Feed aggregator

Security Researchers Find Several Bugs In Nest Security Cameras

Slashdot security articles - Thu, 08/22/2019 - 16:10
An anonymous reader quotes a report from Motherboard: Hackers could have logged into your Nest Cam IQ Indoor and watched whatever was happening in your home by taking advantage of a vulnerability found by security researchers. The hackers could have also prevented you from using the camera, or used access to it to break into your home network. Researchers Lilith Wyatt and Claudio Bozzato of Cisco Talos discovered the vulnerabilities and disclosed them publicly on August 19. The two found eight vulnerabilities that are based in the Nest implementation of the Weave protocol. The Weave protocol is designed specifically for communications among Internet of Things or IoT devices. Nest has provided a firmware update that the company says will fix the vulnerabilities. The vulnerabilities apply to version 4620002 of the Nest Cam IQ indoor device. You can check the version of your camera on the Nest app. Nest says that the updates will happen automatically if your camera is connected to the internet. "We've fixed the disclosed bugs and started rolling them out to all Nest Camera IQs," Google said in a statement to ZDNet. "The devices will update automatically so there's no action required from users."

Valve Says Turning Away Researcher Reporting Steam Vulnerability Was a Mistake

Slashdot security articles - Thu, 08/22/2019 - 14:15
An anonymous reader quotes a report from Ars Technica: In an attempt to quell a controversy that has raised the ire of white-hat hackers, the maker of the Steam online game platform said on Thursday it made a mistake when it turned away a researcher who recently reported two separate vulnerabilities. In its statement, Valve Corporation references HackerOne, the reporting service that helps thousands of companies receive and respond to vulnerabilities in their software or hardware. Valve's new HackerOne program rules specifically provide that "any case that allows malware or compromised software to perform a privilege escalation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope. Any unauthorized modification of the privileged Steam Client Service is also in scope." The statement and the policy change from Valve came two days after security researcher Vasily Kravets, an independent researcher from Moscow, received an email telling him that Valve's security team would no longer receive his vulnerability reports through the HackerOne bug-reporting service. Valve turned Kravets away after he reported a Steam vulnerability that allowed hackers who already had a toe-hold on a vulnerable computer to burrow into privileged parts of an operating system. Valve initially told Kravets such vulnerabilities were out of scope and gave no indication that the one Vasily reported would be fixed. The company later publicly denied that the issue was a vulnerability by incorrectly claiming that the exploit required hackers to have physical access to a vulnerable computer. The company went so far as to dispute the vulnerability in the advisory issued by the National Institute of Standards and Technology.

VMware Buys Carbon Black and Pivotal, Valued Together at $4.8 billion

Slashdot security articles - Thu, 08/22/2019 - 12:54
Software company VMware on Thursday said it's acquiring Carbon Black at an enterprise value of $2.1 billion and Pivotal at an enterprise value of $2.7 billion. The deals are expected to close by the end of January 2020. From a report: These are VMware's largest acquisitions yet. The deals build on VMware's strength helping companies run their software in their own data centers. They could help VMware compete better in the security market and hybrid-cloud infrastructure operations. VMware isn't talking about cost synergies that could come out of buying two other enterprise-focused companies. However, CEO Pat Gelsinger told CNBC the companies will be operating profitably under VMware next year. Gelsinger said that by year two, Carbon Black and Pivotal will have contributed more than $1 billion in revenue incrementally, which will mean VMware will have more than $3 billion in hybrid cloud and software-as-a-service revenue. Carbon Black was founded in 2002 and debuted on the Nasdaq under the symbol "CBLK" in May 2018. The company provides anti-malware and endpoint protection products that can see into many of a company's devices and tell if they have been hacked. [...] Pivotal and VMware go way back: The company was created from assets spun out of VMware and Dell (VMware's controlling owner) in 2013. Its products help companies build and deploy their software across different server infrastructure, including public clouds. Competitors include IBM, Oracle and SAP, among others, as well as cloud providers such as Amazon and Microsoft. Pivotal's customers include Boeing, Citi, Ford and Home Depot, according to its website.

