Tag Archive for: Slip

EU Tries To Slip In New Powers To Intercept Encrypted Web Traffic Without Anyone Noticing


from the QWACs-in-the-web dept

The EU is currently updating eIDAS (electronic IDentification, Authentication and trust Services), an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. That’s clearly a crucial piece of legislation in the digital age, and updating it is sensible given the fast pace of development in the sector. But it seems that something bad has happened in the process. Back in March 2022, a group of experts sent an open letter to MEPs [pdf] with the dramatic title “Global website security ecosystem at risk from EU Digital Identity framework’s new website authentication provisions”. It warned:

The Digital Identity framework includes provisions that are intended to increase the take-up of Qualified Website Authentication Certificates (QWACs), a specific EU form of website certificate that was created in the 2014 eIDAS regulation but which – owing to flaws with its technical implementation model – has not gained popularity in the web ecosystem. The Digital Identity framework mandates browsers accept QWACs issued by Trust Service Providers, regardless of the security characteristics of the certificates or the policies that govern their issuance. This legislative approach introduces significant weaknesses into the global multi-stakeholder ecosystem for securing web browsing, and will significantly increase the cybersecurity risks for users of the web.

The near-final text for eIDAS 2.0 has now been agreed by the EU’s negotiators, and it seems that it is even worse than the earlier draft. A new site from Mozilla called “Last Chance to fix eIDAS” explains how new legislative articles will require all Web browsers in Europe to trust the the certificate authorities and cryptographic keys selected by the government of EU Member States. Mozilla explains:

These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU. Any EU member state has the ability to designate cryptographic keys for distribution in web browsers and browsers are…

Source…

Hackers slip mysterious malware into 30K Apple Macs


Read Article

Security researchers have discovered a mysterious malware on nearly 30,000 Apple Macs and they have no idea what this is for and how is this virus going to infected the devices.

The malware named ‘Silver Sparrow’ comes with a mechanism to self-destruct itself, a capability that’s typically reserved for high-stealth operations.

“So far, though, there are no signs the self-destruct feature has been used, raising the question of why the mechanism exists,” Ars Technica first reported about the presence of malware citing security researchers.

The lack of a final payload suggests that the malware may spring into action anytime.

The malware has been found in 153 countries with heavy detection reported in the US, the UK, Canada, France and Germany.

Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple’s new M1 chips but lacks one very important feature: a payload.

“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat,” according to researchers from cyber security firm Red Canary.

The malware is uniquely positioned to deliver a potentially impactful payload at a moment’s notice.

Silver Sparrow comes in two versions — one with a binary in mach-object format compiled for Intel x86_64 processors and the other Mach-O binary for the M1.

Researchers have earlier warned that Apple’s transition from Intel to its own silicon M1 chip may make it easy for hackers to introduce malware.

“To me, the most notable [thing] is that it was found on almost 30K macOS endpoints… and these are only endpoints the MalwareBytes can see, so the number is likely way higher,” said Patrick Wardle, a macOS security expert.

–IANS

If you have an interesting article / experience / case study to share, please get in touch with us at [email protected]

Source…

Security News This Week: An Instagram Bug Let Celebrity Private Info Slip – WIRED


WIRED

Security News This Week: An Instagram Bug Let Celebrity Private Info Slip
WIRED
We also took an in-depth look at how the Android Security team helped fortify the recent Oreo release—and took big steps to help solve the operating system's ongoing fragmentation woes. Of course, there's more, which is why we've rounded up all the

and more »

android security – read more