Slashdot security articles


Over 13K iSCSI Storage Clusters Left Exposed Online Without a Password

Mon, 04/01/2019 - 12:05
Over 13,000 iSCSI storage clusters are currently accessible via the internet after their respective owners forgot to enable authentication. From a report: This misconfiguration has the risk of causing serious harm to devices' owners, as cyber-criminal groups could access these internet-accessible hard drives (storage disk arrays and NAS devices) to replace legitimate files with malware, insert backdoors inside backups, or steal company information stored on the unprotected devices. [...] Over the weekend, penetration tester A Shadow tipped ZDNet about this hugely dangerous misconfiguration issue. The researcher found over 13,500 iSCSI clusters on Shodan, a search engine that indexes internet-connected devices. In an online conversation with ZDNet, the researcher described this iSCSI exposure as a "dangerous backdoor" that can allow cyber-criminals to plant ransomware-infected files on companies' networks, steal company data, or place backdoors inside backup archives that may get activated when a company restores one of these booby-trapped files.

Tenants Outraged Over New York Landlord's Plan To Install Facial Recognition Technology

Sun, 03/31/2019 - 14:04
A Brooklyn landlord plans to install facial recognition technology at the entrance of a 700-unit building, according to Gothamist, "raising alarm among tenants and housing rights attorneys about what they say is a far-reaching and egregious form of digital surveillance." [Last] Sunday, several tenants told Gothamist that, unbeknownst to them, their landlord, Nelson Management, had sought state approval in July 2018 to install a facial recognition system known as StoneLock. Under state rules, landlords of rent-regulated apartments built before 1974 must seek permission from the state's Homes and Community Renewal (HCR) for any "modification in service." Tenants at the two buildings, located at 249 Thomas S. Boyland Street and 216 Rockaway Avenue, said they began receiving notices about the system in the fall. According to its website, Kansas-based company StoneLock offers a "frictionless" entry system that collects biometric data based on facial features. "We don't want to be tracked," said Icemae Downes, a longtime tenant. "We are not animals. This is like tagging us through our faces because they can't implant us with a chip." It is not clear how many New York City apartments are using facial scanning software or how such technology is being regulated. But in a sign of the times, the city's Department of Housing Preservation and Development last June began marketing 107 affordable units at a new apartment complex in the South Bronx. Among the amenities listed was "State of the Art Facial Recognition Building Access...." Across the real estate industry, New York City landlords have increasingly been moving to keyless entry systems, citing convenience as well as a desire to offer enhanced security. Over the years, in response to appeals filed by tenants, HCR has ruled in favor of key fob and card entry systems, saying that such substitutions did not violate rent-stabilization and rent-control laws. 
But the latest technology has triggered even more concerns about the ethics of data collection.... Last month, the management company reached out to a group of tenants to assuage their concerns about StoneLock. But tenants said the presentation, if anything, only deepened their fears that they were being asked to submit to a technology that had very little research behind it. "This was not something we asked for at any given time," one tenant complained, while one of the attorneys representing the tenants said that, among other things, their landlord had "made no assurances to protect the data from being accessed by NYPD, ICE, or any other city, state, or federal agency." "Citing concerns over the potential for privacy and civil liberties violations, tenants at Brownsville's Atlantic Plaza Towers filed an objection to the plan in January..."

Devuan.org Now Points To 'Pwned' Page With Gopher URLs

Sun, 03/31/2019 - 13:04
"DEVUAN.ORG HAS BEEN PWNED" reads a new message at the home page for Devuan (a fork of Debian without systemd) -- which redirects to a new page named pwned.html, reports Slashdot reader DevNull127: In all capital letters, its carefully-indented message (complete with an ASCII-art logo) now informs visitors that "the web sucks -- JavaScript sucks -- browsers suck." Posting the URLs to several gopher sites, it adds that "Gopher is the way -- gopher is the future." "Kiss port 80 goodbye. Join the revolution on port 70." The attackers identify themselves as "Green Hat Hackers," a term generally understood to mean ambitious newbie hackers who want to improve their skills. "Stop the madness," continues their message, which appeared just hours before the first day of April. "Get yourself a gopher client."

