Slashdot security articles


Why Attackers Are Using C# For Post-PowerShell Attacks

Sat, 09/22/2018 - 23:34
An anonymous Slashdot reader summarizes an article by a senior security researcher at Forcepoint Security Labs: Among cyber criminals, there has been a trend in recent years for using more so-called 'fileless' attacks. The driver for this is to avoid detection by anti-virus. PowerShell is often used in these attacks. Part of the strategy behind fileless attacks is related to the concept of 'living off the land', meaning that to blend in and avoid detection, attackers strive for only using the tools that are natively available on the target system, and preferably avoiding dropping executable files on the file system. Recently, C# has received some attention in the security community, since it has some features that may make it more appealing to criminals than PowerShell. [Both C# and PowerShell use the .NET runtime.] A Forcepoint researcher has summarized the evolvement of attack techniques in recent years, particularly looking at a recent security issue related to C# in a .NET utility in terms of fileless attacks. From the article: A recent example of C# being used for offensive purposes is the PowerShell/C# 'combo attack' noted by Xavier Mertens earlier this month in which a malware sample used PowerShell to compile C# code on the fly. Also, a collection of adversary tools implemented in C# was released. Further, an improved way was published for injecting shellcode (.NET assembly) into memory via a C# application.... Given recent trends it seems likely that we'll start to see an increased number of attacks that utilize C# -- or combinations of C# and PowerShell such as that featured in Xavier Mertens' SANS blog -- in the coming months.

Huge Trove of Employee Records Discovered At Abandoned Toys 'R' Us

Sat, 09/22/2018 - 17:34
An anonymous reader writes: Hackaday recently engaged in a bit of urban exploration, taking a look inside of a recently purchased Toys "R" Us location that has been boarded up since the once giant toy store chain folded in June. Inside they found plenty of hardware left behind, from point-of-sale systems to the Cisco networking gear in the server room. But the most interesting find was on paper. In a back office, they found "several boxes" of personal information about the store's employees, from their medical records to photocopies of their driver's licenses and Social Security cards [and also tax forms]. A video included with the article gives the viewer an impression of just how large a collection of files were left behind. The author wonders if the situation in this particular store was a fluke, or if the other [800] Toys "R" Us locations were left in a similar state. The article calls it "a very surprising look at what gets left behind when the money runs out and the employees simply give up...." "We saw the great lengths the company went to protect customer information, so to see how little regard they had for their own people was honestly infuriating."

NSA's 'Codebreaker Challenge' Features Exploiting Blockchain To Steal Ethereum

Sat, 09/22/2018 - 13:34
"The National Security Agency's 2018 Codebreaker Challenge kicked off on Friday, 9/21, and runs through 12/31," writes Slashdot reader eatvegetables. Each year's challenge -- which is open to U.S. students -- comes with its own (fictitious) backstory which the organizers say is "meant for providing realistic context." This year's story? A new strain of ransomware has managed to penetrate several critical government networks and NSA has been called upon to assist in remediating the infection to prevent massive data losses. For each infected machine, an encrypted copy of the key needed to decrypt the ransomed files has been stored in a smart contract on the Ethereum blockchain* and is set to only be unlocked upon receipt of the ransom payment. Your mission is to ultimately (1) find a way to unlock the ransomware without giving in to the attacker's demands and (2) figure out a way to recover all of the funds already paid by other victims. * For the purposes of this challenge, a private blockchain has been created with no real monetary value associated with the Ether. "The first half focuses on network protocol analysis and binary reverse-engineering," writes eatvegetables, while "The second half is all about attempting to exploit the blockchain." An email address from "a recognized U.S. school or university" is required, and the original submission notes that America's college students "are already hard at work trying to push their school to the top of the leaderboard."

