Slashdot security articles


Trump Says He Fired National Security Advisor John Bolton -- But Bolton Says He 'Offered To Resign'

Tue, 09/10/2019 - 08:40
President Donald Trump said Tuesday he fired national security advisor John Bolton, saying on Twitter he had "disagreed strongly with many of his suggestions." From a report: But minutes later, Bolton in his own tweet said that he "offered to resign" Monday night -- and that Trump told him, "Let's talk about it tomorrow." Either way, Bolton's departure shocked Washington, D.C., and crude oil futures fell. Bolton, who was named national security advisor in March 2018, is a harsh critic of Iran, and has advocated military strikes against that oil-rich nation. "I informed John Bolton last night that his services are no longer needed at the White House. I disagreed strongly with many of his suggestions, as did others in the Administration, and therefore I asked John for his resignation, which was given to me this morning," Trump said in a tweet. "I thank John very much for his service. I will be naming a new National Security Advisor next week." Earlier this month, Bolton had accused China of stealing US technology to make a stealth fighter. On a visit to Ukraine last month, Bolton said an unnamed fifth-generation aircraft "looks a lot like the F-35, that's because it is the F-35. They just stole it."

We Need To Prepare for the Future of War, NSA Official Says

Tue, 09/10/2019 - 08:10
Glenn S. Gerstell, the general counsel of the National Security Agency, writing at The New York Times: The threats of cyberattack and hypersonic missiles are two examples of easily foreseeable challenges to our national security posed by rapidly developing technology. It is by no means certain that we will be able to cope with those two threats, let alone the even more complicated and unknown challenges presented by the general onrush of technology -- the digital revolution or so-called Fourth Industrial Revolution -- that will be our future for the next few decades. The digital revolution has urgent and profound implications for our federal national security agencies. It is almost impossible to overstate the challenges. If anything, we run the risk of thinking too conventionally about the future. The short period of time our nation has to prepare for the effects of this revolution is already upon us, and it could not come at a more perilous and complicated time for the National Security Agency, Central Intelligence Agency, National Geospatial-Intelligence Agency, Defense Intelligence Agency, Federal Bureau of Investigation and the other components of the intelligence community. Gearing up to deal with those new adversaries, which do not necessarily present merely conventional military threats, is itself a daunting challenge and one that must be undertaken immediately and for at least the next decade or two. But that is precisely when we must put in place a new foundation for dealing with the even more profound and enduring implications of the digital revolution. That revolution will sweep through all aspects of our society so powerfully that our only chance of effectively grappling with its consequences will lie in taking bold steps in the relatively near term. In short, our attention must turn to a far more complex set of threats of multiple dimensions enabled by the digital revolution. 
While the potential consequences are less catastrophic than nuclear war, they are nonetheless deeply threatening in a range of ways we will have trouble countering.

Loophole That Lets People Share Your Private Instagram Pics and Stories Isn't a 'Hack' -- but Still, Heads Up

Tue, 09/10/2019 - 06:50
An anonymous reader shares a report: Here's another reminder to be wary of what you share online: BuzzFeed News noticed on Monday that the way Instagram and its owner Facebook serve up media content allows anyone who has access to a private photo or video to root around in the HTML code and copy-paste a direct link to it. BuzzFeed wrote: "The hack -- which works on Instagram stories as well -- requires only a rudimentary understanding of HTML and a browser. It can be done in a handful of clicks. A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL. This public URL can then be shared with people who are not logged in to Instagram or do not follow that private user. According to tests performed by BuzzFeed's Tech + News Working Group, JPEGs and MP4s from private feeds and stories can be viewed, downloaded, and shared publicly this way. ... Because all of this data is being hosted by Facebook's own content delivery network, the work-around also applies to private Facebook content." Here's an example of such a link to a private Instagram image, per the Verge: BuzzFeed is calling this a "hack," but what's really happening is Internet 101. When an authorized user loads a piece of content on Instagram in a browser, it's trivial to look in the HTML and find a direct URL to where the image or video is sitting on a server. This is not exactly uncommon for the content delivery networks (CDNs) that serve as the backbones of big websites; the simplest and least computationally expensive method of restricting unauthorized users from accessing the image or video in question is to make its URL very, very long.
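The "very, very long URL" approach described above is a capability URL: whoever holds the string can fetch the object, forever, which is exactly why a copied link keeps working for people outside the private account. The added example below (it is not code from the BuzzFeed or Verge reports, and the hostname `cdn.example.invalid`, the function names and the signing key are all constructed for illustration) contrasts that design with the usual CDN mitigation, a URL carrying an HMAC signature over the media id and an expiry time, so that a leaked link stops working after a short window and cannot be retargeted at another object.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server-side key. In a real deployment this lives in the CDN's
# edge configuration; it is never exposed in the HTML served to the browser.
SIGNING_KEY = secrets.token_bytes(32)

CDN_HOST = "https://cdn.example.invalid"  # hypothetical host


def obscure_url(media_id: str) -> str:
    """The weak design: an unguessable path is the only access control.
    Anyone who copies it out of the page can share it indefinitely."""
    token = secrets.token_urlsafe(48)
    return f"{CDN_HOST}/media/{media_id}/{token}.jpg"


def sign_url(media_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """The hardened design: sign (media_id, expiry) with a server-held key."""
    now = time.time() if now is None else now
    expires = int(now) + ttl_seconds
    msg = f"{media_id}|{expires}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{CDN_HOST}/media/{media_id}.jpg?{urlencode({'exp': expires, 'sig': sig})}"


def verify_url(url: str, now: Optional[float] = None) -> bool:
    """Edge-side check: reject unsigned, expired, or tampered URLs."""
    now = time.time() if now is None else now
    parsed = urlparse(url)
    prefix, suffix = "/media/", ".jpg"
    if not (parsed.path.startswith(prefix) and parsed.path.endswith(suffix)):
        return False
    media_id = parsed.path[len(prefix):-len(suffix)]
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False  # no signature at all, e.g. a bare capability URL
    if now >= expires:
        return False  # a leaked link dies after its TTL
    expected = hmac.new(SIGNING_KEY, f"{media_id}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time compare so the check itself does not leak the signature.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    t0 = 1_000.0
    leaked = obscure_url("1234")
    signed = sign_url("1234", ttl_seconds=300, now=t0)
    print("capability URL accepted by signed-URL check:", verify_url(leaked, now=t0))
    print("signed URL valid within TTL:", verify_url(signed, now=t0 + 100))
    print("signed URL valid after TTL: ", verify_url(signed, now=t0 + 400))
```

The signature binds the media id, so swapping the path to another object invalidates the link, and the expiry bounds how long a copied URL remains useful. What this does not do is tie the link to a particular viewer; that needs a per-request check at the edge (a session cookie or token), which is the more expensive option the story alludes to.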

Thousands of Servers Infected With New Lilocked (Lilu) Ransomware

Mon, 09/09/2019 - 17:30
Longtime Slashdot reader Merovech shares a report from ZDNet: Thousands of web servers have been infected and had their files encrypted by a new strain of ransomware named Lilocked (or Lilu). Infections have been happening since mid-July, and have intensified in the past two weeks, ZDNet has learned. Based on current evidence, the Lilocked ransomware appears to target Linux-based systems only. The way the Lilocked gang breaches servers and encrypts their content is currently unknown. A thread on a Russian-speaking forum puts forward the theory that crooks might be targeting systems running outdated Exim (email) software. It also mentions that the ransomware managed to get root access to servers by unknown means. Lilocked doesn't encrypt system files, but only a small subset of file extensions, such as HTML, SHTML, JS, CSS, PHP, INI, and various image file formats. This means infected servers continue to run normally. According to French security researcher Benkow, Lilocked has encrypted more than 6,700 servers, many of which have been indexed and cached in Google search results. However, the number of victims is suspected to be much, much higher. Not all Linux systems run web servers, and there are many other infected systems that haven't been indexed in Google search results. Why it should scare you:
- affects Linux servers
- so far the vector of infection / vulnerability is unknown
- you can craft a Google search to watch it spread!

Dozens of Google Employees Say They Were Retaliated Against For Reporting Harassment

Mon, 09/09/2019 - 08:50
An anonymous reader shares a report: Last November, Google made a promise to do better. More than 20,000 employees around the world had walked out of the company's offices to protest that Google had paid out over $100 million to multiple executives accused of sexual harassment in the workplace. In response, the tech giant apologized and said it would overhaul its sexual misconduct policies and that it would be more supportive of workers who raise concerns about problems at work. But almost a year after the historic walkout, a dozen current and former Google employees told Recode that many employees are still justifiably afraid to report workplace issues because they fear retaliation. They say the company continues to conceal rather than confront issues ranging from sexual harassment to security concerns, especially when the problems involve high-ranking managers or high-stakes projects. And in a previously unreported internal document obtained by Recode, dozens more employees say that when they filed complaints with Google's human resources department, they were retaliated against by being demoted, pushed out, or placed on less desirable projects. A spokesperson for Google said the company is aware of the document but declined to comment on it or any specific cases of alleged retaliation. In a statement to Recode, Google Vice President of People Operations Eileen Naughton defended how the company handles misconduct claims.

On Apple's Response To Google's Project Zero

Mon, 09/09/2019 - 07:25
Last week, Apple published a statement in which it disputed Google's Project Zero team's findings about the worst iOS attack in history. Alex Stamos, adjunct professor at Stanford University's Center for International Security and Cooperation and former CSO at Facebook, writes on Twitter: Apple's response to the worst known iOS attack in history should be graded somewhere between "disappointing" and "disgusting". First off, disputing Google's correct use of "indiscriminate" when describing a watering hole attack smacks of "it's ok, it didn't hit white people." The use of multiple exploits against an oppressed minority in an authoritarian state makes the likely outcomes *worse* than the Huffington Post example a former Apple engineer posited. It is possible that this data contributed to real people being "reeducated" or even executed. Even if we accept Apple's framing that exploiting Uyghurs isn't as big a deal as Google makes it out to be, they have no idea whether these exploits were used by the PRC in more targeted situations. Dismissing such a possibility out of hand is extremely risky. Second, the word "China" is conspicuously absent, once again demonstrating the value the PRC gets from their leverage over the world's most valuable public company. To be fair, Google's post also didn't mention China. Their employees likely leaked attribution on background. Third, the pivot to Apple's arrogant marketing is not only tone-deaf but really rings hollow to the security community when Google did all the heavy lifting here. I'm guessing we won't hear Tim talk about how they are going to do better on stage next week. Dear Apple employees: I have worked for companies that took too long to publicly address their responsibilities. This is not a path you want to take. Apple does some incredible security work, but this kind of legal/comms driven response can undermine that work. Demand better. 
Michael Tsai raises further questions about the way Apple framed its statement: "A blog," rather than "a blog post"? I love how Apple is subtly trying to discredit Project Zero by implying that it's a mere blog. And let's be sure everyone knows it's affiliated with Google, the privacy bad guys, even though it's a responsible, technically focused group. Apple says: "First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones 'en masse' as described." Project Zero literally referred to "a small collection of hacked websites" that "receive thousands of visitors per week." And it does seem like a particular subpopulation was targeted "en masse." The sites in question were on the public Internet; it wasn't links being sent to target particular individuals. Apple is blaming the messenger for things it didn't even say. Apple adds: "The attack affected fewer than a dozen websites that focus on content related to the Uighur community." Oh, I get it. Most people would consider "fewer than a dozen" to be "a small collection." But in Apple-speak, there were "a small number" of corrupt App Store binaries causing crashes, and "a small number" of MacBook Pro users experiencing butterfly keyboard problems, not to be confused with the "very small number" of iPhones that unexpectedly shut down. So, yeah, I can see why Apple wants people to know that this "small collection" doesn't mean "millions." Although there are apparently 10 million Uigurs in China. Apple adds: "Google's post, issued six months after iOS patches were released[...]" It's great that Project Zero reported this in a responsible way, because now we can downplay it as old news.

Chrome OS Bug Started Mistakenly Sending 'Final Update' Notifications

Sun, 09/08/2019 - 19:42
An anonymous reader quotes 9to5Google: Like it or not, Chromebooks do have something of an expiration date when you purchase them, namely that one day they'll stop receiving updates. Thankfully, that date is typically over five years after the Chromebook's original release. For some, however, Chrome OS has been wrongly indicating this week that their Chromebook has received its "final update" many years too early. Just like the Chrome browser on desktop and Android, Chrome OS has four different update "channels" -- Stable, Beta, Dev, and Canary. Each one of these after Stable trades a level of stability for more rapid updates, with Canary receiving highly unstable updates almost every day. People who are bold enough to put their Chromebook on Dev or Canary have been facing an interesting new issue for the past few days. Upon restarting their device, Chrome OS immediately displays a notification warning that "this is the last automatic software and security update for this Chromebook." Of course, if you're seeing this message this week, there's a decent chance that this is not actually the case. Instead, these final update warnings are caused by a bug in the most recent versions of Chrome OS.

Purism Finally Starts Shipping Its Privacy-Focused 'Librem 5' Smartphone

Sun, 09/08/2019 - 14:34
"It's here! Purism announces shipment of the Librem 5," writes long-time Slashdot reader Ocean Consulting: Librem 5 is a landmark mobile device with a dedicated platform, runs PureOS Linux, and is the first mobile phone to seek hardware certification from the Free Software Foundation. Initially a crowdsourced funding campaign, the phone embraces principles of free software and user privacy. IP-native communication is supported via Matrix. Privacy features include hardware kill switches for camera, microphone, cellular, Wi-Fi, Bluetooth and GPS. "The Librem 5 phone is built from the ground up to respect the privacy, security, and freedoms of society," reads the site's official announcement. "It is a revolutionary approach to solving the issues that people face today around data exploitation -- putting people in control of their own digital lives." They're adopting an "iterative" shipping schedule -- publishing a detailed schedule defining specific batches and their features with corresponding shipping dates. "Each iteration improves upon the prior in a rapid rolling release throughout the entire first version of the phone... As slots in a particular early batch free up, we will open it up for others in a later batch to join in, according to the date of the order."

Spring Cyberattack on US Power Grid 'Probably Just Some Script Kiddie'

Sun, 09/08/2019 - 13:34
The electric utility non-profit NERC has posted a "Lessons Learned" document detailing a March 5th incident that Environment & Energy News calls "a first-of-its-kind cyberattack on the U.S. grid". While it didn't cause any blackouts -- it was at a "low-impact" control center -- NERC is now warning power utilities to "have as few internet facing devices as possible" and to use more than just a firewall for defense. puddingebola shared this report from Environment & Energy News: The cyberthreat appears to have been simpler and far less dangerous than the hacks in Ukraine. The March 5 attack hit web portals for firewalls in use at the undisclosed utility. The hacker or hackers may not have even realized that the online interface was linked to parts of the power grid in California, Utah and Wyoming. "So far, I don't see any evidence that this was really targeted," said Reid Wightman, senior vulnerability analyst at industrial cybersecurity firm Dragos Inc. "This was probably just an automated bot that was scanning the internet for vulnerable devices, or some script kiddie," he said, using a term for an unskilled hacker... In the March episode, a flaw in the victim utility's firewalls allowed "an unauthenticated attacker" to reboot them over and over again, effectively breaking them. The firewalls served as traffic cops for data flowing between generation sites and the utility's control center, so operators lost contact with those parts of the grid each time the devices winked off and on. The glitches persisted for about 10 hours, according to NERC, and the fact that there were issues at multiple sites "raised suspicion." After an initial investigation, the utility decided to ask its firewall manufacturer to review what happened, according to NERC, which led to the discovery of "an external entity" -- a hacker or hackers -- interfering with the devices. NERC stressed that "there was no impact to generation...." 
Wightman said the "biggest problem" was the fact that hackers were able to successfully take advantage of a known flaw in the firewall's interface. "The advisory even goes on to say that there were public exploits available for the particular bug involved," he said. "Why didn't somebody say, 'Hey, we have these firewalls and they're exposed to the internet -- we should be patching?'" Large power utilities are required to check for and apply fixes to sensitive grid software that could offer an entry point for hackers.

One of America's Biggest Markets for AI-Powered Security Cameras: Schools

Sun, 09/08/2019 - 09:34
New video analytics systems can "identify people, suspicious behavior and guns" in real time, and the technology is being used by Fortune 500 companies, stadiums, retailers, and police departments, reports the Los Angeles Times. But schools are "among the most enthusiastic adopters," they note, citing an interview with Paul Hildreth, the "emergency operations coordinator" at an Atlanta school district: A year after an expelled student killed 17 people at Marjory Stoneman Douglas High School in Parkland, Florida, Broward County installed cameras from Avigilon of Canada throughout the district in February. Hildreth's Atlanta district will spend $16.5 million to put the cameras in its roughly 100 buildings in coming years. In Greeley, Colo., the school district has used Avigilon cameras for about five years, and the technology has advanced rapidly, said John Tait, security manager for Weld County School District 6... Schools are the largest market for video surveillance systems in the U.S., estimated at $450 million in 2018, according to IHS Markit, a London data and information services company. The overall market for real-time video analytics was estimated at $3.2 billion worldwide in 2018 -- and it's expected to grow to $9 billion by 2023, according to one estimate... Shannon Flounnory, executive director for safety and security for Fulton County Schools, said no privacy concerns have been heard there. "The events of Parkland kind of changed the game," he said. "We have not had any arguments or any pushback right now...." One company, Athena Security, has cameras that spot when someone has a weapon. And in a bid to help retailers, it recently expanded its capabilities to help identify big spenders when they visit a store... Both ZeroEyes and Athena Security in Austin, Texas, say their systems can detect weapons with more than 90% accuracy, but acknowledge their products haven't been tested in a real-life scenario.
And both systems are unable to detect weapons if they're covered -- a limitation the companies say they are working to overcome.

Firefox Will Soon Encrypt DNS Requests By Default

Sun, 09/08/2019 - 05:34
This month Firefox will make encrypted DNS over HTTPS (DoH) the default for the U.S., with a gradual roll-out starting in late September, reports Engadget: Your online habits should be that much more private and secure, with fewer chances for DNS hijacking and activity monitoring. Not every request will use HTTPS. Mozilla is relying on a "fallback" method that will revert to your operating system's default DNS if there's either a specific need for it (such as some parental controls and enterprise configurations) or an outright lookup failure. This should respect the choices of users and IT managers who need the feature turned off, Mozilla said. The team is watching out for potential abuses, though, and will "revisit" its approach if attackers use a canary domain to disable the technology. Users will be given the option to opt out, explains Mozilla's official announcement. "After many experiments, we've demonstrated that we have a reliable service whose performance is good, that we can detect and mitigate key deployment problems, and that most of our users will benefit from the greater protections of encrypted DNS traffic." "We feel confident that enabling DNS-over-HTTPS by default is the right next step."

Two College Students Nearly Grabbed Donald Trump's Tax Returns Online

Sat, 09/07/2019 - 14:34
"This was a Wayne's World scene gone awry..." says an attorney for 23-year-old Andrew Harris. "They were Wayne and Garth in a blue Pacer with a dumb idea and a mixed run of luck," he told the Philadelphia Inquirer: Harris previously had filed an application for federal student aid, and noticed that the government form would redirect to the IRS and import his own tax returns automatically. Harris and his fellow classmate Justin Hiemstra wondered: What would happen if they posed as one of Trump's offspring? Could they use an application for aid to land the returns and scoop the nation's biggest newspapers? Tiffany Trump had graduated in May 2016 from the University of Pennsylvania and had announced she was going to graduate school at Georgetown University. It could work. Six days before the 2016 election, Harris and Hiemstra went to Haverford College's computer lab and logged in using another student's credentials. They accessed a Free Application for Student Aid (FAFSA). When they attempted to register under the name of Trump's child, they were stunned to discover an application under that name already existed. Using Google, they successfully guessed most of the answers to a series of challenge questions to reset the password. Stymied four times on one of the security questions, they gave up. What they didn't realize was that the Department of Education was monitoring all traffic on the FAFSA site. The failed attempt sent up a red flag. The IRS dispatched federal investigators to Haverford shortly after. Last month Pulitzer Prize-winning tax journalist David Cay Johnston told the paper "It's surprising they didn't catch them until four tries." They also reported that while Harris was expelled from the college, 22-year-old Hiemstra was allowed to graduate, and both men have pleaded guilty to accessing a computer without authorization and attempting to access a computer without authorization to obtain government information. 
When sentenced in December, they'll face a maximum of two years in prison, two years of supervised release, and a $200,000 fine.

Google Expands Bug Bounty Programme To All Apps With Over 100M Installs

Sat, 09/07/2019 - 13:34
Long-time Slashdot reader AmiMoJo quotes VentureBeat: Google, which has already paid security researchers over $15 million since launching its bug bounty program in 2010, today increased the scope of its Google Play Security Reward Program (GPSRP). Security researchers will now be rewarded for finding bugs across all apps in Google Play with 100 million or more installs. At the same time, the company launched the Developer Data Protection Reward Program (DDPRP) in collaboration with [bug bounty platform] HackerOne. That program is for data abuses in Android apps, OAuth projects, and Chrome extensions.... Google also uses this vulnerability data to create automated checks that scan all Google Play apps for similar vulnerabilities. Affected app developers are notified via the Play Console. The App Security Improvement (ASI) program provides them with information on the vulnerability and how to fix it. In February, Google revealed that ASI has helped over 300,000 developers fix over 1,000,000 apps on Google Play. The article also notes that Android apps and Chrome extensions found to be abusing data "will be removed from Google Play and the Chrome Web Store."

Hong Kong Protesters Using Mesh Messaging App China Can't Block: Usage Up 3685%

Sat, 09/07/2019 - 12:34
An anonymous reader quotes Forbes: How do you communicate when the government censors the internet? With a peer-to-peer mesh broadcasting network that doesn't use the internet. That's exactly what Hong Kong pro-democracy protesters are doing now, thanks to San Francisco startup Bridgefy's Bluetooth-based messaging app. The protesters can communicate with each other -- and the public -- using no persistent managed network... While you can chat privately with contacts, you can also broadcast to anyone within range, even if they are not a contact. That's clearly an ideal scenario for protesters who are trying to reach people but cannot use traditional SMS texting, email, or the undisputed uber-app of China: WeChat. All of them are monitored by the state. On Wednesday, another article in Forbes confirmed with Bridgefy that their app uses end-to-end RSA encryption -- though an associate professor at the Johns Hopkins Information Security Institute warns in the same article about the possibility of the Chinese government demanding that telecom providers hand over a list of all users running the app and where they're located. Forbes also notes that "police could sign up to Bridgefy and, at the very least, cause confusion by flooding the network with fake broadcasts" -- or even use the app to spread privacy-compromising malware. "But if they're willing to accept the risk, Bridgefy could remain a useful tool for communicating and organizing in extreme situations."

South Africa, UK Acknowledge Mass Surveillance By Tapping Undersea Internet Cables

Sat, 09/07/2019 - 11:34
The South African government has been conducting mass surveillance on all communications in the country, reports Reclaim the Net, citing a report from Privacy International as well as recently-revealed affidavits and other documents from former State Security Agency (SSA) director-general Arthur Fraser: Interestingly, the mass surveillance has been happening since 2008... The surveillance was supposedly designed to cover information about organized crime and acts of terrorism. It even involves surveillance on food security, water security, and even illegal financial flows. The report also revealed that the South African government has done bulk interception of Internet traffic by way of tapping into fiber-optic cables under the sea. What is not clear, though, is whether the surveillance covers all Internet traffic or is limited to only some of the fiber cables. The SSA said that the automated collection of data was specifically geared for foreign communications that pose threats to state security only. However, even the SSA admits that it will require human intervention to determine whether any communications that pass through the fiber cables are foreign or not. Hence, it would be difficult to distinguish between foreign and local communications. The iAfrikan site interviewed a digital rights researcher at South Africa's amaBhungane Centre for Investigative Journalism, whose legal filings helped bring this information to light. "We had details of the state's mass surveillance activities at least as early as 2006...." he tells the site, adding later that "The government has been quite upfront that it's collecting data from a vast number of people who are not suspected of any wrongdoing... Essentially, the State Security Agency is collecting as much haystack as it can, just in case it needs to look for a needle." Privacy International reports that the U.K. government has also recently acknowledged their "bulk interception of internet traffic by tapping undersea fibre optic cables." The site describes the work of the two countries as "some of the most pervasive surveillance programmes in human history."

COBOL Turns 60. Why It Will Outlive Us All

Sat, 09/07/2019 - 10:34
ZDNet remembers when the only programming languages "were machine and assembler," until Burroughs Corporation programmer Mary Hawes proposed a vendor-neutral language with an English-like vocabulary. (Grace Hopper suggested they approach the Department of Defense, leading to a summit of 41 computer users and manufacturers at the Pentagon in 1959.) But ZDNet argues that 60 years later, COBOL isn't done yet. In 2016, the Government Accountability Office reported the Department of Homeland Security, Department of Veterans Affairs, and the Social Security Administration, to name just three, were still using COBOL. According to a COBOL consulting company, which goes by the delightful name COBOL Cowboys, 200 billion lines of COBOL code are still in use today and 90% of Fortune 500 companies still have COBOL code keeping the lights on. And, if you've received cash out of an ATM recently, it's almost certain COBOL was running behind the scenes. ZDNet explains that the largest number of businesses using COBOL are financial institutions, which, according to Micro Focus, includes "banking, insurance and wealth management/equities trading. Second is government services (federal, provincial, local)." Micro Focus is the company that now maintains COBOL, and their global director of marketing and "application modernization" tells ZDNet that "the number of organizations running COBOL systems today is in the tens of thousands. It is impossible to estimate the tens of millions of end users who interface with COBOL-based applications on a daily basis, but the language's reliance is clearly seen with its use in 70 percent of global transaction processing systems. Any time you phone a call center, any time you transfer money, or check your account, or pay a mortgage, or renew or get an insurance quote, or when contacting a government department, or shipping a parcel, or ordering some flowers, or buying something online at a whole range of retailers, or booking a vacation, or a flight, or trading stocks, or even checking your favorite baseball team's seasonal statistics, you are interacting with COBOL." ZDNet notes that some people are even moving their COBOL applications into the cloud, concluding "At this rate, COBOL programs will outlive us all."

Parts of Wikipedia Went Offline After 'Malicious' DDoS Attack

Sat, 09/07/2019 - 06:34
An anonymous reader quotes the website of Ireland's national public service broadcaster: Popular online reference website Wikipedia went down in several countries after the website was targeted by what it described as a "malicious attack". The server of the Wikimedia Foundation, which hosts the site, suffered a "massive" Distributed Denial of Service (DDoS) attack, the organisation's German account said in a tweet last night. In a separate statement the Wikimedia Foundation said that the attack on the encyclopedia - one of the world's most popular websites - was "ongoing" and teams were working to restore access... Wikimedia condemned the breach of its server, saying it threatened "everyone's fundamental rights to freely access and share information."

Police Shut Down 3,000-Person Game of Hide-and-Seek At IKEA

Fri, 09/06/2019 - 23:00
An IKEA hide-and-seek game with 3,000 people was scheduled to take place in Glasgow, Scotland on Saturday, August 31, but police managed to put a stop to it before it even got started. From a report: IKEA is the one-stop shop for everything home-related and, apparently, also the ideal place for a 3,000-person hide-and-seek game. After all, the average store is about 300,000 square feet, while the world's largest IKEA is 700,000 square feet, and honestly, it's easy to imagine endless hiding spots. But unfortunately for one Facebook group, their planned trip to an IKEA in Glasgow, Scotland was cancelled after word got out about their Saturday event. Five police officers were called to the Braehead branch and remained at the store until the evening. "People are stopping everyone who 'looks like they are here for a game of hide and seek,'" one person wrote on Facebook after stopping by the store, The Scotsman reported. The IKEA itself also had its own security personnel, and no incidents were reported. The report says that IKEA management initially allowed hide-and-seek events -- a trend that began in Belgium in 2014 -- but were eventually forced to ban the events after they began getting out of hand. "The safety of our customers and co-workers is always our highest priority," said Rob Cooper, IKEA Glasgow Store Manager, in a statement. "We were aware of an unofficial Hide and Seek Facebook event being organized to take place at our store today and have been working with the local police for support. While we appreciate playing games in one of our stores may be appealing to some, we do not allow this kind of activity to take place to ensure we are offering a safe environment and relaxed shopping experience for our customers."

Exploit For Wormable BlueKeep Windows Bug Released Into the Wild

Fri, 09/06/2019 - 14:50
An anonymous reader quotes a report from Ars Technica: For months, security practitioners have worried about the public release of attack code exploiting BlueKeep, the critical vulnerability in older versions of Microsoft Windows that's "wormable," meaning it can spread from computer to computer the way the WannaCry worm did two years ago. On Friday, that dreaded day arrived when the Metasploit framework -- an open source tool used by white hat and black hat hackers alike -- released just such an exploit into the wild. The module, which was published as a work in progress on GitHub, doesn't yet have the polish and reliability of the EternalBlue exploit that was developed by the NSA and later used in WannaCry. For instance, if the people using the new module specify the wrong version of Windows they want to attack, they'll likely wind up with a blue-screen crash. Getting the exploit to work on server machines also requires a change to default settings in the form of a registry modification that turns on audio sharing. The latest flaw, which is indexed as CVE-2019-0708 but is better known by the name BlueKeep, resides in earlier versions of the Remote Desktop Services, which help provide a graphical interface for connecting to Windows computers over the Internet. It affects Windows 2003 and XP, Vista, 7, Server 2008 R2, and Server 2008. When Microsoft patched the vulnerability in May, it warned that computers that failed to install the fix could suffer a similar fate if reliable attack code ever became available. The reason: like the flaw that EternalBlue exploited, BlueKeep allows for self-replicating attacks. Like a falling line of dominoes, a single exploit could spread from vulnerable machine to vulnerable machine with no interaction required of end users. 
"The release of this exploit is a big deal because it will put a reliable exploit in the hands of both security professionals and malicious actors," Ryan Hanson, principal research consultant at Atredis Partners and a developer who helped work on the release, told Ars. "I'm hoping the exploit will be primarily used by offensive teams to demonstrate the importance of security patches, but we will likely see criminal groups modifying it to deliver ransomware as well."
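The practical question for defenders reading the item above is which hosts are still exposed: in the affected Windows family, with Remote Desktop reachable, and without the May 2019 fix. The script below is an added triage example, not code from the Ars Technica report or from the Metasploit module. It reads only the local OS version, the Terminal Server registry keys and the installed-update list, and never touches the vulnerable RDP code path. It assumes the operator supplies the KB number(s) that Microsoft's May 2019 advisory lists for the host's SKU via `-PatchKb`, and that it runs with local administrator rights.

```powershell
# Added BlueKeep (CVE-2019-0708) exposure triage for the local host.
# Assumption: -PatchKb is the KB ID (or IDs) from Microsoft's May 2019 advisory
# for this host's SKU; the script does not hard-code them.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$PatchKb
)

# Get-WmiObject rather than Get-CimInstance so this also runs on PowerShell 2.0,
# which is what the at-risk Windows 7 / Server 2008 R2 era hosts typically have.
$os      = Get-WmiObject Win32_OperatingSystem
$version = [version]$os.Version

# Affected per the report: XP, Server 2003, Vista, 7, Server 2008, Server 2008 R2.
# Those are NT kernel versions 5.1 through 6.1; 6.2 (Windows 8 / Server 2012)
# and later do not carry the flaw.
$affectedFamily = ($version -ge [version]'5.1') -and ($version -lt [version]'6.2')

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means Remote Desktop connections are accepted.
$ts         = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
$rdpEnabled = ($ts -ne $null) -and ($ts.fDenyTSConnections -eq 0)

# Network Level Authentication requires a successful logon before the
# pre-authentication code path is reachable, so it blunts unauthenticated
# exploitation. It is a mitigation, not a substitute for the patch.
$rdp        = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue
$nlaEnabled = ($rdp -ne $null) -and ($rdp.UserAuthentication -eq 1)

# Installed if any of the supplied KB IDs appears in the hotfix list.
$installed = Get-HotFix | Where-Object { $PatchKb -contains $_.HotFixID }
$patched   = @($installed).Count -gt 0

New-Object PSObject -Property @{
    Host           = $env:COMPUTERNAME
    OSVersion      = $os.Version
    AffectedFamily = $affectedFamily
    RDPEnabled     = $rdpEnabled
    NLAEnabled     = $nlaEnabled
    Patched        = $patched
    # Exposed = in the affected family, accepting RDP, and unpatched.
    Exposed        = ($affectedFamily -and $rdpEnabled -and (-not $patched))
}
```

Run it as `.\Test-BlueKeep.ps1 -PatchKb <KB from the advisory>` on each candidate host, or push it through your existing remote-execution tooling and collect the objects. Treat `Exposed = True` as a patch-now item regardless of the NLA value; `NLAEnabled = False` on an exposed host is the combination the worm scenario in the report actually needs.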

US To Collect Social Media Profiles From Immigrants, Asylum Seekers, and Refugees

Fri, 09/06/2019 - 11:30
The Department of Homeland Security plans to expand its social media profile collection program from US visa applicants to also include data from immigrants, asylum seekers, and refugees. From a report: The DHS published a notice on the federal registry describing its future data collection practice this week. The agency plans to ask immigrants, asylum seekers, and refugees to provide usernames -- without passwords -- for 19 social networking sites: (Q&A site), Douban (China-based social network), Facebook, Flickr, Instagram, LinkedIn, MySpace, Pinterest, QZone (QQ) (China-based social network, IM app), Reddit, Sina Weibo (China-based microblogging service), Tencent Weibo (China-based microblogging service), Tumblr, Twitter, Twoo (Belgium-based social network), Vine, VKontakte (VK), Youke (China-based video sharing portal), YouTube. These are the same social media profiles that the DHS had been collecting through the Customs and Border Protection (CBP) agency from US visa applications -- people who applied for entry in the US from a country where a visa card is required.