Chinese drones considered national security threat
The FBI and CISA released new guidance detailing how Chinese-made drones can pose a risk to critical infrastructure, along with best practices to defend against them. This reflects the reality that the Chinese firm DJI dominates the consumer and industrial drone market at the same time that changes to Chinese law give that government broader legal grounds to compel access to domestic company data. The guidance includes basic tips like keeping drone firmware and software patched, but also calls on companies to recognize that installing drones and docking stations inherently increases their attack surface, even with domestically produced models. CISA recommends companies treat drones like any other IoT device: inventory them, segment their network traffic from operational networks, and perform regular log analysis on the traffic they generate.
PixieFail could spell trouble for cloud providers
Researchers at the security firm Quarkslab documented nine vulnerabilities in TianoCore EDK II, the open source reference implementation of the UEFI specification. The vulnerabilities sit in its IPv6 network stack and are reachable during Preboot Execution Environment (PXE) network booting, which is frequently used in large data centers but generally off by default on consumer machines. Because many vendors build on EDK II, the flaws affect firmware from Arm Ltd., Insyde, AMI, Phoenix Technologies, and Microsoft. An attacker on the same local network as a server that PXE-boots over IPv6 could exploit them to tamper with the boot process and run malicious code before the operating system loads. The researchers contacted the impacted companies, but any fix must roll out from those firmware vendors to the OEMs and then to customers, so practitioners should confirm with their hardware supplier whether a patched firmware build is available and disable IPv6 PXE boot where it is not needed.
Have I Been Pwned adds “statistically significant” data leak
Troy Hunt and his leak alert site Have I Been Pwned have seen a lot of leaks, so when he describes one as "statistically significant" you should take notice. The site recently added the Naz.API dataset, which contains 104 gigabytes of data, including 70.8 million unique email addresses with associated plaintext passwords. In sampling, Hunt found that over a third of the listed emails were net new to Have I Been Pwned, something very rare in leak datasets. The dataset appeared on hacker forums four months ago and appears to combine "stealer logs" harvested from compromised machines with much older data recycled from previous leaks. Because infostealer logs capture credentials as they are typed into browsers, organizations should treat any address in the set as having an exposed live password, not just a stale one.
GPUs at risk from LeftoverLocals
The security firm Trail of Bits published a report on a vulnerability in GPUs that could allow an attacker to exfiltrate data from GPU memory. Dubbed LeftoverLocals, the attack lets someone who can already run code on a target machine read leftover contents of the GPU's local memory left behind by other processes, with the researchers recovering up to about 180 megabytes per query in their tests. On a shared machine this could expose data such as the responses being generated by a locally running large language model. Apple, AMD, and Qualcomm confirmed impacted hardware. Apple said its newer M3 and A17 processors contain fixes. Qualcomm said it will release firmware patches. AMD said to expect mitigations in March. The researchers disclosed LeftoverLocals to the Khronos Group and the CERT Coordination Center in September to drive coordinated industry awareness.
(Wired)
Huge thanks to our sponsor, Savvy Security

Learn more at savvy.security/headlines.
Most CSAM online is self-generated
According to a new report from the Internet Watch Foundation, the share of child sexual abuse imagery that is self-generated, as opposed to reshared CSAM, jumped from 66% a year ago to 90% now. Overall the IWF found the number of pages containing CSAM up 8% on the year to 275,655. IWF chief executive Susie Hargreaves cautioned against characterizing this as more CSAM being available overall, since better detection could account for the rise. The foundation used the study to lobby the UK government to push back on end-to-end encryption on messaging platforms.
Shein in China’s cybersecurity crosshairs
The Chinese big tech crackdown might have eased up in recent years, but a visit from the Cyberspace Administration of China when you're about to IPO is still the last thing any Chinese firm is looking forward to. The Wall Street Journal's sources say the agency began investigating the fast fashion giant Shein ahead of its IPO. This will reportedly look into how it handles staff and supplier data, including what data it would have to disclose to US authorities once it goes public. Cybersecurity reviews by the CAC can take months, so it remains unclear how this will impact Shein's IPO plans.
(WSJ)
Infostealers getting past macOS defenses
Researchers with SentinelOne released a report claiming that several active infostealers currently bypass XProtect, macOS's built-in antivirus engine. XProtect relies on signatures of known malware, so it only catches a sample once Apple has written a rule for it, and recent variants of the KeySteal, Atomic Stealer, and CherryPie families still run freely. The researchers note that Apple's own XProtect signature database, which keeps adding rules for these families, shows Apple knows they remain an ongoing problem. Defenders should not rely on XProtect alone and should pair it with behavioral detection and endpoint logging.
Google updates Chrome Incognito mode disclaimer
Earlier this month we covered Google's settlement of a $5 billion class-action lawsuit over misleading language in its Chrome Incognito mode banner. The lawsuit, filed in 2020, claimed Google didn't make it clear that websites and Google itself would still track user data in Incognito mode. In response, Chrome's Canary build now displays a new Incognito mode warning, stating the mode "won't change how data is collected by websites you visit and the services they use, including Google."