Purism Launches First Security Key with Tamper-Evident Protection for Laptops

Sat, 09/22/2018 - 09:34
An anonymous reader quotes Softpedia: Purism announced Thursday that its highly anticipated Librem Key security key is now available for purchase as the first and only OpenPGP-based smart card to offer a Heads-firmware-integrated tamper-evident boot process for laptops. Developed in partnership with Nitrokey, a company known for manufacturing open-source USB keys that enable secure encryption and signing of data for laptops, Purism's Librem Key is dedicated to Librem laptop users, allowing them to store up to 4096-bit RSA keys and up to 512-bit ECC keys on the security key, as well as to securely generate new keys directly on the device. Librem Key integrates with the secure boot process of the latest Librem 13 and 15 laptops... Designed to let Librem laptop users see if someone has tampered with the software on their computers when it boots, Librem Key leverages the Heads-enabled TPM (Trusted Platform Module) chip in new Librem 13 and Librem 15 laptops. According to Purism, when inserted, the security key will blink green to show users that the laptop hasn't been tampered with, so they can continue from where they left off, and blinks red when tampering has occurred. Purism's web site explains: With so many attacks on password logins, most security experts these days recommend adding a second form of authentication (often referred to as "2FA" or "multi-factor authentication") in addition to your password so that if your password gets compromised the attacker still has to compromise your second factor. USB security tokens work well as this second factor because they are "something you have" instead of "something you know" like a password is, and because they are portable enough you can just keep them in your pocket, purse, or keychain and use them only when you need to login to a secure site.

New Custom Linux Distro is Systemd-Free, Debian-Based, and Optimized for Windows 10

Sat, 09/22/2018 - 07:34
An anonymous reader quotes MSPowerUser: Nearly every Linux distro is already available in the Microsoft Store, allowing developers to use Linux scripting and other tools running on the Windows Subsystem for Linux (WSL). Now another distro has popped up in the Store, and unlike the others it claims to be specifically optimised for WSL, meaning a smaller and more appropriate package with sane defaults which helps developers get up and running faster. WLinux is based on Debian, and the developer, Whitewater Foundry, claims their custom distro will also allow faster patching of security and compatibility issues that appear from time to time between upstream distros and WSL... Popular development tools, including git and python3, are pre-installed. Additional packages can be easily installed via the apt package management system... A handful of unnecessary packages, such as systemd, have been removed to improve stability and security. The distro also offers out of the box support for GUI apps with your choice of X client, according to the original submission. WLinux is open source under the MIT license, and is available for free on GitHub. It can also be downloaded from Microsoft Store at a 50% discount, with the development company promising the revenue will be invested back into new features.

Amazon Is Making It Easier To Set Up New IoT Gadgets

Fri, 09/21/2018 - 17:25
At an event yesterday where the company unveiled a range of new Echo smart speakers and other Alexa-enabled devices, the company announced a new way to easily set up internet of things (IoT) devices. The Verge reports: Called Wi-Fi Simple Setup, the system will use Amazon's Wi-Fi Lockers to store your Wi-Fi credentials and share them with compatible smart home devices. Amazon is debuting this tech with TP-Link and Eero, with the idea that customers can reuse network credentials in order to set up new devices. This means devices will connect on their own instead of you having to manually set up each smart product. According to Amazon, it's as easy as plugging in a Wi-Fi Simple Setup-enabled device. The device will automatically look for the Wi-Fi Simple Setup Network and connect once it receives encrypted credentials. Amazon says the process should take no longer than 30 seconds. The ecommerce company also announced a plug-and-play smart home kit called Alexa Connect Kit. "It starts with a module that has Bluetooth LE and Wi-Fi and a real-time OS that companies can put in their products in order to make them smart," reports The Verge.

Twitter Notifies Developers About API Bug That Shared DMs With Wrong Developers

Fri, 09/21/2018 - 11:25
Twitter has started notifying developers today about an API bug that accidentally shared direct messages (private messages) or protected tweets from a Twitter business account with other developers. From a report: According to a support page published today, Twitter said the bug only manifested for Twitter business accounts where the account owner used the Account Activity API (AAAPI) to allow other developers access to that account's data. Because of the bug, the AAAPI sent DMs and protected tweets to the wrong person instead of the authorized developer. Twitter said it discovered the bug on September 10, and fixed it the same day. They also said the bug was active between May 2017 and September 2018, for almost 16 months. The bug represents a serious privacy issue, especially for Twitter business accounts that use DMs to handle customer complaints that in some cases may include private user information.

Romanian Ransomware Suspect Pleads Guilty To Hacking CCTVs in Washington DC

Fri, 09/21/2018 - 10:45
gosand writes: The Register reports that "a Romanian woman has admitted running a ransomware operation from infected Washington DC's CCTV systems just days before President Trump was sworn into office in the US capital." The US DOJ stated that "this case was of the highest priority due to its impact on the Secret Service's protective mission and its potential effect on the security plan for the 2017 Presidential Inauguration." She could face a maximum of 25 years if convicted. She and her cohort (who is still jailed in Romania) made the classic hacker mistake of using their personal Gmail accounts for the campaign, even accessing them from one of the compromised PCs.

