Slashdot security articles


Oracle Issues Emergency Update To Patch Actively Exploited WebLogic Flaw

Wed, 06/19/2019 - 14:10
An anonymous reader quotes a report from Ars Technica: Oracle on Tuesday published an out-of-band update patching a critical code-execution vulnerability in its WebLogic server after researchers warned that the flaw was being actively exploited in the wild. The vulnerability, tracked as CVE-2019-2729, allows an attacker to run malicious code on the WebLogic server without any need for authentication. That capability earned the vulnerability a Common Vulnerability Scoring System score of 9.8 out of 10. The vulnerability is a deserialization attack targeting two Web applications that WebLogic appears to expose to the Internet by default -- wls9_async_response and wls-wsat.war. The flaw in Oracle's WebLogic Java application servers came to light as a zero-day four days ago when it was reported by security firm KnownSec404.

How Secure Are Zip Files? Senator Wyden Asks NIST To Develop Standards For Safely Sending and Receiving Files

Wed, 06/19/2019 - 12:14
Federal workers and the public in general might be mistaken about the security of .zip files, Sen. Ron Wyden said on Wednesday [PDF], and he's asking the National Institute of Standards and Technology to issue guidance on the best way to send sensitive files over the internet. Wyden wrote: Government agencies routinely share and receive sensitive data through insecure methods -- such as emailing .zip files -- because employees are not provided the tools and training to do so safely. As you know, it is a routine practice in the government, and indeed the private sector, to send by email-protected .zip files containing sensitive documents. Many people incorrectly believe that password-protected .zip files can protect sensitive data. Indeed, many password-protected .zip files can be easily broken with off-the-shelf hacking tools. This is because many of the software programs that create .zip files use a weak encryption algorithm by default. While secure methods to protect and share data exist and are freely available, many people do not know which software they should use. Given the ongoing threat of cyber attacks by foreign state actors and high-profile data breaches, this is a potentially catastrophic national security problem that needs to be fixed. The government must ensure that federal workers have the tools and training they need to safely share sensitive data. To address this problem, I ask that NIST create and publish an easy-to-understand guide describing the best way for individuals and organizations to securely share sensitive data over the internet.
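The weak default the senator refers to is the legacy "ZipCrypto" stream cipher, which archivers still select unless the user explicitly asks for AES. Whether an archive uses it is recorded in the entry headers, so it can be checked without a password. The Python example below is added here and is not part of the Slashdot post or Wyden's letter: it reads only the central directory and labels each entry as plaintext, legacy ZipCrypto, or AES with its key size. The three sample archives are constructed in memory with hand-built headers (no real encrypted files are involved), the AES extra-field layout follows the WinZip AE-x convention (method 99, extra id 0x9901), and the label names are my own.

```python
import io
import struct
import zipfile

# Constants from the zip APPNOTE and the WinZip AES extension (AE-x).
ENCRYPTED_FLAG = 0x0001      # general-purpose bit 0: entry is encrypted
AES_METHOD = 99              # compression method reserved for WinZip AES
AES_EXTRA_ID = 0x9901        # extra-field header id carrying AES parameters
AES_STRENGTH = {1: 128, 2: 192, 3: 256}


def _aes_strength(extra: bytes):
    """Walk the extra-field chain and return the AES key size, or None if no AE-x record."""
    pos = 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        if tag == AES_EXTRA_ID and size >= 7 and pos + 4 + size <= len(extra):
            # record layout: vendor version (2), vendor id "AE" (2), strength (1), real method (2)
            return AES_STRENGTH.get(extra[pos + 8])
        pos += 4 + size
    return None


def classify_entries(archive_bytes: bytes) -> dict:
    """Label every entry 'plaintext', 'zipcrypto' (legacy, weak) or 'aes-<bits>'.

    Only the central directory is read, so no password is needed and nothing is
    decrypted; this is a triage check to run on an attachment before trusting it."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & ENCRYPTED_FLAG:
                labels[info.filename] = "plaintext"
                continue
            bits = _aes_strength(info.extra) if info.compress_type == AES_METHOD else None
            labels[info.filename] = f"aes-{bits}" if bits else "zipcrypto"
    return labels


def _build_zip(entries) -> bytes:
    """Hand-assemble a minimal archive (constructed test input, not a real file).
    entries: list of (name, flags, method, extra, payload)."""
    local, central, offsets = b"", b"", []
    for name, flags, method, extra, payload in entries:
        n = name.encode()
        offsets.append(len(local))
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                             0, len(payload), len(payload), len(n), len(extra))
        local += n + extra + payload
    for (name, flags, method, extra, payload), off in zip(entries, offsets):
        n = name.encode()
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                               0, 0, 0, len(payload), len(payload), len(n), len(extra),
                               0, 0, 0, 0, off)
        central += n + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


# Constructed samples: an AE-2 record declaring AES-256 with deflate inside,
# and an opaque 16-byte stand-in for ciphertext that is never decrypted.
AES_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
OPAQUE = b"\x00" * 16

SAMPLE_LEGACY = _build_zip([("report.docx", ENCRYPTED_FLAG, 8, b"", OPAQUE)])
SAMPLE_AES = _build_zip([("report.docx", ENCRYPTED_FLAG, AES_METHOD, AES_EXTRA, OPAQUE)])
SAMPLE_PLAIN = _build_zip([("notes.txt", 0, 0, b"", b"hello")])

if __name__ == "__main__":
    for label, blob in (("legacy", SAMPLE_LEGACY), ("aes", SAMPLE_AES), ("plain", SAMPLE_PLAIN)):
        print(label, classify_entries(blob))
```

On a real archive, `classify_entries(open(path, "rb").read())` gives the same labels; a "zipcrypto" result on anything sensitive is the case the letter describes, since that scheme is recoverable with known-plaintext attacks regardless of password length.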

Cloudflare Announces an Ethereum Gateway

Wed, 06/19/2019 - 08:10
Internet security provider Cloudflare is introducing the Ethereum Gateway to its Distributed Web Gateway toolbox enabling users to interact with the Ethereum network without installing any software. From a report: This is part of Cloudflare's Distributed Web Gateway project to expand the decentralized web ecosystem and enhance its reliability, speed, and ease of use. Instead of downloading and cryptographically verifying hundreds of gigabytes of data -- an impossible task for low-power devices and those with low technical barriers to entry -- the gateway enables any device with web access to interact with the Ethereum network. This setup will make it possible to explore the blockchain and add interactive elements to sites powered by Ethereum smart contracts. In fact, the gateway gives people the ability to put new contracts on Ethereum without having to run a node, because Cloudflare will take a signed transaction and push it to the network thereby allowing miners to cryptographically add it. Despite the value Cloudflare brings to gateway clients, the service is completely free. Nick Sullivan, Cloudflare's Head of Cryptography, explains that the program "leverages the existing Cloudflare network, which already provides a number of free services."

House Lawmakers Demand End To Warrantless Collection of Americans' Data

Tue, 06/18/2019 - 15:20
Two House lawmakers are pushing an amendment that would effectively defund a massive data collection program run by the National Security Agency unless the government promises to not intentionally collect data of Americans. TechCrunch reports: The bipartisan amendment -- just 15 lines in length -- would compel the government to not knowingly collect communications -- like emails, messages and browsing data -- on Americans without a warrant. Reps. Justin Amash (R-MI, 3rd) and Zoe Lofgren (D-CA, 19th) have already garnered the support from some of the largest civil liberties and rights groups, including the ACLU, the EFF, FreedomWorks, New America and the Sunlight Foundation. Under the current statute, the NSA can use its Section 702 powers to collect and store the communications of foreign targets located outside the U.S. by tapping into the fiber cables owned and run by U.S. telecom giants. But this massive data collection effort also inadvertently vacuums up Americans' data, who are typically protected from unwarranted searches under the Fourth Amendment. The government has consistently denied to release the number of how many Americans are caught up in the NSA's data collection. For the 2018 calendar year, the government said it made more than 9,600 warrantless searches of Americans' communications, up 28% year-over-year.

Amazon's Ring May Be Branching Out Beyond Outdoor Cameras

Tue, 06/18/2019 - 07:20
The Amazon panopticon may soon be getting a few new eyes. From a report: In February 2018, Amazon paid $1 billion to acquire Ring, the connected-camera doorbell company whose founder was once rejected on Shark Tank. Since then, Ring has been integrated with other Amazon services, allowing live feeds from its devices on Amazon Echo Shows and leading to new products such as smart floodlights. Ring has also helped Amazon to flesh out its rather creepy Key service, where users with Ring doorbells (and other connected products) can choose to let people and deliveries into their homes remotely. Ring has also been building up its Neighbors app, which allows Ring users to share their camera footage with people who live nearby, allowing them to see if they believe any crimes have been committed nearby. Ring has also forged partnerships with more than 50 police departments, leading to communities that are effectively surveilled by the police, through the camera company owned by the US's largest e-commerce company. Amazon is apparently not stopping there with its one-stop viewing. The company recently received trademarks, uncovered by Quartz, for multiple products that bear the Ring name, including Ring Beams, Ring Halo, and Ring Net. All three trademarks are listed as covering a range of uses, many matching what Ring products currently offer, including internet-connected security cameras, alarm systems, lighting, and cloud video storage.

Linux PCs, Servers, Gadgets Can Be Crashed by 'Ping of Death' Network Packets

Mon, 06/17/2019 - 12:45
Artem S. Tashkinov writes: The Register reports that it is possible to crash network-facing Linux servers, PCs, smartphones and tablets, and gadgets, or slow down their network connections, by sending them a series of maliciously crafted packets. It is also possible to hamper FreeBSD machines with the same attack. Patches and mitigations are available, and can be applied by hand if needed, or you can wait for a security fix to be pushed or offered to your at-risk device. A key workaround is to set /proc/sys/net/ipv4/tcp_sack to 0. At the heart of the drama is a programming flaw dubbed SACK Panic aka CVE-2019-11477: this bug can be exploited to remotely crash systems powered by Linux kernel version 2.6.29 or higher, which was released 10 years ago.

Robocalls Are Overwhelming Hospitals and Patients, Threatening a New Kind of Health Crisis

Mon, 06/17/2019 - 12:05
An anonymous reader shares a report: In the heart of Boston, Tufts Medical Center treats scores of health conditions, from administering measles vaccines for children to pioneering next-generation tools that can eradicate the rarest of cancers. But doctors, administrators and other hospital staff struggled to contain a much different kind of epidemic one April morning last year: a wave of thousands of robocalls that spread, like a virus, from one phone line to the next, disrupting communications for hours to come. For most Americans, such robocalls represent an unavoidable digital-age nuisance, resulting in constant interruptions targeting their phones each month. For hospitals, though, the spam calls amount to a literal life-or-death challenge, one that increasingly is threatening doctors and patients in a setting where every second can count. At Tufts Medical Center, administrators registered more than 4,500 calls between about 9:30 and 11:30 a.m. on April 30, 2018, said Taylor Lehmann, the center's chief information security officer. Many of the messages seemed to be the same: Speaking in Mandarin, an unknown voice threatened deportation unless the person who picked up the phone provided their personal information. Such calls are common, widely documented scams that seek to swindle vulnerable foreigners, who may surrender their private data out of fear their families and homes are at risk. But it proved especially troubling at Tufts, which is situated amid Boston's Chinatown neighborhood, Lehmann said. Officials there couldn't block the calls through their telecom carrier, Windstream, which provides phone and web services to consumers and businesses. "There's nothing we could do," Lehmann said Windstream told them.

Google's Login Chief: Apple's Sign-In Button Is Better Than Using Passwords

Sun, 06/16/2019 - 11:34
After Apple announced a single sign-on tool last week, The Verge interviewed Google product management director Mark Risher. Though Google offers its own single sign-on tool, The Verge found him "surprisingly sunny about having a new button to compete with. While the login buttons are relatively simple, they're much more resistant to common attacks like phishing, making them much stronger than the average password -- provided you trust the network offering them." RISHER: I honestly do think this technology will be better for the internet and will make people much, much safer. Even if they're clicking our competitor's button when they're logging into sites, that's still way better than typing in a bespoke username and password, or more commonly, a recycled username and password... Usually with passwords they recommend the capital letters and symbols and all of that, which the majority of the planet believes is the best thing that they should do to improve their security. But it actually has no bearing on phishing, no bearing on password breaches, no bearing on password reuse. We think that it's much more important to reduce the total number of passwords out there... People often push back against the federated model, saying we're putting all our eggs into one basket. It sort of rolls off the tongue, but I think it's the wrong metaphor. A better metaphor might be a bank. There are two ways to store your hundred dollars: you could spread it around the house, putting one dollar in each drawer, and some under your mattress and all of that. Or you could put it in a bank, which is one basket, but it's a basket that is protected by 12-inch thick steel doors. That seems like the better option!

Security Cameras + AI = Dawn of Non-Stop Robot Surveillance

Sat, 06/15/2019 - 20:34
AmiMoJo shared this post from one of the ACLU's senior technology policy analysts about what happens when security cameras get AI upgrades: [I]magine that all that video were being watched -- that millions of security guards were monitoring them all 24/7. Imagine this army is made up of guards who don't need to be paid, who never get bored, who never sleep, who never miss a detail, and who have total recall for everything they've seen. Such an army of watchers could scrutinize every person they see for signs of "suspicious" behavior. With unlimited time and attention, they could also record details about all of the people they see -- their clothing, their expressions and emotions, their body language, the people they are with and how they relate to them, and their every activity and motion... The guards won't be human, of course -- they'll be AI agents. Today we're publishing a report on a $3.2 billion industry building a technology known as "video analytics," which is starting to augment surveillance cameras around the world and has the potential to turn them into just that kind of nightmarish army of unblinking watchers.... Many or most of these technologies will be somewhere between unreliable and utterly bogus. Based on experience, however, that often won't stop them from being deployed -- and from hurting innocent people... We are still in the early days of a revolution in computer vision, and we don't know how AI will progress, but we need to keep in mind that progress in artificial intelligence may end up being extremely rapid. We could, in the not-so-distant future, end up living under armies of computerized watchers with intelligence at or near human levels. These AI watchers, if unchecked, are likely to proliferate in American life until they number in the billions, representing an extension of corporate and bureaucratic power into the tendrils of our lives, watching over each of us and constantly shaping our behavior... 
Policymakers must contend with this technology's enormous power. They should prohibit its use for mass surveillance, narrow its deployments, and create rules to minimize abuse. They argue that the threat is just starting to emerge. "It is as if a great surveillance machine has been growing up around us, but largely dumb and inert -- and is now, in a meaningful sense, 'waking up.'"

These Are the Internet of Things Devices That Are Most Targeted By Hackers

Sat, 06/15/2019 - 14:34
ZDNet reports: Internet-connected security cameras account for almost half of the Internet of Things devices that are compromised by hackers even as homes and businesses continue to add these and other connected devices to their networks. Research from cybersecurity company SAM Seamless Network found that security cameras represent 47 percent of vulnerable devices installed on home networks. According to the data, the average U.S. household contains 17 smart devices while European homes have an average of 14 devices connected to the network... Figures from the security firm suggest that the average device is the target of an average of five attacks per day, with midnight the most common time for attacks to be executed -- it's likely that at this time of the night, the users will be asleep and not paying attention to devices, so won't be witness to a burst of strange behavior. The anonymous reader who submitted this story suggests a possible solution: government inspectors should examine every imported IoT device at the border. "The device gets rejected if it has non-essential ports open, hard-coded or generic passwords, no automated patching for at least four years, etc."

Vim and Neovim Editors Vulnerable To High-Severity Bug

Sat, 06/15/2019 - 09:34
JustAnotherOldGuy quotes Threatpost: A high-severity bug impacting two popular command-line text editing applications, Vim and Neovim, allows remote attackers to execute arbitrary OS commands. Security researcher Armin Razmjou warned that exploiting the bug is as easy as tricking a target into clicking on a specially crafted text file in either editor. Razmjou outlined his research and created a proof-of-concept (PoC) attack demonstrating how an adversary can compromise a Linux system via Vim or Neovim. He said Vim versions before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution... Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, "allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline." "Beyond patching, it's recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelines plugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines," the researcher said.

Cellebrite Says It Can Unlock Any iPhone For Cops

Sat, 06/15/2019 - 02:00
An anonymous reader quotes a report from Wired: On Friday afternoon, the Israeli forensics firm and law enforcement contractor Cellebrite publicly announced a new version of its product known as a Universal Forensic Extraction Device or UFED, one that it's calling UFED Premium. In marketing that update, it says that the tool can now unlock any iOS device cops can lay their hands on, including those running iOS 12.3, released just a month ago. Cellebrite claims UFED Premium can extract files from many recent Android phones as well, including the Samsung Galaxy S9. No other law enforcement contractor has made such broad claims about a single product, at least not publicly. The move signals not only another step in the cat and mouse game between smartphone makers and the government-sponsored firms that seek to defeat their security, but also a more unabashedly public phase of that security face-off. "Cellebrite is proud to introduce #UFED Premium! An exclusive solution for law enforcement to unlock and extract data from all iOS and high-end Android devices," the company wrote on its Twitter feed for the UFED product. On a linked web page, the company says the new tool can pull forensic data off any iOS device dating back to iOS 7, and Android devices not just from Samsung but Huawei, LG, and Xiaomi.

Yubico To Replace Vulnerable YubiKey FIPS Security Keys

Thu, 06/13/2019 - 10:50
Yubico said today it plans to replace certain hardware security keys because of a firmware flaw that reduces the randomness of cryptographic keys generated by its devices. From a report: Affected products include models part of the YubiKey FIPS Series, a line of YubiKey authentication keys certified for use on US government networks (and others) according to the US government's Federal Information Processing Standards (FIPS). According to a Yubico security advisory published today, YubiKey FIPS Series devices that run firmware version 4.4.2 and 4.4.4 contain a bug that keeps "some predictable content" inside the device's data buffer after the power-up operation. This "predictable content" will influence the randomness of cryptographic keys generated on the device for a short period after the boot-up, until the "predictable content" is all used up, and true random data is present in the buffer. This means that, for a short period after booting up, YubiKey FIPS Series devices with the affected 4.4.2 and 4.4.4 versions will generate keys that can be either recovered partially, or in full, depending on the cryptographic algorithm the key is working with for a particular authentication operation.

Huawei Asks Verizon To Pay Over $1 Billion For Over 230 Patents

Thu, 06/13/2019 - 08:50
hackingbear writes: Huawei has told Verizon that the U.S. carrier should pay licensing fees for more than 230 of the Chinese telecoms equipment maker's patents and in aggregate is seeking more than $1 billion, a person briefed on the matter said on Wednesday. Verizon should pay to "solve the patent licensing issue," a Huawei intellectual property licensing executive wrote in February, the Wall Street Journal reported earlier. The patents cover network equipment for more than 20 of the company's vendors including major U.S. tech firms but those vendors would indemnify Verizon, the person said. Some of those firms have been approached directly by Huawei, the person said. The patents in question range from core network equipment, wireline infrastructure to internet-of-things technology, the Journal reported. The licensing fees for the more than 230 patents sought is more than $1 billion, the person said. Huawei has been battling the U.S. government for more than a year. National security experts worry that "back doors" in routers, switches and other Huawei equipment could allow China to spy on U.S. communications. Huawei has denied that it would help China spy.

Facebook Collected Device Data On 187,000 Users Using Banned Snooping

Wed, 06/12/2019 - 18:03
Facebook obtained personal and sensitive device data on about 187,000 users of its now-defunct Research app, which Apple banned earlier this year after the app violated its rules. TechCrunch reports: The social media giant said in a letter to Sen. Richard Blumenthal's office -- which TechCrunch obtained -- that it collected data on 31,000 users in the U.S., including 4,300 teenagers. The rest of the collected data came from users in India. "We know that the provisioning profile for the Facebook Research app was created on April 19, 2017, but this does not necessarily correlate to the date that Facebook distributed the provisioning profile to end users," said Timothy Powderly, Apple's director of federal affairs, in his letter. Facebook said the app dated back to 2016. These "research" apps relied on willing participants to download the app from outside the app store and use the Apple-issued developer certificates to install the apps. Then, the apps would install a root network certificate, allowing the app to collect all the data out of the device -- like web browsing histories, encrypted messages and mobile app activity -- potentially also including data from their friends -- for competitive analysis. In Facebook's case, the research app -- dubbed Project Atlas -- was a repackaged version of its Onavo VPN app, which Facebook was forced to remove from Apple's App Store last year for gathering too much device data. Just this week, Facebook relaunched its research app as Study, only available on Google Play and for users who have been approved through Facebook's research partner, Applause. Facebook said it would be more transparent about how it collects user data.

Team of American Hackers and Emirati Spies Discussed Attacking The Intercept

Wed, 06/12/2019 - 13:25
The Intercept: Operatives at a controversial cybersecurity firm working for the United Arab Emirates government discussed targeting The Intercept and breaching the computers of its employees, according to two sources, including a member of the hacking team who said they were present at a meeting to plan for such an attack. The firm, DarkMatter, brought ex-National Security Agency hackers and other U.S. intelligence and military veterans together with Emirati analysts to compromise the computers of political dissidents at home and abroad, including American citizens, Reuters revealed in January. The news agency also reported that the FBI is investigating DarkMatter's use of American hacking expertise and the possibility that it was wielded against Americans. The campaign against dissidents and critics of the Emirati government, code-named Project Raven, began in Baltimore. A 2016 Intercept article by reporter Jenna McLaughlin revealed how the Maryland-based computer security firm CyberPoint assembled a team of Americans for a contract to hone UAE's budding hacking and surveillance capabilities, leaving some recruits unsettled. Much of the CyberPoint team was later poached by DarkMatter, a firm with close ties to the Emirati government and headquartered just two floors from the Emirati equivalent of the NSA, the National Electronic Security Authority (which later became the Signals Intelligence Agency).

Google Expands Android's Built-in Security Key To iOS Devices

Wed, 06/12/2019 - 10:08
An anonymous reader shares a report: In April, Google announced a groundbreaking technology that could allow Android users to use their smartphones as hardware security keys whenever logging into Google accounts on their laptops or work PCs. Initially, the technology was made available for Chrome OS, macOS, and Windows 10 devices. Today, Google announced it is expanding this technology to iOS as well. Today's news means that iPhone and iPad users can now use their (secondary) Android smartphones as a security key whenever logging into their Google accounts on an iOS device. The technology works basically the same, as Google explained in April, at the Cloud Next 2019 conference.

A Year Later, US Government Websites Are Still Redirecting To Hardcore Porn

Tue, 06/11/2019 - 15:40
An anonymous reader quotes a report from Gizmodo: Dozens of U.S. government websites appear to contain a flaw enabling anyone to generate URLs with their domains that redirect users to external sites, a handy tool for criminals hoping to infect users with malware or fool them into surrendering personal information. Gizmodo first reported a year ago that a wide variety of U.S. government sites were misconfigured, allowing porn bots to create links that redirected visitors to sites with colorful names like "HD Dog Sex Girl" and "Two Hot Russians Love Animal Porn." Among those affected was the Justice Department's Amber Alert site, links from which apparently redirected users to erotic material. The ability to generate malicious links that appear to lead to actual government websites can be a handy pretense for criminals conducting phishing campaigns. What's more, these malicious redirects may be used to send users to websites masquerading as official government services, encouraging them to hand over personal information, such as names, addresses, and Social Security numbers.

US Customs and Border Protection Says Traveler Photos and License Plate Images Stolen In Data Breach

Mon, 06/10/2019 - 14:10
An anonymous reader quotes a report from TechCrunch: U.S. Customs and Border Protection has confirmed a data breach has exposed the photos of travelers and vehicles traveling in and out of the United States. The photos were stolen from a subcontractor's network through a "malicious cyberattack," a CBP spokesperson told TechCrunch in an email. "CBP learned that a subcontractor, in violation of CBP policies and without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network," said an agency statement. "Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract," the statement read. The agency first learned of the breach on May 31. When asked, a spokesperson for CBP didn't say how many photos were taken in the breach or if U.S. citizens were affected. The agency also didn't name the subcontractor. The database that the agency maintains includes traveler images, as well as passport and visa photos. Congress has been notified and the CBP said it is "closely monitoring" CBP-related work by the subcontractor.

Top Voting Machine Maker Reverses Position on Election Security, Promises Paper Ballots

Mon, 06/10/2019 - 09:30
Election Systems & Software has championed electronic voting machines in the US. Now it has had a change of heart about the need for paper records of votes. From a report: TechCrunch understands the decision was made around the time that four senior Democratic lawmakers demanded to know why ES&S, and two other major voting machine makers, were still selling decade-old machines known to contain security flaws. ES&S chief executive Tom Burt's op-ed said voting machines "must have physical paper records of votes" to prevent mistakes or tampering that could lead to improperly cast votes. Sen. Ron Wyden introduced a bill a year ago that would mandate voter-verified paper ballots for all election machines. The chief executive also called on Congress to pass legislation mandating a stronger election machine testing program. Burt's remarks are a sharp turnaround from the company's position just a year ago, in which the election systems maker drew ire from the security community for denouncing vulnerabilities found by hackers at the annual Defcon conference.