Google Chrome Proposes 'Privacy Sandbox' To Reform Advertising Evils

Slashdot security articles - Thu, 08/22/2019 - 06:44
Google's Chrome team proposed a "privacy sandbox" Thursday that's designed to give us the best of both worlds: ads that publishers can target toward our interests but that don't infringe our privacy. From a report: It's a major development in an area where Chrome, the dominant browser, has lagged competitors. Browsers already include security sandboxes, restrictions designed to confine malware to limit its possible damage. Google's proposed privacy sandbox would similarly restrict tracking technology, according to proposal details Google published. The privacy sandbox is "a secure environment for personalization that also protects user privacy," said Justin Schuh, a director of Chrome Engineering focused on security matters, in a privacy sandbox blog post. "Our goal is to create a set of standards that is more consistent with users' expectations of privacy." For example, Chrome would restrict some private data to the browser -- an approach rival Brave Software has taken with its privacy-focused rival web browser. And it could restrict sharing personal data until it's shared across a large group of people using technologies called differential privacy and federated learning.

Backdoor Code Found In 11 Ruby Libraries

Slashdot security articles - Wed, 08/21/2019 - 23:00
Maintainers of the RubyGems package repository have yanked 18 malicious versions of 11 Ruby libraries that contained a backdoor mechanism and were caught inserting code that launched hidden cryptocurrency mining operations inside other people's Ruby projects. ZDNet reports: The malicious code was first discovered yesterday inside four versions of rest-client, an extremely popular Ruby library. According to an analysis by Jan Dintel, a Dutch Ruby developer, the malicious code found in rest-client would collect and send the URL and environment variables of a compromised system to a remote server in Ukraine. "Depending on your set-up this can include credentials of services that you use e.g. database, payment service provider," Dintel said. The code also contained a backdoor mechanism that allowed the attacker to send a cookie file back to a compromised project, and allow the attacker to execute malicious commands. A subsequent investigation by the RubyGems staff discovered that this mechanism was being abused to insert cryptocurrency mining code. RubyGems staff also uncovered similar code in 10 other projects. All the libraries, except rest-client, were created by taking another fully functional library, adding the malicious code, and then re-uploading it on RubyGems under a new name. All in all, the 18 malicious library versions only managed to amass 3,584 downloads before being removed from RubyGems.

Moscow's Blockchain Voting System Cracked a Month Before Election

Slashdot security articles - Wed, 08/21/2019 - 14:10
An anonymous reader quotes a report from ZDNet: A French security researcher has found a critical vulnerability in the blockchain-based voting system Russian officials plan to use next month for the 2019 Moscow City Duma election. Pierrick Gaudry, an academic at Lorraine University and a researcher for INRIA, the French research institute for digital sciences, found that he could compute the voting system's private keys based on its public keys. These private keys are used together with the public keys to encrypt user votes cast in the election. Gaudry blamed the issue on Russian officials using a variant of the ElGamal encryption scheme that used encryption key sizes that were too small to be secure. This meant that modern computers could break the encryption scheme within minutes. What an attacker can do with these encryption keys is currently unknown, since the voting system's protocols weren't yet available in English, so Gaudry couldn't investigate further. "Without having read the protocol, it is hard to tell precisely the consequences, because, although we believe that this weak encryption scheme is used to encrypt the ballots, it is unclear how easy it is for an attacker to have the correspondence between the ballots and the voters," the French researcher said. "In the worst case scenario, the votes of all the voters using this system would be revealed to anyone as soon as they cast their vote." The Moscow Department of Information Technology promised to fix the reported issue. "We absolutely agree that 256x3 private key length is not secure enough," a spokesperson said in an online response. "This implementation was used only in a trial period. In few days the key's length will be changed to 1024." However, a public key of a length of 1024 bits may not be enough, according to Gaudry, who believes officials should use one of at least 2048 bits instead.

