Slashdot security articles

Syndicate content Slashdot: Generated for TarPitt (217247)
News for nerds, stuff that matters: Generated for TarPitt (217247)
Updated: 2 days 11 hours ago

Hackers Publish Personal Data On Thousands of US Police Officers, Federal Agents

Sat, 04/13/2019 - 05:00
An anonymous reader quotes a report from TechCrunch: A hacker group has breached several FBI-affiliated websites and uploaded their contents to the web, including dozens of files containing the personal information of thousands of federal agents and law enforcement officers, TechCrunch has learned. The hackers breached three sites associated with the FBI National Academy Association, a coalition of different chapters across the U.S. promoting federal and law enforcement leadership and training located at the FBI training academy in Quantico, VA. The hackers exploited flaws on at least three of the organization's chapter websites -- which we're not naming -- and downloaded the contents of each web server. The hackers then put the data up for download on their own website, which we're also not naming nor linking to given the sensitivity of the data. The spreadsheets contained about 4,000 unique records after duplicates were removed, including member names, a mix of personal and government email addresses, job titles, phone numbers and their postal addresses. The FBINAA could not be reached for comment outside of business hours. If we hear back, we'll update. "We hacked more than 1,000 sites," said the hacker. "Now we are structuring all the data, and soon they will be sold. I think something else will publish from the list of hacked government sites." When asked if they were worried that the files they put up for download would put federal agents and law enforcement at risk, the hacker said: "Probably, yes." The hacker claimed to have "over a million data" [sic] on employees across several U.S. federal agencies and public service organizations.

Why Tens of Thousands of Perfectly Good, Donated iPhones Are Shredded Every Year

Fri, 04/12/2019 - 19:30
An anonymous reader quotes a report from Motherboard: Tens of thousands of perfectly usable iPhones are scrapped each year by electronics recyclers because of the iPhone's "activation lock," according to a new analysis paper published Thursday. Earlier this year, we published a lengthy feature about the iPhone's activation lock (also called iCloud lock informally), an anti-theft feature that prevents new accounts from logging into iOS without the original user's iCloud password. This means that stolen phones can't be used by the person who stole it without the original owner's iCloud password (this lock can also be remotely enabled using Find My iPhone.) The feature makes the iPhone a less valuable theft target, but it has had unintended consequences, as well. iCloud lock has led to the proliferation of an underground community of hackers who use phishing and other techniques to steal iCloud passwords from the original owner and unlock phones. It's also impacted the iPhone repair, refurbishing, and recycling industry, because phones that are legitimately obtained often still have iCloud enabled, making that phone useless except for parts. Between 2015 and 2018, the Wireless Alliance, the recycling company in question, collected roughly 6 million cell phones in donation boxes it set up around the country. Of those, 333,519 of them were iPhones deemed by the company to be "reusable." And of those, 33,000 of them were iCloud locked and had to be stripped for parts and scrap metal. Last year, a quarter of all reusable iPhones it collected were activation locked. Allison Conwell, a coauthor of the CoPIRG report, told me in a phone call that the Wireless Alliance's findings show that many people donate their devices intending for them to be reused, but they're scrapped instead. In her paper, Conwell suggests that Apple should work with certified recyclers to unlock phones that have been legitimately donated (a survey of random devices conducted by the Wireless Alliance found that more than 90 percent of them had not been reported lost or stolen.) The paper suggests that Apple could either unlock phones that have not been reported lost or stolen for 30 days, or affirmatively ask users whether they had donated their previous phone and unlock it that way.

Some Enterprise VPN Apps Store Authentication/Session Cookies Insecurely

Fri, 04/12/2019 - 08:50
At least four Virtual Private Network (VPN) applications sold or made available to enterprise customers share security flaws, warns the Carnegie Mellon University CERT Coordination Center (CERT/CC) and the Department of Homeland Security's Computer Emergency Response Center (US-CERT). From a report: VPN apps from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure are impacted, CERT/CC analyst Madison Oliver said in a security alert published earlier today, echoed by the DHS' US-CERT. All four have been confirmed to store authentication and/or session cookies in an non-encrypted form inside a computer's memory or log files saved on disk.

Microsoft Publishes SECCON Framework For Securing Windows 10

Fri, 04/12/2019 - 07:30
An anonymous reader writes: Microsoft published today a generic "security configuration framework" that contains guidance for systems administrators about the basic security settings they should be applying in order to secure Windows 10 devices. The SECCON framework, the name Microsoft gave this framework, is are five different recommendations for securing a Windows 10 device, depending on its role inside an organization (Enterprise security, Enterprise high-security, Enterprise VIP security, DevOps, Administrator). [Note: last two docs are empty and don't include any info just yet]. For each of these security levels, Microsoft has published default templates for Windows policies that sysadmins can apply to desired PCs, based on the access levels those workstations have. Microsoft hopes this will automate a system administrator's job in deploying a basic minimum of security features to Windows 10 systems, on which custom modifications can then be made, depending on each enterprise's needs.

