Slashdot security articles


Microsoft: 70 Percent of All Security Bugs Are Memory Safety Issues

Mon, 02/11/2019 - 12:20
Around 70 percent of all the vulnerabilities in Microsoft products addressed through a security update each year are memory safety issues, a Microsoft engineer revealed last week at a security conference. From a report: Memory safety is a term used by software and security engineers to describe applications that access the operating system's memory in a way that doesn't cause errors. Memory safety bugs happen when software, accidentally or intentionally, accesses system memory in a way that exceeds its allocated size and memory addresses. Users who often read vulnerability reports come across terms over and over again. Terms like buffer overflow, race condition, page fault, null pointer, stack exhaustion, heap exhaustion/corruption, use after free, or double free -- all describe memory safety vulnerabilities. Speaking at the BlueHat security conference in Israel last week, Microsoft security engineer Matt Miller said that over the last 12 years, around 70 percent of all Microsoft patches were fixes for memory safety bugs.

Users Complain of Account Hacks, But OkCupid Denies a Data Breach

Sun, 02/10/2019 - 19:30
Zack Whittaker reports via TechCrunch: A reader contacted TechCrunch after his [OkCupid] account was hacked. The reader, who did not want to be named, said the hacker broke in and changed his password, locking him out of his account. Worse, they changed his email address on file, preventing him from resetting his password. OkCupid didn't send an email to confirm the address change -- it just blindly accepted the change. "Unfortunately, we're not able to provide any details about accounts not connected to your email address," said OkCupid's customer service in response to his complaint, which he forwarded to TechCrunch. Then, the hacker started harassing him with strange text messages from his phone number that was lifted from one of his private messages. It wasn't an isolated case. We found several cases of people saying their OkCupid account had been hacked. But several users couldn't explain how their passwords -- unique to OkCupid and not used on any other app or site -- were inexplicably obtained. "There has been no security breach at OkCupid," said Natalie Sawyer, a spokesperson for OkCupid. "All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid." Even on OkCupid's own support pages, the company says that account takeovers often happen because someone has an account owner's login information. "If you use the same password on several different sites or services, then your accounts on all of them have the potential to be taken over if one site has a security breach," says the support page. In fact, when we checked, OkCupid was just one of many major dating sites -- like Match, PlentyOfFish, Zoosk, Badoo, JDate, and eHarmony -- that didn't use two-factor authentication at all.

Google Play Caught Hosting An App That Steals Users' Cryptocurrency

Sun, 02/10/2019 - 12:20
The Google Play Store has been caught hosting an app designed to steal cryptocurrency from unwitting end users, according to researchers with Eset security company. "The malware, which masqueraded as a legitimate cryptocurrency app, worked by replacing wallet addresses copied into the Android clipboard with one belonging to attackers," reports Ars Technica. "As a result, people who intended to use the app to transfer digital coins into a wallet of their choosing would instead deposit the funds into a wallet belonging to the attackers." From the report: So-called clipper malware has targeted Windows users since at least 2017. The clipper malware available in Google Play impersonated a service called MetaMask, which is designed to allow browsers to run apps that work with the digital coin Ethereum. The primary purpose of Android/Clipper.C, as Eset has dubbed the malware, was to steal credentials needed to gain control of Ethereum funds. It also replaced both bitcoin and Ethereum wallet addresses copied to the clipboard with ones belonging to the attackers. Eset spotted the app shortly after its introduction to Google Play on February 1. Google has since removed it. Stefanko said it's the first time clipper malware has been hosted in the Android app bazaar. Eset malware researcher Lukas Stefanko wrote: "This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. However, the service currently does not offer a mobile app -- only add-ons for desktop browsers such as Chrome and Firefox. Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims' cryptocurrency funds."