Facebook Will Open a 'War Room' Next Week To Monitor Election Interference

Thu, 09/20/2018 - 19:30
An anonymous reader quotes a report from The Verge: Sheera Frenkel and Mike Isaac [write from The New York Times]: "Sandwiched between Building 20 and Building 21 in the heart of Facebook's campus, an approximately 25-foot by 35-foot conference room is under construction. Thick cords of blue wiring hang from the ceiling, ready to be attached to window-size computer monitors on 16 desks. On one wall, a half dozen televisions will be tuned to CNN, MSNBC, Fox News and other major cable networks. A small paper sign with orange lettering taped to the glass door describes what's being built: "War Room." Set to open next week, the conference room is in keeping with Facebook's nick-of-time approach to midterm election preparedness. (It introduced a "pilot program" for candidate account security on Monday.) It's a big project. Samidh Chakrabarti, who oversees elections and civic engagement, told the Times: "We see this as probably the biggest companywide reorientation since our shift from desktops to mobile phones." Of course, the effort extends beyond the new conference room. Chakrabarti showed the Times a new internal tool "that helps track information flowing across the social network in real time," helping to identify misinformation as it goes viral or a surge in the creation of new (and likely fake) accounts.

Crippling DDoS Vulnerability Put the Entire Bitcoin Market At Risk

Thu, 09/20/2018 - 15:30
A major flaw was spotted in the Bitcoin network that could have allowed miners to bring down the entire blockchain by flooding full node operators with traffic, via a Distributed Denial-of-Service (DDoS) attack. "A denial-of-service vulnerability (CVE-2018-17144) exploitable by miners has been discovered in Bitcoin Core versions 0.14.0 up to 0.16.2," the patch notes state. "It is recommended to upgrade any of the vulnerable versions to 0.16.3 as soon as possible." The Next Web reports: Developers have issued a patch for anyone running nodes, along with an appeal to update the software immediately. As far as the attack vector in question goes, there's a catch: anyone ballsy enough to try to bring down Bitcoin would have to sacrifice almost $80,000 worth of Bitcoin in order to do it. The bug relates to its consensus code. It meant that some miners had the option to send transaction data twice, causing the Bitcoin network to crash when attempting to validate them. As such invalid blocks need to be mined anyway, only those willing to disregard block reward of 12.5BTC ($80,000) could actually do any real damage.

Google Defends Gmail Data Sharing, Gives Few Details on Violations

Thu, 09/20/2018 - 10:40
Google defended how it polices third-party add-ons for Gmail in a letter to U.S. senators made public on Thursday, saying that upfront review catches the "majority" of bad actors. A report adds: Google said it uses automated scans and reports from security researchers to monitor third parties with access to Gmail data, but gave no details on how many add-ons have been caught violating its policies. Google's privacy practices have been under growing scrutiny. The Senate Commerce Committee has a hearing scheduled for Sept. 26 to question Google, Apple, AT&T, Twitter about their consumer data privacy practices. Gmail, the Google email service used by 1.4 billion people, enables add-on developers access to users' emails and the ability to share that data with other parties as "long as they are transparent" with users about how they are using data and get consent, Google said in the letter. For instance, a program that logs receipts could be allowed to scan Gmail as it searches for receipts.

ICANN Sets Plan To Reinforce Internet DNS Security

Thu, 09/20/2018 - 09:15
coondoggie shares a report: In a few months, the internet will be a more secure place. That's because the Internet Corporation for Assigned Names and Numbers (ICANN) has voted to go ahead with the first-ever changing of the cryptographic key that helps protect the internet's address book -- the Domain Name System (DNS). The ICANN Board at its meeting in Belgium this week, decided to proceed with its plans to change or "roll" the key for the DNS root on Oct. 11, 2018. It will mark the first time the key has been changed since it was first put in place in 2010. During its meeting ICANN spelled out the driving forces behind the need for improved DNS security that the rollover will bring. For example, the continued evolution of Internet technologies and facilities, and deployment of IoT devices and increased capacity of networks all over the world, coupled with the unfortunate lack of sufficient security in those devices and networks, attackers have increasing power to cripple Internet infrastructure, ICANN stated. "Specifically, the growth in attack capacity risks outstripping the ability of the root server operator community to expand defensive capacity. While it remains necessary to continue to expand defensive capacity in the near-term, the long-term outlook for the traditional approach appears bleak," ICANN stated. The KSK rollover means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, according to ICANN. Such resolvers run software that converts typical addresses like networkworld.com into IP network addresses. Resolvers include: internet service providers, enterprise network administrators and other DNS resolver operators, DNS resolver software developers; system integrators, and hardware and software distributors who install or ship the root's "trust anchor," ICANN said.

