Slashdot security articles


Australia Concludes China Was Behind Hack on Parliament, Political Parties

Mon, 09/16/2019 - 11:30
Australian intelligence determined China was responsible for a cyber-attack on its national parliament and three largest political parties before the general election in May, Reuters reports. From the report: Australia's cyber intelligence agency -- the Australian Signals Directorate (ASD) -- concluded in March that China's Ministry of State Security was responsible for the attack, the five people with direct knowledge of the findings of the investigation told Reuters. The report, which also included input from the Department of Foreign Affairs, recommended keeping the findings secret in order to avoid disrupting trade relations with Beijing, two of the people said. The Australian government has not disclosed who it believes was behind the attack or any details of the report.

Database Leaks Data on Most of Ecuador's Citizens, Including 6.7 Million Children

Mon, 09/16/2019 - 08:00
The personal records of most of Ecuador's population, including children, have been left exposed online due to a misconfigured database, ZDNet reported Monday. From the report: The database, an Elasticsearch server, was discovered two weeks ago by vpnMentor security researchers Noam Rotem and Ran Locar, who shared their findings exclusively with ZDNet. Together, we worked to analyze the leaking data, verify its authenticity, and contact the server owner. The leaky server is one of the biggest, if not the biggest, data breaches in Ecuador's history, a small South American country with a population of 16.6 million citizens. The Elasticsearch server contained a total of approximately 20.8 million user records, a number larger than the country's total population count. The bigger number comes from duplicate records or older entries, containing the data of deceased persons.

LastPass Bug Leaks Credentials From Previous Site

Mon, 09/16/2019 - 07:20
Password manager LastPass released an update last week to fix a security bug that exposes credentials entered on a previously visited site. From a report: The bug was discovered last month by Tavis Ormandy, a security researcher with Project Zero, Google's elite security and bug-hunting team. LastPass, believed to be the most popular password manager app today, fixed the reported issue in version 4.33.0, released last week, on September 12. If users have not enabled an auto-update mechanism for their LastPass browser extensions or mobile apps, they're advised to perform a manual update as soon as possible. This is because yesterday, Ormandy published details about the security flaw he found. The security researcher's bug report walks an attacker through the steps necessary to reproduce the bug.

Russia Carried Out a 'Stunning' Breach of FBI Communications System, Escalating the Spy Game on US Soil

Mon, 09/16/2019 - 06:00
Zach Dorfman, Jenna McLaughlin, and Sean D. Naylor, reporting for Yahoo News: On Dec. 29, 2016, the Obama administration announced that it was giving nearly three dozen Russian diplomats just 72 hours to leave the United States and was seizing two rural East Coast estates owned by the Russian government. As the Russians burned papers and scrambled to pack their bags, the Kremlin protested the treatment of its diplomats, and denied that those compounds -- sometimes known as the "dachas" -- were anything more than vacation spots for their personnel. The Obama administration's public rationale for the expulsions and closures -- the harshest U.S. diplomatic reprisals taken against Russia in several decades -- was to retaliate for Russian meddling in the 2016 presidential election. But there was another critical, and secret, reason why those locations and diplomats were targeted. Both compounds, and at least some of the expelled diplomats, played key roles in a brazen Russian counterintelligence operation that stretched from the Bay Area to the heart of the nation's capital, according to former U.S. officials. The operation, which targeted FBI communications, hampered the bureau's ability to track Russian spies on U.S. soil at a time of increasing tension with Moscow, forced the FBI and CIA to cease contact with some of their Russian assets, and prompted tighter security procedures at key U.S. national security facilities in the Washington area and elsewhere, according to former U.S. officials. It even raised concerns among some U.S. officials about a Russian mole within the U.S. intelligence community. "It was a very broad effort to try and penetrate our most sensitive operations," said a former senior CIA official. American officials discovered that the Russians had dramatically improved their ability to decrypt certain types of secure communications and had successfully tracked devices used by elite FBI surveillance teams. Officials also feared that the Russians may have devised other ways to monitor U.S. intelligence communications, including hacking into computers not connected to the internet. Senior FBI and CIA officials briefed congressional leaders on these issues as part of a wide-ranging examination on Capitol Hill of U.S. counterintelligence vulnerabilities.

Ask Slashdot: Can A Lack of Privacy Be Weaponized?

Sun, 09/15/2019 - 09:34
Slashdot reader dryriver asks a scary what-if question about the detailed digital profiles of our online and offline lives that are being created by "hundreds of privately owned, profit-driven companies operating with no meaningful oversight." Digital profiles are just a collection of 1s and 0s and are wide open to digital tampering or digital distortion. You could easily be made to appear to have done just about anything from visiting questionable websites on the dark web, to buying things that you never actually bought or would have an interest in buying, to being in places in the physical world at given dates and times that you would never actually visit in real life. In other words, your digital profile(s) may make you appear to be a completely different person, doing completely different things, from who you objectively are in actuality. For now, these digital profiles mostly sit in data centers around the world, and try to serve ads to you. But what happens if someday your digital profile is weaponized against you? What happens in a situation where you need to prove that you are a morally upright, law-abiding person, and your digital profile(s) are accessed, and claim that you are anything but a moral, law-abiding person? What happens if these digital profiles are someday routinely examined by courts of law to determine whether you are a person of good character or not? What happens if one of your digital profiles is purposely leaked into the public realm someday, and your "digital mirror image" did all sorts of crappy things that you, in real life, would never do?

iOS 13 Lock Screen Lets Anyone See Your Address Book

Sun, 09/15/2019 - 07:34
Slashdot reader dryriver writes: A security researcher discovered that if you get your hands on someone else's iThing running iOS 13, and place a phone call to it, you can choose to respond with a TXT message, and get to see the contents of the address book on the iThing without actually getting past the lock screen... The security researcher who found the flaw was not financially rewarded or acknowledged by Apple, but rather given the cold shoulder. The security researcher says all he'd wanted was a $1 Apple Store card to keep as a trophy, according to The Register: The procedure, demonstrated below in a video, involves receiving a call and opting to respond with a text message, and then changing the "to" field of the message, which can be accomplished via voice-over. The "to" field pulls up the owner's contacts list, thus giving an unauthorized miscreant the ability to crawl through the address book without ever needing to actually unlock the phone. They also report that while the insecure-lock-screen iOS 13 will be officially released on September 19, a fixed version, iOS 13.1, "is due to land on September 30."

Python 2 Sunsets in 107 Days. JPMorgan Isn't Ready

Sun, 09/15/2019 - 06:34
In 107 days, Python 2 -- first released in 2000 -- will officially sunset, according to an announcement this week by "volunteers who make and take care of the Python programming language." But according to TechRepublic, not everybody is ready: Given Python's popularity and ubiquity, the amount of business logic hinging on Python is quite vast, presenting an issue for organizations still clinging to Python 2. JPMorgan's Athena trading platform is one of those applications -- while access has only been available directly to clients since 2018, the Athena platform is used internally at JPMorgan for pricing, trading, risk management, and analytics, with tools for data science and machine learning. This extensive feature set utilizes over 150,000 Python modules, over 500 open source packages, and 35 million lines of Python code contributed by over 1,500 developers, according to data presented by Misha Tselman, executive director at J.P. Morgan Chase in a talk at PyData 2017. Migrating 35 million lines of code from Python 2 to Python 3 is quite the undertaking -- and JPMorgan is going to miss the deadline, according to eFinancialCareers, stating that JPMorgan's roadmap puts "most strategic components" compatible with Python 3 by the end of Q1 2020 -- that is, three months after the end of security patches -- with "all legacy Python 2.7 components" planned for compatibility with Python 3 by Q4 2020. Modern developer practices are needed to maintain a project of this scale -- fortunately, JPMorgan uses Continuous Delivery, with 10,000 to 15,000 production changes per week, according to Tselman. The eFinancialCareers site argues that banks "have been dragging their feet," adding that JPMorgan is not the only bank that still hasn't migrated to Python 3. 
The Python volunteers are pointing concerned individuals to the Python 2.7 Countdown Clock, and their announcement also links to a list of support and migration vendors, adding "If you can pay to hire someone to help you, post on the job board or hire a consultant. If you need free help from volunteers, look at this help page."

Released from Prison, Spammer Who Stole 17.5 Million Passwords Apologizes and Reforms

Sun, 09/15/2019 - 03:34
An anonymous reader quotes ZDNet: Kyle Milliken, a 29-year-old Arkansas man, was released last week from a federal work camp. He served 17 months for hacking into the servers of several companies and stealing their user databases. Some of the victims included Disqus, from where he stole 17.5 million user records, Kickstarter, from where he took 5.2 million records, and Imgur, with 1.7 million records. For years, Milliken and his partners operated by using the credentials stolen from other companies to break into more lucrative accounts on other services. If users had reused their passwords, Milliken would access their email inboxes, Facebook, Twitter, or Myspace accounts, and post spam promoting various products and services. From 2010 to 2014, Milliken and his colleagues operated a successful spam campaign using this simple scheme, making more than $1.4 million in profits, and living the high life. Authorities eventually caught up with the hacker. He was arrested in 2014, and collaborated with authorities for the following years, until last year, when it leaked that he was collaborating with authorities and was blackballed on the cybercrime underground.... In an interview with ZDNet last week, Milliken said he's planning to go back to school and then start a career in cyber-security... [H]e publicly apologized to the Kickstarter CEO on Twitter. "I've had a lot of time to reflect and see things from a different perspective," Milliken told ZDNet. "When you're hacking or have an objective to dump a database, you don't think about who's on the other end. There's a lot of talented people, a ton of work, and even more money that goes into creating a company... there's a bit of remorse for putting these people through cyber hell." He also has a message for internet users: stop reusing your passwords. And he also suggests enabling two-factor authentication. "I honestly think that the big three email providers (Microsoft, Yahoo, Google) added this feature because of me."

Would Consumers Be Safer With a National Data Broker Registry?

Sat, 09/14/2019 - 23:34
"A comprehensive national privacy law cannot be developed overnight..." argues the chief "data ethics officer" for Acxiom, a database marketing company, in a New York Times op-ed: Still, people deserve to know who is collecting data about them, why it's being collected and the types of companies with which the data is being shared. They should also have assurances that companies collecting data have adequate measures in place to ensure security and confidentiality. That's why, until we have a national privacy law, we should pursue a national data broker registry to help consumers discover this information -- and learn the difference between good data actors and bad ones. People who today use Facebook, Google, Amazon and Apple understand that these companies collect their data in an effort to improve their experience and to generate revenue by selling advertising. But there is less awareness of companies -- generally referred to as data brokers -- that collect, source and otherwise license information about consumers who are not their customers. The growing commercial use of data is outpacing the public's understanding.... Data-driven marketing helps businesses reduce wasteful ad spending and helps fund free or low-cost consumer products and services on the internet, including free search, email and social media platforms, as well as customized content. In many cases, it also funds the press and other channels of expression. Our business is underpinned by policies on comprehensive data governance, in an effort to ensure that data use is transparent, fair and just, that there are benefits for both businesses and consumers. We help marketers follow the golden rule of business -- "Know Your Customer" -- so that they can deliver a better experience. Unfortunately, the irresponsible actions of some individuals and organizations have cast a shadow over our industry. They violate consumers' privacy, profit from stolen data and commit fraud. 
Increasing transparency -- initially through a data broker registry and ultimately through a robust and balanced national privacy law -- would help reduce the conflation of legitimate, regulated entities with unethical companies and criminals.

Two Penetration Testers Arrested For Attempted Burglary

Sat, 09/14/2019 - 07:34
Somewhere along the North Raccoon River in Adel, Iowa -- population 3,682 -- two men were arrested for trying to break into the county courthouse. And then things got weird, the Des Moines Register reports: The men, outfitted with numerous burglary tools, told authorities they were on contract to test out the courthouse alarm system's viability and to gauge law enforcement's response time, an alleged contract that Dallas County officials said they had no knowledge of, according to a criminal complaint. Authorities later found out the state court administration did, in fact, hire the men to attempt "unauthorized access" to court records "through various means" in order to check for potential security vulnerabilities of Iowa's electronic court records, according to Iowa Judicial Branch officials. But, the state court administration "did not intend, or anticipate, those efforts to include the forced entry into a building," a Wednesday news release from the Iowa Judicial Branch read. Evidently, the courthouse's security system did its job. The alarm system was triggered by the two men whom law enforcement found walking around the courthouse's third floor at about 12:30 a.m. Wednesday, court records show. Justin Wynn, of Naples, Florida, and Gary Demercurio, 43, of Seattle, Washington, were both charged with third-degree burglary and possession of burglary tools. Their bond has been set at $50,000. "Our employees work diligently to ensure our engagements are conducted with utmost integrity and in alignment with the objectives of our client," their employer, the cybersecurity company Coalfire, told the Inquirer. When they contacted county sheriff Chad Leonard, he would only say that "It's a strange case. We're still investigating this thing."

Huawei CEO Offers To License 5G Tech To American Companies In Peace Offer To Trump

Fri, 09/13/2019 - 15:40
An anonymous reader quotes a report from the BBC: Huawei's chief executive has proposed selling its current 5G know-how to a Western firm as a way to address security concerns voiced by the U.S. and others about its business. Ren Zhengfei said the buyer would be free to "change the software code." That would allow any flaws or supposed backdoors to be addressed without Huawei's involvement. Huawei has repeatedly denied claims that it would help the Chinese government spy on or disrupt other countries' telecoms systems, and says it is a private enterprise owned by its workers. Huawei's founder Ren Zhengfei made the proposal in interviews with the Economist and the New York Times. It would include ongoing access to the firm's existing 5G patents, licenses, code, technical blueprints and production engineering knowledge. "[Huawei is] open to sharing our 5G technologies and techniques with U.S. companies, so that they can build up their own 5G industry," the NYT quoted Ren as saying. "This would create a balanced situation between China, the U.S. and Europe." Speaking to the Economist he added: "A balanced distribution of interests is conducive to Huawei's survival." A spokesman for Huawei has confirmed the quotes are accurate and the idea represents a "genuine proposal." South Korea's Samsung and China's ZTE are other alternatives. "Huawei misunderstands the underlying problem," Hosuk Lee-Makiyama, from the European Centre for International Political Economy, told the BBC. "The issue is not the trustworthiness of Huawei as a vendor but the legal obligations that the Chinese government imposes on it. "China's National Intelligence Law requires Chinese businesses and citizens to surrender any data or 'communication tools' they may have access to, under strict punitive sanctions," said Lee-Makiyama. "Any equipment or software that Huawei licenses to a U.S. entity would still fall under this obligation, and there is no way that the licensing entity or the intelligence agencies could scrutinize millions of lines of code for potential backdoors."

Giant Entercom Radio Network Gets Ransomwared

Fri, 09/13/2019 - 15:00
Newer Guy writes: Entercom Communications, one of the USA's largest radio broadcasting companies, has been hit with a ransomware-like incident. It apparently came in from a computer in the programming department and has taken out the company's email system and servers. All their radio stations across the country have been affected. The ransomware people demanded half a million dollars to restore things; Entercom refused to pay.

T-Mobile Has a Secret Setting To Protect Your Account From Hackers That it Refuses To Talk About

Fri, 09/13/2019 - 08:41
T-Mobile has a feature that gives its customers more protection from hackers trying to steal their phone number, but you probably don't know it exists because the company doesn't advertise it publicly and won't even talk about it. From a report: It's called "NOPORT" and, in theory, it makes it a bit harder for criminals to hijack phone numbers with an attack known as "SIM swapping," a type of social engineering that is increasingly being used to steal people's phone numbers. SIM swapping attackers usually trick wireless providers into giving them control of a target's phone number by impersonating the victim with a company's customer support representatives -- usually on a phone call. T-Mobile's NOPORT feature makes this harder by requiring customers to physically come to a store and present a photo ID in order to request that their number be ported out to a different carrier or a new SIM card. In theory, this should make it impossible for someone to do a SIM swap (also known as SIM hijacking or port-out scam) over the phone. But it's unclear whether all T-Mobile customers can have NOPORT or how effective it really is. T-Mobile doesn't even inform customers that it exists. I learned about it from a tipster, and then confirmed that it is indeed real. I was able to activate the feature on my own T-Mobile account by calling customer service and asking for it to be put on the account, but the company has declined to answer specific questions about the feature.

Mozilla Launches Paid Premium Support for Enterprise Customers

Fri, 09/13/2019 - 06:00
Mozilla has quietly launched a new product for enterprise customers: the ability to buy paid premium support for Firefox. From a report: The premium enterprise support for Firefox costs $10 per supported installation and offers customers the ability to submit bugs privately, get critical security bug fixes, get access to a private customer portal, get access to the enterprise critical issues distribution list, and have the ability to contribute to Firefox and its roadmap. According to Mozilla, it will support Firefox installations as long as they are running on machines that meet the system requirements. Windows, Mac, and Linux-based operating systems are listed in the system requirements, so all platforms should be covered by the premium support.

New Simjacker Attack Exploited In the Wild To Track Users For At Least Two Years

Thu, 09/12/2019 - 08:50
Security researchers today disclosed a major SMS-based attack method being abused in the real world by a surveillance vendor to track and monitor individuals. An anonymous reader shares a report: "We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals," security researchers from AdaptiveMobile Security said in a report. "We believe this vulnerability has been exploited for at least the last 2 years by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance." The attack, named Simjacker, works by attackers sending SMS messages to victims' phones. The SMS messages contain STK instructions that are run by a victim's SIM card to gather location data and the IMEI code, which is then sent through an SMS message to a logging system. Researchers said they've seen Simjacker being abused to track hundreds of victims for two years, yet it is unclear if the victims are criminals tracked by law enforcement, or dissidents tracked by oppressive regimes. Over one billion smartphone users use SIM cards deemed vulnerable to this attack.

Most Android Flashlight Apps Request An Absurd Number of Permissions

Wed, 09/11/2019 - 18:20
Out of 937 flashlight apps on the Play Store, Avast Security Evangelist Luis Corrons found that the vast majority requested a large number of permissions, with an average of 25 permissions per app. ZDNet reports: "There might be variables average users are not aware of and that are needed for these apps to work, but if 408 of the apps need just 10 permissions or less, which seems fairly reasonable, how come there are 262 apps that require 50 permissions or more," Corrons said in a report published this week. The Avast researcher said he found 77 flashlight apps that requested more than 50 permissions, which is about a third of the total number of permissions the Android OS supports. The champions were two apps that requested 77 permissions, followed by another three, which requested 76. But while Corrons said that some apps appeared to justify some of the permissions they asked for, these were only an exception to the rule.
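The kind of count behind those figures can be reproduced on any app whose manifest you have unpacked. The script below is an added example, not code from Avast or from the Slashdot digest: it parses `AndroidManifest.xml`, counts the `uses-permission` entries (handling the `android:` XML namespace that trips up naive string searches), buckets the app with the report's own thresholds (10 or fewer reasonable, 50 or more excessive), and lists which of the declared permissions touch personal data a torch has no reason to read. The two manifests are constructed for the example, the `EXTRA_n` names used to pad the second one to 55 entries are placeholders, and the sensitive-permission list is illustrative rather than exhaustive.

```python
"""Audit the permissions an Android app declares in AndroidManifest.xml.

Added example; manifests and thresholds are constructed from the figures in
the report, not taken from any real flashlight app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree's Clark notation for android:name

# Permissions a torch app can plausibly justify.
EXPECTED_FOR_FLASHLIGHT = {
    "android.permission.CAMERA",      # the LED is driven through the camera API
    "android.permission.FLASHLIGHT",  # legacy torch permission
}

# Real permission names that expose personal data or sensors a flashlight
# does not need (illustrative list, not exhaustive).
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
}


def declared_permissions(manifest_xml):
    """Return the sorted, de-duplicated <uses-permission android:name> values."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if name:
                perms.add(name)
    return sorted(perms)


def audit(manifest_xml):
    """Count permissions and flag the ones out of line with a torch's job."""
    perms = declared_permissions(manifest_xml)
    count = len(perms)
    if count <= 10:
        bucket = "reasonable"   # the report's 408 apps with 10 or fewer
    elif count >= 50:
        bucket = "excessive"    # the report's 262 apps with 50 or more
    else:
        bucket = "elevated"
    return {
        "count": count,
        "bucket": bucket,
        "sensitive": sorted(set(perms) & SENSITIVE),
        "unexpected": sorted(set(perms) - EXPECTED_FOR_FLASHLIGHT),
    }


def make_manifest(names):
    """Build a minimal manifest declaring the given permissions (constructed data)."""
    body = "\n".join('  <uses-permission android:name="%s"/>' % n for n in names)
    return ('<manifest xmlns:android="%s" package="com.example.torch">\n'
            '%s\n  <application/>\n</manifest>' % (ANDROID_NS, body))


# A torch that asks only for what it needs.
MINIMAL_TORCH = make_manifest(
    ["android.permission.CAMERA", "android.permission.FLASHLIGHT"])

# A torch that reads contacts, location, microphone and SMS, padded with
# placeholder EXTRA_n names so the count lands in the "excessive" bucket.
GREEDY_TORCH = make_manifest(
    ["android.permission.CAMERA",
     "android.permission.READ_CONTACTS",
     "android.permission.ACCESS_FINE_LOCATION",
     "android.permission.RECORD_AUDIO",
     "android.permission.READ_SMS"]
    + ["android.permission.EXTRA_%d" % i for i in range(50)])

if __name__ == "__main__":
    for label, manifest in (("minimal", MINIMAL_TORCH), ("greedy", GREEDY_TORCH)):
        print(label, audit(manifest))
```

On a real APK the manifest is stored in binary XML and must be decoded first (apktool or aapt2 `dump permissions` both do that); the audit logic is the same once you have text.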

Google To Run DNS-over-HTTPS (DoH) Experiment in Chrome

Wed, 09/11/2019 - 06:45
Google has announced plans to test the new DNS-over-HTTPS (DoH) protocol inside Google Chrome starting with v78, scheduled for release in late October this year. From a report: The DNS-over-HTTPS protocol works by sending DNS requests to special DoH-compatible DNS resolvers. The benefit comes from the fact that DNS requests are sent via port 443, as encrypted HTTPS traffic, rather than cleartext, via port 53. This hides DoH requests in the unending stream of HTTPS traffic that moves across the web at any moment of the day and prevents third-party observers from tracking users' browsing histories by recording and looking at their unencrypted DNS data. The news that Google is looking into testing DoH in Chrome comes just as Mozilla announced plans over the weekend to gradually enable DoH by default for a small subset of users in the US later this month.
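To make the port 443 versus port 53 point concrete, here is an added example of what a DoH client actually puts on the wire; it is not code from the Slashdot digest, from Chrome or from Firefox. It builds the same DNS wire-format query that would otherwise go to port 53 in the clear, wraps it in the two forms RFC 8484 allows (a GET with the message base64url-encoded in the `dns` query parameter, or a POST with body type `application/dns-message`), and decodes a resolver's answer. The resolver host `dns.example` and the response bytes are constructed for the example, and nothing is sent over the network; on a live connection an on-path observer would see only TLS to port 443.

```python
"""Build and decode DNS-over-HTTPS (RFC 8484) messages without touching the network.

Added example; the resolver name and the sample response are constructed.
"""
import base64
import struct

DOH_PATH = "/dns-query"   # path used by public DoH resolvers per RFC 8484
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A):
    """DNS query message with ID 0, as RFC 8484 recommends so that identical
    questions give identical bytes and HTTP caches can serve them."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question


def doh_get_url(resolver_host, query):
    """GET form: the wire message, base64url-encoded with padding stripped."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "https://%s%s?dns=%s" % (resolver_host, DOH_PATH, b64)


def doh_post_request(resolver_host, query):
    """POST form: headers plus the raw wire message as the body."""
    headers = {
        "Host": resolver_host,
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
        "Content-Length": str(len(query)),
    }
    return headers, query


def skip_name(msg, off):
    """Advance past a name that may end in a compression pointer (0xC0xx)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:     # pointer occupies 2 bytes and ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_a_records(msg):
    """Return dotted IPv4 strings from the answer section of a DoH response body."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        off = skip_name(msg, off) + 4         # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed resolver answer: flags 0x8180 (QR, RD, RA), the question echoed,
# one A record whose name is a pointer to offset 12, TTL 300, address 192.0.2.1
# (an address from the documentation range, not a real host).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("dns.example", q))
    print(doh_post_request("dns.example", q)[0])
    print(parse_a_records(SAMPLE_RESPONSE))
```

The GET URL for `example.com` comes out as `https://dns.example/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE`; the first sixteen characters match the worked example in RFC 8484 because every type-A query shares the same 12-byte header. Which resolver receives that request is the part that matters for privacy, since the resolver still sees every name in the clear.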

281 Alleged Email Scammers Arrested In Massive Global Sweep

Wed, 09/11/2019 - 02:00
The Department of Justice today announced the arrest of 281 suspects in connection with email scams and wire transfer fraud. The action is the biggest of its kind yet against this type of digital scammer, and is a strong symbol of law enforcement's sense of urgency in trying to contain a rapidly growing threat. Wired reports: You're familiar with crimes like this, even if you don't know them by their proper name of "business email compromise" schemes. It involves the coordinated crafting of compelling scam emails that trick employees or vulnerable individuals into sending money, then using strategic mules to wire the funds back to the perpetrators. Such scams have ballooned in recent years, costing victims tens of billions of dollars over time. The DOJ said the new round of arrests took four months to carry out across 10 countries, and resulted in the seizure of almost $3.7 million. Tuesday's law enforcement initiative, dubbed Operation reWired, involved extensive international coordination to make 167 arrests in Nigeria, 74 in the United States, 18 in Turkey, and 15 in Ghana. The remainder took place in France, Italy, Japan, Kenya, Malaysia, and the United Kingdom. Research and law enforcement investigations have shown that a large proportion of all email scamming originates in West Africa, specifically Nigeria, but the scams have spread, partly because some West African actors have moved around the world. The new arrest of 281 suspects involved global coordination among law enforcement agencies. In the U.S. alone, Operation reWired involved the DOJ, the Department of Homeland Security, the Treasury, the State Department, and the Postal Inspection Service.

Is Microsoft a Digital Nation and Does It Have a Secretary of State?

Tue, 09/10/2019 - 17:00
Longtime Slashdot reader cccc828 shares a report from The Economist, which poses the question: Is Microsoft a digital nation and does it have a secretary of state? "The answer of Brad Smith, the software giant's top lawyer, is, well, diplomatic," the report says. "Nation states are run by governments and firms need to be accountable to them, he says. But yes, he admits, he worries a lot about geopolitics these days." Here's an excerpt from the report: Mr Smith presides over an operation comparable in size to the foreign office of a mid-sized country. Its 1,500 employees work in departments like "Law Enforcement and National Security" or "Digital Diplomacy Group." It has outposts in 56 countries, sending regular cables to headquarters in Redmond, near Seattle. Mr Smith is as itinerant as a foreign minister. In one year he visited 22 countries and met representatives of 40 governments. [...] Mr Smith says a coherent corporate foreign policy is simply good business: it creates trust, which attracts customers. His doctrine indeed sits well with Microsoft's business model, based on sales of services and software. It can afford to be more of a purist on privacy and the spread of disinformation, the most politically contentious tech issues of the day, than giants whose profits come from targeted advertising on social networks. Acknowledging Microsoft's mixed record in the past, the article concludes: A dose of hypocrisy is perhaps inevitable in an organization the size of Microsoft. Critics level a more fundamental charge against its foreign policy, however. Where, they ask, does it -- and fellow tech giants -- derive the legitimacy to be independent actors on the international stage? This is the wrong question to pose. As businesses, they have every right to defend the interests of shareholders, employees and customers. As global ones, their priorities may differ from those of their home country's elected officials. 
And as entities which control much of the world's digital infrastructure, they should have a say in designing the international norms which govern it. At a time when many governments refuse to lead, why should the firms not be allowed to? Especially if, like Microsoft's, their efforts blend principles with pragmatism. How does your company deal with the ever more complex realities of world politics?

Weakness In Intel Chips Lets Researchers Steal Encrypted SSH Keystrokes

Tue, 09/10/2019 - 14:25
An anonymous reader quotes a report from Ars Technica: In late 2011, Intel introduced a performance enhancement to its line of server processors that allowed network cards and other peripherals to connect directly to a CPU's last-level cache, rather than following the standard (and significantly longer) path through the server's main memory. By avoiding system memory, Intel's DDIO -- short for Data-Direct I/O -- increased input/output bandwidth and reduced latency and power consumption. Now, researchers are warning that, in certain scenarios, attackers can abuse DDIO to obtain keystrokes and possibly other types of sensitive data that flow through the memory of vulnerable servers. The most serious form of attack can take place in data centers and cloud environments that have both DDIO and remote direct memory access enabled to allow servers to exchange data. A server leased by a malicious hacker could abuse the vulnerability to attack other customers. To prove their point, the researchers devised an attack that allows a server to steal keystrokes typed into the protected SSH (or secure shell session) established between another server and an application server. "The researchers have named their attack NetCAT, short for Network Cache ATtack," the report adds. "Their research is prompting an advisory for Intel that effectively recommends turning off either DDIO or RDMA in untrusted networks." "The researchers say future attacks may be able to steal other types of data, possibly even when RDMA isn't enabled. They are also advising hardware makers do a better job of securing microarchitectural enhancements before putting them into billions of real-world servers." The researchers published their paper about NetCAT on Tuesday.