Huawei Would Accept EU Supervision To Lay 5G Network

Sun, 02/10/2019 - 09:17
An anonymous reader quotes a report from TechRadar: Huawei has said it is willing for its equipment and activities to be supervised by the European Union (EU) as it continues to fend off the threat of restrictions on the use of its kit in 5G networks. Last year it emerged the US, which has long frozen out the company from its own telecommunications infrastructure, had been encouraging other western nations to take similar action. The main basis for Washington's fears is a perception that Huawei is linked to the Chinese government and that the use of the company's equipment risks the possibility of backdoors that could be used for espionage. These fears are heightened by 5G because of the sensitive information these networks will carry. The US is concerned that if its allies continue to use Huawei kit, then America's security will be threatened. Now, Abraham Liu, Huawei's chief representative to EU institutions, has used a speech to mark the Chinese New Year to repeat the company's denials and to stress its willingness to cooperate with the EU and European governments. "Cybersecurity should remain as a technical issue instead of an ideological issue. Because technical issues can always be resolved through the right solutions while ideological issue cannot," he is quoted as saying. "We are always willing to accept the supervision and suggestions of all European governments, customers and partners." A number of European nations, including the UK and Germany, have expressed concern about the use of Huawei equipment in their telecoms infrastructure; however, earlier this week, France rejected proposals that would increase checks. Last week, Huawei pledged to spend about $2 billion over five years to resolve the security issues in the United Kingdom. However, they also claimed that the firm "has never and will never use UK-based hardware, software or information gathered in the UK or anywhere else globally, to assist other countries in gathering intelligence."
They added: "We would not do this in any country."

Trump's Border Wall Could Split SpaceX's Texas Launchpad In Two

Sun, 02/10/2019 - 05:34
An anonymous reader quotes the Los Angeles Times: A launchpad on the U.S.-Mexico border, which it plans to use for rockets carrying humans around the world and eventually to Mars, could be split in two by the Trump administration's planned wall... Lawmakers said they were concerned about the effect on the company's 50-acre facility after seeing a Department of Homeland Security map showing a barrier running through what they described as a launchpad... James Gleeson, a SpaceX spokesman, declined to provide details on how the fence would affect the facility. "The Department of Homeland Security and U.S. Customs and Border Protection recently requested SpaceX permit access to our South Texas Launch site to conduct a site survey," he said in a statement. "At this time, SpaceX is evaluating the request and is in communication with DHS to further understand their plans...." Musk is working on a new, more powerful vehicle known as Starship to eventually ferry humans to Mars. SpaceX recently announced that it would test the Starship test vehicle at the site in south Texas.

83% Of Consumers Believe Personalized Ads Are Morally Wrong

Sat, 02/09/2019 - 18:34
An anonymous reader quotes Forbes: A massive majority of consumers believe that using their data to personalize ads is unethical. And a further 76% believe that personalization to create tailored newsfeeds -- precisely what Facebook, Twitter, and other social applications do every day -- is unethical. At least, that's what they say on surveys. RSA surveyed 6,000 adults in Europe and America to evaluate how our attitudes are changing towards data, privacy, and personalization. The results don't look good for surveillance capitalism, or for the free services we rely on every day for social networking, news, and information-finding. "Less than half (48 percent) of consumers believe there are ethical ways companies can use their data," RSA, a fraud prevention and security company, said when releasing the survey results. Oh, and when a company gets hacked? Consumers blame the company, not the hacker, the report says.

Please Stop Using Internet Explorer, Microsoft Says

Sat, 02/09/2019 - 03:25
Microsoft cybersecurity expert Chris Jackson recently published a post on the official Windows IT Pro blog, titled "The perils of using Internet Explorer as your default browser." Jackson urges users that it's time to stop using its old web browser, a product Microsoft officially discontinued in 2015. From a report: In his post, Jackson explains how Microsoft customers still ask him Internet Explorer related questions for their business. The fact of the matter is that while most average internet users have moved on to Google Chrome, Firefox, or Microsoft's Edge, some businesses are still working with older web apps or sites that were designed for Internet Explorer. Instead of updating its tech, many companies have chosen to just keep using the various enterprise compatibility modes of Microsoft's old web browser. But, Jackson says "enough is enough." It's time to even stop calling Internet Explorer a web browser.

Tesla Hacker Launches Open-Source Project 'FreedomEV' To Run On Rooted Teslas, Bring New Wi-Fi Hotspot and Anti-Tracking Features

Sat, 02/09/2019 - 01:45
Slashdot reader internet-redstar writes: The Tesla Hacker, Jasper Nuyens -- who uncovered Tesla's "unconfirmed lane change" last year -- has now launched at FOSDEM an open-source project called "FreedomEV" to run on top of rooted Teslas. It adds new features to the vehicles, such as a "Hotspot Mode" for in-car Wi-Fi and a "Cloak Mode" to prevent all location tracking and more. It hopes to become available for other cars too. Full presentation video can be found here. The Github project and the website. He is looking for contributors and support from Tesla.

