Slashdot security articles


Hackers Behind Breach at Hotel Group Marriott Left Clues Suggesting They Were Working For Chinese Government Intelligence Gathering Operation, Report Says

Thu, 12/06/2018 - 07:20
Marriott said last week that a hack that began four years ago had exposed the records of up to 500 million customers in its Starwood hotels reservation system. Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers, Reuters reported, citing three sources who were not authorized to discuss the company's private probe into the attack. From the report: That suggests that Chinese hackers may have been behind a campaign designed to collect information for use in Beijing's espionage efforts and not for financial gain, two of the sources said. While China has emerged as the lead suspect in the case, the sources cautioned it was possible somebody else was behind the hack because other parties had access to the same hacking tools, some of which have previously been posted online.

Australia Passes Anti-Encryption Laws [Update]

Thu, 12/06/2018 - 00:43
Earlier today, Australia's House of Representatives passed the Assistance and Access Bill. The Anti-Encryption Bill, as it is known, would allow the nation's police and anti-corruption forces to ask, before forcing, internet companies, telcos, messaging providers, or anyone deemed necessary, to break into whatever content the agencies want access to. "While the Bill can still be blocked by the Senate -- Australian Twitter has been quite vocal over today's proceedings, especially in regards to the [Australian Labor Party's] involvement," reports Gizmodo. ZDNet highlights the key findings from a report from the Parliamentary Joint Committee on Intelligence and Security (PJCIS): The threshold for industry assistance is recommended to be lifted to offenses with maximum penalties in excess of three years; Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs) will be subjected to statutory time limits, as well as any extension, renewal, or variation to the notices; the systemic weakness clause to apply to all listing acts and things; and the double-lock mechanism of approval from the Attorney-General and Minister of Communications will be needed, with the report saying the Communications Minister will provide "a direct avenue for the concerns of the relevant industry to be considered as part of the approval process." The report's recommendations also call for a review after 18 months of the Bill coming into effect by the Independent National Security Legislation Monitor; TANs issued by state and territory police forces to be approved by the Australian Federal Police commissioner; companies issued with notices to be able to appeal to the Attorney-General to disclose publicly the fact they are issued a TCN; and the committee to review the passed legislation in the new year and report by April 3, 2019, right around when the next election is expected to be called.
In short: "Testimony from experts has been ignored; actual scrutiny of the Bill is kicked down the road for the next Parliament; Labor has made sure it is not skewered by the Coalition and seen to be voting against national security legislation on the floor of Parliament; and any technical expert must have security clearance equal to Australia's spies, i.e. someone who has been in the spy sector." Further reading: Australia Set To Spy on WhatsApp Messages With Encryption Law. UPDATE: The encryption bill has passed the Senate with a final vote of 44-12, with Labor and the Coalition voting for it. "Australia's security and intelligence agencies now have legal authority to force encryption services to break the encryptions," reports The Guardian. Story is developing...

Australia's Anti-Encryption Bill Passes House of Representatives

Wed, 12/05/2018 - 23:00
Earlier today, Australia's House of Representatives passed the Assistance and Access Bill. The Anti-Encryption Bill, as it is known, would allow the nation's police and anti-corruption forces to ask, before forcing, internet companies, telcos, messaging providers, or anyone deemed necessary, to break into whatever content the agencies want access to. "While the Bill can still be blocked by the Senate -- Australian Twitter has been quite vocal over today's proceedings, especially in regards to the [Australian Labor Party's] involvement," reports Gizmodo. ZDNet highlights the key findings from a report from the Parliamentary Joint Committee on Intelligence and Security (PJCIS): The threshold for industry assistance is recommended to be lifted to offenses with maximum penalties in excess of three years; Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs) will be subjected to statutory time limits, as well as any extension, renewal, or variation to the notices; the systemic weakness clause to apply to all listing acts and things; and the double-lock mechanism of approval from the Attorney-General and Minister of Communications will be needed, with the report saying the Communications Minister will provide "a direct avenue for the concerns of the relevant industry to be considered as part of the approval process." The report's recommendations also call for a review after 18 months of the Bill coming into effect by the Independent National Security Legislation Monitor; TANs issued by state and territory police forces to be approved by the Australian Federal Police commissioner; companies issued with notices to be able to appeal to the Attorney-General to disclose publicly the fact they are issued a TCN; and the committee to review the passed legislation in the new year and report by April 3, 2019, right around when the next election is expected to be called.
In short: "Testimony from experts has been ignored; actual scrutiny of the Bill is kicked down the road for the next Parliament; Labor has made sure it is not skewered by the Coalition and seen to be voting against national security legislation on the floor of Parliament; and any technical expert must have security clearance equal to Australia's spies, i.e. someone who has been in the spy sector." Further reading: Australia Set To Spy on WhatsApp Messages With Encryption Law.