Intel, Google, Microsoft, and Others Launch Confidential Computing Consortium for Data Security

Slashdot security articles - Wed, 08/21/2019 - 12:50
Major tech companies including Alibaba, Arm, Baidu, IBM, Intel, Google Cloud, Microsoft, and Red Hat today announced intent to form the Confidential Computing Consortium to improve security for data in use. From a report: Established by the Linux Foundation, the organization plans to bring together hardware vendors, developers, open source experts, and others to promote the use of confidential computing, advance common open source standards, and better protect data. "Confidential computing focuses on securing data in use. Current approaches to securing data often address data at rest (storage) and in transit (network), but encrypting data in use is possibly the most challenging step to providing a fully encrypted lifecycle for sensitive data," the Linux Foundation said today in a joint statement. "Confidential computing will enable encrypted data to be processed in memory without exposing it to the rest of the system and reduce exposure for sensitive data and provide greater control and transparency for users." The consortium also said the group was formed because confidential computing will become more important as more enterprise organizations move between different compute environments like the public cloud, on-premises servers, or the edge. To get things started, companies made a series of open source project contributions including Intel Software Guard Extension (SGX), an SDK for code protection at the hardware layer.

Researcher Publishes Second Steam Zero Day After Getting Banned on Valve's Bug Bounty Program

Slashdot security articles - Wed, 08/21/2019 - 11:30
A Russian security researcher has published details about a zero-day in the Steam gaming client. This is the second Steam zero-day the researcher has made public in the past two weeks. From a report: However, while the security researcher reported the first one to Valve and tried to have it fixed before public disclosure, he said he couldn't do the same with the second because the company banned him from submitting further bug reports via its public bug bounty program on the HackerOne platform. The entire chain of events behind the public disclosure of these two zero-days has caused quite a drama and discussions in the infosec community. All the negative comments have been aimed at Valve and the HackerOne staff, with both being accused of unprofessional behavior. Security researchers and regular Steam users alike are mad because Valve refused to acknowledge the reported issue as a security flaw, and declined to patch it.

MoviePass Exposed Thousands of Unencrypted Customer Card Numbers

Slashdot security articles - Wed, 08/21/2019 - 10:10
New submitter sizzlinkitty writes: Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password. Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found an exposed database on one of the company's many subdomains. The database was massive, containing 161 million records at the time of writing and growing in real time. Many of the records were normal computer-generated logging messages used to ensure the running of the service -- but many also included sensitive user information, such as MoviePass customer card numbers. These MoviePass customer cards are like normal debit cards: they're issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies.

The First Lightning Security Key For iPhones Is Here, and It Works With USB-C, Too

Slashdot security articles - Wed, 08/21/2019 - 02:00
Yubico is releasing the $70 YubiKey 5Ci, the first security key that can plug into your iPhone's Lightning port or a USB-C port, and it's compatible with popular password vaults LastPass and 1Password out of the box. The Verge reports: That means you may not have to remember your password for your bank ever again -- just plug the YubiKey into your iPhone, use it to log into the 1Password app, and get that bank password. At launch, it'll support these well-known password managers and single sign-on tools: 1Password, Bitwarden, Dashlane, Idaptive, LastPass, and Okta. And when using the Brave browser for iOS, the YubiKey 5Ci can be used as an easier way to log into Twitter, GitHub, 1Password's web app, and a couple of other services. Notably, the 5Ci doesn't work with the newest iPad Pros at all, despite having a USB-C connector that fits. And you can't just plug the Lightning side of the 5Ci into an iPhone and expect it to work with any service that supports the FIDO authentication protocol -- our passwordless future isn't here just yet. Yubico tells The Verge that services have to individually add support for the Lightning connector on the 5Ci into their apps.