US Lawmakers Propose Allowing Prisons To Jam Signals From Smuggled Cellphones

Sun, 03/31/2019 - 11:34
An anonymous reader quotes the Associated Press: Federal legislation proposed Thursday would give state prison officials the ability they have long sought to jam the signals of cellphones smuggled to inmates within their walls... The legislation could help provide a solution to a problem prison officials have said represents the top security threat to their institutions. Corrections chiefs across the country have long argued for the ability to jam the signals, saying the phones -- smuggled into their institutions by the thousands, by visitors, errant employees, and even delivered by drone -- are dangerous because inmates use them to carry out crimes and plot violence both inside and outside prison.

In Massive Breach, Ex-NSA Contractor Pleads Guilty to Hoarding Highly Classified Secrets

Sun, 03/31/2019 - 09:34
"A former National Security Agency contractor on Thursday pleaded guilty to stealing secret defense information over two decades in what legal experts have described as the biggest breach of classified information in U.S. history." Long-time Slashdot reader mencik quotes USA Today: In his plea deal in U.S. District Court in Baltimore, Harold Thomas Martin III admitted to removing highly classified digital and hard copy documents, then storing them in his home and car from the late 1990s through 2016. Prosecutors say there is no indication Martin ever shared the stolen secrets. His defense attorneys say he simply hoarded the information... One of his lawyers previously described Martin as a "compulsive hoarder" who took home work documents... Martin, who held multiple security clearances while working at government agencies as a private contractor, said he knew stealing the documents risked the country's security. He pleaded guilty on Thursday to one felony count of willful retention of national defense information. He could be sentenced to nine years in prison. Martin also told a federal judge that he'd been diagnosed with ADHD. "His actions were the product of mental illness," his federal defenders' statement said. "Not treason."

Does India's Anti-Satellite Missile Test Mean The Weaponization of Space?

Sat, 03/30/2019 - 23:34
Reuters reports: India expects space debris from its anti-satellite weapons launch to burn out in less than 45 days, its top defense scientist said on Thursday, seeking to allay global concern about fragments hitting objects. The comments came a day after India said it used an indigenously developed ballistic missile interceptor to destroy one of its own satellites at a height of 300 km (186 miles), in a test aimed at boosting its defenses in space. Critics say such technology, known to be possessed only by the United States, Russia and China, raises the prospect of an arms race in outer space, besides posing a hazard by creating a cloud of fragments that could persist for years. G. Satheesh Reddy, the chief of India's Defence Research and Development Organisation, said a low-altitude military satellite was picked for the test, to reduce the risk of debris left in space. Space.com shared a reaction from a national security affairs professor at Naval War College in Newport, Rhode Island. They argued that India's test "likely represents a feeling by other countries, specifically India in this case, that the weaponization of space is forthcoming, and India doesn't want to be left out of the 'have' category if arms-control agreements are eventually reached."