Quantum Computers Pose a Security Threat That We're Still Totally Unprepared For

Wed, 12/05/2018 - 19:30
An anonymous reader quotes a report from MIT Technology Review: The world relies on encryption to protect everything from credit card transactions to databases holding health records and other sensitive information. A new report from the U.S. National Academies of Sciences, Engineering, and Medicine says we need to speed up preparations for the time when super-powerful quantum computers can crack conventional cryptographic defenses. The experts who produced the report, which was released today, say widespread adoption of quantum-resistant cryptography "will be a long and difficult process" that "probably cannot be completed in less than 20 years." It's possible that highly capable quantum machines will appear before then, and if hackers get their hands on them, the result could be a security and privacy nightmare. Today's cyberdefenses rely heavily on the fact that it would take even the most powerful classical supercomputers almost unimaginable amounts of time to unravel the cryptographic algorithms that protect our data, computer networks, and other digital systems. But computers that harness quantum bits, or qubits, promise to deliver exponential leaps in processing power that could break today's best encryption. The report cites an example of encryption that protects the process of swapping identical digital keys between two parties, who use them to decrypt secure messages sent to one another. A powerful quantum computer could crack RSA-1024, a popular algorithmic defense for this process, in less than a day. The U.S., Israel and others are working to develop standards for quantum-proof cryptographic algorithms, but they may not be ready or widely adopted by the time quantum computers arrive. "[I]t will take at least a couple of decades to get quantum-safe cryptography broadly in place," the report says in closing. "If that holds, we're going to have to hope it somehow takes even longer before a powerful quantum computer ends up in a malicious hacker's hands."

Thieves Are Boosting the Signal From Key Fobs Inside Homes To Steal Vehicles

Wed, 12/05/2018 - 14:40
An anonymous reader quotes a report from CBC.ca: According to Markham automotive security specialist Jeff Bates, owner of Lockdown Security, wireless key fobs have a role to play in many recent car thefts, with thieves intercepting and rerouting their signals -- even from inside homes -- to open and steal cars. According to Bates, many of these thieves are using a method called "relay theft." Key fobs are constantly broadcasting a signal that communicates with a specific vehicle, he said, and when it comes into a close enough range, the vehicle will open and start. The thief will bring a device close to the home's door, close to where most keys are sitting, to boost the fob's signal. They leave another device near the vehicle, which receives the signal and opens the car. Many people don't realize it, Bates said, but the thieves don't need the fob in the car to drive it away. Bates says, if you have a key fob that can wirelessly unlock/start your car, you should not keep it by the front door. "If you do live in a house, try to leave your keys either upstairs or ... as far away from the vehicle as possible," he said. "The other thing that you can do is there are products out there that you can put your key fob into," such as a Faraday cage -- a box used to block radio signals -- a key pouch, which works similarly, or even a steel box.

Cyber-Espionage Group Uses Chrome Extension To Infect Victims

Wed, 12/05/2018 - 14:00
In what appears to be a first on the cyber-espionage scene, a nation-state-backed hacking group has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers. From a report: This is the first time an APT (Advanced Persistent Threat -- an industry term for nation-state hacking groups) has been seen (ab)using a Chrome extension, although it's not the first time one has used a browser extension, as the Russian-linked Turla APT previously used a Firefox add-on in 2015. A report that's going to be published later today by the ASERT team at Netscout reveals the details of a spear-phishing campaign that's been pushing a malicious Chrome extension since at least May 2018. Hackers used spear-phishing emails to lure victims to websites copied from legitimate academic organizations. These phishing sites, now down, showed a benign PDF document but prevented users from viewing it, redirecting victims to the official Chrome Web Store page to install a (now removed) Chrome extension named Auto Font Manager.