Amazon's Home Security Company Is Turning Everyone Into Cops

Fri, 02/08/2019 - 15:20
An anonymous reader quotes a report from Motherboard: Neighbors is not just a social media app: it's a service that's meant to be used with Ring security cameras, a Wi-Fi-powered home security company that was acquired by Amazon last February in a $1 billion deal. Neighbors was launched in May 2018, three months after the acquisition. If you have Ring security cameras, you can upload video content straight from your security camera to Neighbors. [...] Beyond creating a "new neighborhood watch," Amazon and Ring are normalizing the use of video surveillance and pitting neighbors against each other. Chris Gilliard, a professor of English at Macomb Community College who studies institutional tech policy, told Motherboard in a phone call that such "crime and safety" focused platforms can actively reinforce racism. In Amazon's version of a "new neighborhood watch," petty crimes are policed heavily, and racism is common. Video posts on Neighbors disproportionately depict people of color, and descriptions often use racist language or make racist assumptions about the people shown. In many ways, the Neighbors/Ring ecosystem is like a virtual gated community: people can opt themselves in by downloading the Neighbors app, and with a Ring camera, users can frame neighbors as a threat. Motherboard individually reviewed more than 100 user-submitted posts in the Neighbors app between December 6 and February 5, and the majority of people reported as "suspicious" were people of color. Motherboard placed the "home" address at the VICE offices in Williamsburg, Brooklyn and kept the default 5-mile neighborhood radius, meaning the neighborhood encompassed all of lower Manhattan, most of Brooklyn, and parts of Queens and Hoboken. According to the Ring Community Guidelines, the Neighbors app bans "direct threats against any individuals, bullying, harassment, and any posts that demean, defame, or discriminate," but it relies on Neighbors users to report posts that violate that rule.
The guidelines also claim that only "crime and safety related content" is allowed. The guidelines do not define what qualifies as "safety," but they do encourage users to "consider the behavior that made you suspicious and whether such suspicion is reasonable." When asked if Ring moderates content on Neighbors or reviews posts for racism, a company spokesperson said, "The Neighbors app by Ring is meant to facilitate this collaboration within communities by allowing users to easily share and communicate with their neighbors and in some cases, local law enforcement, about crime and safety in real-time."

US Senators Ask DHS To Look Into US Government Workers Using Foreign VPNs

Fri, 02/08/2019 - 10:09
Two US senators have asked the Department of Homeland Security (DHS) to look into the possible dangers of US government workers using VPN apps that are owned by foreign companies and which redirect sensitive government-related traffic through servers located in other countries -- namely China and Russia. From a report: "If U.S. intelligence experts believe Beijing and Moscow are leveraging Chinese and Russian-made technology to surveil Americans, surely DHS should also be concerned about Americans sending their web browsing data directly to China and Russia," said Senators Ron Wyden (D-OR) and Marco Rubio (R-FL) in a letter sent to Christopher Krebs, Director of the DHS' newly founded Cybersecurity and Infrastructure Security Agency (CISA). The two would like the DHS to issue an emergency directive and ban the use of foreign VPN apps if intelligence experts deem them a national security risk.

Australia Parliamentary Network Hacked In Possible Foreign Government Attack

Fri, 02/08/2019 - 05:00
An anonymous reader quotes a report from The Sydney Morning Herald: National security agencies are continuing to scour the Parliament's computer network for threats to MPs' data after what is being described as a "sophisticated" hack attack that could be the work of a foreign government. Alastair MacGibbon, head of the Australian Cyber Security Centre, said the government's cyber experts would work over coming days and weeks to make sure all the breaches had been detected and the hackers' presence removed. The hacking comes just three months ahead of the federal election, prompting fears that if MPs' emails or data were stolen they could be used to cause political interference of the style Russia perpetrated against the United States in the 2016 presidential campaign. Sources said the fact that Parliament had significantly upgraded its cyber defense since an attack by Chinese intelligence agencies in 2011 suggested the latest hackers were highly skilled, potentially pointing to a foreign government. Mr MacGibbon stressed it was too early to say who was behind the attack but said this was part of the investigation. The network is used by all MPs, including ministers. House Speaker Tony Smith and Senate President Scott Ryan said in a joint statement there was "no evidence that any data has been accessed or taken at this time, however this will remain subject to ongoing investigation." They said they had no evidence the hack was an effort to "influence the outcome of parliamentary processes or to disrupt or influence electoral or political processes."