Saudis Gained Access to Amazon CEO's Phone, Says Bezos' Security Chief

Sat, 03/30/2019 - 20:34
"The security chief for Amazon chief executive Jeff Bezos said on Saturday that the Saudi government had access to Bezos' phone and gained private information from it," Reuters reports. But in addition, the National Enquirer's lawyer "tried to get me to say there was no hacking," writes security specialist Gavin de Becker. I've recently seen things that have surprised even me, such as National Enquirer's parent company, AMI, being in league with a foreign nation that's been actively trying to harm American citizens and companies, including the owner of the Washington Post. You know him as Jeff Bezos; I know him as my client of 22 years... Why did AMI's people work so hard to identify a source, and insist to the New York Times and others that he was their sole source for everything? My best answer is contained in what happened next: AMI threatened to publish embarrassing photos of Jeff Bezos unless certain conditions were met. (These were photos that, for some reason, they had held back and not published in their first story on the Bezos affair, or any subsequent story.) While a brief summary of those terms has been made public before, others that I'm sharing are new -- and they reveal a great deal about what was motivating AMI. An eight-page contract AMI sent for me and Bezos to sign would have required that I make a public statement, composed by them and then widely disseminated, saying that my investigation had concluded they hadn't relied upon "any form of electronic eavesdropping or hacking in their news-gathering process." Note here that I'd never publicly said anything about electronic eavesdropping or hacking -- and they wanted to be sure I couldn't.... An earlier set of their proposed terms included AMI making a statement "affirming that it undertook no electronic eavesdropping in connection with its reporting and has no knowledge of such conduct" -- but now they wanted me to say that for them. 
The contract further held that if Bezos or I were ever in our lives to "state, suggest or allude to" anything contrary to what AMI wanted said about electronic eavesdropping and hacking, then they could publish the embarrassing photos. I'm writing this today because it's exactly what the Enquirer scheme was intended to prevent me from doing. Their contract also contained terms that would have inhibited both me and Bezos from initiating a report to law enforcement. Things didn't work out as they hoped. De Becker instead turned over his investigation's results to U.S. federal officials, then published today's essay warning the National Enquirer and its chairman have "evolved into trying to strong-arm an American citizen whom that country's leadership wanted harmed, compromised, and silenced." He also suggests it's in response to the "relentless" coverage by the Washington Post (which Bezos owns) of the murder of Saudi Arabian journalist and dissident Jamal Khashoggi. "Experts with whom we consulted confirmed New York Times reports on the Saudi capability to 'collect vast amounts of previously inaccessible data from smartphones in the air without leaving a trace -- including phone calls, texts, emails.'"

Phone Carrier Apps Can Help Fight Robocalls -- Sometimes, Even For Free

Sat, 03/30/2019 - 11:34
Friday CNN reported on "what you can do right now to stop robocalls." "Short of throwing your phone in the garbage, there's no way to avoid them altogether. But wireless providers and smartphone developers offer tools to filter out at least some unwanted calls."

- Verizon's Call Filter app is free to download on iPhones and Android devices. The company announced Thursday the app will offer some free features -- including auto-blocking calls from known fraudsters, showing warning banners for suspicious calls, and a spam reporting tool. For $2.99 a month per line, the Call Filter app can use a phonebook feature to look up the names of unknown callers, and it can show a "risk meter" for spam calls.
- AT&T's Call Protect has similar free features and add-ons with a $3.99 per month subscription. (iOS and Android)
- T-Mobile phones come loaded with Scam ID, which warns customers about suspicious phone numbers. It's also free to activate Scam Block, which automatically rejects calls from those numbers. An additional app called Name ID offers premium caller identification for $4 per line monthly. (iOS and Android)
- Sprint's Premium Caller ID, which comes pre-installed, looks up unknown numbers and filters and blocks robocalls for $2.99 per line.
- Google's Pixel phones also give you the option to have your voice assistant answer suspicious calls for you. The phone can transcribe the conversation and lets you decide whether to answer.

Casino Accused of Withholding Bug Bounty, Then Assaulting 'Ethical Hacker'

