Feed aggregator

Source Code of Iranian Cyber-Espionage Tools Leaked on Telegram

Slashdot security articles - Thu, 04/18/2019 - 21:30
In an incident reminiscent of the Shadow Brokers leak that exposed the NSA's hacking tools, someone has now published similar hacking tools belonging to one of Iran's elite cyber-espionage units, known as APT34, Oilrig, or HelixKitten. From a report: The hacking tools are nowhere near as sophisticated as the NSA tools leaked in 2017, but they are dangerous nevertheless. The tools have been leaked since mid-March on a Telegram channel by an individual using the Lab Dookhtegan pseudonym. Besides hacking tools, Dookhtegan also published what appears to be data from some of APT34's hacked victims, mostly comprising username and password combos that appear to have been collected through phishing pages. ZDNet was previously aware of some of these tools and victim data after this reporter received a tip in mid-March. In a Twitter DM, a Twitter user shared some of the same files that were discovered today on Telegram, and we believe that this Twitter user is the Telegram Lab Dookhtegan persona.

Ajit Pai Proposes Blocking China-Owned Telecom From US Phone Market

Slashdot security articles - Thu, 04/18/2019 - 12:52
An anonymous reader quotes a report from Ars Technica: FCC Chairman Ajit Pai has proposed denying China Mobile USA's application to offer telecom services in the U.S., saying the Chinese government-owned company poses a security risk. The FCC is scheduled to vote on an order to deny the application at its open meeting on May 9, and Pai yesterday announced his opposition to China Mobile entering the U.S. market. "After reviewing the evidence in this proceeding, including the input provided by other federal agencies, it is clear that China Mobile's application to provide telecommunications services in our country raises substantial and serious national security and law enforcement risks," Pai said. "Therefore, I do not believe that approving it would be in the public interest. I hope that my colleagues will join me in voting to reject China Mobile's application." China Mobile filed its application in 2011, and has repeatedly complained about the government's lengthy review process. According to Pai's announcement, China Mobile's application sought authority "to provide international facilities-based and resale telecommunications services between the U.S. and foreign destinations." In simpler terms, the company was seeking "a license to connect calls between the United States and other nations" and "was not seeking to provide domestic cell service and compete in the country with businesses like AT&T and Verizon," The New York Times wrote yesterday. An FCC official told reporters that such calls "could be intercepted for surveillance and make the domestic network vulnerable to hacking and other risks," the Times wrote.

Facebook Quietly Updates Last Month's Security Disclosure To Add That 'Millions' of Instagram Users Are Also Impacted

Slashdot security articles - Thu, 04/18/2019 - 10:13
Last month, Facebook disclosed that hundreds of millions of users on its platform had their account passwords stored in plain text -- in some cases going back to 2012 -- and searchable by thousands of Facebook employees. Today, the company quietly updated that blog post to reveal that Instagram users are also impacted. It said, in the update: Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.

Facebook 'Unintentionally Uploaded' Email Contacts From 1.5M Users

Slashdot security articles - Wed, 04/17/2019 - 17:41
Facebook "unintentionally" harvested the email contacts of about 1.5 million of its users during the past three years. From a report: The activity came to light when a security researcher noticed that Facebook was asking users to enter their email passwords to verify their identities when signing up for an account, according to Business Insider, which previously reported on the practice. Those who did enter their passwords then saw a pop-up message that said it was "importing" their contacts -- without first asking permission, BI reported. A Facebook spokesperson confirmed that 1.5 million people's contacts were collected in this manner since May 2016 to help build Facebook's web of social connections and recommend other users to add as friends.