Gmail Becomes First Major Email Provider To Support MTA-STS and TLS Reporting

Thu, 04/11/2019 - 10:15
Google announced this week that Gmail has become the first major email provider to support two new security standards, namely MTA-STS and TLS Reporting. From a report: Both are extensions to the Simple Mail Transfer Protocol (SMTP), the protocol through which all emails are sent today. The purpose of MTA-STS and TLS Reporting is to help email providers establish cryptographically secure connections between each other, with the main goal of twarthing SMTP man-in-the-middle attacks. SMTP man-in-the-middle attacks are a major problem for today's email landscape, where rogue email server operators can intercept, read, and modify the contents of people's emails. The two new standards will prevent this by allowing legitimate email providers to create a secure channel for exchanging emails.

Dragonblood Vulnerabilities Disclosed in Wi-Fi WPA3 Standard

Thu, 04/11/2019 - 06:40
Two security researchers disclosed details this week about a group of vulnerabilities collectively referred to as Dragonblood that impact the Wi-Fi Alliance's recently launched WPA3 Wi-Fi security and authentication standard. From a report: If ever exploited, the vulnerabilities would allow an attacker within the range of a victim's network to recover the Wi-Fi password and infiltrate the target's network. In total, five vulnerabilities are part of the Dragonblood ensemble -- a denial of service attack, two downgrade attacks, and two side-channel information leaks. While the denial of service attack is somewhat unimportant as it only leads to crashing WPA3-compatible access points, the other four are the ones that can be used to recover user passwords. Both the two downgrade attacks and two side-channel leaks exploit design flaws in the WPA3 standard's Dragonfly key exchange -- the mechanism through which clients authenticate on a WPA3 router or access point. In a downgrade attack, Wi-Fi WPA3-capable networks can be coerced in using an older and more insecure password exchange systems, which can allow attackers to retrieve the network passwords using older flaws.

A New Bill Would Force Companies To Check Their Algorithms For Bias

Thu, 04/11/2019 - 05:00
An anonymous reader quotes a report from The Verge: U.S. lawmakers have introduced a bill that would require large companies to audit machine learning-powered systems -- like facial recognition or ad targeting algorithms -- for bias. The Algorithmic Accountability Act is sponsored by Senators Cory Booker (D-NJ) and Ron Wyden (D-OR), with a House equivalent sponsored by Rep. Yvette Clarke (D-NY). If passed, it would ask the Federal Trade Commission to create rules for evaluating "highly sensitive" automated systems. Companies would have to assess whether the algorithms powering these tools are biased or discriminatory, as well as whether they pose a privacy or security risk to consumers. The Algorithmic Accountability Act is aimed at major companies with access to large amounts of information. It would apply to companies that make over $50 million per year, hold information on at least 1 million people or devices, or primarily act as data brokers that buy and sell consumer data. These companies would have to evaluate a broad range of algorithms -- including anything that affects consumers' legal rights, attempts to predict and analyze their behavior, involves large amounts of sensitive data, or "systematically monitors a large, publicly accessible physical place." That would theoretically cover a huge swath of the tech economy, and if a report turns up major risks of discrimination, privacy problems, or other issues, the company is supposed to address them within a timely manner.

