Slashdot security articles


Apple Disputes Google's Claims of a Devastating iPhone Hack

Fri, 09/06/2019 - 10:10
In a rare move, Apple has released a statement to comment on the attacks on iPhone users revealed by Google last week. From a report: Last week, Google dropped a bombshell in the form of a long, detailed analysis of five chains of iOS vulnerabilities discovered by its security teams. Google didn't say who was behind the attacks, nor who was targeted, but described the attack as "indiscriminate," and potentially hitting "thousands" of people. Apple disagrees. Friday, Apple published a brief press release that disputes some relatively minor details that Google released about the attacks. Namely, that the attacks lasted for a shorter amount of time and that they were less widespread than Google reported. "First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones 'en masse' as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community." Apple wrote. "Google's post, issued six months after iOS patches were released, creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised. This was never the case. Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not 'two years' as Google implies," the statement continued.

Why Phones That Secretly Listen To Us Are a Myth

Fri, 09/06/2019 - 08:09
A mobile security company has carried out a research investigation to address the popular conspiracy theory that tech giants are listening to conversations. From a report: The internet is awash with posts and videos on social media where people claim to have proof that the likes of Facebook and Google are spying on users in order to serve hyper-targeted adverts. Videos have gone viral in recent months showing people talking about products and then ads for those exact items appear online. Now, cyber security-specialists at Wandera have emulated the online experiments and found no evidence that phones or apps were secretly listening. Researchers put two phones -- one Samsung Android phone and one Apple iPhone -- into a "audio room". For 30 minutes they played the sound of cat and dog food adverts on loop. They also put two identical phones in a silent room. The security specialists kept apps open for Facebook, Instagram, Chrome, SnapChat, YouTube, and Amazon with full permissions granted to each platform. They then looked for ads related to pet food on each platform and webpage they subsequently visited. They also analyzed the battery usage and data consumption on the phones during the test phase. They repeated the experiment at the same time for three days, and noted no relevant pet food adverts on the "audio room" phones and no significant spike in data or battery usage.

Israeli Spyware Firm NSO Group is Wildly Profitable Despite Concerns Over Misuse of its Technology, Leaked Financials Show

Fri, 09/06/2019 - 07:26
An anonymous reader shares a report: The secretive Israeli spyware company NSO Group gained notoriety following allegations that its hacking tool Pegasus was used by governments like Saudi Arabia and Mexico to track dissidents and journalists. A few months later, the company was acquired for $1 billion by its cofounders Shalev Hulio and Omri Lavie alongside the private equity firm Novalpina Capital. To get that deal done, the founders raised money through a debt offering led by Credit Suisse and Jefferies. The banks reportedly struggled to sell the debt due to ethical concerns, but in the end it found buyers in mutual funds including BlackRock and Principal Financial Group, as well as collateralized loan obligation (CLO) management firms Ellington Management Group and Saratoga Investment Corp. Why would so many financial institutions align themselves with a company with a contentious reputation? NSO Group is high growth, and it's wildly profitable, according to a person who saw the debt offering circulated by the company earlier this year who shared its contents with Business Insider. And it did that all with just 60 customers.

Apple Plans Return of Touch ID and New Cheap iPhone

Thu, 09/05/2019 - 17:25
Apple is reportedly developing in-display fingerprint technology for as early as its 2020 iPhones, according to Bloomberg. "The technology is in testing both inside Apple and among the company's overseas suppliers, though the timeline for its release may slip to the 2021 iPhone refresh, said the people, who asked not to be identified discussing private work." From the report: Apple introduced fingerprint scanning on iPhones in 2013, following its acquisition of AuthenTec Inc., a pioneer in the field. Integrated into the iPhone's home button, the Touch ID system was used for unlocking the device, approving payments and authorizing app downloads -- and it gave Apple a technological edge with its speed and reliability. Touch ID was replaced with face-scanning sensors in 2017 with the iPhone X launch. Branded as Face ID, the new face authentication again put Apple ahead of the competition with a more robust and secure implementation than rivals. The upcoming fingerprint reader would be embedded in the screen, letting a user scan their fingerprint on a large portion of the display, and it would work in tandem with the existing Face ID system, the people familiar with Apple's plans said. The report also mentions Apple is working on its first low-cost iPhone since the iPhone SE: That could come out as early as the first half of 2020, the people said. The device would look similar to the iPhone 8 and include a 4.7-inch screen. The iPhone 8 currently sells for $599, while Apple sold the iPhone SE for $399 when that device launched in 2016. The new low-cost phone is expected to have Touch ID built into the home button, not the screen. Nikkei reported plans for a cheaper iPhone earlier this week.

The Next Hot Job: Pretending To Be a Robot

Thu, 09/05/2019 - 16:03
"As the promise of autonomous machines lags the underlying technology, the growing need for human robot-minders could juice the remote workforce," reports The Wall Street Journal. An anonymous reader shares excerpts from the report: Across industries, engineers are building atop work done a generation ago by designers of military drones. Whether it's terrestrial delivery robots, flying delivery drones, office-patrolling security robots, inventory-checking robots in grocery stores or remotely piloted cars and trucks, the machines that were supposed to revolutionize everything by operating autonomously turn out to require, at the very least, humans minding them from afar. Until the techno-utopian dream of full automation comes into effect -- and frankly, there's no guarantee that will ever happen -- there will be plenty of jobs for humans, just not ones their parents would recognize. Whether the humans in charge are in the same city or thousands of miles away, the proliferation of not-yet-autonomous technologies is driving a tiny but rapidly growing workforce. Companies working with remote-controlled robots know there are risks, and try to mitigate them in a few ways. Some choose only to operate slow-moving machines in simple environments -- as in Postmates's sidewalk delivery -- so that even the worst disaster isn't all that bad. More advanced systems require 'human supervisory control,' where the robot or vehicle's onboard AI does the basic piloting but the human gives the machine navigational instructions and other feedback. Prof. Cummings says this technique is safer than actual remote operation, since safety isn't dependent on a perfect wireless connection or a perfectly alert human operator. For every company currently working on self-driving cars, almost every state mandates they must either have a safety driver present in the vehicle or be able to control it from afar. Guidelines from the National Highway Traffic Safety Administration suggest the same. 
Phantom Auto is betting the shift to remote operation might become an important means of employment for people who used to drive for a living. Other requirements for our remote-controlled future include "a tolerance for working for a lower wage, since remote operation could allow companies to outsource driving, construction and service jobs to call centers in cheaper labor markets," the report adds. "Another might be a youth spent gaming. When Postmates managers interview potential delivery-robot pilots like Diana Villalobos, they ask whether or not they played videogames in their youth. 'When I was a kid, my parents always said, 'Stop playing videogames!' But it came in handy,' she says."

Twitter Disables SMS-to-Tweet Feature After Its CEO Got Hacked Last Week

Thu, 09/05/2019 - 14:45
Twitter is disabling the ability to send tweets via SMS messages after an incident last week when the company's CEO Twitter account got hacked via this feature. From a report: The social network said the move is only temporary, but did not provide a timeline for the feature's reactivation. Twitter blamed the whole issue on mobile networks and "vulnerabilities that need to be addressed by mobile carriers."

600,000 GPS Trackers Left Exposed Online With a Default Password of '123456'

Thu, 09/05/2019 - 14:03
According to Avast security researchers, over 600,000 GPS trackers manufactured by a Chinese company are using the same default password of "123456." They say that hackers can abuse this password to hijack users' accounts, from where they can spy on conversations near the GPS tracker, spoof the tracker's real location, or get the tracker's attached SIM card phone number for tracking via GSM channels, reports BleepingComputer. From the report: Avast researchers said they found these issues in T8 Mini, a GPS tracker manufactured by Shenzhen i365-Tech, a Chinese IoT device maker. However, as their research advanced, Avast said the issues also impacted over 30 other models of GPS trackers, all manufactured by the same vendor, and some even sold as white-label products, bearing the logos of other companies. All models shared the same backend infrastructure, which consisted of a cloud server to which GPS trackers reported, a web panel where customers logged in via their browsers to check the tracker's location, and a similar mobile app, which also connected to the same cloud server. But all this infrastructure was full of holes. While Avast detailed several issues in its report, the biggest was the fact that all user accounts (either from the mobile app or web panel) relied on a user ID and a password that were easy to guess. The user IDs were based on the GPS tracker's IMEI (International Mobile Equipment Identity) code and were sequential, while the password was the same for all devices -- 123456. This means that a hacker can launch automated attacks against Shenzhen i365-Tech's cloud server by going through all user IDs one by one, using the same 123456 password, and take over users' accounts. While users can change the default after they log into their account for the first time, Avast said that during a scan of over four million user IDs, it found that more than 600,000 accounts were still using the default password.
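The combination the report describes (sequential, guessable user IDs plus one password shared by every device) turns account takeover into a single pass over the ID space with one guess per ID. The following is an added example, not code from Avast, BleepingComputer or the vendor: a constructed model of such a backend beside a hardened one that issues a unique first-login credential per device and locks accounts after repeated failures. The IMEI values, the account data and the fraction of owners who changed their password are made up for illustration.

```python
"""Constructed model of a tracker cloud login, to show why sequential
user IDs plus one shared default password make takeover a counting
exercise, and what a per-device provisioning flow changes.
Added example; not the vendor's or Avast's code. All data is made up."""
import hashlib
import hmac
import secrets

DEFAULT_PASSWORD = "123456"   # the shared default from the report


def make_accounts(first_imei: int, count: int, changed_every: int = 7) -> dict:
    """Constructed fleet: user IDs are consecutive IMEIs, and only every
    `changed_every`-th owner bothered to change the default password."""
    accounts = {}
    for i in range(count):
        uid = str(first_imei + i)
        if i % changed_every:
            accounts[uid] = DEFAULT_PASSWORD
        else:
            accounts[uid] = "owner-" + secrets.token_hex(4)
    return accounts


class WeakBackend:
    """Login as described: predictable ID, one shared default, no throttling."""

    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.attempts = 0

    def login(self, uid: str, password: str) -> bool:
        self.attempts += 1
        return self.accounts.get(uid) == password


def enumerate_default_accounts(backend, first_imei: int, count: int) -> list:
    """The automated attack: walk the ID space once, one guess per ID.
    Per-account lockout does nothing against this; only removing the
    shared default does."""
    hits = []
    for uid in range(first_imei, first_imei + count):
        if backend.login(str(uid), DEFAULT_PASSWORD):
            hits.append(str(uid))
    return hits


class HardenedBackend:
    """Hypothetical fix: a random first-login credential generated per device
    at provisioning (assumed to ship on the device label), a salted slow hash
    at rest, and lockout after a few failures on one account."""

    MAX_FAILURES = 5
    PBKDF2_ROUNDS = 50_000     # kept modest so the example runs quickly

    def __init__(self):
        self.records = {}
        self.attempts = 0

    @classmethod
    def _hash(cls, salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.PBKDF2_ROUNDS)

    def provision(self, imei: str) -> str:
        """Create the account and return its unique initial credential."""
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.records[imei] = {"salt": salt, "hash": self._hash(salt, password),
                              "failures": 0, "locked": False}
        return password

    def login(self, imei: str, password: str) -> bool:
        self.attempts += 1
        rec = self.records.get(imei)
        if rec is None or rec["locked"]:
            return False
        ok = hmac.compare_digest(rec["hash"], self._hash(rec["salt"], password))
        if ok:
            rec["failures"] = 0
        else:
            rec["failures"] += 1
            if rec["failures"] >= self.MAX_FAILURES:
                rec["locked"] = True
        return ok


if __name__ == "__main__":
    first = 867000000000000            # constructed 15-digit IMEI prefix
    weak = WeakBackend(make_accounts(first, 20))
    taken = enumerate_default_accounts(weak, first, 20)
    print(f"weak backend: {len(taken)} of 20 accounts taken in {weak.attempts} attempts")
    hard = HardenedBackend()
    for i in range(20):
        hard.provision(str(first + i))
    print(f"hardened backend: {len(enumerate_default_accounts(hard, first, 20))} taken")
```

The attacker's cost against the weak model is exactly one request per ID, which is why a scan of four million IDs is feasible at all; the hardened model removes the shared secret, so the same pass yields nothing, and the lockout only limits brute force against an individual account. In a real deployment the IMEI should also stop doubling as the login name, since the report notes it is recoverable over GSM.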

Trusted Face Smart Unlock Method Has Been Removed From Android Devices

Thu, 09/05/2019 - 12:47
The not-so-widely-used trusted face smart unlock feature has officially been removed from Android, news blog Android Police reported this week. From the report: Trusted face was added in 2014 and has been accessible to users on all Android devices until recently. Now, it's completely gone from stock and OEM devices, running Android 10 or below. The feature was accessible under Settings -> Security -> Smart Lock -> Trusted face. It didn't use any biometric data for security, instead just relying on your face to unlock your device. A photo could easily fool it. The writing was on the wall for its removal: It was broken on Android Q Beta 6 and we know Google has been working on a more secure face authentication method. But it's not only Android 10 that no longer has the Trusted face option. We've verified that the option is gone from the OnePlus 6T, Samsung Galaxy S9 and S10, Nokia 3.2, all of which are running Android Pie stable.

Apple Change Causes Scramble Among Private Messaging App Makers

Thu, 09/05/2019 - 08:45
A change Apple is making to improve privacy in an upcoming version of its iPhone operating system has alarmed an unlikely group of software makers: developers of privacy-focused encrypted messaging apps. The Information (paywalled): They warn the change, which is already available in public test versions of iOS 13, could end up undermining the privacy goals that prompted it in the first place. The Information previously reported that the technical change Apple is making to its next operating systems, iOS 13, has sparked concern at Facebook, which believes it will have to make significant modifications to encrypted messaging apps like Facebook Messenger and WhatsApp to comply. But a much wider group of developers of encrypted messaging apps -- including Signal, Wickr, Threema and Wire -- is scrambling to overhaul their software so that key privacy features continue to work. Apple told The Information on Wednesday in a statement that it is working with the developers to resolve their concerns. "We've heard feedback on the API changes introduced in iOS 13 to further protect user privacy and are working closely with iOS developers to help them implement their feature requests," an Apple spokesperson said.

China Hacked Asian Telcos To Spy on Uighur Travelers

Thu, 09/05/2019 - 08:01
Hackers working for the Chinese government have broken into telecoms networks to track Uighur travelers in Central and Southeast Asia, Reuters reported, citing two intelligence officials and two security consultants who investigated the attacks. From a report: The hacks are part of a wider cyber-espionage campaign targeting "high-value individuals" such as diplomats and foreign military personnel, the sources said. But China has also prioritized tracking the movements of ethnic Uighurs, a minority mostly Muslim group considered a security threat by Beijing. China is facing growing international criticism over its treatment of Uighurs in Xinjiang. Members of the group have been subject to mass detentions in what China calls "vocational training" centers and widespread state surveillance. Beijing's alleged cyberspace attacks against Uighurs show how it is able to pursue those policies beyond its physical borders.

Google, Industry Try To Water Down First US Data-Privacy Law

Wed, 09/04/2019 - 17:30
Google and its industry allies are making a late bid to water down the first major data-privacy law in the U.S., seeking to carve out exemptions for digital advertising, according to documents obtained by Bloomberg and people familiar with the negotiations. Bloomberg reports: A lobbyist for Google recently distributed new language to members of California's state legislature that would amend the California Consumer Privacy Act. As currently drafted, the law limits how Google and other companies collect and make money from user data online, threatening a business model that generates billions of dollars in ad revenue. It's due to kick in next year and there are only a few more days to amend the law. The lobbying push seeks legislative approval to continue collecting user data for targeted advertising, and in some cases, the right to do so even if users opt out, according to the documents and the people familiar with the negotiations. It's unclear if the language circulating in the state capitol's corridors was drafted by Google, and other lobbyists are likely asking for similar changes. Industry groups, such as the California Chamber of Commerce and the Internet Association, often help write legislation and have been the face of industry during two years of debate over the CCPA. It's also common for interested parties to suggest late changes to bills. The Google representative, who distributed the revised language in recent weeks, has yet to find a lawmaker to sponsor the amendments, according to people familiar with negotiations. The proposal must be in a bill by Sept. 10 to be eligible for lawmakers to vote on it before they adjourn for the year on Sept. 13. One of the proposals would let Google and others use data collected from websites for their own analysis, and then share it with other companies that may find it useful. Currently, the CCPA prohibits the sale or distribution of user data if the user has opted out, with limited exceptions. 
Another proposal would loosen the definition of "business purpose" when it comes to selling or distributing user data. The law currently defines this narrowly and has a list of specific activities, such as auditing and security, that will be allowed. Google's lobbyist shared new language that significantly broadens the rule by replacing the phrase "Business purposes are" with "Business purposes include," before the list of approved activities.

Electric Car Charge Posts To Be Installed In Every New Home In England

Wed, 09/04/2019 - 16:50
England is introducing a mandatory electric car charging point for each newly built home. "This means that every brand new home, by law, will have to have a charging port for your electric vehicle -- even if you don't yet own one," reports CleanTechnica. From the report: This would make it easier on both fully electric and plug-in hybrid owners in England who use the government's home charger subsidy, which has funded the installation of almost 100,000 wall boxes, as home chargers are commonly called. In the Foreword written by the Secretary of Transport, Rt Hon. Chris Grayling, he states that in the previous year the government set out a "bold and integrated Industrial Strategy" that was designed to create a "high-growth, high productivity green economy across the UK." It would be an economy ready for the 21st century and a huge part of this is a plan for solving the problem of roadside nitrogen dioxide concentrations. The goal is to cut exposure to air pollutants, reduce greenhouse gas emissions, and improve the UK's energy security. One of these policies states that they will support the development of one of the best electric vehicle infrastructure networks in the world.

A Huge Database of Facebook Users' Phone Numbers Found Online

Wed, 09/04/2019 - 12:13
Hundreds of millions of phone numbers linked to Facebook accounts have been found online. TechCrunch: The exposed server contained over 419 million records over several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam. But because the server wasn't protected with a password, anyone could find and access the database. Each record contained a user's unique Facebook ID and the phone number listed on the account. A user's Facebook ID is typically a long, unique and public number associated with their account, which can be easily used to discern an account's username. But phone numbers have not been public in more than a year since Facebook restricted access to users' phone numbers. TechCrunch verified a number of records in the database by matching a known Facebook user's phone number against their listed Facebook ID. We also checked other records by matching phone numbers against Facebook's own password reset feature, which can be used to partially reveal a user's phone number linked to their account.

Fraudsters Deepfake CEO's Voice To Trick Manager Into Transferring $243,000

Wed, 09/04/2019 - 05:00
An anonymous reader quotes a report from The Next Web: In March, criminals sought the help of commercially available voice-generating AI software to impersonate the boss of a German parent company that owns a UK-based energy firm. They then tricked the latter's chief executive into urgently wiring said funds to a Hungarian supplier in an hour, with guarantees that the transfer would be reimbursed immediately. The company CEO, hearing the familiar slight German accent and voice patterns of his boss, is said to have suspected nothing, the report said. But not only was the money not reimbursed, the fraudsters posed as the German CEO to ask for another urgent money transfer. This time, however, the British CEO refused to make the payment. As it turns out, the funds the CEO transferred to Hungary were eventually moved to Mexico and other locations. Authorities are yet to determine the culprits behind the cybercrime operation. The firm was insured by Euler Hermes Group, which covered the entire cost of the payment. The names of the company and the parties involved were not disclosed. According to The Wall Street Journal, which first reported the news, the voice fraud cost the company $243,000.

Android 10 Launches Today, and Pixel Phones Get the Day One Update

Tue, 09/03/2019 - 16:10
An anonymous reader quotes a report from Ars Technica: Android 10 is finally finished! The next big Android update, which we've been examining for most of the year as the "Android Q Beta," starts rolling out to devices today. As usual, Android 10 is arriving on Pixel phones first (even the three-year-old Pixel 1), and Google says it is "working with a number of partners to launch or upgrade devices to Android 10 this year." Google has introduced a new branding strategy for Android, by the way, so there's no "Q" snack name with this release. In 2019, it's just "Android 10." Android 10 brings a number of changes to the world's most popular mobile operating system. First up, devices are getting "fully gestural" navigation, which lets you navigate around the phone with swipe gestures. Just like the implementation on the iPhone X, gesture navigation removes the need for a dedicated space for navigation buttons, allowing for more space for app content. There's finally full support for a dark theme, which will turn the entire system UI and any supported apps from the usual black text on a white background to white text on a black background. (That option significantly reduces the amount of light a phone puts out and saves battery life on OLED displays.) Google has also promised dark mode support for "all" of the Google apps in time for Android 10's launch, so we should be seeing updates to Gmail, Google Play, Google Maps, and a million other Google apps sometime soon. Other features of Android 10 include a faster share sheet, a "bubbles" API for floating apps, 230 new emoji, improved security and privacy options, and a smarter notification panel.

Over 47,000 Supermicro Servers Are Exposing BMC Ports on the Internet

Tue, 09/03/2019 - 12:50
Catalin Cimpanu, writing for ZDNet: More than 47,000 workstations and servers, possibly more, running on Supermicro motherboards are currently open to attacks because administrators have left an internal component exposed on the internet. These systems are vulnerable to a new set of vulnerabilities named USBAnywhere that affect the baseboard management controller (BMC) firmware of Supermicro motherboards. Patches are available to fix the USBAnywhere vulnerabilities, but Supermicro and security experts recommend restricting access to BMC management interfaces from the internet, as a precaution and industry best practice.

Android Exploits Are Now Worth More Than iOS Exploits for the First Time

Tue, 09/03/2019 - 08:05
Zerodium, a company which claims it buys and then resells software exploits to government and law enforcement agencies, has updated its price list today, and Android exploits are worth more than iOS exploits for the first time ever. From a report: According to the company, starting today, a zero-click (no user interaction) exploit chain for Android can get hackers and security researchers up to $2.5 million in rewards. A similar exploit chain impacting iOS is worth only $2 million. Zerodium's new price for Android exploits is almost twelve times more when compared to the maximum of $200,000 the company was willing to offer a year ago, and even 100 times more than Zerodium was paying for some of the lower-impact Android exploits. Zerodium has timed its announcement with Google's official release for Android 10, scheduled for later today. Further reading: Exploit Sellers Say There are More iPhone Hacks on the Market Than They've Ever Seen.

How a Secret Dutch Mole Aided the US-Israeli Stuxnet Cyberattack on Iran

Mon, 09/02/2019 - 14:30
For years, an enduring mystery has surrounded the Stuxnet virus attack that targeted Iran's nuclear program: How did the U.S. and Israel get their malware onto computer systems at the highly secured uranium-enrichment plant? From a report: The first-of-its-kind virus, designed to sabotage Iran's nuclear program, effectively launched the era of digital warfare and was unleashed some time in 2007, after Iran began installing its first batch of centrifuges at a controversial enrichment plant near the village of Natanz. The courier behind that intrusion, whose existence and role have not been previously reported, was an inside mole recruited by Dutch intelligence agents at the behest of the CIA and the Israeli intelligence agency, the Mossad, according to sources who spoke with Yahoo News. An Iranian engineer recruited by the Dutch intelligence agency AIVD provided critical data that helped the U.S. developers target their code to the systems at Natanz, according to four intelligence sources. That mole then provided much-needed inside access when it came time to slip Stuxnet onto those systems using a USB flash drive. The Dutch were asked in 2004 to help the CIA and Mossad get access to the plant, but it wasn't until three years later that the mole, who posed as a mechanic working for a front company doing work at Natanz, delivered the digital weapon to the targeted systems. "[T]he Dutch mole was the most important way of getting the virus into Natanz," one of the sources told Yahoo.

Ask Slashdot: What Lightweight Alternative To Chrome or Firefox Do You Use?

Mon, 09/02/2019 - 10:00
thegarbz writes: It seems not a day goes by without yet another story reflecting poorly on major browsers. Not uncommon are stories that are mixed with a degree of bloat, either discussing rarely used features or directly criticizing memory consumption of major browsers. Unfortunately, memory consumption is quite often the result of complete feature implementation of technologies used on the web, including DRM for streaming services and WebRTC. Other times it's the result of security measures, feature creep, or poor coding. So in 2019, for those of us with slower tablets, what browser do you use as an alternative to the big two? How well does it work with the modern HTML5 internet? Are websites frequently broken, or does the simplicity of other browsers largely go unnoticed?

Police Hijack a Botnet and Remotely Kill 850,000 Malware Infections

Mon, 09/02/2019 - 08:00
In a rare feat, French police have hijacked and neutralized a massive cryptocurrency mining botnet controlling close to a million infected computers. From a report: The notorious Retadup malware infects computers and starts mining cryptocurrency by sapping power from a computer's processor. Although the malware was used to generate money, the malware operators easily could have run other malicious code, like spyware or ransomware. The malware also has wormable properties, allowing it to spread from computer to computer. Since its first appearance, the cryptocurrency mining malware has spread across the world, including the U.S., Russia, and Central and South America. According to a blog post announcing the bust, security firm Avast confirmed the operation was successful. The security firm got involved after it discovered a design flaw in the malware's command and control server. That flaw, if properly exploited, would have "allowed us to remove the malware from its victims' computers" without pushing any code to victims' computers, the researchers said.