Why Tim Cook is right to call court-ordered iPhone hack a “backdoor”

Custom version of iOS could undo years of work Apple put into securing iPhones.

Tuesday's court order compelling Apple to hack the iPhone belonging to a gunman who killed 14 people and injured 22 others has ignited an acrimonious debate. CEO Tim Cook called the order "chilling" because, he said, it requires company engineers to create the equivalent of a backdoor that could be used against any iPhone. Law enforcement officials, meanwhile, contend the order is narrowly tailored to ensure only the shooter's phone is covered.

Here's why the totality of what we know right now leans in favor of Cook and his slippery slope argument.

The order requires Apple to create a customized version of iOS that will run only on the iPhone 5C belonging to Syed Rizwan Farook. Along with his wife, Tashfeen Malik, Farook went on a deadly shooting rampage in San Bernardino. The FBI understandably wants access to the data stored on Farook's phone so investigators have a better idea of the events leading up to the deadly attack and whether the husband-and-wife team received support from unknown people. But so far investigators have been unable to unlock the device. Security measures Apple built into the iPhone limit the number of guesses they can make, and there's also concern that too many guesses could cause the phone to automatically destroy the data it stores.


Massive US-planned cyberattack against Iran went well beyond Stuxnet

“Nitro Zeus” reportedly targeted Iran’s air defenses, communications, and power grid.


The Stuxnet computer worm that destroyed centrifuges inside Iran's Natanz uranium enrichment site was only one element of a much larger US-prepared cyberattack plan that targeted Iran's air defenses, communications systems, and key parts of its power grid, according to articles published Tuesday.

The contingency plan, known internally as Nitro Zeus, was intended to be carried out in the event that diplomatic efforts to curb Iran's nuclear development program failed and the US was pulled into a war between Iran and Israel, according to an article published by The New York Times. At its height, planning for the program involved thousands of US military and intelligence personnel, tens of millions of dollars in expenditures, and the placing of electronic implants in Iranian computer networks to ensure the operation targeting critical infrastructure would work at a moment's notice.

Another piece of the plan involved using a computer worm to destroy computer systems at the Fordo nuclear enrichment site, which was built deep inside a mountain near the Iranian city of Qom. It had long been considered one of the hardest Iranian targets to disable and was intended to be a follow-up to "Olympic Games," the code name of the plan Stuxnet fell under.


Extremely severe bug leaves dizzying number of software and devices vulnerable

Since 2008, vulnerability has left apps and hardware open to remote hijacking.


Researchers have discovered a potentially catastrophic flaw in one of the Internet's core building blocks that leaves hundreds or thousands of apps and hardware devices vulnerable to attacks that can take complete control over them.

The vulnerability was introduced in 2008 in GNU C Library, a collection of open source code that powers thousands of standalone applications and most distributions of Linux, including those distributed with routers and other types of hardware. A function known as getaddrinfo() that performs domain-name lookups contains a buffer overflow bug that allows attackers to remotely execute malicious code. It can be exploited when vulnerable devices or apps make queries to attacker-controlled domain names or domain name servers or when they're exposed to man-in-the-middle attacks where the adversary has the ability to monitor and manipulate data passing between a vulnerable device and the open Internet.

Maintainers of glibc, as the open source library is called, released an update that patches the vulnerability. Anyone responsible for Linux-based software or hardware that performs domain name lookups should install it as soon as possible. For many people running servers, patching will be a simple matter of downloading the update and installing it. But for other types of users, a fix may not be so easy. Some apps that were compiled with a vulnerable version of glibc will have to be recompiled with an updated version of the library, a process that will take time as users wait for fixes to become available from hardware manufacturers and app developers.


Password cracking attacks on Bitcoin wallets net $103,000

“Active attacker community” often emptied accounts minutes after they went live.


Hackers have siphoned about $103,000 out of Bitcoin accounts that were protected with an alternative security measure, according to research that tracked six years' worth of transactions. Account-holders used easy-to-remember passwords to protect their accounts instead of the long cryptographic keys normally required.

The heists were carried out against almost 900 accounts where the owners used passwords to generate the private encryption keys required to withdraw funds. In many cases, the vulnerable accounts were drained within minutes or seconds of going live. The electronic wallets were popularly known as "brain wallets" because, the thinking went, Bitcoin funds were stored in users' minds through memorization of a password rather than a 64-character private key that had to be written on paper or stored digitally. For years, brain wallets were promoted as a safer and more user-friendly way to secure Bitcoins and other digital currencies, although Gregory Maxwell, Gavin Andresen and many other Bitcoin experts had long warned that they were a bad idea.

The security concerns were finally proven once and for all last August when Ryan Castellucci, a researcher with security firm White Ops, presented research at the Defcon hacker convention that showed how easy it was to attack brain wallets at scale. Brain wallets used no cryptographic salt and passed plaintext passwords through a single hash iteration (in this case, the SHA256 function), a shortcoming that made it possible for attackers to crack large numbers of brain wallet passwords at once. Worse, a form of the insecurely hashed passwords is stored in the Bitcoin blockchain, providing all the material needed to compromise the accounts.
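The following is an added example, not code from the article or from the researcher it cites. It reproduces the derivation the article describes (a single unsalted SHA256 pass used directly as the private key), places a salted, iterated derivation beside it for contrast, and includes a wordlist audit that shows why the unsalted form is crackable at scale: one hash per candidate identifies every account that used that passphrase. The passphrases, the salt and the iteration count are constructed values for illustration; in a real wallet the public artifact would be the address derived from the key rather than the key itself, which this example compares directly for simplicity.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample wordlist for the audit (not from the article).
SAMPLE_WORDLIST = ["correct horse battery staple", "password", "bitcoin", "letmein"]


def brain_wallet_key(passphrase: str) -> bytes:
    """The weak scheme the article describes: no salt, one SHA256 iteration.

    The 32-byte digest is used directly as the private key, so two users who
    pick the same passphrase end up with the same key.
    """
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def hardened_key(passphrase: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Contrast: salted, iterated derivation (PBKDF2-HMAC-SHA256).

    The salt is a per-wallet random value that must be stored with the wallet;
    it prevents one guess from testing every wallet at once, and the iteration
    count raises the cost of each guess. Parameters are illustrative.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def audit_weak_key(key: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Defender-side check: is this unsalted key derived from a wordlist entry?

    Because the weak scheme has no salt, the same candidate hashes test every
    wallet built from that passphrase. Returns the matching passphrase or None.
    """
    for candidate in candidates:
        if hmac.compare_digest(brain_wallet_key(candidate), key):
            return candidate
    return None


def same_passphrase_collides() -> bool:
    """Two independent users choosing the same passphrase get identical weak keys,
    while the salted scheme gives them different keys."""
    weak_a = brain_wallet_key("bitcoin")
    weak_b = brain_wallet_key("bitcoin")
    strong_a = hardened_key("bitcoin", os.urandom(16))
    strong_b = hardened_key("bitcoin", os.urandom(16))
    return weak_a == weak_b and strong_a != strong_b


if __name__ == "__main__":
    wallet_key = brain_wallet_key("bitcoin")
    print("weak key recovered from wordlist:", audit_weak_key(wallet_key, SAMPLE_WORDLIST))
    print("unsalted keys collide, salted keys differ:", same_passphrase_collides())
```

The audit function runs at one SHA256 per candidate with no per-wallet work, which is exactly the property that let the attackers the article describes sweep almost 900 accounts; the salted derivation forces that work to be redone for every wallet and makes each attempt far more expensive.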


Warning: Bug in Adobe Creative Cloud deletes Mac user data without warning

Adobe has stopped distribution of an update believed to be triggering the deletions.


Adobe Systems has stopped distributing a recently issued update to its Creative Cloud graphics service amid reports a Mac version can delete important user data without warning or permission.

The deletions happen whenever Mac users log in to the Adobe service after the update has been installed, according to officials from Backblaze, a data backup service whose users are being disproportionately inconvenienced by the bug. Upon sign-in, a script activated by Creative Cloud deletes the contents of the alphabetically first folder in a Mac's root directory. Backblaze users are being hit especially hard because the backup service relies on data stored in a hidden root folder called .bzvol. Because that folder is the alphabetically top-most hidden folder at the root of so many users' drives, Backblaze users are affected more than users of many other software packages.

"This caused a lot of our customers to freak out," Backblaze Marketing Manager Yev Pusin wrote in an e-mail. "The reason we saw a huge uptick from our customers is because Backblaze's .bzvol is higher up the alphabet. We tested it again by creating a hidden file with an '.a' name, and the files inside were removed as well."


New report contends mandatory crypto backdoors would be futile

With two-thirds of crypto developed abroad, crooks have plenty of non-US alternatives.

An estimated 63 percent of the encryption products available today are developed outside US borders, according to a new report that takes a firm stance against the kinds of mandated backdoors some federal officials have contended are crucial to ensuring national security.

The report, prepared by security researchers Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar, identified 865 hardware or software products from 55 countries that incorporate encryption. Of them, 546 originated from outside the US. The most common non-US country was Germany, a country that has publicly disavowed the kinds of backdoors advocated by FBI Director James Comey and other US officials. Although the Obama administration is no longer asking Congress for legislation requiring them, it continues to lobby private industry to include ways law-enforcement agencies can decrypt encrypted data sent or stored by criminal or terrorism suspects.

The authors said that they found no reason to believe the quality of encryption products developed abroad is any better or worse than that of their counterparts in the US or in the UK or France, whose officials have also hinted they favor encryption backdoors. The conclusion of their survey—which the researchers said represents the lower bound of the number of encryption products available worldwide—was that criminals or terrorists who are savvy enough to use encryption would also be smart enough to choose a product that isn't subject to mandatory backdoor laws. The result, the authors argued, is that US competitiveness would be harmed with little benefit to national security.


IRS website attack nets e-filing credentials for 101,000 taxpayers

Breach comes a year after a previous hack compromised 300,000 people.

The US Internal Revenue Service was the target of a malware attack that netted electronic tax-return credentials for 101,000 social security numbers, the agency disclosed Tuesday.

Identity thieves made the haul by using taxpayers' personal data that was stolen from a source outside the IRS, according to a statement. The attackers then used an automated bot against an application on the IRS website that provides personal identification numbers for the electronic filing of tax returns. In all, the hackers made unauthorized queries against 464,000 social security numbers but succeeded against only 101,000 of them.

No personal information was obtained from the IRS systems. Agency officials are flagging the accounts of all affected taxpayers and plan to notify them by mail of the incident. The IRS is also working with other government agencies and industry partners to investigate the hack and stem its effects. The hack occurred last month.


“Huge” number of Mac apps vulnerable to hijacking, and a fix is elusive

Apps that use 3rd-party updater over insecure HTTP channels subject to MiTM attacks.


Camtasia, uTorrent, and a large number of other Mac apps are susceptible to man-in-the-middle attacks that install malicious code, thanks to a vulnerability in Sparkle, the third-party software framework the apps use to receive updates.

The vulnerability is the result of apps that use a vulnerable version of Sparkle along with an unencrypted HTTP channel to receive data from update servers. It stems from functions built into the WebKit rendering engine that allow JavaScript execution. As a result, attackers with the ability to manipulate the traffic passing between the end user and the server—say, an adversary on the same Wi-Fi network—can inject malicious code into the communication. A security engineer who goes by the name Radek said that the attack is viable on both the current El Capitan Mac platform and its predecessor, Yosemite.

Here's a video showing a proof-of-concept attack performed against a vulnerable version of the Sequel Pro app:


Clever bank hack allowed crooks to make unlimited ATM withdrawals

Banking malware is using techniques once reserved for state-sponsored hacking gangs.


To appreciate how malware targeting banks and other financial institutions is adopting sophisticated techniques once reserved for state-sponsored spies using so-called advanced persistent threats, consider the recently discovered Metel crimeware package.

It contains more than 30 separate modules that can be tailored to the computer it's infecting. One of the most powerful components automatically rolls back ATM transactions shortly after they're made. As a result, people with payment cards from a compromised bank can withdraw nearly unlimited sums of money from ATMs belonging to another bank. Because the Metel module repeatedly resets card balances, the criminals never pass the threshold that would normally freeze the card. Last year, the rollback scheme caused an unnamed bank in Russia to lose millions of rubles in a single night.

Metel usually gains an initial foothold by exploiting vulnerabilities in browsers or through spear-phishing e-mails that trick employees into executing malicious files. Members of the Metel hacking gang then use legitimate tools employed by server administrators and security researchers to compromise other PCs in an attempt to burrow further into the targeted network. They will often patiently work this way until they gain control over a system with access to money transactions, for example, PCs used by call center operators or IT support.


Dridex malware exploit distributes antivirus installer—hack suspected

Cause is still unknown, but the chief theory is it’s the work of a whitehat hacker.

It sounds like a scene from an absurdist play or a companion to the old tale of dogs and cats living together in harmony, but it has now been confirmed. Servers distributing the notorious Dridex banking trojan were instead circulating clean copies of the freely available Avira antivirus program.

Avira researchers still don't know how the mixup happened, but their chief theory is that a whitehat hacker compromised some of the Dridex distribution channels and replaced the normal malicious executables with a digitally signed Avira installer. As a result, when targets opened attachments contained in spam e-mails sent by Dridex servers, the would-be marks were instead prompted to run a program designed to protect computers from the very likes of the Dridex threat.

"We still don't know exactly who is doing this with our installer and why—but we have some theories," a blog post published Friday quoted Avira malware expert Moritz Kroll saying. "This is certainly not something we are doing ourselves."