Apple Tells App Developers To Disclose Or Remove Screen Recording Code

Thu, 02/07/2019 - 16:50
An anonymous reader quotes a report from TechCrunch: Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps -- or face removal from the app store, TechCrunch can confirm. In an email, an Apple spokesperson said: "Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity." "We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary," the spokesperson added. It follows an investigation by TechCrunch that revealed major companies, like Expedia, Hollister and Hotels.com, were using a third-party analytics tool to record every tap and swipe inside the app. We found that none of the apps we tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user's app activity. Even though sensitive data is supposed to be masked, some data -- like passport numbers and credit card numbers -- was leaking.

Apple Releases iPhone Update To Fix Group FaceTime Eavesdropping Bug

Thu, 02/07/2019 - 12:46
Apple on Thursday released iOS 12.1.4, an iPhone update that fixes a Group FaceTime bug that allowed users to eavesdrop on each other. The update is available for the iPhone 5S and later, iPad Air and later, and iPod touch 6th generation. From a report: Last week, Apple turned off Group FaceTime after a bug was identified that allowed iPhone users to call another device via the FaceTime video chat service and hear audio on the other end before the recipient had answered the call. It essentially turned any iPhone into a hot mic without the user's knowledge. Apple on Friday said it'd fixed the vulnerability on its servers and that it'd issue a software update to re-enable Group FaceTime. Apple also apologized to users who were affected and said it takes the security of its products "extremely seriously."

Facebook Ordered To Stop Combining WhatsApp and Instagram Data Without Consent in Germany; Company Says It Needs That Data To Fight Terrorism and Child Abuse

Thu, 02/07/2019 - 06:00
Facebook has been ordered to curb its data collection practices in Germany after a landmark ruling on Thursday that the world's largest social network abused its market dominance to gather information about users without their consent. From a report: The order applies to data collected by Facebook-owned platforms like WhatsApp and Instagram, but also third-party sources that Facebook uses to flesh out its advertising profiles, including those of non-users. The Bundeskartellamt, or Federal Cartel Office (FCO), has given Facebook one month to appeal the landmark decision, which comes after a three-year investigation. If the appeal fails, the tech company will have to ensure these data sources are not combined without consent within the next four months. Although the ruling only applies within Germany, the decision could influence regulators in other countries. Gizmodo adds: Facebook insists that combining all of that data is actually great. In fact, the company says, it's keeping everyone safe from stuff like terrorism and child abuse. From Facebook's statement this morning: "Facebook has always been about connecting you with people and information you're interested in. We tailor each person's Facebook experience so it's unique to you, and we use a variety of information to do this -- including the information you include on your profile, news stories you like or share and what other services share with us about your use of their websites and apps. Using information across our services also helps us protect people's safety and security, including, for example, identifying abusive behavior and disabling accounts tied to terrorism, child exploitation and election interference across both Facebook and Instagram."

Many Popular iPhone Apps Secretly Record Your Screen Without Asking

Thu, 02/07/2019 - 05:00
An anonymous reader quotes a report from TechCrunch: Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won't even realize it. And they don't need to ask for permission. You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don't ask or make it clear -- if at all -- that they know exactly how you're using their apps. Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data. Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed "session replay" technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn't work or if there was an error. Every tap, button push and keyboard entry is recorded -- effectively screenshotted -- and sent back to the app developers. [...] Apps that are submitted to Apple's App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user's screen. Glassbox doesn't require any special permission from Apple or from the user, so there's no way a user would know. When asked, Glassbox said it doesn't enforce its customers to mention its usage in their privacy policy. A mobile expert known as The App Analyst recently found Air Canada's iPhone app to be improperly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

Huawei Admits To Needing 5 Years, $2 Billion To Fix Security Issues

Thu, 02/07/2019 - 02:00
Bruce66423 writes: In a remarkable piece of honest self-assessment, Huawei has produced a letter to a House of Commons committee member in response to security concerns raised by the UK Huawei Cyber Security Evaluation Centre (HCSEC) in its annual report, a body that includes Huawei, UK operators and UK government officials. The firm pledged to spend about $2 billion over five years to resolve these issues. However, they also claim that: "Huawei has never and will never use UK-based hardware, software or information gathered in the UK or anywhere else globally, to assist other countries in gathering intelligence. We would not do this in any country" -- a claim in sharp contrast to the ability of the Communist Party of China to suborn anyone into doing so. Good to see that Chinese firms still have a sense of humor. As The Economist puts it: "And China's leaders are tightening their grip on business, including firms such as Huawei in which the state has no stake. This influence has been formalized in the National Intelligence Law of 2017, which requires firms to work with China's one-party state."

