Slashdot security articles


Cloudflare's 1.1.1.1 Service Launches on Android and iOS

Sun, 11/11/2018 - 11:05
harrymcc writes: Content-distribution network Cloudflare has introduced iOS and Android versions of 1.1.1.1, a free service which helps shield you from snoops by replacing your standard DNS with its encrypted (and speedy) alternative. The mobile incarnation of the PC service it launched last April, the apps don't require you to do anything other than download and install them, give your device permission to install a VPN, and flip a switch -- making them approachable for the masses, not just geeks.

Can Facebook Keep Large-Scale Misinformation From the Free World?

Sun, 11/11/2018 - 03:34
You can have a disaster-free Election Day in the social media age, writes New York Times columnist Kevin Roose, "but it turns out that it takes constant vigilance from law enforcement agencies, academic researchers and digital security experts for months on end." It takes an ad hoc "war room" at Facebook headquarters with dozens of staff members working round-the-clock shifts. It takes hordes of journalists and fact checkers willing to police the service for false news stories and hoaxes so that they can be contained before spreading to millions. And even if you avoid major problems from bad actors domestically, you might still need to disclose, as Facebook did late Tuesday night, that you kicked off yet another group of what appeared to be Kremlin-linked trolls... Most days, digging up large-scale misinformation on Facebook was as easy as finding baby photos or birthday greetings... Facebook was generally responsive to these problems after they were publicly called out. But its scale means that even people who work there are often in the dark... Other days, combing through Facebook falsehoods has felt like watching a nation poison itself in slow motion. A recent study by the Oxford Internet Institute, a department at the University of Oxford, found that 25 percent of all election-related content shared on Facebook and Twitter during the midterm election season could be classified as "junk news"... Facebook has framed its struggle as an "arms race" between itself and the bad actors trying to exploit its services. But that mischaracterizes the nature of the problem. This is not two sovereign countries locked in battle, or an intelligence agency trying to stop a nefarious foreign plot. This is a rich and successful corporation that built a giant machine to convert attention into advertising revenue, made billions of dollars by letting that machine run with limited oversight, and is now frantically trying to clean up the mess that has resulted... 
It's worth asking, over the long term, why a single American company is in the position of protecting free and fair elections all over the world. Despite whatever progress has been made, the article complains that "It took sustained pressure from lawmakers, regulators, researchers, journalists, employees, investors and users to force the company to pay more attention to misinformation and threats of election interference. Facebook has shown, time and again, that it behaves responsibly only when placed under a well-lit microscope. "So as our collective attention fades from the midterms, it seems certain that outsiders will need to continue to hold the company accountable, and push it to do more to safeguard its users -- in every country, during every election season -- from a flood of lies and manipulation."

Credit Card Chips Have Failed to Halt Fraud (So Far)

Sun, 11/11/2018 - 00:34
An anonymous reader quotes Fortune: New chip-enabled credit cards, which were rolled out to U.S. consumers starting in 2015, were supposed to put an end to rampant credit card fraud. So much for that. A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology... In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant's point-of-sale terminal... But while the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems, according to a Gemini Advisory executive who spoke with Fortune... The upshot is that criminals have been able to insert themselves into the transaction data stream, either by hacking into merchant networks or installing skimmer devices in order to capture card information... The report concludes by noting that big merchants have begun to tighten up their implementation of the EMV system, which will make them less of a target. Instead, criminals are likely to begin focusing on smaller businesses. The report estimates that in just the last twelve months, 41.6 million records have been stolen from chip-enabled cards.

Were Russian Hackers Deterred From Interfering In America's Election?