WebKit Introduces New Tracking Prevention Policy

Slashdot security articles - Tue, 08/20/2019 - 07:30
AmiMoJo writes: WebKit, the open source HTML engine used by Apple's Safari browser and a number of others, has created a new policy on tracking prevention. The short version is that many forms of tracking will now be treated the same way as security flaws, being blocked or mitigated with no exceptions. While on-site tracking will still be allowed (and is practically impossible to prevent anyway), all forms of cross-site tracking and covert tracking will be actively and aggressively blocked.

Hacker Releases First Public Jailbreak for Up-to-Date iPhones in Years

Slashdot security articles - Mon, 08/19/2019 - 11:21
Apple has mistakenly made it a bit easier to hack iPhone users who are on the latest version of its mobile operating system iOS by unpatching a vulnerability it had already fixed. From a report: Hackers quickly jumped on this over the weekend, and publicly released a jailbreak for current, up-to-date iPhones -- the first free public jailbreak for a fully updated iPhone that's been released in years. Security researchers found this weekend that iOS 12.4, the latest version released in June, reintroduced a bug found by a Google hacker that was fixed in iOS 12.3. That means it's currently relatively easy to not only jailbreak up to date iPhones, but also hack iPhone users, according to people who have studied the issue. "Due to 12.4 being the latest version of iOS currently available and the only one which Apple allows upgrading to, for the next couple of days (till 12.4.1 comes out), all devices of this version (or any 11.x and 12.x below 12.3) are jail breakable -- which means they are also vulnerable to what is effectively a 100+ day exploit," said Jonathan Levin, a security researcher and trainer who specializes in iOS, referring to the fact that this vulnerability can be exploited with code that was found more than 100 days ago. Pwn20wnd, a security researcher who develops iPhone jailbreaks, published a jailbreak for iOS 12.4 on Monday.

Degrading Tor Network Performance Only Costs a Few Thousand Dollars Per Month

Slashdot security articles - Mon, 08/19/2019 - 07:21
Threat actors or nation-states looking into degrading the performance of the Tor anonymity network can do it on the cheap, for only a few thousand US dollars per month, new academic research has revealed. An anonymous reader writes: According to researchers from Georgetown University and the US Naval Research Laboratory, threat actors can use tools as banal as public DDoS stressers (booters) to slow down Tor network download speeds or hinder access to Tor's censorship circumvention capabilities. Academics said that while an attack against the entire Tor network would require immense DDoS resources (512.73 Gbit/s) and would cost around $7.2 million per month, there are far simpler and more targeted means for degrading Tor performance for all users. In research presented this week at the USENIX security conference, the research team showed the feasibility and effects of three types of carefully targeted "bandwidth DoS [denial of service] attacks" that can wreak havoc on Tor and its users. Researchers argue that while these attacks don't shut down or clog the Tor network entirely, they can be used to dissuade or drive users away from Tor due to prolonged poor performance, which can be an effective strategy in the long run.

Massive Ransomware Attack Hits 23 Local Texas Government Offices

Slashdot security articles - Sun, 08/18/2019 - 20:34
Long-time Slashdot reader StonyCreekBare shared this press release from the Texas Department of Information Resources (DIR), issued August 17, 2019, at approximately 5:00 p.m. central time: On the morning of August 16, 2019, more than 20 entities in Texas reported a ransomware attack. The majority of these entities were smaller local governments... At this time, the evidence gathered indicates the attacks came from one single threat actor. Investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time. It appears all entities that were actually or potentially impacted have been identified and notified. Twenty-three entities have been confirmed as impacted. Responders are actively working with these entities to bring their systems back online. The State of Texas systems and networks have not been impacted.