Equifax Slapped With UK's Maximum Penalty Over 2017 Data Breach

Thu, 09/20/2018 - 07:50
Credit rating giant Equifax has been issued with the maximum possible penalty by the UK's data protection agency for last year's massive data breach. From a report: Albeit, the fine is only 500,000 pounds (roughly $658,000) because the loss of customer data occurred when the UK's prior privacy regime was in force -- rather than the tough new data protection law, brought in via the EU's GDPR, which allows for maximum penalties of as much as 4% of a company's global turnover for the most serious data failures. So, again, Equifax has managed to dodge worse consequences over the 2017 breach, despite the hack resulting from its own internal process failings after it failed to patch a server that was known to be vulnerable for months -- thereby giving hackers a soft-spot to attack and swipe data on 147 million consumers. Personal information that was lost or compromised in the 2017 Equifax breach included names and dates of birth, addresses, passwords, driving licence and financial details.

US Senate Staff Targeted By State-Backed Hackers, Senator Says

Thu, 09/20/2018 - 05:00
An anonymous reader quotes a report from PBS NewsHour: Sen. Ron Wyden, an Oregon Democrat, said in a Wednesday letter to Senate leaders that his office discovered that "at least one major technology company" has warned an unspecified number of senators and aides that their personal email accounts were "targeted by foreign government hackers." Similar methods were employed by Russian military agents who leaked the contents of private email inboxes to influence the 2016 elections. Wyden did not specify the timing of the notifications, but a Senate staffer said they occurred "in the last few weeks or months." But the senator said the Office of the Sergeant at Arms, which oversees Senate security, informed legislators and staffers that it has no authority to help secure personal, rather than official, accounts. "This must change," Wyden wrote in the letter. "The November election grows ever closer, Russia continues its attacks on our democracy, and the Senate simply does not have the luxury of further delays."

California May Ban Terrible Default Passwords On Connected Devices

Thu, 09/20/2018 - 02:00
According to Engadget, the California Senate has sent Governor Jerry Brown draft legislation that would require manufacturers to either have to use unique preprogrammed passwords or make you change the credentials the first time you use it. "Companies will also have to 'equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device,'" reports Engadget. From the report: If Brown signs the bill into law, it will take effect at the beginning of 2020. But critics claim the wording is vague and doesn't go far enough in ensuring manufacturers don't include unsecured features. "It's like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips," Robert Graham of Errata Security said in a blog post. "The key to dieting is not eating more but eating less." Given the huge number of connected devices available, it's also not clear how the state plans to enforce and regulate the rules.

Zaif Cryptocurrency Exchange Suffers $60 Million Hack

Wed, 09/19/2018 - 16:45
Hackers were able to steal $60 million worth of company and user funds belonging to the Zaif Japanese cryptocurrency exchange. The breach occurred last week, but the company discovered the hack on Monday, September 17. An anonymous reader shares the report from ZDNet: Investigators are still gathering details, but Zaif said the hack took place on September 14, between 17:00 and 19:00 local time, when the attacker siphoned off three types of cryptocurrencies from the company's "hot wallets." [A "hot wallet" is a term used to describe a cryptocurrency address with light security measures where a cryptocurrency exchange keeps funds for immediate transactions, such as cryptocurrency-to-cryptocurrency or cryptocurrency-to-fiat (and vice versa) operations.] Zaif says the hacker stole Bitcoin, Bitcoin Cash, and MonaCoin from its hot wallet, all three worth 6.7 billion Japanese yen (roughly $59.67 million) when combined. Of the 6.7 billion stolen yen, 2.2 billion yen -- 32 percent -- were Zaif funds, while 4.5 billion yen were customer funds. Zaif plans to secure a 5 billion yen loan to pay back affected customers.

