Slashdot security articles

Syndicate content Slashdot: Generated for TarPitt (217247)
News for nerds, stuff that matters: Generated for TarPitt (217247)
Updated: 23 hours 22 min ago

Slack Resets Passwords For 1% of Its Users Because of 2015 Hack

Thu, 07/18/2019 - 07:42
ZDNet: Slack published more details about a password reset operation that ZDNet reported earlier today. According to a statement the company published on its website, the password reset operation is related to the company's 2015 security breach. In March 2015, Slack said hackers gained access to some Slack infrastructure, including databases storing user credentials. Hackers stole hashed passwords, but they also planted code on the company's site to capture plaintext passwords that users entered when logging in. At the time, Slack reset passwords for users who it believed were impacted, and also added support for two-factor authentication for all accounts. But as ZDNet reported earlier today, the company recently received a batch of Slack users credentials, which prompted the company to start an investigation into its source and prepare a password reset procedure. "We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users," Slack said. In a message on its website, Slack said this batch of credentials came via its bug bounty program. The company said it initially believed the data came from users who had their PCs infected with malware, or users who reused passwords across different services.

To Foil Hackers, 'Morpheus' Chip Can Change Its Code In the Blink of An Eye

Wed, 07/17/2019 - 23:00
Todd Austin, a professor at the University of Michigan, is working on an approach known as Morpheus that aims to frustrate hackers trying to gain control of microchips by presenting them with a rapidly changing target. At a conference in Detroit this week organized by the U.S. Defense Department's Defense Advanced Research Projects Agency (DARPA), Austin described how the prototype Morpheus chip works. MIT Technology Review reports: The aim is to make it incredibly difficult for hackers to exploit key software that helps govern the chip's operation. Morpheus does this by repeatedly randomizing elements of the code that attackers need access to in order to compromise the hardware. This can be achieved without disrupting the software applications that are powered by the processor. Austin has been able to get the chip's code "churning" to happen once every 50 milliseconds -- way faster than needed to frustrate the most powerful automated hacking tools. So even if hackers find a vulnerability, the information needed to exploit it disappears in the blink of an eye. There's a cost to all this: the technology causes a slight drop in performance and requires somewhat bigger chips. The military may accept this trade-off in return for greater security on the battlefield, but it could limit Morpheus's appeal to businesses and consumers. Austin said a prototype has already resisted every known variant of a widely-used hacking technique known as a control-flow attack, which does things like tampering with the way a processor handles memory in order to allow hackers to sneak in malware. More tests lie ahead. A team of U.S. national security experts will soon begin probing the prototype chip to see if they can compromise its defenses, and Austin also plans to post some of Morpheus's code online so that other researchers can try to find flaws in it, too.

Making the Case For a Microsoft Surface Phone That Runs Android

Wed, 07/17/2019 - 16:03
Zac Bowden from Windows Central makes the case for why Microsoft may want to make a Surface phone that runs Android. An anonymous reader shares an excerpt from the report: While a Surface Phone running Android would never sell to the quantity that Samsung smartphones do (or at least not a first- or second-generation phone), Microsoft could utilize the Surface brand to showcase the best of Microsoft's Android efforts all in one place, just like it has done for Windows PCs. I'm picturing a Surface-branded, Microsoft-built smartphone that comes with Microsoft Launcher, Edge, Office, Your Phone phone-mirroring integration, and more, out of the box. In fact, that's one of four unique selling points that a Surface Phone running Android could have: -- Showcase the best of Microsoft's efforts on Android. -- Seamless integration with Windows PCs using Your Phone. -- Provide the best security and update support on Android. -- Brand recognition that can rival Apple and Samsung. That last point is more for Microsoft fans, but the first three are important. A Surface Phone running Android would be the only smartphone out there that's always guaranteed to work with all of Your Phone's features. I have a wide array of Android smartphones, yet 90 percent of them don't support all of Your Phone's features on Windows 10. Screen mirroring is only available on select devices, and while that may improve, there's no guarantee your smartphone will ever get it, or if it'll work well. Microsoft could also provide enhanced features, such as the ability to take cellular phone calls on your PC directly from your Surface Phone. It could also build out dedicated Phone and SMS apps that sync up with the Messages app on your PC, instead of having to relay it through the Your Phone app. There's so much more potential when you build your own Android phone.