Bad Bots Now Make Up 20 Percent of Web Traffic

Slashdot security articles - Wed, 04/17/2019 - 15:30
So-called "bad bots," tasked with performing denial-of-service (DoS) attacks or other malicious activities like automatically publishing fake content or reviews, are estimated to make up roughly 37.9 percent of all internet traffic. "In 2018, one in five website requests -- 20.4 percent -- of traffic was generated by bad bots alone," reports ZDNet, citing Distil Networks' latest bot report, "Bad Bot Report 2019: The Bot Arms Race Continues." From the report: According to Distil Networks' latest bot report, the financial sector is the main target for such activity, followed by ticketing, the education sector, government websites, and gambling. Based on the analysis of hundreds of billions of bad bot requests over 2018, simple bots, which are easy to detect and defend against, accounted for 26.4 percent of bad bot traffic. Meanwhile, 52.5 percent came from those considered to be "moderately" sophisticated, equipped with the capability to use headless browser software as well as JavaScript to conduct illicit activities. A total of 73.6 percent of bad bots are classified as Advanced Persistent Bots (APBs), which are able to cycle through random IP addresses, switch their digital identities, and mimic human behavior. Amazon is the leading ISP for bad bot traffic origins. In total, 18 percent of bad bot traffic came from the firm's services, a jump from 10.62 percent in 2017. Almost 50 percent of bad bots use Google Chrome as their user agent and 73.6 percent of bad bot traffic was recorded as originating from data centers, down from 82.7 percent in 2017. The United States outstrips all other countries as a generator of bad bots. In total, 53.4 percent of bad bot traffic came from the US, followed by the Netherlands and China. The most blocked country by IP is Russia, together with Ukraine and India.

Cyberspies Hijacked the Internet Domains of Entire Countries

Slashdot security articles - Wed, 04/17/2019 - 08:40
Trailrunner7 shares a report: The discovery of a new, sophisticated team of hackers spying on dozens of government targets is never good news. But one team of cyberspies has pulled off that scale of espionage with a rare and troubling trick, exploiting a weak link in the internet's cybersecurity that experts have warned about for years: DNS hijacking, a technique that meddles with the fundamental address book of the internet. Researchers at Cisco's Talos security division on Wednesday revealed that a hacker group it's calling Sea Turtle carried out a broad campaign of espionage via DNS hijacking, hitting 40 different organizations. In the process, they went so far as to compromise multiple country-code top-level domains -- the suffixes like .co.uk, or .ru, that end a foreign web address -- putting all the traffic of every domain in multiple countries at risk. The hackers' victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system. But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organizations including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa. By corrupting the internet's directory system, hackers were able to silently use "man-in-the-middle" attacks to intercept all internet data from email to web traffic sent to those victim organizations. [...] Cisco Talos said it couldn't determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations. But it did provide a list of the countries where victims were located: Albania, Armenia, Cyprus, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates. Cisco's Craig Williams confirmed that Armenia's .am top-level domain was one of the "handful" that were compromised, but wouldn't say which of the other countries' top-level domains were similarly hijacked.

Microsoft Loses Control Over Windows Tiles Subdomain

Slashdot security articles - Wed, 04/17/2019 - 06:40
Microsoft has lost control over a crucial subdomain that Windows 8 and Windows 10 use to deliver RSS-based news and updates to Live Tiles -- animated Windows start menu items. From a report: The subdomain (notifications.buildmypinnedsite.com) is currently under the control of Hanno Böck, a security researcher and journalist for German tech news site Golem.de. The subdomain was part of the buildmypinnedsite.com service that Microsoft set up with the launch of Windows 8, and more specifically to allow websites to show live updates inside users' Start pages and menus. [...] Today Böck said the service no longer works. "The host that should deliver the XML files -- notifications.buildmypinnedsite.com -- only showed an error message from Microsoft's cloud service Azure," the researcher said. "The host was redirected to a subdomain of Azure. However, this subdomain wasn't registered with Azure." Böck registered this subdomain on his Azure account and is currently sinkholing any requests it receives. He also notified Microsoft of the issue but said the company did not reply. "We won't keep the host registered permanently. There's a decent amount of traffic reaching this host and running up costs," the researcher said. "Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks," he warned.