Amazon Workers Are Listening To What You Tell Alexa

Wed, 04/10/2019 - 17:00
Amazon reportedly employs thousands of people around the world to help improve its Alexa digital assistant. "The team listens to voice recordings captured in Echo owners' homes and offices," reports Bloomberg. "The recordings are transcribed, annotated and then fed back into the software as part of an effort to eliminate gaps in Alexa's understanding of human speech and help it better respond to commands." From the report: The team comprises a mix of contractors and full-time Amazon employees who work in outposts from Boston to Costa Rica, India and Romania, according to the people, who signed nondisclosure agreements barring them from speaking publicly about the program. They work nine hours a day, with each reviewer parsing as many as 1,000 audio clips per shift, according to two workers based at Amazon's Bucharest office, which takes up the top three floors of the Globalworth building in the Romanian capital's up-and-coming Pipera district. The modern facility stands out amid the crumbling infrastructure and bears no exterior sign advertising Amazon's presence. The work is mostly mundane. One worker in Boston said he mined accumulated voice data for specific utterances such as "Taylor Swift" and annotated them to indicate the searcher meant the musical artist. Occasionally the listeners pick up things Echo owners likely would rather stay private: a woman singing badly off key in the shower, say, or a child screaming for help. The teams use internal chat rooms to share files when they need help parsing a muddled word -- or come across an amusing recording. Sometimes they hear recordings they find upsetting, or possibly criminal. Two of the workers said they picked up what they believe was a sexual assault. When something like that happens, they may share the experience in the internal chat room as a way of relieving stress. Amazon says it has procedures in place for workers to follow when they hear something distressing, but two Romania-based employees said that, after requesting guidance for such cases, they were told it wasn't Amazon's job to interfere. [...] Amazon, in its marketing and privacy policy materials, doesn't explicitly say humans are listening to recordings of some conversations picked up by Alexa. "We use your requests to Alexa to train our speech recognition and natural language understanding systems," the company says in a list of frequently asked questions. In Alexa's privacy settings, the company gives users the option of disabling the use of their voice recordings for the development of new features. A screenshot reviewed by Bloomberg shows that the recordings sent to the Alexa auditors don't provide a user's full name and address but are associated with an account number, as well as the user's first name and the device's serial number. An Amazon spokesperson said in a statement to Bloomberg: "We take the security and privacy of our customers' personal information seriously. We only annotate an extremely small sample of Alexa voice recordings in order [to] improve the customer experience. For example, this information helps us train our speech recognition and natural language understanding systems, so Alexa can better understand your requests, and ensure the service works well for everyone." They added: "We have strict technical and operational safeguards, and have a zero tolerance policy for the abuse of our system. Employees do not have direct access to information that can identify the person or account as part of this workflow. All information is treated with high confidentiality and we use multi-factor authentication to restrict access, service encryption and audits of our control environment to protect it." Further reading: How To Stop Amazon From Listening To Your Recordings

US Firm Wins Bid To Block Huawei From Subsea Pacific Cables

Wed, 04/10/2019 - 16:20
An anonymous reader quotes a report from The Register: An American company is to build a series of undersea cables linking Australia to China after the Aussie government put its foot down and kicked Huawei off the contract. Building on our reports from last year that Australia had blocked Huawei from building a 4,000km cable between Australia, Papua New Guinea and the Solomon Islands, U.S. company TE Subcom has reportedly won the deal to build the link. "All options for meshing the Pacific Islands are good for the development of the economies of these countries," Keir Preedy, chief executive of the Solomon Island Submarine Cable Company, told Reuters. The company is developing the Solomons' new cable. In addition to the Aus-PNG-Solomons route previously announced, TE Subcom will build a cable spur to Hong Kong -- Chinese territory. "It is due for completion in 2022 and also includes a possible trans-Pacific branch to Los Angeles," the newswire stated.

Mysterious Safety-Tampering Malware Infects Second Critical Infrastructure Site

Wed, 04/10/2019 - 12:55
An anonymous reader quotes a report from Ars Technica: Sixteen months ago, researchers reported an unsettling escalation in hacks targeting power plants, gas refineries, and other types of critical infrastructure. Attackers who may have been working on behalf of a nation caused an operational outage at a critical-infrastructure site after deliberately targeting a system that prevented health- and life-threatening accidents. What was unprecedented in this attack -- and of considerable concern to some researchers and critical infrastructure operators -- was the use of an advanced piece of malware that targeted the unidentified site's safety processes. The malware was named Triton and Trisis, because it targeted the Triconex product line made by Schneider Electric. Its development was ultimately linked to a Russian government-backed research institute. Now, researchers at FireEye -- the same security firm that discovered Triton and its ties to Russia -- say they have uncovered an additional intrusion that used the same malicious software framework against a different critical infrastructure site. As was the case in the first intrusion, the attackers focused most of their resources on the facility's OT, or operational technology, which are systems for monitoring and managing physical processes and devices. The discovery has unearthed a new set of never-before-seen custom tools that shows the attackers have been operational since as early as 2014. The existence of these tools, and the attackers' demonstrated interest in operational security, lead FireEye researchers to believe there may be other sites beyond the two already known where the Triton attackers were or still are present. "After establishing an initial foothold on the corporate network, the Triton actor focused most of their effort on gaining access to the OT network," FireEye researchers wrote in a report published Wednesday. "They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment."