'WaitList.dat' Windows File May Be Secretly Hoarding Your Passwords, Emails

Wed, 09/19/2018 - 14:40
A file named WaitList.dat, found only on touchscreen-capable Windows PCs, may be collecting your sensitive data like passwords and emails. According to ZDNet, in order for the file to exist users have to enable "the handwriting recognition feature that automatically translates stylus/touchscreen scribbles into formatted text." From the report: The handwriting to formatted text conversion feature has been added in Windows 8, which means the WaitList.dat file has been around for years. The role of this file is to store text to help Windows improve its handwriting recognition feature, in order to recognize and suggest corrections or words a user is using more often than others. "In my testing, population of WaitList.dat commences after you begin using handwriting gestures," [Digital Forensics and Incident Response expert Barnaby Skeggs] told ZDNet in an interview. "This 'flicks the switch' (registry key) to turn the text harvester functionality (which generates WaitList.dat) on." "Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature," Skeggs says. Since the Windows Search Indexer service powers the system-wide Windows Search functionality, this means data from all text-based files found on a computer, such as emails or Office documents, is gathered inside the WaitList.dat file. This doesn't include only metadata, but the actual document's text. "The user doesn't even have to open the file/email, so long as there is a copy of the file on disk, and the file's format is supported by the Microsoft Search Indexer service," Skeggs told ZDNet. "On my PC, and in my many test cases, WaitList.dat contained a text extract of every document or email file on the system, even if the source file had since been deleted," the researcher added. Furthermore, Skeggs says WaitList.dat can be used to recover text from deleted documents.

'I'm Admin. You're Admin. Everyone is Admin.' Remote Access Bug Turns Western Digital My Cloud Into Everyone's Cloud

Wed, 09/19/2018 - 14:00
Researchers at infosec shop Securify revealed this week a vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass password checks and log in with admin privileges. From a report: This would, in turn, give the attacker full control over the NAS device, including the ability to view and copy all stored data as well as overwrite and erase contents. If the box is accessible from the public internet, it could be remotely pwned, it appears. Alternatively, malware on a PC on the local network could search for and find a vulnerable My Cloud machine, and compromise it. According to Securify, the flaw itself lies in the way My Cloud creates admin sessions that are attached to an IP address. When an attacker sends a command to the device's web interface, as an HTTP CGI request, they can also include the cookie username=admin -- which unlocks admin access. Thus if properly constructed, the request would establish an admin login session to the device without ever asking for a password. In other words, just tell it you're the admin user in the cookie, and you're in. The researcher told TechCrunch that he reported the vulnerability to Western Digital last year, but the company "stopped responding."

Cloudflare Wants Internet Route Leaks To Be a Thing of the Past

Wed, 09/19/2018 - 10:45
Cloudflare wants routing issues to be a thing of the past by deploying a new feature to try to stop route leaks and hijacks in their tracks. From a report: Cloudflare told TechCrunch that rolling out resource public key infrastructure (RPKI) to all of its customers for free will make it far more difficult to reroute traffic -- either by accident or deliberately. RPKI, in a nutshell, helps to ensure that traffic goes to the right place through a route that's verified as legitimate and correct by using cryptographically signed certificates. "When two networks connect with each other -- say, AT&T and Verizon -- they announce the set of IP addresses for which they should be sent traffic," said Nick Sullivan, Cloudflare's head of cryptography. "The RPKI is a security framework to make sure a network announces only its legitimate IP addresses." Cloudflare's push in the right direction follows an effort by the National Institute for Standards and Technology, which last week published its first draft of a new standard, which incorporates RPKI as one of three components that will help prevent route leaks and hijacks. A possible approval is expected in the coming weeks.

China's Leaders Soften Their Stance on AI, Say They Will Be Sharing Their Findings With Other Countries

Wed, 09/19/2018 - 08:50
China might be at loggerheads with the United States over trade, but it is calling for a friendlier approach to the development of artificial intelligence. From a report: Speaking at the World Artificial Intelligence Conference in Shanghai this week, China's vice premier, Liu He, said that AI would depend heavily on international cooperation. "We're hoping that all countries, as members of the global village, will be inclusive and support each other so that we can respond to the double-edged-sword effect of new technologies," He said through a translator. "AI represents a new era. Cross-national and cross-discipline cooperation is inevitable." President Xi Jinping delivered a similar message in a letter presented at the same conference. Xi said that China would "share results with other countries in the field of artificial intelligence." He also called for collaboration between nations on AI topics such as ethics, law, governance, and security. This new, softer approach to artificial intelligence comes just over a year after the Chinese government announced an ambitious and aggressive AI plan. This blueprint called for Chinese AI researchers to lead the world by 2030, and for domestic companies to build an industry worth more than $150 billion. China's tech industry has already embraced machine learning and AI at an impressive rate.