Slashdot security articles


Almost a Third of World's Top VPNs Are Secretly Owned By Chinese Firms, Study Finds

Fri, 07/05/2019 - 16:45
SonicSpike shares a report from Computer Weekly: Almost a third (30%) of the world's top virtual private network (VPN) providers are secretly owned by six Chinese companies, according to a study by privacy and security research firm VPNpro. The study shows that the top 97 VPNs are run by just 23 parent companies, many of which are based in countries with lax privacy laws. Six of these companies are based in China and collectively offer 29 VPN services, but in many cases, information on the parent company is hidden from consumers. Researchers at VPNpro have pieced together ownership information through company listings, geolocation data, the CVs of employees and other documentation. In some instances, ownership of different VPNs is split amongst a number of subsidiaries. For example, Chinese company Innovative Connecting owns three separate businesses that produce VPN apps: Autumn Breeze 2018, Lemon Cove and All Connected. In total, Innovative Connecting produces 10 seemingly unconnected VPN products, the study shows. Although the ownership of a number of VPN services by one company is not unusual, VPNpro is concerned that so many are based in countries with lax or non-existent privacy laws.

Fake Samsung Firmware Update App Tricks More Than 10 Million Android Users

Fri, 07/05/2019 - 11:20
Over ten million users have been duped into installing a fake Samsung app named "Updates for Samsung" that promises firmware updates but, in reality, redirects users to an ad-filled website and charges for firmware downloads. From a report: "I have contacted the Google Play Store and asked them to consider removing this app," Aleksejs Kuprins, malware analyst at the CSIS Security Group, told ZDNet this week in an interview, after publishing a report on the app's shady behavior earlier today. The app takes advantage of the difficulty in getting firmware and operating system updates for Samsung phones, hence the high number of users who have installed it. "It would be wrong to judge people for mistakenly going to the official application store for the firmware updates after buying a new Android device," the security researcher said. "Vendors frequently bundle their Android OS builds with an intimidating number of software, and it can easily get confusing."

Wikipedia Co-founder Slams Mark Zuckerberg, Twitter and the 'Appalling' Internet

Fri, 07/05/2019 - 07:20
Larry Sanger, who co-founded Wikipedia in 2001, is not happy with how the internet has evolved in the nearly two decades since then. From a report: "It's appalling frankly," he said in an interview with CNBC this week. Sanger's main gripe is with big social media platforms, especially Facebook and Twitter. These companies, he says, exploit users' personal data to make profits, at the expense of "massive violations" of privacy and security. "They can shape your experience, they can control what you see, when you see it and you become essentially a cog in their machine," he said. Sanger launched a "social media strike" this week to draw attention to his concerns. In a "Declaration of Digital Independence" published on his personal blog, he said "vast digital empires" need to be replaced by decentralized networks of independent individuals. [...] Facebook CEO Mark Zuckerberg has responded to seemingly endless concerns about privacy and security on the platform with a new vision for the company, highlighting measures like encrypted messaging. Sanger questioned whether Zuckerberg's intentions are "sincere" and blasted the Facebook executive for abusing the company's power online. "The internet wouldn't have been created by people like Mark Zuckerberg, or any of the sort of corporate executives in Silicon Valley today," he said. "They wouldn't be capable, they don't have the temperament, they're too controlling. They don't understand the whole idea of bottom up."

Internet Group Brands Mozilla 'Internet Villain' For Supporting DNS Privacy Feature

Fri, 07/05/2019 - 06:40
An industry group of internet service providers has branded Firefox browser maker Mozilla an "internet villain" for supporting a DNS security standard. From a report: Internet Services Providers' Association (ISPA), the trade group for U.K. internet service providers, nominated the browser maker for its proposed effort to roll out the security feature, which they say will allow users to "bypass UK filtering obligations and parental controls, undermining internet safety standards in the U.K." Mozilla said late last year it was planning to test DNS-over-HTTPS with a small number of users. Whenever you visit a website -- even if it's HTTPS enabled -- the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. The security standard is implemented at the app level, making Mozilla the first browser to use DNS-over-HTTPS. By encrypting the DNS query it also protects the DNS request against man-in-the-middle attacks, which allow attackers to hijack the request and point victims to a malicious page instead. DNS-over-HTTPS also improves performance, making DNS queries -- and the overall browsing experience -- faster. But the ISPA doesn't think DNS-over-HTTPS is compatible with the U.K.'s current website blocking regime.

7-Eleven Japanese Customers Lose $500,000 Due To Mobile App Flaw

Fri, 07/05/2019 - 06:00
Approximately 900 customers of 7-Eleven Japan have lost a collective $510,000 after hackers hijacked their 7pay app accounts and made illegal charges in their names. From a report: The incident was caused by an appalling security lapse in the design of the company's 7pay mobile payment app, which 7-Eleven Japan launched in the country on Monday, July 1. The 7pay mobile app was designed to show a barcode on the phone's screen when customers reach the 7-Eleven cashier counters. The cashier scans the barcode, and the bought goods are charged to the user's 7pay app and the customer's credit or debit cards that have been saved in the account. However, in a mind-boggling turn of events, the app contained a password reset function that was incredibly poorly designed. It allowed anyone to request a password reset for another person's account but have the reset link sent to an email address of their own choosing, rather than to the legitimate account owner.
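The reset-flow defect described above, as an added illustration that is not 7pay's code: the vulnerable handler delivers the link to whatever address the requester supplies, while the hardened handler only ever mails the address on file and answers identically for unknown accounts. Accounts, tokens and the outbox are constructed in memory.

```python
"""Password-reset flow modelled on the flaw described above (constructed example)."""
import secrets
import time

# Constructed sample accounts: account id -> registered e-mail address.
ACCOUNTS = {
    "alice": {"email": "alice@example.com"},
    "bob": {"email": "bob@example.com"},
}
RESET_TTL = 15 * 60  # seconds a reset token stays valid


class ResetService:
    def __init__(self):
        self.outbox = []   # (recipient, token) pairs the service "sent"
        self.tokens = {}   # token -> (account_id, expiry timestamp)

    def _issue_token(self, account_id):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (account_id, time.time() + RESET_TTL)
        return token

    def vulnerable_request_reset(self, account_id, notify_email):
        """Flawed design: the link goes wherever the *requester* says.

        Knowing only a victim's account id is enough to receive their reset
        link, which is the behaviour the report describes.
        """
        if account_id not in ACCOUNTS:
            return False
        token = self._issue_token(account_id)
        self.outbox.append((notify_email, token))
        return True

    def request_reset(self, account_id, **_ignored):
        """Hardened design: the link goes only to the address on file.

        Any caller-supplied delivery address is accepted and ignored, so the
        requester cannot redirect the link. The return value is the same
        whether or not the account exists, which avoids account enumeration.
        """
        account = ACCOUNTS.get(account_id)
        if account is not None:
            token = self._issue_token(account_id)
            self.outbox.append((account["email"], token))
        return True

    def redeem(self, token, new_password):
        """Consume a token exactly once; reject unknown or expired tokens."""
        entry = self.tokens.pop(token, None)
        if entry is None:
            return False
        account_id, expiry = entry
        if time.time() > expiry:
            return False
        # A real system would store a salted hash, never the plaintext.
        ACCOUNTS[account_id]["password"] = new_password
        return True


def demo():
    """Same request against both designs; returns who received each link."""
    svc = ResetService()
    svc.vulnerable_request_reset("alice", notify_email="attacker@example.net")
    svc.request_reset("alice", notify_email="attacker@example.net")
    return [recipient for recipient, _ in svc.outbox]


if __name__ == "__main__":
    print(demo())  # ['attacker@example.net', 'alice@example.com']
```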

OpenID Foundation Says 'Sign In with Apple' is Not Secure Enough

Thu, 07/04/2019 - 08:00
The OpenID Foundation, the organization behind the OpenID open standard and decentralized authentication protocol, has penned an open letter to Apple in regards to the company's recently announced "Sign In with Apple" feature. From a report: In its letter, the organization said that Apple has built Sign In with Apple on top of the OpenID Connect platform, but the Cupertino company's implementation is not fully compliant with the OpenID standard, and as a result "exposes users to greater security and privacy risks." "The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks," said Nat Sakimura, OpenID Foundation Chairman. The OpenID Foundation published a list of differences between Sign In with Apple and the OpenID Connect platform, which Sakimura urged Apple to address. The OpenID exec said these differences place an unnecessary burden on developers working with both OpenID Connect and Sign In with Apple, who now have to support two different authentication standards and deal with each one's quirks. "By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software," Sakimura said.

Hacker Who Launched DDoS Attacks on Sony, EA, and Steam Gets 27 Months in Prison

Thu, 07/04/2019 - 06:00
An anonymous reader shares a report: A 23-year-old man from Utah was sentenced this week to 27 months in prison for a series of DDoS attacks that took down online gaming service providers like Sony's PlayStation Network, Valve's Steam, Microsoft's Xbox, EA, Riot Games, Nintendo, Quake Live, DOTA2, and League of Legends servers, along with many others. Named Austin Thompson, but known online as DerpTrolling, the man started a trend among other hackers and hacking crews -- namely, launching DDoS attacks against gaming providers during Christmas, which they later justified with reasons such as "to spoil everyone's holiday," "to make people spend time with their families," or "for the lulz." The hacker's DDoS attacks were extremely successful at the time, in 2013, when most companies did not use strong DDoS mitigation services.

Broadcom Said To Be In Talks To Buy Symantec, the Security Software Maker

Wed, 07/03/2019 - 16:10
An anonymous reader quotes a report from Bloomberg: Broadcom is in advanced talks to buy cybersecurity firm Symantec, according to people familiar with the matter, seeking a further expansion into the more profitable software business. Broadcom could reach an agreement to buy the Mountain View, California-based company within weeks, said the people, who asked to not be identified because the matter isn't public. No deal has been finalized and the talks could fall through, the people said. "Broadcom's potential purchase of another asset with $4+ billion in software sales is likely its most ambitious deal yet -- leaderless Symantec has been losing share, even in its core segments," says Bloomberg's technology analyst Anand Srinivasan. "Broadcom CEO Hock Tan will likely need to aggressively cut Symantec costs while keeping sales stable." The report also adds that if this deal does happen, it "would mark Broadcom's second big bet in software, following its $18 billion takeover last year of CA Technologies."

YouTube Bans Content 'Showing Users How To Bypass Secure Computer Systems'

Wed, 07/03/2019 - 14:10
Kody Kinzie from the Null Byte YouTube channel on Tuesday said YouTube banned a video he made about launching fireworks over Wi-Fi for the 4th of July. According to YouTube's Community Guidelines, you are not allowed to post content "showing users how to bypass secure computer systems or steal user credentials and personal data." Doing so will apparently result in a strike. The Register notes that this written policy "first appears in the Internet Wayback Machine's archive of web history in an April 5, 2019 snapshot." "I'm worried for everyone that teaches about infosec and tries to fill in the gaps for people who are learning," Kinzie said on Twitter. "It is hard, often boring, and expensive to learn cybersecurity." Security professionals like Tim Erlin, VP of product management and strategy at cybersecurity biz Tripwire, also find the policy questionable. "Google's intention here might be laudable, but the result is likely to stifle valuable information sharing in the information security community," he said. "In cybersecurity, we improve our defenses by understanding how attacks actually work. Theoretical explanations are often not the most effective tools, and forcing content creators onto platforms restricted in distribution, like a paid training course, simply creates roadblocks to the industry. Sharing real world examples brings more people to the industry, rather than creating more criminals."

Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem

Wed, 07/03/2019 - 13:30
A new wave of spamming attacks on a core component of PGP's ecosystem has highlighted a fundamental weakness in the whole ecosystem. From a report: Unknown attackers are spamming a core component of the ecosystem of the well-known encryption software PGP, breaking users' PGP installations and clients. What's worse, there may be no way to stop them. Last week, contributors to the PGP protocol GnuPG noticed that someone was "poisoning" or "flooding" their certificates. In this case, poisoning refers to an attack where someone spams a certificate with a large number of signatures or certifications. This makes it impossible for the PGP software that people use to verify the certificate's authenticity, which can make the software unusable or cause it to break. In practice, according to one of the GnuPG developers targeted by this attack, the hackers could make it impossible for people using Linux to download updates, which are verified via PGP.

D-Link To Undergo Security Audits For 10 Years as Part of FTC Settlement

Wed, 07/03/2019 - 11:30
D-Link has agreed to a settlement with the US Federal Trade Commission in regards to a 2017 lawsuit in which the US government agency accused the Taiwanese hardware maker of misrepresenting the security of its devices and ignoring vulnerability reports. From a report: As part of the settlement, D-Link has promised to implement a new software security program for its routers and Internet-connected cameras. The company has also agreed to subject itself to ten years of biennial security audits from a third-party, independent auditor. The FTC gets to choose the auditor, while D-Link got to decide the certifications the auditor must obtain before allowing it to review its security program.

File-Storage App 4shared Caught Serving Invisible Ads and Making Purchases Without Consent

Wed, 07/03/2019 - 10:10
With more than 100 million installs, file-sharing service 4shared is one of the most popular apps in the Android app store. But security researchers say the app is secretly displaying invisible ads and subscribing users to paid services, racking up charges without the user's knowledge -- or their permission -- collectively costing millions of dollars. From a report: "It all happens in the background... nothing appears on the screen," said Guy Krief, chief executive of London-based Upstream, which shared its research exclusively with TechCrunch. The researchers say the app contains suspicious third-party code that allowed the app to automate clicks and make fraudulent purchases. They said the component, built by Hong Kong-based Elephant Data, downloads code which is "directly responsible" for generating the automated clicks without the user's knowledge. The code also sets a cookie to determine if a device has previously been used to make a purchase, likely as a way to hide the activity.

US Government Staff Told To Treat Huawei as Blacklisted

Wed, 07/03/2019 - 06:08
A senior U.S. official told the Commerce Department's enforcement staff this week that China's Huawei should still be treated as blacklisted, days after U.S. President Donald Trump sowed confusion with a vow to ease a ban on sales to the firm. From a report: Trump surprised markets on Saturday by promising Chinese President Xi Jinping on the sidelines of the G20 summit in Japan that he would allow U.S. companies to sell products to Huawei Technologies. In May, the company was added to the so-called Entity List, which bans American firms from selling to it without special permission, as punishment for actions against U.S. national security interests. Trump's announcement on Saturday -- an olive branch to Beijing to revive stalled trade talks -- was cheered by U.S. chipmakers eager to maintain sales to Huawei, the world's largest telecoms equipment maker and a key U.S. customer. But Trump's comments also spawned confusion among industry players and government officials struggling to understand what Huawei policy he had unveiled. In an email to enforcement staff on Monday that was seen by Reuters, John Sonderman, Deputy Director of the Office of Export Enforcement, in the Commerce Department's Bureau of Industry and Security (BIS), sought to clarify how agents should approach license requests by firms seeking approval to sell to Huawei.

Security Flaws In a Popular Smart Home Hub Let Hackers Unlock Front Doors

Tue, 07/02/2019 - 18:10
In new research published Tuesday, security researchers Chase Dardaman and Jason Wheeler found three security flaws which, when chained together, could be abused to open a front door with a smart lock. TechCrunch reports: Dardaman and Wheeler began looking into the ZipaMicro, a popular smart home hub developed by Croatian firm Zipato, some months ago, but only released their findings once the flaws had been fixed. The researchers found they could extract the hub's private SSH key for "root" -- the user account with the highest level of access -- from the memory card on the device. Anyone with the private key could access a device without needing a password, said Wheeler. They later discovered that the private SSH key was hardcoded in every hub sold to customers -- putting at risk every home with the same hub installed. Using that private key, the researchers downloaded a file from the device containing scrambled passwords used to access the hub. They found that the smart hub uses a "pass-the-hash" authentication system, which doesn't require knowing the user's plaintext password, only the scrambled version. By taking the scrambled password and passing it to the smart hub, the researchers could trick the device into thinking they were the homeowner. All an attacker had to do was send a command to tell the lock to open or close. With just a few lines of code, the researchers built a script that locked and unlocked a smart lock connected to a vulnerable smart hub.
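The "pass-the-hash" design described above, as an added illustration that is not Zipato's code: in the first authenticator the stored digest is itself the credential, so anyone who can read the password file can log in without ever knowing a password; in the second the client presents the plaintext password (over an encrypted channel) and the server checks it against a salted PBKDF2 verifier, so a copied password file grants nothing on its own. Both hubs and their password files are constructed for the demonstration.

```python
"""Why a leaked password digest is a credential under pass-the-hash (constructed example)."""
import hashlib
import hmac
import os


def _unsalted_digest(password: str) -> str:
    """Unsalted digest of the kind a pass-the-hash scheme stores and accepts."""
    return hashlib.sha256(password.encode()).hexdigest()


class PassTheHashHub:
    """Vulnerable design: the client must present the stored digest itself."""

    def __init__(self, users):
        # Simulated password file: user -> unsalted digest (a reusable credential).
        self.passwd_file = {u: _unsalted_digest(p) for u, p in users.items()}

    def authenticate(self, user, presented_digest):
        stored = self.passwd_file.get(user)
        return stored is not None and hmac.compare_digest(stored, presented_digest)


class SaltedHub:
    """Hardened design: the client sends the password, the server checks a salted verifier."""

    ITERATIONS = 100_000  # work factor; raise in production

    def __init__(self, users):
        # Simulated password file: user -> (salt, verifier). The verifier cannot
        # be replayed as a login credential because login requires the password.
        self.passwd_file = {}
        for user, password in users.items():
            salt = os.urandom(16)
            self.passwd_file[user] = (salt, self._derive(password, salt))

    @classmethod
    def _derive(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def authenticate(self, user, password):
        record = self.passwd_file.get(user)
        if record is None:
            return False
        salt, verifier = record
        return hmac.compare_digest(verifier, self._derive(password, salt))


def login_with_copied_file(hub):
    """Model the scenario in the report: the password file has been read off the
    device and its contents are presented to the hub without any plaintext
    password. Returns True if that alone logs the caller in."""
    user, record = next(iter(hub.passwd_file.items()))
    if isinstance(record, tuple):
        # Salted design: the best one can do with the file is present the
        # verifier where a password is expected, which does not match.
        return hub.authenticate(user, record[1].hex())
    return hub.authenticate(user, record)


if __name__ == "__main__":
    users = {"homeowner": "correct horse battery staple"}
    print(login_with_copied_file(PassTheHashHub(users)))  # True
    print(login_with_copied_file(SaltedHub(users)))       # False
```

The stored value is only safe to leak in the second design; the first design also needs the file itself protected, which the hardcoded root SSH key in the report defeated.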

Elizabeth Warren Accuses Advisory Panel For FCC of Corruption

Tue, 07/02/2019 - 16:50
An anonymous reader quotes a report from CNET: A panel that provides policy advice to the Federal Communications Commission is "stacked with corporate insiders," Democratic presidential candidate Elizabeth Warren said Monday. She cited a blog post by the Project On Government Oversight (POGO), which showed more than half of all Communications Security, Reliability and Interoperability Council (CSRIC) members are direct employees of private companies or of industry trade groups. This could lead to allegations that rather than working for American consumers, the FCC is working for "giant telecom companies", Warren, a Democratic senator from Massachusetts, tweeted Monday. "This is the definition of corruption: industry members writing the rules to benefit themselves & their rich friends," she added in another tweet. Sen. Warren has called on FCC Chair Ajit Pai to "explain the extent to which CSRIC may be corrupted by corporate influence." A letter from Warren and Rep. Pramila Jayapal dated June 27, spotted earlier by The Hill, asks for information (PDF) from Pai on whether the panel is "inappropriately dominated by industry insiders." "The industry-dominated personnel on the panel have recommended policies that are directly in line with the wishes of the companies from which their members are drawn," the letter says, adding that POGO says a lack of expertise among FCC members means they rely increasingly on the panel's recommendations.

'Motorola Has Let Me Down For the Last Time'

Tue, 07/02/2019 - 15:30
Jerry Hildenbrand, writing for AndroidCentral: If you're ever in the mood to think about a "how the mighty have fallen" story, you need to look no further than Motorola. The company used to be at the forefront of technology in everything digital, but buyouts, restructuring, and eventually becoming another OEM nameplate has left Motorola little more than a memory that old tech dudes like me will fondly look back on with melancholy reflections of the good old days. If I sound bitter, it's because I am, just a little. [...] The company has had a very poor record regarding updates since it was sold to Lenovo; both the big grand Android platform updates and the important but overlooked security patch updates. This compounds the whole issue, as the only realistic chance Z2 Force owners have to get those critically important updates they have missed is when they are bundled into the Android 9 release. These patches have no glitz or glamour associated, but they are the types of updates that keep you and your personal information safer. I've mentioned it before and I'll say it again: manufacturers owe us security patches on a regular basis if they expect us to owe them our allegiance.

Oracle On Why It Thinks AWS Winning Pentagon's $10 Billion Jedi Cloud Contract Stinks

Tue, 07/02/2019 - 12:50
An anonymous reader quotes a report from The Register: Ahead of its first day in a U.S. federal claims court in Washington DC, Oracle has outlined its position against the Pentagon's award of the Joint Enterprise Defense Infrastructure (JEDI) cloud contract to Amazon Web Services. Big Red's lengthy filing questions the basis of Uncle Sam's procurement procedure as well as Amazon's hiring of senior Department of Defense staff involved in that procurement process. Oracle's first day in court is set for 10 July. The JEDI deal could be worth up to $10 billion over 10 years. The Department of Defense handed the contract to AWS after deciding that only Amazon and Microsoft could meet the minimum security standards required in time. Oracle's filing said that U.S. "warfighters and taxpayers have a vested interest in obtaining the best services through lawful, competitive means... Instead, DoD (with AWS's help) has delivered a conflict-ridden mess in which hundreds of contractors expressed an interest in JEDI, over 60 responded to requests for information, yet only the two largest global cloud providers can clear the qualification gates." The company said giving JEDI, with its "near constant technology refresh requirements", to just one company was in breach of procurement rules. It accused the DoD of gaming the metrics used in the process to restrict competition for the contract. Oracle also accused Amazon of breaking the rules by hiring two senior DoD staff, Deap Ubhi and Anthony DeMartino, who were involved in the JEDI procurement process. Ubhi is described as "lead PM." A third name is redacted in the publicly released filing. The DoD, which is expected to make an offer to settle the case in late August, said in a statement: "We anticipate a court decision prior to that time. The DoD will comply with the court's decision. While the acquisition and litigation processes are proceeding independently the JEDI implementation will be subject to the determination of the court." The 50-page filing can be found here (PDF).

Choice To Pay Ransomware Might Be Simpler Than You'd Think

Tue, 07/02/2019 - 10:50
The conventional wisdom about ransomware is that when local governments pay the ransom, it encourages more criminals to launch more attacks. But that's not necessarily the case, experts say. From a report: The costs of recovering from a ransomware attack are often greater than the cost of the ransom. The victims of ransomware attacks are typically targets of opportunity, and cities generally aren't the primary targets. Corporations are -- and they often pay up. "The fact is, paying a ransom does not create a market," said Forrester Research's Josh Zelonis. "There already is a market." Riviera Beach and Lake City, Florida, paid a combined $1.1 million in ransom over about a week in June. Meanwhile, Atlanta spent $17 million restoring systems rather than pay a $50,000 ransom last year. Baltimore is likely to spend $10 million restoring its own systems after refusing to pay a $75,000 ransom this year. The disruption to its city services may cost another $8 million. For some cities, the best response might be to pay the ransom, then use the millions of dollars that would have been spent on recovery to strengthen cyber defenses before the next attack. "If you don't learn from the past, you will end up being ransomed again," said Deborah Golden, the new head of Deloitte's cyber consultancy. Whether a city pays, doesn't pay, or has yet to be attacked, prevention will often save money.

China Is Forcing Tourists To Install Text-Stealing Malware at its Border

Tue, 07/02/2019 - 08:06
Foreigners crossing certain Chinese borders into the Xinjiang region, where authorities are conducting a massive campaign of surveillance and oppression against the local Muslim population, are being forced to install a piece of malware on their phones that gives all of their text messages as well as other pieces of data to the authorities, a collaboration by Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and the German public broadcaster NDR has found. From the report: The Android malware, which is installed by a border guard when they physically seize the phone, also scans the tourist or traveller's device for a specific set of files, according to multiple expert analyses of the software. The files authorities are looking for include Islamic extremist content, but also innocuous Islamic material, academic books on Islam by leading researchers, and even music from a Japanese metal band. In no way is the downloading of tourists' text messages and other mobile phone data comparable to the treatment of the Uighur population in Xinjiang, who live under the constant gaze of facial recognition systems, CCTV, and physical searches. [...] The malware news shows that the Chinese government's aggressive style of policing and surveillance in the Xinjiang region has extended to foreigners, too. "[This app] provides yet another source of evidence showing how pervasive mass surveillance is being carried out in Xinjiang. We already know that Xinjiang residents -- particularly Turkic Muslims -- are subjected to round-the-clock and multidimensional surveillance in the region," Maya Wang, China senior researcher at Human Rights Watch, said. "What you've found goes beyond that: it suggests that even foreigners are subjected to such mass, and unlawful surveillance."

Senate Passes Cybersecurity Bill To Decrease Grid Digitization, Move Toward Manual Control

Mon, 07/01/2019 - 18:03
On June 27, the U.S. Senate passed a bipartisan cybersecurity bill that will study ways to replace automated systems with low-tech redundancies to protect the country's electric grid from hackers. Called The Securing Energy Infrastructure Act (SEIA), the bill establishes a two-year pilot program identifying new security vulnerabilities and researching and testing solutions, including "analog and nondigital control systems." The U.S. Department of Energy would be required to report back to Congress on its findings. Utility Dive reports: The increase in distributed energy resources can serve load more efficiently, but also offers potential attackers more potential entry points. "Our connectivity is a strength that, if left unprotected, can be exploited as a weakness," Sen. Angus King, I-Maine, who sponsored the bill with Sen. Jim Risch, R-Idaho, said in a statement. Sens. Susan Collins, R-Maine, Martin Heinrich, D-N.M., and Mike Crapo, R-Idaho, cosponsored the bill. The House measure is being introduced by Reps. Dutch Ruppersberger, D-Md., and John Carter, R-Texas.