
Monthly Archives: October 2018

SoGou ..Bad Spider! Go Away!

I have been checking the logs for the culprit behind the high utilization and came across a likely suspect: SoGou, a Chinese state-sponsored actor (I suspect) masquerading as a search engine.

Spider user agent: Sogou web spider/4.0

IPs found so far
220.181.125.86
218.30.103.143
123.126.113.148

Distill Networks has the CIDR blocks as
220.181.125.0/24
123.126.51.64/27
123.126.51.96/28
123.126.68.25
61.135.189.74
61.135.189.75

robots.txt code (for what it is worth — many bad bots ignore it)

User-agent: Sogou web spider
Disallow: /

.htaccess

RewriteEngine On
# A trailing backslash continues the directive on the next line.
# Keep the space before the backslash on the line ahead of [NC],
# otherwise the pattern and the flag run together.
RewriteCond %{HTTP_USER_AGENT} \
sogou \
[NC]
RewriteRule .* - [F]

The space before the backslash on the line preceding the nocase flag [NC] is important.

I have a huge list I use. You can easily add to it with this syntax. Just keep the chain under 500 entries, after which you should start a new RewriteCond %{HTTP_USER_AGENT} \ rule.

RewriteEngine On
# Each entry except the last ends with | followed by the continuation backslash;
# the last entry keeps a space before its backslash so that [NC] stays separate.
RewriteCond %{HTTP_USER_AGENT} \
semrushbot|\
seoengworldbot|\
sogou \
[NC]
RewriteRule .* - [F]
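As an added example (not the blog's own tooling), the following Python script reproduces what the .htaccess rule above evaluates: a case-insensitive, unanchored alternation of bot names (the [NC] flag), split into chunks of at most 500 names like the separate RewriteCond rules recommended above. It then runs that check over constructed Apache combined-format log lines to count the requests the rule would reject per IP, and compares those IPs against the Distill Networks ranges listed above to show which observed bot IPs the published ranges do not cover. The log lines and the SemrushBot user agent are constructed samples, not real traffic.

```python
import ipaddress
import re

# Bot name fragments as they appear in the .htaccess alternation.
# The blog's real list is much longer; these are the three it shows.
BAD_BOTS = ["semrushbot", "seoengworldbot", "sogou"]

# CIDR blocks and single hosts the post attributes to Distill Networks.
SOGOU_RANGES = [
    "220.181.125.0/24", "123.126.51.64/27", "123.126.51.96/28",
    "123.126.68.25", "61.135.189.74", "61.135.189.75",
]

# Mirrors the post's advice: one RewriteCond per chunk of at most 500 names.
MAX_PER_COND = 500


def build_ua_patterns(names, max_per_cond=MAX_PER_COND):
    """Return one compiled pattern per RewriteCond chunk.

    Each pattern is the same unanchored, case-insensitive alternation that
    `RewriteCond %{HTTP_USER_AGENT} a|b|c [NC]` evaluates. re.escape keeps
    any name containing regex metacharacters literal.
    """
    patterns = []
    for start in range(0, len(names), max_per_cond):
        chunk = names[start:start + max_per_cond]
        alternation = "|".join(re.escape(n) for n in chunk)
        patterns.append(re.compile(alternation, re.IGNORECASE))
    return patterns


def is_blocked_ua(user_agent, patterns):
    """True if any chunk pattern matches, i.e. the [F] rule would fire."""
    return any(p.search(user_agent) for p in patterns)


def in_known_ranges(ip, ranges=SOGOU_RANGES):
    """True if ip falls inside one of the published blocks or single hosts."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


# Apache combined log format: ip - - [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scan_log(lines, patterns):
    """Summarise which requests the user-agent rule would have rejected.

    Returns (blocked, unlisted): blocked maps ip -> number of requests that
    carried a listed bot user agent; unlisted is the subset of those IPs not
    covered by the published ranges (candidates for an IP-based block).
    """
    blocked = {}
    unlisted = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        if not is_blocked_ua(m.group("ua"), patterns):
            continue
        ip = m.group("ip")
        blocked[ip] = blocked.get(ip, 0) + 1
        if not in_known_ranges(ip):
            unlisted.add(ip)
    return blocked, unlisted


# Constructed sample log lines (not real traffic). The first three source IPs
# are the ones the post lists as observed; the last line is ordinary browsing.
SAMPLE_LOG = [
    '220.181.125.86 - - [05/Oct/2018:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Sogou web spider/4.0"',
    '218.30.103.143 - - [05/Oct/2018:10:01:05 +0000] "GET /tag/firewall/ HTTP/1.1" 200 4096 "-" "Sogou web spider/4.0"',
    '123.126.113.148 - - [05/Oct/2018:10:01:09 +0000] "GET /feed/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; SemrushBot)"',
    '198.51.100.7 - - [05/Oct/2018:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 7000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/62.0"',
]


if __name__ == "__main__":
    pats = build_ua_patterns(BAD_BOTS)
    hits, missing = scan_log(SAMPLE_LOG, pats)
    for ip, n in sorted(hits.items()):
        print(f"{ip:16} {n} request(s) the rule would reject")
    print("bot IPs outside the published ranges:", sorted(missing))
```

Point the script at a real access log (one line per list element) to see which entries in your own bot list are actually firing and which source addresses a purely UA-based rule relies on.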

EdgeOS / EdgeRouter – a Snapgear Firewall:

When McAfee bought Secure Computing, it pretty much spelled the demise of the Snapgear firewall. The Snapgear was one of the earlier Linux-based firewall appliances and was quite stable before McAfee got hold of it. Well, all that is history. While there are numerous Snapgears still connected out there, it has not been patched in years and has many known vulnerabilities.

Several manufacturers have developed full UTM firewalls based on proprietary versions of Linux, for example Cyberoam, Sophos and Fortinet Fortigate. All are good, and all require a paid subscription for firmware updates and to turn on the UTM features.

Some of our customers just want a solid firewall without the paid UTM features and/or paid firmware subscription costs. Enter EdgeOS by Ubiquiti. Over the last couple of years it has become a very stable box. It is based on Debian Linux (actually Vyatta which is based on Debian Linux).

There are several router models and we have developed an EdgeRouter Comparison guide here. We are running a couple of these in our lab networks and our experience is generally positive. The units have excellent community-based support.

Quick Observations to Share:

GUI vs. Command Line – The EdgeOS GUI is fairly good, but many things still need to be done from the command line interface (CLI). That is OK if you have Linux or Cisco experience, but it can be a challenge for the harried SMB with a limited IT staff.

Firewall rules via the GUI take a bit of getting used to and will be the subject of a future post.

Log viewing – generally takes a bit of getting used to, but the logs do carry a wealth of information. This also will be the subject of a future post.

AntiVirus & URL Filtering – The question always arises about doing antivirus scanning and URL (content) filtering at the gateway. Since most sites now use HTTPS, antivirus scanning at the gateway is pretty much useless these days unless the router acts as a man-in-the-middle. It is far better to do anti-virus/malware scanning at the endpoint. The same may arguably be said for URL filtering, but I still prefer to do that at the gateway firewall. Using DPI (deep packet inspection), the EdgeOS can be configured to effectively block URL categories. That will be the subject of a future blog post.

In the meantime you can see the EdgeRouters in our store here.

Chinese Super Micro ‘spy chip’ story …

QUOTE

Chinese Super Micro ‘spy chip’ story gets even more strange as everyone doubles down
Bloomberg puts out related story while security experts cast doubt on research and quotes

The veracity of a bombshell yarn claiming Chinese agents managed to sneak spy chips into Super Micro servers used by Amazon, Apple and the US government is still being fiercely argued over five days after publication.

On Tuesday, the media outlet behind the claims, Bloomberg, responded to growing criticism of its report by publishing a new, related story about how a “major US telecommunications company” discovered a similar hardware hack in components from the computer manufacturer at the center of the story, Super Micro.

That latest piece comes after one of the experts in the original story gave an interview in which he expressed his concern about the finished piece and questioned whether Bloomberg had done sufficient fact checking before publishing.

The new article also comes in the wake of a second, even stronger denial of the key elements of the story by Apple – sent to US Congress committees – as well as statements from the intelligence wings of both the UK and US governments that push the idea that Bloomberg may have made a serious reporting mistake.

With clear and increasingly firm stances that stand in complete opposition to one another, security experts remain undecided as to whether the story is largely correct and China did insert spy chips into Super Micro motherboards; or whether the journalists behind the story wrongly extrapolated information and ended up publishing something incorrect.

Faced with such uncertainty, some are reaching for a unifying explanation: that Bloomberg was misled by some in the intelligence community that wish, for their own reasons, to raise the specter of Chinese interference in the global electronics supply chain. Bloomberg could be accurately reporting an intelligence misinformation campaign.

Another expert, another report

In its most recent story, Bloomberg claims to have seen “documents, analysis and other evidence” of Chinese interference: in this case “manipulated hardware” stemming from Super Micro that was discovered in the network of a large US telecoms company and pulled out in August.

The source of that report is named: Yossi Appleboum, CEO of security specialists Sepio Systems. Appleboum claims to have discovered “unusual communications” coming from a Super Micro server that was part of a data center audit ordered by the unnamed company.

Physical inspection of that board revealed “an implant built into the server’s Ethernet connector,” Appleboum says. Bloomberg knows the company affected but has chosen not to name it because of a non-disclosure agreement signed between Sepio Systems and the company in question.

While Bloomberg notes that the Ethernet implant “is different from the one described in the Bloomberg Businessweek report last week,” it argues that it shares “key characteristics” including the fact that the alteration was made at a Super Micro factory and it was designed to be invisible while extracting data.

The conclusion that the implant was introduced at the factory in China was reached by Appleboum, he claims. But notably he goes on to state that “he was told by Western intelligence contacts that the device was made at a Super Micro subcontractor factory in Guangzhou, a port city in southeastern China.”

Appleboum makes a series of other interesting statements, including that the Sepio team had seen similar variations of the implant in other motherboards made in China, and that he had been informed by intelligence agents from other countries that they had been tracking the manipulation of Super Micro hardware for some time.

You know nothing, DHS

Bloomberg used the report to push back against a statement from the US Department of Homeland Security (DHS) in which it said it had “no reason to doubt” denials of its spy-chip original story. Bloomberg insists that there was an FBI investigation of the issue, but that it was run by the organization’s “cyber and counterintelligence teams, and that DHS may not have been involved.”

In other words, Bloomberg – seemingly surprised by the forceful denials of its story – is arguing that only a small group of people were aware of the investigations it wrote about and so claims of inaccuracy may come from people who simply do not know about them.

….

All of which is to say: after five days of fierce scrutiny, no one is any the wiser as to whether the story is true or not. We will have to see what this week brings.

Facebook mass hack last month was so totally overblown – only 30 million people affected

Abusing privacy is Facebook’s number one business!

QUOTE

Good news: 20m feared pwned are safe. Bad news: That’s still 30m profiles snooped…

Facebook users can relax and get back to interacting with quality content and authentic individuals on the social network.

Last month’s deliberate theft of private account records from the internet giant, initially believed to affect 50 million or maybe 90 million accounts, turns out to be nowhere near that bad. Cough.

On Friday, the data-harvesting biz said a mere 30 million people were robbed of their authentication tokens – which could and were used to log into their Facebook accounts. That’s only 1.34 per cent of Facebook’s total active users – which says more about the out-of-control size of the antisocial network than anything else.

“We now know that fewer people were impacted than originally thought,” said Guy Rosen, VP of product management, during a conference call for the media on Friday morning, Pacific Time.

Initial worries that the token pilfering might have led to the compromise of third-party apps implementing Facebook Login turn out to be completely unfounded. Rosen said Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, advertising and developer accounts were not affected. Bullet dodged.

For one million of the token deprived, the attackers took no information. For 15 million, they obtained names, phone numbers, and email addresses, if present in their profiles. For the remaining 14 million, they accessed not only profile data fields, but quite a bit more:

Username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

….

“People’s privacy and security is incredibly important and we’re sorry this happened,” said Rosen.

That sorrow has limits. The Register asked Facebook whether it intends to pay for identity theft monitoring for the 30 million people affected, a common act of contrition following data thefts.

A Facebook spokesperson said, “Not at this time; the resources we are pointing people toward are based on the actual types of data accessed – including the steps they can take to help protect themselves from suspicious emails, text messages, or calls.”

Nonetheless, Facebook may end up opening the corporate coffers to make things right. The company offered no details about how many of those affected reside in the EU where the data protection regime (GDPR) allows for penalties that bring tears to the eyes of accountants.

“We’ll have to see what Facebook discloses about potential liability if any exists,” said Pravin Kothari, CEO of CipherCloud, in an email to The Register. “The calculations of the potential fines under GDPR are a bit mind-boggling with any possible impact to millions of users.

Made and Distributed in the U.S.A.: Online Disinformation

with Facebook’s help of course!

QUOTE

SAN FRANCISCO — When Christine Blasey Ford testified before Congress last month about Justice Brett M. Kavanaugh’s alleged sexual assault, a website called Right Wing News sprang into action on Facebook.

The conservative site, run by the blogger John Hawkins, had created a series of Facebook pages and accounts over the last year under many names, according to Facebook.

After Dr. Blasey testified, Right Wing News posted several false stories about her — including the suggestion that her lawyers were being bribed by Democrats — and then used the network of Facebook pages and accounts to share the pieces so that they proliferated online quickly, social media researchers said.

The result was a real-time spreading of disinformation started by Americans, for Americans.

What Right Wing News did was part of a shift in the flow of online disinformation, falsehoods meant to mislead and inflame. In 2016, before the presidential election, state-backed Russian operatives exploited Facebook and Twitter to sway voters in the United States with divisive messages. Now, weeks before the midterm elections on Nov. 6, such influence campaigns are increasingly a domestic phenomenon fomented by Americans on the left and the right.

“There are now well-developed networks of Americans targeting other Americans with purposefully designed manipulations,” said Molly McKew, an information warfare researcher at the New Media Frontier, a firm that studies social media.

Politics has always involved shadings of the truth via whisper campaigns, direct-mail operations and negative ads bordering on untrue. What is different this time is how domestic sites are emulating the Russian strategy of 2016 by aggressively creating networks of Facebook pages and accounts — many of them fake — that make it appear as if the ideas they are promoting enjoy widespread popularity, researchers said. The activity is also happening on Twitter, they said.

Reverb Press’s logo on its Facebook page shows that it has been verified by the social network.

The shift toward domestic disinformation raises potential free speech issues when Facebook and Twitter find and curtail such accounts that originate in the United States, an issue that may be sensitive before the midterms. “These networks are trying to manipulate people by manufacturing consensus — that’s crossing the line over free speech,” said Ryan Fox, a co-founder of New Knowledge, a firm that tracks disinformation.

This month, Twitter took down a network of 50 accounts that it said were being run by Americans posing as Republican state lawmakers. Twitter said the accounts were geared toward voters in all 50 states.

On Thursday, Facebook said it had identified 559 pages and 251 accounts run by Americans, many of which amplified false and misleading content in a coordinated fashion. The company said it would remove the pages and accounts. Among them were Right Wing News, which had more than 3.1 million followers, and left-wing pages that included the Resistance and Reverb Press, which had 240,000 and 816,000 followers.

Facebook said this amounted to the most domestic pages and accounts it had ever removed related to influence campaigns. The company said it had discovered the activity as part of its broader effort to root out election interference. Also, the pages had become more aggressive in using tactics like fake accounts and multiple pages to make themselves appear more popular.

“If you look at volume, the majority of the information operations we see are domestic actors,” said Nathaniel Gleicher, Facebook’s head of security. He added that the company was struggling with taking down the domestic networks because of the blurry lines between free speech and disinformation.

Mr. Gleicher said that the accounts and pages that Facebook took down on Thursday violated its rules about online spam and that many of the domestic organizations probably had financial motivations for spreading disinformation. The organizations can make money by getting people to click on links in Facebook that then direct users to websites filled with ads. Once someone visits the ad-filled website, those clicks mean more ad revenue.

But while traditional spam networks typically use celebrity gossip or stories about natural disasters to get people to click on links that take them to ad-filled sites, these networks were now using political content to attract people’s attention.

Just say no to Facebook

Soldiers in Facebook’s War on Fake News Are Feeling Overrun

Facebook – the sharp tool of mob psychology

QUOTE

MANILA — The fictional news stories pop up on Facebook faster than Paterno Esmaquel II and his co-workers can stamp them out.

Rodrigo Duterte, the president of the Philippines, debated a Catholic bishop over using violence to stop illegal drugs — and won. Pope Francis called Mr. Duterte “a blessing.” Prince Harry and his new wife, Meghan Markle, praised him, too. None were true.

False news is so established and severe in the Philippines that one Facebook executive calls it “patient zero” in the global misinformation epidemic. To fight back in this country, the Silicon Valley social media giant has turned to Mr. Esmaquel and others who work for Rappler, an online news start-up with experience tackling fake stories on Facebook.

While Rappler’s fact checkers work closely with Facebook to investigate and report their findings, they believe the company could do much more.

Right – Facebook do more? Never – they rely on eyeballs for their advertising revenue. The best way to get more eyeballs/revenue is to allow spreading of sensationalist fake news.

“It’s frustrating,” said Marguerite de Leon, 32, a Rappler employee who receives dozens of tips each day about false stories from readers. “We’re cleaning up Facebook’s mess.”

On the front lines in the war over misinformation, Rappler is overmatched and outgunned — and that could be a worrying indicator of Facebook’s effort to curb the global problem by tapping fact-checking organizations around the world. Civil society groups have complained that Facebook’s support is weak. Others have said the company doesn’t offer enough transparency to tell what works and what doesn’t.

Facebook says it has made strides but acknowledges shortcomings. It doesn’t have fact checkers in many places, and is only beginning to roll out tools that would scrutinize visual memes, like text displayed over an image or a short video, sometimes the fastest ways that harmful misinformation can spread.

Paterno Esmaquel II, a Rappler reporter, said the false stories on Facebook just kept coming. “We kill one,” he said, “and another one crops up.” (Photo credit: Jes Aznar for The New York Times)

“This effort will never be finished, and we have a lot more to do,” said Jason Rudin, a Facebook product manager.

For fact checkers themselves, the work takes a toll. Members of Rappler’s staff have received death and rape threats. Rappler brought in a psychologist. It debated bulletproofing the windows and installed a second security guard.

The way to end this is to end Facebook and the way to end Facebook is to delete your account.

World’s largest CCTV maker leaves at least 9 million cameras open to public viewing

Made in China. Maybe it also has an Ethernet hardware implant chip if all else fails. Hmmm, I see a trend here.

QUOTE

Xiongmai’s cloud portal opens sneaky backdoor into servers

Yet another IoT device vendor has been found to be exposing their products to attackers with basic security lapses.

This time, it’s Chinese surveillance camera maker Xiongmai named and shamed this week by researchers with SEC Consult for the poor security in the XMEye P2P Cloud service. Among the problems researchers pointed to were exposed default credentials and unsigned firmware updates that could be delivered via the service.

As a result, SEC Consult warns, the cameras could be compromised to do everything from spy on their owners, to carry out botnet instructions and even to serve as an entry point for larger network intrusions.

“Our recommendation is to stop using Xiongmai and Xiongmai OEM devices altogether,” SEC Consult recommended.

“The company has a bad security track record including its role in Mirai and various other IoT botnets. There are vulnerabilities that have been published in 2017, which are still not fixed in the most recent firmware version.”

Enabled by default, the P2P Cloud service allows users to remotely connect to devices via either a web browser or an iOS/Android app and control the hardware without needing a local network connection.

Unfortunately, SEC Consult explained, shortcomings in both the devices themselves and the service, such as unencrypted connections and default passwords (owners are not required to change the defaults when setting up the device), mean that in many cases accessing and compromising a camera could be a cinch.

Additionally, SEC Consult notes, the Xiongmai devices do not require that firmware updates be signed, meaning it would be possible for an attacker to install malware-laden firmware updates to build a botnet or stage further attacks on the local network.

“This is either possible by modifying the filesystems, contained in a firmware update, or modifying the ‘InstallDesc’ file in a firmware update file,” researchers explain.

“The ‘InstallDesc’ is a text file that contains commands that are executed during the update.”

On top of it all, SEC Consult accuses Xiongmai of a pattern of ignoring security warnings and failing to take basic precautions.

The research house claims that not only were its latest warnings to the company ignored, but Xiongmai has a history of bad security going all the way back to its days as fodder for the notorious Mirai botnet. As such, the researchers advise companies to stop using any OEM hardware that is based on the Xiongmai hardware. The devices can be identified by their web interface, error page, or product pages advertising the XMEye service.

China back at hacking

Note to Trump – sometimes diplomacy is better than chest thumping.

QUOTE

The Obama-era cyber détente with China was nice, wasn’t it? Yeah well it’s obviously over now
Middle Kingdom is a rising threat once again – research

Infosec pros might have already noticed some familiar IP address ranges in their system logs – China has returned to the cyber-attack arena.

That’s the conclusion of threat intel outfit CrowdStrike, which released its midyear threat report this week (downloadable here with free registration). The firm’s Falcon OverWatch team said that from January to June, state actors were responsible for 48 per cent of intrusion cases, and China is climbing back up the charts.

CTO and co-founder Dmitri Alperovitch tweeted: “CrowdStrike can now confirm that China is back (after a big drop-off in activity in 2016) to being the predominant nation-state intrusion threat in terms of volume of activity against Western industry. MSS is now their #1 cyber actor.”

MSS refers to the Ministry of State Security, which will likely be even more motivated to digitally disrupt the US since a deputy division director was arrested in Belgium in April and extradited to face charges in America.

Alperovitch said that the 2015 Obama-era non-hacking pact had led to a decline in hostile activity, at least at the state level.

Alex Stamos, formerly CSO at Facebook, concurred with Alperovitch: “Most IR professionals I have spoken to believed that there was a real drop in commercially-motivated hacking from the Chinese after the deal.”

That was then. The increasing political hostility between China and the US (and countries like Australia which have followed the US’s lead) is reflected in the online world, CrowdStrike reckoned. “OverWatch data identifies China as the most prolific nation-state threat actor during the first half of 2018.”

Intrusions were attempted against “biotech, defence, mining, pharmaceutical, professional services, transportation, and more”, the report claimed.

The “Chinese threat” has been a CrowdStrike theme for some time: in September, Alperovitch made the same point to Fox Business in a TV interview. He said “every major sector of the economy is being targeted” by the Middle Kingdom.

“Primarily they’re focused on stealing intellectual property… in order to counteract in part the trade tariffs we’re putting into place on them.”

By comparison to the rising Chinese attack traffic, the report’s other key findings were relatively unremarkable: online crims are turning to crack networks to install cryptocurrency miners, with legal and insurance industries a favourite target; the biotech sector is a favoured target for industrial espionage; and criminal actors who once may have used less sophisticated tools are now adopting “tactics, techniques and procedures” learned from nation-state actors.

New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom

One needs to wonder about all those routers and firewalls from the majors that are produced in China.
Also, I think this will do more damage to “Brand China” than dubious tariffs.
And in case you missed it, Bloomberg’s original story “The Big Hack” (excellent read) can be had here.

The discovery shows that China continues to sabotage critical technology components bound for America.

A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.

The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.

Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum’s nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said.

The executive said he has seen similar manipulations of different vendors’ computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim — so is everyone else,” he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That’s the problem with the Chinese supply chain,” he said.


The more recent manipulation is different from the one described in the Bloomberg Businessweek report last week, but it shares key characteristics: They’re both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China.

….

The manipulation of the Ethernet connector appeared to be similar to a method also used by the U.S. National Security Agency, details of which were leaked in 2013. In e-mails, Appleboum and his team refer to the implant as their “old friend,” because he said they had previously seen several variations in investigations of hardware made by other companies manufacturing in China.

In Bloomberg Businessweek’s report, one official said investigators found that the Chinese infiltration through Supermicro reached almost 30 companies, including Amazon.com Inc. and Apple Inc. Both Amazon and Apple also disputed the findings. The U.S. Department of Homeland Security said it has “no reason to doubt” the companies’ denials of Bloomberg Businessweek’s reporting.

People familiar with the federal investigation into the 2014-2015 attacks say that it is being led by the FBI’s cyber and counterintelligence teams, and that DHS may not have been involved. Counterintelligence investigations are among the FBI’s most closely held and few officials and agencies outside of those units are briefed on the existence of those investigations.

Appleboum said that he’s consulted with intelligence agencies outside the U.S. that have told him they’ve been tracking the manipulation of Supermicro hardware, and the hardware of other companies, for some time.

….

Hardware manipulation is extremely difficult to detect, which is why intelligence agencies invest billions of dollars in such sabotage. The U.S. is known to have extensive programs to seed technology heading to foreign countries with spy implants, based on revelations from former CIA employee Edward Snowden. But China appears to be aggressively deploying its own versions, which take advantage of the grip the country has over global technology manufacturing.

Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio’s software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals — such as power consumption — that can indicate the presence of a covert piece of hardware.

In the case of the telecommunications company, Sepio’s technology detected that the tampered Supermicro server actually appeared on the network as two devices in one. The legitimate server was communicating one way, and the implant another, but all the traffic appeared to be coming from the same trusted server, which allowed it to pass through security filters.

In other words – bypassing the firewall.

Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. “The module looks really innocent, high quality and ‘original’ but it was added as part of a supply chain attack,” he said.

The goal of hardware implants is to establish a covert staging area within sensitive networks, and that’s what Appleboum and his team concluded in this case. They decided it represented a serious security breach, along with multiple rogue electronics also detected on the network, and alerted the client’s security team in August, which then removed them for analysis. Once the implant was identified and the server removed, Sepio’s team was not able to perform further analysis on the chip.

The threat from hardware implants “is very real,” said Sean Kanuck, who until 2016 was the top cyber official inside the Office of the Director of National Intelligence. He’s now director of future conflict and cyber security for the International Institute for Strategic Studies in Washington. Hardware implants can give attackers power that software attacks don’t.

“Manufacturers that overlook this concern are ignoring a potentially serious problem,” Kanuck said. “Capable cyber actors — like the Chinese intelligence and security services — can access the IT supply chain at multiple points to create advanced and persistent subversions.”

One of the keys to any successful hardware attack is altering components that have an ample power supply to them, a daunting challenge the deeper into a motherboard you go. That’s why peripherals such as keyboards and mice are also perennial favorites for intelligence agencies to target, Appleboum said.

In the wake of Bloomberg’s reporting on the attack against Supermicro products, security experts say that teams around the world, from large banks and cloud computing providers to small research labs and startups, are analyzing their servers and other hardware for modifications, a stark change from normal practices. Their findings won’t necessarily be made public, since hardware manipulation is typically designed to access government and corporate secrets, rather than consumer data.

National security experts say a key problem is that, in a cybersecurity industry approaching $100 billion in revenue annually, very little of that has been spent on inspecting hardware for tampering. That’s allowed intelligence agencies around the world to work relatively unimpeded, with China holding a key advantage.

“For China, these efforts are all-encompassing,” said Tony Lawrence, CEO of VOR Technology, a Columbia, Maryland-based contractor to the intelligence community. “There is no way for us to identify the gravity or the size of these exploits — we don’t know until we find some. It could be all over the place — it could be anything coming out of China. The unknown is what gets you and that’s where we are now. We don’t know the level of exploits within our own systems.”

Google Caught with Hand in Cookie Jar Backs Down

“Google backtracks—a bit—on controversial Chrome sign-in feature…Privacy-conscious users were unhappy at being signed in to browser without consent”

Look, just like Facebook, your private data is Google’s bread and butter. If people do not understand this by now, I am not sure what else will make them do so.

Google will partially revert a controversial change made in Chrome 69 that unified signing in to Google’s online properties and Chrome itself and which further preserved Google’s cookies even when users chose to clear all cookies. Chrome 70, due in mid-October, will retain the unified signing in by default, but it will allow those who want to opt out to do so.

Chrome has long had the ability to sign in with a Google account. Doing this offers a number of useful features; most significantly, signed-in users can enable syncing of their browser data between devices, so tabs open on one machine can be listed and opened on another, passwords saved in the browser can be retrieved online, and so on. This signing in uses a regular Google account, the same as would be used to sign in to Gmail or the Google search engine.

Prior to Chrome 69, signing in to the browser was independent of signing in to a Google online property. You could be signed in to Gmail, for example, but signed out of the browser to ensure that your browsing data never gets synced and stored in the cloud. Chrome 69 unified the two: signing in to Google on the Web would automatically sign you in to the browser, using the same account. Similarly, signing out of a Google property on the Web would sign you out of the browser.

Google’s Adrienne Porter Felt, an engineering manager on the Chrome team, tweeted that the change was made to address some confusion on shared systems such as family computers. Prior to the change, Chrome users would remember to sign out of Google’s Web properties but leave the browser itself signed in with their account and hence sync any browser data, even if it was generated by other users of the machine. With the change, merely signing out of Google on the Web is enough to prevent this syncing.

Felt stressed that actually enabling syncing required an additional step; merely signing in to the browser isn’t enough to have your browsing history sent to the cloud, so nobody should find their private browsing data sent to Google accidentally.
Nonetheless…

Nonetheless, some Chrome users were unhappy at the change. Chrome 69 offers no way to decouple this unified logging in, so one errant click would be enough to enable syncing and send a ton of personal data to Google’s servers.

On top of this, Chrome 69 handles Google’s own cookies specially. When choosing to clear all the browser’s stored cookies, those cookies used to sign in to Google on the Web were being preserved, rendering them unremovable.

In response, Google is making changes to Chrome 70. The default behavior will remain as it is in Chrome 69, with signing in to the Web having the effect of signing in to the browser. However, there will now be an option to separate the two, allowing those who never want the browser signed in to do so. Further, the Google sign-in cookies will no longer be given special treatment and will be removed as normal when choosing to clear all the cookies. Chrome 70 is also going to make it clearer when syncing has been enabled.

Google hopes that this change will retain convenience for most Chrome users while also providing the separation that its most privacy-conscious users require.


Yeah – right – until they sneak something else into Chrome to spy