Slashdot security articles

News for nerds, stuff that matters

More Than 1,000 Android Apps Harvest Data Even After You Deny Permissions

Mon, 07/08/2019 - 08:45
An anonymous reader shares a report: Permissions on Android apps are intended to be gatekeepers for how much data your device gives up. If you don't want a flashlight app to be able to read through your call logs, you should be able to deny that access. But even when you say no, many apps find a way around: Researchers discovered more than 1,000 apps that skirted restrictions, allowing them to gather precise geolocation data and phone identifiers behind your back. The discovery highlights how difficult it is to stay private online, particularly if you're attached to your phones and mobile apps. Tech companies have mountains of personal data on millions of people, including where they've been, who they're friends with and what they're interested in. Lawmakers are attempting to reel that in with privacy regulation, and app permissions are supposed to control what data you give up. Apple and Google have released new features to improve people's privacy, but apps continue to find hidden ways to get around these protections. Researchers from the International Computer Science Institute found up to 1,325 Android apps that were gathering data from devices even after people explicitly denied them permission. Serge Egelman, director of usable security and privacy research at the ICSI, presented the study in late June at the Federal Trade Commission's PrivacyCon.

British Airways Hit With Record Fine For Data Breach

Mon, 07/08/2019 - 07:28
AmiMoJo writes: British Airways is facing a record fine of £183m ($230m) for last year's breach of its security systems. The Information Commissioner's Office said the incident took place after users of British Airways' website were diverted to a fraudulent site. Through this false site, details of around 500,000 customers were harvested by the attackers. The BA penalty amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum of 4%. The fine amounts to around 10% of BA's profits for that year.

Why We All Need To Agree That It Is Flat Out Unacceptable To Use RSA in 2019

Mon, 07/08/2019 - 06:08
An excerpt from a post on Trail of Bits: From major open source projects to exciting new proprietary software, we've seen it all. But one common denominator in all of these systems is that for some inexplicable reason people still seem to think RSA is a good cryptosystem to use. Let me save you a bit of time and money and just say outright -- if you come to us with a codebase that uses RSA, you will be paying for the hour of time required for us to explain why you should stop using it. RSA is an intrinsically fragile cryptosystem containing countless foot-guns which the average software engineer cannot be expected to avoid. Weak parameters can be difficult, if not impossible, to check, and its poor performance compels developers to take risky shortcuts. Even worse, padding oracle attacks remain rampant 20 years after they were discovered. While it may be theoretically possible to implement RSA correctly, decades of devastating attacks have proven that such a feat may be unachievable in practice.
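Two of the foot-guns the post alludes to, shown on a toy key so they run instantly. This is an added example, not code from Trail of Bits; the primes, exponents and messages are chosen for illustration and are orders of magnitude too small for real use. The first is malleability: unpadded RSA lets anyone who can get an arbitrary ciphertext decrypted (the situation a padding oracle exploits) recover the plaintext of a ciphertext the oracle refuses to touch. The second is the low-exponent case: with e = 3 and no padding, a short message never wraps around the modulus and a plain integer cube root recovers it without the private key.

```python
# Added example (not from the Trail of Bits post): two classic RSA foot-guns
# on a toy key. Primes this small are an assumption for readability only.
from math import gcd


def textbook_rsa_keypair(p: int, q: int, e: int):
    """Return (n, e, d) for the given primes. No padding, no sanity checks: textbook RSA."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return n, e, d


def encrypt(m: int, n: int, e: int) -> int:
    return pow(m, e, n)


def decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)


def blinding_attack(c: int, n: int, e: int, decrypt_oracle, r: int = 2) -> int:
    """Foot-gun 1: unpadded RSA is malleable.

    Given c = m^e mod n and an oracle that decrypts anything except c itself,
    submit c' = c * r^e mod n. The oracle returns m' = m * r mod n; divide r out.
    """
    c_prime = (c * pow(r, e, n)) % n
    assert c_prime != c
    m_prime = decrypt_oracle(c_prime)
    return (m_prime * pow(r, -1, n)) % n


def icbrt(x: int) -> int:
    """Exact integer cube root by binary search; -1 if x is not a perfect cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else -1


def low_exponent_attack(c: int) -> int:
    """Foot-gun 2: e = 3, no padding, and m^3 < n.

    The modular reduction never happens, so c is literally m^3 and a cube root
    over the integers recovers m. No private key required.
    """
    return icbrt(c)


def demo():
    # Foot-gun 1 on the textbook p=61, q=53, e=17 key (n=3233).
    n, e, d = textbook_rsa_keypair(61, 53, 17)
    m = 65
    c = encrypt(m, n, e)

    def oracle(x):  # decrypts anything but the target ciphertext
        if x == c:
            raise PermissionError("will not decrypt the target ciphertext")
        return decrypt(x, n, d)

    recovered = blinding_attack(c, n, e, oracle)

    # Foot-gun 2 on p=101, q=113, e=3 (n=11413); m=10, so m^3 = 1000 < n.
    n3, e3, _ = textbook_rsa_keypair(101, 113, 3)
    c3 = encrypt(10, n3, e3)
    recovered3 = low_exponent_attack(c3)
    return recovered, recovered3


if __name__ == "__main__":
    print(demo())
```

Both attacks vanish only when a proper padding scheme (OAEP for encryption, PSS for signatures) is applied and the padding check itself leaks nothing, which is exactly the part implementations keep getting wrong.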

When Ransomware Gets Paid By A City's Insurance Policies

Sun, 07/07/2019 - 12:46
Remember when the small town of Lake City, Florida paid $460,000 for a ransomware's decryption key? As they slowly recover 100 years of encrypted municipal records, the New York Times looks at the lessons learned, arguing that cyberattackers have simply found a juicy target: small governments with weak computer protections -- and strong insurance policies. The city had backup files for all its data, but they were on the same network -- and also inaccessible... The city's insurer, the Florida League of Cities, hired a consultant to handle the negotiations with the hackers via the email addresses that had been posted on the city server. The initial demands were refused outright, and city technicians raced to find a workaround. "We tried a lot of different solutions," said Joseph Helfenberger, the city manager. None of them worked. "We were at the end of the day faced with either re-creating the data from scratch, or paying the ransom," he said. The insurer's negotiator settled on a payment of 42 Bitcoins, or about $460,000, Helfenberger said, of which the city would pay a $10,000 deductible. After the payment, the hackers provided a decryption key, and recovery efforts began in earnest. As it turned out, recovery would not be simple. Even with the decryption key, each terabyte has taken about 12 hours to recover. Much of the city's data, nearly a month after the onset of the attack, has still not been unlocked... In Lake City, the information technology director, blamed for both failing to secure the network and taking too long to recover the data, wound up losing his job. Mark A. Orlando, the chief technology officer for Raytheon Intelligence Information and Services, tells the Times it's unrealistic to expect cities to never pay the ransom. "Anyone who said that has never been in charge of a municipality that has half their services down and no choice." But does that create an ever-widening problem? 
The FBI knows of at least 1,500 reported ransomware incidents last year, according to the article, although the Illinois computer programmer offering free decryption help at ID Ransomware says he's receiving 1,500 requests for assistance every day.

Microsoft Criticized For VPN-Breaking Windows 10 Update

Sun, 07/07/2019 - 10:34
"Windows 10 continues to be a danger zone," writes Forbes senior contributor Gordon Kelly: Not only have problems been piling up in recent weeks, Microsoft has also been worryingly deceptive about the operation of key services. And now the company has warned millions about another problem. Spotted by the always excellent Windows Latest, Microsoft has told tens of millions of Windows 10 users that the latest KB4501375 update may break the platform's Remote Access Connection Manager (RASMAN). And this can have serious repercussions. The big one is VPNs. RASMAN handles how Windows 10 connects to the internet and it is a core background task for VPN services to function normally. Given the astonishing growth in VPN usage for everything from online privacy and important work tasks to unlocking Netflix and YouTube libraries, this has the potential to impact heavily on how you use your computer. Interestingly, in detailing the issue Microsoft states that it only affects Windows 10 1903 - the latest version of the platform. The problem is Windows 10 1903 accounts for a conservative total of at least 50M users. Microsoft estimates they'll have a solution available "in late July," adding that the issue only occurs "when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections." That support page also offers a work-around which involves configuring the default telemetry settings in either the group policy settings or with a registry value. UPDATE (7/7/2019): ZDNet is strongly criticizing Forbes' article, arguing that the issue affects only a small number of Windows users, "when the diagnostic data level setting is manually configured to the non-default setting of 0." 
For those who don't understand how unusual that configuration is, note that it applies only to Windows 10 Enterprise and that it can be set only using Group Policy on corporate networks or by manually editing the registry. You can't accidentally enable this setting. And you can't deliberately set it on a system running Windows 10 Home or Pro, because it is for Enterprise edition only.

Inside The Seamy World of Robocalling Schemes

Sun, 07/07/2019 - 06:34
CNBC reports on the latest revelations from America's Federal Trade Commission about the tactics used by the robocall industry: In some cases, robocalls proliferate through programs that resemble multilevel marketing schemes, where business founders push robocall packages on "members" to spur quick growth. In one case, an organization known alternately as "8 Figure Dream Lifestyle," "Millionaire Mind" and "Online Entrepreneur Academy" enticed consumers to buy memberships to gain access to a "franchise-like opportunity" to sell the organization's "proven business model" or "blueprint for success" downstream. Members paid between $2,395 and $22,495 to join, and the business claimed they could earn $5,000 to $10,000 in the first two weeks, followed by similarly large sums... The FTC also looked at an organization called Life Management Services, which allegedly netted $15.6 million from consumers who thought they were reorganizing their credit card debt through an interest rate reduction service... Another complaint, against a corporation called First Choice Horizon, outlines how the robocaller "under the guise of confirming consumers' identities" for an offer of "bogus credit card interest rate reduction services," further "tricked them into providing their personal financial information, including their social security and credit card numbers," according to the FTC... Another organization, called Media Mix 365, which generated "leads" for home solar energy companies, called a single number 1,000 times in a year and placed millions of nuisance calls to others, the FTC says... A company called Lifewatch was a prolific spoofer, the FTC said, sending calls to consumers' phones that looked like they may have been coming from familiar numbers or numbers within the same area code. The group sold a "free" medical alert system and fraudulently claimed the system was endorsed by the American Heart Association or AARP. 
On the calls, people were told that they wouldn't be charged for the product unless it was "activated," but their credit cards were charged immediately, the FTC said... For consumers wondering what they can do about the calls, the first rule is always, "hang up, do not engage. If you see an unknown caller ID, don't answer." Consumers can report robocalls or violations of the Do Not Call registry to the FTC on its website.

In 'Bold Experiment', Facebook Creates Independent 'Oversight Board' For Content Decisions

Sat, 07/06/2019 - 23:34
Facebook is being applauded for a new "bold experiment" in content decision-making by tech journalist Larry Magid, a founding member (for the last 10 years) of what he describes as "the less powerful Facebook Safety Advisory Board, which is composed of safety experts mostly representing nonprofit organizations in several countries.... We are not empowered to overrule Facebook's management." Facebook is a company, not a government, but its user base is bigger than the population of any country in the world and the decisions made by its staff affect people in some of the same ways as decisions made by legislatures and courts in many countries. Nowhere is this more evident than in the way Facebook regulates speech. What it allows and forbids affects people's ability to communicate, but also impacts their safety, privacy, security and human rights... [W]hen it comes to some decisions, even Zuckerberg realizes that the stakes are too high for one person or one company to hold all the cards, and that's one of the reasons Facebook is in the process of putting together an Oversight Board for Content Decisions. That board, which will be made up of a diverse group of about 40 people from around the world, will be like what The Verge called a "Supreme Court for content moderation." The board, according to Facebook, will serve as an "independent authority outside of Facebook," and have the power to "reverse Facebook's decisions when necessary...." This is an extraordinary and mostly unprecedented undertaking from a private company which recognizes the potential impact of its decisions. If the board operates as planned, it will have the ability to overrule Zuckerberg himself on matters of what content is and isn't allowed on the service... 
If Facebook does a good job in creating a board which is both representative and independent and if it faithfully abides by its decisions, even when they are in conflict with what executives like Zuckerberg want, it will be at least a partial shift in the nature of corporate governance by creating a body that is neither controlled by the corporation itself nor by the governments in countries where the corporation operates. At the end of the day, local law in each jurisdiction will trump any decisions by this board and -- I suppose -- Facebook could change its mind and fail to implement one or more of the board's decisions, but if we take the company at its word, that isn't supposed to happen... Although Facebook is not completely rewriting the rules of corporate governance, it is making a bold move that changes the way some of its most important decisions will be made by empowering people who represent those affected by the company who -- without such a board -- would have no power over how the company operates. It is, to an extent, taking on powers held by governments as well as powers held by stockholders and board members. It's a bold experiment.

After 25 Months, Debian 10 'buster' Released

Sat, 07/06/2019 - 20:39
"After 25 months of development the Debian project is proud to present its new stable version 10 (code name 'buster'), which will be supported for the next 5 years thanks to the combined work of the Debian Security team and of the Debian Long Term Support team." An anonymous reader quotes Debian.org: In this release, GNOME defaults to using the Wayland display server instead of Xorg. Wayland has a simpler and more modern design, which has advantages for security. However, the Xorg display server is still installed by default and the default display manager allows users to choose Xorg as the display server for their next session. Thanks to the Reproducible Builds project, over 91% of the source packages included in Debian 10 will build bit-for-bit identical binary packages. This is an important verification feature which protects users against malicious attempts to tamper with compilers and build networks. Future Debian releases will include tools and metadata so that end-users can validate the provenance of packages within the archive. For those in security-sensitive environments AppArmor, a mandatory access control framework for restricting programs' capabilities, is installed and enabled by default. Furthermore, all methods provided by APT (except cdrom, gpgv, and rsh) can optionally make use of "seccomp-BPF" sandboxing. The https method for APT is included in the apt package and does not need to be installed separately... Secure Boot support is included in this release for amd64, i386 and arm64 architectures and should work out of the box on most Secure Boot-enabled machines. The announcement touts Debian's "traditional wide architecture support," arguing that it shows Debian "once again stays true to its goal of being the universal operating system." 
It ships with several desktop applications and environments, including Cinnamon 3.8, GNOME 3.30, KDE Plasma 5.14, LXDE 0.99.2, LXQt 0.14, MATE 1.20 and Xfce 4.12. "If you simply want to try Debian 10 'buster' without installing it, you can use one of the available live images which load and run the complete operating system in a read-only state via your computer's memory... Should you enjoy the operating system you have the option of installing from the live image onto your computer's hard disk."

John McAfee Hides in Cuba, Touts Cryptocurrency For Evading US Government's Sanctions

Sat, 07/06/2019 - 17:34
"On the run from U.S. tax authorities, tech guru John McAfee puffs a cigar aboard his towering white yacht in a Havana harbor," reports Reuters, "and says he can help Cuba evade the U.S. government too -- by launching a cryptocurrency that defeats a U.S. trade embargo." Long-time Slashdot reader Aighearach shared their report: McAfee in an interview touted the anonymity of the digital currency while also outlining his belief that income tax is illegal and plans to run from Cuba for the Libertarian Party nomination for U.S. president. "It would be trivial to get around the U.S. government's embargo through the use of a clever system of currency," the 73-year-old said Thursday. "So I made a formal offer to help them for free... on a private channel through Twitter." While Cuba had not responded, its Communist government said earlier this week it was studying the potential use of cryptocurrency to alleviate an economic crisis aggravated by tighter U.S. sanctions... Countries under U.S. sanctions such as Iran and Venezuela have floated the idea of using digital currency to trade although no scheme appears to have gotten off the ground. "You can't just create a coin and expect it to fly. You have to base it on the proper blockchain, have it structured such that it meets the specific needs of a country or economic situation," said McAfee. "There are probably less than 10 people in the world who know how to do that and I'm certainly one of them...." McAfee said he did not pay income tax for eight years for ideological reasons and was indicted... To avoid trial, he left the United States in January for the Bahamas. He arrived in Cuba a month ago after suspecting that U.S. law enforcement was trying to extradite him from the Bahamas. "With him on the yacht are his wife, four large dogs, two security guards and seven staff for his campaign 'in exile' for the Libertarian Party presidential nomination, McAfee said..." 
"Thousands of volunteers wearing masks depicting his face will campaign for him back home and abroad, he said."

International Crime Ring Suspected in 7-Eleven App Breach

Sat, 07/06/2019 - 11:34
On Monday, 7-Eleven launched a smartphone payment service for its 20,000 stores in Japan. By Thursday $510,000 had been stolen from the people using it -- as many as 900 customers. Long-time Slashdot reader shanen shared this follow-up article, which points out that it's also possible that email addresses and birth dates have been accessed from among the new app's 1.5 million registered users: Tsuyoshi Kobayashi, president of Seven Pay Co., told a press conference in Tokyo that the company will compensate users for the losses caused by fraudulent access and that it has already suspended accepting new users or allowing users of the service to add money to its smartphone application. The estimated amount of losses the company announced is as of 6 a.m. Thursday and the damage could expand... The parent company said someone, who had accessed their accounts and used the registered numbers of their credit or debit cards, purchased items at its convenience stores. The items included packs of cigarettes, which can be easily converted into cash, it said, adding there was a case in which a huge quantity worth 100,000 yen [$921] was purchased all at once at one of its outlets... According to Seven & i Holdings, some customers reported their losses on Tuesday and unauthorized access from China and other locations outside Japan was confirmed... Police arrested two Chinese men on Thursday in connection with the problem, investigative sources said. They are suspected of illegally using the ID and password of a customer Wednesday in an attempt to buy electric cigarette cartridges worth around 200,000 yen [$1,843] at a 7-Eleven shop in Tokyo. Nikkei Asian Review reports that one of the suspects "received instructions about gaining unauthorized access to 7pay accounts via WeChat, a popular Chinese messaging app. The Metropolitan Police Department suspects the involvement of an international criminal organization." 
(Japan Times reports that one man was asked to do "some shopping" after which he would receive "a reward".) Nikkei Asian Review also notes that the Japanese government has been pushing to have at least 40% of all payments be cashless by the mid-2020s -- including generous government tax incentives -- which one consumer finance writer says has "overheated" the market, while "the quality of services has declined in some cases."

OpenPGP Keyserver Attack Ongoing

Sat, 07/06/2019 - 08:34
Trailrunner7 quotes Duo.com's Decipher blog: There's an interesting and troubling attack happening to some people involved in the OpenPGP community that makes their certificates unusable and can essentially break the OpenPGP implementation of anyone who tries to import one of the certificates. The attack is quite simple and doesn't exploit any technical vulnerabilities in the OpenPGP software, but instead takes advantage of one of the inherent properties of the keyserver network that's used to distribute certificates. Keyservers are designed to allow people to discover the public certificates of other people with whom they want to communicate over a secure channel. One of the properties of the network is that anyone who has looked at a certificate and verified that it belongs to another specific person can add a signature, or attestation, to the certificate. That signature basically serves as the public stamp of approval from one user to another... Last week, two people involved in the OpenPGP community discovered that their public certificates had been spammed with tens of thousands of signatures -- one has nearly 150,000 -- in an apparent effort to render them useless. The attack targeted [OpenPGP project developers] Robert J. Hansen and Daniel Kahn Gillmor, but the root problem may end up affecting many other people, too... Matthew Green, a cryptographer and associate professor at Johns Hopkins University, said that the attack points out some of the weaknesses in the entire OpenPGP infrastructure. "PGP is old and kind of falling apart. There's not enough people maintaining it and it's full of legacy code. There are some people doing the lord's work in keeping it up, but it's not enough," Green said. "Think about like an old hospital that's crumbling and all of the doctors have left but there's still some people keeping the emergency room open and helping patients. 
At some point you have to ask whether it's better just to let it close and let something better come along. "I think PGP is preventing the development of better stuff and the person who did this is clearly demonstrating this problem." On Thursday ZDNet quoted a disturbing blog post from OpenPGP project developer Robert "rjh" Hansen, who warned that "given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned."

Why Is Slack Retaining Everyone's Chat History?

Sat, 07/06/2019 - 06:34
The associate director of research at the Electronic Frontier Foundation published a new warning in the Opinion section of the New York Times this week, calling Slack the only unicorn going public this year "that has admitted it is at risk for nation-state attacks" and saying there's a simple way to minimize risk -- that Slack has so far refused to take: Right now, Slack stores everything you do on its platform by default -- your username and password, every message you've sent, every lunch you've planned and every confidential decision you've made. That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers -- including the nation-state actors highlighted in Slack's S-1 -- can break in and steal it... Slack's paying enterprise customers do have a way to mitigate their security risk -- they can change their settings to set shorter retention periods and automatically delete old messages -- but it's not just big companies that are at risk... Free customer accounts don't allow for any changes to data retention. Instead, Slack retains all of your messages but makes only the most recent 10,000 visible to you. Everything beyond that 10,000-message limit remains on Slack's servers. So while those messages might seem out of sight and out of mind, they are all still indefinitely available to Slack, law enforcement and third-party hackers... Slack should give everyone the same privacy protections available to its paying enterprise customers and let all of its users decide for themselves which messages they want to keep and which messages they want to delete. It's undeniably Slack's prerogative to charge for a more advanced product, but making users pay for basic privacy and security protections is the wrong call. It's time for Slack to step up, minimize the amount of sensitive data hanging around on its servers and give all its users retention controls. 
The article notes that Slack's stock filings acknowledge that it faces threats from "sophisticated organized crime, nation-state, and nation-state supported actors." The filings even specifically add that Slack's security measures "may not be sufficient to protect Slack and our internal systems and networks against certain attacks," and that completely eliminating the threat of a nation-state attack would be "virtually impossible."

Tor Project To Fix Bug Used For DDoS Attacks On Onion Sites For Years

Fri, 07/05/2019 - 18:03
An anonymous reader writes: "The Tor Project is preparing a fix for a bug that has been abused for the past few years to launch DDoS attacks against dark web (.onion) websites," reports ZDNet. "Barring any unforeseen problems, the fix is scheduled for the upcoming Tor protocol 0.4.2 release." The bug has been known to Tor developers for years, and has been used to launch Slowloris-like attacks on the web servers that run the Tor service supporting an .onion site. It works by opening many connections to the server and maxing out the CPU. Since Tor connections are CPU intensive because of the cryptography involved to support the privacy and anonymity of the network, even a few hundred connections are enough to bring down dark web portals. A tool to exploit the bug and to automate DDoS attacks has been around for four years, and has been used by hackers to extort dark web marketplaces all spring. At least two markets selling illegal products have shut down after refusing to pay attackers. To get the bug fixed, members of a dark web forum banded together and donated to the Tor Project to sponsor the bug's patch.

Almost a Third of World's Top VPNs Are Secretly Owned By Chinese Firms, Study Finds

Fri, 07/05/2019 - 16:45
SonicSpike shares a report from Computer Weekly: Almost a third (30%) of the world's top virtual private network (VPN) providers are secretly owned by six Chinese companies, according to a study by privacy and security research firm VPNpro. The study shows that the top 97 VPNs are run by just 23 parent companies, many of which are based in countries with lax privacy laws. Six of these companies are based in China and collectively offer 29 VPN services, but in many cases, information on the parent company is hidden from consumers. Researchers at VPNpro have pieced together ownership information through company listings, geolocation data, the CVs of employees and other documentation. In some instances, ownership of different VPNs is split amongst a number of subsidiaries. For example, Chinese company Innovative Connecting owns three separate businesses that produce VPN apps: Autumn Breeze 2018, Lemon Cove and All Connected. In total, Innovative Connecting produces 10 seemingly unconnected VPN products, the study shows. Although the ownership of a number of VPN services by one company is not unusual, VPNpro is concerned that so many are based in countries with lax or non-existent privacy laws.

Fake Samsung Firmware Update App Tricks More Than 10 Million Android Users

Fri, 07/05/2019 - 11:20
Over ten million users have been duped into installing a fake Samsung app named "Updates for Samsung" that promises firmware updates, but, in reality, redirects users to an ad-filled website and charges for firmware downloads. From a report: "I have contacted the Google Play Store and asked them to consider removing this app," Aleksejs Kuprins, malware analyst at the CSIS Security Group, told ZDNet this week in an interview, after publishing a report on the app's shady behavior earlier today. The app takes advantage of the difficulty in getting firmware and operating system updates for Samsung phones, hence the high number of users who have installed it. "It would be wrong to judge people for mistakenly going to the official application store for the firmware updates after buying a new Android device," the security researcher said. "Vendors frequently bundle their Android OS builds with an intimidating number of software, and it can easily get confusing."

Wikipedia Co-founder Slams Mark Zuckerberg, Twitter and the 'Appalling' Internet

Fri, 07/05/2019 - 07:20
Larry Sanger, who co-founded Wikipedia in 2001, is not happy with how the internet has evolved in the nearly two decades since then. From a report: "It's appalling frankly," he said in an interview with CNBC this week. Sanger's main gripe is with big social media platforms, especially Facebook and Twitter. These companies, he says, exploit users' personal data to make profits, at the expense of "massive violations" of privacy and security. "They can shape your experience, they can control what you see, when you see it and you become essentially a cog in their machine," he said. Sanger launched a "social media strike" this week to draw attention to his concerns. In a "Declaration of Digital Independence" published on his personal blog, he said "vast digital empires" need to be replaced by decentralized networks of independent individuals. [...] Facebook CEO Mark Zuckerberg has responded to seemingly endless concerns about privacy and security on the platform with a new vision for the company, highlighting measures like encrypted messaging. Sanger questioned whether Zuckerberg's intentions are "sincere" and blasted the Facebook executive for abusing the company's power online. "The internet wouldn't have been created by people like Mark Zuckerberg, or any of the sort of corporate executives in Silicon Valley today," he said. "They wouldn't be capable, they don't have the temperament, they're too controlling. They don't understand the whole idea of bottom up."

Internet Group Brands Mozilla 'Internet Villain' For Supporting DNS Privacy Feature

Fri, 07/05/2019 - 06:40
An industry group of internet service providers has branded Firefox browser maker Mozilla an "internet villain" for supporting a DNS security standard. From a report: Internet Services Providers' Association (ISPA), the trade group for U.K. internet service providers, nominated the browser maker for its proposed effort to roll out the security feature, which they say will allow users to "bypass UK filtering obligations and parental controls, undermining internet safety standards in the U.K." Mozilla said late last year it was planning to test DNS-over-HTTPS with a small number of users. Whenever you visit a website -- even if it's HTTPS enabled -- the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. The security standard is implemented at the app level, making Mozilla the first browser to use DNS-over-HTTPS. By encrypting the DNS query it also protects the DNS request against man-in-the-middle attacks, which allow attackers to hijack the request and point victims to a malicious page instead. DNS-over-HTTPS also improves performance, making DNS queries -- and the overall browsing experience -- faster. But the ISPA doesn't think DNS-over-HTTPS is compatible with the U.K.'s current website blocking regime.
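What actually changes on the wire: the DNS message itself is the same one that would go out in a plaintext UDP packet, but DNS-over-HTTPS (RFC 8484) carries it as a base64url parameter (or POST body) inside a TLS session to the resolver, so an ISP on the path sees a connection to the resolver's hostname and nothing about which names were looked up. The block below is an added example, not Mozilla's code or anything from the report: it builds the query message, forms the GET URL using the placeholder resolver host from the RFC, and parses a constructed wire-format response, all offline.

```python
# Added example (not from the TechCrunch report or from Mozilla's code): what
# a DNS-over-HTTPS (RFC 8484) GET request carries, and how to read the answer.
# The resolver URL is the placeholder host from the RFC and nothing here touches
# the network: the response below is a constructed wire-format message.
import base64
import struct


def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a minimal DNS query message for `name` (qtype 1 = A record)."""
    # Header: ID 0 (RFC 8484 recommends it so identical queries are cacheable),
    # flags 0x0100 (recursion desired), QDCOUNT 1, AN/NS/AR counts 0.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver: str, query: bytes) -> str:
    """The same query as the dns= parameter: base64url with padding stripped."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={dns}"


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:             # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_answers(msg: bytes):
    """Return [(name, ttl, dotted_ipv4)] for the A records in a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):                          # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4                              # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


# Constructed response: what a resolver might return for the query above.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR|RD|RA, 1 question, 1 answer
    + build_query("www.example.com")[12:]           # question section echoed back
    + b"\xc0\x0c"                                   # owner name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 3600, 4)           # A, IN, TTL 3600, RDLENGTH 4
    + bytes([192, 0, 2, 1])                         # constructed (TEST-NET) address
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://dnsserver.example.net/dns-query", q))
    print(parse_answers(SAMPLE_RESPONSE))
```

The encoded query for www.example.com matches the worked example in RFC 8484 section 4.1.1; the only difference from classic DNS is the transport, which is why a resolver-side blocklist still works while a network-side one no longer sees the names.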

7-Eleven Japanese Customers Lose $500,000 Due To Mobile App Flaw

Fri, 07/05/2019 - 06:00
Approximately 900 customers of 7-Eleven Japan have lost a collective $510,000 after hackers hijacked their 7pay app accounts and made illegal charges in their names. From a report: The incident was caused by an appalling security lapse in the design of the company's 7pay mobile payment app, which 7-Eleven Japan launched in the country on Monday, July 1. The 7pay mobile app was designed to show a barcode on the phone's screen when customers reach the 7-Eleven cashier counters. The cashier scans the barcode, and the bought goods are charged to the user's 7pay app and the customer's credit or debit cards that have been saved in the account. However, in a mind-boggling turn of events, the app contained a password reset function that was incredibly poorly designed. It allowed anyone to request a password reset for other people's accounts, but have the password reset link sent to an email address of their choosing instead of to the legitimate account owner's.
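The flaw described above, in code, next to the fix. This is an added example rather than 7pay's code (which was never published): the account table, mailer and token store are in-memory stand-ins, the user ids and addresses are constructed, and the reset URL host is a placeholder. The vulnerable handler takes the recipient address from the request; the hardened one sends only to the address on file, issues an unguessable token that expires and can be consumed once, and answers identically for unknown ids so the endpoint does not double as an account enumerator. The same "takeover" routine is run against both.

```python
# Added example (not 7pay's code, which was never published): the password
# reset flaw beside a hardened version, with in-memory stand-ins for the
# account table, the mailer and the token store. All data is constructed.
import secrets
import time
from typing import Optional

ACCOUNTS = {  # constructed sample data
    "alice": {"email": "alice@example.com", "password": "correct horse"},
}
OUTBOX = []          # (recipient, message) pairs the mailer would send
RESET_TOKENS = {}    # token -> (user_id, expires_at)
TOKEN_TTL = 900      # seconds a reset link stays valid


def _issue_token(user_id: str) -> str:
    token = secrets.token_urlsafe(32)       # unguessable; never a sequential id
    RESET_TOKENS[token] = (user_id, time.time() + TOKEN_TTL)
    return token


def request_reset_vulnerable(form: dict) -> None:
    """The reset link goes to whatever address the request names.

    Knowing only a victim's login id, an attacker supplies their own address
    and receives a working reset link for the victim's account.
    """
    if form["user_id"] in ACCOUNTS:
        token = _issue_token(form["user_id"])
        OUTBOX.append((form["email"], f"https://pay.example/reset?token={token}"))


def request_reset_hardened(form: dict) -> None:
    """The reset link goes only to the address already on file.

    Any e-mail field in the request is ignored, and the handler behaves the
    same whether or not the login id exists, so it cannot enumerate accounts.
    """
    account = ACCOUNTS.get(form["user_id"])
    if account is not None:
        token = _issue_token(form["user_id"])
        OUTBOX.append((account["email"], f"https://pay.example/reset?token={token}"))


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume a token exactly once; unknown or expired tokens are rejected."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(token, None)   # pop: a token can never be replayed
    if entry is None:
        return False
    user_id, expires_at = entry
    if now > expires_at:
        return False
    ACCOUNTS[user_id]["password"] = new_password
    return True


def takeover_attempt(reset_endpoint) -> bool:
    """Attacker knows alice's login id and controls mallory@evil.example."""
    OUTBOX.clear()
    reset_endpoint({"user_id": "alice", "email": "mallory@evil.example"})
    stolen = [msg for to, msg in OUTBOX if to == "mallory@evil.example"]
    if not stolen:
        return False
    token = stolen[0].split("token=", 1)[1]
    return complete_reset(token, "attacker-chosen")


if __name__ == "__main__":
    print("vulnerable endpoint taken over:", takeover_attempt(request_reset_vulnerable))
    print("hardened endpoint taken over:  ", takeover_attempt(request_reset_hardened))
```

The fix is not the token: the vulnerable handler already issues a random one. It is that nothing in a reset request may decide where the link is delivered.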

OpenID Foundation Says 'Sign In with Apple' is Not Secure Enough

Thu, 07/04/2019 - 08:00
The OpenID Foundation, the organization behind the OpenID open standard and decentralized authentication protocol, has penned an open letter to Apple in regards to the company's recently announced "Sign In with Apple" feature. From a report: In its letter, the organization said that Apple has built Sign In with Apple on top of the OpenID Connect platform, but the Cupertino company's implementation is not fully compliant with the OpenID standard, and as a result "exposes users to greater security and privacy risks." "The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks," said Nat Sakimura, OpenID Foundation Chairman. The OpenID Foundation published a list of differences between Sign In with Apple and the OpenID Connect platform, which Sakimura urged Apple to address. The OpenID exec said these differences place an unnecessary burden on developers working with both OpenID Connect and Sign In with Apple, who now have to support two different authentication standards and deal with each one's quirks. "By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software," Sakimura said.

Hacker Who Launched DDoS Attacks on Sony, EA, and Steam Gets 27 Months in Prison

Thu, 07/04/2019 - 06:00
An anonymous reader shares a report: A 23-year-old man from Utah was sentenced this week to 27 months in prison for a series of DDoS attacks that took down online gaming service providers like Sony's PlayStation Network, Valve's Steam, Microsoft's Xbox, EA, Riot Games, Nintendo, Quake Live, DOTA2, and League of Legends servers, along with many others. Named Austin Thompson, but known online as DerpTrolling, the man is the hacker who started a trend among other hackers and hacking crews -- namely of launching DDoS attacks against gaming providers during Christmas, which they later justified using ridiculous reasons such as "to spoil everyone's holiday," "to make people spend time with their families," or "for the lulz." The hacker's DDoS attacks were extremely successful at the time, in 2013, when most companies didn't use strong DDoS mitigation services.