Slashdot security articles

News for nerds, stuff that matters

How Verizon and a BGP Optimizer Knocked Large Parts of the Internet Offline Today

Mon, 06/24/2019 - 13:25
Cloudflare issued a blog post explaining how Verizon sent a large chunk of the internet offline this morning after it wrongly accepted a network misconfiguration from a small ISP in Pennsylvania. The outages affected Cloudflare, Facebook, Amazon, and others. The Register reports: For nearly three hours, network traffic that was supposed to go to some of the biggest online names was instead accidentally rerouted through a steel giant based in Pittsburgh. More than 20,000 prefixes -- roughly two per cent of the internet -- were wrongly announced by regional U.S. ISP DQE Communications: this announcement informed the sprawling internet's backbone equipment to thread netizens' traffic through one of DQE's clients, steel giant Allegheny Technologies, a rerouting that was then, mindbogglingly, accepted and passed on to the world by Verizon, a trusted major authority on the internet's highways and byways. And so, systems around the planet automatically updated, and connections destined for Facebook, Cloudflare, and others, ended up going to Allegheny, which black holed the traffic. Internet engineers suspect that a piece of automated networking software -- a BGP optimizer called Noction -- used by DQE was to blame for the problem. But even though these kinds of misconfigurations happen every day, there is significant frustration and even disbelief that a U.S. telco as large as Verizon would pass on this amount of incorrect routing information. The sudden, wrong change should have been caught by filters and never accepted. [...] One key industry group called Mutually Agreed Norms for Routing Security (MANRS) has four main recommendations: two technical and two cultural for fixing the problem.
The two technical approaches are filtering and anti-spoofing, which basically check announcements from other network operators to see if they are legitimate and remove any that aren't; and the cultural fixes are coordination and global validation -- which encourage operators to talk more to one another and work together to flag and remove any suspicious looking BGP changes. Verizon is not a member of MANRS.
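As an added illustration (not code from Cloudflare, The Register, Verizon or MANRS), the following Python models the two technical MANRS controls the story mentions: prefix and origin filtering against a per-neighbour allow-list, plus a max-prefix limit that tears the session down when a neighbour suddenly announces far more routes than it should. Every ASN, prefix and limit is constructed for the example (documentation ranges and private ASNs).

```python
"""Toy model of MANRS-style BGP ingress filtering.

Added example, not from the original article or from any vendor; all ASNs,
prefixes and limits below are constructed (RFC 5737 prefixes, private ASNs).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]   # leftmost = neighbour we hear it from, rightmost = origin AS


@dataclass
class PeerPolicy:
    """Per-neighbour policy a transit provider would build from IRR/RPKI data (constructed here)."""
    peer_asn: int
    allowed_prefixes: List[ipaddress.IPv4Network]   # the neighbour's registered customer cone
    allowed_origins: set                              # ASNs allowed to originate routes via this peer
    max_prefix: int                                   # tear the session down above this many received
    max_prefixlen: int = 24                           # drop overly specific routes
    received: int = 0
    session_down: bool = False


def make_policy(peer_asn, prefixes, origins, max_prefix, max_prefixlen=24):
    """Build a PeerPolicy from plain strings/ints so callers need no ipaddress objects."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return PeerPolicy(peer_asn, nets, set(origins), max_prefix, max_prefixlen)


def evaluate(policy: PeerPolicy, ann: Announcement) -> Tuple[str, str]:
    """Apply the prefix/origin filter to one announcement; return (decision, reason)."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    origin = ann.as_path[-1]
    if ann.as_path[0] != policy.peer_asn:
        return "reject", f"first hop AS{ann.as_path[0]} is not the neighbour AS{policy.peer_asn}"
    if origin not in policy.allowed_origins:
        return "reject", f"origin AS{origin} outside AS{policy.peer_asn}'s registered cone"
    if not any(net.version == a.version and net.subnet_of(a) for a in policy.allowed_prefixes):
        return "reject", f"{ann.prefix} not covered by the allow-list"
    if net.prefixlen > policy.max_prefixlen:
        return "reject", f"/{net.prefixlen} more specific than /{policy.max_prefixlen}"
    return "accept", "matches allow-list"


def process_session(policy: PeerPolicy, announcements):
    """Run a batch of UPDATEs through the policy.

    Max-prefix is enforced on what is *received* (pre-policy), so a flood of
    bogus routes trips it even when every individual route is filtered out.
    """
    log = []
    for ann in announcements:
        if policy.session_down:
            log.append((ann.prefix, "dropped", "session down"))
            continue
        policy.received += 1
        if policy.received > policy.max_prefix:
            policy.session_down = True
            log.append((ann.prefix, "reject",
                        f"max-prefix {policy.max_prefix} exceeded, session torn down"))
            continue
        decision, reason = evaluate(policy, ann)
        log.append((ann.prefix, decision, reason))
    return log


def demo():
    """Constructed scenario: a small neighbour (AS64500) with a one-/24 cone
    suddenly announces other networks' space it learned downstream."""
    policy = make_policy(64500, ["203.0.113.0/24"], [64500, 64501], max_prefix=4)
    updates = [
        Announcement("203.0.113.0/24", (64500,)),                  # legitimate
        Announcement("203.0.113.0/25", (64500, 64501)),            # in cone, but too specific
        Announcement("198.51.100.0/24", (64500, 64501, 64600)),    # leaked: origin outside cone
        Announcement("192.0.2.0/24", (64500, 64501, 64600)),       # leaked
        Announcement("192.0.2.0/25", (64500, 64501, 64600)),       # 5th route trips max-prefix
        Announcement("198.51.100.128/25", (64500, 64501, 64600)),  # session already down
    ]
    return process_session(policy, updates)


if __name__ == "__main__":
    for prefix, decision, reason in demo():
        print(f"{prefix:20} {decision:8} {reason}")
```

Real routers implement the same ideas as prefix-lists, AS-path filters, RPKI origin validation and `maximum-prefix` limits; the toy keeps only the decision logic so the filtering outcome on a leak is visible.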

Apple Releases First Public Betas of macOS Catalina, iOS 13 and iPadOS

Mon, 06/24/2019 - 11:20
Apple today seeded the first beta versions of the upcoming macOS Catalina update, iOS 13 update, and iPadOS update to its public beta testing group, giving non-developers a chance to try out the software ahead of their fall public release. Beta testers who have signed up for Apple's beta testing program will be able to download the macOS Catalina beta through the Software Update mechanism in System Preferences after installing the proper profile. Those who want to be a part of Apple's beta testing program can sign up to participate through the beta testing website, which gives users access to iOS, macOS, and tvOS betas. Similarly, beta testers who have signed up for Apple's beta testing program will receive the iOS 13 beta update over-the-air after installing the proper certificate on an iOS device. New features in the macOS Catalina update include: macOS Catalina eliminates the iTunes app, which has been a key Mac feature since 2001. In Catalina, iTunes has been replaced by Music, Podcasts, and TV apps. The new apps can do everything that iTunes can do, so Mac users aren't going to be losing any functionality, and device management capabilities are now handled by the Finder app. macOS Catalina has a useful new Sidecar feature, designed to turn the iPad into a secondary display for the Mac. For those with an Apple Watch set up to unlock the Mac, there's now an option to approve security prompts in Catalina by tapping on the side button of the watch. Macs with a T2 chip in them also support Activation Lock, making them useless to thieves much as it does on the iPhone. There's a new Find My app that lets you track your lost devices; previously, this functionality was only available via iCloud on the Mac. There's even a new option to find your devices even when they're offline by leveraging Bluetooth connections to other nearby devices, something that's particularly handy on the Mac because it doesn't have a cellular connection.
For developers, a "Project Catalyst" feature lets apps designed for the iPad be ported over to the Mac with just a few clicks in Xcode and some minor tweaks. Apple's ultimate goal with Project Catalyst is to bring more apps to the Mac.

US Considers Requiring 5G Equipment For Domestic Use Be Made Outside China

Mon, 06/24/2019 - 08:43
The Trump administration is examining whether to require that next-generation 5G cellular equipment used in the U.S. be designed and manufactured outside China [Editor's note: the link may be paywalled; alternative source], WSJ reports, citing people familiar with the matter. The move could reshape global manufacturing and further fan tensions between the countries. From the report: A White House executive order last month to restrict some foreign-made networking gear and services due to cybersecurity concerns started a 150-day review of the U.S. telecommunications supply chain. As part of that review, U.S. officials are asking telecom-equipment manufacturers whether they can make and develop U.S.-bound hardware, which includes cellular-tower electronics as well as routers and switches, and software outside of China, the people said. The conversations are in early and informal stages, they said. The executive order calls for a list of proposed rules and regulations by the 150-day deadline, in October; so, any proposals may take months or years to adopt. The proposals could force the biggest companies that sell equipment to U.S. wireless carriers, Finland's Nokia and Sweden's Ericsson, to move major operations out of China to service the U.S., which is the biggest market in the $250 billion-a-year global industry for telecom equipment and related services and infrastructure. There is no major U.S. manufacturer of cellular equipment. U.S. officials have long worried that Beijing could order Chinese engineers to insert security holes into technology made in China. They worry those security holes could be exploited for spying, or to remotely control or disable devices.

The Threat Actor You Can't Detect: Cognitive Bias

Sun, 06/23/2019 - 12:34
Long-time Slashdot reader chicksdaddy shares news of a recent report from cybersecurity company Forcepoint's X-Lab, examining how cybersecurity decision-making is affected by six common biases: For instance, Forcepoint found that older generations are typically characterized by information security professionals as "riskier users based on their supposed lack of familiarity with new technologies." However, studies have found the opposite to be true: younger people are far more likely to engage in risky behavior like sharing their passwords to streaming services. The presumption that older workers pose more of a risk than younger workers is an example of so-called "aggregate bias," in which subjects make inferences about an individual based on a population trend. Biases like this misinform security professionals by directing their focus to individual users based on their supposed group membership. In turn, analysts wrongly direct their focus to the wrong individuals as sources of security issues. Availability bias may influence cybersecurity analysts' decision-making in favor of hot topics in the news, which ultimately cloud other information they may know but are not so frequently exposed to, leading them to make less well-rounded decisions. People encounter "confirmation bias" most frequently during research. By neglecting the bigger picture, assumptions are made and research is specifically tailored to confirm those assumptions. When looking for issues, analysts can often find themselves looking for confirmation of what they already believe to be the cause as opposed to searching for all possible causes. The fundamental attribution error also plays a significant role in misleading security analysts, Forcepoint found. This is manifested when information security analysts or software developers place blame on users being inept instead of considering that their technology may be faulty or that internal factors contributed to a security lapse.
The report also cites what it calls the framing effect. "Security problems are often aggressively worded, and use negative framing strategies to emphasize the potential for loss."

America's NSA Challenges Students With A Codebreaking Competition, Then Recruits Them

Sun, 06/23/2019 - 08:34
This year America's National Security Agency (NSA) is once again "developing a cyber challenge and daring more than 330 schools and 2,600 students to solve it," writes Federal News Network. Slashdot reader eatvegetables shares their report: Kathy Hutson, the senior strategist for industry and academic engagement at the NSA, said the Codebreaker Challenge has become one of the best ways to attract the next generation of talent to the federal government... NSA launched the Codebreaker Challenge in 2013 as a way to further connect with students and professors, who are focused on technology and cyber issues. Over the last six years, the annual initiative has become a much-anticipated challenge with professors making it a part of their classes and students testing their mettle against NSA's cyber experts... The initiative provides students, professors and anyone else who is interested "with a hands-on opportunity to develop their reverse-engineering/low-level code analysis skills while working on a realistic problem set centered around the NSA's mission," said Eric Bryant, a technical director in the crypto analysis organization at the NSA. The 2018 challenge focused on ransomware and blockchain, requiring participants to solve eight separate, but related challenges... Bryant said a group of NSA cyber experts develop the challenge each year on top of their regular duties. He said they try to focus on areas that are either up-and-coming or current cyber threats and attack vectors. For the 2019 Codebreaker Challenge, Bryant said it likely will focus on mobile security threats, probably using an Android operating system... Bryant said he reaches out to all of the students who solve the challenge and NSA sends them letters of recognition and a memento for participating.
"We reach out to these students to figure out what year they are in, how could they come here to do internships or hire them full-time, so we are definitely on that from a hiring and recruitment perspective," Hutson said. The NSA keeps a leaderboard ranking the participating colleges. (Last year Oregon State had over 100 students participating.) The 2018 challenge is still online, Bryant says, "and there are people who are working and submitting solutions."

Microsoft Puts Slack On Internal List of 'Prohibited and Discouraged' Software

Sun, 06/23/2019 - 05:34
PolygamousRanchKid shares a report: GeekWire obtained an internal Microsoft list of prohibited and discouraged technology -- software and online services that the company doesn't want its employees using as part of their day-to-day work. We first picked up on rumblings of the prohibition from Microsoft employees who were surprised that they couldn't use Slack at work, before tracking down the list and verifying its authenticity. While the list references the competitive nature of these services in some situations, the primary criteria for landing in the "prohibited" category are related to IT security and safeguarding company secrets. Slack is in the "prohibited" category of the internal Microsoft list, along with tools such as the Grammarly grammar checker and Kaspersky security software. Services in the "discouraged" category include Amazon Web Services, Google Docs, PagerDuty and even the cloud version of GitHub, the popular software development hub and community acquired by Microsoft last year for $7.5 billion... "It's not just the risk that Google will try to find trade secrets from data stored on their servers," said Christopher Budd, who has worked in security technology for 20 years, including past roles in Microsoft security and privacy communications. "When you're at Microsoft, you're at risk of state sponsored industrial espionage." The article notes that in the past Microsoft adopted an even harsher stance to employees using competing products. "At a company meeting during his tenure as CEO, Steve Ballmer once famously snatched an iPhone from an employee and pretended to stomp on it..." But GeekWire also argues that Microsoft's prohibiting of a popular chat tool "can have implications in a competitive recruiting environment."

Amazon Patents 'Surveillance As a Service' Tech For Its Delivery Drones

Fri, 06/21/2019 - 18:03
Amazon's delivery drones may also be used to offer "surveillance as a service." According to The Verge, "Amazon was recently granted a patent that outlines how its UAVs could keep an eye on customers' property between deliveries while supposedly maintaining their privacy." From the report: The patent was originally filed in June 2015 and became public earlier this month. It describes how the company's drones could be hired to look out for open garage doors, broken windows, graffiti, or even a fire, before alerting the owner of the property.

NASA Hacked Because of Unauthorized Raspberry Pi Connected To Its Network

Fri, 06/21/2019 - 17:42
An anonymous reader quotes a report from ZDNet: A report published this week by the NASA Office of Inspector General reveals that in April 2018 hackers breached the agency's network and stole approximately 500 MB of data related to Mars missions. The point of entry was a Raspberry Pi device that was connected to the IT network of the NASA Jet Propulsion Laboratory (JPL) without authorization or going through the proper security review. NASA described the hackers as an "advanced persistent threat," a term generally used for nation-state hacking groups.

Millions of Dell PCs Vulnerable To Flaw In Pre-Installed Software

Fri, 06/21/2019 - 15:20
secwatcher shares a report from Threatpost: Millions of PCs made by Dell and other OEMs are vulnerable to a flaw stemming from a component in pre-installed SupportAssist software. The flaw could enable a remote attacker to completely take over affected devices. The high-severity vulnerability (CVE-2019-12280) stems from a component in SupportAssist, a proactive monitoring software pre-installed on PCs with automatic failure detection and notifications for Dell devices. That component is made by a company called PC-Doctor, which develops hardware-diagnostic software for various PC and laptop original equipment manufacturers (OEMs). A patch has been issued by PC-Doctor that fixes impacted devices. Impacted customers can find the latest version of SupportAssist here (for single PC users) or here (for IT managers).

Desjardins Data Breach Affecting 2.9 Million Members Caused By Employee Who's Since Been Fired

Fri, 06/21/2019 - 14:40
Freshly Exhumed shares a report from The Georgia Straight: The Quebec-based Desjardins Group has admitted to being victimized by one of the largest data breaches in Canadian history. Laval police informed the financial-services giant that personal information of more than 2.9 million members has been shared with people outside of the organization. This includes 2.7 million people and 173,000 businesses. "This situation is the outcome of unauthorized and illegal use of our internal data by an employee who has since been fired," Desjardins said in a statement. "In light of these events, and given the circumstances, additional security measures were put in place on all accounts." Desjardins, which is the largest federation of credit unions in North America, will be informing people by letters if they've been affected. The leaked data included first and last names, birthdates, social insurance numbers, addresses, phone numbers, email addresses, and details about banking habits. However, passwords, security questions, and PINs were not disclosed.

Prisons Are Banning Books That Teach Prisoners How To Code

Fri, 06/21/2019 - 14:02
An anonymous reader quotes a report from Motherboard: The Oregon Department of Corrections has banned prisoners from reading a number of books related to technology and programming, citing concerns about security. According to public records obtained by the Salem Reporter, the Oregon Department of Corrections has banned dozens of books related to programming and technology as they come through the mail room, ensuring that they don't get into the hands of prisoners. At least in official department code, there is no blanket ban on technology-related books. Instead, each book is individually evaluated to assess potential threats. Many programming-related books are cited as "material that threatens," often including the subject matter ("computer programming") as justification. The Oregon Department of Corrections (DOC) worries that prisoners could use the tools mentioned in some of the programming-related books to compromise their systems. But what's odd is the scope of the ban. Justin Seitz's Black Hat Python book failed the prison's security test since it's geared towards hacking, but so did the books Windows 10 for Dummies and Microsoft Excel 16 for Dummies, which simply teach proficiency in Windows 10 and Excel. Officials at the DOC argue that knowledge of even these basic programs can pose a threat to prisons. "Not only do we have to think about classic prison escape and riot efforts like digging holes, jumping fences and starting fires, modernity requires that we also protect our prisons and the public against data system breaches and malware," DOC spokesperson Jennifer Black said in an emailed statement. "It is a balancing act we are actively trying to achieve."

Facebook Co-founder Chris Hughes Says Libra Will Empower Corporations and Weaken Developing Countries, Urges Global Regulators To Act Now

Fri, 06/21/2019 - 12:05
In May, Facebook co-founder Chris Hughes shocked many when he expressed grave concerns about Facebook's CEO, its business and its impact on the world. He went as far as suggesting that Facebook should be broken up. Two months later, Hughes has another interesting remark to share. He has warned that Facebook's new planned digital currency Libra would shift monetary power to corporate giants. [Editor's note: the link may be paywalled; alternative source.] In an op-ed he wrote today: If even modestly successful, Libra would hand over much of the control of monetary policy from central banks to these private companies, which also include Visa, Uber, and Vodafone. If global regulators don't act now, it could very soon be too late. I've been a cryptocurrency sceptic, believing that the instability and regulatory challenges are just too sizeable. But Libra is different because it is a "stablecoin", with a value pegged to a basket of currencies and other assets. Anyone, whether they use Facebook or not, can buy in with a local currency and cash back out at any time. Vital decisions about Libra's administration, security and underlying assets will be made by the Switzerland-based Libra Association -- essentially Facebook and its largely corporate partners. To avoid complaints that setting up this coin would give a single company dangerous powers, Facebook has smartly limited itself to a single vote on the commission. That doesn't make the prospect of Libra's success any less frightening. This currency would insert a powerful new corporate layer of monetary control between central banks and individuals. Inevitably, these companies will put their private interests -- profits and influence -- ahead of public ones. [...] The Libra Association's goals specifically say that ability will encourage "decentralised forms of governance." 
In other words, Libra will disrupt and weaken nation states by enabling people to move out of unstable local currencies and into a currency denominated in dollars and euros and managed by corporations. The Libra Association promises to choose stable currencies and assets unlikely to suffer inflationary crises. The sponsors are right that a liquid, stable currency would be attractive to many in emerging markets. So attractive, in fact, that if enough people trade out of their local currencies, they could threaten the ability of emerging market governments to control their monetary supply, the local means of exchange, and, in some cases, their ability to impose capital controls.

WeTransfer Shared Its Users' Files With the Wrong People

Fri, 06/21/2019 - 10:50
WeTransfer, a popular online service to transfer and share files, has informed some of its customers of a security incident that resulted in it sending emails with download links to the wrong recipients. BetaNews reports: In the email to customers, WeTransfer said: "We are writing to let you know about a security incident in which a number of WeTransfer service emails were sent to the wrong people. This happened on June 16th and 17th. Our team has been working tirelessly to correct and contain this situation and find out how it happened. We have learned that a transfer you sent or received was also delivered to some people it was not meant to go to. Our records show those files have been accessed, but almost certainly by the intended recipient. Nevertheless, as a precaution we blocked the link to prevent further downloads."

US Blacklists More Chinese Tech Companies Over National Security Concerns

Fri, 06/21/2019 - 10:10
The Trump administration added five Chinese entities to a United States blacklist on Friday, further restricting China's access to American technology and stoking already high tensions as President Trump and President Xi Jinping of China prepare to meet in Japan next week. From a report: The Commerce Department announced that it would add four Chinese companies and one Chinese institute to an "entity list," saying they posed risks to American national security or foreign policy interests [Editor's note: the link may be paywalled; alternative source]. The move essentially bars the entities, which include one of China's leading supercomputer makers, Sugon, and a number of its subsidiaries set up to design microchips, from buying American technology and components without a waiver from the United States government. The move could all but cripple these Chinese businesses, which rely on American chips and other technology to manufacture advanced electronics. Those added to the entity list also include Higon, Chengdu Haiguang Integrated Circuit, Chengdu Haiguang Microelectronics Technology, and Wuxi Jiangnan Institute of Computing Technology, which lead China's development of high performance computing, some of which is used in military applications like simulating nuclear explosions, the Commerce Department said. Each of the aforementioned companies does business under a variety of other names.

Gmail Confidential Mode is Neither Secure Nor Private

Fri, 06/21/2019 - 08:10
Even though Google launched confidential mode over a year ago, people are still confused about what it does. Is it actually secure or private? Is it encrypted? From a report: When you turn it on, does it prevent Google from reading your messages? The answer to these questions is 'no.' In fact, the decision to call it "confidential" suggests a level of security and privacy that doesn't exist in Gmail confidential mode. Gmail's confidential mode does not mean your messages are end-to-end encrypted. Google can still read them. Expiring messages aren't erased for good, and the recipient can always take a screenshot of your message. Gmail's confidential mode does not make emails private because Google can always read them. When you send an email with confidential mode turned on, Google keeps the email contents on its servers. Other Gmail users can read the email in their inbox, but outside users only receive an email notifying them that a sender "has sent you an email via Gmail confidential mode" along with a link to a page on google.com.

Philips Hue Company Announces Lights That Beam Data At 250 Mbps

Thu, 06/20/2019 - 17:45
"Signify, the company formerly known as Philips Lighting that produces Hue-branded smart lights, has announced a new range of internet-transmitting Li-Fi lights called Truelifi," reports The Verge. The lights are capable of transmitting data to devices at speeds of up to 150 Mbps using light waves, rather than the radio signals used by 4G or Wi-Fi. The technology, which can be retrofitted into existing lighting, "can also be used to wirelessly connect two fixed points with data speeds of up to 250 Mbps." From the report: Li-Fi technology has been around for years but so far it's failed to take off. Most internet-connected devices like laptops and smartphones need an external adapter to receive data over Li-Fi, and even then the signal can be blocked when the receiver is in shadow. Signify says you'll need to plug a USB access key into a laptop to receive a Li-Fi signal from its Truelifi products. In the right circumstances, however, Li-Fi's use of light rather than radio signals to transmit data has its advantages. For example, it can be used in areas where there might be a lot of radio frequency interference, or in places like hospitals where RF could interfere with sensitive machines. While Li-Fi signals can be easily blocked, this disadvantage can be a boon to security applications since you have a lot more control over where the network spreads.

Facebook Usage Has Collapsed After Privacy Scandals, Data Shows

Thu, 06/20/2019 - 16:02
mrspoonsi shares a report from the Guardian: Facebook usage has plummeted over the last year, according to data seen by the Guardian, though the company says usage by other measures continues to grow. Since April 2018, the first full month after news of the Cambridge Analytica scandal broke in the Observer, actions on Facebook such as likes, shares and posts have dropped by almost 20%, according to the business analytics firm Mixpanel. Taking that month as a baseline, total actions fell by more than 10% within a month, recovered a bit over the summer and then fell again over the autumn and winter of 2018, except for a brief rally over the period of the U.S. midterm elections. The decline coincided with a series of data, privacy and hate speech scandals. In September the company discovered a breach affecting 50 million accounts, in November it admitted that an executive hired a PR firm to attack the philanthropist George Soros, and it has been repeatedly criticized for allowing its platform to be used to fuel ethnic cleansing in Myanmar. "On top of that, Facebook has continued to lose younger users, who are spreading their time and attention across other social platforms and digital activities," eMarketer said.

Google Admits Bug Could Let People Spy On Nest Cameras

Thu, 06/20/2019 - 15:20
Google on Thursday confirmed that a bug in its Nest security cameras could have allowed users to be spied on. The Daily Dot reports: The issue was first raised by a user on Facebook who recently sold his Nest Cam Indoor yet was still able to access its feed. The problem involves Wink, an app that lets people manage multiple smart devices regardless of their developer. The Facebook user noted that despite carrying out a factory reset on his Nest camera before selling it, his Wink account remained connected to the device, allowing him to view snapshots of the buyer's live feed. Wirecutter tested the vulnerability on its own Nest Cam by linking it to a Wink account and then performing a factory reset. The publication also found it was receiving "a series of still images snapped every several seconds" via its Wink account. "In simpler terms: If you buy and set up a used Nest indoor camera that has been paired with a Wink hub, the previous owner may have unfettered access to images from that camera," Wirecutter says. "And we currently don't know of any cure for this problem." Google responded to the report and said it has fixed the problem. "We were recently made aware of an issue affecting some Nest cameras connected to third-party partner services via Works with Nest," a spokesperson told Wirecutter. "We've since rolled out a fix for this issue that will update automatically, so if you own a Nest camera, there's no need to take any action."

Firefox Zero-Day Was Used In Attack Against Coinbase Employees, Not Its Users

Thu, 06/20/2019 - 08:01
An anonymous reader writes: A recent Firefox zero-day that has made headlines across the tech news world this week was actually used in attacks against Coinbase employees, and not the company's users. Furthermore, the attacks used not one, but two Firefox zero-days, according to Philip Martin, a member of the Coinbase security team, which reported the attacks to Mozilla. One was an RCE reported by a Google Project Zero security researcher to Mozilla in April, and the second was a sandbox escape that was spotted in the wild by the Coinbase team together with the RCE, on Monday. The question here is how an attacker managed to get hold of the details for the RCE vulnerability and use it for his attacks after the vulnerability was privately reported to Mozilla by Google. The attacker could have found the Firefox RCE on his own, he could have bribed a Mozilla/Google insider, hacked a Mozilla/Google employee and viewed details about the RCE, or hacked Mozilla's bug tracker, like another attacker did in 2015.

Oracle Issues Emergency Update To Patch Actively Exploited WebLogic Flaw

Wed, 06/19/2019 - 14:10
An anonymous reader quotes a report from Ars Technica: Oracle on Tuesday published an out-of-band update patching a critical code-execution vulnerability in its WebLogic server after researchers warned that the flaw was being actively exploited in the wild. The vulnerability, tracked as CVE-2019-2729, allows an attacker to run malicious code on the WebLogic server without any need for authentication. That capability earned the vulnerability a Common Vulnerability Scoring System score of 9.8 out of 10. The vulnerability is a deserialization attack targeting two Web applications that WebLogic appears to expose to the Internet by default -- wls9_async_response and wls-wsat.war. The flaw in Oracle's WebLogic Java application servers came to light as a zero-day four days ago when it was reported by security firm KnownSec404.