Sat, 11/10/2018 - 18:39
"Despite probing and trolling, a Russian cyberattack is the dog that did not bark in Tuesday's midterm elections," writes national security columnist Eli Lake. This is the assessment of the Department of Homeland Security, which says there were no signs of a coordinated campaign to disrupt U.S. voting. This welcome news raises a relevant and important question: Were cyber adversaries actually deterred from infiltrating voter databases and changing election results...? In September the White House unveiled a new policy aimed at deterring Russia, China, Iran and North Korea from hacking U.S. computer networks in general and the midterms in particular. National security adviser John Bolton acknowledged as much last week when he said the U.S. government was undertaking "offensive cyber operations" aimed at "defending the integrity of our electoral process." There aren't many details. Reportedly this entailed sending texts, pop-ups, emails and direct messages warning Russian trolls and military hackers not to disrupt the midterms. U.S. officials tell me much more is going on that remains classified. It is part of a new approach from the Trump administration that purports to unleash U.S. Cyber Command to hack the hackers back, to fight them in their networks as opposed to America's. Bolton has said the policy reverses previous restrictions on military hackers to disrupt the networks from which rival powers attack the U.S. Sometimes this is called "persistent engagement" or "defend forward." And it represents a shift in the broader U.S. approach to engaging adversaries in cyberspace.... The difference now is that America's cyber warriors will routinely try to disrupt cyberattacks before they begin... The object of cyberdeterrence is not to get an adversary to never use cyberweapons. It's to prevent attacks of certain critical systems such as voter registration databases, electrical grids and missile command-and-control systems. 
The theory, at least, is to force adversaries to devote resources they would otherwise use to attack the U.S. to better secure their own networks. Jason Healey, a historian of cyber conflicts at Columbia University's School for International and Public Affairs, asks "How much of cyberspace will survive the war?" warning that "persistent engagement" could lead to a dangerous miscalculation by an adversarial nation-state -- or even worse, a spiral of escalation, with other states following America's lead, changing the open Internet into more of a battleground.

Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit

Sat, 11/10/2018 - 12:34
"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account." The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS. Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix." "This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."

Apple Blocks Linux From Booting On New Hardware With T2 Security Chip

Sat, 11/10/2018 - 11:34
AmiMoJo writes: Apple's new-generation Macs come with a new so-called Apple T2 security chip that's supposed to provide a secure enclave co-processor responsible for powering a series of security features, including Touch ID. At the same time, this security chip enables the secure boot feature on Apple's computers, and by the looks of things, it's also responsible for a series of new restrictions that Linux users aren't going to like. The issue seems to be that Apple has included security certificates for its own and Microsoft's operating systems (to allow running Windows via Bootcamp), but not for the certificate that was provided for systems such as Linux. Disabling Secure Boot can overcome this, but also disables access to the machine's internal storage, making installation of Linux impossible.

US Military Publicly Dumps Russian Government Malware Online

Sat, 11/10/2018 - 05:00
An anonymous reader quotes a report from Motherboard: This week, U.S. Cyber Command (CYBERCOM), a part of the military tasked with hacking and cybersecurity focused missions, started publicly releasing unclassified samples of adversaries' malware it has discovered. CYBERCOM says the move is to improve information sharing among the cybersecurity community, but in some ways it could be seen as a signal to those who hack U.S. systems: we may release your tools to the wider world. On Friday, CYBERCOM uploaded multiple files to VirusTotal, a Google-owned search engine and repository for malware. Once uploaded, VirusTotal users can download the malware, see which anti-virus or cybersecurity products likely detect it, and see links to other pieces of malicious code. One of the two samples CYBERCOM distributed on Friday is marked as coming from APT28, a Russian government-linked hacking group, by several different cybersecurity firms, according to VirusTotal. Those include Kaspersky Lab, Symantec, and Crowdstrike, among others. APT28 is also known as Sofacy and Fancy Bear. The malware itself does not appear to still be active.

Mac Mini Teardown Reveals User-Upgradable RAM, But Soldered Down CPU and Storage

Fri, 11/09/2018 - 23:00
iFixit has released their teardown of the new Mac mini, providing a look inside the portable desktop computer. Some of the notable findings include user-upgradable RAM and soldered CPU and SSD. Mac Rumors reports: While the RAM in the previous-gen Mac mini from 2014 was soldered to the logic board, the new Mac mini has user-upgradeable RAM, as discovered earlier this week. As seen in older iMacs, the RAM is protected by a perforated shield that allows the memory modules to operate at a high frequency of 2666 MHz without interfering with other device functions, according to iFixit. To upgrade the RAM, the shield can be removed by unfastening four Torx screws. Other silicon on the logic board of this particular Mac mini includes the Apple T2 security chip, a 3.6GHz quad-core Intel Core i3 processor, Intel UHD Graphics 630, 128GB of flash storage from Toshiba, an Intel JHL7540 Thunderbolt 3 controller, and a Gigabit Ethernet controller from Broadcom. Despite the good news about the RAM, the CPU and SSD are soldered to the logic board, as are many ports, so this isn't a truly modular Mac mini. iFixit awarded the new Mac mini a repairability score of 6/10, with 10 being the easiest to repair, topping the latest MacBook Air, MacBook, MacBook Pro, iMac, and iMac Pro, and trailing only the 2013 Mac Pro.

