Slashdot security articles


The SIM Hijackers

Tue, 07/17/2018 - 21:55
Lorenzo Franceschi-Bicchierai of Motherboard has a chilling story on how hackers flip seized Instagram handles and cryptocurrency in a shady, buzzing underground market for stolen accounts and usernames. Their victims' weakness? Phone numbers. He writes: First, criminals call a cell phone carrier's tech support number pretending to be their target. They explain to the company's employee that they "lost" their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering -- perhaps by providing the victim's Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years) -- the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card. Game over.

The US is Facing a Serious Shortage of Airline Pilots

Tue, 07/17/2018 - 10:40
An anonymous reader shares a report: The national security of the United States relies on a healthy airline industry. That requires modern reliable airplanes -- and highly skilled pilots to operate them. However, the United States has a shortage of pilots right now, particularly at the regional airline levels. According to the Federal Aviation Administration, there were about 827,000 pilots in America in 1987. Over the past three decades, that number has decreased by 30%. Meanwhile, during this period, there has been a tremendous increase in the demand for air travel. The International Air Transport Association predicts that, over the next 20 years, air travel will double. This is a classic case of low supply and high demand. This mismatch has created a perfect storm that could wreak havoc on the US airline industry over the next decade. The somber news is this shortage is going to get much worse. I have not only studied and researched the airline industry since 1978, but I also was a pilot for 19 years, before going back to academia in 2006. In the 1970s, when most of today's airline pilots like myself were growing up, piloting for an airline was considered a prestigious career. The job offered not only high salaries and nice schedules with many days off, but also a respected position in society. In the early 1990s, pilot salaries approached $300,000 in today's dollars for some international pilots. What's more, during this time, the military had a steady and consistent demand for pilots. A young aspiring aviator could go into the military to receive all of his or her flight training. Once these pilots had fulfilled their military commitment, they were almost guaranteed a good job flying for a major airline. Today, this is no longer the case. The career of the airline pilot has lost its luster.

Thousands of Patient Records Held for Ransom in Ontario Home Care Data Breach, Attackers Claim

Tue, 07/17/2018 - 10:00
CBC reports: The detailed medical histories and contact information of possibly tens of thousands of home-care patients in Ontario are allegedly being held for ransom by thieves who recently raided the computer systems of a health-care provider. CarePartners, which provides home medical care services on behalf of the Ontario government, announced last month that it had been breached. It said only that personal health and financial information of patients had been "inappropriately accessed," and did not elaborate further. However, a group claiming responsibility for the breach recently contacted CBC News and provided a sample of the data it claims to have accessed, shedding new light on the extent of the breach. The sample includes thousands of patient medical records with phone numbers and addresses, dates of birth, and health card numbers, as well as detailed medical histories including past conditions, diagnoses, surgical procedures, care plans and medications for patients across the province.

Thousands of Mega Logins Dumped Online, Exposing User Files

Tue, 07/17/2018 - 09:41
Thousands of credentials for accounts associated with New Zealand-based file storage service Mega have been published online, ZDNet reports. From the report: The text file contains over 15,500 usernames, passwords, and file names, indicating that each account had been improperly accessed and file names scraped. Patrick Wardle, chief research officer and co-founder at Digita Security, found the text file in June after it had been uploaded to malware analysis site VirusTotal some months earlier by a user purportedly in Vietnam. Wardle passed the data to ZDNet. We verified that the data belonged to Mega, the file-sharing site formerly owned by internet entrepreneur Kim Dotcom, by contacting several users, who confirmed that the email address, password, and some of the files we showed them were used on Mega.

