Encryption

Report Finds Phone Network Encryption Was Deliberately Weakened (vice.com) 83

A weakness in the algorithm used to encrypt cellphone data in the 1990s and 2000s allowed hackers to spy on some internet traffic, according to a new research paper. Motherboard: The paper has sent shockwaves through the encryption community because of what it implies: The researchers believe that the mathematical probability of the weakness being introduced on accident is extremely low. Thus, they speculate that a weakness was intentionally put into the algorithm. After the paper was published, the group that designed the algorithm confirmed this was the case. Researchers from several universities in Europe found that the encryption algorithm GEA-1, which was used in cellphones when the industry adopted GPRS standards in 2G networks, was intentionally designed to include a weakness that at least one cryptography expert sees as a backdoor. The researchers said they obtained two encryption algorithms, GEA-1 and GEA-2, which are proprietary and thus not public, "from a source." They then analyzed them and realized they were vulnerable to attacks that allowed for decryption of all traffic.

When trying to reverse-engineer the algorithm, the researchers wrote that (to simplify), they tried to design a similar encryption algorithm using a random number generator often used in cryptography and never came close to creating an encryption scheme as weak as the one actually used: "In a million tries we never even got close to such a weak instance," they wrote. "This implies that the weakness in GEA-1 is unlikely to occur by chance, indicating that the security level of 40 bits is due to export regulations." Researchers dubbed the attack "divide-and-conquer," and said it was "rather straightforward." In short, the attack allows someone who can intercept cellphone data traffic to recover the key used to encrypt the data and then decrypt all traffic. The weakness in GEA-1, the oldest algorithm developed in 1998, is that it provides only 40-bit security. That's what allows an attacker to get the key and decrypt all traffic, according to the researchers.

The Internet

Major Australian Banks, US Airlines Briefly Hit By Widespread Internet Outages (reuters.com) 21

Websites of dozens of financial institutions and airlines in Australia and the United States were briefly down on Thursday, in the second major blackout in just over a week caused by a glitch in an important piece of internet infrastructure. From a report: Server-related glitches at content delivery network provider Akamai had hampered services at Australian banks, while many U.S. airlines, including American Airlines and Southwest Airlines, also reported an hour-long outage. The disruption linked to technical issues at Akamai follows an outage at rival Fastly that affected a number of popular websites last week. The impacted platform is now up and running, an Akamai spokesperson said, adding that the company was "continuing to validate services." The outage was caused by a bug in Akamai's software that has since been fixed, and was not caused by a cyber-attack or vulnerability, the spokesperson added.

Privacy

Hackers Are Selling Data Stolen From Audi and Volkswagen (vice.com) 22

On Friday, Volkswagen disclosed a data breach that it said affected 3.3 million customers and interested buyers. On Monday, hackers put the data stolen from the car maker on sale on a notorious hacking forum. From a report: In the sales listing reviewed by Motherboard, a hacker that goes by 000 wrote that the data included email addresses and Vehicle Identification Numbers (VIN). The hacker also posted two samples of the data, which included full names, email addresses, mailing addresses, and phone numbers. The type of data seems to align with what Volkswagen admitted was stolen. In a website set up by a cybersecurity vendor on behalf of the car maker, Volkswagen said that "the majority" of affected data included: "first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color and trim packages."

But for 90,000 victims, the data also included "more sensitive information relating to eligibility for a purchase, loan, or lease. Nearly all of the more sensitive data (over 95%) consists of driver's license numbers," according to the company, which added that the majority of data pertains to Audi customers and interested buyers in the US and Canada only. The company also said it believes the data was left unsecured by a vendor. (Audi is owned by the Volkswagen Group.) "There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers," the website read.

Businesses

The Global Chip Shortage is Creating a New Problem: More Fake Components (zdnet.com) 72

Industry analysts believe that the global chip shortage is creating the perfect environment for counterfeit semiconductors to enter the market. From a report: With demand looking unlikely to calm down, analyst firm Gartner estimates that the semiconductor shortage will last well into 2022, and has warned equipment manufacturers that wafer orders could come with up to 12 months of lead time in the coming months. For some companies, this will mean finding an alternative way of stocking up on chips or shutting down production lines. In other words, the current times are opening up a golden opportunity for electronic component counterfeiters and fraudsters to step in. "If next week, you need to get 5,000 parts or your line will shut down, you will be in a situation of distress purchase and you will put your guard down," Diganta Das, a researcher in counterfeit electronics at the Center for Advanced Life Cycle Engineering (CALCE), tells ZDNet. "You won't keep to your rules of verifying the vendor or going through test processes. This is likely to become a big problem."