A Major Cyber Attack Could Be Just As Deadly As Nuclear Weapons

Slashdot security articles - Sun, 08/18/2019 - 14:39
"As someone who studies cybersecurity and information warfare, I'm concerned that a cyberattack with widespread impact, an intrusion in one area that spreads to others or a combination of lots of smaller attacks, could cause significant damage, including mass injury and death rivaling the death toll of a nuclear weapon," warns an assistant professor of computer science at North Dakota State University: Unlike a nuclear weapon, which would vaporize people within 100 feet and kill almost everyone within a half-mile, the death toll from most cyberattacks would be slower. People might die from a lack of food, power or gas for heat or from car crashes resulting from a corrupted traffic light system. This could happen over a wide area, resulting in mass injury and even deaths... The FBI has even warned that hackers are targeting nuclear facilities. A compromised nuclear facility could result in the discharge of radioactive material, chemicals or even possibly a reactor meltdown. A cyberattack could cause an event similar to the incident in Chernobyl. That explosion, caused by inadvertent error, resulted in 50 deaths and evacuation of 120,000 and has left parts of the region uninhabitable for thousands of years into the future. My concern is not intended to downplay the devastating and immediate effects of a nuclear attack. Rather, it's to point out that some of the international protections against nuclear conflicts don't exist for cyberattacks... Critical systems, like those at public utilities, transportation companies and firms that use hazardous chemicals, need to be much more secure... But all those systems can't be protected without skilled cybersecurity staffs to handle the work. At present, nearly a quarter of all cybersecurity jobs in the US are vacant, with more positions opening up than there are people to fill them. One recruiter has expressed concern that even some of the jobs that are filled are held by people who aren't qualified to do them.
The solution is more training and education, to teach people the skills they need to do cybersecurity work, and to keep existing workers up to date on the latest threats and defense strategies.

Should HTTPS Certificates Expire After Just 397 Days?

Slashdot security articles - Sun, 08/18/2019 - 11:34
Google has made a proposal to the unofficial cert industry group that "would cut lifespan of SSL certificates from 825 days to 397 days," reports ZDNet. No vote was held on the proposal; however, most browser vendors expressed their support for the new SSL certificate lifespan. On the other side, certificate authorities were not too happy, to say the least. In the last decade and a half, browser makers have chipped away at the lifespan of SSL certificates, cutting it down from eight years to five, then to three, and then to two. The last change occurred in March 2018, when browser makers tried to reduce SSL certificate lifespans from three years to one, but compromised for two years after pushback from certificate authorities. Now, barely two years after the last change, certificate authorities feel bullied by browser makers into accepting their original plan, regardless of the 2018 vote... This fight between CAs and browser makers has been happening in the shadows for years. As HashedOut, a blog dedicated to HTTPS-related news, points out, this proposal is much more about proving who controls the HTTPS landscape than anything else. "If the CAs vote this measure down, there's a chance the browsers could act unilaterally and just force the change anyway," HashedOut said. "That's not without precedent, but it's also never happened on an issue that is traditionally as collegial as this. "If it does, it becomes fair to ask what the point of the CA/B Forum even is. Because at that point the browsers would basically be ruling by decree and the entire exercise would just be a farce." Security researcher Scott Helme "claims that this process is broken and that bad SSL certificates continue to live on for years after being misissued and revoked -- hence the reason he argued way back in early 2018 that a shorter lifespan for SSL certificates would fix this problem because bad SSL certs would be phased out faster."
But the article also notes that Timothy Hollebeek, DigiCert's representative at the CA/B Forum, argues that the proposed change "has absolutely no effect on malicious websites, which operate for very short time periods, from a few days to a week or two at most. After that, the domain has been added to various blacklists, and the attacker moves on to a new domain and acquires new certificates."

Google Plans To Remove All FTP Support From Chrome

Slashdot security articles - Sun, 08/18/2019 - 05:34
An anonymous reader quotes MSPoweruser: Google Chrome has always had a bit of a love-hate relationship with FTP links. Rather than rendering FTP content like other web browsers, Chrome usually just downloads it. However, if you rely on FTP you might have to look elsewhere soon, as Google is planning to remove FTP support altogether. In a post (via Techdows), Google today announced its intention to deprecate FTP support starting with Chrome v80. The main issue with FTP is security: the protocol doesn't support encryption, which leaves it vulnerable, and Google has decided it's no longer feasible to support it.