Bluetooth Exploit Can Track and Identify iOS, Microsoft Mobile Device Users

Wed, 07/17/2019 - 10:11
A flaw in the Bluetooth communication protocol may expose modern device users to tracking and could leak their ID, researchers claim. From a report: The vulnerability can be used to spy on users despite native OS protections that are in place and impacts Bluetooth devices on Windows 10, iOS, and macOS machines. This includes iPhones, iPads, Apple Watch models, MacBooks, and Microsoft tablets & laptops. On Wednesday, researchers from Boston University David Starobinski and Johannes Becker presented the results of their research at the 19th Privacy Enhancing Technologies Symposium, taking place in Stockholm, Sweden. According to the research paper, Tracking Anonymized Bluetooth Devices, many Bluetooth devices will use MAC addresses when advertising their presence to prevent long-term tracking, but the team found that it is possible to circumvent the randomization of these addresses to permanently monitor a specific device. Android is immune as the OS does not continually send out advertising messages, the researchers said.

AI Photo Editor FaceApp Goes Viral Again on iOS, Raises Questions About Photo Library Access

Wed, 07/17/2019 - 09:34
FaceApp, an app that applies filters to photos, is having another moment in the spotlight this week. An anonymous reader shares a report: The app has gone viral again after first doing so two years ago or so. The effect has gotten better but these apps, like many other one-off viral apps, tend to come and go in waves driven by influencer networks or paid promotion. We first covered this particular AI photo editor from a team of Russian developers about two years ago. It has gone viral again now due to some features that allow you to edit a person's face to make it appear older or younger. You may remember at one point it had an issue because it enabled what amounted to digital blackface by changing a person from one ethnicity to another. In this current wave of virality, some new questions are floating around about FaceApp. The first is whether it uploads your camera roll in the background. We found no evidence of this and neither did security researcher and Guardian App CEO Will Strafach or researcher Baptiste Robert. The second is how it allows you to pick photos without giving photo access to the app.

Microsoft To Explore Using Rust

Wed, 07/17/2019 - 08:49
Microsoft plans to explore using the Rust programming language as an alternative to C, C++, and others, as a way to improve the security posture of its and everyone else's apps. From a report: The announcement was made yesterday by Gavin Thomas, Principal Security Engineering Manager for the Microsoft Security Response Center (MSRC). "You're probably used to thinking about the Microsoft Security Response Center as a group that responds to incidents and vulnerabilities," Thomas said. "We are a response organization, but we also have a proactive role, and in a new blog series we will highlight Microsoft's exploration of safer system programming languages, starting with Rust." The end game is to find a way to move developers from the aging C and C++ programming language to so-called "memory-safe languages." Memory-safe languages, such as Rust, are designed from the ground up with protections against memory corruption vulnerabilities, such as buffer overflows, race conditions, memory leaks, use-after free and memory pointer-related bugs.

Nokia 2.2 Brings Back the Removable Battery

Tue, 07/16/2019 - 17:25
HMD is bringing the latest version of the Nokia 2, called the "Nokia 2.2," to the U.S. For $139, it features a notched camera design, a plastic body, and a removable battery. Ars Technica reports: HMD is delivering a good package for the price, with a fairly modern design, the latest version of Android, and a killer update package with two years of major OS updates and three years of security updates. On the front, you have a 5.71-inch, 1520x720 IPS LCD with a flagship-emulating notch design and rounded corners. There's a sizable bezel on the bottom with a big "Nokia" logo on it, but it's hard to complain about that for $140. This is a cheap phone, so don't expect a ton in the specs department. Powering the Nokia 2.2 is a MediaTek Helio A22 SoC, which is just four Cortex A53 cores at 2GHz. The U.S. version gets 3GB of RAM and 32GB of storage version with an option to add a MicroSD card. The back and sides are plastic, and on the side you'll find an extra physical button, which will summon the Google Assistant. The back actually comes off, and -- get this -- you can remove the 3000mAh battery! Speaking of unnecessarily removed smartphone features from the past, there's also a headphone jack. Unfortunately, it's missing some key features to keep the price down. There's a microUSB port instead of a USB-C port, no fingerprint reader, and cameras that have low expectations. Since it is a GSM phone, it will be supported by T-Mobile and AT&T networks, along with all their MVNOs.

