The commandant of the U.S. Marine Corps wants to reshape his force. The Marine Corps is considering bonuses and other benefits to persuade older, more experienced Marines to re-enlist, and to build cybersecurity capabilities alongside them. The measure marks a historic change that could transform a force composed primarily of high school graduates. “It’s going to be a little bit older, a little bit more experienced because as much as we love our young Marines, we need a little more age because it takes time to acquire these kinds of skills”, General Robert Neller told defense leaders at a conference in San Diego.
The 2018 defense budget earmarked money for the Marine Corps to add 1,000 Marines, many of whom will work in cyberwarfare and electronic warfare. Manipulating the networks that control air-defence operations, for example, could in future be as lethal as firepower, or more so. Extremists have also used mobile technology and social media to recruit members and raise money, which makes them a real threat.
The Marine Corps will open these jobs this October; the new occupational field is not exempt from the rigors of physical training. The Marine Corps is also developing plans to recruit and retain cyberspace professionals in the reserve, and in May it unveiled new badges for enlisted troops and officers who operate remotely piloted aircraft. “These measures are going to change the Marine Corps and the way we fight”, said Neller.
Apple just banned cryptocurrency mining on iOS devices
Apple has added new language to its App Store review guidelines related to cryptocurrency. Under the Hardware Compatibility section, Apple now states that “apps, including any third party advertisements displayed within them, may not run unrelated background processes, such as cryptocurrency mining”. As of late May, the only mentions of cryptocurrencies in the guidelines were that apps were allowed to facilitate such transactions “provided that they do so in compliance with all state and federal laws for the territories in which the app functions”. But Apple’s new policy seems to go beyond obviously abusive cases of surreptitious cryptocurrency mining. The guidelines ban any on-device mining—even if users deliberately download an app whose explicit purpose is to mine.
Microsoft reveals which bugs it won’t patch
Microsoft has put out initial clarification around which bugs it will rapidly patch, and which ones must wait for a new product release – and which ones it won’t address at all. In a draft document posted online on Tuesday, the software giant laid out the criteria that the Microsoft Security Response Center (MSRC) uses when deciding what to patch and when. There are two litmus tests that broadly guide these decisions, as the company explained in the document: “Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?”. And secondly, “does the severity of the vulnerability [as determined by Microsoft’s five-tier rating system] meet the bar for servicing?”. The “bar for servicing” in Microsoft parlance means that the flaw is rated Critical (i.e., allowing for remote code execution) or Important (privilege escalation, information disclosure, security bypasses and RCE), according to the document details. If the answer to both questions is yes, then the prescribed action is to issue a patch, either on Patch Tuesday or, in rare cases, in an out-of-band release. If the answer to either question is no, then the bug is relegated to back-burner status in most cases, with a fix coming in a subsequent release of the product or service.
News from the rest of the week
macOS still leaks secrets stored on encrypted drives
A macOS feature that caches thumbnail images of files (Quick Look) can leak highly sensitive data stored on password-protected drives and encrypted volumes. The automatically generated caches can be viewed only by someone who has physical access to a Mac or infects the Mac with malware, and the behavior has existed on Macs for almost a decade. Still, the caching is triggered with minimal user interaction (browsing a folder in Finder is enough) and leaves a persistent record of files even after the original file is deleted or the USB drive or encrypted volume that stored the data is disconnected from the Mac. The cache lives in the per-user cache directory under com.apple.QuickLook.thumbnailcache; `qlmanage -r cache` purges it, but nothing purges it automatically when a volume is ejected.
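The check a practitioner would want is whether the Quick Look index still references files on volumes that are no longer mounted. The script below is an added example, not code from the original article or from the researchers it reports on. It assumes the cache index is an SQLite database at `$(getconf DARWIN_USER_CACHE_DIR)com.apple.QuickLook.thumbnailcache/index.sqlite` with a `files` table whose `folder` and `file_name` columns hold the original path (verify with `sqlite3 index.sqlite .schema` on your own machine); the sample database it builds is constructed for the demonstration.

```python
"""List Quick Look thumbnail-cache entries whose source volume is gone.

Added example. Assumptions (verify on a real Mac):
  * index lives at <DARWIN_USER_CACHE_DIR>/com.apple.QuickLook.thumbnailcache/index.sqlite
  * table `files` has text columns `folder` and `file_name`
"""
import os
import sqlite3
import subprocess
import tempfile

CACHE_REL = "com.apple.QuickLook.thumbnailcache/index.sqlite"


def default_index_path():
    """Per-user cache dir on macOS, e.g. /var/folders/xx/.../C/ (assumed layout)."""
    cache_dir = subprocess.run(["getconf", "DARWIN_USER_CACHE_DIR"],
                               capture_output=True, text=True, check=True).stdout.strip()
    return os.path.join(cache_dir, CACHE_REL)


def cached_files(index_path):
    """Return (folder, file_name) for every file Quick Look has thumbnailed."""
    con = sqlite3.connect(f"file:{index_path}?mode=ro", uri=True)  # read-only: forensic copy stays intact
    try:
        return [tuple(row) for row in con.execute("SELECT folder, file_name FROM files ORDER BY rowid")]
    finally:
        con.close()


def orphaned_entries(index_path, mounted=None):
    """Entries under /Volumes/<name> where <name> is no longer mounted.

    Each hit is a thumbnail that outlived the drive or encrypted volume it came
    from, i.e. exactly the leak described above.
    """
    if mounted is None:
        mounted = set(os.listdir("/Volumes")) if os.path.isdir("/Volumes") else set()
    orphans = []
    for folder, name in cached_files(index_path):
        parts = folder.split("/")
        if len(parts) >= 3 and parts[1] == "Volumes" and parts[2] not in mounted:
            orphans.append(os.path.join(folder, name))
    return orphans


def build_sample_index(path):
    """Constructed sample index with the assumed schema (not real cache data)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE files (folder TEXT, file_name TEXT, fs_id TEXT, version BLOB)")
    con.executemany("INSERT INTO files (folder, file_name) VALUES (?, ?)", [
        ("/Users/alice/Documents", "notes.pdf"),            # boot volume: not a leak
        ("/Volumes/SECRET_USB/payroll", "salaries.xlsx"),    # ejected USB stick
        ("/Volumes/VAULT", "passwords.png"),                 # unmounted encrypted image
        ("/Volumes/Backup", "photo.jpg"),                    # still mounted
    ])
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    demo = build_sample_index(os.path.join(tempfile.mkdtemp(), "index.sqlite"))
    for entry in orphaned_entries(demo, mounted={"Backup"}):
        print("thumbnail outlives its volume:", entry)
```

On a live system call `orphaned_entries(default_index_path())` and let `mounted` default to the current contents of /Volumes; the thumbnail bitmaps themselves sit in the neighbouring `thumbnails.data` file, so a non-empty result means image data from the missing volume is still recoverable until `qlmanage -r cache` is run.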
Google to fix location data leak in Google Home, Chromecast
Google is expected to fix a location privacy leak in two of its most popular consumer products in the coming weeks. New research shows that web sites can run a simple script in the background that collects precise location data on people who have a Google Home or Chromecast device anywhere on their local network. “The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet”, the researcher told KrebsOnSecurity.
Android gets new anti-spoofing feature to make biometric authentication secure
Currently, the Android biometric authentication system is measured with two metrics borrowed from machine learning (ML): False Accept Rate (FAR), the fraction of non-matching samples that are wrongly accepted, and False Reject Rate (FRR), the fraction of the genuine user’s samples that are wrongly rejected. Neither assumes an adversary. In Android 8.1, Google introduced two new metrics that explicitly account for an attacker in the threat model: Spoof Accept Rate (SAR) and Impostor Accept Rate (IAR). As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme. Spoofing refers to the use of a known-good recording (e.g. replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means successfully mimicking another user’s biometric (e.g. trying to sound or look like the target user).
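The point of separating the four rates is that a scheme can look excellent on FAR and still be trivially spoofable, because FAR is measured against random non-matching samples rather than against a deliberate attack. The following added example (not Google’s code or test methodology) computes FAR, FRR, SAR and IAR from a set of labelled trials and applies a ceiling to the attacker-facing rates; the trial counts are constructed, and the 7% SAR/IAR cutoff is the figure the Android 8.1 CDD used for a strong biometric, included here as a parameter you should check against the current CDD rather than as a fixed fact.

```python
"""FAR/FRR versus SAR/IAR on constructed biometric trial outcomes (added example)."""
from dataclasses import dataclass

# Trial kinds: who presented the sample and whether the system accepted it.
GENUINE = "genuine"          # enrolled user, honest presentation
ZERO_EFFORT = "zero_effort"  # random other person, no attack intent (drives FAR)
SPOOF = "spoof"              # replayed recording / photo of the enrolled user
IMPOSTOR = "impostor"        # another person actively mimicking the user


@dataclass(frozen=True)
class Trial:
    kind: str
    accepted: bool


def _rate(trials, kind, accepted):
    """Fraction of trials of `kind` whose outcome equals `accepted`; None if untested."""
    subset = [t for t in trials if t.kind == kind]
    if not subset:
        return None
    return sum(1 for t in subset if t.accepted == accepted) / len(subset)


def biometric_metrics(trials):
    return {
        "FRR": _rate(trials, GENUINE, False),     # genuine user locked out
        "FAR": _rate(trials, ZERO_EFFORT, True),  # random stranger let in
        "SAR": _rate(trials, SPOOF, True),        # replay of the user let in
        "IAR": _rate(trials, IMPOSTOR, True),     # mimic let in
    }


def meets_attack_bar(metrics, sar_max=0.07, iar_max=0.07):
    """Attacker-facing check. Untested SAR/IAR counts as a failure: a scheme that
    was never subjected to spoof or impostor trials has no claim to be strong.
    Thresholds are parameters; 0.07 mirrors the Android 8.1 CDD figure (verify)."""
    sar, iar = metrics["SAR"], metrics["IAR"]
    if sar is None or iar is None:
        return False
    return sar <= sar_max and iar <= iar_max


def make_trials(n, kind, accepted_count):
    """Constructed trial set: `accepted_count` of `n` trials of `kind` were accepted."""
    return [Trial(kind, i < accepted_count) for i in range(n)]


def sample_trials():
    """Constructed data: FAR is zero, yet 6 of 50 photo replays get in."""
    return (make_trials(200, GENUINE, 194)      # FRR = 6/200
            + make_trials(1000, ZERO_EFFORT, 0)  # FAR = 0
            + make_trials(50, SPOOF, 6)          # SAR = 0.12
            + make_trials(40, IMPOSTOR, 1))      # IAR = 0.025


if __name__ == "__main__":
    m = biometric_metrics(sample_trials())
    print(m)
    print("passes attack bar:", meets_attack_bar(m))
```

Run against the constructed set, FAR is 0 and FRR a comfortable 3%, so the ML-style metrics alone would rate the scheme highly; SAR of 12% fails the bar, which is exactly the failure mode the new metrics exist to surface.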
North Korea’s new trojan is called Typeframe
Google developer discovers a critical bug in modern web browsers
Magento credit card stealer Reinfector allows reinfect sites with malicious code
Hackers steal $31 million from South Korean cryptocurrency exchange Bithumb