As part of his research, Das regularly monitors counterfeit reporting databases like ERAI, and although it is too early to notice a surge, he is confident that the number of reports will start growing in the next six months as companies realize they have been sold illegal parts. The problem, of course, is unlikely to affect tech giants whose reliance on semiconductors is such that they have implemented robust supply chains, and will typically only purchase components directly from chip manufacturers. Those at risk rather include low-volume manufacturers whose supply chain for semiconductors is less established -- but it could include companies in sectors that are as critical as defense, healthcare and even automotive.

Transportation

Southwest Airlines Delays and Cancels Flights for a Third Day (nytimes.com) 22

Hundreds of Southwest Airlines flights were delayed or canceled again on Wednesday as the company sought to resolve disruptions from earlier in the week amid a pickup in summer travel. From a report: The headaches for Southwest, which is widely credited for pioneering the low-fare airline business model, began on Monday night, when a problem with a weather data supplier prevented the airline from safely flying planes. The issue was resolved within hours, but on Tuesday the airline suffered its own technological problems, resulting in half of its flights that day being delayed and many being canceled, according to FlightAware, a flight tracking service. Spillover from that episode caused Wednesday's problems, the airline said. About 10 percent of Southwest's flights were canceled and another 19 percent were delayed by midafternoon, according to FlightAware.

"While our technology issues from Tuesday have been resolved, we are still experiencing a small number of cancellations and delays across our network as we continue working to resume normal operations," Dan Landson, a Southwest spokesman, said in a statement. Southwest said on Tuesday that it was having problems with "network connectivity." Mr. Landson said that those troubles were unrelated to the weather data problems from Monday and that there was no indication the airline's computer systems had been breached or hacked. The flight disruptions came at a critical time for a company celebrating its 50th year.

IT

Southwest Airlines Cancels 500 Flights After Computer Glitch Grounds Fleet (reuters.com) 32

Southwest Airlines said on Tuesday it canceled about 500 flights and delayed hundreds of others after it was forced to temporarily halt operations over a computer issue -- the second time in 24 hours it had been forced to stop flights. From a report: The Federal Aviation Administration said it had issued a temporary nationwide groundstop at the request of Southwest Airlines to resolve a computer reservation issue. The groundstop lasted about 45 minutes, and ended at 2:30 p.m. EDT (1830 GMT), it said. Southwest said its operations were returning to normal. The issue was the result of "intermittent performance issues with our network connectivity." Southwest delayed nearly 1,300 flights on Tuesday, or 37% of its flights, according to flight tracker FlightAware.

Encryption

The Android Messages App Now Offers End-To-End Encryption (engadget.com) 55

Along with a string of new features across several areas of Android, Google is at last turning on end-to-end encryption (E2EE) for everyone in the Messages app. Beta testers have been able to use E2EE messaging since November. From a report: E2EE in Messages is only available in one-on-one conversations for the time being, not group chats. Both participants need to have RCS chat features enabled to use it. You'll know if a message you're about to send will be encrypted if you see a lock icon on the send button.

Privacy

Irish Police To Be Given Powers Over Passwords (bbc.com) 164

Irish police will have the power to compel people to provide passwords for electronic devices when carrying out a search warrant under new legislation. From a report: The change is part of the Garda Siochana Bill published by Irish Justice Minister Heather Humphreys on Monday. Gardai will also be required to make a written record of a stop and search. This will enable data to be collected so the effectiveness and use of the powers can be assessed. Special measures will be introduced for suspects who are children and suspects who may have impaired capacity. The bill will bring in longer detention periods for the investigation of multiple offences being investigated together, for a maximum of up to 48 hours. It will also allow for a week's detention for suspects in human trafficking offences, which are currently subject to a maximum of 24 hours detention.

