source: wired.com

AT ITS ANNUAL worldwide threat assessment hearing on Tuesday, top intelligence officials gave the Senate Intelligence Committee a rundown of the dangers the United States will face in 2019 and beyond. The adversaries were familiar, with China, Russia, North Korea, and Iran mentioned alongside evolving situations like Brexit and the power struggle in Venezuela. But if any common theme emerged, it's the number of assessments the officials shared that seem to directly contradict positions touted by the Trump administration.

That tension hinted at another threat, one that didn't come up directly in Tuesday's hearing but appeared prominently in a report last week from director of national intelligence Dan Coats: that various recent actions by the United States may be undermining its own security.

That report, the "National Intelligence Strategy," usually has both a public and classified version. But this year, ODNI elected to create only one public document in an effort, Coats said in remarks announcing the report, to promote transparency about intelligence community activities and goals. While similar in many ways to the Worldwide Threat Assessment ODNI released alongside Tuesday's Senate hearing, last week's NIS took more direct aim at the abstract, yet fundamental threat of a shifting geopolitical order.

"Traditional adversaries will continue attempts to gain and assert influence, taking advantage of changing conditions in the international environment—including the weakening of the post-WWII international order and dominance of Western democratic ideals, increasingly isolationist tendencies in the West, and shifts in the global economy," last week's report said.

This simple statement can also be read as a bombshell, articulating a trend that most politicians would be wary of admitting publicly. That isolationism stems in large part from Trump; his trade war with China has caused ripples in the global economy. But in Tuesday's Senate testimony, intelligence officials including Coats, NSA director Paul Nakasone, CIA director Gina Haspel, and FBI director Christopher Wray brought none of that up directly.


"ISIS very likely will continue to pursue external attacks from Iraq and Syria against regional and Western adversaries."

DAN COATS, DIRECTOR OF NATIONAL INTELLIGENCE

The hearing instead focused on questions from senators about anti-terrorism efforts, nuclear proliferation, infrastructure hacking, and foreign intelligence and counter-intelligence gathering. The discussion also touched on questions about defending big data and information-gathering risks from digital manipulations like "deepfakes," compelling videos created by machine-learning programs that seem to depict something that didn't actually happen.

source: threatpost.com

Researchers show how rogue web applications can be used to attack vulnerable browser extensions in a hack that gives adversaries access to private user data.

Researchers have added another reason to be suspicious of web browser extensions. According to a recently published academic report, various Chrome, Firefox and Opera browser extensions can be compromised by an adversary that can steal sensitive browser data and plant arbitrary files on targeted systems.

“We identified a good number of extensions that can be exploited by web applications to benefit from their privileged capabilities,” wrote Université Côte d’Azur researcher Dolière Francis Somé, in an academic paper titled Empowering Web Applications with Browser Extensions (PDF).

A web application is a client-server computer program that a computing device runs in a web browser – such as an online form or browser-based word processor. That’s separate from a browser extension – a small software add-on for customizing a web browser with something like an ad-blocker or a web-clipping tool.

“[Browser extensions] have access to sensitive user information, including browsing history, bookmarks, credentials (cookies) and list of installed extensions,” Somé pointed out. “They have access to a permanent storage in which they can store data as long as they are installed in the user’s browser. They can trigger the download of arbitrary files and save them on the user’s device.”

That access is not available to ordinary web applications, which are subject to the Same Origin Policy (SOP), a browser rule that bars an app from reading and writing user data across domains. The research, however, demonstrates how a specially crafted web application can bypass SOP protections by exploiting privileged browser extensions.
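To make the distinction concrete, here is an added illustration, not code from the paper or from any real extension, of the pattern the research describes: an extension background script that answers messages from web pages. The first listener acts on whatever any page asks, so a rogue site inherits the extension's privileged access; the second checks the sender's origin against an allowlist and exposes only a fixed set of operations. `chrome.runtime.onMessageExternal` and the `sender.url` field are real Chrome extension APIs; `ALLOWED_ORIGINS`, the message format, the storage object and the simulated sender objects are assumptions constructed for the example.

```javascript
// Added example (not from the paper or any real extension): a background
// script that answers messages from web pages. ALLOWED_ORIGINS, the message
// format, the storage object and the simulated senders are all constructed here;
// chrome.runtime.onMessageExternal and sender.url are real Chrome extension APIs.

// Origins permitted to talk to the extension (assumption for the example).
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Fixed set of operations exposed to trusted pages; nothing else is reachable.
const OPERATIONS = {
  getSetting: (args, storage) => storage.settings[args.key],
};

// Origin (scheme + host + port) of the sending page, or null when the URL is
// missing, unparseable, or not an http(s) page.
function senderOrigin(sender) {
  if (!sender || typeof sender.url !== "string") return null;
  let url;
  try {
    url = new URL(sender.url);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.origin;
}

// Exact-match check: a lookalike such as "https://app.example.com.evil.test"
// does not pass, which a naive prefix or substring test would allow.
function isTrustedSender(sender) {
  const origin = senderOrigin(sender);
  return origin !== null && ALLOWED_ORIGINS.has(origin);
}

// VULNERABLE pattern: the listener never looks at who is asking, so any page
// that can reach the extension inherits its privileges.
function insecureHandler(message, sender, storage) {
  if (message.action === "readHistory") return storage.history;            // leaks browsing history
  if (message.action === "download") return { downloaded: message.url }; // writes a page-chosen file
  const op = OPERATIONS[message.action];
  return typeof op === "function" ? op(message.args ?? {}, storage) : undefined;
}

// HARDENED pattern: authenticate the sender first, then dispatch only to
// operations the extension deliberately exposes (own properties only, so
// inherited names like "constructor" are not reachable).
function secureHandler(message, sender, storage) {
  if (!isTrustedSender(sender)) return { error: "untrusted origin" };
  if (!Object.prototype.hasOwnProperty.call(OPERATIONS, message.action)) {
    return { error: "unsupported operation" };
  }
  return OPERATIONS[message.action](message.args ?? {}, storage);
}

// Constructed stand-in for the extension's privileged state.
const fakeStorage = {
  history: ["https://bank.example/", "https://mail.example/"],
  settings: { theme: "dark" },
};

// Constructed senders: one from an allowlisted page, one from a lookalike domain.
const trustedSender = { url: "https://app.example.com/dashboard?tab=1" };
const rogueSender = { url: "https://app.example.com.evil.test/" };

// Runs both handlers against both senders and returns the outcomes.
function demo() {
  const readHistory = { action: "readHistory" };
  const getTheme = { action: "getSetting", args: { key: "theme" } };
  return {
    insecureLeak: insecureHandler(readHistory, rogueSender, fakeStorage),
    secureBlocked: secureHandler(readHistory, rogueSender, fakeStorage),
    secureNoHistory: secureHandler(readHistory, trustedSender, fakeStorage),
    secureAllowed: secureHandler(getTheme, trustedSender, fakeStorage),
  };
}

// Wiring that only exists inside an extension background script; skipped
// when the file is run under Node for the demonstration.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    sendResponse(secureHandler(message, sender, fakeStorage));
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

Two practical notes. In Chrome, `onMessageExternal` only fires for pages matched by the manifest's `externally_connectable` key, so that key is the first allowlist and the origin check above is the second; declaring broad patterns there is what turns a page into a "privileged" caller. The same check applies when a content script relays `window.postMessage` events to the background page: compare `event.origin` exactly against the allowlist rather than accepting every message on the page.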

source: securityintelligence.com

University of Maryland researchers warn that with limited resources, threat actors could launch a successful cyberattack on Google’s bot-detecting reCaptcha service.

In an academic paper detailing their findings, the researchers discuss how they created a tool called unCaptcha, which uses audio files in conjunction with artificial intelligence (AI) technologies such as speech-to-text software to bypass the Google security mechanism.

Over more than 450 tests, the unCaptcha tool defeated reCaptcha with 85 percent accuracy in 5.42 seconds, on average. This study proved that threat actors could potentially break into web-based services, pursue automated account creation and more.

How Researchers Got Around reCaptcha

Online users will recognize reCaptcha as a small box that appears on many websites when signing up or logging in to digital services. Website visitors are typically asked to solve a challenge to prove they’re human, whether it’s typing in letters next to a distorted rendering of the letters, answering a question or clicking on images.

In this case, the University of Maryland researchers took advantage of the fact that Google’s system offers an audio version of its challenges for those who may be visually impaired. The attack method involved navigating to Google’s reCaptcha demo site, finding the audio challenge and downloading it, then putting it through a speech-to-text engine. After an answer had been parsed, it could be typed in and submitted.

While Google initially responded by creating a new version of reCaptcha, the researchers did the same thing with unCaptcha and were even more successful. In an interview with BleepingComputer, one of the researchers said the new version had a success rate of around 91 percent after more than 600 attempts.

Securing the Web Without CAPTCHAs

The research paper recommends a number of possible countermeasures to a tool such as unCaptcha, including broadening the sound bytes of reCaptcha audio challenges and adding distortion. CAPTCHAs are far from the only option available to protect digital services, however.

IBM Security experts, for example, discussed the promise of managed identity and access management (IAM), which allows organizations to not only protect online services with additional layers of security, but also have a third party deal with operational chores such as patching and resolving upcoming incidents. If a group of academics can automate attacks on CAPTCHA systems this successfully, it may be time for security leaders and their teams to look for something more sophisticated.

source: cnet.com

The company's got a lot of problems to fix.

When Apple warned earlier this month that sales over the holidays were as much as 11 percent lower than expected, it was a shock. Now it looks like a trend.

On Tuesday, Apple forecast sales of between $55 billion and $59 billion for the second fiscal quarter, compared with average Wall Street estimates of about $59 billion. The forecast follows disappointing fiscal first-quarter revenue the company reported in its results.

The sales forecast is the latest data point for Apple watchers, who for years have wondered when iPhone sales would hit a theoretical limit for how many million could be sold every quarter. Now it seems they might have an answer.

Apple is estimated to have sold 66.6 million iPhones in its first fiscal quarter, which ended Dec. 29, down 15 percent from a year earlier, according to Bernstein analyst Toni Sacconaghi. Apple stopped publishing unit sales, meaning there's no official account for the number of iPhones, iPads or Macs sold. The company said it tallied nearly $52 billion in iPhone sales, down 15 percent from the same time a year ago.

It's unclear what's caused Apple to hit the wall. Some analysts blame the company's high iPhone prices. Apple now charges more for many of its phones than it does for the entry-level MacBook Air, which starts at $999. The colorful entry-level iPhone XR, which starts at $749, is the only new Apple phone to come in under the popular laptop's price. Meanwhile, cell carriers have cut subsidies as well.

In a letter Apple shared with investors Jan. 2, CEO Tim Cook pointed to an economic slowdown in China and the country's "rising trade tensions with the United States." He also said the company struggled to make enough products to sell to customers and that when it did, a stronger US dollar effectively raised prices overseas. Following up on a call Tuesday, Cook also blamed the lack of subsidies for amplifying the sticker shock of its phones.

Apple on Tuesday said it counted $84.3 billion in revenue, down more than 4 percent from a year earlier. That wasn't much of a surprise, considering the company issued a rare warning Jan. 2 that it would miss its forecasts by as much as $10 billion.

"While it was disappointing to miss our revenue guidance, we manage Apple for the long term, and this quarter's results demonstrate that the underlying strength of our business runs deep and wide," Cook said in a statement Tuesday. He added that Apple would continue to innovate, saying "we are not taking our foot off the gas."

Apple's shares, which had fallen more than 1 percent in regular trading Tuesday, rose more than 5 percent after the earnings release to $163.47 per share.

Apple's quarterly earnings were a strong reminder of just how important the iPhone is.

Apple saw growth in all its other product categories, like the Mac and wearables. But with the iPhone representing more than 60 percent of Apple's sales, those successes weren't enough to blunt the iPhone's troubles.