An ambitious plan to tackle ransomware faces long odds
Miragec | Getty Images

Schools, hospitals, the City of Atlanta. Garmin, Acer, the Washington, DC, police. At this point no one is safe from the scourge of ransomware. Over the past few years, skyrocketing ransom demands and indiscriminate targeting have escalated, with no relief in sight. Today a recently formed public-private partnership is taking the first steps toward a coordinated response.

The comprehensive framework, overseen by the Institute for Security and Technology’s Ransomware Task Force, proposes a more aggressive public-private response to ransomware, rather than the historically piecemeal approach. Launched in December, the task force counts Amazon Web Services, Cisco, and Microsoft among its members, along with the Federal Bureau of Investigation, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and the United Kingdom’s National Crime Agency. Drawing from the recommendations of cybersecurity firms, incident responders, nonprofits, government agencies, and academics, the report calls on the public and private sectors to improve defenses, develop response plans, strengthen and expand international law enforcement collaboration, and regulate cryptocurrencies.

Specifics will matter, though, as will the level of buy-in from government bodies that can actually effect change. The US Department of Justice recently formed a ransomware-specific task force, and the Department of Homeland Security announced in February that it would expand its efforts to combat ransomware. But those agencies don’t make policy, and the United States has struggled in recent years to produce a truly coordinated response to ransomware.

“We need to start treating these issues as core national security and economic security issues, and not as little boutique issues,” says Chris Painter, a former Justice Department and White House cybersecurity official who contributed to the report as president of the Global Forum on Cyber Expertise Foundation. “I’m hopeful that we’re getting there, but it’s always been an uphill battle for us in the cyber realm trying to get people’s attention for these really big issues.”

Thursday’s report extensively maps the threat posed by ransomware actors and actions that could minimize the threat. Law enforcement faces an array of jurisdictional issues in tracking ransomware gangs; the framework discusses how the US could broker diplomatic relationships to involve more countries in ransomware response, and attempt to engage those that have historically acted as safe havens for ransomware groups.

“If we’re going after the countries that are not just turning a blind eye, but are actively endorsing this, it’ll pay dividends in addressing cybercrime far beyond ransomware,” Painter says. He admits that it won’t be easy, though. “Russia is always a tough one,” he says.

Some researchers are cautiously optimistic that if enacted the recommendations really could lead to increased collaboration between public and private organizations. “Larger task forces can be effective,” says Crane Hassold, senior director of threat research at the email security firm Agari. “The benefit of bringing the private sector into a task force is that we generally have a better understanding of the scale of the problem, because we see so much more of it every day. Meanwhile, the public sector is better at being able to take down smaller components of the cyberattack chain in a more surgical manner.”

The question, though, is whether the IST Ransomware Task Force and new US federal government organizations can translate the new framework into action. The report recommends the creation of an interagency working group led by the National Security Council, an internal US government joint ransomware task force, and an industry-led ransomware threat hub all overseen and coordinated by the White House.

“This really requires very decisive action at multiple levels,” says Brett Callow, a threat analyst at the antivirus firm Emsisoft. “Meanwhile frameworks are all well and good, but getting organizations to implement them is an entirely different matter. There are lots of areas where improvements can be made, but they are not going to be overnight fixes. It’ll be a long, hard haul.”

Callow argues that strict prohibitions on ransomware payments could be the closest thing to a panacea. If ransomware actors couldn’t make money off of the attacks, there would be no incentive to continue.

That solution, though, comes with years of baggage, especially given that critical organizations like hospitals and local governments may want the option of paying if dragging out an incident could disrupt basic services or even endanger human life. The framework stops short of taking a stand on the question of whether targets should be allowed to pay, but it advocates expanding resources so victims have alternatives.

While a framework offers a potential path forward, it does little to help with the urgency felt by ransomware victims today. Earlier this week, the ransomware gang Babuk threatened to leak 250 gigabytes of data stolen from the Washington Metropolitan Police Department—including information that could endanger police informants. No amount of recommendations will defuse that situation or the countless others that play out daily around the world.

Still, an ambitious, long-odds proposal is better than none at all. And the incentive to address the ransomware mess will only become greater with each new hack.

This story originally appeared on

Ford is adding artificial intelligence to its robotic assembly lines.

In 1913, Henry Ford revolutionized car-making with the first moving assembly line, an innovation that made piecing together new vehicles faster and more efficient. Some hundred years later, Ford is now using artificial intelligence to eke more speed out of today’s manufacturing lines.

At a Ford Transmission Plant in Livonia, Mich., the station where robots help assemble torque converters now includes a system that uses AI to learn from previous attempts how to wiggle the pieces into place most efficiently. Inside a large safety cage, robot arms wheel around grasping circular pieces of metal, each about the diameter of a dinner plate, from a conveyor and slot them together.

Ford uses technology from a startup called Symbio Robotics that looks at the past few hundred attempts to determine which approaches and motions appeared to work best. A computer sitting just outside the cage shows Symbio’s technology sensing and controlling the arms. Toyota and Nissan are using the same tech to improve the efficiency of their production lines.

The technology allows this part of the assembly line to run 15 percent faster, a significant improvement in automotive manufacturing where thin profit margins depend heavily on manufacturing efficiencies.

“I personally think it is going to be something of the future,” says Lon Van Geloven, production manager at the Livonia plant. He says Ford plans to explore whether to use the technology in other factories. Van Geloven says the technology can be used anywhere it’s possible for a computer to learn from feeling how things fit together. “There are plenty of those applications,” he says.

AI is often viewed as a disruptive and transformative technology, but the Livonia torque setup illustrates how AI may creep into industrial processes in gradual and often imperceptible ways.

Automotive manufacturing is already heavily automated, but the robots that help assemble, weld, and paint vehicles are essentially powerful, precise automatons that endlessly repeat the same task but lack any ability to understand or react to their surroundings.

Adding more automation is challenging. The jobs that remain out of reach for machines include tasks like feeding flexible wiring through a car’s dashboard and body. In 2018, Elon Musk blamed Tesla Model 3 production delays on the decision to rely more heavily on automation in manufacturing.

Researchers and startups are exploring ways for AI to give robots more capabilities, for example enabling them to perceive and grasp even unfamiliar objects moving along conveyor belts. The Ford example shows how existing machinery can often be improved by introducing simple sensing and learning capabilities.

“This is very valuable,” says Cheryl Xu, a professor at North Carolina State University who works on manufacturing technologies. She adds that her students are exploring ways that machine learning can improve the efficiency of automated systems.

One key challenge, Xu says, is that each manufacturing process is unique and will require automation to be used in specific ways. Some machine learning methods can be unpredictable, she notes, and increased use of AI introduces new cybersecurity challenges.

The potential for AI to fine-tune industrial processes is huge, says Timothy Chan, a professor of mechanical and industrial engineering at the University of Toronto. He says AI is increasingly being used for quality control in manufacturing, since computer vision algorithms can be trained to spot defects in products or problems on production lines. Similar technology can help enforce safety rules, spotting when someone is not wearing the correct safety gear, for instance.

Chan says the key challenge for manufacturers is integrating new technology into a workflow without disrupting productivity. He also says it can be difficult if the workforce is not used to working with advanced computerized systems.

This doesn’t seem to be a problem in Livonia. Van Geloven, the Ford production manager, believes that consumer gadgets such as smartphones and game consoles have made workers more tech savvy. And for all the talk about AI taking blue collar jobs, he notes that this isn’t an issue when AI is used to improve the performance of existing automation. “Manpower is actually very important,” he says.

This story originally appeared on

More US agencies potentially hacked, this time with Pulse Secure exploits
Getty Images

At least five US federal agencies may have experienced cyberattacks that targeted recently discovered security flaws that give hackers free rein over vulnerable networks, the US Cybersecurity and Infrastructure Security Agency said on Friday.

The vulnerabilities in Pulse Connect Secure, a VPN that employees use to remotely connect to large networks, include one that hackers had been actively exploiting before it was known to Ivanti, the maker of the product. The flaw, which Ivanti disclosed last week, carries a severity rating of 10 out of a possible 10. The authentication bypass vulnerability allows untrusted users to remotely execute malicious code on Pulse Secure hardware, and from there, to gain control of other parts of the network where it’s installed.

Federal agencies, critical infrastructure, and more

Security firm FireEye said in a report published on the same day as the Ivanti disclosure that hackers linked to China spent months exploiting the critical vulnerability to spy on US defense contractors and financial institutions around the world. Ivanti confirmed in a separate post that the zero-day vulnerability, tracked as CVE-2021-22893, was under active exploit.

In March, following the disclosure of several other vulnerabilities that have now been patched, Ivanti released the Pulse Connect Secure Integrity Tool, which streamlines the process of checking whether vulnerable Pulse Secure devices have been compromised. Following last week’s disclosure that CVE-2021-22893 was under active exploit, CISA mandated that all federal agencies run the tool.

“CISA is aware of at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorized access,” Matt Hartman, deputy executive assistant director at CISA, wrote in an emailed statement. “We are working with each agency to validate whether an intrusion has occurred and will offer incident response support accordingly.”

CISA said it’s aware of compromises of federal agencies, critical infrastructure entities, and private sector organizations dating back to June 2020.

They just keep coming

The targeting of the five agencies is the latest in a string of large-scale cyberattacks to hit sensitive government and business organizations in recent months. In December, researchers uncovered an operation that infected the software build and distribution system of network management tools maker SolarWinds. The hackers used their control to push backdoored updates to about 18,000 customers. Nine government agencies and fewer than 100 private organizations, including Microsoft, antivirus maker Malwarebytes, and Mimecast, received follow-on attacks.

In March, hackers exploiting newly discovered vulnerabilities in Microsoft Exchange compromised an estimated 30,000 Exchange servers in the US and as many as 100,000 worldwide. Microsoft said that Hafnium, its name for a group operating in China, was behind the attacks. In the days that followed, hackers not affiliated with Hafnium began infecting the already-compromised servers to install a new strain of ransomware.

Two other serious breaches have also occurred, one against the maker of the Codecov software developer tool and the other against the seller of Passwordstate, a password manager used by large organizations to store credentials for firewalls, VPNs, and other network-connected devices. Both breaches are serious because the hackers can use them to compromise the large number of customers of the companies’ products.

Ivanti said it’s helping to investigate and respond to exploits, which the company said have been “discovered on a very limited number of customer systems.”

“The Pulse team took swift action to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system, and we plan to issue a software update within the next few days,” a spokesperson added.

A giant Verizon 5G logo in an expo hall.
A Verizon booth at Mobile World Congress Americas in Los Angeles in September 2018.

US mobile customers are almost never able to connect to millimeter-wave networks even though the cellular industry and Verizon in particular have spent years hyping the fastest form of 5G.

AT&T and T-Mobile customers with devices capable of using millimeter-wave networks were connected to mmWave 5G only 0.5 percent of the time during the 90-day period between January 16 and April 15, 2021, according to an OpenSignal report released today. Even on Verizon, the carrier with the most aggressive rollout of mmWave 5G, users with compatible devices spent 0.8 percent of their time on the high-frequency network that uses its large capacity to provide faster speeds than low- and mid-band spectrum.

Average download speeds on mmWave 5G were 232.7Mbps for AT&T, 215.3Mbps for T-Mobile, and 692.9Mbps for Verizon. You can see the average time connected to mmWave 5G and the average speeds in these charts from OpenSignal:

The “average time connected to mmWave 5G” chart represents the percentage of time connected to mmWave among users who have a mmWave 5G-capable device and have connected to mmWave at least once, OpenSignal told Ars today. That means the numbers aren’t driven down by devices that simply aren’t new enough to use mmWave 5G—the percentages for all three major carriers are under 1 percent when evaluating users who definitely have devices compatible with the mmWave networks.

“In Opensignal’s analytics, we consistently see our Verizon mmWave 5G users experiencing a higher average time connected to mmWave 5G than users on the other US carriers,” the report said. “In this 90-day period, our Verizon users saw a mean time connected to mmWave 5G of 0.8 percent compared with 0.5 percent on AT&T and T-Mobile. However, despite Verizon appearing to be ahead this result actually represents a statistical tie because of overlapping confidence intervals with AT&T.” All three major carriers have “plenty of scope to increase the availability of mmWave 5G services,” the report noted.

Overall 5G availability between 11% and 33%

Another report released by OpenSignal today said that—when counting 5G on all spectrum bands, not just mmWave—5G was available 33.1 percent of the time on T-Mobile, 20.5 percent of the time on AT&T, and 11.2 percent of the time on Verizon.

OpenSignal’s speed-test apps “collect billions of individual measurements every day from over 100 million devices worldwide,” producing “the vast majority of our data via automated tests that run in the background,” the testing firm says.

Verizon’s lead in mmWave 5G is not surprising because “Verizon’s 5G deployment strategy has placed a strong emphasis on mmWave while T-Mobile has focused on its 600 MHz and its 2.5 GHz spectrum assets for 5G services, and AT&T has mainly used low-band for 5G so far,” OpenSignal said.

mmWave use could rise in summer

mmWave 5G was never likely to become the primary form of mobile connectivity because the high-frequency radio waves don’t travel far and are easily blocked by walls and other obstacles. The pandemic has also limited opportunities for people to connect to mmWave 5G because the technology makes the most sense in heavily populated outdoor areas and at large events.

“With the pandemic, large groups of people were not congregating as much in city centers, sports stadiums, or shopping malls—so we haven’t yet seen the full benefit of mmWave 5G services,” OpenSignal VP of Analysis Ian Fogg told Ars in response to our questions. “Additionally, we will likely see seasonal differences in the time users spend connected to mmWave, given that mmWave sites are mostly located outdoors.”

Fogg noted that “the physics of high-frequency mmWave spectrum bands means signals that originate outdoors tend to stay outdoors” and that people obviously spend more time outdoors in the summer than the winter. However, “when we see more mmWave deployed inside large buildings such as shopping malls or metro systems, seasonality will reduce,” he said.

Those caveats mean that it’s too early to write off mmWave 5G as a major player in mobile Internet use. But so far, mmWave 5G is barely making a ripple on US mobile connectivity, and it is not clear whether it will ever become a big factor for smartphone users. The technology could end up helping many home-Internet users get faster speeds through point-to-point connections, but most people would prefer a wired connection. Moreover, the emergence of SpaceX Starlink’s low Earth orbit satellite service may reduce interest in mmWave 5G for home Internet, and availability for Verizon’s 5G Home service is very limited.

Massive hype, then reality

Verizon claimed in July 2019 that “5G Ultra Wideband,” its marketing name for mmWave, “has the potential to drive broad, systemic transformation that not only benefits consumers and enterprises, but humanity as a whole.”

Verizon wrote, with perhaps some hyperbole:

5G promises more than just a faster download. The fifth generation of wireless represents a technological breakthrough that has been likened to prior Industrial Revolutions involving electricity, the steam engine, and the personal computer. It has the potential to be a watershed moment in history, one that will fundamentally change the way we live, work, learn and play. The leap from 3G to 4G was huge, but the one from 4G to 5G will likely be transformational, upending entire industries and creating new ones overnight.

Anything would be possible with Verizon’s mmWave 5G, the company claimed. “At the end of the day, 5G Ultra Wideband is about unparalleled digital experiences. If people can dream it, Verizon 5G Ultra Wideband can help deliver it.”

Verizon had launched mmWave 5G in April 2019 in “select areas” of Minneapolis and Chicago, but reviewers had trouble even finding a signal. Later that year, it became clear that Verizon 5G wasn’t capable of covering an entire NFL stadium or an NBA arena.

In April 2018, AT&T boasted of 5G trials that produced “gigabit wireless speeds on mmWave spectrum in both line-of-sight and some non-line-of-sight conditions.” AT&T claimed at the time that mobile 5G would “bring to life experiences like virtual reality, future driverless cars, immersive 4K video, and more.” The company said its mmWave 5G signals were strong enough to withstand “rain, snow, or other weather events” and to “penetrate materials such as significant foliage, glass, and even walls better than initially anticipated.”

But when AT&T finally launched 5G, it was using lower spectrum bands and producing only 4G-like speeds. AT&T also deliberately tried to confuse customers by renaming its 4G LTE-Advanced service “5G E.”

5G hype used for lobbying and deregulation

Beginning in 2018, T-Mobile used the promise of 5G to lobby for government approval of its acquisition of Sprint, and then-Federal Communications Commission Chairman Ajit Pai claimed the need for 5G justified deregulation and big reductions in fees paid by carriers to local governments.

But Verizon said that Pai overturning local rules and fees would have no impact on the pace of its 5G rollout. T-Mobile was publicly casting doubt on the usefulness of mmWave 5G by at least April 2019, when Chief Technology Officer Neville Ray wrote that millimeter-wave spectrum used for 5G “will never materially scale beyond small pockets of 5G hotspots in dense urban environments.” Verizon subsequently acknowledged that mmWave isn’t for widespread coverage.

Verizon had to tamp down 5G claims

In July 2020, Light Reading wrote that “Verizon appears to be the only US operator with plans to significantly expand its 5G network in millimeter wave (mmWave) spectrum,” as T-Mobile and AT&T weren’t showing much enthusiasm for the high-frequency radio waves.

While 5G is deployed on a mix of low to high-frequency spectrum, Verizon said in May 2020 that non-mmWave 5G would only provide small improvements compared to 4G in the near term. Verizon said that customers will eventually see “dramatic improvements” but didn’t say when that would happen.

In July 2020, after a complaint from AT&T to the advertising industry’s self-regulating body, Verizon reluctantly agreed to stop running ads that falsely implied the carrier’s 5G mobile service was available throughout the United States. The National Advertising Division said that during its investigation, Verizon did not dispute that its “5G coverage is primarily restricted to outdoor locations in certain neighborhoods and varies from block to block.”

Verizon has since launched 5G more broadly on the same spectrum bands used for 4G. But Verizon is now in third place in average 5G download speed, according to OpenSignal.

“Our T-Mobile users saw average 5G download speeds of 71.3Mbps, ahead of AT&T users’ score of 54.9Mbps and Verizon on 47.7Mbps,” OpenSignal’s 5G report said. “Our T-Mobile users’ average 5G download speed has increased by an impressive 13.2Mbps compared to our January 5G report, while our users on AT&T and Verizon saw their average speeds more or less stationary at 54.9Mbps and 47.7Mbps, respectively.”

Including both 5G and previous-generation networks, average download speeds were 33.2Mbps on AT&T, 28.9Mbps on Verizon, and 28.8Mbps on T-Mobile, an OpenSignal report in January 2021 found. While T-Mobile leads the three carriers in overall 5G availability at 33.1 percent, OpenSignal’s January report found that 4G was available between 96 and 98 percent of the time on all three major carriers.

A woman watches a mask—a part used in wafer conception—at a show room of the 12-inch United Microelectronics Corp (UMC) factory in Tainan, southern Taiwan.
Sam Yeh | Getty

United Microelectronics Corporation (UMC), the world’s fourth-largest contract chipmaker, is expanding its capacity to produce mature technology chips in exchange for financial guarantees, in response to the shortage gripping the global semiconductor supply chain.

UMC said it would add capacity for manufacturing 20,000 wafers a month at 28 nm, one of the process technology nodes worst-hit by the global chip shortage, at an existing fabrication plant, or “fab,” in Tainan.

The investment will drive up the company’s capital spending for this year by 53 percent to $2.3 billion, but it is made under a deal that commits several of UMC’s largest customers to pay deposits upfront and guarantee certain orders at a fixed price.

The deal is highly unusual for contract chipmakers. The flexibility to allocate capacity to orders from different customers has long been a cornerstone of their profitability.

But that model has come under fire as first automakers and now a growing range of other sectors have been unable to secure enough chips from foundries such as UMC and Taiwan Semiconductor Manufacturing Company (TSMC), the global industry leader.

UMC said the deal was an “innovative, win-win” arrangement. “This will strengthen our financial position to capture the market opportunity,” Jason Wang, UMC president, told investors.

TSMC said this month it would invest $100 billion in new capacity over three years. Intel recently announced a $20 billion investment program under which it wants to challenge TSMC in offering contract chipmaking services.

But the global chip shortage is expected to continue unabated. UMC said its capacity utilization rate was 100 percent in the first quarter and would remain there for the time being. The company expects average selling prices of its chips to rise 10 percent this year compared with 2020.

“There is a supply-demand imbalance in mature nodes,” said Liu Chi-tung, UMC chief financial officer. “We have seen lots of capacity expansion in advanced nodes, but companies have not addressed the mature nodes. There are lots of critical components on those nodes.”

SK Hynix, the world’s second-largest memory chipmaker, plans to bring forward some of its planned capital expenditure for next year to the second half of this year to meet surging chip demand.

The South Korean company said on Wednesday that demand was stronger than expected and forecast the imbalance in demand and supply to worsen in coming quarters. It expects D-Ram chip supplies to remain tight throughout the year and forecast a faster than expected recovery in demand and prices for Nand memory chips.

While the UMC deal is aimed at battling the shortage, it is expected to take at least two years to take shape, highlighting the depth of the constraints on the semiconductor supply chain.

Although the fab dedicated for the capacity expansion already exists, mass production is expected to start only in the second quarter 2023 because key tools are in short supply too. “We are working with our suppliers. There is a lead time for equipment,” Wang said.

© 2021 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way.

Ransomware attack on DC Police threatens safety of cops and informants
Getty Images

Ransomware operators have delivered a stunning ultimatum to Washington, DC’s Metropolitan Police Department: pay them $50 million or they’ll leak the identities of confidential informants to street gangs.

Babuk, as the group calls itself, said on Monday that it had obtained 250GB of sensitive data after hacking the MPD network. The group’s site on the darkweb has posted dozens of images of what appear to be sensitive MPD documents. One screenshot shows a Windows directory titled Disciplinary Files. Each of the 28 files shown lists a name. A check of four of the names shows they all belong to MPD officers.

Other images appeared to show persons-of-interest names and photos, a screenshot of a folder named Gang Database, chief’s reports, lists of arrests, and a document listing the name and address of a confidential informant.

“Drain the informants”

“We advise [sic] you to contact us as soon as possible, to prevent leakage,” a post on the site says. “If no response is received within 3 days, we will start to contact gangs in order to drain the informants.”

In an email, MPD Public Information Officer Hugh Carew wrote: “We are aware of unauthorized access on our server. While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.” Carew didn’t answer questions seeking additional details about the breach.

In a videotaped message published on Tuesday night, Metropolitan Police Chief Robert J. Contee III said that with the assistance of local and federal partners, MPD has identified and blocked the mechanism that allowed the intrusion. He provided no new details about the breach or the ongoing investigation into it.

“Our partners are currently fully engaged in assessing the scope and impact,” he said. “In the course of the review, if it is discovered that personal information of our members or others was compromised, we will follow up with that information.”

The chief then went on to encourage people to “maintain good cyber hygiene.”

As bad as it gets

The incident underscores the growing brazenness of ransomware operators. Once content with merely locking up victims’ data and demanding a ransom in exchange for the key, they eventually introduced a dual-revenue model that charged for the key but also promised to publish sensitive documents online unless the ransom was paid. In recent weeks, at least one gang has started contacting customers and suppliers of victims to warn them their data may be spilled if the victims don’t pay up.

Threatening to identify confidential informants to organized criminal gangs—as Babuk appears to be doing now—hits a new low, said Brett Callow, a threat analyst who follows ransomware at security firm Emsisoft.

“That’s as bad as it gets,” he told Ars. “Can you imagine the potential for lawsuits if an informant were to be harmed as a direct result of the breach?”

Babuk is a relatively new ransomware enterprise that appeared in January. Not much is known about the group other than it has Russian-speaking team members, and Emsisoft researchers found a severe bug in the group’s decryptor software that caused data loss. The group’s darkweb site claims to have breached almost a dozen other companies.

Last week, a US Justice Department memo showed the agency convening a new task force to respond to the recent surge in ransomware attacks, particularly on hospitals and other critical US organizations. Acting Deputy Attorney General John Carlin will lead the task force, which is made up of agents and prosecutors from the FBI and Justice Department.

The leak might pose a threat not just to confidential informants but also to ongoing investigations. Federal prosecutors last year dropped narcotics charges against six suspects after crucial evidence was destroyed in a ransomware infection.

Actively exploited Mac 0-day neutered core OS security defenses
Getty Images

When Apple released macOS 11.3 on Monday, it didn’t just introduce new features and optimizations. More importantly, the company fixed a zero-day vulnerability that hackers were actively exploiting to install malware without triggering core Mac security mechanisms, some of which have been in place for more than a decade.

Together, the defenses provide a comprehensive set of protections designed to prevent users from inadvertently installing malware on their Macs. While one-click and even zero-click exploits rightfully get lots of attention, it’s far more common to see trojanized apps that disguise malware as a game, update, or other desirable piece of software.

Protecting users from themselves

Apple engineers know that trojans represent a bigger threat to most Mac users than more sophisticated exploits that surreptitiously install malware with minimal or no interaction from users. So a core part of Mac security rests on three related mechanisms:

  • File Quarantine requires explicit user confirmation before a file downloaded from the Internet can execute.
  • Gatekeeper blocks the installation of apps unless they’re signed by a developer known to Apple.
  • Mandatory App Notarization permits apps to be installed only after Apple has scanned them for malware.

Earlier this year, a piece of malware well known to Mac security experts began exploiting a vulnerability that allowed it to completely suppress all three mechanisms. Called Shlayer, it has an impressive record in the three years since it appeared.

Last September, for instance, it managed to pass the security scan that Apple requires for apps to be notarized. Two years ago, it was delivered in a sophisticated campaign that used novel steganography to evade malware detection. And last year, Kaspersky said Shlayer was the most detected Mac malware by the company’s products, with almost 32,000 different variants identified.

Clever evasion

Shlayer’s exploitation of the zero-day, which started no later than January, represented yet another impressive feat. Rather than using the standard Mach-O format for a Mac executable, the executable component in this attack was a shell script (the macOS equivalent of a bash script), which runs a series of commands in a particular order.

Normally, scripts downloaded from the Internet are classified as application bundles and are subject to the same requirements as other types of executables. A simple hack, however, allowed scripts to completely shirk those requirements.

By removing the Info.plist—a structured text file that maps the location of the files the bundle depends on—the script no longer registered as an executable bundle to macOS. Instead, the file was treated as a PDF or other type of non-executable file that wasn’t subject to Gatekeeper and the other mechanisms.
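As an added defender-side example (not Wardle’s script and not Apple tooling), this Python walks a folder for .app bundles that show the shape described above: no Contents/Info.plist and a shell script where a Mach-O executable would normally sit. The Mach-O magic values are real; the two sample bundles it builds in a temporary directory are constructed.

```python
import os
import tempfile
from pathlib import Path

# Magic numbers for Mach-O (32/64-bit, either byte order) and fat/universal binaries.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def executable_kind(path) -> str:
    """Classify a bundle's main executable by its first four bytes."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head in MACHO_MAGICS:
        return "mach-o"
    if head.startswith(b"#!"):
        return "script"
    return "unknown"


def inspect_bundle(app) -> list:
    """Return the properties that make this bundle resemble the Shlayer variant."""
    app = Path(app)
    findings = []
    contents = app / "Contents"
    if not (contents / "Info.plist").is_file():
        findings.append("missing Contents/Info.plist")
    macos_dir = contents / "MacOS"
    if macos_dir.is_dir():
        for exe in macos_dir.iterdir():
            if exe.is_file() and executable_kind(exe) == "script":
                findings.append(f"script main executable: {exe.name}")
    return findings


def find_suspicious_bundles(root) -> dict:
    """Walk `root` and report .app bundles that have no Info.plist AND whose
    Contents/MacOS executable is a script. Returns {bundle_path: [findings]}."""
    hits = {}
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if not name.endswith(".app"):
                continue
            bundle = Path(dirpath) / name
            findings = inspect_bundle(bundle)
            if ("missing Contents/Info.plist" in findings
                    and any(f.startswith("script") for f in findings)):
                hits[str(bundle)] = findings
    return hits


def make_demo_tree() -> str:
    """Build a constructed Downloads folder: one benign and one suspicious bundle."""
    root = tempfile.mkdtemp(prefix="downloads_")
    # Benign: Info.plist present, Mach-O main executable (64-bit magic plus padding).
    good = Path(root) / "Good.app" / "Contents"
    (good / "MacOS").mkdir(parents=True)
    (good / "Info.plist").write_text('<plist version="1.0"><dict/></plist>\n')
    (good / "MacOS" / "Good").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)
    # Suspicious: no Info.plist, and the main "executable" is a shell script.
    bad = Path(root) / "Resume.app" / "Contents"
    (bad / "MacOS").mkdir(parents=True)
    (bad / "MacOS" / "Resume").write_text("#!/bin/sh\necho 'constructed sample'\n")
    return root


if __name__ == "__main__":
    for bundle, why in find_suspicious_bundles(make_demo_tree()).items():
        print(bundle, "->", "; ".join(why))
```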

One of the attacks began with the display of an ad for a fake Adobe Flash update:


The videos below show what a big difference the exploit made once someone took the bait and clicked download. The video immediately below depicts what the viewer saw with the restrictions removed. The one below that shows how much more suspicious the update would have looked had the restrictions been in place.

Shlayer attack with exploit of CVE-2021-30657.
Shlayer attack without exploit of CVE-2021-30657.

The bug, which is tracked as CVE-2021-30657, was discovered and reported to Apple by security researcher Cedric Owens. He said he stumbled upon it as he was using a developer tool called Appify while performing research for a “red team” exercise, in which hackers simulate a real attack in an attempt to find previously overlooked security weaknesses.

“I found that Appify was able to turn a shell script into a double clickable ‘app’ (really just a shell script inside of the macOS app directory structure but macOS treated it as an app),” he wrote in a direct message. “And when executed it bypasses Gatekeeper. I actually reported it pretty quickly after discovering it and did not use it in a live red team exercise.”

Apple fixed the vulnerability with Monday’s release of macOS 11.3. Owens said that the flaw appears to have existed since the introduction of macOS 10.15 in June 2019, which is when notarization was introduced.

Owens discussed the bug with Patrick Wardle, a Mac security expert who previously worked at Jamf, a Mac enterprise security provider. Wardle then reached out to Jamf researchers, who uncovered the Shlayer variant that was exploiting the vulnerability before it was known to Apple or most of the security world.

“One of our detections alerted us to this new variant, and upon closer inspection we discovered its use of this bypass to allow it to be installed without an end user prompt,” Jamf researcher Jaron Bradley told me. “Further analysis leads us to believe that the developers of the malware discovered the zeroday and adjusted their malware to use it, in early 2021.”

Wardle developed a proof-of-concept exploit that showed how the Shlayer variant worked. After being downloaded from the Internet, the executable script appears as a PDF file named Patrick’s Resume. Once someone double-clicks on the file, it launches a file called The exploit could just as easily execute a malicious file.


In a 12,000-word deep-dive that delves into the causes and effects of the exploits, Wardle concluded:

Though this bug is now patched, it clearly (yet again) illustrates that macOS is not impervious to incredibly shallow, yet hugely impactful flaws. How shallow? Well, the fact that a legitimate developer tool (appify) would inadvertently trigger the bug is beyond laughable (and sad).

And how impactful? Basically macOS security (in the context of evaluating user-launched applications, which, recall, accounts for the vast majority of macOS infections) was made wholly moot.

Bradley published a post that recounted how the exploit looked and worked.

Many people consider malware like Shlayer unsophisticated because it relies on tricking its victims. To give Shlayer its due, the malware is highly effective, in large part because of its ability to suppress macOS defenses designed to tip off users before they accidentally infect themselves. Those who want to know if they’ve been targeted by this exploit can download this Python script written by Wardle.


The US Department of Defense puzzled Internet experts by apparently transferring control of tens of millions of dormant IP addresses to an obscure Florida company just before President Donald Trump left the White House, but the Pentagon has finally offered a partial explanation for why it happened. The Defense Department says it still owns the addresses but that it is using a third-party company in a “pilot” project to conduct security research.

“Minutes before Trump left office, millions of the Pentagon’s dormant IP addresses sprang to life,” was the title of a Washington Post article on Saturday. Literally three minutes before Joe Biden became president, a company called Global Resource Systems LLC “discreetly announced to the world’s computer networks a startling development: It now was managing a huge unused swath of the Internet that, for several decades, had been owned by the US military.”

The number of Pentagon-owned IP addresses announced by the company rose to 56 million by late January and 175 million by April, making it the world’s largest announcer of IP addresses in the IPv4 global routing table.

“The theories were many,” the Post article said. “Did someone at the Defense Department sell off part of the military’s vast collection of sought-after IP addresses as Trump left office? Had the Pentagon finally acted on demands to unload the billions of dollars worth of IP address space the military has been sitting on, largely unused, for decades?”

The Post said it got an answer from the Defense Department on Friday in the form of a statement from the director of “an elite Pentagon unit known as the Defense Digital Service.” The Post wrote:

Brett Goldstein, the DDS’s director, said in a statement that his unit had authorized a “pilot effort” publicizing the IP space owned by the Pentagon.

“This pilot will assess, evaluate, and prevent unauthorized use of DoD IP address space,” Goldstein said. “Additionally, this pilot may identify potential vulnerabilities.”

Goldstein described the project as one of the Defense Department’s “many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated.”

“SWAT team of nerds”

The 6-year-old DDS consists of “82 engineers, data scientists, and computer scientists” who “worked on the much-publicized ‘hack the Pentagon’ program” and a variety of other projects tackling some of the hardest technology problems faced by the military, a Department of Defense article said in October 2020. Goldstein has called the unit a “SWAT team of nerds.”

The Defense Department did not say what the unit’s specific objectives are in its project with Global Resource Systems, “and Pentagon officials declined to say why Goldstein’s unit had used a little-known Florida company to carry out the pilot effort rather than have the Defense Department itself ‘announce’ the addresses through BGP [Border Gateway Protocol] messages—a far more routine approach,” the Post said.

Still, the government’s explanation piqued the interest of Doug Madory, director of Internet analysis at network-security company Kentik.

“I interpret this to mean that the objectives of this effort are twofold,” Madory wrote in a blog post Saturday. “First, to announce this address space to scare off any would-be squatters, and secondly, to collect a massive amount of background Internet traffic for threat intelligence.”

New company remains mysterious

The Washington Post and Associated Press weren’t able to dig up many details about Global Resource Systems. “The company did not return phone calls or emails from The Associated Press. It has no web presence, though it has the domain,” an AP story yesterday said. “Its name doesn’t appear on the directory of its Plantation, Florida, domicile, and a receptionist drew a blank when an AP reporter asked for a company representative at the office earlier this month. She found its name on a tenant list and suggested trying email. Records show the company has not obtained a business license in Plantation.” The AP apparently wasn’t able to track down people associated with the company.

The AP said that the Pentagon “has not answered many basic questions, beginning with why it chose to entrust management of the address space to a company that seems not to have existed until September.” Global Resource Systems’ name “is identical to that of a firm that independent Internet fraud researcher Ron Guilmette says was sending out email spam using the very same Internet routing identifier,” the AP continued. “It shut down more than a decade ago. All that differs is the type of company. This one’s a limited liability corporation. The other was a corporation. Both used the same street address in Plantation, a suburb of Fort Lauderdale.”

The AP did find out that the Defense Department still owns the IP addresses, saying that “a Defense Department spokesman, Russell Goemaere, told the AP on Saturday that none of the newly announced space has been sold.”

Bigger than China Telecom and Comcast

Network experts were stumped by the emergence of Global Resource Systems for a while. Madory called it “a great mystery.”

At 11:57 am EST on January 20, three minutes before the Trump administration officially came to an end, “[a]n entity that hadn’t been heard from in over a decade began announcing large swaths of formerly unused IPv4 address space belonging to the US Department of Defense,” Madory wrote. Global Resource Systems is labeled AS8003 and GRS-DOD in BGP records.

Madory wrote:

By late January, AS8003 was announcing about 56 million IPv4 addresses, making it the sixth largest AS [autonomous system] in the IPv4 global routing table by originated address space. By mid-April, AS8003 dramatically increased the amount of formerly unused DoD address space that it announced to 175 million unique addresses.

Following the increase, AS8003 became, far and away, the largest AS in the history of the Internet as measured by originated IPv4 space. By comparison, AS8003 now announces 61 million more IP addresses than the now-second biggest AS in the world, China Telecom, and over 100 million more addresses than Comcast, the largest residential Internet provider in the US.

In fact, as of April 20, 2021, AS8003 is announcing so much IPv4 space that 5.7 percent of the entire IPv4 global routing table is presently originated by AS8003. In other words, more than one out of every 20 IPv4 addresses is presently originated by an entity that didn’t even appear in the routing table at the beginning of the year.

In mid-March, “astute contributors to the NANOG listserv highlighted the oddity of massive amounts of DoD address space being announced by what appeared to be a shell company,” Madory noted.
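A way to compute the metric Madory ranks ASes by above, originated IPv4 space per origin AS with nested or overlapping prefixes counted once and the AS’s share of the whole table, as an added example that is not Kentik’s code. The routes and AS numbers (documentation ASNs and private or documentation ranges) are constructed stand-ins and do not reproduce the AS8003 figures.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a routing-table dump: (prefix, origin AS) pairs.
# 64496-64498 are documentation ASNs; the prefixes are private/documentation ranges.
SAMPLE_ROUTES = [
    ("10.0.0.0/8", 64496),
    ("10.128.0.0/9", 64496),      # nested inside the /8: must be counted once
    ("172.16.0.0/12", 64496),
    ("172.16.0.0/16", 64496),     # nested again
    ("100.64.0.0/10", 64497),
    ("203.0.113.0/24", 64498),
]


def _networks(routes, asn=None):
    """ip_network objects for all routes, or only those originated by `asn`."""
    return [ipaddress.ip_network(p) for p, a in routes if asn is None or a == asn]


def unique_addresses(networks) -> int:
    """Addresses covered by a list of prefixes, merging overlaps and nesting."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(networks))


def originated_space(routes) -> dict:
    """Unique IPv4 addresses originated by each AS ("originated address space")."""
    per_as = defaultdict(list)
    for prefix, asn in routes:
        per_as[asn].append(ipaddress.ip_network(prefix))
    return {asn: unique_addresses(nets) for asn, nets in per_as.items()}


def largest_originators(routes, top=3) -> list:
    """(asn, address count) pairs, largest originator first."""
    space = originated_space(routes)
    return sorted(space.items(), key=lambda kv: kv[1], reverse=True)[:top]


def share_of_table(routes, asn) -> float:
    """Fraction of all addresses in the table that `asn` originates
    (the kind of figure behind the "5.7 percent" statement above)."""
    return originated_space(routes)[asn] / unique_addresses(_networks(routes))


if __name__ == "__main__":
    for asn, count in largest_originators(SAMPLE_ROUTES):
        share = share_of_table(SAMPLE_ROUTES, asn)
        print(f"AS{asn}: {count:,} addresses ({share:.1%} of the table)")
```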

DoD has “massive ranges” of IPv4 space

The Defense Department “was allocated numerous massive ranges of IPv4 address space” decades ago, but “only a portion of that address space was ever utilized (i.e. announced by the DoD on the Internet),” Madory wrote. Expanding on his point that the Defense Department may want to “scare off any would-be squatters,” he wrote that “there is a vast world of fraudulent BGP routing out there. As I’ve documented over the years, various types of bad actors use unrouted address space to bypass blocklists in order to send spam and other types of malicious traffic.”

On the Defense Department’s goal of collecting “background Internet traffic for threat intelligence,” Madory noted that “there is a lot of background noise that can be scooped up when announcing large ranges of IPv4 address space.”

Potential routing problems

The emergence of previously dormant IP addresses could lead to routing problems. In 2018, AT&T unintentionally blocked its home-Internet customers from Cloudflare’s new DNS service because the Cloudflare service and the AT&T gateway were using the same IP address of

Madory wrote:

For decades, Internet routing operated with a widespread assumption that ASes didn’t route these prefixes on the Internet (perhaps because they were canonical examples from networking textbooks). According to their blog post soon after the launch [of DNS resolver], Cloudflare received “~10Gbps of unsolicited background traffic” on their interfaces.

And that was just for 512 IPv4 addresses! Of course, those addresses were very special, but it stands to reason that 175 million IPv4 addresses will attract orders of magnitude more traffic [from] misconfigured devices and networks that mistakenly assumed that all of this DoD address space would never see the light of day.

Madory’s conclusion was that the new statement from the Defense Department “answers some questions,” but “much remains a mystery.” It isn’t clear why the Defense Department didn’t simply announce the address space itself instead of using an obscure outside entity, and it’s unclear why the project came “to life in the final moments of the previous administration,” he wrote.

But something good might come out of it, Madory added: “We likely won’t get all of the answers anytime soon, but we can certainly hope that the DoD uses the threat intel gleaned from the large amounts of background traffic for the benefit of everyone. Maybe they could come to a NANOG conference and present about the troves of erroneous traffic being sent their way.”


AirDrop, the feature that allows Mac and iPhone users to wirelessly transfer files between devices, is leaking user emails and phone numbers, and there’s not much anyone can do to stop it other than to turn it off, researchers said.

AirDrop uses Wi-Fi and Bluetooth Low Energy to establish direct connections with nearby devices so they can beam pictures, documents, and other things from one iOS or macOS device to another. One mode allows only contacts to connect, a second allows anyone to connect, and the last allows no connections at all.

A matter of milliseconds

To determine if the device of a would-be sender should connect with other nearby devices, AirDrop broadcasts Bluetooth advertisements that contain a partial cryptographic hash of the sender’s phone number and email address. If any of the truncated hashes matches the hash of any phone number or email address in the address book of the receiving device, or the device is set to receive from everyone, the two devices will engage in a mutual authentication handshake over Wi-Fi. During the handshake, the devices exchange the full SHA-256 hashes of the owners’ phone numbers and email addresses.

Hashes, of course, can’t be converted back into the cleartext that generated them, but depending on the amount of entropy, or randomness, in the cleartext, they can often be figured out anyway. Hackers do this by performing a “brute-force attack,” which throws huge numbers of guesses at the hash function and waits for the one that generates the sought-after hash. The less entropy in the cleartext, the easier it is to guess or crack, since there are fewer possible candidates for an attacker to try.

The amount of entropy in a phone number is so minimal that cracking is trivial: it takes milliseconds to look up a hash in a precomputed database containing results for every possible phone number in the world. While many email addresses have more entropy, they too can be cracked using the billions of email addresses that have appeared in database breaches over the past 20 years.

“This is an important finding since it enables attackers to get hold of rather personal information of Apple users that in later steps can be abused for spear phishing attacks, scams, etc. or simply being sold,” said Christian Weinert, one of the researchers at Germany’s Technical University of Darmstadt who found the vulnerabilities. “Who doesn’t want to directly message, say, Donald Trump on WhatsApp? All attackers need is a Wi-Fi-enabled device in proximity of their victim.”

Sender leakage vs. receiver leakage

In a paper presented in August at the USENIX Security Symposium, Weinert and researchers from TU Darmstadt’s SEEMOO lab devised two ways to exploit the vulnerabilities.

The easiest and most powerful method is for an attacker to simply monitor the discovery requests that other nearby devices send. Since the sender device always discloses its own hashed phone number and email address every time it scans for available AirDrop receivers, the attacker need only wait for nearby Macs to open the share menu or nearby iOS devices to open the share sheet. The attacker need not have the phone number, email address, or any other prior knowledge of the target.

A second method works largely in reverse. An attacker can open a share menu or share sheet and see if any nearby devices respond with their own hashed details. This technique isn’t as powerful as the first one because it works only if the attacker’s phone number or email address is already in the receiver’s address book.

Still, the attack could be useful when the attacker is someone whose phone number or email address is well known to many people. A manager, for instance, could use it to get the phone number or email address of any employees who have the manager’s contact information stored in their address books.

In an email, Weinert wrote:

What we call “sender leakage” (i.e., somebody who intends to share a file leaks their hashed contact identifiers) could be exploited by planting “bugs” (small Wi-Fi enabled devices) in public hot spots or other places of interest.

Say, you plant such a bug in a conference room or an event where politicians, celebrities, or other “VIPs” come together (e.g., Oscar Awards). As soon as one of them opens the sharing pane on an Apple device, you can get hold of at least their private mobile phone number.

From a reporter perspective a scenario for what we call “receiver leakage”: Say you have been in email contact with a celebrity to cover a story. In case the celebrity has therefore stored your email address, you can easily get hold of their private mobile phone number when being in proximity (e.g., during an interview). In this case, the celebrity [does] not even have to open the sharing pane or otherwise touch their device!

Two years of silence from Apple

The researchers say they privately notified Apple of their findings in May 2019. A year and a half later, they presented Apple with “PrivateDrop,” a reworked AirDrop they developed that uses private set intersection, a cryptographic technique that allows two parties to perform the contact-discovery process without disclosing vulnerable hashes. The implementation of PrivateDrop is publicly available on GitHub.
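The discovery flow described earlier (truncated hash in the advertisement, full SHA-256 in the handshake) beside a private-set-intersection alternative, as an added example that is neither Apple’s AirDrop code nor the PrivateDrop implementation. The first half shows why a full hash of a low-entropy identifier amounts to one table lookup once the table exists; the second shows a Diffie-Hellman-style PSI in which a fresh per-session exponent blinds every value on the wire, so no table can be precomputed. The phone numbers, the numbering block, the 2-byte advertisement prefix and the toy group are all assumptions.

```python
import hashlib
import secrets

# Toy group: the multiplicative group mod the Mersenne prime 2**127 - 1, chosen so
# that pow() alone gives a runnable Diffie-Hellman PSI. Assumption: the real
# PrivateDrop group is not described on this page; a deployment would use an
# elliptic curve, not this group.
P = (1 << 127) - 1


def sha256_hex(identifier: str) -> str:
    return hashlib.sha256(identifier.encode()).hexdigest()


# --- discovery as the article describes it: truncated hash, then the full hash ---

def ble_advertisement(identifier: str) -> str:
    """Truncated hash carried in the Bluetooth advertisement (2-byte prefix is an assumption)."""
    return sha256_hex(identifier)[:4]


def handshake_token(identifier: str) -> str:
    """Full SHA-256 of the contact identifier, exchanged in the Wi-Fi handshake."""
    return sha256_hex(identifier)


def build_phone_table(prefix: str, count: int) -> dict:
    """Precompute handshake tokens for an entire (constructed) numbering block."""
    return {handshake_token(f"{prefix}{n:05d}"): f"{prefix}{n:05d}" for n in range(count)}


def recover_identifier(token: str, table: dict):
    """For a passive observer the whole 'attack' is one dictionary lookup."""
    return table.get(token)


# --- PSI-style discovery: each side blinds with a secret exponent chosen per session ---

def hash_to_group(identifier: str) -> int:
    h = int.from_bytes(hashlib.sha256(identifier.encode()).digest(), "big")
    return h % P or 1


def blind(identifier: str, secret: int) -> int:
    return pow(hash_to_group(identifier), secret, P)


def psi_sender_in_contacts(sender_id: str, receiver_contacts: list, a=None, b=None) -> bool:
    """Sender learns only whether sender_id is in the receiver's address book.
    The wire carries H(s)^a, H(s)^(ab) and H(c)^b, never H(x) itself.
    a and b default to fresh random exponents; fixed values make a run repeatable."""
    a = a or secrets.randbelow(P - 2) + 1          # sender's secret
    b = b or secrets.randbelow(P - 2) + 1          # receiver's secret
    sent = blind(sender_id, a)                     # sender -> receiver: H(s)^a
    echoed = pow(sent, b, P)                       # receiver -> sender: H(s)^(ab)
    blinded_contacts = [blind(c, b) for c in receiver_contacts]   # receiver -> sender: H(c)^b
    return any(pow(v, a, P) == echoed for v in blinded_contacts)  # sender: H(c)^(ba) == H(s)^(ab)?


def table_matches_blinded(blinded_value: int, identifiers: list) -> bool:
    """The observer's precomputed group elements compared against a wire value.
    Without the session exponent the comparison never succeeds."""
    return any(hash_to_group(i) == blinded_value for i in identifiers)
```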

“Our prototype implementation of PrivateDrop on iOS/macOS shows that our privacy-friendly mutual authentication approach is efficient enough to preserve AirDrop’s exemplary user experience with an authentication delay well below one second,” the researchers wrote in a post summarizing their work.

As of this week, Apple has yet to indicate if it has plans to adopt PrivateDrop or employ some other way to fix the leakage. Apple representatives didn’t respond to an email seeking comment for this post.

What this means is that every time someone opens a sharing panel in either macOS or iOS, they’re leaking hashes that, at a minimum, disclose their phone numbers and likely their email addresses, too. And in some cases, just having AirDrop enabled at all may be enough to leak these details.

Weinert said that, for now, the only way to prevent the leakage is to set AirDrop discovery to “no one” in the system settings menu and to also refrain from opening the sharing pane. When using AirDrop at home or other familiar settings, this advice may be overkill. It may make more sense when using a computer at a conference or other public venue.

Backdoored password manager stole data from as many as 29K enterprises

As many as 29,000 users of the Passwordstate password manager downloaded a malicious update that extracted data from the app and sent it to an attacker-controlled server, the app maker told customers.

In an email, Passwordstate creator Click Studios told customers that bad actors compromised its upgrade mechanism and used it to install a malicious file on user computers. The file, named “moserware.secretsplitter.dll,” contained a legitimate copy of an app called SecretSplitter, along with malicious code named “Loader,” according to a brief writeup from security firm CSIS Group.


The Loader code attempts to retrieve the file archive at https://passwordstate-18ed2.kxcdn[.]com/ so it can retrieve an encrypted second-stage payload. Once decrypted, the code is executed directly in memory. The email from Click Studios said that the code “extracts information about the computer system, and select Passwordstate data, which is then posted to the bad actors’ CDN Network.”

The Passwordstate update compromise lasted from April 20 at 8:33 am UTC to April 22 at 12:30 am. The attacker server was shut down on April 22 at 7:00 am UTC.

The dark side of password managers

Security practitioners regularly recommend password managers because they make it easy for people to store long, complex passwords that are unique to hundreds or even thousands of accounts. Without a password manager, many people resort to weak passwords that are reused across multiple accounts.

The Passwordstate breach underscores the risk posed by password managers because they represent a single point of failure that can lead to the compromise of large numbers of online assets. The risks are significantly lower when two-factor authentication is available and enabled because extracted passwords alone aren’t enough to gain unauthorized access. Click Studios says that Passwordstate provides multiple 2FA options.

The breach is especially concerning because Passwordstate is sold primarily to corporate customers who use the manager to store passwords for firewalls, VPNs, and other enterprise applications. Click Studios says Passwordstate is “trusted by more than 29,000 Customers and 370,000 Security and IT Professionals around the world, with an install base spanning from the largest of enterprises, including many Fortune 500 companies, to the smallest of IT shops.”

Another supply-chain attack

The Passwordstate compromise is the latest high-profile supply-chain attack to come to light in recent months. In December, a malicious update for the SolarWinds network management software installed a backdoor on the networks of 18,000 customers. Earlier this month, an updated developer tool called the Codecov Bash Uploader extracted secret authentication tokens and other sensitive data from infected machines and sent them to a remote site controlled by the hackers.

First-stage payloads uploaded to VirusTotal here and here showed that at the time this post was going live, none of the 68 tracked endpoint protection programs detected the malware. Researchers so far have been unable to obtain samples of the follow-on payload.

Anyone who uses Passwordstate should immediately reset all the stored passwords, particularly those for firewalls, VPNs, switches, local accounts, and servers.

Representatives from Click Studios didn’t respond to an email seeking comment for this post.