Google

Google Will Let Enterprises Store Their Google Workspace Encryption Keys (techcrunch.com) 26

As ubiquitous as Google Docs has become in the last year alone, a major criticism often overlooked by the countless workplaces that use it is that it isn't end-to-end encrypted, allowing Google -- or any requesting government agency -- access to a company's files. But Google is finally addressing that key complaint with a round of updates that will let customers shield their data by storing their own encryption keys. From a report: Google Workspace, the company's enterprise offering that includes Google Docs, Slides and Sheets, is adding client-side encryption so that a company's data will be indecipherable to Google. Companies using Google Workspace can store their encryption keys with one of four partners for now: Flowcrypt, Futurex, Thales or Virtru, which are compatible with Google's specifications. The move is largely aimed at regulated industries -- like finance, healthcare and defense -- where intellectual property and sensitive data are subject to intense privacy and compliance rules.

Google

Google's AirTable Rival, Tables, Graduates From Beta (techcrunch.com) 20

Last fall, Google's in-house incubator Area 120 introduced a new work-tracking tool called Tables, an AirTable (a San Francisco-based startup that makes cloud-based spreadsheet collaboration software and is valued at $5.77 billion) rival that allows for tracking projects more efficiently using automation. Today, Google says Tables will officially "graduate" from Area 120 to become an official Google product by joining Google Cloud, which it expects to complete in the next year. From a report: The Tables project was started by long-time Google employee, now Tables' GM Tim Gleason, who spent 10 years at the company and many more before that in the tech industry. He said he was inspired to work on Tables because he always had a difficult time tracking projects, as teams shared notes and tasks across different documents, which quickly got out of date.

[...] Another factor that prompted Tables' adoption was how quickly people could be productive, thanks in part to its ability to integrate with existing data warehouses and other services. Currently, Tables supports Office 365, Microsoft Access, Google Sheets, Slack, Salesforce, Box and Dropbox, for example. Tables was one of only a few Area 120 projects to launch with a paid business model, along with ticket seller Fundo, conversational ads platform AdLingo and Google's recently launched Orion WiFi. During its beta, an individual could use Tables for free, with support for up to 100 tables and 1,000 rows. The paid plan was supposed to cost $10 per user per month, with support for up to 1,000 tables and 10,000 rows. This plan also included support for larger attachments, more actions and advanced history, sharing, forms, automation and views.

Security

G7 Calls on Russia To Crack Down on Ransomware Gangs (therecord.media) 58

In light of the recent wave of high-profile ransomware attacks that have caused havoc in the US and Europe, the member states of the G7 group have called on Russia and other countries to crack down on ransomware gangs operating within their borders. From a report: "We call on all states to urgently identify and disrupt ransomware criminal networks operating from within their borders, and hold those networks accountable for their actions," the G7 group said in a communique published on Sunday, at the end of a three-day conference held in Cornwall, UK. "In particular, we call on Russia [...] to identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes," the G7 group added.

The joint statement was signed by the governments of Canada, France, Germany, Italy, Japan, the UK, and the US -- more commonly known as the Group of Seven (G7). It comes after a series of ransomware attacks that caused disruptions at hospitals during the COVID-19 pandemic, fuel outages on the US East Coast following the Colonial Pipeline attack, and beef supply issues across Australia and the US following the JBS Foods ransomware incident.

Security

Ransomware Attack Targeted Teamsters Union in 2019. But They Just Refused to Pay (nbcnews.com) 149

NBC reports that America's "Teamsters" labor union was hit by a ransomware attack demanding $2.5 million back in 2019.

"But unlike many of the companies hit by high-profile ransomware attacks in recent months, the union declined to pay, despite the FBI's advice to do so, three sources familiar with the previously unreported cyberattack told NBC News." Personal information for the millions of active and retired members was never compromised, according to a Teamsters spokesperson, who also said that only one of the union's two email systems was frozen along with other data. Teamsters officials alerted the FBI and asked for help in identifying the source of the attack. They were told that many similar hacks were happening and that the FBI would not be able to assist in pursuing the culprit.

The FBI advised the Teamsters to "just pay it," the first source said. "They said 'this is happening all over D.C. ... and we're not doing anything about it,'" a second source said.

Union officials in Washington were divided over whether to pay the ransom — going so far as to bargain the number down to $1.1 million, according to the sources — but eventually sided with their insurance company, which urged them not to pony up... The Teamsters decided to rebuild their systems, and 99 percent of their data has been restored from archival material — some of it from hard copies — according to the union's spokesperson.

The FBI's communications office did not reply to repeated requests for comment. The FBI's stance is to discourage ransomware payments.

NBC News draws a lesson from the fact that it took nearly two years for this story to emerge. "An unknown number of companies and organizations have been extorted without ever saying a word about it publicly."

