Slashdot security articles


Insider Threats Pose the Biggest Security Risk

Fri, 03/22/2019 - 17:30
An anonymous reader shares a report: According to a new study, 91 percent of IT and security professionals feel vulnerable to insider threats, and 75 percent believe the biggest risks lie in cloud applications like popular file storage and email solutions, including Google Drive, Gmail and Dropbox. The report from SaaS operations management specialist BetterCloud also shows 62 percent of respondents believe the biggest security threat comes from the well-meaning but negligent end user. Among other findings are that 46 percent of IT leaders (heads of IT and above) believe that the rise of SaaS applications makes them the most vulnerable. In addition, 40 percent of respondents believe they are most vulnerable to exposure of confidential business information such as financial information and customer lists. Only 26 percent of C-level executives say they've invested enough to mitigate the risk of insider threats, compared to 44 percent of IT managers.

FEMA Data Breach Hits 2.5 Million Disaster Survivors

Fri, 03/22/2019 - 16:50
The Federal Emergency Management Agency (FEMA) unlawfully shared the private information of 2.3 million hurricane and wildfire survivors with a federal contractor that was helping them find temporary housing, an inspector general from the Department of Homeland Security said Friday. The data includes "20 unnecessary data fields" such as "electronic funds transfer number," "bank transit number" and addresses. CNN reports: FEMA said it began filtering the data in December 2018 to prevent this information from being shared, but a more permanent fix may not be finalized until June 2020. "Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor's information system," said Lizzie Litzow, press secretary for FEMA, in a statement. "To date, FEMA has found no indicators to suggest survivor data has been compromised. FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security (DHS) cybersecurity and information-sharing standards. As an added measure, FEMA instructed contracted staff to complete additional DHS privacy training."

Microsoft Revived and Killed Clippy in a Single Day

Fri, 03/22/2019 - 16:11
The dream of the '90s was alive in Microsoft Teams this week when Microsoft's old office assistant, Clippy, showed up. From a report: If you used Microsoft Office between 1997 and 2001, you likely remember Clippy as the animated paperclip that popped up and offered tips for using the software. Microsoft did away with Clippy in 2001, so people were surprised to see Clippy stickers appear in Microsoft Teams this week. And they were even more surprised when, just a day later, Microsoft offed the little guy again. On Tuesday, Clippy appeared as an animated pack of stickers for Microsoft Teams. The stickers were released on the Office Developer GitHub page, but by the next day, they had vanished. Clippy was around just long enough to rally old fans, and there's now a user petition to bring Clippy back.

Dashcam Video Shows Tesla Steering Toward Lane Divider - Again

Fri, 03/22/2019 - 14:10
AmiMoJo shares a report from Ars Technica: The afternoon commute of Reddit user Beastpilot takes him past a stretch of Seattle-area freeway with a carpool lane exit on the left. Last year, in early April, the Tesla driver noticed that Autopilot on his Model X would sometimes pull to the left as the car approached the lane divider -- seemingly treating the space between the diverging lanes as a lane of its own. This was particularly alarming, because just days earlier, Tesla owner Walter Huang had died in a fiery crash after Autopilot steered his Model X into a concrete lane divider in a very similar junction in Mountain View, California. Beastpilot made several attempts to notify Tesla of the problem but says he never got a response. Weeks later, Tesla pushed out an update that seemed to fix the problem. Then in October, it happened again. Weeks later, the problem resolved itself. This week, he posted dashcam footage showing the same thing happening a third time -- this time with a recently acquired Model 3. "The behavior of the system changes dramatically between software updates," Beastpilot told Ars. "Human nature is, 'if something's worked 100 times before, it's gonna work the 101st time.'" That can lull people into a false sense of security, with potentially deadly consequences.

Over 100,000 GitHub Repos Have Leaked API or Cryptographic Keys

Fri, 03/22/2019 - 06:42
A scan of billions of files from 13 percent of all GitHub public repositories over a period of six months has revealed that over 100,000 repos have leaked API tokens and cryptographic keys, with thousands of new repositories leaking new secrets on a daily basis. From a report: The scan was the object of academic research carried out by a team from the North Carolina State University (NCSU), and the study's results have been shared with GitHub, which acted on the findings to accelerate its work on a new security feature called Token Scanning, currently in beta. The NCSU study is the most comprehensive and in-depth GitHub scan to date and exceeds any previous research of its kind. NCSU academics scanned GitHub accounts for a period of nearly six months, between October 31, 2017, and April 20, 2018, and looked for text strings formatted like API tokens and cryptographic keys.

750,000 Medtronic Defibrillators Vulnerable To Hacking

Thu, 03/21/2019 - 17:25
The Homeland Security Department issued an alert Thursday describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerability also affects bedside monitors that read data from the devices in patients' homes and in-office programming computers used by doctors. From the report: Medtronic recommends that patients only use bedside monitors obtained from a doctor or from Medtronic directly, keep the monitor plugged in so it can receive software updates, and maintain "good physical control" over it. Implantable defibrillators are complex, battery-run computers implanted in patients' upper chests to monitor the heart and send electric pulses or high-voltage shocks to prevent sudden cardiac death and treat abnormal heartbeats. The vulnerabilities announced Thursday do not affect Medtronic pacemakers. The more serious of the two is a vulnerability that could allow improper access to data sent between a defibrillator and an external device like an at-home monitor. The system doesn't use formal authentication or authorization protections, which means an attacker with short-range access to the device could inject or modify data and change device settings, the advisory says. A second vulnerability allows an attacker to read sensitive data streaming out of the device, which could include the patient's name and past health data stored on their device. The system does not use data encryption, the advisory says. (Deploying encryption in medical devices is tricky because it increases computational complexity and therefore drains the battery faster.) The FDA isn't expected to issue a recall, as the vulnerabilities are expected to be patched via a future software update.

Grandson of Legendary John Deere Inventor Calls Out Company On Right To Repair

Thu, 03/21/2019 - 14:00
chicksdaddy writes: The grandson of Theo Brown, a legendary engineer and inventor for John Deere who patented, among other things, the manure spreader, is calling out the company his grandfather served for decades for its opposition to right to repair legislation being considered in Illinois. In an opinion piece published by The Security Ledger entitled "My Grandfather's John Deere would support Our Right to Repair," Willie Cade notes that his grandfather, Theophilus Brown, is credited with 158 patents, some 70% of them for Deere & Co., including the manure spreader in 1915. His grandfather used to travel the country to meet with Deere customers and see his creations at work in the field. His hope, Cade said, was to help the company's customers be more efficient and improve their lives with his inventions. In contrast, Cade said the John Deere of the 21st Century engages in a very different kind of business model: imposing needless costs on their customers. An example of this kind of rent seeking is using software locks and other barriers to repair -- such as refusing to sell replacement parts -- in order to force customers to use authorized John Deere technicians to do repairs at considerably higher cost and hassle. "It undermines what my grandfather was all about," he writes. Cade, who founded the Electronics Reuse Conference, is supporting right to repair legislation that is being considered in Illinois and opposed by John Deere and the industry groups it backs. "Farmers who can't repair farm equipment and a wide spectrum of Americans who can't repair their smartphones are pushing back in states across the country."

PewCrypt Ransomware Locks Users' Files and Won't Offer a Decryption Key Until - and Unless - PewDiePie's YouTube Channel Beats T-Series To Hit 100M Subscribers

Thu, 03/21/2019 - 12:12
The battle between PewDiePie, currently the most subscribed channel on YouTube, and T-Series, an Indian music label, continues to have strange repercussions. In recent months, as T-Series closes the gap on PewDiePie for the crown of the most subscribers on YouTube, alleged supporters of PewDiePie, in an unusual show of love, have hacked Chromecasts and printers to persuade victims to subscribe to PewDiePie's channel. Now ZDNet reports on a second strain of ransomware that is linked to PewDiePie. From the report: A second one appeared in January, and this was actually a fully functional ransomware strain. Called PewCrypt, this ransomware was coded in Java, and it encrypted users' files in the "proper" way, with a method of recovering files at a later date. The catch -- you couldn't buy a decryption key, but instead, victims had to wait until PewDiePie gained over 100 million followers before being allowed to decrypt any of the encrypted files. At the time of writing, PewDiePie had around 90 million fans, meaning any victim would be in for a long wait before they could regain access to any of their files. Making matters worse, if T-Series got to 100 million subscribers before PewDiePie, then PewCrypt would delete the user's encryption key for good, leaving users without a way to recover their data. While the ransomware was put together as a joke, sadly, it did infect a few users, ZDNet has learned. Its author eventually realized the world of trouble he'd get into if any of those victims filed complaints with authorities, and released the ransomware's source code on GitHub, along with a command-line-based decryption tool.

Nokia Firmware Blunder Sent Some User Data To China

Thu, 03/21/2019 - 10:50
HMD Global, the Finnish company that sublicensed the Nokia smartphone brand from Microsoft, is under investigation in Finland for collecting and sending some phone owners' information to a server located in China. From a report: In a statement to Finnish newspaper Helsingin Sanomat, the company blamed the data collection on a coding mistake during which an "activation package" was accidentally included in some phones' firmware. HMD Global said that only a single batch of Nokia 7 Plus devices was impacted and included this package. The data collection was exposed today in an investigation published by Norwegian broadcaster NRK, which learned of it from a user's tip. According to NRK, affected Nokia phones collected user data every time the devices were turned on, unlocked, or the screen was revived from a sleep state. Collected data included the phone's GPS coordinates, network information, phone serial number, and SIM card number.

Microsoft Ships Antivirus For macOS as Windows Defender Becomes Microsoft Defender

Thu, 03/21/2019 - 09:26
Microsoft is bringing its Windows Defender anti-malware application to macOS -- and more platforms in the future -- as it expands the reach of its Defender Advanced Threat Protection (ATP) platform. From a report: To reflect the new cross-platform nature, the suite is also being renamed to Microsoft Defender ATP, with the individual clients being labelled "for Mac" or "for Windows." macOS malware is still something of a rarity, but it's not completely unheard of. Ransomware for the platform was found in 2016, and in-the-wild outbreaks of other malicious software continue to be found. Apple has integrated some malware protection into macOS, but we've heard from developers on the platform that Mac users aren't always very good at keeping their systems on the latest point release. Further reading: Microsoft launches previews of Windows Virtual Desktop and Defender ATP for Mac.

For Years, Hundreds of Millions of Facebook Users Had Their Account Passwords Stored in Plain Text and Searchable By Thousands of Facebook Employees

Thu, 03/21/2019 - 08:00
Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees -- in some cases going back to 2012, KrebsOnSecurity reported Thursday. From the report: Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data. Facebook is probing the causes of a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That's according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press. The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012. Facebook has responded.

It's Scary How Much Personal Data People Leave on Used Laptops and Phones, Researcher Finds

Wed, 03/20/2019 - 06:40
A recent experiment by Josh Frantz, a senior security consultant at Rapid7, suggests that users are taking few if any steps to protect their private information before releasing their used devices back out into the wild. From a report: For around six months, he collected used desktops, hard disks, cellphones and more from pawn shops near his home in Wisconsin. It turned out they contained a wealth of private data belonging to their former owners, including a ton of personally identifiable information (PII) -- the bread and butter of identity theft. Frantz amassed a respectable stockpile of refurbished, donated, and used hardware: 41 desktops and laptops, 27 pieces of removable media (memory cards and flash drives), 11 hard disks, and six cellphones. The total cost of the experiment was a lot less than you'd imagine. "I visited a total of 31 businesses and bought whatever I could get my hands on for a grand total of around $600," he said. Frantz used a Python-based optical character recognition (OCR) tool to scan for Social Security numbers, dates of birth, credit card information, and other sensitive data. And the result was, as you might expect, not good. The pile of junk turned out to contain 41 Social Security numbers, 50 dates of birth, 611 email accounts, 19 credit card numbers, two passport numbers, and six driver's license numbers. Additionally, more than 200,000 images and over 3,400 documents were contained on the devices. He also extracted nearly 150,000 emails.

Trump Blockade of Huawei Fizzles In European 5G Rollout

Tue, 03/19/2019 - 16:10
An anonymous reader quotes a report from Bloomberg: Last summer, the Trump administration started a campaign to convince its European allies to bar China's Huawei from their telecom networks. Bolstered by the success of similar efforts in Australia and New Zealand, the White House sent envoys to European capitals with warnings that Huawei's gear would open a backdoor for Chinese spies. The U.S. even threatened to cut off intelligence sharing if Europe ignored its advice. So far, not a single European country has banned Huawei. Europe, caught in the middle of the U.S.-China trade war, has sought to balance concerns about growing Chinese influence with a desire to increase business with the region's second-biggest trading partner. With no ban in the works, Huawei is in the running for contracts to build 5G phone networks, the ultra-fast wireless technology Europe's leaders hope will fuel the growth of a data-based economy. The U.K.'s spy chief has indicated that a ban on Huawei is unlikely, citing a lack of viable alternatives to upgrade British telecom networks. Italy's government has dismissed the U.S. warnings as it seeks to boost trade with China. In Germany, authorities have proposed tighter security rules for data networks rather than outlawing Huawei. France is doing the same after initially flirting with the idea of restrictions on Huawei. Governments listened to phone companies such as Vodafone Group Plc, Deutsche Telekom AG, and Orange SA, who warned that sidelining Huawei would delay the implementation of 5G by years and add billions of euros in cost. While carriers can also buy equipment from the likes of Ericsson AB, Nokia Oyj, and Samsung Electronics Co., industry consultants say Huawei's quality is high, and the company last year filed 5,405 global patents, more than double the filings by Ericsson and Nokia combined. And some European lawmakers have been wary of Cisco Systems Inc., Huawei's American rival, since Edward Snowden leaked documents revealing the National Security Agency's use of U.S.-made telecom equipment for spying.

Norsk Hydro, One of the World's Largest Aluminum Producers, Switches To Manual Operations After Ransomware Infection

Tue, 03/19/2019 - 08:15
Norsk Hydro, one of the world's largest aluminum producers, said today it has "became victim of an extensive cyber-attack" that has crippled some of its infrastructure and forced it to switch to manual operations in some smelting locations. From a report: The cyber-attack was later identified as an infection with the LockerGoga ransomware strain, the company said during a press conference. News of the cyber-attack broke earlier this morning in a message the company sent to investors and stock exchanges. "Hydro became victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company's business areas," the company said. "IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible."

Firefox 66 Arrives With Autoplaying Blocked by Default, Smoother Scrolling, and Better Search

Tue, 03/19/2019 - 06:54
An anonymous reader writes: Mozilla today launched Firefox 66 for Windows, Mac, Linux, and Android. The release includes autoplaying content (audio and video) blocked by default, smoother scrolling, better search, revamped security warnings, WebAuthn support for Windows Hello, and improved extensions. The company says its main goal with this release is to reduce irritating experiences such as auto-playing videos, pop-ups, and page jumps. Firefox 66 for desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. The Android version is trickling out slowly on Google Play.

Hacked Tornado Sirens Taken Offline In Two Texas Cities Ahead of Major Storm

Tue, 03/19/2019 - 05:00
An anonymous reader quotes a report from ZDNet: A hacker set off the tornado emergency sirens in the middle of the night last week across two North Texas towns. Following the unauthorized intrusion, city authorities had to shut down their emergency warning system a day before major storms and potential tornadoes were set to hit the area. The false alarm caused quite the panic in the two towns, as locals were already on the edge of their seats regarding incoming storms. The city had run tests of the tornado alarm sirens a week before, but the tests were set during the middle of the day and had long concluded. The two hacked systems were taken offline the next morning and have remained offline since. Bad weather, including storms and potential tornadoes, was forecast for all of last week in the North Texas area. A severe thunderstorm hit the two cities the following night, on March 13. Thunderstorms are known to produce brief tornadoes, but luck had it that no tornado formed and hit the towns that day. Tornadoes are frequent in Texas, as the state is located in Tornado Alley, and tornado season, a period of the year between March and May when most tornadoes happen, had officially begun. Nevertheless, a tornado didn't form on March 13, and, luckily, the sirens weren't needed.

New Mirai Malware Variant Targets Signage TVs and Presentation Systems

Mon, 03/18/2019 - 15:40
An anonymous reader quotes a report from ZDNet: Security researchers have spotted a new variant of the Mirai IoT malware in the wild targeting two new classes of devices -- smart signage TVs and wireless presentation systems. This new strain is being used by a new IoT botnet that security researchers from Palo Alto Networks spotted earlier this year. The botnet's author(s) appear to have invested quite a lot of their time in upgrading older versions of the Mirai malware with new exploits. Palo Alto Networks researchers say this new Mirai botnet uses 27 exploits, 11 of which are new to Mirai altogether, to break into smart IoT devices and networking equipment. Furthermore, the botnet operator has also expanded Mirai's built-in list of default credentials that the malware uses to break into devices that use default passwords. Four new username and password combos have been added to Mirai's considerable list of default creds, researchers said in a report published earlier today. The purpose and modus operandi of this new Mirai botnet are the same as all the previous botnets. Infected devices scan the internet for other IoT devices with exposed Telnet ports and use the default credentials (from their internal lists) to break in and take over these new devices. The infected bots also scan the internet for specific device types and then attempt to use one of the 27 exploits to take over unpatched systems. The new Mirai botnet is specifically targeting LG Supersign signage TVs and WePresent WiPG-1000 wireless presentation systems.

Education and Science Giant Elsevier Left Users' Passwords Exposed Online

Mon, 03/18/2019 - 15:00
The world's largest scientific publisher, Elsevier, left a server open to the public internet, exposing user email addresses and passwords. "The impacted users include people from universities and educational institutions from across the world," reports Motherboard. "It's not entirely clear how long the server was exposed or how many accounts were impacted, but it provided a rolling list of passwords as well as password reset links when a user requested to change their login credentials." From the report: "Most users are .edu [educational institute] accounts, either students or teachers," Mossab Hussein, chief security officer at cybersecurity company SpiderSilk, who found the issue, told Motherboard in an online chat. "They could be using the same password for their emails, iCloud, etc." Motherboard verified the data exposure by asking Hussein to reset his own password to a specific phrase provided by Motherboard beforehand. A few minutes later, the plain text password appeared on the exposed server. Elsevier secured the server after Motherboard approached the company for comment. Hussein also provided Elsevier with details of the security issue. An Elsevier spokesperson told Motherboard in an emailed statement that "The issue has been remedied. We are still investigating how this happened, but it appears that a server was misconfigured due to human error. We have no indication that any data on the server has been misused. As a precautionary measure, we will also be informing our data protection authority, providing notice to individuals and taking appropriate steps to reset accounts."

Google, Microsoft Work Together For a Year To Figure Out New Type of Windows Flaw

Mon, 03/18/2019 - 13:40
Google researcher James Forshaw discovered a new class of vulnerability in Windows before any bug had actually been exploited. The involved parts of the flaw "showed that there were all the basic elements to create a significant elevation of privilege attack, enabling any user program to open any file on the system, regardless of whether the user should have permission to do so," reports Ars Technica. Thankfully, Microsoft said that the flaw was never actually exposed in any public versions of Windows, but said that it will ensure future releases of Windows will not feature this class of elevation of privilege. Peter Bright explains in detail how the flaw works. Here's an excerpt from his report: The basic rule is simple enough: when a request to open a file is being made from user mode, the system should check that the user running the application that's trying to open the file has permission to access the file. The system does this by examining the file's access control list (ACL) and comparing it to the user's user ID and group memberships. However, if the request is being made from kernel mode, the permissions checks should be skipped. That's because the kernel in general needs free and unfettered access to every file. As well as this security check, there's a second distinction made: calls from user mode require strict parameter validation to ensure that any memory addresses being passed in to the function represent user memory rather than kernel memory. Calls from kernel mode don't need that same strict validation, since they're allowed to use kernel memory addresses. Accordingly, the kernel API used for opening files in NT's I/O Manager component looks to see if the caller is calling from user mode or kernel mode. Then the API passes this information on to the next layer of the system: the Object Manager, which examines the file name and figures out whether it corresponds to a local filesystem, a network filesystem, or somewhere else. The Object Manager then calls back in to the I/O Manager, directing the file-open request to the specific driver that can handle it. Throughout this, the indication of the original source of the request -- kernel or user mode -- is preserved and passed around. If the call comes from user mode, each component should perform strict validation of parameters and a full access check; if it comes from kernel mode, these should be skipped. Unfortunately, this basic rule isn't enough to handle every situation. For various reasons, Windows allows exceptions to the basic user-mode/kernel-mode split. Both kinds of exceptions are allowed: kernel code can force drivers to perform a permissions check even if the attempt to open the file originated from kernel mode, and contrarily, kernel code can tell drivers to skip the parameter check even if the attempt to open the file appeared to originate from user mode. This behavior is controlled through additional parameters passed among the various kernel functions and into filesystem drivers: there's the basic user-or-kernel mode parameter, along with a flag to force the permissions check and another flag to skip the parameter validation...
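A constructed C model of the check propagation Bright describes, added here as an illustration and not code from Windows or from Forshaw's or Bright's write-up: a requestor mode plus two hypothetical flags (force access check, skip parameter validation) flow down to a driver-level open routine, and a second kernel path that loses the flag shows why dropping it lets a user open files the ACL should deny. All type, flag and function names are assumptions for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names modelling the article's description; not the NT API. */
typedef enum { MODE_KERNEL = 0, MODE_USER = 1 } requestor_mode_t;

/* Stand-ins for the "force the permissions check" and
 * "skip the parameter validation" flags the article mentions. */
#define OPT_FORCE_ACCESS_CHECK 0x1u
#define OPT_SKIP_PARAM_CHECK   0x2u

enum { OPEN_OK = 0, OPEN_BAD_PARAM = 1, OPEN_ACCESS_DENIED = 2 };

/* Constructed boundary: addresses at or above this are kernel memory. */
#define KERNEL_SPACE_START 0x8000000000000000ULL

typedef struct {
    const char *name;
    uint32_t owner_uid;   /* simplified ACL: only the owner may open the file */
} model_file_t;

static bool acl_allows(const model_file_t *f, uint32_t uid)
{
    return f->owner_uid == uid;
}

/* Innermost layer (the filesystem driver in the article). It trusts the
 * requestor mode and flags handed to it; it cannot see the real origin. */
static int driver_open(const model_file_t *f, requestor_mode_t mode,
                       unsigned opts, uint32_t caller_uid, uint64_t out_buffer)
{
    bool check_access = (mode == MODE_USER) || (opts & OPT_FORCE_ACCESS_CHECK);
    bool validate_params = (mode == MODE_USER) && !(opts & OPT_SKIP_PARAM_CHECK);

    if (validate_params && out_buffer >= KERNEL_SPACE_START)
        return OPEN_BAD_PARAM;        /* user caller passed a kernel address */
    if (check_access && !acl_allows(f, caller_uid))
        return OPEN_ACCESS_DENIED;    /* ACL check failed */
    return OPEN_OK;
}

/* Direct user-mode open: both the ACL check and parameter validation apply. */
int open_from_user_mode(const model_file_t *f, uint32_t uid, uint64_t buf)
{
    return driver_open(f, MODE_USER, 0u, uid, buf);
}

/* Kernel component opening a file on behalf of a user request. It runs in
 * kernel mode, so the user's ACL check survives only because the component
 * propagates OPT_FORCE_ACCESS_CHECK all the way down to the driver. */
int open_on_behalf_of_user_correct(const model_file_t *f, uint32_t uid, uint64_t buf)
{
    return driver_open(f, MODE_KERNEL, OPT_FORCE_ACCESS_CHECK, uid, buf);
}

/* Same path, but an intermediate layer dropped the flag. The driver now sees a
 * plain kernel-mode open and skips the ACL check, so any user program that can
 * reach this path opens any file: the bug class the article describes. */
int open_on_behalf_of_user_flag_dropped(const model_file_t *f, uint32_t uid, uint64_t buf)
{
    return driver_open(f, MODE_KERNEL, 0u, uid, buf);
}

int main(void)
{
    model_file_t secret = { "secret.txt", 1000u };   /* constructed sample file */
    uint32_t other_user = 2000u;
    printf("user-mode open by non-owner:      %d\n", open_from_user_mode(&secret, other_user, 0x1000ULL));
    printf("kernel path, flag propagated:     %d\n", open_on_behalf_of_user_correct(&secret, other_user, 0x1000ULL));
    printf("kernel path, flag dropped (bug):  %d\n", open_on_behalf_of_user_flag_dropped(&secret, other_user, 0x1000ULL));
    return 0;
}
```

The last line of output is the point: the access decision depends entirely on an out-of-band flag surviving every hop between the I/O Manager, the Object Manager and the driver, which is why a single layer forgetting to pass it through is a privilege-escalation class rather than a one-off bug.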

Slack Hands Over Control of Encryption Keys To Regulated Customers

Mon, 03/18/2019 - 07:30
Business communications and collaboration service Slack said today that it is launching Enterprise Key Management (EKM) for Slack, a new tool that enables customers to control their encryption keys in the enterprise version of the communications app. The keys are managed in the AWS KMS key management tool. From a report: Geoff Belknap, chief security officer (CSO) at Slack, says that the new tool should appeal to customers in regulated industries, who might need tighter control over security. "Markets like financial services, health care and government are typically underserved in terms of which collaboration tools they can use, so we wanted to design an experience that catered to their particular security needs," Belknap told TechCrunch. Slack currently encrypts data in transit and at rest, but the new tool augments this by giving customers greater control over the encryption keys that Slack uses to encrypt messages and files being shared inside the app. He said that regulated industries in particular have been requesting the ability to control their own encryption keys including the ability to revoke them if it was required for security reasons. "EKM is a key requirement for growing enterprise companies of all sizes, and was a requested feature from many of our Enterprise Grid customers. We wanted to give these customers full control over their encryption keys, and when or if they want to revoke them," he said. Further reading: Slack Doesn't Have End-to-End Encryption Because Your Boss Doesn't Want It.