Slashdot security articles


First Government Office in the US To Accept Bitcoin As Payment

Sat, 05/19/2018 - 14:34
Long-time Slashdot reader SonicSpike quotes the Orlando Sentinel: If cash, check or credit card seems too old-fashioned, Seminole County, Florida Tax Collector Joel Greenberg said this week his office will begin accepting bitcoin as payment for new IDs, license plates and property taxes starting next month. Greenberg said accepting bitcoin and bitcoin cash as a payment method will promote transparency and accuracy in payment. "There's no risk to the taxpayer," said Greenberg, who has often raised eyebrows since his 2016 election by moves including encouraging certain employees with concealed-weapons permits to carry a firearm openly as a security measure. "Blockchain technology is the future of the whole financial industry." A spokesperson for a neighboring county's tax collector said they had no plans to follow the move. "Frankly, I think the currency is so volatile that I don't think it makes sense." And an official at a nearby county said bitcoin payments were "not on our to-do list", adding that no one in the county had requested the ability to pay their taxes in bitcoin.

IBM Warns Quantum Computing Will Break Encryption

Sat, 05/19/2018 - 13:34
Long-time Slashdot reader CrtxReavr shares a report from ZDNet: Quantum computers will be able to instantly break the encryption of sensitive data protected by today's strongest security, warns the head of IBM Research. This could happen in a little more than five years because of advances in quantum computer technologies. "Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now," said Arvind Krishna, director of IBM Research... Quantum computers can solve some types of problems near-instantaneously compared with billions of years of processing using conventional computers... Advances in novel materials and in low-temperature physics have led to many breakthroughs in the quantum computing field in recent years, and large commercial quantum computer systems will soon be viable and available within five years... In addition to solving tough computing problems, quantum computers could save huge amounts of energy, as server farms proliferate and applications such as bitcoin grow in their compute needs. Each computation takes just a few watts, yet it could take several server farms to accomplish if it were run on conventional systems. The original submission raises another possibility. "What I wonder is, if encryption can be 'instantly broken,' does this also mean that remaining crypto-coins can be instantly discovered?"

40 Cellphone-Tracking Devices Discovered Throughout Washington

Sat, 05/19/2018 - 12:34
The investigative news "I-Team" of a local TV station in Washington D.C. drove around with "a leading mobile security expert" -- and discovered dozens of StingRay devices mimicking cellphone towers to track phones and intercept calls in Maryland, Northern Virginia, and Washington, D.C. An anonymous reader quotes their report: The I-Team found them in high-profile areas like outside the Trump International Hotel on Pennsylvania Avenue and while driving across the 14th Street bridge into Crystal City... The I-Team's test phones detected 40 potential locations where the spy devices could be operating, while driving around for just a few hours. "I suppose if you spent more time you'd find even more," said D.C. Councilwoman Mary Cheh. "I have bad news for the public: Our privacy isn't what it once was..." The good news is about half the devices the I-Team found were likely law enforcement investigating crimes or our government using the devices defensively to identify certain cellphone numbers as they approach important locations, said Aaron Turner, a leading mobile security expert... The I-Team got picked up [by StingRay devices] twice off of International Drive, right near the Chinese and Israeli embassies, then got another two hits along Massachusetts Avenue near Romania and Turkey... The phones appeared to remain connected to a fake tower the longest, right near the Russian Embassy. StingRay devices are also being used in at least 25 states by police departments, according to the ACLU. The devices were authorized by the FCC back in 2011 for "federal, state, local public safety and law enforcement officials only" (and requiring coordination with the FBI). But back in April the Associated Press reported that "For the first time, the U.S. government has publicly acknowledged the existence in Washington of what appear to be rogue devices that foreign spies and criminals could be using to track individual cellphones and intercept calls and messages... More sophisticated versions can eavesdrop on calls by forcing phones to step down to older, unencrypted 2G wireless technology. Some attempt to plant malware."