Presidential Candidate John Delaney Wants To Create a Department of Cybersecurity

Slashdot security articles - Tue, 04/16/2019 - 14:50
On Tuesday, former Maryland representative and 2020 presidential candidate John Delaney announced a plan to create a Department of Cybersecurity that "would be led by a cabinet-level secretary who would be in charge of implementing the United States' cybersecurity strategy," reports The Verge. "The proposal is the first major cybersecurity push from any presidential candidate so far this cycle." From the report: In a press release, Delaney argued that the U.S.'s cyber authorities are spread too thin across too many agencies. This new agency would work to streamline the country's current approach. "Securing our cyber-infrastructure is not only a national security priority, it is an economic one as well," Delaney said. "In light of the many recent and continued cyberattacks on our country, we need to establish a cabinet-level agency to focus on protecting our cyberspace." Currently, the cybersecurity responsibility is scattered across a number of agencies, with Homeland Security handling threats to civilian agencies, US Cyber Command dealing with military cyberattacks, the FBI prosecuting federal and international cybercrime, and a string of ISACs coordinating private sector actors alongside government agencies. In the past, the White House has appointed a cybersecurity coordinator, or "czar," to work across those agencies, but President Trump eliminated the position in May 2018, leaving no single person or agency in charge of leading the country's cybersecurity efforts.

HP's EliteBook 800 G6 Notebook Series Adds Convenience, Privacy Features

Slashdot security articles - Tue, 04/16/2019 - 10:45
HP today announced its latest EliteBook 800 G6 line of business notebooks, boasting additional privacy options and a security software agent that HP says will make them more capable against zero-day attacks. From a report: HP's new models -- the EliteBook 830 G6, HP EliteBook 840 G6, and HP EliteBook 850 G6, plus the HP EliteBook x360 830 G6 -- offer up to 18 hours of battery life, a behind-the-glass privacy shutter, and options for a 1,000-nit screen that can be used outdoors. HP said it will ship most of the models in May, while the x360 model is expected to ship in June. Prices have not been announced. According to specifications provided to PCWorld, all four notebooks will share common Core i5-8265U and Core i7-8565 Whiskey Lake processors from Intel, while the EliteBook 830 G6 and EliteBook x360 830 G6 will offer a Core i3-8145U option as well. Wi-Fi 6 and Bluetooth 5.0 also appear for the first time in this generation, HP said. The members of the EliteBook lineup differ by screen size. The EliteBook 830 G6 and x360 830 G6 offer 13.3-inch displays. The 840 G6 is a 14-inch laptop, and the 850 G6 is a 15-inch machine. As many business notebooks do, HP has innovated on two axes: improving the hardware, as well as building in additional software and services. The company seems especially proud of the latter, specifically what it calls Sure Sense. The technology will be included on all of the newly announced EliteBook PCs. With Sure Sense, the company believes the lightweight software agent can react in real time to unknown threats, intelligently deciding whether they represent a risk to the system. The idea, HP said, is to provide an additional layer of security against so-called "zero-day" attacks that may come out of the blue and install ransomware or worse on corporate machines.

Scranos Rootkit Expands Operations From China To the Rest of the World

Slashdot security articles - Tue, 04/16/2019 - 06:47
A malware operation previously limited to China's borders has expanded over the past few months to infect users from all over the world, antivirus firm Bitdefender said in a report published today. From a report: Users who have the bad habit of downloading and installing cracked software applications are at the highest risk. According to Bitdefender experts, these apps are laced with a relatively new malware strain named Scranos. The most important piece of this malware is a rootkit driver that's hidden inside the tainted apps and which allows the malware to gain boot persistence and take full control over users' systems in the early stages of an infection. Although Bitdefender describes Scranos as "a work in progress, with many components in the early stage of development," the malware is still very dangerous as it is. That's because Scranos is a modular threat that once it infects a host computer, it can ping its command and control (C&C) server for additional instructions, and then download small modules to execute a fine set of operations.