Researcher Reveals a Severe, Unpatched Mac Password Flaw To Protest Apple Bug Bounty

Wed, 02/06/2019 - 08:45
Linus Henze, a credible researcher, has revealed an exploit that in a single button press can reveal the passwords in a Mac's keychain. From a report: Keychain is where macOS stores most of the passwords used on the machine, ranging from iMessage private encryption keys to certificates, secured notes, Wi-Fi, and other Apple hardware passwords, app passwords, and web passwords. A pre-installed app called Keychain Access enables users to view the entire list of stored items, unlocking each one individually by repeatedly entering the system password, but Henze's KeySteal exploit grabs everything with a single press of a "Show me your secrets" button. While the demo is run on a 2014 MacBook Pro without Apple's latest security chips, Henze says that it works "without root or administrator privileges and without password prompts, of course." It appears to work on the Mac's login and system keychains, but not iCloud's keychain. Generally, white hat security researchers publicly reveal flaws like this only after informing the company and giving it ample time to fix the issues. But Henze is refusing to assist Apple because it doesn't offer paid bug bounties for macOS.

A Flaw Found in E-Ticketing Systems Used By at Least Eight Airlines Could Be Exploited To Access Sensitive Information About Travelers

Wed, 02/06/2019 - 08:08
Eight airlines, including Southwest, use e-ticketing systems that could allow hackers to access sensitive information about travelers merely by intercepting emails, according to research published Wednesday by the mobile security company Wandera. From a news writeup: Researchers at security and data management company Wandera have uncovered a vulnerability affecting a number of e-ticketing systems that could allow third parties to view, and in some cases even change, a user's flight booking details, or print their boarding passes. The problem affects a number of major airlines including Southwest, Air France, KLM and Thomas Cook. All of these have sent unencrypted check-in links to passengers. On clicking these links, a passenger is directed to a site where they are logged in automatically to the check-in for their flight, and in some cases they can then make changes to their booking.

China Hacked Norway's Visma To Steal Client Secrets, Investigators Say

Wed, 02/06/2019 - 07:27
A prolific espionage group, which the U.S. government believes is Chinese, compromised billion-dollar business service provider Visma in 2018, according to a report by Recorded Future, a threat intelligence firm. From a report: The attack was part of what Western countries said in December is a global hacking campaign by China's Ministry of State Security to steal intellectual property and corporate secrets, according to Recorded Future. China's Ministry of State Security has no publicly available contacts. The foreign ministry did not respond to a request for comment, but Beijing has repeatedly denied any involvement in cyber-enabled spying. Visma took the decision to talk publicly about the breach to raise industry awareness about the hacking campaign, which is known as Cloudhopper and targets technology service and software providers in order to reach their clients. Cyber security firms and Western governments have warned about Cloudhopper several times since 2017 but have not disclosed the identities of the companies affected.

Scammer Groups Are Exploiting Gmail 'Dot Accounts' For Online Fraud

Wed, 02/06/2019 - 06:00
Cyber-criminal groups are exploiting a Gmail feature to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online services. From a report: The trick is an old one and has been used in the past. It refers to Gmail's "dot accounts," a feature of Gmail addresses that ignores dot characters inside Gmail usernames, regardless of their placement. For example, Google considers john.doe@gmail.com, jo.hn.doe@gmail.com, and johndoe@gmail.com as the same Gmail address. Regular users have been using this feature for years to register free trial accounts at online services using the same email address, but spelled out in different ways. In a report published today, the team at email security firm Agari says it saw criminal groups use dotted Gmail addresses in many more places all last year. In an example included in their report, Agari said it saw one group in particular use 56 "dotted" variations of a Gmail address to, among other things, submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit.