News & Updates

The head of Germany’s BSI admitted that, so far, there is no proof of espionage activity conducted through Huawei technology.

The US first, and many other countries after it, have decided to ban network equipment manufactured by the Chinese telecom giant Huawei.

In November 2018, the Wall Street Journal reported that the US Government is urging its allies, including Germany, to exclude Huawei from critical infrastructure and 5G architectures.

The United States is highlighting the risks for national security in case of adoption of Huawei equipment and is inviting internet providers and telco operators in allied countries to ban Huawei.

Chinese equipment is broadly adopted in many allied countries, including Germany, Italy and Japan. Currently the main mobile network operators in Germany use Huawei technology in their infrastructure.

Now Germany’s IT watchdog has expressed its opinion about the ban on Huawei technology: it has highlighted that there is no evidence that the equipment could be used by Chinese intelligence for cyber espionage.

On Friday, the head of Germany’s Federal Office for Information Security (BSI), Arne Schoenbohm, admitted that, so far, there is no proof of espionage activity conducted through Huawei technology.

“For such serious decisions like a ban, you need proof,” Arne Schoenbohm told news weekly Spiegel, confirming that the BSI had no such evidence.

Huawei has already been excluded by several countries from building their 5G networks. The United States, Australia, New Zealand, and Japan have announced the exclusion of Huawei technology from their 5G networks.

Schoenbohm explained that BSI experts assessed Huawei products from around the world and have not found suspicious components or backdoors.

BSI experts also visited the recently opened Huawei Security Innovation Lab in Bonn, a center that will work closely with German customers, partners, research institutions as well as government and supervisory authorities.

Commenting on the opening of the laboratory, BSI President Arne Schoenbohm said: “We welcome the opening of this laboratory, which will allow further and deeper technical exchange between Huawei and BSI to address the future challenges of cyber security.”


Many security experts continue to express their concerns about Huawei products.

“I believe it’s wrong to suggest that the concerns about Chinese espionage are unfounded and easy to detect,” telecom security expert Ronja Kniep told AFP.

“Even if Huawei has no official relationship with the Chinese government, that doesn’t mean Chinese services aren’t using the company and its technology as vehicles for espionage.”


Pierluigi Paganini

(SecurityAffairs –BSI, Huawei)

The post Germany’s BSI chief says ‘No Evidence’ of Huawei spying appeared first on Security Affairs.

Source: Security affairs

Siemens addressed several vulnerabilities in SINUMERIK controllers, including denial-of-service (DoS), privilege escalation and code execution issues.

Siemens has fixed several flaws in SINUMERIK controllers, some of which have been classified as “critical.” The list of vulnerabilities includes DoS, privilege escalation and code execution flaws.

Security experts at Kaspersky Lab discovered that SINUMERIK 808D, 828D and 840D controllers are affected by multiple vulnerabilities.

“The latest updates for SINUMERIK controllers fix multiple security vulnerabilities that could allow an attacker to cause Denial-of-Service conditions, escalate privileges, or to execute code from remote,” reads the security advisory published by Siemens.

“Siemens has released updates for several affected products, is working on updates for the remaining affected products and recommends specific countermeasures until fixes are available. Siemens recommends to update affected devices as soon as possible.”


The most serious flaw, tracked as CVE-2018-11466 and rated with a CVSS score of 10, could be exploited by an unauthenticated attacker on the network to trigger a DoS condition on the integrated software firewall or to execute arbitrary code in the context of the firewall by sending specially crafted packets to TCP port 102.

“Specially crafted network packets sent to port 102/tcp (ISO-TSAP) could allow a remote attacker to either cause a Denial-of-Service condition of the integrated software firewall or allow to execute code in the context of the software firewall,” continues the advisory.

“The security vulnerability could be exploited by an attacker with network access to the affected systems on port 102/tcp. Successful exploitation requires no user privileges and no user interaction. The vulnerability could allow an attacker to compromise confidentiality, integrity and availability of the system.”

Siemens also fixed CVE-2018-11457 in the integrated web server; the flaw can be exploited by a network attacker with access to TCP port 4842 to execute code with elevated privileges by sending specially crafted packets.

“The security vulnerability could be exploited by an attacker with network access to the affected devices on port 4842/tcp. Successful exploitation requires no privileges and no user interaction. The vulnerability could allow an attacker to compromise confidentiality, integrity and availability of the webserver,” continues the advisory.

Another critical flaw, tracked as CVE-2018-11462, could be exploited to elevate privileges, though not to root.

The last critical vulnerability, tracked as CVE-2018-11458, affects the integrated VNC server; it could be exploited to execute arbitrary code with elevated privileges via specially crafted network packets sent to port 5900.

Siemens also fixed three high-severity flaws that allow local code execution, and three medium-severity privilege escalation and DoS bugs.

The good news is that Siemens is not aware of attacks exploiting these flaws.


Pierluigi Paganini

(Security Affairs – Siemens, Sinumerik)

The post Siemens addresses multiple critical flaws in SINUMERIK Controllers appeared first on Security Affairs.

Source: Security affairs

By Waqas

A couple of weeks ago, a hacker going by the online handle of TheHackerGiraffe hacked over 50,000 printers for the sake of promoting PewDiePie’s YouTube channel and urging users to subscribe to his channel. Now, the same hacker has struck again and claims to have hacked over 100,000 printers globally. This time with the help of another […]

This is a post from HackRead.com. Read the original post: PewDiePie fan hacker compromises 100,000 printers

Source: https://www.hackread.com/feed/

Honorees Rus Yusupov (L) and Colin Kroll accept the Breakthrough Award for Emerging Technology onstage at the Variety Breakthrough of the Year Awards during the 2014 International CES at The Las Vegas Hotel & Casino on January 9, 2014 in Las Vegas, Nevada. (credit: Jeff Bottari/Getty Images for Variety)

Colin Kroll, co-founder of the popular smartphone-based trivia game HQ Trivia, was found dead at his New York apartment on Sunday, local media reported.

A New York Police Department spokesman told Ars that Kroll died of a drug overdose.

Citing anonymous police sources, the New York Post says Kroll was found with marijuana and heroin near his body. He was 34.

In 2012, Kroll also co-founded Vine, a popular video looping app that was quickly acquired by Twitter and shuttered four years later.

HQ Trivia issued this tweet on Sunday afternoon:

Fellow co-founder Rus Yusupov also tweeted:

HQ Trivia, a live online game that awards cash prizes, became incredibly popular in the months after its August 2017 debut, but its popularity has since waned.


Source: http://feeds.arstechnica.com/arstechnica/index/

By Uzair Amir

Another day, another email scam. This time, wicked scammers have stolen over $1,000,000 from Save the Children, an international non-governmental organization based in London, United Kingdom. This happened after scammers compromised the email address of one of the Save the Children employees and generated fake invoices and other documents to trick the charity organization into sending 1 million […]

This is a post from HackRead.com. Read the original post: Wicked scammers steal $1 million from Save the Children charity

Source: https://www.hackread.com/feed/

US Secretary of the Interior Ryan Zinke arrives at the US Capitol prior to the service for former President George H. W. Bush on December 03, 2018 in Washington, DC. (credit: Photo by Shawn Thew – Pool/Getty Images)

President Trump announced Friday via Twitter that Interior Secretary Ryan Zinke will step down from his post in the coming weeks. Zinke has headed the Department of the Interior (DOI) since 2017 and overseen some of the more significant rollbacks in environmental policy in the US.

Trump said a successor to Zinke would be named in the coming week. Reuters speculates current Interior Deputy Secretary and former oil, gas, and water industry lobbyist David Bernhardt is a likely candidate for the job. According to Politico, Bernhardt played an active role in weakening endangered species protections to make it easier for oil and gas drilling to occur on ecologically sensitive land.

Zinke’s time in office was marked by a similar effort to stymie the environmental protections put in place by the Obama administration in the name of oil and gas interests. In one of his most controversial moves, Zinke reopened vast tracts of federal waters that had previously been off-limits to offshore oil and gas drilling. The secretary drew sharp criticism for opening up federal waters adjacent to states that didn’t want offshore drilling, while exempting Florida from the same treatment after a meeting with the state’s Republican governor.


Source: http://feeds.arstechnica.com/arstechnica/index/

LIGO’s February 11, 2016, press conference in Washington, DC, where they announced the first direct detection of gravitational waves. (credit: Saul Loeb/AFP/Getty Images)

Just last month, we told you about a small group of Danish physicists who were casting doubt on the original gravitational wave signal detected by the Laser Interferometer Gravitational-Wave Observatory (LIGO), saying it was an “illusion.” The researchers alleged that the collaboration mistook patterns in the noise for a signal. Now Quanta is reporting that two independent analyses have been completed that confirm that detection. This should lay any doubts about the momentous discovery to rest.

“We see no justification for lingering doubts about the discovery of gravitational waves,” the authors of one of the papers, Martin Green and John Moffat of the Perimeter Institute for Theoretical Physics, told Quanta. That paper appeared in Physics Letters B in September. A second paper by Alex Nielsen of the Max Planck Institute for Gravitational Physics in Hannover, Germany, and three coauthors, was posted to the physics preprint site arXiv.org last month and is under review by the Journal of Cosmology and Astroparticle Physics.

But some drama still remains. Andrew Jackson, group spokesman for the skeptical physicists at the Niels Bohr Institute in Copenhagen, Denmark, is refusing to accept the results of the two independent groups’ analyses. Quanta’s Natalie Wolchover writes:


Source: http://feeds.arstechnica.com/arstechnica/index/

U.S. Ballistic Missile Defense Systems Fail Cybersecurity Audit

A US DoD Inspector General’s report revealed that the United States’ ballistic missile defense systems (BMDS) fail to implement cybersecurity requirements.

The U.S. Department of Defense Inspector General published a report this week that revealed a lack of adequate cybersecurity for the protection of the United States’ ballistic missile defense systems (BMDS).

Ballistic missile defense systems are crucial components of the US defense infrastructure; they aim to protect the country from short, medium, intermediate and long-range ballistic missiles.


Experts warn of cyber attacks against these systems launched by nation-state actors.

Back on March 14, 2014, the DoD Chief Information Officer announced DoD plans to implement the National Institute of Standards and Technology (NIST) security controls to improve the cybersecurity of its systems.

More than four years later the situation is worrisome: according to the new DoD report, the BMDS facilities have failed to implement the security controls required by the standard.

“We determined whether DoD Components implemented security controls and processes at DoD facilities to protect ballistic missile defense system (BMDS) technical information on classified networks from insider and external cyber threats,” reads the DoD report.

“We analyzed only classified networks because BMDS technical information was not managed on unclassified networks. The classified networks processed, stored, and transmitted both classified and unclassified BMDS technical information.”

The report states that the BMDS did not implement security controls such as multifactor authentication, vulnerability assessment and mitigation, server rack security, protection of classified data stored on removable media, encryption of transmitted technical information, and physical facility security such as cameras and sensors. Operators at BMDS facilities did not perform routine assessments to verify the level of cybersecurity implemented.

“We determined that officials from … the did not consistently implement security controls and processes to protect BMDS technical information,” continues the report.

In one BMDS facility, users used single-factor authentication for up to 14 days during account creation; in another facility, users were allowed to access a system that does not even support multifactor authentication.

The report also shows failures in patch management for systems in many facilities. At some facilities, vulnerabilities were found that had not been patched since their discovery in 2013.

“Although the vulnerability was initially identified in 2013, the still had not mitigated the vulnerability by our review in April 2018. Of the unmitigated vulnerabilities, the included only in a POA&M and could not provide an explanation for not including the remaining vulnerabilities in its POA&M,” continues the report.

According to the report, facilities were also failing to encrypt data stored on removable devices, and they failed to use systems that kept track of what data was being copied.

“In addition, officials did not encrypt data stored on removable media. The system owner for the [redacted] and the Information System Security Officer for [redacted] stated that their components did not encrypt data stored on removable media because the [redacted] did not require the use of encryption,” continues the report. “Although the [redacted] did not require data stored on removable media to be encrypted, system owners and Information System Security Officers have a responsibility to implement and enforce Federal and DoD cybersecurity policies and procedures for encrypting data stored on removable media. In May 2018, the [redacted] directed [redacted] to begin encrypting data stored on removable media using Federal Information Processing Standard 140-2 certified methods by October 9, 2018, as a condition to operate on the [redacted].”

The report also found physical security issues such as server racks not being locked, open doors to restricted locations, and the absence of security cameras at required locations.

The report also includes the following recommendations:

  • using multifactor authentication;
  • mitigating vulnerabilities in a timely manner;
  • protecting data on removable media;
  • implementing intrusion detection capabilities.


Pierluigi Paganini

(Security Affairs – United States’ ballistic missile defense systems (BMDS), DoD)

The post US ballistic missile defense systems (BMDS) open to cyber attacks appeared first on Security Affairs.

Source: Security affairs

One of Antelope Valley Transit Authority’s 79 electric buses. (credit: Megan Geuss)

California’s Air Resources Board (CARB) unanimously approved a regulation last Friday that would compel the state’s public transit agencies to build zero-emissions fleets by 2040. According to the San Francisco Chronicle, the regulation would also prohibit transit agencies from investing in diesel- or gas-powered buses after 2029. Buses usually last about 12 years before they need to be replaced, the Chronicle noted.

In a press release on Friday, CARB noted that the transportation sector contributes 40 percent of the state’s greenhouse gas emissions, and 80 to 90 percent of the state’s smog-creating pollutants. “Full implementation of the regulation adopted today is expected to reduce greenhouse gas emissions by 19 million metric tons from 2020 to 2050—the equivalent of taking 4 million cars off the road,” CARB wrote.

Battery-electric and fuel cell buses are two potential avenues for investment, CARB noted. The air resources board added that roughly 12,000 gas- or diesel-burning buses are on California’s roads today, but only 153 zero-emissions buses operate in California. Based on orders placed by transit agencies, about a thousand such buses are expected to be in service by 2020.


Source: http://feeds.arstechnica.com/arstechnica/index/

Huawei Watch GT review: When hardware and software don’t mesh

(credit: Valentina Palladino)

Only a handful of wearable operating systems exist today. Dominating the market are watchOS and Wear OS, unsurprisingly so, as they accompany the two most popular smartphone operating systems. But there are a few challengers out there, like Samsung’s Tizen and Fitbit OS, that give users other options.

Variety is good, so I’m always interested in testing out wearables that don’t run the most popular OSes. Huawei’s latest smartwatch, the Huawei Watch GT, falls into this category, as it runs the company’s LiteOS rather than Wear OS. While the Chinese company has primarily focused on its smartphone business this year, going the extra mile to put its own OS on this smartwatch shows that it’s serious about wearables (at least, for the time being).

So what do the Huawei Watch GT and LiteOS have to offer? Essentially, the device is a simplified smartwatch that has all the hardware bells and whistles you’d expect from a high-end Wear OS device or an Apple Watch, things like an AMOLED display, a continuous heart-rate monitor, an embedded GPS, and more. But in practice, its feature set and its real-world abilities don’t exactly match its relatively high $230 price tag.


Source: http://feeds.arstechnica.com/arstechnica/index/