Sat, 03/30/2019 - 08:34
An anonymous reader quotes Ars Technica: People who find security vulnerabilities commonly run into difficulties when reporting them to the responsible company. But it's less common for such situations to turn into tense trade-show confrontations -- and competing claims of assault and blackmail. Yet that's what happened when executives at Atrient -- a casino technology firm headquartered in West Bloomfield, Michigan -- stopped responding to two UK-based security researchers who had reported some alleged security flaws. The researchers thought they had reached an agreement regarding payment for their work, but nothing final ever materialized. On February 5, 2019, one of the researchers -- Dylan Wheeler, a 23-year-old Australian living in the UK -- stopped by Atrient's booth at a London conference to confront the company's chief operating officer. What happened next is in dispute. Wheeler says that Atrient COO Jessie Gill got in a confrontation with him and yanked off his conference lanyard; Gill insists he did no such thing, and he accused Wheeler of attempted extortion. The debacle culminated in legal threats and a lot of mudslinging, with live play-by-play commentary as it played out on Twitter. Ars Technica calls the story "practically a case study in the problems that can arise with vulnerability research and disclosure," adding "the vast majority of companies have no clear mechanism for outsiders to share information about security gaps." A security research director at Rapid7 joked his first reaction was "man, I wish a vendor would punch me for disclosure. Boy, that beats any bug bounty." But they later warned, "It's on us as an industry not only to train corporate America on how to take disclosure, but also we need to do a little more training for people who find these bugs -- especially today, in an era where bug outings are kind of normal now -- to not expect someone to be necessarily grateful when one shows up."

Tesla Cars Keep More Data Than You Think

Fri, 03/29/2019 - 18:10
Tesla vehicles sent to the junk yard after a crash carry much more data than you'd think. According to CNBC, citing two security researchers, "Computers on Tesla vehicles keep everything that drivers have voluntarily stored on their cars, plus tons of other information generated by the vehicles including video, location and navigational data showing exactly what happened leading up to a crash." From the report: One researcher, who calls himself GreenTheOnly, describes himself as a "white hat hacker" and a Tesla enthusiast who drives a Model X. He has extracted this kind of data from the computers in a salvaged Tesla Model S, Model X and two Model 3 vehicles, while also making tens of thousands of dollars cashing in on Tesla bug bounties in recent years. Many other cars download and store data from users, particularly information from paired cellphones, such as contact information. But the researchers' findings highlight how Tesla is full of contradictions on privacy and cybersecurity. On one hand, Tesla holds car-generated data closely, and has fought customers in court to refrain from giving up vehicle data. Owners must purchase $995 cables and download a software kit from Tesla to get limited information out of their cars via "event data recorders" there, should they need this for legal, insurance or other reasons. At the same time, crashed Teslas that are sent to salvage can yield unencrypted and personally revealing data to anyone who takes possession of the car's computer and knows how to extract it. The contrast raises questions about whether Tesla has clearly defined goals for data security, and who its existing rules are meant to protect. 
A Tesla spokesperson said in a statement to CNBC: "Tesla already offers options that customers can use to protect personal data stored on their car, including a factory reset option for deleting personal data and restoring customized settings to factory defaults, and a Valet Mode for hiding personal data (among other functions) when giving their keys to a valet. That said, we are always committed to finding and improving upon the right balance between technical vehicle needs and the privacy of our customers." The report serves as a reminder for Tesla owners to factory reset their cars before handing them off to a junk yard or other reseller because that other party may not reset your car for you. "Tesla sometimes uses an automotive auction company called Manheim to inspect, recondition and sell used cars," reports CNBC. "A former Manheim employee, who asked to remain anonymous, confirmed that employees do not wipe the cars' computers with a factory reset." The researchers were able to obtain phonebooks "worth of contact information from drivers or passengers who had paired their devices, and calendar entries with descriptions of planned appointments, and e-mail addresses of those invited." The data also showed the drivers' last 73 navigation locations, as well as crash-related information. The Model 3 that one of the researchers bought for research purposes contained a video showing the car speeding out of the right lane into the trees off the left side of a dark two-lane route. "GPS and other vehicle data reveals that the accident happened in Orleans, Massachusetts, on Namequoit Road, at 11:15 pm on Aug 11, and was severe enough that airbags deployed," the report adds.

