Slashdot security articles


Senators Press Amazon For Answers On Ring's Sloppy Security Practices

Wed, 11/20/2019 - 11:30
New submitter BeerF writes: This past year has been chock full of uncomfortable revelations about Ring, the surveillance social network and home security hardware company acquired by Amazon for a reported $800 million, including reports of potentially disastrous internal security practices, an apparent disregard for user privacy, and wave after wave of detail on secret partnerships with local police. Today, in a letter addressed to Amazon CEO Jeff Bezos, five Democratic senators are asking for an explanation, citing potential threats to U.S. national security. Much of the letter focuses on allegations that Ring's Ukrainian office, where it conducts much of its research and development operation, allowed employees across the company to access customer video data whether they had any real need to or not. In January, The Intercept reported that this loose security atmosphere at Ring meant "if [someone] knew a reporter or competitor's email address, [they] could view all their cameras," per one source, who also recalled Ring engineers casually spying on and "teasing each other about who they brought home" after dates. "If hackers or foreign agents were to gain access to this data," the letter states, "it would not only threaten the privacy and safety of the impacted Americans; it could also threaten U.S. national security."

Google Wants Android To Use Regular Linux Kernel

Wed, 11/20/2019 - 09:32
Android is built on top of the Linux kernel, but it has always used a heavily-modified version with changes from OEMs, chip manufacturers like Qualcomm and MediaTek, and Google. There have been efforts over the years to close the gap between the two kernels, but now Google is getting more serious about it. From a report: At this year's Linux Plumbers Conference, Google engineers held talks about the company's efforts to get Android as close as possible to the mainline Linux kernel. Not only would this reduce technical overhead for Google and other companies, because they would no longer have to merge thousands of changes into each new Linux kernel version (and Google would no longer have to support Linux kernel versions for six years), but it could also benefit the Linux project as a whole. For example, the growing number of ARM-based Linux phones and computers could see improved performance and battery life. The first stage of this process is merging as many of Android's modifications as possible back into the mainline Linux kernel. As of February 2018, the Android common kernel (which OEMs make additional changes to) has over 32,000 insertions and over 1,500 deletions compared to mainline Linux 4.14.0. That's an improvement from a few years ago, when Android added over 60,000 lines of code on top of Linux. To show off how much progress has been made, Tom Gall, the director of the Linaro Consumer Group, brought a Xiaomi Pocophone on stage that was running Android 10 on top of a mainline Linux kernel. He told the audience, "there are major, major props to be given to the Google Kernel Team in particular for getting their code upstream so that we can boot devices with a mainline kernel." It's likely that some of the phone's features were non-functional (the battery percentage in the picture reads as 0%), but it's still impressive.

Password Data For About 2.2 Million Users of Currency, Gaming Sites Dumped Online

Tue, 11/19/2019 - 23:00
Password data and other personal information belonging to as many as 2.2 million users of two websites -- one a cryptocurrency wallet service and the other a gaming bot provider -- have been posted online, according to Troy Hunt, the security researcher behind the Have I Been Pwned breach notification service. Ars Technica reports: One haul includes personal information for as many as 1.4 million accounts from the GateHub cryptocurrency wallet service. The other contains data for about 800,000 accounts on RuneScape bot provider EpicBot. The databases include registered email addresses and passwords that were cryptographically hashed with bcrypt, a function that's among the hardest to crack. The person posting the 3.72GB Gatehub database said it also includes two-factor authentication keys, mnemonic phrases, and wallet hashes, although GateHub officials said an investigation suggested wallet hashes were not accessed. The EpicBot database, meanwhile, purportedly included usernames and IP addresses. Hunt said he selected a representative sample of accounts from both databases to verify the authenticity of the data. All of the email addresses he checked were registered to accounts of the two sites. [...] While there were 2.2 million unique addresses in the two dumps, it's possible that corresponding password hashes or other data isn't included with each one.

Senator Introduces Bill That Would Block US Companies From Storing Data In China

Tue, 11/19/2019 - 16:50
An anonymous reader quotes a report from The Hill: Sen. Josh Hawley (R-Mo.) on Monday introduced a bill that would curtail the flow of sensitive information about people in the U.S. to China through large tech companies like Apple and TikTok. Hawley's legislation would place new and wide-reaching limitations on companies with ties to China such as TikTok, the mega-popular social media platform owned by a Chinese firm, and Apple, an American company that builds many of its components in mainland China. The bill, called the National Security and Personal Data Protection Act, would subject a litany of companies with ties to countries of "national security concern," including Russia and China, to a new privacy regime. Sens. Tom Cotton (R-Ark.) and Marco Rubio (R-Fla.) also signed onto the bill on Monday. Hawley's bill would apply to tech companies that are subject to Chinese or Russian law, or are under the jurisdiction of those countries in a way that would allow those governments to access user data without "respect for civil liberties and privacy," according to the bill. Those companies would not be allowed to collect private data beyond what is required to run their services or transfer data on U.S. users to countries of concern. They would also be required to store information on U.S. users in the United States itself, and would have to submit a yearly report proving their compliance with the law once a year to the Federal Trade Commission, the U.S. attorney general, and all state attorneys general.

Disney+ Fans Without Answers After Thousands Hacked

Tue, 11/19/2019 - 16:10
Many Disney+ users who have had their accounts stolen and put up for sale on the dark web say that Disney has yet to sort their problems. The firm says it does not believe its systems have been compromised, suggesting that members' details have been stolen by other means. The BBC reports: On November 12, its first day live, people had technical problems and many complained on social media. Others said they were locked out of their accounts, and since they contacted Disney they have not heard back. According to an investigation by ZDNet, thousands of user accounts went on sale on the dark web. Only hours after the service launched, hackers were selling Disney+ accounts for as little as $3. A subscription to the service costs $7 a month. With the help of a cyber-security researcher, the BBC also found several hacked customer accounts for sale on the dark web. Many say they used unique userIDs and passwords to access the streaming platform. But Jason Hill, a lead researcher with CyberInt, says it looks like many were stolen because people use the same passwords for different sites. Mr Hill said that hackers can lift someone's password from a different site which has previously been hacked and then try it on a new site, like Disney+. If it works, they steal the account. The streaming service does not have two-factor authentication. Others are concerned because they can use their Disney+ login to access other products the company provides, like the Disney store and its recreation parks.

Antivirus Vendors and Non-Profits Join To Form 'Coalition Against Stalkerware'

Tue, 11/19/2019 - 12:10
Ten organizations today announced the creation of the Coalition Against Stalkerware, the first global initiative of its kind, with the sole purpose of fighting against stalkerware. From a report: Also known as spouseware, stalkerware is a smaller category of the spyware class. Stalkerware refers to apps that abusive partners install on the devices of their loved ones without their knowledge or consent. They contain features that allow the abuser to track their significant other's geographical location, web browsing habits, social media activity, log keystrokes inside instant messaging apps, retrieve photos, or even record audio and video without the owner's knowledge. Stalkerware apps are available for both mobile and desktop operating systems and are often sold commercially under the guise of child trackers, pet trackers, phone-finding apps, remote access toolkits, and so on. These kinds of apps live in a gray area of the current app ecosystem where they can be used for both legitimate and criminal purposes, giving app makers an easy excuse when confronted with abuse reports from victims. Some apps are more blatant and advertise themselves as a way to catch cheating girlfriends, although these cases are rare.

Google and Samsung Fix Android Spying Flaw. Other Makers May Still Be Vulnerable

Tue, 11/19/2019 - 10:50
Until recently, weaknesses in Android camera apps from Google and Samsung made it possible for rogue apps to record video and audio and take images and then upload them to an attacker-controlled server -- without any permissions to do so. Camera apps from other manufacturers may still be susceptible. From a report: The weakness, which was discovered by researchers from security firm Checkmarx, represented a potential privacy risk to high-value targets, such as those preyed upon by nation-sponsored spies. Google carefully designed its Android operating system to bar apps from accessing cameras and microphones without explicit permission from end users. An investigation published Tuesday showed it was trivial to bypass those restrictions. The investigation found that an app needed no permissions at all to cause the camera to shoot pictures and record video and audio. To upload the images and video -- or any other image and video stored on the phone -- to an attacker-controlled server, an app needed only permission to access storage, which is among the most commonly granted permissions. The weakness, which is tracked as CVE-2019-2234, also allowed would-be attackers to track the physical location of the device, assuming GPS data was embedded into images or videos. Google closed the eavesdropping hole in its Pixel line of devices with a camera update that became available in July. Checkmarx said Samsung has also fixed the vulnerability, although it wasn't clear when that happened. Checkmarx said Google has indicated that Android phones from other manufacturers may also be vulnerable. The specific makers and models haven't been disclosed.

India Says Law Permits Agencies To Snoop on Citizens' Devices

Tue, 11/19/2019 - 07:27
The Indian government said on Tuesday that it is "empowered" to intercept, monitor, or decrypt any digital communication "generated, transmitted, received, or stored" on a citizen's device in the country in the interest of national security or to maintain friendly relations with foreign states. From a report: Citing section 69 of the Information Technology Act, 2000, and section 5 of the Telegraph Act, 1885, Minister of State for Home Affairs G. Kishan Reddy said local law empowers federal and state government to "intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource in the interest of the sovereignty or integrity of India, the security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence." Reddy's remarks were in response to the parliament, where a lawmaker had asked if the government had snooped on citizens' WhatsApp, Messenger, Viber, and Google calls and messages.

Hacker Publishes 2TB of Data From Cayman National Bank

Mon, 11/18/2019 - 16:30
An anonymous reader quotes a report from Motherboard: On Sunday, Motherboard reported that the hacker or hackers known as Phineas Fisher targeted a bank, stole money and documents, and is offering other hackers $100,000 to carry out politically motivated hacks. Now, the bank Phineas Fisher targeted, Cayman National Bank from the Isle of Man, confirmed it has suffered a data breach. "It is known that Cayman National Bank (Isle of Man) Limited was amongst a number of banks targeted and subject to the same hacking activity," Cayman National told Motherboard in a statement issued Monday. "A criminal investigation is ongoing and Cayman National is co-operating with the relevant law enforcement authorities to identify the perpetrators of the data theft. Cayman National takes any breach of data security very seriously and a specialist IT forensic investigation is underway, with appropriate actions being taken to ensure that the clients of Cayman National's Isle of Man bank and trust companies are protected," the statement added. The statement doesn't name Phineas Fisher explicitly, but instead says the bank was the victim of a "criminal hacking group." "I robbed a bank and gave the money away," Phineas Fisher wrote in their most recent manifesto, adding that they breached the bank in 2016. "Computer hacking is a powerful tool to fight economic inequality." In its statement, Cayman National claimed it had found no evidence of financial loss either to its customers or Cayman National itself. Twitter account Distributed Denial of Secrets (DDoSecrets) posted a link to the copies of the servers of Cayman National Bank and Trust. "To make certain files easier to access, the two Athol servers were combined into a single archive. The raw Athol servers will be released next week, along with the launch of the Hunter Memorial Library which will make over 600,000 of the bank's emails searchable online," reads a follow-up tweet. The total size of data is about 2 terabytes.

Intel To Remove Old Drivers and BIOS Updates From Its Site

Mon, 11/18/2019 - 08:50
By Friday this week, Intel plans to remove old drivers and BIOS updates from its official website. From a report: "This download, BIOS Update [BLH6710H.86A] 0163, will no longer be available after November 22, 2019 and will not be supported with any additional functional, security, or other updates," reads a message posted to the download page of one of the impacted components. "Intel recommends that users of BIOS Update [BLH6710H.86A] 0163 uninstall and/or discontinue use as soon as possible," the message continues. The downloads are drivers and BIOS updates for Intel desktop components and motherboards the company released in the 90s and early-to-mid 2000s. Downloads for hundreds of components are believed to have been impacted, from motherboards to NIC cards and graphics cards. Most of the drivers are for Windows versions like 98, ME, XP, and older Windows Server editions -- old Windows OS versions that have themselves reached end-of-life (EOL). All of the components and motherboards reached EOL years ago, and Intel stopped delivering firmware updates as a result. Its website was merely hosting the older files for convenience.

Facebook, Google Donate Heavily To Privacy Advocacy Groups

Mon, 11/18/2019 - 07:22
Few companies have more riding on proposed privacy legislation than Alphabet's Google and Facebook. To try to steer the bill their way, the giant advertising technology companies spend millions of dollars to lobby each year, a fact confirmed by government filings. From a report: Not so well-documented is spending to support highly influential think tanks and public interest groups that are helping shape the privacy debate, ostensibly as independent observers. Bloomberg Law examined seven prominent nonprofit think tanks that work on privacy issues that received a total of $1.5 million over an 18-month period ending Dec. 31, 2018. The groups included such organizations as the Center for Democracy and Technology, the Future of Privacy Forum and the Brookings Institution. The actual total is undoubtedly much higher -- exact totals for contributions were difficult to pin down. The tech giants have "funded scores of nonprofits, including consumer and privacy groups, and academics," said Jeffrey Chester, executive director at the Center for Digital Democracy, a public interest group that does not accept donations from Google or Facebook. Further, he says, their influence is strong. The companies have "opposed federal privacy laws and worked to weaken existing safeguards," Chester said. Accepting donations from these "privacy-killing companies enables them to influence decisions by nonprofits, even subtly," he said.

Why Two Pentesters In Iowa Are Facing A Criminal Investigation and Trespassing Charges

Sun, 11/17/2019 - 16:50
Ars Technica's security editor re-visits the story of two security penetration testers from Coalfire who were arrested one midnight in the county courthouse in Adel, Iowa (population 3,682): "They were crouched down like turkeys peeking over the balcony," Dallas County Sheriff Chad Leonard said in an interview. "Here we are at 12:30 in the morning confronted with this issue -- on September 11, no less. We have two unknown people in our courthouse -- in a government building -- carrying backpacks that remind me and several other deputies of maybe the pressure cooker bombs." After more deputies arrived, Justin Wynn, 29 of Naples, Florida, and Gary De Mercurio, 43 of Seattle, slowly proceeded down the stairs with hands raised. They then presented the deputies with a letter that explained the intruders weren't criminals but rather penetration testers who had been hired by Iowa's State Court Administration to test the security of its court information system. After calling one or more of the state court officials listed in the letter, the deputies were satisfied the men were authorized to be in the building... When Leonard arrived on the scene, the mood quickly changed. Leonard read the letter and sized the men up. It said the men were authorized to perform "physical social engineering to attempt to gain access" to courthouse systems... The letter also listed tasks that should not be performed, including alarm subversion, force-opening doors, and accessing environments that require personal protective equipment. The pentesters had already said they used a tool to open the front door. Leonard took that to mean the men had violated the restriction against forcing doors open. Leonard also said the men attempted to turn off the alarm -- something Coalfire officials vehemently deny. In Leonard's mind that was a second violation. 
Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn't answer the deputies' calls, while another said he didn't believe the men had permission to conduct physical intrusions. The sheriff also said he and his deputies smelled alcohol on the breath of one of the men. (Leonard, who didn't identify which Coalfire employee it was, said a test later showed the pentester had a blood alcohol content of 0.05, the equivalent of one or two drinks. It is below the 0.08 threshold for an operating while intoxicated conviction.) Leonard promptly had the men arrested on felony third-degree burglary charges... The charges have since been reduced to misdemeanor trespassing charges. Trial is scheduled for April. Meanwhile, the sheriff's department in nearby Polk County is conducting a criminal investigation into a September 10 break-in on its courthouse under the same arrangement with the State Judicial Administration.... The get-out-of-jail-free letter "said you won't manipulate doors," Leonard said. "Well, they picked four doors. It said they won't manipulate the alarm system. They went right up to the alarm and tried to shut it off. The biggest issue is they were only supposed to work from 6AM to 6PM. They came out in the middle of the night and broke in." Equally important, Leonard said, is what he believed to be the overstepping of Iowa officials who retained Coalfire. When the sheriff confronted the men that night, he said: "The State of Iowa has no authority to allow you to break into a county building. You're going to jail."

Leaked Russian Interference Report Raises Questions About Brexit, UK Election Security

Sun, 11/17/2019 - 10:34
A report from the U.K. Parliament's intelligence committee concludes that "Russian interference may have had an impact on the Brexit referendum," reports the Times of London, adding that "the effect was 'unquantifiable.'" The Associated Press reports: The committee said British intelligence services failed to devote enough resources to counter the threat and highlighted the impact of articles posted by Russian news sites that were widely disseminated on social media, the newspaper reported... [Conservative Prime Minister Boris] Johnson's government has said it needs more time to review the security implications of the report, but it will be released after the election. Critics have alleged the report is being withheld because it shows Russians have made large donations to the Conservative Party, which is seeking to win a majority that would allow Johnson to push his Brexit deal through Parliament.... The House of Commons Intelligence and Security Committee began its investigation following allegations of Russian interference in both the 2016 U.S. election and the Brexit referendum earlier that year. The committee sent its report to Johnson for review on Oct. 17, saying it expected to "publish the report imminently." Committee Chairman Dominic Grieve has criticized Johnson's government for failing to release the document amid media reports it has already been cleared by British security services. The debate comes amid growing concerns about the security of elections fought in an increasingly digital world. Britain's election laws were written for a time when campaigns pushed mass-produced leaflets through mail slots, rather than flooding Facebook and Twitter accounts with individually targeted messages.

You Can Now Buy Pretend Food for Your $2,900 Sony Robot Dog

Sun, 11/17/2019 - 03:34
Gizmodo reports that Sony "will happily sell you make-believe virtual meals" for their robotic Aibo dog to unlock tricks, one of several new features added since its re-launch in 2017: The new feature that will appeal to most owners, however, is Aibo Food, which allows the robot to be virtually fed using augmented reality through the Aibo smartphone app. Meals can be purchased using coins, which are awarded to users through random actions like repeatedly using the Aibo app, or during special events. But once users run out of coins, which is bound to quickly happen as they try out the new Aibo Food feature, they can either wait for more Sony handouts or purchase additional coins for a fee. Sony points out that Aibo's performance and features aren't dependent on whether the dog is regularly fed -- it is, after all, just a robot. So hopefully the company won't change its mind down the line, making your pup act sluggish and distracted when you're not forking out for pretend food.... Of course, other complications arrive once you start feeding an animal, and the new software update also allows users to finally potty train their Aibos using a new mapping feature so the robot doesn't pretend-shit all over your house. This appears to be a free feature, until Sony realises it can sell owners virtual poop bags. There's also a new web-based API/developer program that lets you program the robot dog to perform custom actions -- and Aibo dogs now come equipped with some new patrol/security functionality. "Using its facial recognition and room-mapping capabilities, Aibo will be able to patrol homes and locate various family members, providing reports on where everyone is, and helping owners track down specific people, according to Sony."

Lessons From the Cyberattack On India's Largest Nuclear Power Plant

Sat, 11/16/2019 - 18:34
Dan Drollette shares an article by two staffers at the Center for Global Security Research at Lawrence Livermore National Laboratory from The Bulletin of Atomic Scientists. "Indian officials acknowledged on October 30th that a cyberattack occurred at the country's Kudankulam nuclear power plant," they write, adding that "According to last Monday's Washington Post, Kudankulam is India's biggest nuclear power plant, 'equipped with two Russian-designed and supplied VVER pressurized water reactors with a capacity of 1,000 megawatts each.'" So what did we learn? While reactor operations at Kudankulam were reportedly unaffected, this incident should serve as yet another wake-up call that the nuclear power industry needs to take cybersecurity more seriously. There are worrying indications that it currently does not: A 2015 report by the British think tank Chatham House found pervasive shortcomings in the nuclear power industry's approach to cybersecurity, from regulation to training to user behavior. In general, nuclear power plant operators have failed to broaden their cultures of safety and security to include an awareness of cyberthreats. (And by cultures of safety and security, those in the field -- such as the Fissile Materials Working Group -- refer to a broad, all-embracing approach towards nuclear security, that takes into account the human factor and encompasses programs on personnel reliability and training, illicit trafficking interception, customs and border security, export control, and IT security, to name just a few items. The Hague Communique of 2014 listed nuclear security culture as the first of its three pillars of nuclear security, the other two being physical protection and materials accounting.) This laxness might be understandable if last week's incident were the first of its kind. Instead, there have been over 20 known cyber incidents at nuclear facilities since 1990. 
This number includes relatively minor items such as accidents from software bugs and inadequately tested updates along with deliberate intrusions, but it demonstrates that the nuclear sector is not somehow immune to cyber-related threats. Furthermore, as the digitalization of nuclear reactor instrumentation and control systems increases, so does the potential for malicious and accidental cyber incidents alike to cause harm. This record should also disprove the old myth, unfortunately repeated in Kudankulam officials' remarks, that so-called air-gapping effectively secures operational networks at plants. Air-gapping refers to separating the plant's internet-connected business networks from the operational networks that control plant processes; doing so is intended to prevent malware from more easily infected business networks from affecting industrial control systems. The intrusion at Kudankulam so far seems limited to the plant's business networks, but air gaps have failed at the Davis-Besse nuclear power plant in Ohio in 2003 and even classified U.S. military systems in 2008. The same report from Chatham House found ample sector-wide evidence of employee behavior that would circumvent air gaps, like charging personal phones via reactor control room USB slots and installing remote access tools for contractors... [R]evealing the culprits and motives associated with the Kudankulam attack matters less for the nuclear power industry than fixing the systemic lapses that enabled it in the first place. "The good news is that solutions abound..." the article concludes, noting guidance, cybersecurity courses, technical exchanges, and information through various security-minded public-private partnerships. "The challenge now is integrating this knowledge into the workforce and maintaining it over time... 
"But last week's example of a well-established nuclear power program responding to a breach with denial, obfuscation, and shopworn talk of so-called 'air-gaps' demonstrates how dangerously little progress the industry has made to date."

Web Summit Cancels Next Year's Rise, One of Asia's Largest Tech Conferences, Over Tension in Hong Kong

Fri, 11/15/2019 - 20:00
The ongoing tension in Hong Kong between the government and pro-democracy protesters continues to spill into the tech domain. From a report: Rise, which is among the largest tech conferences in Asia, will not run next year as planned due to "the ongoing situation in Hong Kong," according to Web Summit, the Ireland-based company that organizes the show. The organizer said it is postponing the sixth edition of its annual conference, which is held in Hong Kong, to March 2021 from March 2020. Web Summit, which hosts similar large-scale conferences in other parts of the world, made the announcement today in an email to previous attendees. A spokesperson confirmed the veracity of the email to TechCrunch. "Over recent months, we have been monitoring the ongoing situation in Hong Kong. Our number one concern is the wellbeing, safety, and security of attendees at our events," it said in a statement. "Given the uncertainty of the situation by early 2020 and after consulting with experts and advisories, we have decided to postpone RISE until 2021."

Germany Forces Apple To Let Other Mobile Wallet Services Use iPhone's NFC Chip

Fri, 11/15/2019 - 16:20
A new German law passed yesterday requires Apple to allow other mobile payments services access to the iPhone's NFC chip for payments to allow them to fully compete with Apple Pay. 9to5Mac reports: Apple initially completely locked down the NFC chip so that it could be used only by Apple Pay. It later allowed some third-party apps to use the chip but has always refused to do so for other mobile payment apps. Reuters reports that the law doesn't name Apple specifically, but would apply to the tech giant. The piece somewhat confusingly refers to access to the NFC chip by third-party payment apps as Apple Pay. "A German parliamentary committee unexpectedly voted in a late-night session on Wednesday to force the tech giant to open up Apple Pay to rival providers in Germany," reports Reuters. "This came in the form of an amendment to an anti-money laundering law that was adopted late on Thursday by the full parliament and is set to come into effect early next year. The legislation, which did not name Apple specifically, will force operators of electronic money infrastructure to offer access to rivals for a reasonable fee." Apple says that the change would be harmful: "We are surprised at how suddenly this legislation was introduced. We fear that the draft law could be harmful to user friendliness, data protection and the security of financial information."

Over Half of Fortune 500 Exposed To Remote Access Hacking

Thu, 11/14/2019 - 10:53
Over a two-week period, the computer networks at more than half of the Fortune 500 left a remote access protocol dangerously exposed to the internet, something many experts warn should never happen, according to new research by the security firm Expanse and 451 Research. From a report: According to Coveware, more than 60% of ransomware is installed via a Windows remote access feature called Remote Desktop Protocol (RDP). It's a protocol that's fine in secure environments but once exposed to the open internet can, at its best, allow attackers to disrupt access and, at its worst, be vulnerable to hacking itself. RDP is a way of offering virtual access to a single computer. It allows, for example, an IT staffer in one office to provide tech support for a baffled user in a different office. But RDP is best used over a secured network rather than over the open internet. "We compare exposed RDP to leaving a computer attached to your network out on your lawn," Matt Kraning, co-founder and CTO of Expanse, told Axios.
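The quickest host-side check for the exposure the Expanse study describes is to ask whether anything is listening on TCP 3389 on a non-loopback address: a listener bound to 0.0.0.0 or [::] is reachable from every interface, so only the firewall or NAT in front of the host separates it from the internet. The script below is an added example, not code from the article or from Expanse; it parses `ss -ltn` (Linux) or `netstat -an` (Windows/Unix) output fed on stdin, and the sample lines in `sample_listeners` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report RDP (TCP 3389) listeners that are bound to a
# non-loopback address. Works on `ss -ltn` style lines (state LISTEN) and
# on `netstat -an` style lines (state LISTENING), for IPv4 and IPv6.

# exposed_rdp: stdin = listener table, stdout = one bound address per line
exposed_rdp() {
    awk '
        toupper($0) ~ /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                # only the local-address column ends in :3389; the peer
                # column ends in :* or :0 and never matches
                if ($i ~ /:3389$/) {
                    addr = $i
                    sub(/:3389$/, "", addr)
                    if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1")
                        print addr
                }
            }
        }' | LC_ALL=C sort -u
}

# Constructed sample: one loopback-only RDP listener (fine), one IPv4
# wildcard and one IPv6 wildcard RDP listener (exposed), plus SSH noise.
sample_listeners() {
    printf '%s\n' \
        'State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
        'LISTEN 0      128    127.0.0.1:3389     0.0.0.0:*' \
        'LISTEN 0      128    0.0.0.0:3389       0.0.0.0:*' \
        'LISTEN 0      128    0.0.0.0:22         0.0.0.0:*' \
        '  TCP    [::]:3389              [::]:0                 LISTENING'
}

# Stand-alone run: prints the two wildcard-bound addresses.
sample_listeners | exposed_rdp
```

On a live host replace `sample_listeners` with `ss -ltn` (or `netstat -an`); an empty result means RDP is either not running or bound only to loopback, which is the state to aim for unless the service sits behind a VPN or gateway.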

Windows and Linux Get Options To Disable Intel TSX To Prevent Zombieload v2 Attacks

Thu, 11/14/2019 - 08:54
Both Microsoft and the Linux kernel teams have added ways to disable support for Intel Transactional Synchronization Extensions (TSX). From a report: TSX is the Intel technology that opens the company's CPUs to attacks via the Zombieload v2 vulnerability. Zombieload v2 is the codename of a vulnerability that allows malware or a malicious threat actor to extract information processed inside a CPU, information they normally shouldn't be able to access due to the security walls present inside modern-day CPUs. This new vulnerability was disclosed earlier this week. Intel said it would release microcode (CPU firmware) updates -- available on the company's Support & Downloads center. But, the reality of a real-world production environment is that performance matters. Past microcode updates for other attacks, such as Meltdown, Spectre, Foreshadow, Fallout, and Zombieload v1, have been known to introduce performance hits of up to 40%. Seeing that all the CPU attacks listed above are not only theoretical but also hard to pull off, some companies don't see this performance hit as an option.
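On Linux the switch the report refers to is the `tsx=off` kernel command-line parameter (with `tsx_async_abort=full` or `full,nosmt` for the VERW buffer-clearing mitigation when TSX must stay on), and the kernel reports the resulting state in `/sys/devices/system/cpu/vulnerabilities/tsx_async_abort`. The following is an added example, not code from Intel, Microsoft or the kernel project: it reads the CPU feature flags, that sysfs file and the boot parameters, and tells you whether TSX is still exposed and what to change. The pure functions take text so they can be run against the constructed `/proc/cpuinfo`, sysfs and `/proc/cmdline` samples embedded below; the `assess()` wording and the `action` strings are mine.

```python
"""Report whether TSX is enabled and how the kernel says TSX Async Abort (TAA)
is mitigated (added example; Linux only)."""
import re
from pathlib import Path

CPUINFO = Path("/proc/cpuinfo")
CMDLINE = Path("/proc/cmdline")
TAA_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/tsx_async_abort")


def cpu_flags(cpuinfo_text):
    """Feature flags from the first 'flags' line of /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def tsx_enabled(flags):
    # TSX shows up as the rtm (and usually hle) CPUID bits; tsx=off clears them
    return "rtm" in flags or "hle" in flags


def classify_taa(status_text):
    """Map the sysfs tsx_async_abort string to a coarse state."""
    s = status_text.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation: TSX disabled"):
        return "mitigated_tsx_off"
    if s.startswith("Mitigation:"):          # "Mitigation: Clear CPU buffers"
        return "mitigated_buffer_clear"
    if s.startswith("Vulnerable"):           # incl. "...attempted, no microcode"
        return "vulnerable"
    return "unknown"


def cmdline_tsx(cmdline_text):
    """Pick out tsx= and tsx_async_abort= boot parameters, if present."""
    found = {}
    for tok in cmdline_text.split():
        m = re.match(r"^(tsx|tsx_async_abort)=(.+)$", tok)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def assess(cpuinfo_text, status_text, cmdline_text):
    """Combine the three sources into a finding plus a recommended action."""
    enabled = tsx_enabled(cpu_flags(cpuinfo_text))
    state = classify_taa(status_text)
    params = cmdline_tsx(cmdline_text)
    if state in ("not_affected", "mitigated_tsx_off") or not enabled:
        action = "none"
    elif state == "mitigated_buffer_clear":
        action = ("TSX still on; VERW buffer clearing covers TAA but costs on every "
                  "return to user space, add tsx=off if nothing needs TSX")
    else:
        action = ("add tsx=off (or tsx_async_abort=full,nosmt if TSX is required) "
                  "to the kernel command line and install the microcode update")
    return {"tsx_enabled": enabled, "taa_state": state,
            "boot_params": params, "action": action}


# Constructed samples (not from a real host): an Intel CPU with TSX exposed,
# a kernel that knows about TAA but has no microcode, and a default cmdline.
SAMPLE_CPUINFO = ("processor\t: 0\nvendor_id\t: GenuineIntel\n"
                  "flags\t\t: fpu vme de pse sse2 ssse3 hle rtm md_clear flush_l1d\n")
SAMPLE_STATUS = "Vulnerable: Clear CPU buffers attempted, no microcode"
SAMPLE_CMDLINE = "BOOT_IMAGE=/boot/vmlinuz-5.3.11 root=/dev/sda1 ro quiet"


def assess_live():
    """Run the check against this machine (returns None if not on Linux)."""
    if not (CPUINFO.exists() and TAA_SYSFS.exists()):
        return None
    return assess(CPUINFO.read_text(), TAA_SYSFS.read_text(), CMDLINE.read_text())


if __name__ == "__main__":
    print(assess_live() or assess(SAMPLE_CPUINFO, SAMPLE_STATUS, SAMPLE_CMDLINE))
```

`rtm`/`hle` disappearing from `/proc/cpuinfo` after a reboot with `tsx=off` is the quick confirmation that the CPUID bits were actually cleared; the sysfs string is what fleet inventories should collect, since it also distinguishes "not affected" silicon from hosts that merely lack the microcode. Windows exposes an equivalent registry switch in Microsoft's speculative-execution guidance for the same advisory; it is out of scope for this Linux-side check.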

YouTube's New Kids' Content System Has Creators Scrambling

Wed, 11/13/2019 - 15:00
As of Tuesday afternoon, YouTube is requiring creators to label any videos of theirs that may appeal to children. If they say a video is directed at kids, data collection will be blocked for all viewers, resulting in lower ad revenue and the loss of some of the platform's most popular features, including comments and end screens. It's a major change in how YouTube works, and has left some creators clueless as to whether they're subject to the new rules. The Verge reports: Reached by The Verge, Google confirmed that this new system was the result of a landmark $170 million settlement YouTube reached with the Federal Trade Commission in September for allegedly violating children's privacy. It's the largest fine ever collected under the Children's Online Privacy Protection Act (COPPA), which forbids collecting data from children under the age of 13 without explicit consent from their parents. In this case, the ruling means YouTube can't employ its powerful ad-targeting system on anyone who might be under the age of 13 -- a dire problem for a platform with so many young users. The new system is already sending creators reeling over what exactly is considered kids' content and what could happen if they unintentionally mislabel videos. Some of YouTube's most popular categories fall into a gray area for the policy, including gaming videos, family vlogging, and toy reviews. [...] In theory, YouTube has always been subject to COPPA, but those restrictions have taken on new urgency in the wake of the recent settlement with the FTC. Under the terms of the settlement, YouTube is required to "develop, implement, and maintain a system for Channel Owners to designate whether their Content on the YouTube Service is directed to Children." Under the system that YouTube rolled out on Tuesday, creators who strictly make children's content can also have their entire channel designated as directed at children.
Once a video is labeled as kids' content, all personalized ads will be shut off, replaced with "contextualized" advertising based on the video itself. In addition to the removal of targeted ads, child-directed YouTube videos will also no longer include a comments section, click-through info cards, end screens, notification functions, and the community tab. "The consequences for not labeling a video as 'child-directed' could be even more severe," reports The Verge. "In its September order, the FTC made it clear that it could sue individual channel owners who abuse this new labeling system. Crucially, those lawsuits will fall entirely on channel owners, rather than on YouTube itself. Under the settlement, YouTube's responsibility is simply to maintain the system and provide ongoing data updates."