Sprint Says Hackers Breached Customer Accounts Via Samsung Website

Tue, 07/16/2019 - 08:45
US mobile network operator Sprint said hackers broke into an unknown number of customer accounts via the Samsung.com "add a line" website. From a report: "On June 22, Sprint was informed of unauthorized access to your Sprint account using your account credentials via the Samsung.com 'add a line' website," Sprint said in a letter it is sending impacted customers. "The personal information of yours that may have been viewed includes the following: phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address and add-on services," the US telco said. Sprint said the information hackers had access to did not pose "a substantial risk of fraud or identity theft," although, many might disagree with its assessment. The company said it re-secured all compromised accounts by resetting PIN codes, three days later, on June 25.

Permission-Greedy Apps Delayed Android 6 Upgrade So They Could Harvest More User Data

Tue, 07/16/2019 - 08:05
Android app developers intentionally delayed updating their applications to work on top of Android 6.0, so they could continue to have access to an older permission-requesting mechanism that granted them easy access to large quantities of user data, research published by the University of Maryland last month has revealed. From a report: The central focus of this research was the release of Android (Marshmallow) 6.0 in October 2015. The main innovation added in Android 6.0 was the ability for users to approve app permissions on a per-permission basis, selecting which permissions they wanted to allow an app to have. [...] In research published in June, two University of Maryland academics say they conducted tests between April 2016 and March 2018 to see how many apps initially coded to work on older Android SDKs were updated to work on the newer Android 6.0 SDK. The research duo says they installed 13,599 of the most popular Android apps on test devices. Each month, the research team would update the apps and scan the apps' code to see if they were updated for the newer Android 6.0 release. "We find that an app's likelihood of delaying upgrade to the latest platform version increases with an increase in the ratio of dangerous permissions sought by the apps, indicating that apps prefer to retain control over access to the users' private information," said Raveesh K. Mayya and Siva Viswanathan, the two academics behind the research.

Broadcom and Symantec End Buyout Talks

Mon, 07/15/2019 - 17:45
phalse phace writes: Earlier this month, there was a report that Broadcom was in advance talks with Symantec about a possible buyout. It's being reported that those talks have now ended. "Symantec and Broadcom have ceased deal negotiations, sources tell CNBC's David Faber," reports CNBC. "The people familiar with the matter added that Symantec would not accept less than $28 a share. People familiar with the matter added that Broadcom indicated in early conversations that it would be willing to pay $28.25 per share for Symantec, but that following due diligence knocked that figure down below $28."

Facebook's Libra Cryptocurrency Could Be Misused By Terrorists, Says Treasury Chief Mnuchin

Mon, 07/15/2019 - 15:20
In a press conference Monday, Treasury Secretary Steven Mnuchin said Facebook's proposed digital currency, Libra, "could be misused by money launderers and terrorist financiers" and that it was a "national security issue." CNBC reports: "Cryptocurrencies such as bitcoin have been exploited to support billions of dollars of illicit activity like cyber crime, tax evasion, extortion, ransomware, illicit drugs and human trafficking," Mnuchin said, adding that he is "not comfortable today" with Facebook's launch. "They have a lot of work to do," he said. The press conference comes days after President Donald Trump said in a tweet that he was "not a fan" of cryptocurrencies like bitcoin. He also suggested Facebook, which plans on launching the global cryptocurrency next year, would need a bank charter to do so. Bitcoin dropped sharply on Monday following the president's criticism on Twitter. The world's first and most valuable digital currency fell roughly 10% to a low of $9,872 to start the week. "The president does have concerns as it relates to bitcoin and cryptocurrencies -- those are legitimate concerns that we have been working on for a long period of time," Mnuchin said. In response to the Treasury secretary's comments, Facebook told CNBC that "they anticipated critical feedback from regulators, central banks, lawmakers around the world." The tech giant also said they announced Libra a year before its anticipated launch date, "so that we could have those conversations."

How America's Tech Giants Are Helping Build China's Surveillance State

Sun, 07/14/2019 - 19:36
"An American organization founded by tech giants Google and IBM is working with a company that is helping China's authoritarian government conduct mass surveillance against its citizens," the Intercept reports. The OpenPower Foundation -- a nonprofit led by Google and IBM executives with the aim of trying to "drive innovation" -- has set up a collaboration between IBM, Chinese company Semptian, and U.S. chip manufacturer Xilinx. Together, they have worked to advance a breed of microprocessors that enable computers to analyze vast amounts of data more efficiently. Shenzhen-based Semptian is using the devices to enhance the capabilities of internet surveillance and censorship technology it provides to human rights-abusing security agencies in China, according to sources and documents. A company employee said that its technology is being used to covertly monitor the internet activity of 200 million people... Semptian presents itself publicly as a "big data" analysis company that works with internet providers and educational institutes. However, a substantial portion of the Chinese firm's business is in fact generated through a front company named iNext, which sells the internet surveillance and censorship tools to governments. iNext operates out of the same offices in China as Semptian, with both companies on the eighth floor of a tower in Shenzhen's busy Nanshan District. Semptian and iNext also share the same 200 employees and the same founder, Chen Longsen. [The company's] Aegis equipment has been placed within China's phone and internet networks, enabling the country's government to secretly collect people's email records, phone calls, text messages, cellphone locations, and web browsing histories, according to two sources familiar with Semptian's work. Promotional documents obtained from the company promise "location information for everyone in the country." One company representative even told the Intercept they were processing "thousands of terabits per second," and -- not knowing they were talking to a reporter -- forwarded a 16-minute video detailing their technology. "If a government operative enters a person's cellphone number, Aegis can show where the device has been over a given period of time: the last three days, the last week, the last month, or longer," the Intercept reports. Joss Wright, a senior research fellow at the University of Oxford's Internet Institute, told the Intercept that "by any meaningful definition, this is a vast surveillance effort." Read what the U.S. companies had to say about their involvement with Chinese surveillance technology:

Should Local Governments Pay Ransomware Attackers?

Sun, 07/14/2019 - 10:34
At least 170 local or state government systems in America have been hit with ransomware, and the French Interior Ministry received reports of 560 incidents just in 2018, according to Phys.org. (Though the French ministry also notes that most incidents aren't reported.) But when a government system is hit by ransomware, do they have a responsibility to pay the ransomware to restore their data -- or to not pay it? "You have to do what's right for your organization," said Gregory Falco, a researcher at Stanford University specializing in municipal network security. "It's not the FBI's call. You might have criminal justice information, you could have decades of evidence. You have to weigh this for yourself." Josh Zelonis at Forrester Research offered a similar view, saying in a blog post that victims need to consider paying the ransom as a valid option, alongside other recovery efforts. But Randy Marchany, chief information security officer for Virginia Tech University, said the best answer is to take a hardline "don't pay" attitude. "I don't agree with any organization or city paying the ransom," Marchany said. "The victims will have to rebuild their infrastructure from scratch anyway. If you pay the ransom, the hackers give you the decryption key but you have no assurance the ransomware has been removed from all of your systems. So, you have to rebuild them anyway." Victims often fail to take preventive measures such as software updates and data backups that would limit the impact of ransomware. But victims may not always be aware of potential remedies that don't involve paying up, said Brett Callow of Emsisoft, one of several security firms that offer free decryption tools. "If the encryption in ransomware is implemented properly, there is a zero chance of recovery unless you pay the ransom," Callow said. "Often it isn't implemented properly, and we find weaknesses in the encryption and undo it." Callow also points to coordinated efforts of security firms including the No More Ransom Project, which partners with Europol, and ID Ransomware, which can identify some malware and sometimes unlock data.

'Never Commit a Crime When Your Phone Is Connected to a Wi-Fi Network'

Sat, 07/13/2019 - 16:34
"Like many bad ideas, this one started with Bud Light," reports Slate. As four high school seniors sat around shooting the breeze before graduation, they decided to vandalize their school as a senior prank. Disguised with T-shirts over their faces to evade security cameras, the young men originally set out to spray-paint "Class of 2018," but in a moment one of the men describes to the Washington Post as "a blur," their graffiti fest took a turn toward swastikas, racial slurs attacking the school's principal, and other hateful symbols. Despite their covered faces, school officials had no problem finding who was responsible: The students' phones had automatically connected with the school's Wi-Fi using their unique logins. Their digital fingerprints tipped off administrators to who was on campus just before midnight, and, as the Post describes, they were held accountable for their crime. But the incident also showcases how little we know about what we're giving away with our digital footprints. These men had clearly given thought about how to stay anonymous -- they knew they needed masks to foil the cameras -- but they didn't think the devices in their pockets could give them away. The AP adds that the prison sentences for the four teenagers "ranged from eight to 18 weekends behind bars."

What Happens When Landlords Can Get Cheap Surveillance Software?

Sat, 07/13/2019 - 15:34
"Cheap surveillance software is changing how landlords manage their tenants and what laws police can enforce," reports Slate. For example, there's a private company contracting with property managers that says they now have 475 security cameras in place and can sometimes scan more than 1.5 million license plates in a week. (According to Clayton Burnett, Watchstore Security's director of "innovation and new technology".) Burnett's company regularly hands over location data to police, he says, as evidence for cases large and small. But that investigative firepower also comes in handy for more routine landlord-tenant affairs. They've investigated tree trimmers charging for a day of work they didn't do and caught people dumping trash on private property. Sometimes, he says, a tenant will claim her car was hit in the building's parking lot and ask for free rent. His company can search for her plate and see that one day, she left the lot with her bumper intact and then came back later with a dent in it. Probably once a week, Burnett says, Watchtower uses it to prove that a tenant has "a buddy crashing on their couch," violating their lease. "Normally, there's some limit to how long they can stay, like five days," he says, "and we can prove they're going over that." One search, and they have proof that that buddy has been coming over every night for a month. I was wondering how tenants felt about this, and I asked Burnett whether anyone had ever complained about the license plate readers. "No," he said with a laugh. "I'd say they probably don't know about it...." [A]s the technology has matured, it's gotten in the hands of organizations that, five years ago, would never have been able to consider it. Small-town police departments can suddenly afford to conduct surveillance at a massive scale. Neighborhood homeowners associations and property managers are buying up cameras by the dozen. And in many jurisdictions, cheap automatic license plate reader (ALPR) cameras are creeping into neighborhoods -- with almost nothing restricting how they're used besides the surveiller's own discretion.... If you know that a bald guy in a gray Toyota illegally dumped trash in your lawn, the police won't try to track him down. But if they have the plate, enforcing lower-level crime becomes much easier. Several of the property managers and homeowners associations I spoke to emphasized that this is one of the main benefits of their ALPR systems. Along with burglaries, they're mostly concerned about people breaking into cars to steal personal belongings; police wouldn't investigate that before, but now homeowners associations can do the investigation for them and hand over the evidence. As Burnett put it, "[Police] are not going to be able to investigate [a small crime] unless we hand it to them on a silver platter. Which we've done plenty of times." The article points out that today's software can detect dents on cars and watch for specific bumper stickers (or Lyft tags) -- and often the software can be retrofitted to existing traffic cameras. A contractor working with police in one Pennsylvania county says they've now "virtually gated" an entire 20,000-person town south of Pittsburgh. "Any way you can come in and out, you're on camera." A senior investigative researcher at the EFF points out that "Now a cop can look up your license plate and see where you've been for the past two years."

Intel Patches Two New Security Flaws

Sat, 07/13/2019 - 12:34
This week Intel announced two new patches, according to Tom's Hardware: The flaw in the processor diagnostic tool (CVE-2019-11133) is rated 8.2 out 10 on the CVSS 3.0 scale, making it a high-severity vulnerability. The flaw [found by security researcher Jesse Michael from Eclypsium] "may allow an authenticated user to potentially enable escalation of privilege, information disclosure or denial of service via local access," according to Intel's latest security advisory. Versions of the tool that are older than 4.1.2.24 are affected. The second vulnerability, found by Intel's internal team, is a medium-severity vulnerability in Intel's SSD DC S4500/S4600 series sold to data center customers. The flaw found in the SSD firmware versions older than SCV10150 obtained a 5.3 score on the CVSS 3.0 scale, so it was labeled medium-severity. The bug may allow an unprivileged user to enable privilege escalation via physical access. As one of the flaws was uncovered by Intel itself and for the other the Eclypsium research coordinated with Intel for its disclosure, Intel was able to have ready the patches in time for the public announcement.

The 'Vast Majority' of America's Voting Machines Use Windows 7 or Older Systems

Sat, 07/13/2019 - 11:34
Many of America's voting machines are depending on an outdated Microsoft operating system, reports the Associated Press. "The vast majority of 10,000 election jurisdictions nationwide use Windows 7 or an older operating system to create ballots, program voting machines, tally votes and report counts." That's significant because Windows 7 reaches its "end of life" on Jan. 14, meaning Microsoft stops providing technical support and producing "patches" to fix software vulnerabilities, which hackers can exploit. In a statement to the AP, Microsoft said Friday it would offer continued Windows 7 security updates for a fee through 2023. Critics say the situation is an example of what happens when private companies ultimately determine the security level of election systems with a lack of federal requirements or oversight.... It's unclear whether the often hefty expense of security updates would be paid by vendors operating on razor-thin profit margins or cash-strapped jurisdictions. It's also uncertain if a version running on Windows 10, which has more security features, can be certified and rolled out in time for primaries. The Associated Press contacted the Coalition for Good Governance, an election integrity advocacy organization, and received this comment from the group's the executive director. "Is this a bad joke?"

US Mayors Resolve Not To Pay Hackers Over Ransomware Attacks

Fri, 07/12/2019 - 17:30
More than 225 U.S. mayors have signed on to a resolution not to pay ransoms to hackers. It's a collective stand against the ransomware attacks that have crippled city government computer systems in recent years. CNET reports: The resolution was adopted at the U.S. Conference of Mayors annual meeting, which took place late June and early July in Honolulu. "The United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach," the resolution reads. This could give city leaders across the US some leverage against hackers. The 227 mayors who attended the meeting agreed to adopt the resolution, but the US Conference of Mayors represents more than 1,400 cities with populations over 30,000.

Monroe College Hit With Ransomware, $2 Million Demanded

Fri, 07/12/2019 - 14:50
A ransomware attack in New York City's Monroe College has shut down the college's computer systems at campuses located in Manhattan, New Rochelle and St. Lucia. The attackers are seeking 170 bitcoins or approximately $2 million dollars in order to decrypt the entire college's network. Bleeping Computer reports: According to the Daily News, Monroe College was hacked on Wednesday at 6:45 AM and ransomware was installed throughout the college's network. It is not known at this time what ransomware was installed on the system, but it is likely to be Ryuk, IEncrypt, or Sodinokibi, which are known to target enterprise networks. The college has not indicated at this time whether they will be paying the ransom or restoring from backups while gradually bringing their network back online. "The good news is that the college was founded in 1933, so we know how to teach and educate without these tools," Monroe College spokesperson Jackie Ruegger told the Daily News. "Right now we are finding workarounds for our students taking online classes so they have their assignments."

Revealed: This Is Palantir's Top-Secret User Manual For Cops

Fri, 07/12/2019 - 12:50
New submitter popcornfan679 shares a report: Through a public record request, Motherboard has obtained a user manual that gives unprecedented insight into Palantir Gotham (Palantir's other services, Palantir Foundry, is an enterprise data platform), which is used by law enforcement agencies like the Northern California Regional Intelligence Center. (Palantir is one of the most significant and secretive companies in big data analysis.) The NCRIC serves around 300 communities in northern California and is what is known as a "fusion center," a Department of Homeland Security intelligence center that aggregates and investigates information from state, local, and federal agencies, as well as some private entities, into large databases that can be searched using software like Palantir. Fusion centers have become a target of civil liberties groups in part because they collect and aggregate data from so many different public and private entities. The guide doesn't just show how Gotham works. It also shows how police are instructed to use the software. This guide seems to be specifically made by Palantir for the California law enforcement because it includes examples specific to California. We don't know exactly what information is excluded, or what changes have been made since the document was first created. The first eight pages that we received in response to our request is undated, but the remaining twenty-one pages were copyrighted in 2016. (Palantir did not respond to multiple requests for comment.) The Palantir user guide shows that police can start with almost no information about a person of interest and instantly know extremely intimate details about their lives.