Researchers Defeat Perceptual Ad Blockers, Declare 'New Arms Race'

Fri, 11/09/2018 - 17:40
dmoberhaus writes: Perceptual ad blockers were supposed to be the "superweapon" that put an end to the arms race between advertisers and users. According to new research, however, perceptual ad blockers will come out on the losing side in the war against internet advertisers and expose users to a host of new attack vectors in the process. Researchers at Stanford tricked six different visual classifiers used in perceptual ad blockers with adversarial ads designed to trick the ad blockers by making nearly imperceptible changes to the ads. "The researchers tried several different adversarial attacks on the perceptual ad blockers' visual classifiers," Motherboard reports. "One attack, for example, slightly altered the AdChoices logo that is commonly used to disclose advertisements to fool the perceptual ad blocker. In another attack, the researchers demonstrated how website publishers could overlay a transparent mask over a website that would allow ads to evade perceptual ad blockers." "The aim of our work is not to downplay the merits of ad-blocking, nor discredit the perceptual ad blocking philosophy, which is sound when instantiated with a robust visual ad detector," the researchers concluded. "Rather, our overarching goal is to highlight and raise awareness on the vulnerabilities that arise in building ad blockers with current computer vision systems."

Hackers Stole Income, Immigration and Tax Data In Healthcare.gov Breach, Government Confirms

Fri, 11/09/2018 - 15:00
Late last month, HealthCare.gov suffered a data breach exposing 75,000 customers. Details were sparse at the time of the breach, but it has now been learned that hackers obtained "inappropriate access" to a number of broker and agent accounts, which "engaged in excessive searching" of the government's healthcare marketplace systems. TechCrunch reports: [The Centers for Medicare and Medicaid Services (CMS)] didn't say how the attackers gained access to the accounts, but said it shut off the affected accounts "immediately." In a letter sent to affected customers this week (and buried on the Healthcare.gov website), CMS disclosed that sensitive personal data -- including partial Social Security numbers, immigration status and some tax information -- may have been taken. According to the letter, the data included name, date of birth, address, sex, and the last four digits of the Social Security number (SSN), if SSN was provided on the application. Other information could include expected income, tax filing status, family relationships, whether the applicant is a citizen or an immigrant, immigration document types and numbers, employer name, pregnancy status, health insurance status, and more. The government did say that no bank account information was stolen.

China Violated Obama-Era Cybertheft Pact, U.S. Official Says

Fri, 11/09/2018 - 13:01
China has violated an accord it signed with the U.S. three years ago pledging not to engage in hacking for the purpose of economic espionage, a senior U.S. intelligence official said this week. From a report: The 2015 bilateral agreement had significantly reduced the amount of Chinese cybertheft targeting American companies, but Beijing's commitment to the deal has eroded, said Rob Joyce, senior adviser for cybersecurity strategy at the National Security Agency. "It is clear they are well beyond the bounds of the agreement today that was forged between our two countries," Joyce said during a panel conversation at the Aspen Cyber Summit. Joyce's comments were the latest sign of Washington's rising frustration over China's alleged violation of the pact signed between then-President Barack Obama and Chinese President Xi Jinping. Last week, then-Attorney General Jeff Sessions also said China wasn't adhering to the deal, in which the U.S. and China agreed not to conduct cyber operations against each other to steal intellectual property or other forms of economic intelligence.

US Secret Service Warns ID Thieves are Abusing USPS's Mail Scanning Service

Fri, 11/09/2018 - 06:02
Brian Krebs reports: A year ago, KrebsOnSecurity warned that "Informed Delivery," a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes. The internal alert -- sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide -- references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS's Web site. According to the Secret Service alert, the accused used the Informed Delivery feature "to identify and intercept mail, and to further their identity theft fraud schemes."