Critical Magento SQL Injection Flaw Could Soon Be Targeted By Hackers

Fri, 03/29/2019 - 17:30
itwbennett writes: The popular e-commerce platform Magento has released fixes for 37 security issues affecting both the commercial and open-source versions, four of which are critical. "Of those, one SQL injection flaw is of particular concern for researchers because it can be exploited without authentication," writes Lucian Constantin for CSO. Researchers from Web security firm Sucuri "have already reverse-engineered the patch [for that flaw] and created a working proof-of-concept exploit for internal testing," says Constantin. "The SQL vulnerability is very easy to exploit, and we encourage every Magento site owner to update to these recently patched versions to protect their ecommerce websites," the researchers warn in a blog post. "Unauthenticated attacks, like the one seen in this particular SQL Injection vulnerability, are very serious because they can be automated -- making it easy for hackers to mount successful, widespread attacks against vulnerable websites," the Sucuri researchers warned. "The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous." Since the researchers were able to create a working proof-of-concept exploit, it's only a matter of time until hackers discover a way to use the exploit to plant payment card skimmers on sites that have yet to install the new patch.

Toyota Security Breach Exposes Personal Info of 3.1 Million Clients

Fri, 03/29/2019 - 13:30
An anonymous reader quotes a report from BleepingComputer: The personal information of roughly 3.1 million Toyota customers may have been leaked following a security breach of multiple Toyota and Lexus sales subsidiaries, as detailed in a breach notification issued by the car maker today. As detailed in a press release published on Toyota's global newsroom, unauthorized access was detected on the computing systems of Tokyo Sales Holdings, Tokyo Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla. "It turned out that up to 3.1 million items of customer information may have been leaked outside the company. The information that may have been leaked this time does not include information on credit cards," says the data breach notification. Toyota has not yet confirmed if the attackers were able to exfiltrate any of the customer personal information exposed after the IT systems of its subsidiaries were breached. Toyota said in a statement: "We apologize to everyone who has been using Toyota and Lexus vehicles for the great concern. We take this situation seriously, and will thoroughly implement information security measures at dealers and the entire Toyota Group."

Paywalls Block Scientific Progress. Research Should Be Open To Everyone

Fri, 03/29/2019 - 12:10
An anonymous reader shares a report: Academic and scientific research needs to be accessible to all. The world's most pressing problems like clean water or food security deserve to have as many people as possible solving their complexities. Yet our current academic research system has no interest in harnessing our collective intelligence. Scientific progress is currently thwarted by one thing: paywalls. Paywalls, which restrict access to content without a paid subscription, represent a common practice used by academic publishers to block access to scientific research for those who have not paid. This keeps $25.5bn flowing from higher education and science into for-profit publisher bank accounts. My recent documentary, Paywall: The Business of Scholarship, uncovered that the largest academic publisher, Elsevier, regularly has a profit margin between 35-40%, which is greater than Google's. With financial capacity comes power, lobbyists, and the ability to manipulate markets for strategic advantages -- things that underfunded universities and libraries in poorer countries do not have. Furthermore, university librarians are regularly required to sign non-disclosure agreements on their contract-pricing specifics with the largest for-profit publishers. Each contract is tailored specifically to that university based upon a variety of factors: history, endowment, current enrolment. This thwarts any collective discussion around price structures, and gives publishers all the power.

Google: Play Protect Cut Harmful Android App Installs by 20% in 2018

Fri, 03/29/2019 - 10:50
Speaking of the state of Android apps' security, Google today published its annual Android Security & Privacy Year in Review, a comprehensive report that details the company's ongoing efforts to keep over two billion devices running the Android mobile operating system secure. From a report: Google says that Google Play Protect, Android's AI-driven built-in defense mechanism, substantially cut down on the number of Potentially Harmful Applications (PHAs) in Google Play. Last year, only 0.08 percent of devices that used Google Play exclusively for app downloads were affected by PHAs, and even devices that installed apps from outside of Play -- 0.68 percent of which were affected by one or more PHAs, down from 0.80 percent in 2017 -- saw a 15 percent reduction in malware. In fact, Play Protect prevented 1.6 billion PHA installation attempts from outside of Google Play in 2018, Google says [PDF]. Installation attempts outside of Google Play fell by 20 percent from the previous year, and 73 percent of PHA installations were successfully stopped compared to 71 percent in 2017 and 59 percent in 2016. In all, 0.45 percent of Android devices running Play Protect installed PHAs in 2018 compared with 0.56 percent of devices in 2017, equating to a 20 percent year-over-year improvement.