Hacking Campaign Targets iPhone Users With Data-Stealing, Location-Tracking Malware

Mon, 07/16/2018 - 17:15
ZDNet reports on a new mobile malware campaign that is "gaining access to iPhones by tricking users to download an open-source mobile device management (MDM) software package." From the report: Once in control, the unidentified hackers can steal various forms of sensitive information from infected devices, including the phone number, serial number, location, contact details, user's photos, SMS, and Telegram and WhatsApp chat messages. Thirteen users -- all in India -- have been compromised in the attacks, which have been detailed by Cisco Talos. Those infected use a range of iPhone models and are running iOS versions ranging from 10.2.1 to 11.2.6. The campaign has been active since August 2015. The attackers take control by using the MDM package, which can give attackers complete control of the device and the ability to install fake versions of real apps. Two different MDM services are used in the campaign, enabling system-level control of multiple devices from one location and the ability to install, remove and exfiltrate data from apps. One method of stealing data comes via malicious versions of messaging services like Telegram and WhatsApp being pushed onto the compromised device via fake updates. The apps look legitimate to the user, but malicious code sends information -- including messages, photos and contacts -- to a central command and control server. Deploying these apps requires a side-loading injection technique, which allows for the ability to ask for additional permissions, execute code and steal information from the original application.

Passwords For Tens of Thousands of Dahua Devices Cached In IoT Search Engine

Sun, 07/15/2018 - 18:02
An anonymous reader writes: "Login passwords for tens of thousands of Dahua devices have been cached inside search results returned by ZoomEye, a search engine for discovering Internet-connected devices (also called an IoT search engine)," reports Bleeping Computer. A security researcher has recently discovered that instead of just indexing IoT devices, ZoomEye is also sending an exploitation package to devices and caching the results, which also include cleartext DDNS passwords that allow an attacker remote access to these devices. Searching for the devices is trivial and simple queries can unearth tens of thousands of vulnerable Dahua DVRs. According to the security researcher who spotted these devices, the trick has been used in the past year by the author of the BrickerBot IoT malware, the one who was on a crusade last year, bricking unsecured devices in an attempt to have them go offline instead of being added to IoT botnets.

Chrome is Using 10-13% More RAM to Fight Spectre

Sat, 07/14/2018 - 21:34
An anonymous reader quotes PCWorld: The critical Meltdown and Spectre bugs baked deep into modern computer processors will have ramifications on the entire industry for years to come, and Chrome just became collateral damage. Google 67 enabled "Site Isolation" Spectre protection for most users, and the browser now uses 10 to 13 percent more RAM due to how the fix behaves. "Site Isolation does cause Chrome to create more renderer processes, which comes with performance tradeoffs," Google's Charlie Reis says. "On the plus side, each renderer process is smaller, shorter-lived, and has less contention internally, but there is about a 10-13% total memory overhead in real workloads due to the larger number of processes. Our team continues to work hard to optimize this behavior to keep Chrome both fast and secure." It's a significant performance hit, especially for a browser battling a reputation for being a memory hog, but a worthwhile one nonetheless. Chrome's Spectre-blocking site isolation "is now enabled by default for 99 percent of Chrome users on all platforms."

Interviews: Christine Peterson Answers Your Questions

Sat, 07/14/2018 - 17:34
You asked questions, we've got the answers! Christine Peterson is a long-time futurist who co-founded the nanotech advocacy group the Foresight Institute in 1986. One of her favorite tasks has been contacting the winners of the institute's annual Feynman Prize in Nanotechnology, but she also coined the term "Open Source software" for that famous promotion strategy meeting in 1998. Christine took some time to answer questions from Slashdot readers.

Compromised JavaScript Package Caught Stealing npm Credentials

Fri, 07/13/2018 - 12:05
An anonymous reader shares a report: A hacker gained access to a developer's npm account earlier this week and injected malicious code into a popular JavaScript library, code that was designed to steal the npm credentials of users who utilize the poisoned package inside their projects. The JavaScript (npm) package that got compromised is called eslint-scope, a sub-module of the more famous ESLint, a JavaScript code analysis toolkit. The hack took place on the night between July 11 and 12, according to the results of a preliminary investigation posted on GitHub a few hours ago. "One of our maintainers did observe that a new npm token was generated overnight (said maintainer was asleep)," said Kevin Partington, ESLint project member. Partington believes the hacker used the newly-generated npm token to authenticate and push a new version of the eslint-scope library on the npm repository of JavaScript packages.