Encryption

Why Quantum Computers Won't End Up Cracking Bitcoin Wallets (cnbc.com) 91

"Within a decade, quantum computers could be powerful enough to break the cryptographic security that protects cell phones, bank accounts, email addresses and — yes — bitcoin wallets," writes CNBC.

But fortunately, that would happen only if we do nothing in the meantime, they're told by Thorsten Groetker, former Utimaco CTO "and one of the top experts in the field of quantum computing." Crypto experts told CNBC they aren't all that worried about quantum hacking of bitcoin wallets for a couple of different reasons. Castle Island Ventures founding partner Nic Carter pointed out that quantum breaks would be gradual rather than sudden. "We would have plenty of forewarning if quantum computing was reaching the stage of maturity and sophistication at which it started to threaten our core cryptographic primitives," he said. "It wouldn't be something that happens overnight."

There is also the fact that the community knows that it is coming, and researchers are already in the process of building quantum-safe cryptography. "The National Institute of Science and Technology (NIST) has been working on a new standard for encryption for the future that's quantum-proof," said Fred Thiel, CEO of cryptocurrency mining specialist Marathon Digital Holdings. NIST is running that selection process now, picking the best candidates and standardizing them.

"It's a technical problem, and there's a technical solution for it," said Groetker. "There are new and secure algorithms for digital signatures. ... You will have years of time to migrate your funds from one account to another." Groetker said he expects the first standard quantum-safe crypto algorithm by 2024, which is still, as he put it, well before we'd see a quantum computer capable of breaking bitcoin's cryptography. Once a newly standardized post-quantum secure cryptography is built, Groetker said, the process of mass migration will begin. "Everyone who owns bitcoin or ethereum will transfer [their] funds from the digital identity that is secured with the old type of key, to a new wallet, or new account, that's secured with a new type of key, which is going to be secure," he said.

There will still be the problem of users who forget their password or died without sharing their key.

But in those scenarios, CNBC suggests, "an organization could lock down all accounts still using the old type of cryptography and give owners some way to access it."

Bug

Patch Released for 7-Year-Old Privilege Escalation Bug In Linux Service Polkit (github.blog) 39

Long-time Slashdot reader wildstoo writes: In a blog post on Thursday, GitHub security researcher Kevin Backhouse announced that Polkit, a Linux system service included in several modern Linux distros that provides an organized way for non-privileged processes to communicate with privileged ones, has been harbouring a major security bug for seven years.

The bug, assigned CVE-2021-3560, allows a non-privileged user to gain administrative shell access with a handful of standard command line tools. The bug was fixed on June 3, 2021 in a coordinated disclosure.

"It's used by systemd," GitHub's blog post points out, "so any Linux distribution that uses systemd also uses polkit..."

"It's very simple and quick to exploit, so it's important that you update your Linux installations as soon as possible. Any system that has polkit version 0.113 (or later) installed is vulnerable. That includes popular distributions such as RHEL 8 and Ubuntu 20.04."

Security

Phishing Sites Reached All-Time High In January 2021 (therecord.media) 5

The number of active phishing sites hit a record number earlier this year in January, according to an industry report published this week by the Anti-Phishing Working Group (APWG). The Record reports: A total of 245,771 phishing sites were detected in January. The number represents the unique base URLs of phishing sites found and reported by APWG members. The APWG is an industry coalition made up of more than 2,200 organizations from the cyber-security industry, government, law enforcement, and NGOs sector, which includes some big names such as Microsoft, Facebook, PayPal, ICANN, AT&T, Comcast, Digicert, Cloudflare, Cisco, Salesforce, RSA, Verisign, ESET, McAfee, Avast, Symantec, Trend Micro, PhishLabs, Agari, Cofense, and many others. APWG experts noted that while the number of phishing sites declined in February, the next month, in March, the number of phishing sites jumped above 200,000 again, amounting to the fourth-worst month in APWG's reporting history.

The industry vertical most targeted in phishing attacks in Q1 remained the financial sector, which saw almost a quarter of all phishing attempts. Second was social media, with cybercrime groups attempting to hijack social media accounts to resell online on specialized marketplaces, according to the APWG report (PDF). Furthermore, around 83% of all phishing sites seen in Q1 2020 were also hosted on an HTTP-based connection. This finding reinforces a piece of well-known cybersecurity advice that if a website is loaded via HTTPS, it doesn't mean it's secure, but merely that its traffic can't be easily intercepted.

