Security News

Apple's T2 security chip is insecure and cannot be fixed, a group of security researchers report. Over the past three years, a handful of hackers have delved into the inner workings of the custom silicon, fitted inside recent Macs, and found that they can use an exploit developed for iPhone jailbreaking, checkm8, in conjunction with a memory controller vulnerability known as blackbird, to compromise the T2 on macOS computers.

According to the NSA incompatibility issues often result in Secure Boot being disabled, which the agency advises against. "Customization enables administrators to realize the benefits of boot malware defenses, insider threat mitigations, and data-at-rest protections. Administrators should opt to customize Secure Boot rather than disable it for compatibility reasons. Customization may - depending on implementation - require infrastructures to sign their own boot binaries and drivers," the NSA says.

The American surveillance super-agency's 39-page explainer [PDF] covers UEFI security and, in particular, how folks can master Secure Boot and avoid switching it off for compatibility reasons. Secure Boot is a mechanism that uses cryptography to ensure you're booting an operating system that hasn't been secretly meddled with; any addition of a bootkit or rootkit should be caught by Secure Boot.

According to Eclypsium researchers, the bug tracked as CVE-2020-10713 could allow attackers to get around these protections and execute arbitrary code during the boot-up process, even when Secure Boot is enabled and properly performing signature verification. "During the parser stage, the configuration values are copied to internal buffers stored in memory. Configuration tokens that are longer in length than the internal buffer size end up leading to a buffer overflow issue. An attacker may leverage this flaw to execute arbitrary code, further hijacking the machine's boot process and bypassing Secure Boot protection. Consequently, it is possible for unsigned binary code to be loaded, further jeopardizing the integrity of the system."

An annoying vulnerability in the widely used GRUB2 bootloader can be potentially exploited by malware or a rogue insider already on a machine to thoroughly compromise the operating system or hypervisor while evading detection by users and security tools. Any system on which GRUB2 can be installed and run at boot-time is potentially vulnerable.

According to BlackBerry, the Tycoon attack can be difficult to detect, thanks to it being written in Java and deployed within its own Runtime Environment. Admins of Cisco Nexus and UCS gear should make sure their firmware is updated with the latest NX-OS fix from Switchzilla.

Boots, a UK pharmacy chain, has suspended payments on the loyalty cards of 14.4 million active customers after its security team spotted "Unusual" activity on a number of Boots Advantage Card accounts. If Boots wasn't hacked, then where did crooks get the credentials that they've evidently used to try to get into people's Advantage Card accounts so they can make fraudulent purchases on what we refer to in the States as "Somebody else's dime?".

It cannot be fixed without replacing the silicon, only mitigated, it is claimed: the design flaw is baked into millions of Intel processor chipsets manufactured over the past five years. Buried deep inside modern Intel chipsets is what's called the Management Engine, or these days, the Converged Security and Manageability Engine.

You guys are hosting a thriving marketplace for shills, charlatans and sockpuppets, the UK's watchdog told Facebook and eBay in June 2019, after finding over 100 eBay listings selling fake reviews and 26 Facebook groups offering to buy or sell them. Specifically, Facebook has booted 188 groups and yanked 24 user accounts, while eBay has permanently banned 140 users.

China-based electronics company Xiaomi said it has fixed a "Cache update" issue for its Xiaomi Mijia smart camera after a Reddit user claims that attempts to view Xiaomi camera footage on his Google Nest Hub instead showed videos of strangers. This security camera can be linked to the Google Nest Hub if users integrate their Google accounts on Xiaomi's Mi Home application.