took meticulous steps to plan and cover up the 2016 theft.
Apple reportedly ditched plan for encrypted iCloud backup after FBI pressure
The company wanted to offer people end-to-end encryption for iCloud two years ago, according to Reuters. Apple reversed course on a plan to enable people to fully encrypt backups of their iPhone data on its iCloud service after the FBI aired concerns that it would hurt investigations, Reuters reported Tuesday. About two years ago, Apple reportedly told the FBI it wanted to make hacking its cloud storage service more difficult by offering people end-to-end encryption.
Pen Testing Ships
Partially driven by the upcoming inclusion of Cyber Security by the IMO (International Maritime Organisation), 2019 was a really busy year for maritime security testing at PTP. What can we all learn from a year of evaluating the security of ships? We’ve been involved in all sorts of ship testing; here are a few examples: What are the common (in)security themes we keep finding?
There is a distinct lack of understanding and interaction between IT and OT installers/engineers on board and in the yard. The OT systems are often accessible from the IT systems and vice versa, often through deliberate bypass of security features by those on board, or through poor design / poor password management / weak patch management.
Facial recognition company Clearview AI hit by data theft
The controversial facial recognition company Clearview AI has notified its customers that a bad actor had “gained unauthorized access” to its entire customer list, which includes some of the most powerful law enforcement agencies in the United States. According to the notification obtained by the Daily Beast, the stolen information includes customer names, the user accounts that the customers had set up, and even the number of searches that they ran through the service. Details are rather sparse about the nature of the incident and it’s not immediately clear how it unfolded.
FBI Says $140+ Million Paid to Ransomware
Through the analysis of collected ransomware bitcoin wallets and ransom notes, the FBI states that victims have paid over $140 million to ransomware operators over the past six years. At the RSA security conference this week, FBI Special Agent Joel DeCapua explained how he used bitcoin wallets and ransom notes that were collected by the FBI, shared by private partners, or found on VirusTotal to compute how much money was paid in ransom payments over 6 years. According to DeCapua, between 10/01/2013 and 11/07/2019 there have been approximately $144,350,000 in bitcoins paid to ransomware actors as part of a ransom.
Clearview AI loses entire database of faceprint-buying clients to hackers
Clearview AI, the controversial facial recognition startup that’s gobbled up more than three billion of our photos by scraping social media sites and any other publicly accessible nook and cranny it can find, has lost its entire list of clients to hackers – including details about its many law enforcement clients.
Source: sophos.com
FBI recommends using passphrases instead of complex passwords
The FBI suggests using longer passwords combining multiple words into a long string of at least 15 characters instead of short passwords with special characters. Recent guidance from the National Institute of Standards and Technology (NIST) highlights that password length is much more important than password complexity. The recommendations are part of the Protected Voices initiative launched by the FBI to help 2020 political campaigns and American voters protect against online foreign interference. The FBI, the Department of Homeland Security, and the Office of the Director of National Intelligence have provided guidance and information as part of the Protected Voices campaign.
European Commission has chosen the Signal app to secure its communications
The European Commission has decided to adopt the popular cross-platform encrypted messaging service Signal for its staff communications. The news was first reported earlier this month by the Politico website: a message issued on the commission’s internal messaging boards asked employees of the European Commission to use Signal. Of course, Signal has to be used only to send non-classified but sensitive information, because classified documents must be transmitted through more secure channels.
Zyxel 0day Affects its Firewall Products, Too
On Monday, networking hardware maker Zyxel released security updates to plug a critical security hole in its network attached storage (NAS) devices that is being actively exploited by crooks who specialize in deploying ransomware. Today, Zyxel acknowledged the same flaw is present in many of its firewall products. This week’s story on the Zyxel patch was prompted by the discovery that exploit code for attacking the flaw was being sold in the cybercrime underground for $20,000.
123 Million Records Leaked by Decathlon
It was reported yesterday that French sporting retail giant Decathlon leaked over 123 million records through an improperly secured ElasticSearch server, leaving customer and employee details exposed. The leak was spotted by security researchers Noam Rotem and Ran Locar at VPNmentor on 12th February, Decathlon were notified four days later, the leak was investigated, and the server pulled down shortly after.
Source: itsecurityguru.org