Apple

Apple Says Its New Logon Tech is as Easy as Passwords But Far More Secure (cnet.com) 144

Apple has begun testing passkeys, a new authentication technology it says are as easy to use as passwords but vastly more secure. Part of iCloud Keychains, a test version of the technology will come with iPhones, iPads and Macs later this year. From a report: To set up an account on a website or app using a passkey, you first choose a username for the new account, then use FaceID or Touch ID to confirm that it's really you who's using the device. You don't ever pick a password. Your device handles generation and storage of the passkey, which iCloud Keychain synchronizes across all your Apple devices.

To use the passkey for authentication later, you'll be prompted to confirm your username and verify yourself with FaceID or Touch ID. Developers must update their login procedures to support passkeys, but it's an adaptation of the existing WebAuthn technology. "Because it's just a single tap to sign in, it's simultaneously easier, faster and more secure than almost all common forms of authentication today," Garrett Davidson, an Apple authentication experience engineer, said Wednesday at the company's annual WWDC developer conference.

Google

Google Abandons Experiment To Show Simplified Domain URLs in Chrome (therecord.media) 56

Google's experiment to hide parts of a site's URL in the Chrome address bar (the Omnibox) has failed and was removed from the browser earlier this week. From a report: The experiment ran from June 2020 to June 2021. It consisted of a series of options that Google added to the chrome://flags options page that, when enabled, only showed the main domain name of a site (therecord.media) instead of the full page URL (therecord.media/category/article/title).

Security

McDonald's Hit by Data Breach (wsj.com) 43

McDonald's said hackers stole some data from its systems in markets including the U.S., South Korea and Taiwan, in another example of cybercriminals infiltrating high-profile global companies. From a report: The burger chain said Friday that it recently hired external consultants to investigate unauthorized activity on an internal security system, prompted by a specific incident in which the unauthorized access was cut off a week after it was identified, McDonald's said. The investigators discovered that company data had been breached in markets including the U.S., South Korea and Taiwan, the company said. In a message to U.S. employees, McDonald's said the breach disclosed some business contact information for U.S. employees and franchisees, along with some information about restaurants such as seating capacity and the square footage of play areas.

The company said no customer data was breached in the U.S., and that the employee data exposed wasn't sensitive or personal. The company advised employees and franchisees to watch for phishing emails and to use discretion when asked for information. McDonald's said attackers stole customer emails, phone numbers and addresses for delivery customers in South Korea and Taiwan. In Taiwan, hackers also stole employee information including names and contact information, McDonald's said. The company said the number of files exposed was small without disclosing the number of people affected. The breach didn't include customer payment information, McDonald's said.

Security

Hackers Explain How They Stole Wealth of Data From EA (vice.com) 50

The group of hackers that stole a wealth of data from game publishing giant Electronic Arts broke into the company in part by tricking an employee over Slack to provide a login token, Motherboard reported Friday. From the report: The group stole the source code for FIFA 21 and related matchmaking tools, as well as the source code for the Frostbite engine that powers games like Battlefield and other internal game development tools. In all, the hackers claim they have 780GB of data, and are advertising it for sale on various underground forums. EA previously confirmed the data impacted in the breach to Motherboard.

A representative for the hackers told Motherboard in an online chat that the process started by purchasing stolen cookies being sold online for $10, and using those to gain access to a Slack channel used by EA. In this case, the hackers were able to get into EA's Slack using the stolen cookie. "Once inside the chat we messaged a IT Support members we explain to them we lost our phone at a party last night," the representative said.

Security

Volkswagen Says a Vendor's Security Lapse Exposed 3.3 Million Drivers' Details (techcrunch.com) 23

Volkswagen says more than 3.3 million customers had their information exposed after one of its vendors left a cache of customer data unsecured on the internet. From a report: The car maker said in a letter that the vendor, used by Volkswagen, its subsidiary Audi, and authorized dealers in the U.S. and Canada, left the customer data spanning 2014 to 2019 unprotected over a two-year window between August 2019 and May 2021. The data, which Volkswagen said was gathered for sales and marketing, contained personal information about customers and prospective buyers, including their name, postal and email addresses, and phone number. But more than 90,000 customers across the U.S. and Canada also had more sensitive data exposed, including information relating to loan eligibility. The letter said most of the sensitive data was driver's license numbers, but that a "small" number of records also included a customer's date of birth and Social Security numbers.