Australia Set To Spy on WhatsApp Messages With Encryption Law

Wed, 12/05/2018 - 06:10
Australia is set to give its police and intelligence agencies the power to access encrypted messages on platforms such as WhatsApp, becoming the latest country to face down privacy concerns in the name of public safety. From a report: Amid protests from companies such as Facebook and Google, the government and main opposition struck a deal on Tuesday that should see the legislation passed by parliament this week. Under the proposed powers, technology companies could be forced to help decrypt communications on popular messaging apps, or even build new functionality to help police access data. Prime Minister Scott Morrison has said the legislation is needed to help foil terrorist attacks and organized crime. Critics say it is flawed and could undermine security across the Internet, jeopardizing activities from online voting to market trading and data storage.

Researchers Discover SplitSpectre, a New Spectre-like CPU Attack

Tue, 12/04/2018 - 19:30
An anonymous reader writes from a report via ZDNet: Three academics from Northeastern University and three researchers from IBM Research have discovered a new variation of the Spectre CPU vulnerability that can be exploited via browser-based code. The vulnerability, which researchers codenamed SplitSpectre, is a variation of the original Spectre v1 vulnerability discovered last year and which became public in January 2018. The difference in SplitSpectre is not in what parts of a CPU's microarchitecture the flaw targets, but how the attack is carried out. Researchers say a SplitSpectre attack is both faster and easier to execute, improving an attacker's ability to recover code from targeted CPUs. The research team says they were successfully able to carry out a SplitSpectre attack against Intel Haswell and Skylake CPUs, and AMD Ryzen processors, via SpiderMonkey 52.7.4, Firefox's JavaScript engine. The good news is that existing Spectre mitigations would thwart the SplitSpectre attacks.

The Secret Service Wants To Test Facial Recognition Around the White House

Tue, 12/04/2018 - 17:25
The Secret Service is planning to test facial recognition surveillance around the White House, "with the goal of identifying 'subjects of interest' who might pose a threat to the president," reports The Verge. The document with the plans was published by the American Civil Liberties Union, describing "a test that would compare closed circuit video footage of public White House spaces against a database of images -- in this case, featuring employees who volunteered to be tracked." From the report: The test was scheduled to begin on November 19th and to end on August 30th, 2019. While it's running, film footage with a facial match will be saved, then confirmed by human evaluators and eventually deleted. The document acknowledges that running facial recognition technology on unaware visitors could be invasive, but it notes that the White House complex is already a "highly monitored area" and people can choose to avoid visiting. We don't know whether the test is actually in operation, however. "For operational security purposes we do not comment on the means and methods of how we conduct our protective operations," a spokesperson told The Verge. The ACLU says that the current test seems appropriately narrow, but that it "crosses an important line by opening the door to the mass, suspicionless scrutiny of Americans on public sidewalks" -- like the road outside the White House. (The program's technology is supposed to analyze faces up to 20 yards from the camera.) "Face recognition is one of the most dangerous biometrics from a privacy standpoint because it can so easily be expanded and abused -- including by being deployed on a mass scale without people's knowledge or permission."