Cisco Removed Its Seventh Backdoor Account This Year, and That's a Good Thing

Thu, 11/08/2018 - 16:10
An anonymous reader quotes a report from ZDNet: Cisco, the world's leading provider of top networking equipment and enterprise software, has released today 15 security updates, including a fix for an issue that can be described as a backdoor account. This latest patch marks the seventh time this year when Cisco has removed a backdoor account from one of its products. Five of the seven backdoor accounts were discovered by Cisco's internal testers, with only CVE-2018-0329 and this month's CVE-2018-15439 being found by external security researchers. The company has been intentionally and regularly combing the source code of all of its software since December 2015, when it started a massive internal audit. Cisco started that process after security researchers found what looked to be an intentional backdoor in the source code of ScreenOS, the operating system of Juniper, one of Cisco's rivals. Juniper suffered a massive reputational damage following the 2015 revelation, and this may secretly be the reason why Cisco has avoided using the term "backdoor account" all year for the seven "backdoor account" issues. Instead, Cisco opted for more complex wordings such as "undocumented, static user credentials for the default administrative account," or "the affected software enables a privileged user account without notifying administrators of the system." It is true that using such phrasings might make Cisco look disingenuous, but let's not forget that Cisco has been ferreting these backdoor accounts mainly on its own, and has been trying to fix them without scaring customers or impacting its own stock price along the way.

Vulnerability Could Make DJI Drones a Spy In the Sky

Thu, 11/08/2018 - 15:30
wiredmikey writes from a report via SecurityWeek: A vulnerability in systems operated by Da Jiang Innovations (DJI) -- the world's largest drone manufacturer -- allowed anybody in the world to have full access to a drone user's DJI account. A successful attacker would be able to obtain cloud-based flight records, stored photographs, user PII including credit card details -- and a real-time view from the drone's camera and microphone. Check Point Researchers (who discovered and reported the vulnerability) told SecurityWeek, "The vulnerability is a unique opportunity for malicious actors to gain priceless information -- you have an eye in the sky. Organizations are moving towards automated flights, sometimes with dozens of drones patrolling across sensitive facilities. With this vulnerability you could take over the accounts and see and hear everything that the drones see or hear. This is a huge opportunity for malicious actors."

US Cyber Command Starts Uploading Foreign APT Malware To VirusTotal

Thu, 11/08/2018 - 06:00
The Cyber National Mission Force (CNMF), a subordinate unit of US Cyber Command (USCYBERCOM), set in motion a new initiative this week through which the DOD would share malware samples it discovered on its networks with the broader cybersecurity community. From a report: The CNMF kicked off this new project by creating an account on VirusTotal, an online file scanning service that also doubles as an online malware repository, and by uploading two malware samples.

Georgia's Secretary of State Brian Kemp Doxes Thousands of Absentee Voters

Wed, 11/07/2018 - 19:30
An anonymous reader quotes a report from TechCrunch: Georgia's secretary of state and candidate for state governor in the midterm election, Brian Kemp, has taken the unusual, if not unprecedented, step of posting the personal details of 291,164 absentee voters online for anyone to download. Kemp's office posted an Excel file on its website within hours of the results of the general election, exposing the names and addresses of state residents who mailed in an absentee ballot -- including their reason why, such as if a person is "disabled" or "elderly." The file, according to the web page, allows Georgia residents to "check the status of your mail-in absentee ballot." Millions of Americans across the country mail in their completed ballots ahead of election day, particularly if getting to a polling place is difficult -- such as if a person is disabled, elderly or traveling. When reached, Georgia secretary of state's press secretary Candice Broce told TechCrunch that all of the data "is clearly designated as public information under state law," and denied that the data was "confidential or sensitive." "State law requires the public availability of voter lists, including names and address of registered voters," she said in an email. "While the data may already be public, it is not publicly available in aggregate like this," said security expert Jake Williams, founder of Rendition Infosec, who lives in Georgia. Williams took issue with the reasons that the state gave for each absentee ballot, saying it "could be used by criminals to target currently unoccupied properties." "Releasing this data in aggregate could be seen as suppressing future absentee voters in Georgia who do not want their information released in this manner," he said.

Police Decrypt 258,000 Messages After Breaking Pricey IronChat Crypto App

Wed, 11/07/2018 - 14:00
An anonymous reader quotes a report from Ars Technica: Police in the Netherlands said they decrypted more than 258,000 messages sent using IronChat, an app billed as providing end-to-end encryption that was endorsed by National Security Agency leaker Edward Snowden. In a statement published Tuesday, Dutch police said officers achieved a "breakthrough in the interception and decryption of encrypted communication" in an investigation into money laundering. The encrypted messages, according to the statement, were sent by IronChat, an app that runs on a device that cost thousands of dollars and could send only text messages. "Criminals thought they could safely communicate with so-called crypto phones which used the application IronChat," Tuesday's statement said. "Police experts in the east of the Netherlands have succeeded in gaining access to this communication. As a result, the police have been able to watch live the communication between criminals for some time." Blackbox-security.com, the site selling IronChat and IronPhone, quoted Snowden as saying: "I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation," according to Web archives. Whether the endorsement was authentic or not wasn't immediately known. The site has been seized by Dutch police.

Google Sends Final Software Update To Legacy Nexus 5X, Nexus 6P Phones

Tue, 11/06/2018 - 23:00
Google has pushed out the final "guaranteed" official software update for Nexus devices. According to Hot Hardware, the November update for both the Nexus 5X and Nexus 6P "carries the final build number of OPM7.181105.004, running Android 8.1 Oreo." From the report: The last Nexus smartphones to launch from Google were the Nexus 5X and Nexus 6P, which debuted in late 2015. Under Google's three-year update policy, both smartphones have received two major Android releases (Android 7.0 Nougat in 2016 and Android 8.0 Oreo in 2017) along with three years of monthly security updates. The monthly security updates should have ended in September, but Google out of nowhere provided a two-month reprieve through November 2018.

Blockchain-Based Elections Would Be a Disaster For Democracy

Tue, 11/06/2018 - 16:20
An anonymous reader quotes a report from Ars Technica: If you talk to experts on election security (I studied with several of them in graduate school) they'll tell you that we're nowhere close to being ready for online voting. "Mobile voting is a horrific idea," said election security expert Joe Hall when I asked him about a West Virginia experiment with blockchain-based mobile voting back in August. But on Tuesday, The New York Times published an opinion piece claiming the opposite. "Building a workable, scalable, and inclusive online voting system is now possible, thanks to blockchain technologies," writes Alex Tapscott, whom the Times describes as co-founder of the Blockchain Research Institute. Tapscott is wrong -- and dangerously so. Online voting would be a huge threat to the integrity of our elections -- and to public faith in election outcomes. Tapscott focuses on the idea that blockchain technology would allow people to vote anonymously while still being able to verify that their vote was included in the final total. Even assuming this is mathematically possible -- and I think it probably is -- this idea ignores the many, many ways that foreign governments could compromise an online vote without breaking the core cryptographic algorithms. For example, foreign governments could hack into the computer systems that governments use to generate and distribute cryptographic credentials to voters. They could bribe election officials to supply them with copies of voters' credentials. They could hack into the PCs or smartphones voters use to cast their votes. They could send voters phishing emails to trick them into revealing their voting credentials -- or simply trick them into thinking they've cast a vote when they haven't.

'Almost All' Pakistani Banks Hacked In Security Breach, Report Says

Tue, 11/06/2018 - 15:00
The cybercrime wing of Pakistan's Federal Investigation Agency has said data from "almost all" Pakistani banks was stolen in a recent security breach. FIA Cybercrimes Director retired Capt Mohammad Shoaib told Geo News that hackers based outside the country had breached the security systems of several local banks. "The hackers have stolen large amounts of money from people's accounts," he added. From a report: He said the FIA has written to all banks, and a meeting of the banks' heads and security managements is being called. The meeting will look into ways the security infrastructure of banks can be bolstered. "Banks are the custodians of the money people have stored in them," Shoaib said. "They are also responsible if their security features are so weak that they result in pilferage." It wasn't immediately clear when exactly the security breach took place. According to Shoaib, more than 100 cases are being investigated by the agency in connection with the breach.