US Government Admits It Doesn't Know If Assange Cracked Password For Manning

Slashdot security articles - Tue, 04/16/2019 - 05:00
An anonymous reader quotes a report from Motherboard: The U.S. government does not have any evidence that WikiLeaks founder Julian Assange succeeded in cracking a password for whistleblower Chelsea Manning, according to a newly unsealed affidavit written by an FBI agent. Last week, Assange was escorted out of the Ecuadorian embassy in London, and arrested for breaching bail in connection to allegations of sexual misconduct in Sweden. The day of Assange's arrest, the U.S. government unsealed an indictment against Assange with a hacking conspiracy charge. The Department of Justice accused WikiLeaks' founder of agreeing to help Manning crack a password that would have helped the former military analyst get into a classified computer system under a username that did not belong to her, making it harder for investigators to trace the eventual leak. On Monday, the U.S. District Court for the Eastern District of Virginia unsealed the affidavit, which is dated December 21, 2017. The document contains more details on the interactions between Assange and Manning. And, most significantly, contains the admission that the U.S. government -- as of December of 2017 -- had no idea whether Assange actually cracked the password. Until now, we knew that the U.S. was aware that Assange attempted to crack a password for Manning once, but didn't know if it had more evidence of further attempts or whether it thought Assange was successful. "Investigators have not recovered a response by Manning to Assange's question, and there is no other evidence as to what Assange did, if anything, with respect to the password," FBI agent Megan Brown said in the affidavit. According to lawyers, the simple offer to help can be considered part of a conspiracy to violate the Computer Fraud and Abuse Act. "For purposes of a conspiracy charge, it is not necessary for the action to be successful. All that is needed is an overt action in furtherance of the conspiracy, namely Assange's efforts to crack the password for Manning," Bradley, a lawyer at the Mark Zaid P.C. law firm in Washington, DC, told Motherboard via email. "That he failed is irrelevant."

TicTocTrack Smartwatch Flaws Can Be Abused To Track Kids

Slashdot security articles - Mon, 04/15/2019 - 15:40
secwatcher shares a report from Threatpost: A popular smartwatch that allows parents to track their children's whereabouts, TicTocTrack, has been discovered to be riddled with security issues that could allow hackers to track and call children. Researchers at Pen Test Partners revealed vulnerabilities in the watch (sold in Australia) on Monday, which could enable hackers to track children's location, spoof the child's location or view personal data on the victims' accounts. The parent company of the TicTocTrack watch, iStaySafe Pty Ltd., has temporarily restricted access to the watch's service and app while it investigates further. Researchers found that the service's back end does not make any authorization attempt on any request -- besides the user having a valid username and password combination. That means that an attacker who is logged into the service could remotely compromise the app and track other accounts that are based in Australia. The smartwatch, available in Australia for $149 (USD), is designed for children and uses GPS to track the movement of the wearer every six minutes, and offers voice calling and SMS features. The smartwatch's API can be attacked by changing the FamilyIdentifier number (which identifies the family that the user belongs to), which then could give a bad actor complete access to the user's data -- including the children's location, parents' full names, phone numbers and other personally identifiable information. Researchers with Pen Test Partners collaborated with security researcher Troy Hunt to test the attack. Hunt uploaded a video showing how the smartwatch vulnerability could be exploited to call his daughter -- and how her smartwatch would answer automatically without any interaction needed from her end.

DARPA Wants To Make a Better, More Secure Version of WhatsApp

Slashdot security articles - Mon, 04/15/2019 - 13:00
The Defense Advanced Research Projects Agency (DARPA) appears to be in the process of developing its own ultra secure communication platform. The program is called "Resilient Anonymous Communication for Everyone," or RACE, and it will be similar to WhatsApp in that it will be for everyone to use. Trusted Reviews reports: The objectives of the program are to create a distributed messaging system that can do three things: Exist completely within a network; Provide confidentiality, integrity and availability of messaging; and Preserve privacy to any participant in the system. DARPA seem to be putting security front and center, and the description of the project claims that "compromised system data and associated networked communications should not be helpful for comprising any additional parts of the system," meaning that DARPA are keen that one breach shouldn't also give them a leg up on access to other parts of the system. So, will we soon be using a U.S. government branded DARPA? Probably not, but the chances are that RACE will go some way to creating a messaging app that's resilient to attacks, with the protocol and security they find no doubt dripping through to consumer tech and features in the coming years.

A Hacker Has Dumped Nearly One Billion User Records Over the Past Two Months

Slashdot security articles - Mon, 04/15/2019 - 11:20
A hacker who spoke with ZDNet in February about wanting to put up for sale the data of over one billion users is getting dangerously close to his goal after releasing another 65.5 million records last week and reaching a grand total of 932 million records overall. From a report: The hacker's name is Gnosticplayers, and he's responsible for the hacks of 44 companies, including last week's revelations. Since mid-February, the hacker has been putting batches of hacked data on Dream Market, a dark web marketplace for selling illegal products, such as guns, drugs, and hacking tools. He's released data from companies like 500px, UnderArmor, ShareThis, GfyCat, and MyHeritage, just to name the bigger names. Releases have been grouped in four rounds -- Round 1 (620 million user records), Round 2 (127 million user records), Round 3 (93 million user records), and Round 4 (26.5 million user records).

Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support

Slashdot security articles - Mon, 04/15/2019 - 08:02
eatmorekix writes: On Saturday, Microsoft confirmed that some users of the company's email service had been targeted by hackers. A hacker or group of hackers had first broken into a customer support account for Microsoft, and then used that to gain access to information related to customers' email accounts such as the subject lines of their emails and who they've communicated with. But the issue is much worse than previously reported, with the hackers able to access email content from a large number of Outlook, MSN, and Hotmail email accounts, according to a source who witnessed the attack in action and described it before Microsoft's statement, as well as screenshots provided to Motherboard. Microsoft confirmed to Motherboard that hackers gained access to the content of some customers' emails.

Dragons, Nuclear Weapons, and Game of Thrones

Slashdot security articles - Sun, 04/14/2019 - 19:04
Slashdot reader Dan Drollette shared this article from the Bulletin of Atomic Scientists where a specialist in nuclear security analyzes Game of Thrones, citing dragons "as living, fire-breathing metaphors for nuclear weapons." Despite the fantasy setting, the story teaches a great deal about the inherent dangers that come with managing these game-changing agents, their propensity for accidents, the relative benefits they grant their masters, and the strain these weapons impose upon those wielding them. "Dragons are the nuclear deterrent, and only [Daenerys Targaryen, one of the series' heroines] has them, which in some ways makes her the most powerful person in the world," George R. R. Martin said in 2011. "But is that sufficient? These are the kind of issues I'm trying to explore." "The United States right now has the ability to destroy the world with our nuclear arsenal, but that doesn't mean we can achieve specific geopolitical goals. Power is more subtle than that. You can have the power to destroy, but it doesn't give you the power to reform, or improve, or build." It makes for a bleak outlook. Or, as a character repeatedly warns in the first episode: "Winter is coming."

Internet Explorer Exploit Steals Data From Windows Users -- Even If They Never Use Internet Explorer

Slashdot security articles - Sun, 04/14/2019 - 14:39
Security researcher John Page has revealed a new zero-day exploit that allows remote attackers to exfiltrate local files using Internet Explorer. "The craziest part: Windows users don't ever even have to open the now-obsolete web browser for malicious actors to use the exploit," reports Mashable. "It just needs to exist on their computer..." [H]ackers are taking advantage of a vulnerability using .MHT files, which is the file format used by Internet Explorer for its web archives. Current web browsers do not use the .MHT format, so when a PC user attempts to access this file Windows opens IE by default. To initiate the exploit, a user simply needs to open an attachment received by email, messenger, or other file transfer service... Most worrisome, according to Page, is that Microsoft told him that it would just "consider" a fix in a future update. The security researcher says he contacted Microsoft in March before now going public with the issue. As ZDNet points out, while Internet Explorer usage makes up less than 10 percent of the web browser market, it doesn't particularly matter in this case as the exploit just requires a user to have the browser on their PC.

Microsoft Says Some Webmail Accounts Were Compromised

Slashdot security articles - Sun, 04/14/2019 - 03:34
A "limited" number of users of Microsoft's webmail services -- which include Hotmail, Outlook.com, and MSN -- "had their accounts compromised," TechCrunch reports. "We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators' access," said a Microsoft spokesperson in an email. According to an email Microsoft has sent out to affected users, malicious hackers were potentially able to access an affected user's e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses the user communicates with -- "but not the content of any e-mails or attachments," nor -- it seems -- login credentials like passwords. Microsoft is still recommending that affected users change their passwords regardless. The breach occurred between January 1 and March 28, Microsoft's letter to users said. The hackers got into the system by compromising a customer support agent's credentials, according to the letter. Once identified, those credentials were disabled. Microsoft told users that it didn't know what data was viewed by the hackers or why, but cautioned that users might as a result see more phishing or spam emails.

Police Are Using Google's Location Data From 'Hundreds of Millions' of Phones

Slashdot security articles - Sat, 04/13/2019 - 20:34
"When law enforcement investigations get cold, there's a source authorities can turn to for location data that could produce new leads: Google." An anonymous reader quotes CNET: Police have used information from the search giant's Sensorvault database to aid in criminal cases across the country, according to a report Saturday by The New York Times. The database has detailed location records from hundreds of millions of phones around the world, the report said. It's meant to collect information on the users of Google's products so the company can better target them with ads, and see how effective those ads are. But police have been tapping into the database to help find missing pieces in investigations. Law enforcement can get "geofence" warrants seeking location data. Those kinds of requests have spiked in the last six months, and the company has received as many as 180 requests in one week, according to the report.... For geofence warrants, police carve out a specific area and time period, and Google can gather information from Sensorvault about the devices that were present during that window, according to the report. The information is anonymous, but police can analyze it and narrow it down to a few devices they think might be relevant to the investigation. Then Google reveals those users' names and other data, according to the Times... [T]he AP reported last year that Google tracked people's location even after they'd turned off location-sharing on their phones. Google's data dates back "nearly a decade," the Times reports -- though in a statement, Google's director of law enforcement and information security insisted "We vigorously protect the privacy of our users while supporting the important work of law enforcement." (The Times also interviewed a man who was arrested and jailed for a week last year based partly on Google's data -- before eventually being released after the police found a more likely suspect.) "According to the Times, Google is the primary company that appears to be fulfilling the warrants," reports Gizmodo, adding that Apple "says it can't provide this information to authorities..." "A thriving black market in location data has persisted despite promises from carriers to stop selling it to middlemen, who divert it from intended uses in marketing and other services."

China's Largest Image Provider Suspends Site After Falsely Claiming Copyright On 'Black Hole' Photo

Slashdot security articles - Sat, 04/13/2019 - 08:34
An anonymous reader quotes Reuters: China's largest stock images provider, Visual China Group, shut its website and apologized on Friday after it falsely claimed copyright of images such as the first photo of a black hole and China's national flag. The company, which partners with U.S. photo agency Getty Images, said in a post on its official Weibo account the incident revealed its weak management and that it was cooperating with authorities investigating the matter. Shares in the company slumped by the maximum 10 percent allowed. The topic "Visual China apologises" was among the most-read items on China's Twitter-like Weibo platform on Friday, with over 250 million views... The country's leaders have pledged to do more to protect intellectual property rights amid complaints by the United States and other key trading partners about the theft of such assets. Elliot Papageorgiou, the Shanghai-based head of the IP practice at law firm Clyde & Co., said Visual China's use of the black hole image was embarrassing due to the photo's high profile. "It comes at an inconvenient time because China is trying hard to get recognition for some positive steps it is taking to protect intellectual property," he said. The company had claimed to have received authorization for using the photo -- though not for commercial purposes -- from the European Southern Observatory. But today the government-owned China Daily newspaper notes that "The European Southern Observatory, responding to questions from the National Business Daily in an email, said Visual China never contacted it for any purpose regarding the image. It said Visual China did not need to ask for authorization to reproduce the image provided the credit was clear and visible, but 'the behavior of using the so-called authorization as a copyright to sell the image in China and profit from it is illegal...'" "The official accounts of many large companies, including Baidu, Phoenix News Media, major retailer Suning and Qihoo 360, an internet security company, also left comments about having found their logos on Visual China with a copyright claim."