White House warns of possible Russian cyberstrike on US critical infrastructure

US Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger speaking during a March 21 White House daily press briefing. (credit: Getty Images)

The Biden administration on Monday warned that it believes Russian state hackers may step up a cyber offensive that targets US organizations, particularly organizations in the private sector providing critical infrastructure.

Administration officials stressed that they have yet to unearth any evidence of specific cyberattack plans. But in recent weeks, officials have said Kremlin-sponsored strikes on US-based computers and networks were a distinct possibility that security defenders should prepare for. As the US and its allies have ratcheted up sanctions on Russia and the US receives new intelligence assessments, the White House is once again urging vigilance.

Part of Russia’s playbook

“Today, we are reiterating those warnings, and we’re doing so based on evolving threat intelligence, that the Russian government is exploring options for potential cyber attacks on critical infrastructure in the United States,” Anne Neuberger, the White House’s deputy national security advisor for cyber and emerging technology, said during a daily press briefing on Monday.

VS Code Extensions to Increase Developer Productivity

Visual Studio Code is one of the most popular code editors used by software developers. While it has many great features built-in, there are a lot of extensions you can install to increase your productivity. We just published a video on the freeCodeCamp.org YouTube channel that will teach you

SEC will require companies to list greenhouse emissions, climate risks

It can be tough to run a business when your loading dock is under water. (credit: Getty Images)

On Monday, the US Securities and Exchange Commission (SEC) announced new rules about disclosing climate risks for companies listed on US-based stock exchanges. The rules are meant to give investors a clearer sense of how companies manage present and future challenges posed by climate change and by attempts to reduce greenhouse gas emissions. The rules will be published in the Federal Register for public comment shortly. A final version is expected later this year, and the lawsuits are likely to begin afterward.

In the announcement, SEC Chair Gary Gensler said the new rules adhere to the organization’s mission. “Our core bargain from the 1930s is that investors get to decide which risks to take,” he said, “as long as public companies provide full and fair disclosure and are truthful in those disclosures.” Typically, risk disclosure occurs in required formal filings that companies make with the SEC, like quarterly financial statements.

Some companies disclose their risks voluntarily, but the absence of standards allows them significant leeway over what to reveal. And many other companies choose not to disclose anything related to climate.

Starlink helps Ukraine’s elite drone unit target and destroy Russian tanks

Ukrainian Vice Prime Minister Mykhailo Fedorov shared this photo of Starlink user terminals on March 18. (credit: Mykhailo Fedorov)

SpaceX’s Starlink Internet is proving to be useful for Ukraine’s military as it fights the Russian invasion. In an article Friday titled, “Elon Musk’s Starlink helping Ukraine to win the drone war,” The Telegraph described how the satellite connection helps the Ukrainian army’s Aerorozvidka (Aerial Reconnaissance) unit do its work of “using surveillance and attack drones to target Russian tanks and positions.”

The Telegraph wrote:

Amid Internet and power outages, which are expected to get worse, Ukraine is turning to the newly available Starlink system for some of its communications. Drone teams in the field, sometimes in badly connected rural areas, are able to use Starlink to connect them to targeters and intelligence on their battlefield database. They can direct the drones to drop anti-tank munitions, sometimes flying up silently to Russian forces at night as they sleep in their vehicles.

The Ukrainian unit’s “most sophisticated drones are connected using Starlink,” The Times of London wrote. “If we use a drone with thermal vision at night, the drone must connect through Starlink to the artillery guy and create target acquisition,” an Aerorozvidka officer told the paper.

Massive outage brought down most Apple services, including iCloud and iMessage

The Apple Park campus stands in this aerial photograph taken above Cupertino in October 2019. (credit: Sam Hall/Bloomberg via Getty Images)

Apple is experiencing far-reaching network outages that have affected services like Apple Music, iCloud, iMessage, Apple Maps, Apple Card, Apple TV+, the App Store, FaceTime, Siri, and more.

Users began complaining of strange app behavior and outages earlier this morning. For example, searches for locations or requests to initiate driving directions in Apple Maps stopped working completely.

Further, Bloomberg reporter Mark Gurman claimed on Twitter that the outage didn’t just affect services used by consumers—it also affected Apple’s internal tools and services. One Twitter user posted a picture (seen below) of Apple Store employees frantically attempting to keep their store running using pens and paper.

Behold, a password phishing site that can trick even savvy users

When we teach people how to avoid falling victim to phishing sites, we usually advise closely inspecting the address bar to make sure it does contain HTTPS and that it doesn’t contain suspicious domains such as google.evildomain.com or substitute letters such as g00gle.com. But what if someone found a way to phish passwords using a malicious site that didn’t contain these telltale signs?

One researcher has devised a technique to do just that. He calls it a BitB, short for “browser in the browser.” It uses a fake browser window inside a real browser window to spoof an OAuth page. Hundreds of thousands of sites use the OAuth protocol to let visitors log in using their existing accounts with companies like Google, Facebook, or Apple. Instead of having to create an account on the new site, visitors can use an account that they already have—and the magic of OAuth does the rest.

Exploiting trust

The photo editing site Canva, for instance, gives visitors the option to log in using any of three common accounts. The images below show what a user sees after clicking the “sign in” button; following that, the images show what appears after choosing to sign in with a Google password. After the user chooses Google, a new browser window with a legitimate address opens in front of the existing Canva window.

How to Solve freeCodeCamp’s Record Collection Challenge

freeCodeCamp’s JavaScript certification [https://www.freecodecamp.org/learn/javascript-algorithms-and-data-structures/] is filled with hundreds of interactive challenges. But one of the hardest ones to tackle for most beginners is the Record Collection [https://www.freecodecamp.org/learn/javascript-algorithms-and-data-structures/basic-javascript/record-collection] . In this article, I will walk you through Record Collection [https://www.freecodecamp.org/learn/javascript-algorithms-and-data-str
Find the soul