China Announces Punishments For Intellectual-Property Theft

Tue, 12/04/2018 - 16:03
China has announced an array of punishments that could restrict companies' access to borrowing and state-funding support over intellectual-property theft. The news comes after the G20 Summit in Argentina, where the Trump Administration agreed to hold off on tariff action for at least 90 days as they negotiate to resolve specific U.S. complaints. Bloomberg reports: China set out a total of 38 different punishments to be applied to IP violations, starting this month. The document, dated Nov. 21, was released Tuesday by the National Development and Reform Commission and signed by various government bodies, including the central bank and supreme court. China says violators would be banned from issuing bonds or other financing tools, and participating in government procurement. They would also be restricted from accessing government financial support, foreign trade, registering companies, auctioning land or trading properties. In addition, violators will be recorded on a list, and financial institutions will refer to that when lending or granting access to foreign exchange. Names will be posted on a government website. "This is an unprecedented regulation on IP violation in terms of the scope of the ministries and severity of the punishment," said Xu Xinming, a researcher at the Center for Intellectual Property Studies at China University of Political Science and Law. The newly announced punishments are "a security net of IP protection" targeting repeat offenders and other individuals who aren't in compliance with the law, he said.

Quora Data Breach Exposes 100 Million Users' Personal Info

Tue, 12/04/2018 - 14:40
schwit1 shares a report from CBS News: Information sharing website Quora has announced a data breach which has exposed "approximately 100 million users'" personal data. The company said in a statement released Monday that it discovered the "unauthorized access to one of our systems by a malicious third party," on Friday. Chief Executive Adam D'Angelo wrote in the blog post that Quora had alerted law enforcement authorities and was "working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future." D'Angelo said Quora was working to alert the affected users of the site, whose names, email addresses and encrypted passwords, and public content such as their questions, answers and comments, were exposed through the breach. Those users would be required to reset their passwords, D'Angelo said.

Kubernetes' First Major Security Hole Discovered

Tue, 12/04/2018 - 11:48
Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It's a CVSS 9.8 critical security hole. From a report: With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend. Adding insult to injury, these requests are authenticated with the Kubernetes API server's Transport Layer Security (TLS) credentials. Can you say root? I knew you could. Worse still, "In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation." So, yes, anyone who knows about this hole can take command of your Kubernetes cluster.

House GOP Campaign Committee Says Its Emails Were Hacked During 2018 Campaign

Tue, 12/04/2018 - 10:15
The National Republican Congressional Committee was hacked this election cycle, it admitted Tuesday afternoon. From a report: "The NRCC can confirm that it was the victim of a cyber intrusion by an unknown entity. The cybersecurity of the Committee's data is paramount, and upon learning of the intrusion, the NRCC immediately launched an internal investigation and notified the FBI, which is now investigating the matter," NRCC spokesman Ian Prior said in a statement. "To protect the integrity of that investigation, the NRCC will offer no further comment on the incident." The major breach included thousands of emails from four senior aides, according to Politico, which first reported the hacks. An outside vendor noticed and alerted the committee in April. The committee then launched an internal investigation and alerted the FBI.

Marriott's Breach Response Is So Bad, Security Experts Are Filling In the Gaps

Tue, 12/04/2018 - 03:00
An anonymous reader quotes a report from TechCrunch: Last Friday, Marriott sent out millions of emails warning of a massive data breach -- some 500 million guest reservations had been stolen from its Starwood database. One problem: the email sender's domain didn't look like it came from Marriott at all. Marriott sent its notification email from "email-marriott.com," which is registered to a third-party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate -- the domain doesn't load or have an identifying HTTPS certificate. In fact, there's no easy way to check that the domain is real, except a buried note on Marriott's data breach notification site that confirms the domain as legitimate. But what makes matters worse is that the email is easily spoofable. Many others have sounded the alarm on Marriott's lackluster data breach response. Security expert Troy Hunt, who founded data breach notification site Have I Been Pwned, posted a long tweet thread on the hotel chain giant's use of the problematic domain. As it happens, the domain dates back at least to the start of this year, when Marriott used the domain to ask its users to update their passwords. Williams isn't the only one who's resorted to defending Marriott customers from cybercriminals. Nick Carr, who works at security giant FireEye, registered the similarly named "email-mariott.com" on the day of the Marriott breach. "Please watch where you click," he wrote on the site. "Hopefully this is one less site used to confuse victims." Had Marriott just sent the email from its own domain, it wouldn't be an issue.