Researchers Discover and Abuse New Undocumented Feature in Intel Chipsets

Fri, 03/29/2019 - 08:58
At the Black Hat Asia 2019 security conference, security researchers from Positive Technologies disclosed the existence of a previously unknown and undocumented feature in Intel chipsets. From a report: Called Intel Visualization of Internal Signals Architecture (Intel VISA), Positive Technologies researchers Maxim Goryachy and Mark Ermolov said this is a new utility included in modern Intel chipsets to help with testing and debugging on manufacturing lines. VISA is included with the Platform Controller Hub (PCH) chipsets that are part of modern Intel CPUs and works like a full-fledged logic signal analyzer. According to the two researchers, VISA intercepts electronic signals sent from internal buses and peripherals (display, keyboard, and webcam) to the PCH -- and later the main CPU. Unauthorized access to the VISA feature would allow a threat actor to intercept data from the computer memory and create spyware that works at the lowest possible level. But despite its extremely intrusive nature, very little is known about this new technology.

Researchers Find Google Play Store Apps Were Actually Government Malware

Fri, 03/29/2019 - 06:50
Security researchers have found a new kind of government malware that was hiding in plain sight within apps on Android's Play Store. And they appear to have uncovered a case of lawful intercept gone wrong. An anonymous reader writes: This new case once again highlights the limits of Google's filters that are intended to prevent malware from slipping onto the Play Store. In this case, more than 20 malicious apps went unnoticed by Google over the course of roughly two years. Motherboard has also learned of a new kind of Android malware on the Google Play store that was sold to the Italian government by a company that sells surveillance cameras but was not known to produce malware until now. Experts told Motherboard the operation may have ensnared innocent victims as the spyware appears to have been faulty and poorly targeted. Legal and law enforcement experts told Motherboard the spyware could be illegal. The spyware apps were discovered and studied in a joint investigation by researchers from Security Without Borders, a non-profit that often investigates threats against dissidents and human rights defenders, and Motherboard. The researchers published a detailed, technical report of their findings on Friday.

Security Researcher Pleads Guilty To Hacking Into Microsoft and Nintendo

Thu, 03/28/2019 - 17:30
24-year-old security researcher Zammis Clark pleaded guilty today to hacking into Microsoft and Nintendo servers and stealing confidential information. Clark, known online as Slipstream or Raylee, "was charged on multiple counts of computer misuse offenses in a London Crown Court on Thursday, and pleaded guilty to hacking into Microsoft and Nintendo networks," reports The Verge. From the report: Prosecutors revealed that Clark had gained access to a Microsoft server on January 24th, 2017 using an internal username and password, and then uploaded a web shell to remotely access Microsoft's network freely for at least three weeks. Clark then uploaded multiple shells which allowed him to search through Microsoft's network, upload files, and download data. In total, around 43,000 files were stolen after Clark targeted Microsoft's internal Windows flighting servers. These servers contain confidential copies of pre-release versions of Windows, and are used to distribute early beta code to developers working on Windows. Clark targeted unique build numbers to gain information on pre-release versions of Windows in around 7,500 searches for unreleased products, codenames, and build numbers. Clark then shared access to Microsoft's servers through an Internet Relay Chat (IRC) server chatroom, allowing other individuals to access and steal confidential information. Prosecutors say other hackers from France, Germany, the United Arab Emirates, and other countries were then able to access Microsoft's servers. Police found the stolen files on Clark's home computer after a joint investigation involving Microsoft's cyber team, the FBI, EUROPOL, and the NCA's National Cyber Crime Unit (NCCU). [...] The Microsoft intrusion ended when Clark uploaded malware onto Microsoft's network, and he was subsequently arrested in June, 2017. Clark was then bailed without any restrictions on his computer use, and went on to hack into Nintendo's internal network in March last year. 
Clark gained access through Virtual Private Networks (VPNs) and used similar software to hack into Nintendo's highly confidential game development servers. These servers store development code for unreleased games, and Clark was able to steal 2,365 usernames and passwords until Nintendo eventually discovered the breach in May 2018. Nintendo estimates the cost of damages between $913,000 and $1.8 million, and Microsoft previously provided the court with a vague estimate of around $2 million in damages. 26-year-old Thomas Hounsell, known in the Windows community for running the now discontinued BuildFeed website, appeared alongside Clark in court on Thursday for using Clark's Microsoft server breach to conduct more than 1,000 searches for products, codenames, and build numbers over a 17-day period, the report adds.

