Slashdot security articles


Vulnerability in Microsoft CTF Protocol Goes Back To Windows XP

Tue, 08/13/2019 - 12:42
CTF, a little-known Microsoft protocol used by all Windows operating system versions since Windows XP, is insecure and can be exploited with ease. From a report: According to Tavis Ormandy, a security researcher with Google's Project Zero elite security team and the one who discovered the buggy protocol, hackers or malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole. Currently, there are no patches for these bugs, and a quick fix isn't expected, as the vulnerabilities are deeply ingrained in the protocol and its design. What CTF stands for is currently unknown. Even Ormandy, a well-known security researcher, wasn't able to find what it means in all of Microsoft's documentation. What Ormandy found out was that CTF is part of the Windows Text Services Framework (TSF), the system that manages the text shown inside Windows and Windows applications. When users start an app, Windows also starts a CTF client for that app. The CTF client receives instructions from a CTF server about the OS system language and the keyboard input methods. It is unclear how Microsoft will patch the CTF problem.

Tesla Owner Implants RFID Chip From Her Model 3's Keycard Into Her Arm

Mon, 08/12/2019 - 18:10
A Tesla driver figured out a way to implant the RFID tag from her Model 3's keycard into her forearm. Now, all she needs to do to unlock and turn on her car is to hold her forearm near the console -- no physical key fob or smartphone required. The Verge reports: Amie DD is a software engineer and self-described "maker of things." In a video, she explained that she had implanted an RFID tag in her arm years ago, which she had used to open her home's front door and to send a smartphone's browser to her personal website. When she preordered her Model 3, she realized that she could probably do something similar with the keycard. She didn't have any luck transferring the software to her existing chip, so she decided to extract the card's chip and implant that into her arm. To do that, she dissolved the card using acetone, and had it encased in a biopolymer. From there, she went to a body-modification studio to have the chip (about the size of a Lego mini-figure) implanted into her forearm. In another video (warning, there's some blood), she shows off the implantation. She also documented her process on Hackaday. She told The Verge that the chip does work, but the range from her arm to the console "isn't the greatest." It's only about an inch, but she's hoping that it'll improve as the swelling of her arm goes down.

Russia Says New Weapon Blew Up In Nuclear Accident Last Week

Mon, 08/12/2019 - 16:52
An anonymous reader quotes a report from Bloomberg: The failed missile test that ended in an explosion killing five atomic scientists last week on Russia's White Sea involved a small nuclear power source, according to a top official at the institute where they worked. The men "tragically died while testing a new special device," Alexei Likhachev, the chief executive officer of state nuclear monopoly Rosatom, said at their funeral Monday in Sarov, a high-security city devoted to atomic research less than 400 kilometers (250 miles) east of Moscow where the institute is based. The part of the Russian Federal Nuclear Center that employed them is developing small-scale power sources that use "radioactive materials, including fissile and radioisotope materials" for the Defense Ministry and civilian uses, Vyacheslav Soloviev, scientific director of the institute, said in a video shown by local TV. The blast occurred Aug. 8 during a test of a missile engine that used "isotope power sources" on an offshore platform in the Arkhangelsk region, close to the Arctic Circle, Rosatom said over the weekend. The Defense Ministry initially reported two were killed in the accident, which it said involved testing of a liquid-fueled missile engine. The ministry didn't mention the nuclear element. It caused a brief spike in radiation in the nearby port city of Severodvinsk, according to a statement on the local administration's website that was later removed. A Sarov institute official on the video posted Sunday said radiation levels jumped to double normal levels for less than an hour and no lasting contamination was detected. The Russian military said radiation levels were normal but disclosed few details about the incident. There's speculation that the weapon being tested was the SSC-X-9 Skyfall, known in Russia as the Burevestnik, a nuclear-powered cruise missile that President Vladimir Putin introduced last year.

Ring Told People To Snitch On Their Neighbors In Exchange For Free Stuff

Mon, 08/12/2019 - 16:12
popcornfan679 shares a report from Motherboard: Ring, Amazon's home security company, has encouraged people to form their own "Digital Neighborhood Watch" groups that report crime in exchange for free or discounted Ring products, according to an internal company slide presentation obtained by Motherboard. The slide presentation -- which is titled "Digital Neighborhood Watch" and was created in 2017, according to Ring -- tells people that if they set up these groups, report all suspicious activity to police, and post endorsements of Ring products on social media, then they can get discount codes for Ring products and unspecified Ring "swag." A Ring spokesperson said the program described in the slide presentation was rolled out in 2017, before Ring was acquired by Amazon. They said it was discontinued that same year. "This particular idea was not rolled out widely and was discontinued in 2017," Ring said. "We will continue to invent, iterate, and innovate on behalf of our neighbors while aligning with our three pillars of customer privacy, security, and user control." "Some of these ideas become official programs, and many others never make it past the testing phase," Ring continued, adding that the company "is always exploring new ideas and initiatives."

Epic Hit With Class-Action Suit Over Hacked Fortnite Accounts

Mon, 08/12/2019 - 11:35
Epic Games is being sued over security breaches that allowed hackers to access the personal information of Epic Games accounts. From a report: The class-action lawsuit, filed by Franklin D. Azar & Associates in U.S. District Court in North Carolina, alleges Epic's "failure to maintain adequate security measures and notify users of the security breach in a timely manner." The lawsuit states that "there are more than 100 class members." In January, Epic acknowledged that a bug in Fortnite may have exposed personal information for millions of user accounts.

Getting Cool Vanity License Plate 'NULL' Is Not Really a Cool Idea, Infosec Researcher Discovers

Mon, 08/12/2019 - 10:50
Choosing NULL as your license plate might seem like a funny idea. But as an infosec researcher discovered recently, the cool-looking NULL vanity plate comes with its own consequences. Researcher Droogie (that's his handle), who presented at this year's DEF CON in Las Vegas, said he has been on the receiving end of thousands of dollars worth of tickets that aren't his. From a report: Droogie registered a vanity California license plate consisting solely of the word "NULL" -- which in programming is a term for no specific value -- for fun. And, he admitted to laughs, on the off chance it would confuse automatic license plate readers and the DMV's ticketing system. "I was like, 'I'm the shit,'" he joked to the crowd. "'I'm gonna be invisible.' Instead, I got all the tickets." Things didn't go south immediately. As Droogie explained, he's a cautious driver and didn't get any tickets for the first year he owned the vanity plate. Then he went to reregister his tags online, and, when prompted to input his license plate, broke the DMV webpage. It seemed the DMV site didn't recognize the plate "NULL" as an actual input. That was the first sign that something was amiss. The next sign was, well, a little more serious: After receiving a legitimate parking ticket, thousands of dollars in random tickets started arriving in the mail at his house, addressed to him. It seemed that a privately operated citation processing center had a database of outstanding tickets, and, for some reason -- possibly due to incomplete data on their end -- many of those tickets were assigned to the license plate "NULL." In other words, the processing center was likely trying to tell its systems it didn't know the plates of the offending cars. Instead, with Droogie's vanity plate now in play, it pegged all those outstanding tickets on him. Specifically, over $12,000 worth of outstanding tickets.
Long story short, Droogie went through the painstaking process of explaining the situation to the DMV and the LAPD, both of whom advised him to change his plate. At any rate, the DMV reached out to the private vendor and sorted the issue.
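The failure mode the story describes is an in-band sentinel: a system that records "plate unknown" as the string "NULL" cannot tell that record apart from a real plate spelled NULL. The following is an added, constructed example (not the vendor's or the DMV's code; the report only speculates about incomplete data) that models the collision and the fix of keeping "unknown" out of band.

```python
"""Sentinel-string collision behind the NULL plate story (constructed example).

The report speculates that a citation vendor recorded unknown plates as the
string "NULL". Modelled here: tickets whose plate is unknown, billed against a
registry that legitimately contains the vanity plate "NULL".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNKNOWN_PLATE_SENTINEL = "NULL"  # the problematic in-band marker


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    plate: Optional[str]  # None means the plate reader recovered nothing
    amount: float


# Constructed registry: plate -> registered owner.
REGISTRY = {"7ABC123": "alice", "NULL": "droogie"}

# Constructed tickets: two with a readable plate, two with an unknown plate.
TICKETS = [
    Ticket("T1", "7ABC123", 65.0),
    Ticket("T2", None, 90.0),
    Ticket("T3", None, 120.0),
    Ticket("T4", "NULL", 45.0),  # the one legitimate ticket on the NULL plate
]


def serialize_buggy(ticket: Ticket) -> str:
    """Export a ticket as CSV, encoding 'unknown' in-band as the text NULL."""
    plate = ticket.plate if ticket.plate is not None else UNKNOWN_PLATE_SENTINEL
    return f"{ticket.ticket_id},{plate},{ticket.amount}"


def assign_buggy(rows: List[str], registry: Dict[str, str]) -> Dict[str, float]:
    """Billing side: match on the plate string, so the sentinel becomes a plate."""
    owed: Dict[str, float] = {}
    for row in rows:
        _ticket_id, plate, amount = row.split(",")
        owner = registry.get(plate)
        if owner is not None:
            owed[owner] = owed.get(owner, 0.0) + float(amount)
    return owed


def assign_fixed(tickets: List[Ticket], registry: Dict[str, str]) -> Tuple[Dict[str, float], List[str]]:
    """Keep 'unknown' out-of-band (None) and never look it up in the registry.

    Unmatched tickets are returned separately so they can be reviewed rather
    than silently attached to whoever happens to own a colliding plate.
    """
    owed: Dict[str, float] = {}
    unmatched: List[str] = []
    for t in tickets:
        if t.plate is None:
            unmatched.append(t.ticket_id)
            continue
        owner = registry.get(t.plate)
        if owner is None:
            unmatched.append(t.ticket_id)
        else:
            owed[owner] = owed.get(owner, 0.0) + t.amount
    return owed, unmatched


if __name__ == "__main__":
    rows = [serialize_buggy(t) for t in TICKETS]
    print("buggy :", assign_buggy(rows, REGISTRY))
    print("fixed :", assign_fixed(TICKETS, REGISTRY))
```

With the sentinel in play the two unreadable tickets land on the NULL plate's owner; with None kept out of band they surface as unmatched instead.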

Does Quantum Cryptography Need a Reboot?

Sun, 08/11/2019 - 17:39
"Despite decades of research, there's no viable roadmap for how to scale quantum cryptography to secure real-world data and communications for the masses," according to IEEE Spectrum. Wave723 shares their report: A handful of companies now operate or pay for access to networks secured using quantum cryptography in the United States, China, Austria, and Japan. According to a recent industry report, six startups plus Toshiba are leading efforts to provide quantum cryptography to governments, large companies (including banks and financial institutions), and small to medium enterprises. But these early customers may never provide enough demand for these services to scale... From a practical standpoint, then, it doesn't appear that quantum cryptography will be anything more than a physically elaborate and costly -- and, for many applications, largely ignorable -- method of securely delivering cryptographic keys anytime soon. This is in part because traditional cryptography, relying as it does on existing computer networks and hardware, costs very little to implement. Whereas quantum crypto requires an entirely new infrastructure of delicate single-photon detectors and sources, and dedicated fiber optic lines. So its high price tag must be offset by a proven security benefit it could somehow deliver -- a benefit that has remained theoretical at best. Though it was supposed to replace mathematical cryptography, "Math may get the last laugh," the article explains. "An emerging subfield of mathematics with the somewhat misleading name 'post-quantum cryptography' now appears better situated to deliver robust and broadly scalable cryptosystems that could withstand attacks from quantum computers." They quote the security engineer at a New York cybersecurity firm who says quantum cryptography "seems like a solution to a problem that we don't really have." 
The article ends by suggesting that research may ultimately be applicable to quantum computers -- which could then be used to defeat math-based cryptography. But riffing on the article's title, sjames (Slashdot reader #1,099) quips that instead of giving quantum cryptography a reboot, maybe it just needs the boot.

'Who Owns Your Wireless Service? Crooks Do'

Sun, 08/11/2019 - 13:43
Long-time Slashdot reader trolman shared this scathing editorial by security researcher Brian Krebs: If you are somehow under the impression that you -- the customer -- are in control over the security, privacy and integrity of your mobile phone service, think again. And you'd be forgiven if you assumed the major wireless carriers or federal regulators had their hands firmly on the wheel. No, a series of recent court cases and unfortunate developments highlight the sad reality that the wireless industry today has all but ceded control over this vital national resource to cybercriminals, scammers, corrupt employees and plain old corporate greed... Incessantly annoying and fraudulent robocalls. Corrupt wireless company employees taking hundreds of thousands of dollars in bribes to unlock and hijack mobile phone service. Wireless providers selling real-time customer location data, despite repeated promises to the contrary. A noticeable uptick in SIM-swapping attacks that lead to multi-million dollar cyberheists... Is there any hope that lawmakers or regulators will do anything about these persistent problems? Gigi Sohn, a distinguished fellow at the Georgetown Institute for Technology Law and Policy, said the answer -- at least in this administration -- is probably a big "no." "The takeaway here is the complete and total abdication of any oversight of the mobile wireless industry," Sohn told KrebsOnSecurity. "Our enforcement agencies aren't doing anything on these topics right now, and we have a complete and total breakdown of oversight of these incredibly powerful and important companies."

Researchers Find More Than 40 Vulnerable Windows Device Drivers

Sun, 08/11/2019 - 11:34
Artem S. Tashkinov writes: Researchers from security company Eclypsium have discovered that more than forty drivers from at least twenty different vendors -- including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei -- include critical vulnerabilities allowing an escalation of privileges to full system level access. Considering how widespread these drivers are, and the fact that they are digitally signed by Microsoft, they allow an attacker to more successfully penetrate target systems and networks, as well as remain hidden. Also while some of these drivers "are designed to update firmware, the driver is providing not only the necessary privileges, but also the mechanism to make changes" which means the attacker can gain a permanent foothold. Eclypsium has already notified Microsoft about the issues and at least NVIDIA has already released fixed drivers.

DARPA Hopes To Develop an AI Tool That Can Detect Deepfakes

Sun, 08/11/2019 - 07:34
America's Defense Department "is looking to build tools that can quickly detect deepfakes and other manipulated media amid the growing threat of 'large-scale, automated disinformation attacks,'" reports Nextgov: The Defense Advanced Research Projects Agency on Tuesday announced it would host a proposers day for an upcoming initiative focused on curbing the spread of malicious deepfakes, shockingly realistic but forged images, audio and videos generated by artificial intelligence. Under the Semantic Forensics program, or SemaFor, researchers aim to help computers use common sense and logical reasoning to detect manipulated media. As global adversaries enhance their technological capabilities, deepfakes and other advanced disinformation tactics are becoming a top concern for the national security community... Industry has started developing tech that uses statistical methods to determine if a video or image has been manipulated, but existing tools "are quickly becoming insufficient" as manipulation techniques continue to advance, according to DARPA. "Detection techniques that rely on statistical fingerprints can often be fooled with limited additional resources," officials said in a post on FedBizOpps... Beyond simply detecting errors, officials also want the tools to attribute the media to different groups and determine whether the content was manipulated for nefarious purposes. Using that information, the tech would flag posts for human review. "A comprehensive suite of semantic inconsistency detectors would dramatically increase the burden on media falsifiers, requiring the creators of falsified media to get every semantic detail correct, while defenders only need to find one, or a very few, inconsistencies," DARPA officials said. But that's easier said than done. Today, even the most advanced machine intelligence platforms have a tough time understanding the world beyond their training data.

Remember Autorun.inf Malware In Windows? Turns Out KDE Offers Something Similar

Sun, 08/11/2019 - 06:34
Long-time Slashdot reader Artem S. Tashkinov writes: A security researcher has published proof-of-concept (PoC) code for a vulnerability in the KDE software framework. A fix is not available at the time of writing. The bug was discovered by Dominik "zer0pwn" Penner and impacts the KDE Frameworks package 5.60.0 and below. The KDE Frameworks software library is at the base of the KDE desktop environment v4 and v5 (Plasma), currently included with a large number of Linux distributions. The vulnerability occurs because of the way the KDesktopFile class (part of KDE Frameworks) handles .desktop or .directory files. It was discovered that malicious .desktop and .directory files could be created that could be used to run malicious code on a user's computer. When a user opens the KDE file viewer to access the directory where these files are stored, the malicious code contained within the .desktop or .directory files executes without user interaction — such as running the file. Zero user interaction is required to trigger code execution — all you have to do is to browse a directory with a malicious file using any of KDE's file system browsing applications like Dolphin. When ZDNet contacted KDE for a comment Tuesday, their spokesperson provided this response. "We would appreciate if people would contact us before releasing an exploit into the public, rather than the other way around, so that we can decide on a timeline together."

AMD Poses 'Major Challenge' to Intel's Server Leadership

Sat, 08/10/2019 - 11:34
Rob Enderle reports on the excitement at AMD's Epyc processor launch in San Francisco: I've been at a lot of AMD events, and up until this one, the general message was that AMD was almost as good as Intel but not as expensive. This year it is very different; Intel has stumbled badly, and AMD is moving to take the leadership role in the data center, so its message isn't that it is nearly as good but cheaper anymore; it is that it has better customer focus, better security and better performance. Intel's slip really was around trust, and as Intel seemed to abandon the processor segment, OEMs and customers lost faith, and AMD is capitalizing on that slip... AMD has always been relatively conservative, but Lisa Su, AMD's CEO, stated that the company has broken 80 performance records and that this new processor is the highest-performing one in the segment. This is one thing Lisa's IBM training helps validate; I went through that training myself and, at IBM, you aren't allowed to make false claims. AMD isn't making a false claim here. The new Epyc 2 is 64 cores and 128 threads and with PCIe generation 4, it has 128 lanes on top of its 7nm technology, which currently also appears to lead the market. Over the years the average performance for the data center chips, according to Su, has improved around 15% per year. The last generation of Epyc exceeded this when it launched, but just slightly. This new generation blows the curve out; instead of 15% year-over-year improvement, it is closer to 100%... Intel has had a number of dire security problems that it didn't disclose in timely fashion, making their largest customers very nervous. AMD is going after this vulnerability aggressively and pointing to how they've uniquely hardened Epyc 2 so that customers that use it have few, if any, of the concerns they've had surrounding Intel parts. Part of this is jumping to more than 500 unique encryption keys tied to the platform.
Besides Google and Twitter, AMD's event also included announcements from Hewlett-Packard Enterprise, Dell, Cray, Lenovo, and Microsoft Azure. For example, Hewlett Packard Enterprise has three systems immediately available with AMD's new processor, the article reports, with plans to have 9 more within the next 12 months. And their CTO told the audience that their new systems have already broken 37 world performance records, and "attested to the fact that some of the most powerful supercomputers coming to market will use this processor, because it is higher performing," calling them the most secure in the industry and the highest-performing. "AMD came to play in San Francisco this week," Enderle writes. "I've never seen it go after Intel this aggressively and, to be frank, this would have failed had it not been for the massive third-party advocacy behind Epyc 2. I've been in this business since the mid-'80s, and I've never seen this level of advocacy for a new processor ever before. And it was critical that AMD set this new bar; I guess this was an extra record they set, but AMD can legitimately argue that it is the new market leader, at least in terms of both raw and price performance, in the HPC in the server segment. "I think this also showcases how badly Intel is bleeding support after abandoning the IDF (Intel Developer Forum) conference."

New Spectre-like CPU Vulnerability Bypasses Existing Defenses

Sat, 08/10/2019 - 10:34
itwbennett writes: Researchers from security firm Bitdefender discovered and reported a year ago a new CPU vulnerability that 'abuses a system instruction called SWAPGS and can bypass mitigations put in place for previous speculative execution vulnerabilities like Spectre,' writes Lucian Constantin for CSO. There are three attack scenarios involving SWAPGS, the most serious of which 'can allow attackers to leak the contents of arbitrary kernel memory addresses. This is similar to the impact of the Spectre vulnerability.' Microsoft released mitigations for the vulnerability in July's Patch Tuesday, although details were withheld until August 6 when Bitdefender released its whitepaper and Microsoft published a security advisory.

Lawmakers, Intelligence Officials Welcomed To This Year's Def Con Conference

Sat, 08/10/2019 - 08:34
"Multiple members of Congress, dozens of congressional staffers and members of the intelligence community are gathering in Las Vegas this weekend to rub shoulders with hackers at Def Con," reports CNN: Washington's embrace of the hacking community comes amid heightened awareness of the threat of cyber attacks in the wake of the 2016 US presidential election and lawmakers realizing they need to get to grips with technology, Phil Stupak, one of the organizers of Def Con's A.I. Village told CNN Business before the conference began... Hackers here are also demonstrating potential vulnerabilities in voting machines used by Americans. The convention's election village includes a room full of voting equipment where hackers can let loose... It will likely be the largest presence the government has had since before 2013, when, in the wake of NSA analyst Edward Snowden's leaks, Def Con founder Jeff Moss formally requested "the feds call a 'time-out' and not attend Def Con this year." But that has since smoothed over. "I think the record presence of both representative and administration reflect the reality that technology and security are built into our society," Moss told CNN Business. "We are trying to break down the barriers between the people in tech who know what they're doing and the people in Congress who know how to take that knowledge to make laws," said Stupak, who is also a fellow at Cyber Policy Initiative at the University of Chicago. Speaking at Def Con this year was the top cybersecurity official for America's Department of Homeland Security, who stressed the importance of backup paper ballots, as well as "auditability." Also attending Def Con is Senator Ron Wyden, who emphasized another important election safeguard to CNN: that no voting equipment should be connected to the internet.

Researchers Show How Europe's Data Protection Laws Can Dox People

Fri, 08/09/2019 - 16:03
An anonymous reader quotes a report from Motherboard: Europe's controversial privacy law, the General Data Protection Regulation -- better known as GDPR -- has been hailed by some as a solution to tech companies' pervasive data collection and tracking. What maybe no one saw coming is that GDPR can become another tool in the arsenal of enterprising and malicious social engineers, hackers, and people who want to dox and harass others. That's what Ph.D. student and cybersecurity researcher James Pavur discovered when he and his fiancée -- and co-author on their paper -- Casey Knerr made an unusual wager about using GDPR's right of access requests -- a mechanism that allows Europeans to ask any company about what data they have on themselves -- with the goal of extracting sensitive information. Along with his fiancée Knerr, who also works in the infosec industry -- and with her full consent -- Pavur devised a clever, yet very simple experiment. He started with just Knerr's full name, a couple of email addresses, phone numbers, and any other low-hanging fruit that he could find online. In other words, "the weakest possible form of attack," as he put it in his paper. Then, he sent requests to 75 companies, and then to another 75 using the new data -- such as home addresses -- he found through the first wave of requests, using an email address designed to look like that of Knerr. Thanks to these requests, Pavur was able to get his fiancée's Social Security Number, date of birth, mother's maiden name, passwords, previous home addresses, travel and hotel logs, high school grades, partial credit card numbers, and whether she had ever been a user of online dating services. Pavur and Knerr said 25 percent of companies never responded. Two thirds of companies, including online data services, responded with enough information to reveal that Pavur's fiancée had an account with them.
Of those who responded, 25 percent provided sensitive data without properly verifying the identity of the sender. Another 15 percent requested data that could have easily been forged, while 40 percent requested identifying information that would've been relatively hard to fake, according to the study.

Hundreds of Exposed Amazon Cloud Backups Found Leaking Sensitive Data

Fri, 08/09/2019 - 14:10
An anonymous reader quotes a report from TechCrunch: New research just presented at the Def Con security conference reveals how companies, startups and governments are inadvertently leaking their own files from the cloud. You may have heard of exposed S3 buckets -- those Amazon-hosted storage servers packed with customer data but often misconfigured and inadvertently set to "public" for anyone to access. But you may not have heard about exposed EBS snapshots, which pose as much, if not greater, risk. These elastic block storage (EBS) snapshots are the "keys to the kingdom," said Ben Morris, a senior security analyst at cybersecurity firm Bishop Fox, in a call with TechCrunch ahead of his Def Con talk. EBS snapshots store all the data for cloud applications. "They have the secret keys to your applications and they have database access to your customers' information," he said. Morris built a tool using Amazon's own internal search feature to query and scrape publicly exposed EBS snapshots, then attach it, make a copy and list the contents of the volume on his system. It took him two months to build up a database of exposed data and just a few hundred dollars spent on Amazon cloud resources. Once he validates each snapshot, he deletes the data. Morris found dozens of snapshots exposed publicly in one region alone, he said, including application keys, critical user or administrative credentials, source code and more. He found several major companies, including healthcare providers and tech companies. He also found VPN configurations, which he said could allow him to tunnel into a corporate network. Morris said he did not use any credentials or sensitive data, as it would be unlawful.
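The defender's side of this story is knowing which of your own snapshots are shared, and with whom. An EBS snapshot is public when its createVolumePermission attribute contains a permission with Group set to "all". The following is an added example, not Bishop Fox's tool or any AWS code: it audits constructed records shaped like the EC2 DescribeSnapshots and DescribeSnapshotAttribute responses, so it runs offline; the snapshot IDs and the trusted-account allow-list are constructed values.

```python
"""Audit EBS snapshot sharing (constructed example).

Mirrors the shape of two EC2 API responses: DescribeSnapshots (the snapshot
list, which carries the Encrypted flag) and DescribeSnapshotAttribute with
attribute createVolumePermission (who may create volumes from the snapshot).
A permission of {"Group": "all"} makes the snapshot readable by any AWS account.
"""
import json
from typing import Dict, List, Set

# Constructed stand-in for the DescribeSnapshots response for snapshots we own.
SNAPSHOTS_JSON = """
{"Snapshots": [
  {"SnapshotId": "snap-0aaa", "VolumeId": "vol-01", "Encrypted": false, "Description": "prod db backup"},
  {"SnapshotId": "snap-0bbb", "VolumeId": "vol-02", "Encrypted": true,  "Description": "app server"},
  {"SnapshotId": "snap-0ccc", "VolumeId": "vol-03", "Encrypted": false, "Description": "ci runner"}
]}
"""

# Constructed stand-in for one DescribeSnapshotAttribute response per snapshot.
PERMISSIONS_JSON = {
    "snap-0aaa": '{"SnapshotId": "snap-0aaa", "CreateVolumePermissions": [{"Group": "all"}]}',
    "snap-0bbb": '{"SnapshotId": "snap-0bbb", "CreateVolumePermissions": [{"UserId": "111122223333"}]}',
    "snap-0ccc": '{"SnapshotId": "snap-0ccc", "CreateVolumePermissions": []}',
}

TRUSTED_ACCOUNTS = {"111122223333"}  # constructed allow-list of partner accounts


def classify_permissions(perms: List[Dict[str, str]], trusted: Set[str]) -> str:
    """Reduce a CreateVolumePermissions list to one exposure class."""
    if any(p.get("Group") == "all" for p in perms):
        return "PUBLIC"
    shared_with = {p["UserId"] for p in perms if "UserId" in p}
    if shared_with - trusted:
        return "SHARED_UNTRUSTED"
    if shared_with:
        return "SHARED_TRUSTED"
    return "PRIVATE"


def audit_snapshots(snapshots_json: str, permissions_json: Dict[str, str],
                    trusted: Set[str]) -> List[Dict[str, object]]:
    """Join the snapshot list with its sharing attributes and rate each one.

    Public sharing is the critical case from the talk; sharing with an account
    outside the allow-list is high; a private but unencrypted snapshot is
    flagged low because its contents are unprotected at rest.
    """
    findings: List[Dict[str, object]] = []
    for snap in json.loads(snapshots_json)["Snapshots"]:
        sid = snap["SnapshotId"]
        perms = json.loads(permissions_json[sid])["CreateVolumePermissions"]
        exposure = classify_permissions(perms, trusted)
        if exposure == "PUBLIC":
            severity = "critical"
        elif exposure == "SHARED_UNTRUSTED":
            severity = "high"
        elif not snap["Encrypted"]:
            severity = "low"
        else:
            severity = "ok"
        findings.append({"SnapshotId": sid, "Exposure": exposure,
                         "Encrypted": snap["Encrypted"], "Severity": severity})
    return findings


def public_snapshot_ids(findings: List[Dict[str, object]]) -> List[str]:
    """The list an on-call engineer acts on first: snapshots anyone can copy."""
    return [str(f["SnapshotId"]) for f in findings if f["Exposure"] == "PUBLIC"]


if __name__ == "__main__":
    results = audit_snapshots(SNAPSHOTS_JSON, PERMISSIONS_JSON, TRUSTED_ACCOUNTS)
    for r in results:
        print(r)
    print("public:", public_snapshot_ids(results))
```

Against live data the same two functions would consume the JSON returned by the EC2 API for each snapshot you own; the classification logic does not change.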

NSA's Free Malware Research Tool Gains Traction, 6 Months On

Fri, 08/09/2019 - 13:30
In March the National Security Agency released an internal malware research tool for free to the public, a first for the secretive agency. Six months later, by most indications, the release is an even bigger event than the NSA thought. From a report: Some aspects of researching malware have long required expensive software. The release of Ghidra, the NSA tool, has profoundly changed the field, opening it up to students, part-timers and hobbyists who otherwise couldn't afford to participate. It's been a good six months for Ghidra. The software has been downloaded more than 500,000 times from GitHub. "We had a bet on how many downloads it would be," Brian Knighton, senior researcher at the NSA, told Axios. "We were off by quite a factor." Ghidra also netted the NSA two nominations for "Pwnie" awards at the typically NSA-averse DEF CON hacker conference this week. The NSA was also pleasantly surprised with the number of outside developers modifying code and creating new features for the now open-source program. The toolkit is popular enough that the NSA now offers touring classes on Ghidra for colleges and universities.

Researchers Bypass Apple FaceID Using Biometrics 'Achilles Heel'

Fri, 08/09/2019 - 09:25
Vulnerabilities have been uncovered in the authentication process of biometrics technology that could allow bad actors to bypass various facial recognition applications -- including Apple's FaceID. But there is a catch. Doing so requires the victim to be out cold. From a report: Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim's FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair of glasses and placing them on the victim's face, the researchers demonstrated how they could bypass Apple's FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up. To launch the attack, researchers with Tencent tapped into a feature behind biometrics called "liveness" detection, which is part of the biometric authentication process that sifts through "real" versus "fake" features on people. It works by detecting background noise, response distortion or focus blur. One such biometrics tool that utilizes liveness detection is FaceID, which is designed and utilized by Apple for the iPhone and iPad Pro. "With the leakage of biometric data and the enhancement of AI fraud ability, liveness detection has become the Achilles' heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture," researchers said during the Black Hat USA 2019 session.

Robocall Blocking Apps Caught Sending Your Private Data Without Permission

Fri, 08/09/2019 - 08:10
Robocall-blocking apps promise to rid your life of spoofed and spam phone calls. But are they as trustworthy as they claim to be? From a report: One security researcher said many of these apps can violate your privacy as soon as they are opened. Dan Hastings, a senior security consultant at cybersecurity firm NCC Group, analyzed some of the most popular robocall-blocking apps -- including TrapCall, Truecaller, and Hiya -- and found egregious privacy violations. [...] Many of these apps, said Hastings, send user or device data to third-party data analytics companies -- often to monetize your information -- without your explicit consent, instead burying the details in their privacy policies. One app, TrapCall, sent users' phone numbers to a third-party analytics firm, AppsFlyer, without telling users -- neither in the app nor in the privacy policy. He also found Truecaller and Hiya uploaded device data -- device type, model and software version, among other things -- before a user could accept their privacy policies.

Apple Confirms $1 Million Reward For Anyone Who Can Hack An iPhone

Thu, 08/08/2019 - 23:00
Apple says it will offer up to $1 million for hackers who can find vulnerabilities in iPhones and Macs. "That's up from $200,000, and in the fall the program will be open to all researchers," reports Forbes. "Previously only those on the company's invite-only bug bounty program were eligible to receive rewards." From the report: As Forbes reported on Monday, Apple is also launching a Mac bug bounty, which was confirmed Thursday, but it's also extending it to watchOS and its Apple TV operating system. The announcements came in Las Vegas at the Black Hat conference, where Apple's head of security engineering Ivan Krstic gave a talk on iOS and macOS security. Forbes also revealed on Monday that Apple was to give bug bounty participants "developer devices" -- iPhones that let hackers dive further into iOS. They can, for instance, pause the processor to look at what's happening with data in memory. Krstic confirmed the iOS Security Research Device program would be by application only. It will arrive next year. The full $1 million will go to researchers who can find a hack of the kernel -- the core of iOS -- with zero clicks required by the iPhone owner. Another $500,000 will be given to those who can find a "network attack requiring no user interaction." There's also a 50% bonus for hackers who can find weaknesses in software before it's released. Apple is increasing those rewards in the face of an increasingly profitable private market where hackers sell the same information to governments for vast sums.