Crypto Money Laundering Service Takedown

Weyman Holton
Your Tech Moment™
6 min read · May 22, 2019

StrongARMing Huawei / Google Puts Ads On Mobile Search Pages / Another SandboxEscaper ZeroDay / 14 Years Of G-Suite Plaintext Passwords Found


Tom Warren at The Verge: ARM cuts ties with Huawei, threatening future chip designs

Chip designer ARM has suspended business with Huawei, threatening the Chinese company’s ability to create its own chips. BBC News reports that ARM employees have been instructed to halt “all active contracts, support entitlements, and any pending engagements” with Huawei due to the US trade ban. The US has banned any US companies from doing business with the Chinese telecom giant without permission from the American government, but ARM is based in the UK and owned by the Japanese SoftBank group.

ARM is concerned it is affected by the US ban, with an internal memo reportedly revealing that its chip designs include “US origin technology.” ARM develops some processor designs in Austin, Texas and San Jose, California, which could place it under the US restrictions. Huawei relies on ARM for chip architecture designs for its own Kirin processors, and it pays to license these. Without the licenses, Huawei will not be able to continue manufacturing its own processors using ARM designs and its HiSilicon fabless semiconductor company.

“ARM is complying with all of the latest regulations set forth by the US government,” says an ARM spokesperson in a statement to The Verge. The company is not commenting any further about its decision. We’ve also reached out to Huawei to comment.

The rest of this article is at The Verge.

Jon Brodkin at Ars Technica: T-Mobile/Sprint merger faces big trouble at DOJ, despite FCC approval

The Department of Justice’s antitrust staff has recommended blocking T-Mobile’s attempted purchase of Sprint, Reuters reported today, citing an anonymous source.

DOJ staff “fear that after the deal T-Mobile will no longer aggressively seek to cut prices and improve service to woo customers away from market leaders Verizon and AT&T,” Reuters wrote. A final decision is expected to come in about a month.

To block the merger, the DOJ would have to sue in federal court and convince a judge that the merger violates antitrust law. DOJ staff recommendations can influence agency decisions on whether to file antitrust lawsuits, but aren’t automatically followed. The DOJ’s decision will be made by antitrust chief Makan Delrahim, a Trump appointee.

Read 6 remaining paragraphs over at Ars Technica.

Engadget reports: Google Search redesign adds website names and logos to results page

Google is bringing a new Search layout to mobile, and it’s rolling out the changes beginning today. Now, when you search on your mobile device, you’ll see a website name and logo at the top of each results card. If Google has a “useful ad” to show you, it will appear with a bolded ad label and the web address. The new design will also allow Google to add new actions, like the ability to buy movie tickets or play podcasts, to the results page.

The company hopes the changes will make it easier to identify where information is coming from. “Over the years, the amount and format of information available on the web has changed drastically — from the proliferation of images and video, to the availability of 3D objects you can now view in AR,” the company said in a blog post, adding that it’s time for Search results to change too.

While these changes are coming to mobile, there’s a good chance we’ll see them carry over to desktop, too. And this update could pave the way for some of the more advanced changes Google teased at its I/O developer conference earlier this month. The company said it’s bringing computer vision and augmented reality to Search and that we’ll start seeing 3D images popping up in the results. So while the changes appear subtle, they could be the first of many that we’ll see.

Read More from Google.

John Fokker at McAfee: Crypto Currency Laundering Service, BestMixer.io, Taken Down by Law Enforcement

A much overlooked but essential part in financially motivated (cyber)crime is making sure that the origins of criminal funds are obfuscated or made to appear legitimate, a process known as money laundering. ’Cleaning’ money in this way allows the criminal to spend their loot with less chance of being caught. In the physical world, for instance, criminals move large sums of cash into offshore accounts and create shell companies to obfuscate the origins of their funds. In the cyber underground where Bitcoin is the equivalent of cash money, it works a bit differently. As Bitcoin has an open ledger on which every transaction is recorded, it makes it a bit more challenging to obfuscate funds.

When a victim pays a criminal after being extorted with ransomware, the ransom transaction in Bitcoin and all additional transactions can then be tracked through the open ledger. This makes following the money a powerful investigative technique, but criminals have come up with an inventive method to make tracking more difficult: a mixing service.

A mixing service will cut up a sum of Bitcoins into hundreds of smaller transactions, mix different transactions from other sources for obfuscation, and pump out the input amount, minus a fee, to a certain output address. Mixing Bitcoins that are obtained legally is not a crime but, other than the mathematical exercise, there is no real benefit to it.

The legality changes when a mixing service advertises itself as a successful method to avoid various anti-money laundering policies via anonymity. This is actively offering a money laundering service.

Read more about this take-down at McAfee.

Tara Seals at Threatpost: Windows Zero-Day Drops on Twitter, Developer Promises 4 More

SandboxEscaper has released her latest local privilege-escalation exploit for Windows.

A Windows zero-day exploit dropped by developer SandboxEscaper would allow local privilege-escalation (LPE), by importing legacy tasks from other systems into the Task Scheduler utility.

It’s the latest zero-day from SandboxEscaper, who said that she has four more in the hopper that she’d like to sell for $60,000 to non-Western buyers.

Read about this and a lot more over at Threatpost.com

Lindsey O’Donnell at Threatpost: G Suite users’ passwords stored in plain-text for more than 14 years

Google said it had stored G Suite enterprise users’ passwords in plain text since 2005, marking a giant security faux pas.

Google stored G Suite passwords in plaintext for almost 15 years, the cloud giant acknowledged on Tuesday evening.

G Suite, Google’s brand of cloud computing, productivity and collaboration tools, software and products, has more than 5 million users as of February. Google said that it recently discovered the passwords for a “subset of enterprise G Suite customers” stored in plain text since 2005.

“This practice did not live up to our standards,” Suzanne Frey, VP of engineering for Google Cloud Trust, said in a post. “To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”

Even more information about this Google issue at Threatpost.

Keep Your Smart Home Safe: Here’s What You Can Do Today to Secure Your Products

The Internet of Things (IoT) is transforming the way we live, work and play. You can find it in the fitness trackers you might be wearing to monitor step count and heart rate. Or the car you may be driving. But more than anywhere else, you’ll see IoT at home in an increasing array of gadgets: from voice-activated smart speakers to internet-connected baby monitors.

It’s estimated that 14.2 billion connected “things” like these are in use globally in 2019, which will rise to 25 billion in a couple of years’ time. There’s just one problem: if not properly secured, they could present hackers with new opportunities to sneak into your smart home through the cyber-front door.

So what are the risks — and how can you protect your home?

Find out more over at Trend Micro’s security blog.

© 2019 WHTS

Weyman Holton
Your Tech Moment™

author of “The Dirty Deeds Playbook” out now in paperback and on Amazon Kindle.