Slashdot security articles


Bitpoint Cryptocurrency Exchange Hacked For $32 Million

Fri, 07/12/2019 - 08:15
Japan-based cryptocurrency exchange Bitpoint announced it lost 3.5 billion yen (roughly $32 million) worth of cryptocurrency assets after a hack that happened late yesterday, July 11. From a report: The exchange suspended all deposits and withdrawals this morning to investigate the hack, it said in a press release. In a more detailed document released by RemixPoint, the legal entity behind Bitpoint, the company said that hackers stole funds from both of its "hot" and "cold" wallets. This suggests the exchange's network was thoroughly compromised. Hot wallets are used to store funds for current transactions, while the cold wallets are offline devices storing emergency and long-term funds. Bitpoint reported the attackers stole funds in five cryptocurrencies, including Bitcoin, Bitcoin Cash, Litecoin, Ripple, and Ethereum. The exchange said it detected the hack because of errors related to the remittance of Ripple funds to customers. Twenty-seven minutes after detecting the errors, Bitpoint admins realized they had been hacked, and three hours later, they discovered thefts from other cryptocurrency assets.

Microsoft is Making Windows 10 Passwordless

Fri, 07/12/2019 - 06:44
Microsoft is planning to make Windows 10 PCs work without passwords. From a report: While the company has been working on removing passwords from Windows 10 and its Microsoft Accounts for a number of months now, the next major update to Windows 10 next year will go one step further. You'll soon be able to enable a passwordless sign-in for Microsoft accounts on a Windows 10 device. This means PCs will use Windows Hello face authentication, fingerprints, or a PIN code. The password option will simply disappear from the login screen, if you decide to opt in to this new "make your device passwordless" feature. [...] This will also extend to business users through Azure Active Directory, allowing businesses to go fully passwordless with security keys, the authenticator app, or Windows Hello.

Parks and Recreation Centers Are Using Sonic Devices That Play High-Pitched Noises To Repel Teens

Thu, 07/11/2019 - 18:10
NPR reports on the various parks and recreation centers in North America that are using sonic devices to repel teens from the premises. Philadelphia, for example, has 30 parks and recreation centers that are outfitted with a small speaker called the Mosquito. "It blares a constant, high-pitched ringing noise all night long -- but one that only teenagers and young adults can hear," reports NPR. "Anyone over age 25 is supposed to be immune because, basically, their ear cells have started to die off." From the report: Philadelphia parks officials have been installing the device since 2014, reported WHYY's Billy Penn, intending to shoo rowdy youths from the premises. And it's not the only U.S. city to do so. Mosquito's Vancouver-based manufacturer Moving Sound Technologies works with roughly 20 parks departments around the country to implement the youth-repellent devices, says president Michael Gibson. It's intended to prevent loitering and vandalism by teens and young adults at public facilities. But some say this age-based targeting is a form of prejudice. Philadelphia City Council member Helen Gym refers to the devices as "sonic weapons" -- and she's working to get them removed. [I]n Philadelphia, Parks & Recreation defends its use of the Mosquito, saying the devices are operational from 10 p.m. to 6 a.m. only, and they're just one part of an overall anti-vandalism strategy that includes fences and gates, security cameras and night watch staff. For now, the city is moving forward with installation. Despite the backlash, two new Mosquito devices are being installed at other city playgrounds as part of major renovation projects.

Microsoft Stirs Suspicions By Adding Telemetry Files To Security-Only Update

Thu, 07/11/2019 - 16:50
An anonymous reader quotes a report from ZDNet: As expected, Windows Update dropped off several packages of security and reliability fixes for Windows 7 earlier this week, part of the normal Patch Tuesday delivery cycle for every version of Windows. But some hawk-eyed observers noted a surprise in one of those Windows 7 packages. What was surprising about this month's Security-only update, formally titled the "July 9, 2019 -- KB4507456 (Security-only update)," is that it bundled the Compatibility Appraiser, KB2952664, which is designed to identify issues that could prevent a Windows 7 PC from updating to Windows 10. Among the fierce corps of Windows Update skeptics, the Compatibility Appraiser tool is to be shunned aggressively. The concern is that these components are being used to prepare for another round of forced updates or to spy on individual PCs. The word telemetry appears in at least one file, and for some observers it's a short step from seemingly innocuous data collection to outright spyware. [...] I strongly suspect that some part of the Appraiser component on Windows 7 SP1 had a security issue of its own. If that's the case, then the updates indisputably belong in a Security-only update. And if they happen to get installed on systems where administrators had taken special precautions not to install those components, Microsoft's reaction seems to be, "Well ... tough." "The Appraiser tool was offered via Windows Update, both separately and as part of a monthly rollup update two years ago; as a result, most of the declining population of Windows 7 PCs already has it installed," the report notes.

Malicious Apps Infect 25 Million Android Devices With 'Agent Smith' Malware

Thu, 07/11/2019 - 14:50
An anonymous reader quotes a report from Phys.Org: Malicious apps from a campaign called "Agent Smith" have been downloaded to 25 million Android devices, according to new research by cyber-security firm Check Point. The apps, most of them games, were distributed through third-party app stores by a Chinese group with a legitimate business helping Chinese developers promote their apps on outside platforms. Check Point is not identifying the company, because they are working with local law enforcement. About 300,000 devices were infected in the U.S. The malware was able to copy popular apps on the phone, including WhatsApp and the web browser Opera, inject its own malicious code and replace the original app with the weaponized version, using a vulnerability in the way Google apps are updated. The hijacked apps would still work just fine, which hid the malware from users. Armed with all the permissions users had granted to the real apps, "Agent Smith" was able to hijack other apps on the phone to display unwanted ads to users. That might not seem like a significant problem, but the same security flaws could be used to hijack banking, shopping and other sensitive apps, according to Aviran Hazum, head of Check Point's analysis and response team for mobile devices. There was also a "dormant" version of "Agent Smith" in 11 apps on the Play Store, which could have been triggered into action by a banner ad containing the keyword "infect." The apps have since been removed from the Play Store, but had over 10 million downloads.

German Banks Are Moving Away From SMS One-Time Passcodes

Thu, 07/11/2019 - 14:10
Multiple German banks have announced plans to drop support for SMS-based one-time passcodes (OTP) as a login authentication and transaction verification method. From a report: Postbank plans to drop support in August, while Raiffeisen Bank and Volksbank plan to do so in the fall, Handelsblatt reports. Deutsche Bank and Commerzbank also plan to drop support for SMS OTP but have not announced a deadline, while Consorsbank plans to discontinue it by the end of the year. Other banks like DKB and N26 have never deployed the technology, while ING has not made any public statements on its plans. The reason why German banks are dropping support for SMS OTP is because of legislation that the EU passed in 2015, set to enter into effect on September 14, this year. In 2015, the EU revised the Payment Services Directive (PSD), a set of rules that govern online payments in the EU, and issued an updated version called the PSD2. This legislation also included a clause for strong customer authentication (SCA) mechanisms.

Investigating Some Subscription Scam iOS Apps

Thu, 07/11/2019 - 13:30
Security engineer Ivan writes: For some reason Apple allows "subscription scam" apps on the App Store. These are apps that are free to download and then ask you to subscribe right on launch. It's called the freemium business model, except these apps ask you to subscribe for "X" feature(s) immediately when you launch them, and keep doing so, annoyingly, over and over until you finally subscribe. By subscribing you get a number of "free days" (trial) and then they charge you weekly/monthly/yearly for very basic features like scanning QR Codes. I've been trying to monitor apps that have these characteristics: 1. They have In-App purchases for their subscriptions. 2. They have bad reviews, especially with words like "scam" or "fraud". 3. Their "good" reviews are generic, potentially bot-generated. This weekend I focused on 5 apps from 2 different developers and to my surprise they are very similar, not only their UI/UX but also their code is shared and their patterns are absolutely the same. Aside from being classic subscription scam apps, I wanted to examine how they work internally, how they communicate with their servers and what type of information they are sending.

Google Admits Partners Leaked More Than 1,000 Private Conversations With Google Assistant

Thu, 07/11/2019 - 11:30
Google admitted on Thursday that more than 1,000 sound recordings of customer conversations with the Google Assistant were leaked by some of its partners to a Belgian news site. From a report: These conversations are used by companies such as Google and Amazon -- which takes clips from the Amazon Echo -- to improve voice responses from their smart assistants. They are supposed to be kept confidential. But Belgian news site VRT said on Wednesday that a contractor provided it with samples of these sound samples, which VRT then used to identify some of the people in the clips. It also examined the sorts of conversations that Google collects when people say "OK Google" into a phone or a Google Home product. Among other things, VRT heard customer addresses. Sources who talked to the publication also described hearing recordings of a woman in distress and people talking about medical conditions. Google has now admitted the recordings were leaked. "We just learned that one of these language reviewers has violated our data security policies by leaking confidential Dutch audio data," Google product manager of search David Monsees said in a blog post. "Our Security and Privacy Response teams have been activated on this issue, are investigating, and we will take action. We are conducting a full review of our safeguards in this space to prevent misconduct like this from happening again."

US Mayors Group Adopts Resolution Not To Pay Any More Ransoms To Hackers

Thu, 07/11/2019 - 10:50
The US Conference of Mayors unanimously adopted a resolution this week to not pay any more ransom demands to hackers following ransomware infections. From a report: "Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit," the adopted resolution reads. "The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm," it said. "NOW, THEREFORE, BE IT RESOLVED, that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach." The resolution adopted this week at the 87th annual meeting of the US Conference of Mayors doesn't have any legal binding, but can be used as an official position to justify administrative actions, for both federal authorities and taxpayers alike. The Conference of Mayors includes over 1,400 mayors from across the US, representing cities with a population of over 30,000. The organization said that "at least 170 county, city, or state government systems have experienced a ransomware attack since 2013," and "22 of those attacks have occurred in 2019 alone."

Apple Disables Walkie Talkie App Due To Vulnerability That Could Allow iPhone Eavesdropping

Thu, 07/11/2019 - 06:10
Apple has disabled the Apple Watch Walkie Talkie app due to an unspecified vulnerability that could allow a person to listen to another customer's iPhone without consent. From a report: Apple has apologized for the bug and for the inconvenience of being unable to use the feature while a fix is made. The Walkie Talkie app on Apple Watch allows two users who have accepted an invite from each other to receive audio chats via a 'push to talk' interface reminiscent of the PTT buttons on older cell phones.

Apple Pushes a Silent Mac Update To Remove Hidden Zoom Web Server

Wed, 07/10/2019 - 21:30
Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission. TechCrunch reports: The Cupertino, Calif.-based tech giant told TechCrunch that the update -- now released -- removes the hidden web server, which Zoom quietly installed on users' Macs when they installed the app. Apple said the update does not require any user interaction and is deployed automatically. Although Zoom released a fixed app version on Tuesday, Apple said its actions will protect users both past and present from the undocumented web server vulnerability without affecting or hindering the functionality of the Zoom app itself. The update will now prompt users if they want to open the app, whereas before it would open automatically.

Banned Chinese Security Cameras Are Almost Impossible To Remove

Wed, 07/10/2019 - 16:03
An anonymous reader quotes a report from Bloomberg: U.S. federal agencies have five weeks to rip out Chinese-made surveillance cameras in order to comply with a ban imposed by Congress last year in an effort to thwart the threat of spying from Beijing. But thousands of the devices are still in place and chances are most won't be removed before the Aug. 13 deadline. A complex web of supply chain logistics and licensing agreements makes it almost impossible to know whether a security camera is actually made in China or contains components that would violate U.S. rules. The National Defense Authorization Act, or NDAA, which outlines the budget and spending for the Defense Department each year, included an amendment for fiscal 2019 that would ensure federal agencies do not purchase Chinese-made surveillance cameras. The amendment singles out Zhejiang Dahua Technology Co. and Hangzhou Hikvision Digital Technology Co., both of which have raised security concerns with the U.S. government and surveillance industry. Despite the looming deadline to satisfy the NDAA, at least 1,700 Hikvision and Dahua cameras are still operating in places where they've been banned, according to San Jose, California-based Forescout Technologies, which has been hired by some federal agencies to determine what systems are running on their networks. The actual number is likely much higher, said Katherine Gronberg, vice president of government affairs at Forescout, because only a small percentage of government offices actually know what cameras they're operating. The agencies that use software to track devices connected to their networks should be able to comply with the law and remove the cameras in time, Gronberg said. "The real issue is for organizations that don't have the tools in place to detect the banned devices," she added.
Also, since many of Dahua and Hikvision's cameras are sent to equipment manufacturers and sold under those brands, those cameras have completely different labels and packaging. This means it would be nearly impossible to tell if the thousands of video cameras installed across the country are actually re-labelled Chinese devices.

Samba 4.11 Removes SMB1 File-Sharing Protocol Version By Default

Wed, 07/10/2019 - 14:40
Samba says version 4.11.0 will switch off previously on-by-default support for the aging and easily subverted SMB1 protocol. Slashdot reader Jeremy Allison - Sam shares a report from The Register detailing the new changes: The open-source SMB toolkit's developers say the Samba 4.11 build, currently in preview, will by default set SMB2_02 as the earliest supported version of the Windows file-sharing protocol. Admins will still have the option to allow SMB1 on their servers if they so choose, but support will be turned off by default. The move by Samba to drop SMB1 can be seen as long overdue, given that Microsoft has been moving to get rid of the file-server protocol version from its operating systems for several years now, even before it was revealed to be one of the NSA's favorite weak points to exploit. You can read the 4.11 release notes here.
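A configuration check for the change the report describes, added here as an example and not Samba's own code: it parses an smb.conf and reports whether the effective `server min protocol` still admits an SMB1 dialect. The dialect ordering and the SMB2/SMB3 aliases follow my reading of the smb.conf documentation (an assumption), and the sample configs are constructed.

```python
"""Audit an smb.conf for SMB1 exposure, the setting Samba 4.11 closes by default."""
import configparser

# Samba dialect names in ascending order. Everything below SMB2_02 is an SMB1
# dialect; SMB2_02 is the floor Samba 4.11 applies when the key is unset.
# Assumption: the aliases SMB2 and SMB3 resolve to the top dialect of their family.
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
SMB1_DIALECTS = set(DIALECTS[:DIALECTS.index("SMB2_02")])

# Constructed example configs (not from the page).
LEGACY_CONF = """
[global]
   workgroup = WORKGROUP
   # explicitly reopens SMB1 for an old network scanner
   server min protocol = NT1
[scans]
   path = /srv/scans
"""
HARDENED_CONF = """
[Global]
   workgroup = WORKGROUP
   Server Min Protocol = SMB2_02
"""
UNSET_CONF = "[global]\n   workgroup = WORKGROUP\n"


def parse_smb_conf(text):
    """Parse smb.conf text with configparser after smoothing over Samba-isms."""
    # smb.conf is indented by convention, and configparser would read indented
    # lines as value continuations, so strip each line. Section and key names
    # are case-insensitive in Samba, so normalise them to lowercase as well.
    lines = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            line = line.lower()
        lines.append(line)
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = lambda key: " ".join(key.lower().split())
    parser.read_string("\n".join(lines))
    return parser


def effective_min_protocol(text, build_default="SMB2_02"):
    """Return the dialect floor this config enforces.

    build_default is what the running Samba build uses when the key is absent:
    SMB2_02 from 4.11 on, an SMB1 dialect on the older builds the report mentions.
    """
    parser = parse_smb_conf(text)
    raw = None
    if parser.has_section("global"):
        section = parser["global"]
        # "min protocol" is the documented synonym of "server min protocol".
        raw = section.get("server min protocol", section.get("min protocol"))
    level = (raw if raw is not None else build_default).strip().upper()
    return ALIASES.get(level, level)


def smb1_allowed(text, build_default="SMB2_02"):
    """True if this config still lets an SMB1 client negotiate a session."""
    level = effective_min_protocol(text, build_default)
    if level not in DIALECTS:
        # Unknown token: report it as exposed so it gets a human look, not a silent pass.
        return True
    return level in SMB1_DIALECTS


if __name__ == "__main__":
    for name, conf in [("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF), ("unset", UNSET_CONF)]:
        print(name, effective_min_protocol(conf), "SMB1 allowed:", smb1_allowed(conf))
```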

Hackers Breached Greece's Top-Level Domain Registrar

Wed, 07/10/2019 - 13:25
State-sponsored hackers have breached ICS-Forth, the organization that manages Greece's top-level domain country codes of .gr and .el. From a report: ICS-Forth, which stands for the Institute of Computer Science of the Foundation for Research and Technology, publicly admitted to the security incident in emails it sent to domain owners on April 19. The hackers behind the breach are the same group detailed in a Cisco Talos report from April, which the company named Sea Turtle. The group uses a relatively novel approach to hacking targets. Instead of targeting victims directly, they breach or gain access to accounts at domain registrars and managed DNS providers where they make modifications to a company's DNS settings. By modifying DNS records for internal servers, they redirect traffic meant for a company's legitimate apps or webmail services to clone servers where they carry out man-in-the-middle attacks and intercept login credentials.

Academics Steal Data From Air-Gapped Systems Via a Keyboard's LEDs

Wed, 07/10/2019 - 12:45
The Caps Lock, Num Lock, and Scroll Lock LEDs on a keyboard can be used to exfiltrate data from a secure air-gapped system, academics from an Israeli university have proved. From a report: The attack, which they named CTRL-ALT-LED, is nothing that regular users should worry about but is a danger for highly secure environments such as government networks that store top-secret documents or enterprise networks dedicated to storing non-public proprietary information. The attack requires some prerequisites, such as the malicious actor finding a way to infect an air-gapped system with malware beforehand. CTRL-ALT-LED is only an exfiltration method. But once these prerequisites are met, the malware running on a system can make the LEDs of a USB-connected keyboard blink at rapid speeds, using a custom transmission protocol and modulation scheme to encode the transmitted data. A nearby attacker can record these tiny light flickers, which they can decode at a later point, using the same modulation scheme used to encode it.

Firefox 68 Arrives With Darker Reader View, Recommended Extensions, and IT Customizations

Tue, 07/09/2019 - 13:40
Mozilla today launched Firefox 68 for Windows, Mac, Linux, Android, and iOS. Firefox 68 includes a darker reader view, recommended extensions, IT Pro customizations, and more. From a report: As part of this release, Mozilla has curated a list of recommended extensions "that have been thoroughly reviewed for security, usability, and usefulness." You can find the list on the Get Add-ons page in the Firefox Add-ons Manager (about:addons). While Firefox has had dark mode for months, the Reader View's dark contrast only covered the text area. Now, when you change the contrast to dark, all sections of the site (including sidebars and toolbars) will be immersed in dark mode. With Firefox 60, Mozilla introduced an enterprise version of the browser that employers can customize. This let IT professionals configure Firefox for their organization, either using Group Policy on Windows or a JSON file that works across Windows, Mac, and Linux. With Firefox 68, Mozilla has added more enterprise policies -- to configure or remove the new tab page, turn off search suggestions, and so on.

Mozilla Blocks UAE Bid To Become an Internet Security Guardian After Hacking Reports

Tue, 07/09/2019 - 13:00
Firefox browser maker Mozilla is blocking the United Arab Emirates' government from serving as one of its internet security gatekeepers, citing Reuters reports on a UAE cyber espionage program. From a report: Mozilla said in a statement on Tuesday it was rejecting the UAE's bid to become a globally recognized internet security watchdog, empowered to certify the safety of websites for Firefox users. Mozilla said it made the decision because cybersecurity firm DarkMatter would have administered the gatekeeper role and it had been linked by Reuters and other reports to a state-run hacking program. Reuters reported in January that Abu Dhabi-based DarkMatter provided staff for a secret hacking operation, codenamed Project Raven, on behalf of an Emirati intelligence agency. The unit was largely comprised of former U.S. intelligence officials who conducted offensive cyber operations for the UAE government. Former Raven operatives told Reuters that many DarkMatter executives were unaware of the secretive program, which operated from a converted Abu Dhabi mansion away from DarkMatter's headquarters.

Logitech Wireless USB Dongles Vulnerable To New Hijacking Flaws

Tue, 07/09/2019 - 09:40
A security researcher has publicly disclosed new vulnerabilities in the USB dongles (receivers) used by Logitech wireless keyboards, mice, and presentation clickers. New submitter raikoseagle shares a report: The vulnerabilities allow attackers to sniff keyboard traffic, but also inject keystrokes (even into dongles not connected to a wireless keyboard) and take over the computer to which a dongle has been connected. When encryption is used to protect the connection between the dongle and its paired device, the vulnerabilities also allow attackers to recover the encryption key. Furthermore, if the USB dongle uses a "key blacklist" to prevent the paired device from injecting keystrokes, the vulnerabilities allow the bypassing of this security protection system. Marcus Mengs, the researcher who discovered these vulnerabilities, said he notified Logitech about his findings, and the vendor plans to patch some of the reported issues, but not all.

Serious Zoom Security Flaw Could Let Websites Hijack Mac Cameras

Mon, 07/08/2019 - 21:30
Security researcher Jonathan Leitschuh has publicly disclosed a serious zero-day vulnerability for the Zoom video conference app on Macs that could allow websites to turn on user cameras without permission. The Verge reports: He has demonstrated that any website can open up a video-enabled call on a Mac with the Zoom app installed. That's possible in part because the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn't. In fact, if you uninstall Zoom, that web server persists and can reinstall Zoom without your intervention. Leitschuh details how he responsibly disclosed the vulnerability to Zoom back in late March, giving the company 90 days to solve the problem. According to Leitschuh's account, Zoom doesn't appear to have done enough to resolve the issue. The vulnerability was also disclosed to both the Chromium and Mozilla teams, but since it's not an issue with their browsers, there's not much those developers can do. The report notes that you can "patch" the vulnerability by making sure the Mac app is up to date and also disabling the setting that allows Zoom to turn your camera on when joining a meeting. "Again, simply uninstalling Zoom won't fix this problem, as that web server persists on your Mac," reports The Verge. "Turning off the web server requires running some terminal commands, which can be found at the bottom of the Medium post."

Microsoft Warns About Astaroth Malware Campaign

Mon, 07/08/2019 - 12:05
The Microsoft security team has issued a warning today about ongoing malware campaigns that are distributing the Astaroth malware using fileless and living-off-the-land techniques that make it harder for traditional antivirus solutions to spot the ongoing attacks. From a report: The attacks were detected by the team behind Windows Defender ATP, the commercial version of the company's Windows Defender free antivirus. Andrea Lelli, a member of the Windows Defender ATP team, said alarm bells sounded at Microsoft's offices when they detected a huge and sudden spike in usage of the Windows Management Instrumentation Command-line (WMIC) tool. This is a legitimate tool that ships with all modern versions of Windows, but the sudden spike in usage suggested a pattern specific to malware campaigns. When Microsoft looked closer, it discovered a malware campaign that consisted of a massive spam operation that was sending out emails with a link to a website hosting a .LNK shortcut file.
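A toy version of the signal the report describes, added here as an example and not Microsoft's detection logic: it buckets wmic.exe process creations by hour across a fleet and alerts when one hour dwarfs the median of the hours before it. The event records, host names and thresholds are constructed.

```python
"""Spot a sudden fleet-wide burst of wmic.exe launches in process-creation telemetry."""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed process-creation records (ISO timestamp, host, image name); not real telemetry.
# A handful of wmic.exe launches per hour is the normal admin/inventory background.
NORMAL_HOURS = [
    ("2019-07-08T08:15:00", "ws-01", "wmic.exe"),
    ("2019-07-08T08:40:00", "ws-02", "wmic.exe"),
    ("2019-07-08T09:05:00", "ws-03", "wmic.exe"),
    ("2019-07-08T09:30:00", "ws-01", "powershell.exe"),
    ("2019-07-08T10:10:00", "ws-01", "wmic.exe"),
    ("2019-07-08T10:20:00", "ws-04", "wmic.exe"),
    ("2019-07-08T10:55:00", "ws-02", "wmic.exe"),
    ("2019-07-08T11:30:00", "ws-05", "wmic.exe"),
    ("2019-07-08T11:45:00", "ws-01", "wmic.exe"),
    ("2019-07-08T12:05:00", "ws-06", "wmic.exe"),
    ("2019-07-08T12:20:00", "ws-03", "cmd.exe"),
    ("2019-07-08T12:50:00", "ws-02", "wmic.exe"),
]
# The burst: 25 launches on nine different hosts inside one hour, the shape a
# mass mailing that lands on many users at once would produce.
BURST_HOUR = [("2019-07-08T13:%02d:00" % m, "ws-%02d" % (m % 9 + 10), "wmic.exe")
              for m in range(0, 50, 2)]
SAMPLE_EVENTS = NORMAL_HOURS + BURST_HOUR


def hourly_buckets(events, image="wmic.exe"):
    """Count launches of `image` per hour and the distinct hosts seen in each hour."""
    counts, hosts = Counter(), {}
    for ts, host, img in events:
        if img.lower() != image:
            continue
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        counts[hour] += 1
        hosts.setdefault(hour, set()).add(host)
    return counts, hosts


def wmic_spikes(events, factor=5, min_count=10):
    """Return (hour, count, distinct_hosts, baseline) for every hour whose wmic.exe
    launches exceed both an absolute floor and `factor` times the median of earlier hours."""
    counts, hosts = hourly_buckets(events)
    ordered = sorted(counts)
    alerts = []
    for i, hour in enumerate(ordered):
        prior = [counts[h] for h in ordered[:i]]
        # Hours with zero launches never enter `counts`, so this median errs high
        # and the detector stays conservative rather than firing on quiet periods.
        baseline = median(prior) if prior else 0
        if counts[hour] >= min_count and counts[hour] > factor * baseline:
            alerts.append((hour.isoformat(), counts[hour], len(hosts[hour]), baseline))
    return alerts


if __name__ == "__main__":
    for hour, count, n_hosts, baseline in wmic_spikes(SAMPLE_EVENTS):
        print(f"{hour}: {count} wmic.exe launches on {n_hosts} hosts (baseline {baseline}/h)")
```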