TSA Screeners Win Immunity From Abuse Claims, Court Rules

Thu, 07/12/2018 - 16:45
Mr.Intel writes from a report via Reuters: "Fliers may have a tough time recovering damages for invasive screenings at U.S. airport security checkpoints, after a federal appeals court on Wednesday said screeners are immune from claims under a federal law governing assaults, false arrests and other abuses," reports Reuters. In a 2-1 vote, the 3rd U.S. Circuit Court of Appeals in Philadelphia said Transportation Security Administration (TSA) screeners are shielded from liability under the Federal Tort Claims Act (FTCA) because they do not function as "investigative or law enforcement officers." The decision, the first on the issue by a federal appeals court, was a defeat for Nadine Pellegrino, a business consultant from Boca Raton, Florida. "She and her husband had sued for false arrest, false imprisonment and malicious prosecution over a July 2006 altercation at Philadelphia International Airport," reports Reuters. According to court papers, Pellegrino had been randomly selected for additional screening at the Philadelphia airport before boarding a U.S. Airways flight to Fort Lauderdale, Florida. Pellegrino, then 57, objected to the invasiveness of the search, but conditions deteriorated and she was later jailed for about 18 hours, the papers show. Criminal charges were filed, and Pellegrino was acquitted at a March 2008 trial.

New Spectre 1.1 and Spectre 1.2 CPU Flaws Disclosed

Wed, 07/11/2018 - 17:00
Two security researchers have revealed details about two new Spectre-class vulnerabilities, which they've named Spectre 1.1 and Spectre 1.2. From a report: Just like all the previous Meltdown and Spectre CPU bug variations, these two take advantage of the process of speculative execution -- a feature found in all modern CPUs that has the role of improving performance by computing operations in advance and later discarding unneeded data. According to researchers, a Spectre 1.1 attack uses speculative execution to deliver code that overflows CPU store cache buffers in order to write and run malicious code that retrieves data from previously-secured CPU memory sections. Spectre 1.1 is very similar to Spectre variants 1 and 4, but the two researchers who discovered the bug say that "currently, no effective static analysis or compiler instrumentation is available to generically detect or mitigate Spectre 1.1." As for Spectre 1.2, researchers say this bug can be exploited to write to CPU memory sectors that are normally protected by read-only flags.

Google Quietly Enables 'Site Isolation' Feature for 99% of Chrome Desktop Users

Wed, 07/11/2018 - 15:50
Google has quietly enabled a security feature called Site Isolation for 99% of its desktop users on Windows, Mac, Linux, and Chrome OS. This happened in Chrome 67, released at the end of May. From a report: Site Isolation isn't a new feature per se, being first added in Chrome 63, in December 2017. Back then, it was only available if users changed a Chrome flag and manually enabled it in each of their browsers. The feature is an architectural shift in Chrome's modus operandi because when Site Isolation is enabled, Chrome runs a different browser process for each Internet domain. Initially, Google described Site Isolation as an "additional security boundary between websites," and as a way to prevent malicious sites from messing with the code of legitimate sites.