Two iOS Fitness Apps Were Caught Using Touch ID To Trick Users Into Payments of $120

Mon, 12/03/2018 - 18:45
secwatcher shares a report from Threatpost: Two apps that were posing as fitness-tracking tools were actually using Apple's Touch ID feature to loot money from unassuming iOS victims. The two impacted apps were the "Fitness Balance App" and "Calories Tracker App." Both apps looked normal, and served functions like calculating BMI, tracking daily calorie intake or reminding users to drink water; and both received good reviews on the iOS store. However, according to Reddit users and researchers with ESET, the apps steal money -- almost $120 from each victim -- thanks to a sneaky popup trick involving the Apple Touch ID feature. According to heated victims who took to Reddit to air their complaints, after a user launches one of the apps, it requests a fingerprint scan prompting users to "view their personalized calorie tracker and diet recommendations." After the users use Touch ID, the app then shows a pop-up confirming a payment of $119.99. The pop-up is only visible for a second, according to users. "However, if the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams," said Lukas Stefanko, malware analyst with ESET security, in a Monday post on the scam.

Mapping the Spectral Landscape of IPv6 Networks

Mon, 12/03/2018 - 07:22
Trailrunner7 writes: Like real estate, we're not making any more IPv4 addresses. But instead of trying to colonize Mars or build cities under the sea, the Internet's architects developed a separate address scheme with an unfathomably large pool of addresses. IPv6 has an address space of 2^128, compared to IPv4's 2^32, and as the exhaustion of the IPv4 address space began to approach, registries started allocating IPv6 addresses and there now are billions of those addresses active at any given time. But no one really knows how many or where they are or what's behind them or how they're organized. A pair of researchers decided to tackle the problem and developed a suite of tools that can find active IPv6 addresses both in the global address space and in smaller, targeted networks. Known as ipv666, the open source tool set can scan for live IPv6 hosts using a statistical model that the researchers built. The researchers, Chris Grayson and Marc Newlin, faced a number of challenges as they went about developing the ipv666 tools, including getting a large IPv6 address list, which they accumulated from several publicly available data sets. They then began the painful process of building the statistical model to predict other IPv6 addresses based on their existing list. That may seem weird, but IPv6 addresses are nothing at all like their older cousins and come in a bizarre format that doesn't lend itself to simple analysis or prediction. Grayson and Newlin wanted to find as many live addresses as possible and ultimately try to figure out what the security differences are between devices on IPv4 and those on IPv6.

Prison Inmates Catfished $560,000 Out of Military Service Members in Sextortion Scam, NCIS Says

Sun, 12/02/2018 - 16:20
Hundreds of military service members reportedly got caught up in a sextortion scam run by prison inmates using cellphones, according to a release issued by the Naval Criminal Investigative Service (NCIS). From a report: Military agents from multiple criminal investigation groups have served summons and issued warrants for arrests related to the scheme. According to the NCIS, South Carolina and North Carolina prison inmates, assisted by outside accomplices, sought out service members through dating sites and social media, then took on false identities, feigned romantic interest, and exchanged photos. Once the inmates had successfully catfished their targets, they would then pose as the father of the fake persona, insisting their child was underage and that the target had therefore committed a crime by exchanging photos. In some situations, the "father" claimed he wouldn't press charges if the target gave him money. Sometimes the catfisher would pose as law enforcement requesting money for the family.

SKY Brasil Exposes 32 Million Customer Records

Sun, 12/02/2018 - 11:19
Independent security researcher Fabio Castro found data belonging to 32 million customers of SKY Brasil exposed online. "Using the advanced features of the Shodan search engine, he was able to discover multiple servers in Brazil running Elasticsearch that made information available without authentication," reports BleepingComputer. "A cluster of servers called 'digital-logs-prd' attracted the researcher's attention and with a simple command, he listed the indices available, one of them 429.1GB in size." From the report: The file included personally identifiable information of SKY Brasil customers, which featured full name, email address, service login password, client IP address, payment methods, phone number, and street address. SKY Brasil is a telecommunications company that also offers television services, being the second largest provider of pay-TV services in the country, according to statistics from March. In a conversation with BleepingComputer, Castro said that he reported his findings to the company who fixed the problem by restricting access with a password, an operation that takes just a few minutes. Because the server has been exposed for a long time, the protective measure may have come too late. Castro told us that it is very possible that criminals have already grabbed the data.