'I Asked Apple for All My Data. Here's What Was Sent Back'

Sat, 05/19/2018 - 07:34
"I asked Apple to give me all the data it's collected on me since I first became a customer in 2010," writes the security editor for ZDNet, "with the purchase of my first iPhone." That was nearly a decade ago. As most tech companies have grown in size, they began collecting more and more data on users and customers -- even on non-users and non-customers... Apple took a little over a week to send me all the data it's collected on me, amounting to almost two dozen Excel spreadsheets at just 5MB in total -- roughly the equivalent of a high-quality photo snapped on my iPhone. Facebook, Google, and Twitter all took a few minutes to an hour to send me all the data they store on me -- ranging from a few hundred megabytes to a couple of gigabytes in size... The zip file contained mostly Excel spreadsheets, packed with information that Apple stores about me. None of the files contained content information -- like text messages and photos -- but they do contain metadata, like when and who I messaged or called on FaceTime. Apple says that any data it collects on you is yours to have if you want it, but as of yet, it doesn't turn over your content, which is largely stored on your slew of Apple devices. That's set to change later this year... And, of the data it collects to power Siri, Maps, and News, it does so anonymously -- Apple can't attribute that data to the device owner... One spreadsheet -- handily -- contained explanations for all the data fields, which we've uploaded here... [T]here's really not much to it. As insightful as it was, Apple's treasure trove of my personal data is a drop in the ocean to what social networks or search giants have on me, because Apple is primarily a hardware maker and not ad-driven, like Facebook and Google, which use your data to pitch you ads. CNET explains how to request your own data from Apple.

FCC Investigating LocationSmart Over Phone-Tracking Flaw

Fri, 05/18/2018 - 23:00
The FCC has opened an investigation into LocationSmart, a company that is buying your real-time location data from four of the largest U.S. carriers. The investigation comes a day after a security researcher from Carnegie Mellon University exposed a vulnerability on LocationSmart's website. CNET reports: The bug has prompted an investigation from the FCC, the agency said on Friday. An FCC spokesman said LocationSmart's case was being handled by its Enforcement Bureau. Since The New York Times revealed last week that Securus, an inmate call tracking service, had offered the same tracking service, Sen. Ron Wyden, a Democrat from Oregon, called for the FCC and major wireless carriers to investigate these companies. On Friday, Wyden praised the investigation, but requested the FCC to expand its look beyond LocationSmart. "The negligent attitude toward Americans' security and privacy by wireless carriers and intermediaries puts every American at risk," Wyden said. "I urge the FCC expand the scope of this investigation, and to more broadly probe the practice of third parties buying real-time location data on Americans." He is also calling for FCC Chairman Ajit Pai to recuse himself from the investigation, because Pai was a former attorney for Securus.

New Spectre Attack Can Reveal Firmware Secrets

Fri, 05/18/2018 - 17:30
Yuriy Bulygin, the former head of Intel's advanced threat team, has published research showing that the Spectre CPU flaws can be used to break into the highly privileged CPU mode on Intel x86 systems known as System Management Mode (SMM). ZDNet reports: Bulygin, who has launched security firm Eclypsium, has modified Spectre variant 1 with kernel privileges to attack a host system's firmware and expose code in SMM, a secure portion of BIOS or UEFI firmware. SMM resides in SMRAM, a protected region of physical memory that should only be accessible by BIOS firmware and not the operating system kernel, hypervisors or security software. SMM handles especially disruptive interrupts and is accessible through the SMM runtime of the firmware, known as System Management Interrupt (SMI) handlers. "Because SMM generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (e.g., hypervisor, operating system, or application)," Bulygin explains. To expose code in SMM, Bulygin modified a publicly available proof-of-concept Spectre 1 exploit running with kernel-level privileges to bypass Intel's System Management Range Registers (SMRR), a set of range registers that protect SMM memory. "These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory," he notes.

RedDawn Android Malware Is Harvesting Personal Data of North Korean Defectors

Fri, 05/18/2018 - 16:50
According to security company McAfee, North Korea uploaded three spying apps to the Google Play Store in January that contained hidden functions designed to steal personal photos, contact lists, text messages, and device information from the phones they were installed on. "Two of the apps purported to be security utilities, while a third provided information about food ingredients," reports The Inquirer. All three of the apps were part of a campaign dubbed "RedDawn" and targeted primarily North Korean defectors. From the report: The apps were promoted to particular targets via Facebook, McAfee claims. However, it adds that the malware was not the work of the well-known Lazarus Group, but another North Korean hacking outfit that has been dubbed Sun Team. The apps were called Food Ingredients Info, Fast AppLock and AppLockFree. "Food Ingredients Info and Fast AppLock secretly steal device information and receive commands and additional executable (.dex) files from a cloud control server. We believe that these apps are multi-staged, with several components." "AppLockFree is part of the reconnaissance stage, we believe, setting the foundation for the next stage, unlike the other two apps. The malware was spread to friends, asking them to install the apps and offer feedback, via a Facebook account with a fake profile that promoted Food Ingredients Info," according to McAfee security researcher Jaewon Min. "After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks. From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January. The logs had a similar format and used the same abbreviations for fields as in other Sun Team logs. Furthermore, the email addresses of the new malware's developer are identical to the earlier email addresses associated with the Sun Team."

Ask Slashdot: What's the Most Sophisticated Piece of Software Ever Written?

Fri, 05/18/2018 - 09:36
An anonymous reader writes: Stuxnet is the most sophisticated piece of software ever written, given the difficulty of the objective: deny Iran's efforts to obtain weapons-grade uranium without need for diplomacy or use of force, John Byrd, CEO of Gigantic Software (formerly Director of Sega and SPM at EA), argues in a blog post, which is being widely shared in developer circles, with most agreeing with Byrd's conclusion. He writes, "It's a computer worm. The worm was written, probably, between 2005 and 2010. Because the worm is so complex and sophisticated, I can only give the most superficial outline of what it does. This worm exists first on a USB drive. Someone could just find that USB drive lying around, or get it in the mail, and wonder what was on it. When that USB drive is inserted into a Windows PC, without the user knowing it, that worm will quietly run itself, and copy itself to that PC. It has at least three ways of trying to get itself to run. If one way doesn't work, it tries another. At least two of these methods to launch itself were completely new then, and both of them used two independent, secret bugs in Windows that no one else knew about, until this worm came along." "Once the worm runs itself on a PC, it tries to get administrator access on that PC. It doesn't mind if there's antivirus software installed -- the worm can sneak around most antivirus software. Then, based on the version of Windows it's running on, the worm will try one of two previously unknown methods of getting that administrator access on that PC. Until this worm was released, no one knew about these secret bugs in Windows either. At this point, the worm is now able to cover its tracks by getting underneath the operating system, so that no antivirus software can detect that it exists. It binds itself secretly to that PC, so that even if you look on the disk for where the worm should be, you will see nothing. This worm hides so well, that the worm ran around the Internet for over a year without any security company in the world recognizing that it even existed." What do Slashdot readers think?

A Bug in Keeper Password Manager Leads To Sparring Over 'Zero-Knowledge' Claim

Fri, 05/18/2018 - 07:20
Keeper, a password manager maker that recently and controversially sued a reporter, has fixed a bug that a security researcher claimed could have allowed access to a user's private data. From a report: The bug -- which the company confirmed and has since fixed -- filed anonymously to a public security disclosure list, detailed how anyone controlling Keeper's API server could gain access to the decryption key to a user's vault of passwords and other sensitive information. The researcher found the issue in the company's Python-powered script called Keeper Commander, which allows users to rotate passwords, eliminating the need for hardcoded passwords in software and systems. According to the write-up, the researcher said it's possible that someone in control of Keeper's API -- such as employees at the company -- could unlock an account, because the API server stores the information used to produce an intermediary decryption key. "What seems to appear in the code of Keeper Commander from November 2015 to today is blind trust of the API server," said the researcher.

Facebook's Android App Is Asking for Superuser Privileges, Users Say

Fri, 05/18/2018 - 06:00
Catalin Cimpanu, reporting for BleepingComputer: The Facebook Android app is asking for superuser permissions, and a bunch of users are freaking out about granting the Facebook app full access to their device, an understandable reaction following the fallout from the Cambridge Analytica privacy scandal. "Grants full access to your device," read the prompts while asking users for superuser permissions. These popups originate from the official Facebook Android app (com.facebook.katana) and started appearing last night [UTC timezone], continuing throughout the day. Panicked users took to social media, Reddit, and Android-themed forums to share screengrabs of these suspicious popups and ask for advice on what's going on.

Ask Slashdot: Which Is the Safest Router?

Thu, 05/17/2018 - 14:50
MindPrison writes: As ashamed as I am to admit it -- a longtime computer user since the Commodore heydays, I've been hacked twice recently and that has seriously made me rethink my options for my safety and well-being. So, I ask you dear Slashdot users, from one fellow longtime Slashdotter to another: which is the best router for optimal safety today?

Cell Phone Tracking Firm Exposed Millions of Americans' Real-time Locations

Thu, 05/17/2018 - 14:10
Earlier this week, ZDNet shed some light on a company called LocationSmart that is buying your real-time location data from four of the largest U.S. carriers. The story blew up because a former police sheriff snooped on phone location data without a warrant, according to The New York Times. ZDNet is now reporting that the company "had a bug in its website that allowed anyone to see where a person is located -- without obtaining their consent." An anonymous reader shares an excerpt: "Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a Ph.D. student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. "The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here." The "try" website was pulled offline after Xiao privately disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon. Xiao said the bug may have exposed nearly every cell phone customer in the U.S. and Canada, some 200 million customers. The researcher said he started looking at LocationSmart's website following ZDNet's report this week, which followed from a story from The New York Times, which revealed how a former police sheriff snooped on phone location data without a warrant. The sheriff has pleaded not guilty to charges of unlawful surveillance. He said one of the APIs used in the "try" page that allows users to try the location feature out was not validating the consent response properly. Xiao said it was "trivially easy" to skip the part where the API sends the text message to the user to obtain their consent. "It's a surprisingly simple bug," he said.

Hardcoded Password Found in Cisco Enterprise Software, Again

Thu, 05/17/2018 - 13:30
Catalin Cimpanu, writing for BleepingComputer: Cisco released 16 security advisories yesterday, including alerts for three vulnerabilities rated "Critical" and which received a maximum of 10 out of 10 on the CVSSv3 severity score. The three vulnerabilities include a backdoor account and two bypasses of the authentication system for Cisco Digital Network Architecture (DNA) Center. The Cisco DNA Center is a piece of software that's aimed at enterprise clients and which provides a central system for designing and deploying device configurations (aka provisioning) across a large network. This is, arguably, a pretty complex piece of software, and according to Cisco, a recent internal audit has yielded some pretty bad results.

Google Chrome To Remove 'Secure' Indicator From HTTPS Pages in September

Thu, 05/17/2018 - 12:50
Google announced Thursday it plans to drop the "Secure" indicator from the Chrome URL address bar -- starting with Chrome v68, set for release in July -- and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report: The move is scheduled to take effect with the release of Chrome 69, scheduled for September, this year. Emily Schechter, Product Manager for Chrome Security, said the company is now comfortable making this move as a large chunk of Chrome's traffic is now via HTTPS. Since most traffic is HTTPS anyway, it's not necessary to draw the user's attention to the "Secure" indicator anymore.

OnePlus 6 Launched With 6.28-inch Display, Snapdragon 845 CPU, and Headphone Jack

Wed, 05/16/2018 - 14:00
OnePlus has launched its newest flagship smartphone today at an event in London. The OnePlus 6, as it is called, features a 6.28-inch 2280x1080 display with 19:9 aspect ratio and notch, Snapdragon 845 octa-core processor with up to 8GB of RAM, 16- and 20-megapixel rear-facing cameras, 3,330mAh battery, 3.5mm headphone jack, and Android 8.1 Oreo running out of the box with support for Android P coming soon. Strangely, the phone features a glass build but no support for wireless charging. OnePlus claims the glass back will be better for transmitting radio waves, but it's likely included in preparation for the OnePlus 6T, which will likely launch several months later and include wireless charging. PhoneDog reports: Around on the back of the OnePlus 6 is a vertically stacked dual rear camera setup that's now in the center of the phone for symmetry. There's a 16MP camera with Sony IMX 519 sensor, f/1.7 aperture, and support for optical image stabilization and electronic image stabilization, as well as a 20MP camera with Sony IMX 376K sensor and f/1.7 aperture. Also included are portrait mode and slow-motion 480fps video capture features. The body of the OnePlus 6 is made of Gorilla Glass 5, which OnePlus says will be better for transmitting radio waves. Rounding out the OP6's spec list is a 16MP front-facing camera, NFC, Bluetooth 5.0, USB-C, an alert slider, and a 3.5mm headphone jack. On the security side of things, there's a rear fingerprint reader and face unlock, and when it comes to wireless capabilities, the OnePlus 6 supports 40 global LTE bands as well as 4x4 MIMO for speeds up to 1Gbps. The OnePlus 6 will be available on May 22 with the following prices: 6GB/64GB: $529; 8GB/128GB: $579; 8GB/256GB: $629.

The SEC Created Its Own Scammy ICO To Teach Investors a Lesson

Wed, 05/16/2018 - 11:20
In its latest effort to fend off cryptocurrency scams, the Securities and Exchange Commission launched its own fake initial coin offering website today called the Howey Coin to warn people against fraudulent cryptocurrencies. From a report: The name is a tongue-in-cheek reference to the Howey Test that the SEC uses to determine whether an investment is a security, which the Commission would therefore have legal jurisdiction over. Click 'Buy Coins Now' on the Howey Coins site and you'll be redirected to an SEC page that states: "We created the bogus HoweyCoins.com site as an educational tool to alert investors to possible fraud involving digital assets like crypto-currencies and coin offerings." It even has a white paper [PDF].

Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US

Wed, 05/16/2018 - 10:00
Securus, the company which tracks nearly any phone across the US for cops with minimal oversight, has been hacked, Motherboard reported Wednesday. From the report: The hacker has provided some of the stolen data to Motherboard, including usernames and poorly secured passwords for thousands of Securus' law enforcement customers. Although it's not clear how many of these customers are using Securus's phone geolocation service, the news still signals the incredibly lax security of a company that is granting law enforcement exceptional power to surveil individuals. "Location aggregators are -- from the point of view of adversarial intelligence agencies -- one of the juiciest hacking targets imaginable," Thomas Rid, a professor of strategic studies at Johns Hopkins University, told Motherboard in an online chat.

Ecuador Spent $5 Million Protecting and Spying On Julian Assange, Says Report

Tue, 05/15/2018 - 23:00
Citing reports from The Guardian and Focus Ecuador, The Verge reports that Ecuador's intelligence program spent at least $5 million "on an elaborate security and surveillance network around WikiLeaks founder Julian Assange." The intelligence program was known as "Operation Hotel," which began as "Operation Guest" when Assange took refuge in Ecuador's UK embassy in 2012. From the report: Operation Hotel has allegedly covered expenses like installing CCTV cameras and hiring a security team to "secretly film and monitor all activity in the embassy," including Assange's daily activities, moods, and interactions with staff and visitors. The Guardian estimates Ecuadorian intelligence agency Senain has spent at least $5 million on Assange-related operations, based on documents they reviewed. The report details attempts to improve Assange's public image and potentially smuggle him out of the embassy if he was threatened. But it also writes that relations between Assange and Ecuador have badly deteriorated over the past several years. In 2014, Assange allegedly breached the embassy's network security, reading confidential diplomatic material and setting up his own secret communications network.

Justice Department, FBI Are Investigating Cambridge Analytica

Tue, 05/15/2018 - 19:30
An anonymous reader quotes a report from CBS News: The Justice Department and FBI are investigating Cambridge Analytica, the now-shuttered political data firm that was once used by the Trump campaign and came under scrutiny for harvesting data of millions of users, The New York Times reported on Tuesday. The Times, citing a U.S. official and people familiar with the inquiry, reported federal investigators have looked to question former employees and banks connected to the firm. The Times reports prosecutors have informed potential witnesses there is an open investigation into the firm, whose profiles of voters were intended to help with elections. One source tells CBS News correspondent Paula Reid prosecutors are investigating the firm for possible financial crimes. A company that has that much regulatory scrutiny is almost guaranteed to have federal prosecutors interested, Reid was told. Christopher Wylie, a former Cambridge Analytica employee who spoke out about the data sharing practices, told the Times federal investigators had contacted him. The American official told the Times investigators have also contacted Facebook as a part of the probe.

Suspect Identified In CIA 'Vault 7' Leak

Tue, 05/15/2018 - 13:20
An anonymous reader quotes a report from The New York Times: In weekly online posts last year, WikiLeaks released a stolen archive of secret documents about the Central Intelligence Agency's hacking operations, including software exploits designed to take over iPhones and turn smart television sets into surveillance devices. It was the largest loss of classified documents in the agency's history and a huge embarrassment for C.I.A. officials. Now, The New York Times has learned the identity of the prime suspect in the breach (Warning: source may be paywalled; alternative source): a 29-year-old former C.I.A. software engineer who had designed malware used to break into the computers of terrorism suspects and other targets. F.B.I. agents searched the Manhattan apartment of the suspect, Joshua A. Schulte, one week after WikiLeaks released the first of the C.I.A. documents in March last year, and then stopped him from flying to Mexico on vacation, taking his passport, according to court records and family members. The search warrant application said Mr. Schulte was suspected of "distribution of national defense information," and agents told the court they had retrieved "N.S.A. and C.I.A. paperwork" in addition to a computer, tablet, phone and other electronics. But instead of charging Mr. Schulte in the breach, referred to as the Vault 7 leak, prosecutors charged him last August with possessing child pornography, saying agents had found the material on a server he created as a business in 2009 while he was a student at the University of Texas.