FCC Promises to Fix Comment System Hijacked During Net Neutrality Repeal

Wed, 07/11/2018 - 14:29
FCC boss Ajit Pai says the agency will finally take steps to shore up the security of the FCC's public comment system after being widely criticized for turning a blind eye to routine fraud and abuse. From a report: If you'll recall, more than 22 million Americans voiced their thoughts on the Trump FCC's attack on net neutrality last fall via the agency's website. The vast majority of comments opposed the move, closely reflecting surveys that show widespread, bipartisan support for the rules. [...] Not a single one of your comments was cited in the FCC's 218-page justification for its decision. [...] Back in May, Senators Jeff Merkley (D-OR) and Pat Toomey (R-PA) fired off a letter to Pai demanding he actually do something about the abuse of FCC systems. [...] In a response letter this week provided to the Wall Street Journal, Pai says the agency is finally taking steps to address the problem, while acknowledging his own identity was hijacked during the comment process. "It is troubling that some bad actors submitted comments using false names," Mr. Pai said. "Indeed, like you, comments were submitted in my name and my wife's name that reflect viewpoints we do not hold." Pai's letter, which wasn't publicly shared, states that the FCC hopes to eventually "rebuild and re-engineer" the commission's electronic comment system "to institute appropriate safeguards against abusive conduct." It also states that Pai will approach Congress for funding for the overhaul, something Pai likely knows may not actually happen.

Hacker Steals Military Docs Because Someone Didn't Change a Default FTP Password

Wed, 07/11/2018 - 08:03
New submitter secwatcher shares a report: A hacker is selling sensitive military documents on online hacking forums, a security firm has discovered. Some of the sensitive documents put up for sale include maintenance course books for servicing MQ-9 Reaper drones, various training manuals describing common deployment tactics for improvised explosive devices (IEDs), an M1 ABRAMS tank operation manual, a crewman training and survival manual, and a document detailing tank platoon tactics. US-based threat intelligence firm Recorded Future discovered the documents for sale online. They say the hacker was selling the data for a price between $150 and $200, a very low asking price for such data. Recorded Future says it engaged the hacker online and discovered that he used Shodan to hunt down specific types of Netgear routers that use a known default FTP password. The hacker used this FTP password to gain access to some of these routers, some of which were located in military facilities, he said.

Access To Major Airport's Security System Offered on Dark Web for $10

Wed, 07/11/2018 - 06:45
Researchers at McAfee found remote access to a major airport's security system available on the dark web for $10. From a report: The hacked access came from an online market for remote desktop protocol (RDP) accounts, which sell access to hacked accounts in all kinds of systems. "There's a lot of discussion about sophisticated nation-state attacks, but this was a really cheap way anyone could get access to something," Raj Samani, chief scientist at McAfee, told Axios. The RDP market isn't typically about purchasing access to systems to actually use the systems. Instead, buyers pay between $3 and $19 for access to machines based on bandwidth. Those systems are often used for their resources rather than their information.

Malls In California Are Sending License Plate Information To ICE

Wed, 07/11/2018 - 05:00
Presto Vivace shares a report from The Week with the caption, "And they wonder why some of us prefer to shop online." From the report: Surveillance systems at more than 46 malls in California are capturing license plate information that is fed to Immigration and Customs Enforcement, the Electronic Frontier Foundation reported Tuesday. One company, Irvine Company Retail Properties, operates malls all over the state using a security network called Vigilant Solutions. Vigilant shares data with hundreds of law enforcement agencies, insurance companies, and debt collectors -- including ICE, which signed a contract with the security company earlier this year, reports The Verge. "[Irvine Company] is putting not only immigrants at risk, but invading the privacy of its customers by allowing a third-party to hold onto their data indefinitely," EFF wrote in its report, urging the chain of malls to stop providing information to ICE.

Orlando Police Decide To Keep Testing Controversial Amazon Facial Recognition Program