Intel Sues Ex-Engineer For Trying To Steal 3D XPoint Technology On His Way To Micron

Sun, 12/02/2018 - 08:16
Intel filed a lawsuit last week against one of its former hardware engineers, alleging he tried to steal confidential chip blueprints to potentially pass on to Micron. "The lawsuit [...] is the latest twist in the tale of Intel and Micron's difficult partnership over 3D XPoint memory," reports The Register. From the report: The legal complaint, aimed at former employee Doyle Rivers, alleges that having "secretly" accepted a position at Chipzilla's former bedfellow, Micron, Rivers had a go at taking confidential trade and personnel data with him as he left. Intel alleged that a few days before leaving, "Rivers tried to access and copy a 'top secret' designated Intel file that Intel's electronic security system blocked from being copied." Chipzilla said the document was related to what it was at pains to say is its "independent" work to productize the 3D XPoint tech into its Optane product line. In other words, blueprints secret to Intel. No one outside Intel, "including Micron," had been privy to such data, the complaint alleged. Intel's security system stopped the file from escaping, but according to the complaint, that did not stop Rivers from allegedly hoovering up a selection of personnel files onto a USB device plugged into his computer. The chipmaker also claimed that Rivers "aggressively" recruited his former colleagues to join him on his grand adventure to pastures new. Intel demanded that Rivers return the USB drive, but he apparently "never responded" to them. Instead, "he handed the USB device over to his new employer." It was later discovered by a forensic investigator that it had been wiped. Intel is now demanding that "a neutral forensic investigator" be allowed to take a look at Rivers' PC to see what was on there, and when exactly the USB stick was erased. There's a deadline of November 16 for Rivers to agree to this probing.

Jailed 'Iceman' Hacker Now Charged With Drone-Smuggling Scheme Orchestrated From Prison

Sun, 12/02/2018 - 06:34
In 2010, Max Ray Butler received a 13-year prison sentence for "hacking" -- at the time, the longest one ever -- after stealing nearly 2 million credit cards and running up fraudulent charges of over $86 million. But eight years into his sentence, he's now being charged with committing five more counts of wire fraud while still in prison, as well as possessing stolen credit card numbers and contraband in prison, plus two more related counts of conspiracy. An anonymous reader quotes the Washington Times: Previously known as Max Ray Butler and by his hacker alias, "Iceman," Max Ray Vision has been charged in a nine-count indictment filed by federal prosecutors that places him at the center of a scheme that allegedly involved using a smuggled cellphone, stolen banking data and a consumer-grade drone to make an airdrop into prison, The Daily Beast first reported Friday.... Prosecutors alleged in the indictment that Vision used a smuggled T-Mobile "My-Touch" cellphone while incarcerated at the Federal Correctional Center in Oakdale, Louisiana, to access the internet and obtain stolen debit card numbers. "Using MoneyGram and Western Union websites, and their respective mobile applications," a grand jury charged in the indictment, "Butler wired funds from the bank accounts associated with the stolen debit card numbers to other inmates at Oakdale FCC," including five co-defendants also charged in the indictment. He later instructed his fellow inmates to transfer the funds obtained from the stolen debit cards to a former cellmate who had been released in May 2015, according to the indictment... Vision's former cellmate allegedly used the stolen funds to purchase an unmanned aerial vehicle, or drone, that was then used in April 2016 to attempt to smuggle another cellphone and other unspecified contraband into prison, according to the indictment... He allegedly began using the smuggled Android phone in Oct. 2014, according to the indictment, roughly 18 months before the airdrop.
"The potential for greater crimes [sic] opportunities are obvious," the Bureau of Prisons concluded in a report cited by The Daily Beast, "i.e. escape, introduction of firearms, etc." "Although [Vision] was only equipped with a smartphone, he proved that he is more than capable to disrupt and circumvent the security of the institution and present a clear danger to the community in general."