Russia Orders Major VPN Providers To Block 'Banned' Sites

Thu, 03/28/2019 - 16:50
Russian authorities have ordered ten major VPN providers to begin blocking sites on the country's blacklist. "NordVPN, ExpressVPN, IPVanish and HideMyAss are among those affected," reports TorrentFreak. "TorGuard also received a notification and has pulled its services out of Russia with immediate effect." From the report: During the past few days, telecoms watchdog Roscomnadzor says it sent compliance notifications to 10 major VPN services with servers inside Russia -- NordVPN, ExpressVPN, TorGuard, IPVanish, VPN Unlimited, VyprVPN, Kaspersky Secure Connection, HideMyAss!, Hola VPN, and OpenVPN. The government agency is demanding that the affected services begin interfacing with the FGIS database, blocking the sites listed within. Several other local companies -- search giant Yandex, Sputnik, Mail.ru, and Rambler -- are already connected to the database and filtering as required. "In accordance with paragraph 5 of Article 15.8 of the Federal Law No. 149-FZ of 27.07.2006 'On Information, Information Technology and on Protection of Information' hereby we are informing you about the necessity to get connected to the Federal state informational system of the blocked information sources and networks [FGIS] within thirty working days from the receipt [of this notice]," the notice reads. A notice received by TorGuard reveals that the provider was indeed given just under a month to comply. The notice also details the consequences for not doing so, i.e. being placed on the blacklist with the rest of the banned sites so it cannot operate in Russia. The demand from Roscomnadzor sent to TorGuard and the other companies also requires that they hand over information to the authorities, including details of their operators and places of business. The notice itself states that for foreign entities, Russian authorities require the full entity name, country of residence, tax number and/or trade register number, postal and email address details, plus other information.

Researchers Find 36 New Security Flaws In LTE Protocol

Thu, 03/28/2019 - 13:30
An anonymous reader quotes a report from ZDNet: A group of academics from South Korea have identified 36 new vulnerabilities in the Long-Term Evolution (LTE) standard used by thousands of mobile networks and hundreds of millions of users across the world. The vulnerabilities allow attackers to disrupt mobile base stations, block incoming calls to a device, disconnect users from a mobile network, send spoofed SMS messages, and eavesdrop on and manipulate user data traffic. They were discovered by a four-person research team from the Korea Advanced Institute of Science and Technology Constitution (KAIST), and documented in a research paper they intend to present at the IEEE Symposium on Security and Privacy in late May 2019. The Korean researchers said they found 51 LTE vulnerabilities, of which 36 are new, and 15 had been identified earlier by other research groups. They discovered this sheer number of flaws by using a technique known as fuzzing -- a code testing method that inputs a large quantity of random data into an application and analyzes the output for abnormalities, which, in turn, give developers a hint about the presence of possible bugs. The resulting vulnerabilities, see image below or this Google Docs sheet, were located in both the design and implementation of the LTE standard among the different carriers and device vendors. The KAIST team said it notified both the 3GPP (industry body behind the LTE standard) and the GSMA (industry body that represents mobile operators), but also the corresponding baseband chipset vendors and network equipment vendors on whose hardware they performed the LTEFuzz tests.