A backdoor that researchers found hiding inside open source code targeting four German companies was the work of a professional penetration tester. The tester was checking clients’ resilience against a new class of attacks that exploits public repositories used by millions of software projects worldwide. But it could have been bad. Very bad.
Dependency confusion is a new form of supply-chain attack that came to the forefront in March 2021, when a researcher demonstrated he could use it to execute unauthorized code of his choice on networks belonging to Apple, Microsoft, and 33 other companies. The researcher, Alex Birsan, received $130,000 in bug bounties and credit for developing the new attack form.
A few weeks later, a different researcher uncovered evidence that showed that Amazon, Slack, Lyft, Zillow, and other companies had been targeted in attacks that used the same technique. The release of more than 200 malicious packages into the wild indicated the attack Birsan devised appealed to real-world threat actors.
In the snowy streets of the north Ukrainian town of Trostyanets, the Russian missile system fires rockets every second. Tanks and military vehicles are parked on either side of the blasting artillery system, positioned among houses and near the town’s railway system. The weapon is not working alone, though. Hovering tens of meters above it and recording the assault is a Ukrainian drone. The drone isn’t a sophisticated military system, but a small, commercial machine that anyone can buy.
Since Vladimir Putin invaded Ukraine at the end of February, drones of all shapes and sizes have been used by both sides in the conflict. At one end of the scale are large military drones that can be used for aerial surveillance and to attack targets on the ground. In contrast, small commercial drones can be flown by people without any specific training and carried around in a suitcase-sized box. While both types of drones have been used in previous conflicts, the current scale of small, commercial drone use in Ukraine is unprecedented.
Drone videos shared and posted to social media depict the brutality of the war and reveal what has happened during battles. Drones have captured fighting in the destroyed Ukrainian city of Bucha, with lines of tanks moving around streets and troops moving alongside them. Commercial drones have helped journalists document the sheer scale of destruction in Kyiv and Mariupol, flying over burnt-out buildings that have been reduced to rubble.
For more than a decade, we’ve been promised that a world without passwords is just around the corner, and yet year after year, this security nirvana proves out of reach. Now, for the first time, a workable form of passwordless authentication is about to become available to the masses in the form of a standard adopted by Apple, Google, and Microsoft that allows for cross-platform and cross-service passkeys.
Password-killing schemes pushed in the past suffered from a host of problems. A key shortcoming was the lack of a viable recovery mechanism when someone lost control of phone numbers or physical tokens and phones tied to an account. Another limitation was that most solutions ultimately failed to be, in fact, truly passwordless. Instead, they gave users options to log in with a face scan or fingerprint, but these systems ultimately fell back on a password, and that meant that phishing, password reuse, and forgotten passcodes—all the reasons we hated passwords to begin with—didn’t go away.
What’s different this time is that Apple, Google, and Microsoft all seem to be on board with the same well-defined solution. Not only that, but the solution is easier than ever for users, and it’s less costly for big services like GitHub and Facebook to roll out. It has also been painstakingly devised and peer-reviewed by experts in authentication and security.
It’s not the kind of security discovery that happens often. A previously unknown hacker group used a novel backdoor, top-notch tradecraft, and software engineering to create an espionage botnet that was largely invisible in many victim networks.
The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims’ networks with unusual stealth. In cases where the group is ejected, it wastes no time reinfecting the victim environment and picking up where things left off. There are many keys to its stealth, including:
In a post, Mandiant researchers Doug Bienstock, Melissa Derr, Josh Madeley, Tyler McLellan, and Chris Gardner wrote: