Security researcher Marc Rogers (also a BBC contributor) tweeted this morning "I guess theres no hiding it now. We lost Dan Kaminsky yesterday. One of the brightest lights in infosec and probably the kindest soul I knew. The vacuum he leaves behind is impossible to measure. Please keep speculation to yourself and be respectful of his family and friends."

In later tweets, Rogers says he was proud that Kaminsky was his friend, adding "I could literally wrote a book of Dan Kaminsky tales. From shenanigans at events all over the world, to parties and just crazy stuff that happened at the spur of a moment. But most about his crazy brilliant kind generous ideas and offers of help and support. He was one of a kind."

Even the stories in Kaminsky's Wikipedia entry are impressive: He is known among computer security experts for his work on DNS cache poisoning, and for showing that the Sony Rootkit had infected at least 568,200 computers and for his talks at the Black Hat Briefings.

In June 2010, Kaminsky released Interpolique, a beta framework for addressing injection attacks such as SQL injection and cross-site scripting in a manner comfortable to developers.

On June 16, 2010, he was named by ICANN as one of the Trusted Community Representatives for the DNSSEC root.
"Dan was a force of nature," adds Marc Rogers on Twitter. "A hacker who saw not just 1 or 2 moves ahead but so many you sometimes wondered if he was playing the same game: I asked him for a demo. He brought a record turntable he used to move a VM forwards & backwards in time like a DJ scratching."

The Met Office is working with Microsoft to build a weather forecasting supercomputer in the UK. From a report: They say it will provide more accurate weather forecasting and a better understanding of climate change. The UK government said in February 2020 it would invest $1.6bn in the project. It is expected to be one of the top 25 supercomputers in the world when it is up and running in the summer of 2022. Microsoft plans to update it over the next decade as computing improves. "This partnership is an impressive public investment in the basic and applied sciences of weather and climate," said Morgan O'Neill, assistant professor at Stanford University, who is independent of the project. "Such a major investment in a state-of-the-art weather and climate prediction system by the UK is great news globally, and I look forward to the scientific advances that will follow." The Met Office said the technology would increase their understanding of the weather -- and will allow people to better plan activities, prepare for inclement weather and get a better understanding of climate change.

chicksdaddy shares a report from The Security Ledger: Websites for customers of agricultural equipment maker John Deere contained vulnerabilities that could have allowed a remote attacker to harvest sensitive information on the company's customers including their names, physical addresses and information on the Deere equipment they own and operate, The Security Ledger reported. The researcher known as "Sick Codes" published two advisories on Thursday warning about the flaws in the myjohndeere.com website and the John Deere Operations Center website and mobile applications. In a conversation with Security Ledger, the researcher said that a he was able to use VINs (vehicle identification numbers) taken from a farm equipment auction site to identify the name and physical address of the owner. Furthermore, a flaw in the myjohndeere.com website could allow an unauthenticated user to carry out automated attacks against the site, possibly revealing all the user accounts for that site.

Sick Codes disclosed both flaws to John Deere and also to the U.S. Government's Cybersecurity and Infrastructure Security Agency (CISA), which monitors food and agriculture as a critical infrastructure sector. The information obtained from the John Deere websites, including customer names and addresses, could put the company afoul of data security laws like California's CCPA or the Personal Information Protection Act in Deere's home state of Illinois. However, the national security consequences of the company's leaky website could be far greater. Details on what model combines and other equipment is in use on what farm could be of very high value to an attacker, including nation-states interested in disrupting U.S. agricultural production at key junctures, such as during planting or harvest time.

The consolidated nature of U.S. farming means that an attacker with knowledge of specific, Internet connected machinery in use by a small number of large-scale farming operations in the midwestern United States could launch targeted attacks on that equipment that could disrupt the entire U.S. food supply chain, researchers warn. The Agriculture sector and firms that supply it, like Deere, lag other industries in cyber security preparedness and resilience. A 2019 report (PDF) released by Department of Homeland Security concluded that the "adoption of advanced precision agriculture technology and farm information management systems in the crop and livestock sectors is introducing new vulnerabilities" (and that) "potential threats to precision agriculture were often not fully understood or were not being treated seriously enough by the front-line agriculture producers."

Still smarting from last month's dump of phone numbers belonging to 500 million Facebook users, the social media giant has a new privacy crisis to contend with: a tool that, on a massive scale, links Facebook accounts with their associated email addresses, even when users choose settings to keep them from being public. Wired reports: A video circulating on Tuesday showed a researcher demonstrating a tool named Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher -- who said he went public after Facebook said it didn't think the weakness he found was "important" enough to be fixed -- fed the tool a list of 65,000 email addresses and watched what happened next. "As you can see from the output log here, I'm getting a significant amount of results from them," the researcher said as the video showed the tool crunching the address list. "I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts."

The researcher [...] said that Facebook Email Search exploited a front-end vulnerability that he reported to Facebook recently but that "they [Facebook] do not consider to be important enough to be patched." Earlier this year, Facebook had a similar vulnerability that was ultimately fixed. "This is essentially the exact same vulnerability," the researcher says. "And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it."

In a statement, Facebook said: "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings." A Facebook representative didn't respond to a question asking if the company told the researcher it didn't consider the vulnerability important enough to warrant a fix. The representative said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.

ewhac writes: Firefox has long had a built-in PDF viewer, allowing users to view PDF files in the browser without having to install a third-party application. In addition to the other weird things PDF files can contain, one of them is JavaScript. Putatively offered as a way to create self-validating forms, this scripting capability has been abused over the decades in just about every way you can imagine. Firefox's built-in viewer, although it has apparently had the ability to execute embedded JS for some time, never turned that feature on, making it a safe(r) way to open PDFs... Until now. The newly released Firefox version 88 has flipped that switch, and will now blithely execute JavaScript embedded in PDFs. Firefox's main preferences dialog offers no control for turning this "feature" off.

To turn off JavaScript execution in PDFs: Enter about:config in the address bar; click "I'll be careful." In the search box near the top, enter pdfjs.enableScripting. Change the setting to False. Close the page.

FlatEric521 shares a report: Moxie Marlinspike, the founder of the popular encrypted chat app Signal claims to have hacked devices made by the infamous phone unlocking company Cellebrite, which has famously worked with cops to circumvent encryption such as Signal's. In a blog post Wednesday, Marlinspike not only published details about the new exploits for Cellebrite devices but seemed to suggest that Signal's code could be theoretically altered to hack Cellebrite devices en masse. "We were surprised to find that very little care seems to have been given to Cellebrite's own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present," Marlinspike wrote in the post. "Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices."

Marlinspike claims (whether you believe this portion of the post or not is up to you) that while he was on a walk he happened to find a Cellebrite phone unlocking device: "By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters." Along with his colleagues, Marlinspike analyzed the device and found that it included several vulnerabilities that could allow an attacker to include an "otherwise innocuous file in an app" that when it gets scanned by a Cellebrite device exploits it and tampers with the device and the data it can access.

A group of hackers executed a ransomware attack on Hoya, marking the second successful attack suffered by the Japanese firm in two years. From a report: "We can confirm that Hoya Vision Care US has experienced a cyberattack. Based on our initial forensics, the disruption appears to have been limited to our United States systems," a Hoya spokesperson said. "After identifying the threat, we quickly took action to contain it and contacted law enforcement. The company has engaged external experts to determine the nature and scope of this event. We will provide updates as more information becomes available." Hoya, named after the West Tokyo neighborhood where it was founded in 1941, is a glassmaker with about 37,000 employees worldwide and about $5 billion in annual revenue. The company gets last year 65% of its sales from contact lenses and glasses, while the rest comes Information technology devices and services such glass substrate used in the manufacturing of semiconductors and hard disk drives, according to 2020 company's report. The hacker group called Astro Team said on its blog last week that it targeted Hoya servers and stole about 300 gigabytes of confidential corporate data including finance, production, email messages, passwords and safety reports. In 2019, Hoya suffered a major cyberattack, infectong over 100 computers and forcing the company to shut down its factories for three days.

Greg Kroah-Hartman, who is one of the head honchos of the Linux kernel development and maintenance team, has banned the University of Minnesota (UMN) from further contributing to the Linux Kernel. The University had apparently introduced questionable patches into the kernel of Linux. From a report: The UMN had worked on a research paper dubbed "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits". Obviously, the "Open-Source Software" (OSS) here is indicating the Linux kernel and the University had stealthily introduced Use-After-Free (UAF) vulnerability to test the susceptibility of Linux. So far so good perhaps as one can see it as ethical experimenting. However, the UMN apparently sent another round of "obviously-incorrect patches" into the kernel in the form of "a new static analyzer" causing distaste to Greg Kroah-Hartman who has now decided to ban the University from making any further contributions.

wiredmikey shares a report from SecurityWeek: Google late Tuesday shipped another urgent security patch for its dominant Chrome browser and warned that attackers are exploiting one of the zero-days in active attacks. This is the fourth in-the-wild Chrome zero-day discovered so far in 2021 and the continued absence of IOC data or any meaningful information about the attacks continue to raise eyebrows among security experts.

The newest Chrome update -- 90.0.4430.85 -- is available for Windows, Mac and Linux users and is being rolled out via the browser's automatic update mechanism. The vulnerability being exploited is identified as CVE-2021-21224 and simply described as a "type confusion" in the V8 Chrome rendering engine. Google credited the Jose Martinez (tr0y4) from VerSprite Inc. for reporting the vulnerability. "Google is aware of reports that exploits for CVE-2021-21224 exist in the wild," the company said, with no additional details.

An anonymous reader quotes a report from Ars Technica: Hackers backed by nation-states are exploiting critical vulnerabilities in the Pulse Secure VPN to bypass two-factor authentication protections and gain stealthy access to networks belonging to a raft of organizations in the US Defense industry and elsewhere, researchers said. At least one of the security flaws is a zero-day, meaning it was unknown to Pulse Secure developers and most of the research world when hackers began actively exploiting it, security firm Mandiant said in a blog post published Tuesday. Besides CVE-2021-22893, as the zero-day is tracked, multiple hacking groups -- at least one of which likely works on behalf of the Chinese government -- are also exploiting several Pulse Secure vulnerabilities fixed in 2019 and 2020.

Used alone or in concert, the security flaws allow the hackers to bypass both single-factor and multifactor authentication protecting the VPN devices. From there, the hackers can install malware that persists across software upgrades and maintain access through webshells, which are browser-based interfaces that allow hackers to remotely control infected devices. Multiple intrusions over the past six months have hit defense, government, and financial organizations around the world, Tuesday's post reported. Separately, the US Cybersecurity and Infrastructure Security Agency said that targets also include US government agencies, critical infrastructure entities, and other private sector organizations." Mandiant said that it has uncovered "limited evidence" that tied one of the hacker groups to the Chinese government. Dubbed UNC2630, this previously unknown team is one of at least two hacking groups known to be actively exploiting the vulnerabilities. Tuesday's blog post also referred to another previously unseen group that Mandiant is calling UNC2717. In March, the group used malware Mandiant identifies as RADIALPULSE, PULSEJUMP, and HARDPULSE against Pulse Secure systems at a European organization. Pulse Secure on Tuesday published an advisory instructing users how to mitigate the currently unpatched security bug.

An anonymous reader writes: The operators of the REvil ransomware are demanding that Apple pay a ransom demand to avoid having confidential information leaked on the dark web. The REvil crew claims it came into possession of Apple product data after breaching Quanta Computer, a Taiwanese company that is the biggest laptop manufacturer in the world and which is also one of the companies that assemble official Apple products based on pre-supplied product designs and schematics.

The REvil gang posted 21 screenshots depicting Macbook schematics and threatened to publish new data every day until May 1, or until Apple or Quanta pay the ransom demand. The extortion attempt was also perfectly timed for maximum visibility to coincide with the Spring Loaded event, where Apple announced new products and software updates.

Facebook wants you to believe that the scraping of 533 million people's personal data from its platform, and the dumping of that data online by nefarious people, is something to be "normalised." The Register: A blundering Facebook public relations operative managed to send a journalist a copy of an internal document detailing the social network's strategy for containing the leaking of 533 million accounts -- and what the memo contained was infuriating though unsurprising. Belgian tech journalist Pieterjan van Leemputten asked the Mark Zuckerberg-owned company some questions about the theft and dumping online of account data earlier this month.

Miscreants had helped themselves to 70GB of names, phone numbers, dates of birth, email addresses, and more from people's Facebook profiles, thanks to a security weakness in the platform. Having stolen the data in 2019, crims bought and sold it among themselves before one shared it via a Tor-hidden site in early April, inviting anyone to come and help themselves to it all. Yet when van Leemputten asked Facebook's mouthpieces to respond, what he got in return was quite unexpected. As he told The Register: "Facebook accidentally sent me an internal email where they literally state that they will frame the recent 533 million data leak as a 'broad industry issue' and that they want to normalize this." The memo added, "To do this, the team is proposing a follow-up post in the next several weeks that talks more broadly about our anti-scraping work and provides more transparency around the amount of work we're doing in this area."

Now that Apple's lost item finder AirTag has officially been introduced, competitor Tile is going on record ahead of its testimony in front of Congress tomorrow about how it perceives Apple's latest product. In a statement, Tile CEO CJ Prober said today: "Our mission is to solve the everyday pain point of finding lost and misplaced things and we are flattered to see Apple, one of the most valuable companies in the world, enter and validate the category Tile pioneered. The reason so many people turn to Tile to locate their lost or misplaced items is because of the differentiated value we offer our consumers. In addition to providing an industry leading set of features via our app that works with iOS and Android devices, our service is seamlessly integrated with all major voice assistants, including Alexa and Google. And with form factors for every use case and many different styles at affordable prices, there is a Tile for everyone.

Tile has also successfully partnered with top brands like HP, Intel, Skullcandy and fitbit to enable our finding technology in mass market consumer categories like laptops, earbuds and wearables. With over 30 partners, we look forward to extending the benefits of Tile to millions of customers and enabling an experience that helps you keep track of all your important belongings. We welcome competition, as long as it is fair competition. Unfortunately, given Apple's well-documented history of using its platform advantage to unfairly limit competition for its products, we're skeptical. And given our prior history with Apple, we think it is entirely appropriate for Congress to take a closer look at Apple's business practices specific to its entry into this category. We welcome the opportunity to discuss these issues further in front of Congress tomorrow.

Geico, the second-largest auto insurer in the U.S., has fixed a security bug that let fraudsters steal customers' driver's license numbers from its website. From a report: In a data breach notice filed with the California attorney general's office, Geico said information gathered from other sources was used to "obtain unauthorized access to your driver's license number through the online sales system on our website." The insurance giant did not say how many customers were affected by the breach but said the fraudsters accessed customer driver's license numbers between January 21 and March 1. Companies are required to alert the state's attorney general's office when more than 500 state residents are affected by a security incident. Geico said it had "reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name." Many financially driven criminals target government agencies using stolen identities or data. But many U.S. states require a government ID -- like a driver's license -- to file for unemployment benefits. To get a driver's license number, fraudsters take public or previously breached data and exploit weaknesses in auto insurance websites to obtain a customer's driver's license number. That allows the fraudsters to obtain unemployment benefits in another person's name.

The White House unveiled on Tuesday a 100-day plan intended to protect the U.S. power grid from cyber-attacks, mainly by creating a stronger relationship between U.S. national security agencies and the mostly private utilities that run the electrical system. From a report: The plan is among the first big steps toward fulfilling the Biden administration's promise to urgently improve the country's cyber defenses. The nation's power system is both highly vulnerable to hacking and a target for nation-state adversaries looking to counter the U.S. advantage in conventional military and economic power. "The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses," Secretary of Energy Jennifer Granholm said. Although the plan is billed as a 100-day sprint -- which includes a series of consultations between utilities and the government -- it will likely take years to fully implement, experts say. It will ask utilities to pay for and install technology to better detect hacks of the specialized computers that run the country's power systems, known as industrial control systems. The Edison Electric Institute, the trade group that represents all U.S. investor-owned electric companies, praised the White House plan and the Biden administration's focus on cybersecurity. "Given the sophisticated and constantly changing threats posed by adversaries, America's electric companies remain focused on securing the industrial control systems that operate the North American energy grid," said EEI president Tom Kuhn.

AmiMoJo writes: WordPress announced over the weekend that they plan on treating Google's new FLoC tracking technology as a security concern and hence block it by default on WordPress sites. For some time, browsers have begun to increasingly block third-party browser cookies used by advertisers for interest-based advertising. In response, Google introduced a new ad tracking technology called Federated Learning of Cohorts, or FLoC, that uses a web browser to anonymously place users into interest or behavioral buckets based on how they browse the web. After Google began testing FLoC this month in Google Chrome, there has been a consensus among privacy advocates that Google's FLoC implementation just replaces one privacy risk with another one.

"WordPress powers approximately 41% of the web -- and this community can help combat racism, sexism, anti-LGBTQ+ discrimination and discrimination against those with mental illness with four lines of code," says WordPress. WordPress states that this code is planned for WordPress 5.8, scheduled for release in July 2021. As FLoC is expected to roll out sooner, WordPress is considering back-porting this code to earlier versions to "amplify the impact" on current versions of the blogging platform. Further reading: Nobody is Flying To Join Google's FLoC.

As online identity management grows in importance, Mastercard swooped in this morning and bought identity verification company Ekata for $850 million. From a report: Mastercard certainly sees the rapid digital transformation that is happening in online commerce, a move that was accelerated by COVID. It's a transformation that once started isn't likely to change back to the old ways of doing business, even when we get past the pandemic. With Ekata, the company gets a solution that can verify the online identity of a person making the transaction in real time using various signals that can indicate if this is fraudulent or true as they open an account or transact business. The company provides a score and other data that predicts the likelihood this person is who they say they are. It's not unlike a credit risk score, except for identity. That was one of the primary reasons Mastercard decided to acquire Ekata, according to Ajay Bhalla, president of cyber and intelligence solutions at the company. "With the addition of Ekata, we will advance our identity capabilities and create a safer, seamless way for consumers to prove who they say they are in the new digital economy," Bhalla said in a statement.

Long-time Slashdot reader xiando shares news from LinuxReviews: Linux Kernel Runtime Guard (LKRG) is a security module for the Linux kernel developed by Openwall. The latest release adds compatibility with Linux kernels up to soon to be released 5.12, support for building LKRG into kernel images, support for old 32-bit x86 machines and more...

The Linux Kernel Runtime Guard is an out-of-tree kernel module you can install as a kernel module, or, with the 0.9.0 release, build into your Linux kernel. It does run-time integrity checks to detect security vulnerability exploits against the Linux kernel.
An Openwall developer also notes in the announcement that "During LKRG development and testing I've found 7 Linux kernel bugs, 4 of them have CVE numbers."

In 2018 Oracle's Larry Ellison bought the historic Cal Neva Lodge on the scenic north shore of California's Lake Tahoe for $36 million. Then in 2019 Mark Zuckerberg bought a $59 million compound on Lake Tahoe's west shore.

But now a wave of techies are moving in, reports Outside magazine, "freed by COVID from cubicles and work commutes. They migrated, laptops in tow, to mountain towns all over the West, transforming them into modern-day boomtowns: 'Zoom-towns.'" "It's the wildest time," says realtor Katey Brandenburg, who works on Tahoe's Nevada side. For her and other realtors around the lake, the autumn of 2020 felt like winning the lottery. "I paid off a lifetime of debt — 28 years of loans, college, credit cards, and cars — in three months."

All told, 2020 saw more than 2,350 homes sold across the Tahoe Basin, for a boggling $3.28 billion, up from $1.76 billion in 2019, according to data analyzed by Sierra Sotheby's. That $3 billion stat is on a par with 2020 home-sales revenues in Aspen, Colorado (albeit there, the latest average home-sale price came in at $11 million). The trend is in line with real estate records being shattered from Sun Valley, Idaho, to Stowe, Vermont. And according to a just-released market update, it hasn't stopped: in the first quarter of 2021, median prices for single-family homes increased by an astronomical 70 percent year over year in Truckee, 72 percent in South Lake, and 81 percent in Incline Village...

"A disproportionate number of people who purchased homes in Tahoe in 2020 are employees of some of the largest tech companies in the Bay Area," says Deniz Kahramaner, founder of Atlasa, a real estate brokerage firm that specializes in data analytics. Of the 2,280 new-home buyers Atlasa identified throughout the Tahoe region in 2020, roughly 30 percent worked at software companies. The top three employers were Google (54 buyers), Apple (46), and Facebook (34)...

There is, however, one glaring issue with all this rapid, high-priced growth: the people who actually make a mountain town run — the ski instructors and patrollers, lift operators and shuttle drivers, housekeepers and snowcat mechanics, cooks and servers — can no longer afford to live there.
The article does note higher property taxes going toward public services (along with "more money eventually pumping into bars and restaurants.") And it also acknowledges affordable housing has for decades been an issue in tourist towns.

"It's just suddenly on steroids..."

America's top law enforcement agency "obtained a court order that allowed it to remove a backdoor program from hundreds of private Microsoft Exchange servers that were hacked through zero-day vulnerabilities earlier this year," reports CSO. (Thanks to detritus. (Slashdot reader #46,421) for sharing the news...) Earlier this week, the Department of Justice announced that the FBI was granted a search and seizure warrant by a Texas court that allows the agency to copy and remove web shells from hundreds of on-premise Microsoft Exchange servers owned by private organizations. A web shell is a type of program that hackers install on hacked web servers to grant them backdoor access and remote command execution capabilities on those servers through a web-based interface.

In this case, the warrant targeted web shells installed by a cyberespionage group dubbed Hafnium that is believed to have ties to the Chinese government. In early March, Microsoft reported that Hafnium has been exploiting previously unpatched vulnerabilities in Microsoft Exchange to compromise servers. At the same time, the company released patches for those vulnerabilities, as well as indicators of compromise and other detection tools, but this didn't prevent other groups of attackers from exploiting the vulnerabilities after they became public. In its warrant application, dated April 13, the FBI argues that despite the public awareness campaigns by Microsoft, CISA and the FBI itself, many servers remained infected with the web shell deployed by Hafnium. While the exact number has been redacted from the unsealed warrant, the DOJ said in a press release that it was "hundreds."

The FBI asked for, and received court approval, to access the malicious web shells through the passwords set by the original attackers and then use that access against the malware itself by executing a command that will delete the web shell, which is essentially an .aspx script deployed on the server. The FBI was also allowed to make a copy of the web shells first because they could constitute evidence.

The warrant states that it "does not authorize the seizure of any tangible property" or the copying or alteration of any content from the servers aside from the web shell themselves, which are identified in the warrant by their unique file paths. This means the FBI was not granted permission to patch the vulnerabilities to protect the servers from future exploitation or to remove any additional malware or tools that hackers might have already deployed...

The FBI sent an email message from an official email account, including a copy of the warrant, to the email addresses associated with the domain names of the infected servers.
An official statement from the Department of Justice is already using the past tense, announcing that U.S. authorities "have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States. They were running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level email service."