Two Out of Three Hotels Accidentally Leak Guests' Personal Data: Symantec

Wed, 04/10/2019 - 12:15
Two out of three hotel websites inadvertently leak guests' booking details and personal data to third-party sites, including advertisers and analytics companies, according to research released by Symantec on Wednesday. From a report: The study, which looked at more than 1,500 hotel websites in 54 countries that ranged from two-star to five-star properties, comes several months after Marriott International disclosed one of the worst data breaches in history. Symantec said Marriott was not included in the study. Compromised personal information includes full names, email addresses, credit card details and passport numbers of guests that could be used by cybercriminals who are increasingly interested in the movements of influential business professionals and government employees, Symantec said.

Google Chrome Wants To Block Some HTTP File Downloads

Wed, 04/10/2019 - 10:15
An anonymous reader writes: Google wants to block some file downloads carried out via HTTP on websites that use HTTPS. The plan is to block EXE, DMG, CRX, ZIP, GZIP, BZIP, TAR, RAR, and 7Z file downloads when the download is initiated via HTTP but the website URL shows HTTPS. Google said it's currently not thinking of blocking all downloads started from HTTP sites, since the browser already warns users about a site's poor security via the "Not Secure" indicator in the URL bar. The idea is to block insecure downloads on sites that appear to be secure (loaded via HTTPS) but where the downloads take place via plain ol' HTTP.

You Can Now Use Your Android Phone as a 2FA Security Key for Google Accounts

Wed, 04/10/2019 - 08:41
Google said today it will now enable Android users to use their smartphones as a Fast Identity Online (FIDO) security key (for two-step authentication) for their Google accounts, thereby addressing one of the biggest challenges that has slowed the adoption of this security measure: convenience. A report adds: You can thus use your Android phone to protect your personal Google account, and your G Suite, Cloud Identity, and Google Cloud Platform work accounts. (Android tablets aren't supported -- Google specifically limited the functionality since users are more likely to have phones with them.) This means Android phones can move from two-step verification (2SV) to two-factor authentication (2FA). 2SV is a method of confirming a user's identity using something they know (password) and a second thing they know (a code sent via text message). 2FA is a method of confirming a user's identity by using a combination of two different factors: something they know (password), something they have (security key), or something they are (fingerprint). The feature is coming only to Android devices versions 7 and up.

Windows XP Dies Final Death As Embedded POSReady 2009 Reaches End of Life

Tue, 04/09/2019 - 17:50
New submitter intensivevocoder shares a report from TechRepublic: Extended support for Windows Embedded POSReady 2009 -- the last supported version of Windows based on Windows XP -- ended on April 9, 2019, marking the final end of the Windows NT 5.1 product line after 17 years, 7 months, and 16 days. Counting this edition, Windows XP is the longest-lived version of Windows ever -- a record which is unlikely to be beaten. Despite the nominal end of support for Windows XP five years ago, the existence of POSReady 2009 allowed users to receive security updates on Windows XP Home and Professional SP3 through the use of a registry hack. Microsoft dissuaded users from doing this, stating that they "do not fully protect Windows XP customers," though no attempt was apparently made to prevent users from using this hack. With POSReady reaching the end of support, the flow of these security updates will likewise come to an end.

Yahoo Offers $118 Million To Settle Lawsuit Over Massive Data Breach

Tue, 04/09/2019 - 17:30
Yahoo is offering to pay $117.5 million to settle its massive data breaches that compromised personal information, including email addresses and passwords. "The proposed settlement was announced on Tuesday, but still needs to be approved by U.S. District Judge Lucy Koh," reports CNN. From the report: Earlier this year, a different version of the class-action settlement was rejected by Koh, who wanted to see more benefit to consumers and a specific settlement amount. Yahoo was hit by multiple data breaches from 2013 to 2016. The 2013 breach affected every single customer account that existed at the time, which totaled 3 billion. Yahoo previously said names, email addresses and passwords were compromised but not financial information.

New Variants of Mirai Botnet Detected, Targeting More IoT Devices

Tue, 04/09/2019 - 16:50
An anonymous reader quotes a report from Ars Technica: Mirai, the "botnet" malware that was responsible for a string of massive distributed denial of service (DDoS) attacks in 2016 -- including one against the website of security reporter Brian Krebs -- has gotten a number of recent updates. Now, developers using the widely distributed "open" source code of the original have added a raft of new devices to their potential bot armies by compiling the code for four more microprocessors commonly used in embedded systems. Researchers at Palo Alto Networks' Unit 42 security research unit have published details of new samples of the Mirai botnet discovered in late February. The new versions of the botnet malware targeted Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. These processors are used on a wide range of embedded systems, including routers, networked sensors, base band radios for cellular communications and digital signal processors. The new variants also include a modified encryption algorithm for botnet communications and a new version of the original Mirai TCP SYN denial-of-service attack. Based on the signature of the new attack option, Unit 42 researchers were able to trace activity of the variants back as far as November 2018.

