China’s largest chipmaker is delisting from the Nasdaq

The U.S.-China trade war is increasingly influencing tech. Huawei has suffered a turbulent past week with key suppliers pausing work with the company, and now China’s largest chipmaker is planning to delist from the New York Stock Exchange.

Semiconductor Manufacturing International Corp (SMIC) announced in a filing published Friday that it plans to delist next month, ending a 15-year spell as a public company in the U.S. The firm will file a Form 25 to delist on June 3, which is likely to see it leave the NYSE around ten days later. SMIC, which is backed by the Chinese government and state-owned shareholders, will focus on its existing Hong Kong listing going forward, but there will be trading options for those holding U.S.-based ADRs.

In its announcement, SMIC said it plans to delist for reasons that include limited trading volumes and “significant administrative burden and costs” around the listing and compliance with reporting.

What it doesn’t say is that this is linked to the frosty relationship between the U.S. and China, and the company has already played down that rationale.

“SMIC has been considering this migration for a long time and it has nothing to do with the trade war and Huawei incident. The migration requires a long preparation and timing has coincided with the current trade rhetoric, which may lead to misconceptions,” a spokesperson told CNBC.

Still, it is impossible to ignore the current context. Huawei’s entry to a U.S. blacklist has paused its relationship with key suppliers including ARM, Qualcomm, Intel and Google, which supplies the Android OS for its phones, so SMIC’s decision to remove its financial links to the U.S. feeds into fears of a bifurcation of U.S. and Chinese tech, deliberate or not.

SMIC’s shares dropped 4 percent in Hong Kong on Friday. Trading of its U.S.-based ADRs crossed one million on Friday; that’s well above an average 90-day volume of nearly 150,000 per day.

The company is China’s largest chip firm, specializing in integrated circuit manufacturing with clients such as Qualcomm, Broadcom and Texas Instruments. SMIC made a profit of $746.7 million in 2018 on revenues of $3.36 billion. Its most recent Q1 results released earlier this month saw revenue fall 19 percent year-on-year.

There has always been tension around Chinese companies using U.S. public markets to go public, and not just from an American standpoint. Chinese companies are increasingly exploring other options, including Hong Kong, where Xiaomi went public last year, while a soon-to-launch ‘science and tech’ board in Shanghai is hotly touted as an alternative destination.

The board launches in pilot mode next month, but already Chinese bankers and tech companies have found it challenging to deliver on expectations, as a Reuters report earlier this year concluded.


Home alarm tech backdoored security cameras to spy on customers having sex


A home security technician has admitted he repeatedly broke into cameras he installed and viewed customers engaging in sex and other intimate acts.

Telesforo Aviles, a 35-year-old former employee of home and small office security company ADT, said that over a five-year period, he accessed the cameras of roughly 200 customer accounts on more than 9,600 occasions—all without the permission or knowledge of customers. He said he took note of homes with women he found attractive and then viewed their cameras for sexual gratification. He said he watched nude women and couples as they had sex.

Aviles made the admissions Thursday in US District Court for the District of Northern Texas, where he pleaded guilty to one count of computer fraud and one count of invasive visual recording. He faces a maximum of five years in prison.

Aviles told prosecutors that he routinely added his email address to the list of users authorized to access customers’ ADT Pulse accounts, which allow customers to remotely connect to the ADT home security system so they can turn on or off lights, arm or disarm alarms, and view feeds from security cameras. In some cases, he told customers that he had to add himself temporarily so he could test the system. Other times, he added himself without their knowledge.

More legal fallout

An ADT spokesman said the company brought the illegal conduct to the attention of prosecutors last April after learning Aviles gained unauthorized access to the accounts of 220 customers in the Dallas area. The security company then contacted each customer “to help make this right.” The company has already resolved disputes with some of the customers. ADT published this statement last April and has continued to update it.

“We are grateful to the Dallas FBI and the US Attorney’s Office for holding Telesforo Aviles responsible for a federal crime,” the company wrote in an update posted on Friday.

In the aftermath of the breach discovery, ADT has been hit by at least two proposed class-action lawsuits, one on behalf of ADT customers and the other on behalf of minors and others living inside the homes. A plaintiff in one of the suits was allegedly a teenager at the time that the breach occurred. ADT informed her family that the technician spied on her home almost 100 times, according to the lawsuit.

The suits alleged that ADT marketed its camera systems as a way for parents to use smartphones to check in on kids and pets. ADT, the plaintiffs said, failed to implement safeguards—including two-factor authentication or text alerts when new parties access the accounts—that could have alerted customers to the invasion. The breach was discovered when a customer noticed an unauthorized email among addresses that had permission to access the security system.


Chrome and Edge want to help with that password problem of yours


If you’re like lots of people, someone has probably nagged you to use a password manager and you still haven’t heeded the advice. Now, Chrome and Edge are coming to the rescue with beefed-up password management built directly into the browsers.

Microsoft on Thursday announced a new password generator for the recently released Edge 88. People can use the generator when signing up for a new account or when changing an existing password. The generator provides a drop-down in the password field. Clicking on the candidate selects it as a password and saves it to a password manager built into the browser. People can then have the password pushed to their other devices using the Edge password sync feature.

As I’ve explained for years, the same things that make passwords memorable and easy to use are the same things that make them easy for others to guess. Password generators are among the safest sources of strong passwords. Rather than having to think up a password that’s truly unique and hard to guess, users can instead have a generator do it properly.

“Microsoft Edge offers a built-in strong password generator that you can use when signing up for a new account or when changing an existing password,” members of Microsoft’s Edge team wrote. “Just look for the browser-suggested password drop down in the password field and when selected, it will automatically save to the browser and sync across devices for easy future use.”

Edge 88 is also rolling out a feature called the “password monitor.” As the name suggests, it monitors saved passwords to make sure none of them are included in lists compiled from website compromises or phishing attacks. When turned on, the password monitor will alert users when a password matches lists published online.

Checking passwords in a secure way is a difficult task. The browser needs to be able to check a password against a large, always-changing list without sending sensitive information to Microsoft or information that could be sniffed by someone monitoring the connection between the user and Microsoft.

In an accompanying post also published Thursday, Microsoft explained how that’s done:

Homomorphic encryption is a relatively new cryptographic primitive that allows computing on encrypted data without decrypting the data first. For example, suppose we are given two ciphertexts, one encrypting 5 and the other encrypting 7. Normally, it does not make sense to “add” these ciphertexts together. However, if these ciphertexts are encrypted using homomorphic encryption, then there is a public operation that “adds” these ciphertexts and returns an encryption of 12, the sum of 5 and 7.

First, the client communicates with the server to obtain a hash H of the credential, where H denotes a hash function that only the server knows. This is possible using a cryptographic primitive known as an Oblivious Pseudo-Random Function (OPRF). Since only the server knows the hash function H, the client is prevented from performing an efficient dictionary attack on the server, a type of brute force attack that uses a large combination of possibilities to determine a password. The client then uses homomorphic encryption to encrypt H(k) and send the resulting ciphertext Enc(H(k)) to the server. The server then evaluates a matching function on the encrypted credential, obtaining a result (True or False) encrypted under the same client key. The matching function operation looks like this: computeMatch(Enc(k), D). The server forwards the encrypted result to the client, who decrypts it and obtains the result.

In the above framework, the main challenge is to minimize the complexity of the computeMatch function to obtain good performance when this function is evaluated on encrypted data. We utilized many optimizations to achieve performance that scales to users’ needs.
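The flow Microsoft describes can be sketched end to end. The following is an added example, not code from Microsoft or from the original article: it swaps in a toy Paillier scheme (additively homomorphic only, with deliberately small fixed primes) for the homomorphic encryption and a plain truncated SHA-256 for the OPRF output H(k). The sample credentials and every function name other than the idea of computeMatch are assumptions made for illustration.

```python
import hashlib, math, secrets

# Toy Paillier key built from two Mersenne primes (far too small for real use).
P, Q = 2**89 - 1, 2**107 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # private
MU = pow(LAM, -1, N)                                # private

def enc(m):
    """Encrypt m mod N under the public key N (generator g = N + 1)."""
    r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):
    """Decrypt with the private values LAM and MU."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def add(c1, c2):
    """Public operation: the ciphertext product decrypts to the plaintext sum."""
    return c1 * c2 % N2

def h(credential):
    """Stand-in (assumption) for the OPRF output H(k): truncated SHA-256."""
    return int.from_bytes(hashlib.sha256(credential.encode()).digest()[:16], "big")

def compute_match(enc_h, breached_hashes):
    """Server side, never decrypts. For each breached hash d it returns
    Enc(r * (H(k) - d)) with a fresh random r: Enc(0) only on a match."""
    out = []
    for d in breached_hashes:
        diff = add(enc_h, enc(-d))              # Enc(H(k) - d)
        r = secrets.randbelow(N - 1) + 1
        out.append(pow(diff, r, N2))            # Enc(r * (H(k) - d))
    secrets.SystemRandom().shuffle(out)         # hide which entry matched
    return out

def client_check(credential, breached_hashes):
    """Client side: encrypt, send, decrypt the replies, look for a zero."""
    replies = compute_match(enc(h(credential)), breached_hashes)
    return any(dec(c) == 0 for c in replies)

# Constructed sample data: the server's list D of breached credential hashes.
D = [h(x) for x in ("alice@example.com:hunter2", "bob@example.com:letmein")]
```

Non-matching entries decrypt to random-looking values, so the client learns only whether its credential is in D, and the server sees only ciphertexts.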

Not to be outdone, members of the Google Chrome team this week unveiled password protections of their own. Chief among them is a fuller-featured password manager that’s built into the browser.

“Chrome can already prompt you to update your saved passwords when you log in to websites,” Chrome team members wrote. “However, you may want to update multiple usernames and passwords easily, in one convenient place. That’s why starting in Chrome 88, you can manage all of your passwords even faster and easier in Chrome Settings on desktop and iOS (Chrome’s Android app will be getting this feature soon, too).”

Chrome 88 is also making it easier to check if any saved passwords have wound up on password dumps. While password auditing came to Chrome last year, the feature can now be accessed using a security check similar to the one shown below:

[Screenshot of the Chrome security check. Credit: Google]

Many people are more comfortable using dedicated password managers because they offer more capabilities than those baked into their browser. Most dedicated managers, for instance, make it easy to use dice words in a secure way. With the line between browsers and password managers beginning to blur, it’s likely only a matter of time until browsers offer more advanced management capabilities.


Phishing scam had all the bells and whistles—except for one


Criminals behind a recent phishing scam had assembled all the important pieces. Malware that bypassed antivirus—check. An email template that got around Microsoft Office 365 Advanced Threat Protection—check. A supply of email accounts with strong reputations from which to send scam mails—check.

It was a recipe that allowed the scammers to steal more than 1,000 corporate employee credentials. There was just one problem: the scammers stashed their hard-won passwords on public servers where anyone—including search engines—could (and did) index them.

“Interestingly, due to a simple mistake in their attack chain, the attackers behind the phishing campaign exposed the credentials they had stolen to the public Internet, across dozens of drop-zone servers used by the attackers,” researchers from security firm Check Point wrote in a post published Thursday. “With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses: a gift to every opportunistic attacker.”

Check Point researchers found the haul as they investigated a phishing campaign that began in August. The scam arrived in emails that purported to come from Xerox or Xeros. The emails were sent by addresses that, prior to being hijacked, had high reputational scores that bypass many antispam and antiphishing defenses. Attached to the messages was a malicious HTML file that didn’t trigger any of the 60 most-used antimalware engines.

The email looked like this:

[Screenshot of the phishing email. Credit: Check Point]

Once clicked, the HTML file displayed a document that looked like this:

[Screenshot of the document displayed by the HTML file. Credit: Check Point]

When recipients were fooled and logged into a fake account, the scammers stored the credentials on dozens of WordPress websites that had been compromised and turned into so-called drop-zones. The arrangement made sense since the compromised sites were likely to have a higher reputational score than would be the case for sites owned by the attackers.

The attackers, however, failed to designate the sites as off-limits to Google and other search engines. As a result, Web searches were able to locate the data and lead security researchers to the cache of compromised credentials.

“We found that once the users’ information was sent to the drop-zone servers, the data was saved in a publicly visible file that was indexable by Google,” Thursday’s post from Check Point read. “This allowed anyone access to the stolen email address credentials with a simple Google search.”

Based on the analysis of roughly 500 of the compromised credentials, Check Point was able to compile the following breakdown of the industries targeted.

Simple Web searches show that some of the data stashed on the drop-zone servers remained searchable at the time this post was going live. Most of these passwords followed the same format, making it possible that the credentials didn’t belong to real-world accounts. Check Point’s discovery, however, is a reminder that, like so many other things on the Internet, stolen passwords are ripe for the picking.
