UK Cyber Security Agency Backs Apple, Amazon China Hack Denials

An anonymous reader quotes a report from Reuters: Britain’s national cyber security agency said on Friday it had no reason to doubt the assessments made by Apple and Amazon challenging a Bloomberg report that their systems contained malicious computer chips inserted by Chinese intelligence services. “We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple,” said the National Cyber Security Centre, a unit of Britain’s eavesdropping agency, GCHQ. AWS refers to Amazon Web Services, the company’s cloud-computing unit.

“The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us,” it said. Apple’s recently retired general counsel, Bruce Sewell, told Reuters he called the FBI’s then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Super Micro Computer, a hardware maker whose products Bloomberg said were implanted with malicious Chinese chips. “I got on the phone with him personally and said, ‘Do you know anything about this?,’” Sewell said of his conversation with Baker. “He said, ‘I’ve never heard of this, but give me 24 hours to make sure.’ He called me back 24 hours later and said ‘Nobody here knows what this story is about.’”

Will Chromebooks Someday Threaten Windows?

“There are signs that Chromebooks are a bigger long-term threat to Microsoft than you might imagine,” reports ITWorld, arguing that “long term, they’ll likely be a serious competitor.” The reason? Chromebooks sell big in education. They’ve unseated the Mac in schools. Two years ago, for the first time, Chromebooks outsold Macs in schools. Schools are a great market for Google, but Chromebooks are also Trojan horses. Children and teens use them for schoolwork and more. And when they get Chromebooks, they also get free subscriptions to Google’s G Suite of apps. If kids grow up using G Suite and Chromebooks, there’s a reasonable chance they’ll use them when they get older.

Where I live, in Cambridge, Mass., the public Cambridge Rindge and Latin High School gives out free Chromebooks to every one of the more than 2,000 teens in the school, in a bid to close the digital divide between families who can afford to buy computers for their children and those who can’t… Cambridge isn’t unique. According to a 2017 article in The New York Times, “More than half the nation’s primary- and secondary-school students — more than 30 million children — use Google education apps like Gmail and Docs… And Chromebooks, Google-powered laptops that initially struggled to find a purpose, are now a powerhouse in America’s schools. Today they account for more than half the mobile devices shipped to schools….”

Weak Passwords To Be Banned In California

The BBC has reported that default passwords such as “admin” and “password” will be illegal for electronics firms to use in California from 2020. The state has passed a law that sets higher security standards for net-connected devices made or sold in the region. It demands that each gadget be given a unique password when it is made. Before now, easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm.

Chinese Spy Chips

Anthony James is vice president at CipherCloud and former CMO at TrapX, whose researchers previously discovered the Chinese-generated Zombie Zero nation‐state sponsored Zero Day attack.

Apple Insiders Say Nobody Internally Knows What’s Going On With Bloomberg’s China Hack Story

An anonymous reader quotes a report from BuzzFeed News: Multiple senior Apple executives, speaking with BuzzFeed News on the condition of anonymity so that they could speak freely, all denied and expressed confusion with a report earlier this week that the company’s servers had been compromised by a Chinese intelligence operation. On Thursday morning, Bloomberg Businessweek published a bombshell investigation. The report — the result of more than a year of reporting and over 100 interviews with intelligence and company sources — alleged that Chinese spies compromised and infiltrated almost 30 U.S. companies including Apple and Amazon by embedding a tiny microchip inside company servers. Both Amazon and Apple issued uncharacteristically strong and detailed denials of Bloomberg’s claims.

Reached by BuzzFeed News, multiple Apple sources — three of them very senior executives who work on the security and legal teams — said that they are at a loss as to how to explain the allegations. These people described a massive, granular, and siloed investigation into not just the claims made in the story, but into unrelated incidents that might have inspired them. A senior security engineer directly involved in Apple’s internal investigation described it as “endoscopic,” noting they had never seen a chip like the one described in the story, let alone found one. “I don’t know if something like this even exists,” this person said, noting that Apple was not provided with a malicious chip or motherboard to examine. “We were given nothing. No hardware. No chips. No emails.” Equally puzzling to Apple execs is the assertion that it was party to an FBI investigation — Bloomberg wrote that Apple “reported the incident to the FBI.” A senior Apple legal official told BuzzFeed News the company had not contacted the FBI, nor had it been contacted by the FBI, the CIA, the NSA or any government agency in regards to the incidents described in the Bloomberg report. This person’s purview and responsibilities are of such a high level that it’s unlikely they would not have been aware of government outreach.

Burgerville Fast Food Chain Suffers Major Credit Card Breach

Thousands of Burgerville customers have been informed that critical credit and debit card information may have been compromised during a cyberattack in late August. The Vancouver-based fast-food chain says anyone who used plastic at its restaurants from September 2017 through last week should carefully watch their card statements for unauthorized charges. In addition, the chain recommends customers obtain a copy of their credit report to look for unauthorized information and consider freezing their credit. Commenting on the news are the following security experts:

UK Accuses GRU Of Cyberattacks

Yesterday the UK and several other nations released statements regarding the recent cyber-attacks, linking them to a foreign military unit that they say operates under different names, including Sednit.

2018 Flare-On Challenge Solutions

We are pleased to announce the conclusion of the fifth annual Flare-On Challenge. The numbers are in and we can safely say that this was by far the most difficult challenge we’ve ever hosted. We plan to reduce the difficulty next year, so it may be that the 114 people who solved this year’s challenge solved not only the most difficult Flare-On to date, but the most difficult Flare-On there ever will be. The prize for these amazing and dedicated Reverse Engineers is a magic decoder buckle and coin insert. It can be used to decode and encode secret messages using a pre-shared key. It is based on a crypto system known as a Diana Cipher. They will be shipping soon.

A strange spam, (Fri, Oct 5th)

So, the other day, I got one of the strangest e-mails I think I’ve ever received. We’ve talked about the spams where the attacker uses a password found from a previous password breach, but this one was even stranger. In this case, the author promised to stop spamming me if I would send a payment to a specific cryptocurrency wallet. I’m not sure about the business model behind this. Needless to say, I didn’t pay and I haven’t yet looked to see if anyone has sent money to that wallet. What I did was add a new spamassassin rule to send e-mails like these straight to the bit bucket. Can any of our readers explain this one to me? I know that we as security professionals often (unfairly and inappropriately) joke about users being the weakest link in our security programs (probably worth a diary of its own at some point), but even my parents wouldn’t fall for this one (or worst case, calling and asking me about it before they clicked). Have any of the rest of you seen this or any other really odd spam or extortion attempts? If you have specific e-mails you want to share with us use our contact form.

Elastic closed 94% up in first day of trading on NYSE, raised $252M at a $2.5B valuation in its IPO

When consumers think of search, they mainly think of Google, but under the hood of enterprises and other organizations, there are hundreds of other kinds of challenges that require search technology. Today, one of the bigger companies providing search functionality, Elastic, saw just how valuable that business can be, by way of a very strong debut as a public company. Elastic today opened up at $70, a pop of 94 percent on its initial public offering at $36 on Thursday night, and after an active day of trades, $70 is where it closed, too.