Tor Project loses a third of staff in coronavirus cuts: Unlucky 13 out as nonprofit hacks back to core ops

Roundup This week in The Reg’s security roundup of the notable bits beyond what we’ve already covered, the Tor Project has cut back to its core team, Zoom has called in the big security guns, US tech advocacy groups are asking Congress for IT funding – and more.

First off, it has been a bad weekend for 13 staffers at the nonprofit Tor Project after they were let go as the team was reduced to core operations only.

“Like many other nonprofits and small businesses, the crisis has hit us hard, and we have had to make some difficult decisions,” it said in a statement.

“We had to let go of 13 great people who helped make Tor available to millions of people around the world. We will move forward with a core team of 22 people, and remain dedicated to continuing our work on Tor Browser and the Tor software ecosystem.”

Such drastic cuts are surprising, given Tor’s relatively small overheads and prominent backers, including US government agencies such as DARPA. Tor hasn’t released any more details at the moment.

Zoom calls in the big guns to fix security woes

After spending the last month or so as the clown atop the dunk tank in the IT security world, Zoom has called in some help with its bug bounty program.

Luta Security has been tapped to help the videoconferencing giant rebuild its bug bounty program so that future security lapses get reported, rewarded and fixed before they go public. This has actually been in the works for some time – Luta founder and CEO Katie Moussouris told The Register the project began months before the coronavirus outbreak.

This is not just an empty gesture, either. Luta boss Moussouris is something of a legend in the bug bounty space, having helped launch the programs at Microsoft and the US Department of Defense. She also does not do half-assed bounty programs, so you can bet there will be a well-trained team on Zoom’s end to triage the bug reports and get issues fixed.

Earlier in the month Zoom also recruited Alex Stamos, the former CSO of Yahoo! and Facebook, as well as noted security mavens Matthew Green, professor of Computer Science at the Johns Hopkins Information Security Institute, and Lea Kissner, the former head of privacy tech at Google.

Tech firms ask for infosec funding with next US stimulus package

A coalition of tech advocacy groups is asking the US Congress to earmark money for IT spending in the next coronavirus pandemic stimulus bill. Local, state and federal governments’ IT systems are in desperate need of modernization, they argue.

“The COVID19 pandemic exposes the need to redouble efforts to digitize federal forms and reduce reliance on hand-processing paperwork for high priority response and relief efforts,” the letter [PDF] reads.

“In addition, the rapid transition to remote telework during the pandemic has also created new challenges for many government agencies, including increased cybersecurity threats, an inability to leverage commercial capabilities (which reduces program effectiveness), and important continuity of government operations.”

Equifax settles with Massachusetts and Indiana

Two of the states that opted to go it alone in their suits over the Equifax data theft will be getting a combined $37.7m in settlement payouts.

The states of Massachusetts and Indiana separately announced this week that they had settled their claims for $18.2m and $19.5m, respectively.

Indiana says the settlement cash will be paid out to citizens as restitution, while Massachusetts says it plans to carve off a portion for consumer aid programs.

Taiwan’s chipmakers under attack from foreign hackers

Semiconductor manufacturers in Taiwan are being targeted by an organized foreign hacking operation aimed at lifting intellectual property.

Security company CyCraft says it was called in to investigate the matter, and soon concluded that what was going on was a sophisticated, highly organized APT operation that used, among other things, a particularly nasty “skeleton key” attack to move through the networks and get to sensitive documents. A skeleton key attack patches the authentication process (LSASS) on a domain controller in memory so that an attacker-chosen master password is accepted for any domain account alongside the account’s real one; it requires domain admin rights to plant, which makes it a persistence and lateral-movement tool rather than an initial foothold, and it does not survive a reboot of the controller.

“The main objective of these attacks was the exfiltration of intellectual property, such as documents on integrated circuits (IC), software development kits (SDKs), IC designs, source code, etc,” the company writes.

“The motive behind these attacks likely stems from competitors (or possibly even nation-states due to the advanced nature of the attacks) seeking to gain a competitive advantage.”
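One artefact the Mimikatz-style skeleton key leaves behind is a Kerberos encryption downgrade: a logon validated against the injected master password is processed with RC4-HMAC, so an account that normally obtains AES tickets suddenly produces a TGT request (Windows event 4768) with ticket encryption type 0x17. The following is an added example of that heuristic, written for this roundup; it is not CyCraft’s tooling and does not describe what CyCraft reported seeing. The event records are constructed for the example in a simplified key=value form rather than real EVTX/XML, and the account names, hosts and addresses are made up.

```python
"""Flag RC4 (0x17) Kerberos TGT requests from accounts whose earlier TGT
requests were all AES, the downgrade a Mimikatz-style skeleton key causes.

Added example, not CyCraft's code. Event lines are constructed and simplified
('k=v k=v'); a real deployment would read 4768 events from the security log.
"""
from collections import defaultdict

AES_ETYPES = {0x11, 0x12}   # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96
RC4_ETYPE = 0x17            # RC4-HMAC

# Constructed sample: jchen and mlin normally get AES tickets; svc_backup is a
# legacy account that has always used RC4 and must not be flagged.
SAMPLE_EVENTS = [
    "ts=2020-04-10T08:01:12 event_id=4768 dc=DC01 account=jchen client=10.1.2.33 etype=0x12",
    "ts=2020-04-10T08:15:40 event_id=4768 dc=DC01 account=jchen client=10.1.2.33 etype=0x12",
    "ts=2020-04-10T08:16:02 event_id=4769 dc=DC01 account=jchen client=10.1.2.33 etype=0x12",
    "ts=2020-04-10T09:02:55 event_id=4768 dc=DC01 account=svc_backup client=10.1.5.9 etype=0x17",
    "ts=2020-04-10T09:10:11 event_id=4768 dc=DC01 account=svc_backup client=10.1.5.9 etype=0x17",
    "ts=2020-04-10T23:41:07 event_id=4768 dc=DC01 account=jchen client=10.9.9.250 etype=0x17",
    "ts=2020-04-11T07:58:30 event_id=4768 dc=DC01 account=mlin client=10.1.2.40 etype=0x12",
    "ts=2020-04-11T07:59:01 event_id=4768 dc=DC01 account=mlin client=10.9.9.250 etype=0x17",
]


def parse_event(line):
    """Parse one constructed 'k=v' record into a dict; etype becomes an int."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["etype"] = int(fields["etype"], 16)
    return fields


def find_downgrades(lines, min_baseline=2):
    """Return (ts, account, client, dc) for each RC4 TGT request made by an
    account whose previous TGT requests (at least min_baseline of them) were
    all AES. The baseline is learned from the stream in order, so each account
    is flagged at its first downgrade; seed it from longer history in practice.
    """
    history = defaultdict(list)   # account -> etypes seen so far
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] != "4768":   # only TGT requests carry the signal
            continue
        seen = history[ev["account"]]
        if (ev["etype"] == RC4_ETYPE
                and len(seen) >= min_baseline
                and all(e in AES_ETYPES for e in seen)):
            hits.append((ev["ts"], ev["account"], ev["client"], ev["dc"]))
        seen.append(ev["etype"])
    return hits


if __name__ == "__main__":
    for ts, account, client, dc in find_downgrades(SAMPLE_EVENTS):
        print(f"{ts} {account} from {client} got an RC4 TGT from {dc} (AES baseline)")
```

RC4 TGT requests are routine in domains with legacy clients or service accounts, which is why the check keys on a per-account AES baseline rather than on RC4 alone; a hit is a lead to correlate with the source address and with LSASS process-injection telemetry on the domain controller, not proof on its own.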

Clearview exposes code in security lapse

A misconfigured Clearview AI database, containing among other things the company’s source code and secret keys, was left accessible to the general public.

Middle Eastern security shop SpiderSilk spotted the database, which did require a password. However, the firm claims, self-registration was left open, so anyone could sign up as a new user and get at the crown jewels of the company, including credentials for its online storage buckets. A login prompt is no protection when anyone on the internet can create an account behind it.

The exposure has since been closed, though the researchers and Clearview seem to be at odds over how the disclosure was handled.

Docker image security dissected

Akamai security research ace Larry Cashdollar (yes, that is his real name) delivered a sobering look at what sort of attacks will target your typical Docker image in a single day.

Cashdollar’s Docker image honeypot, left exposed for 24 hours, drew a stream of automated intrusion attempts and was infected with, among other things, a Mirai botnet payload and crypto-mining malware.

Crash stop on Windows security

A recent update to Windows Defender is said to be causing some problems, as users are reporting their security software is crashing while trying to perform scans.

The security software can be restarted manually and hopefully an update from Microsoft to fix the bug is already in the works.

Inside look at a Linux bug

Ever wonder what goes into a Linux kernel flaw? Trend Micro’s Zero Day Initiative (ZDI) has provided an inside look at CVE-2020-8835, a kernel privilege escalation flaw in the eBPF verifier.

Fortunately, there shouldn’t be much in the way of risk to users and admins, as the flaw was reported to the kernel developers and patched before the write-up went public. Admins who can’t patch straight away can remove the unprivileged attack surface by setting the kernel.unprivileged_bpf_disabled sysctl to 1, since the bug is only reachable by loading a BPF program. But it’s worth checking out how easy it is to subvert systems sometimes. ®