Intel Patches Three High-Severity Vulnerabilities

Slashdot security articles - Sat, 08/17/2019 - 17:34
Intel's latest patches "stomped out three high-severity vulnerabilities and five medium-severity flaws," reports Threatpost: One of the more serious vulnerabilities exists in the Intel Processor Identification Utility for Windows, free software that users can install on their Windows machines to identify the actual specification of their processors. The flaw (CVE-2019-11163) has a score of 8.2 out of 10 on the CVSS scale, making it high severity. It stems from insufficient access control in a hardware abstraction driver for the software, versions earlier than 6.1.0731. This glitch "may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access," according to Intel. Users are urged to update to version 6.1.0731. Intel stomped out another high-severity vulnerability in its Computing Improvement Program, which is a program that Intel users can opt into that uses information about participants' computer performance to make product improvements and detect issues. However, the program contains a flaw (CVE-2019-11162) in the hardware abstraction of the SEMA driver that could allow escalation of privilege, denial of service or information disclosure... A final high-severity flaw was discovered in the system firmware of the Intel NUC (short for Next Unit of Computing), a mini-PC kit used for gaming, digital signage and more. The flaw (CVE-2019-11140), with a CVSS score of 7.5 out of 10, stems from insufficient session validation in the system firmware of the NUC. This could enable a user to potentially enable escalation of privilege, denial of service and information disclosure. An exploit of the flaw would come with drawbacks -- a bad actor would need existing privileges and local access to the victim system. The article notes that the patches "come on the heels of a new type of side-channel attack revealed last week impacting millions of newer Intel microprocessors manufactured after 2012."

June Windows Security Patch Broke Many EMF Files

Slashdot security articles - Sat, 08/17/2019 - 09:04
reg (Slashdot user #5,428) writes: A Windows security patch in June broke the display of many Windows Metafile graphics across all supported versions of Windows, resulting in many old PowerPoint files and Word documents not displaying figures, and graphics from some popular applications not displaying, including at least some ESRI GIS products and files created using the devEMF driver in R. This likely also impacts EMF files created with Open Source Office suites. While the problem can be fixed by recreating the files using a newer set of options, or resorting to using bitmaps, it means that presentations or documents that used to display perfectly no longer do. Microsoft promised a fix in July, but there is still no news of when it will be available.

Chrome and Firefox Changes Spark the End of 'Extended Validation' Certificates

Slashdot security articles - Sat, 08/17/2019 - 06:34
"Upcoming changes in Google Chrome and Mozilla Firefox may finally spark the end for Extended Validation certificates as the browsers plan to do away with showing a company's name in the address bar," reports Bleeping Computer. When connecting to a secure web site, an installed SSL/TLS certificate will encrypt the communication between the browser and web server. These certificates come in a few different flavors, with some claiming to offer a more thorough verification process or extra perks. One type, called EV Certificates, is known for having a browser display the owner of the certificate directly in the browser's address bar. This allegedly makes the site feel more trustworthy to a visitor. In reality, the different types of SSL/TLS certificates all serve a single purpose and that is to encrypt the communication between a browser and web site. Anything extra is seen by many as just a marketing gimmick to charge customers for a more expensive "trustworthy" certificate. In numerous blog posts, security researcher Troy Hunt has stated that EV Certificates will soon be dead as more and more sites switch away from them, because they are much harder to manage due to extra verification times, and because people have come to associate a padlock with a secure site rather than a company name. With Safari already removing EV Certificate company info from the address bar, most mobile browsers not showing it, and Chrome and Mozilla desktop browsers soon to remove it, Hunt's predictions are coming true. EV Certificates will soon be dead. AmiMoJo shared this post from Google's Chromium blog: Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.
Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.