Verizon Issues Patch For Vulnerabilities on Millions of Fios Routers

Tue, 04/09/2019 - 12:12
Verizon is sending out an update for millions of its routers after security researchers discovered vulnerabilities that could allow potential attackers to take over the devices. From a report: Researchers from Tenable, a security company, detailed three vulnerabilities with Verizon's Fios Quantum Gateway router on Tuesday. The company said it disclosed these security flaws to Verizon last December, and that the company issued a fix on March 13. Verizon said that a small percentage of its customers did not get the update automatically, and will still need a patch to protect against this security flaw. "We were recently made aware of three vulnerabilities related to login and password information on the Broadband Home Router Fios-G1100," a Verizon spokesman said in a statement. "As soon as we were made aware of these vulnerabilities, we took immediate action to remediate them and are issuing patches." The company said that several customers with a particular type of router did not get the update, but said that people affected will not need to take any action. If your router's firmware is running version, you're up to date and safe from the vulnerabilities.

'Exodus' Spyware Found Targeting Apple iOS Users

Mon, 04/08/2019 - 17:40
The surveillance tool dubbed "Exodus" has been ported to the Apple iOS ecosystem. According to Threatpost, the spyware "can exfiltrate contacts, take audio recordings and photos, track location data and more on mobile devices." From the report: Earlier this month, word came that Google had booted a raft of Exodus-laden apps. According to Lookout Security, it turns out that iOS versions had become available outside the App Store, through phishing sites that imitate Italian and Turkmenistani mobile carriers. These are notable in that they abused the Apple Developer Enterprise program. According to Lookout and other research from Security Without Borders, the spyware appears to have been under development for at least five years. It's a three-stage affair, starting with a lightweight dropper that then fetches a large second-stage payload that contains multiple binaries with most of the spy goods housed within them. Finally, a third stage typically uses the Dirty COW exploit (CVE20165195) to obtain root privileges on a targeted device. In delving into the technical details, Lookout saw evidence of a fairly sophisticated operation, suggesting that it may have been initially marketed as a legitimate package for the government or law-enforcement sectors. In order to spread the iOS app outside of the official App Store, the cybercriminals abused Apple's enterprise provisioning system, which allowed them to sign the apps using legitimate Apple certificates. Lookout's analysis found that the iOS variant is a bit cruder than its Android counterpart, and it lacks the ability to exploit device vulnerabilities. However, the apps were still able to use documented APIs to exfiltrate contacts, photos, videos and user-recorded audio recordings, device information and location data; and, it offered a way to perform remote audio recording, though this required push notifications and user interaction. The good news is that Apple has revoked the affected certificates for this particular crop of apps.

Samsung's Galaxy S10 Fingerprint Sensor Fooled By 3D Printer

Mon, 04/08/2019 - 15:00
A Samsung Galaxy S10 user has managed to fool the in-display fingerprint reader on his smartphone using a 3D print of his fingerprint. The Verge reports: In a post on Imgur, user darkshark outlined his project: he took a picture of his fingerprint on a wineglass, processed it in Photoshop, and made a model using 3ds Max that allowed him to extrude the lines in the picture into a 3D version. After a 13-minute print (and three attempts with some tweaks), he was able to print out a version of his fingerprint that fooled the phone's sensor. The Galaxy S10's fingerprint sensor doesn't rely on a capacitive fingerprint scanner that's been used in other versions of the phone, using instead an ultrasonic sensor that's apparently more difficult to spoof. darkshark points out that it didn't take much to spoof his own fingerprint. A concern, he notes, is that payment and banking apps are increasingly using the authentication from a fingerprint sensor to unlock, and all he needed to get into his phone was a photograph, some software, and access to a 3D printer. "I can do this entire process in less than 3 minutes and remotely start the 3d print so that it's done by the time I get to it," he writes.

FBI Criticized For Delaying Breach Notifications, Including Insufficient Details

Mon, 04/08/2019 - 12:21
The Federal Bureau of Investigations does a poor job at notifying victims of a cyber-attack, a US government report released last week said. A story adds: FBI notifications arrive either too late or contain insufficient information for victims to take action, a report from the Department of Justice's Office of the Inspector General (DOJ-OIG) has concluded. The report analyzed Cyber Guardian, an FBI application for storing information about tips and ongoing investigations. The system also allows agents to enter details about suspected victims, which Cyber Guardian can later notify via automated messages. But the DOJ-OIG report said FBI agents are not using the system as it is intended. For example, interviews with 31 agents revealed that 29 entered victim information in a lead category called "Action," rather than the standard "Victim Notification."