Tue, 07/10/2018 - 17:00
Despite previous reports that the program has been ended, the Orlando Police Department in Florida is planning to continue its test of Amazon's real-time facial recognition system. "News of OPD supposedly ending its use of Rekognition on footage captured by a number of CCTV cameras came just a day after the ACLU sent a letter to Orlando Mayor Buddy Dyer regarding the face recognition program," reports Gizmodo. "But the end date for the initial pilot period had already been selected -- it just happened to coincide with the ACLU's report and the ensuing backlash from civil rights groups." From the report: While the original test period ended, the OPD will soon sit down with Amazon representatives to outline the new pilot, the police department told the Orlando Sentinel. "It's really to prevent the next tragedy," Orlando Police Chief John Mina said. Now, with the program set to continue, Dyer says the practice is not as dystopian as it seems. Details on the new pilot are sparse. OPD confirmed it will test Rekognition on at least eight cameras, as it did before, though their location isn't known. In the previous trial program, five Rekognition-enabled cameras captured footage at OPD headquarters, while three additional cameras were positioned in downtown Orlando. During its initial testing phase, Rekognition will scan officers' faces against a face database made up of volunteers. The plan, the OPD memo explains, is for officers themselves to walk in front of the cameras and record how accurately the technology recognizes them from different angles, with different clothes, or other variables. It's not known how long this initial testing phase will last, though the city plans to draft proposed regulations before any public rollout begins. It's worth noting that the pilot itself requires no public approval and Dyer has wholeheartedly supported Rekognition. "No images of the public will be used for any testing," OPD said in a statement.

Malware Found in Arch Linux AUR Package Repository

Tue, 07/10/2018 - 15:40
An anonymous reader shares a report: Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages. The malicious code has been removed thanks to the quick intervention of the AUR team. The incident happened because AUR allows anyone to take over "orphaned" repositories that have been abandoned by their original authors. On Saturday, a user going by the pseudonym of "xeactor" took over one such orphaned package named "acroread" that allows Arch Linux users to view PDF files. According to a Git commit to the package's source code, xeactor added malicious code that would download a file named "~x" from ptpb [dot] pw, a lightweight site mimicking Pastebin that allows users to share small pieces of text.

Ex-Apple Worker Charged With Stealing Self-Driving Car Trade Secrets

Tue, 07/10/2018 - 15:00
U.S. authorities on Monday charged a former Apple employee with theft of trade secrets, alleging that the person downloaded a secret blueprint related to a self-driving car to a personal laptop and later tried to flee the country, according to a criminal complaint filed in federal court. From a report: The complaint said that the former employee, Xiaolang Zhang, disclosed intentions to work for a Chinese self-driving car startup and booked a last-minute flight to China after downloading the plan for a circuit board for the self-driving car. Authorities arrested Zhang on July 7 at the San Jose airport after he passed through a security checkpoint. "Apple takes confidentiality and the protection of our intellectual property very seriously," Apple said in a statement. "We're working with authorities on this matter and will do everything possible to make sure this individual and any other individuals involved are held accountable for their actions."

Apple's China-Friendly Censorship Caused An iPhone-Crashing Bug

Tue, 07/10/2018 - 13:00
Security researcher Patrick Wardle helped Apple fix a bug that would crash apps displaying the word "Taiwan" or the Taiwanese flag emoji. Some iPhones could be remotely crashed by something as simple as receiving a text message with the Taiwanese flag. Apple confirmed the fix in a security update Monday. Wired reports: "Basically Apple added some code to iOS with the goal that phones in China wouldn't display a Taiwanese flag," Wardle says, "and there was a bug in that code." Since at least early 2017, iOS has included that Chinese censorship function: Switch your iPhone's location setting to China, and the Taiwanese flag emoji essentially disappears from your phone, evaporating from its library of emojis and appearing as a "missing" emoji in any text that appears on the screen. That code likely represents a favor from Apple to the Chinese government, which for the last 70 years has maintained that Taiwan is a part of China and has no legitimate independent government. But Wardle found that in some edge cases, a bug in the Taiwan-censorship code meant that instead of treating the Taiwan emoji as missing from the phone's library, it instead considered it an invalid input. That caused phones to crash altogether, resulting in what hackers call a "denial of service" attack that would let anyone crash a vulnerable device on command. Wardle's still not sure how many devices are affected, or what caused that bug to be triggered only in some iOS devices and not others, but he believes it has something to do with the phone's location and language settings. Wardle has more details of the bug on his blog.