Slashdot security articles


Trojan Dropper Malware Found In CamScanner Android App With 100+ Million Downloads

Tue, 08/27/2019 - 14:43
Kaspersky security researchers have discovered a Trojan Dropper malicious module hidden within the Android app CamScanner, which has been downloaded over 100 million times from the Google Play Store. After they reported their findings, Google removed the app, but added, "it looks like the app developers got rid of the malicious code with the latest update of CamScanner." They conclude: "Keep in mind, though, that versions of the app vary for different devices, and some of them may still contain malicious code." BleepingComputer reports: As confirmation of the sudden increase in negative ratings and user reviews, which usually points to something not going right with an app, the researchers found "that the developer added an advertising library to it that contains a malicious dropper component." In this case, while CamScanner was initially a legitimate Android app using in-app purchases and ad-based monetization, "at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module," says Kaspersky. The module, dubbed Trojan-Dropper.AndroidOS.Necro.n, is a Trojan Dropper, a malware strain used to download and install a Trojan Downloader on already compromised Android devices, which can then be employed to infect those smartphones or tablets with other malware. When the CamScanner app is launched on the Android device, the dropper decrypts and executes malicious code stored within a mutter.zip file discovered in the app's resources. "As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions," found the researchers.

Using Multi-Factor Authentication Blocks 99.9% of Account Hacks, Microsoft Says

Tue, 08/27/2019 - 08:05
Microsoft says that users who enable multi-factor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks. From a report: The recommendation stands not only for Microsoft accounts but also for any other profile, on any other website or online service. If the service provider supports multi-factor authentication, Microsoft recommends using it, regardless of whether it's something as simple as SMS-based one-time passwords or an advanced biometrics solution. "Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA," said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft. Weinert said that old advice like "never use a password that has ever been seen in a breach" or "use really long passwords" doesn't really help. He should know. Weinert was one of the Microsoft engineers who worked to ban passwords that became part of public breach lists from Microsoft's Account and Azure AD systems back in 2016. As a result of his work, Microsoft users who were using or tried to use a password that was leaked in a previous data breach were told to change their credentials.

US Officials Fear Ransomware Attack Against 2020 Election

Mon, 08/26/2019 - 21:30
The U.S. government plans to launch a program in roughly one month that narrowly focuses on protecting voter registration databases and systems ahead of the 2020 presidential election. From a report: These systems, which are widely used to validate the eligibility of voters before they cast ballots, were compromised in 2016 by Russian hackers seeking to collect information. Intelligence officials are concerned that foreign hackers in 2020 will not only target the databases but attempt to manipulate, disrupt or destroy the data, according to current and former U.S. officials. "We assess these systems as high risk," said a senior U.S. official, because they are one of the few pieces of election technology regularly connected to the Internet. The Cybersecurity and Infrastructure Security Agency, or CISA, a division of the Homeland Security Department, fears the databases could be targeted by ransomware, a type of virus that has crippled city computer networks across the United States, including recently in Texas, Baltimore and Atlanta. "Recent history has shown that state and county governments and those who support them are targets for ransomware attacks," said Christopher Krebs, CISA's director. "That is why we are working alongside election officials and their private sector partners to help protect their databases and respond to possible ransomware attacks."

It Was Sensitive Data From a US Anti-Terror Program -- and Terrorists Could Have Gotten To It For Years, Records Show

Mon, 08/26/2019 - 19:00
The Department of Homeland Security stored sensitive data from the nation's bioterrorism defense program on an insecure website where it was vulnerable to attacks by hackers for over a decade, according to government documents reviewed by The Times. From a report: The data included the locations of at least some BioWatch air samplers, which are installed at subway stations and other public locations in more than 30 U.S. cities and are designed to detect anthrax or other airborne biological weapons, Homeland Security officials confirmed. It also included the results of tests for possible pathogens, a list of biological agents that could be detected and response plans that would be put in place in the event of an attack. The information -- housed on a dot-org website run by a private contractor -- has been moved behind a secure federal government firewall, and the website was shut down in May. But Homeland Security officials acknowledge they do not know whether hackers ever gained access to the data. Internal Homeland Security emails and other documents show the issue set off a bitter clash within the department over whether keeping the information on the dot-org website posed a threat to national security. A former BioWatch security manager filed a whistleblower complaint alleging he was targeted for retaliation after criticizing the program's lax security. The website shared information among local, state and federal officials. It was easily identifiable through online search engines, but a user name and password were required to access sensitive data.

Apple Patches iPhone Jailbreaking Bug

Mon, 08/26/2019 - 11:10
Apple today released an iOS security update to patch a bug the company accidentally un-patched in an earlier release, introducing a security weakness that allowed hackers to craft new jailbreaks for current iOS versions. From a report: The original bug, discovered by Ned Williamson, a Google Project Zero security engineer, allows a malicious app to exploit a "use-after-free" vulnerability and run code with system privileges in the iOS kernel. iOS version 12.4.1, released today, re-patches this bug, which was initially fixed in iOS 12.3 but was accidentally unpatched in iOS 12.4 last month. Sadly, Apple's blunder didn't go unnoticed, and earlier this month a security researcher named Pwn20wnd released a public exploit based on Williamson's bug that could be used to jailbreak up-to-date iOS devices and grant users complete control over their iPhones. But while users taking a risk and jailbreaking their own devices doesn't sound that dangerous, a lesser-known fact is that malware operators and spyware vendors can also use Pwn20wnd's jailbreak.

Google Confirms Android 10 Will Fix 193 Security Vulnerabilities

Sun, 08/25/2019 - 07:34
"Were it not for third-party components, the August Android Security Bulletin would have been the first report to be released with only a single critical vulnerability found," reports TechRepublic. "However, with the inclusion of Broadcom and Qualcomm components, there are seven in total." Meanwhile, Forbes reports on what's being fixed in September's release of Android 10: 193 Android security vulnerabilities needed to be fixed, covering a broad swathe of elevation of privilege, remote code execution, information disclosure and denial of service categories. Two of these are in the Android runtime itself, another two in the library and 24 in the framework. The bulk, however, is split between the Android media framework with 68 vulnerabilities and the Android system with 97. All have been scored as "moderate" severity. The good news is that all will be fixed by the default Android 10 patch level of 2019-09-01 on release of the new OS. Also on the positive news front, the security bulletin update stated that "we have had no reports of active customer exploitation or abuse of these newly reported issues."

UK Cybersecurity Agency Urges Devs To Drop Python 2

Sat, 08/24/2019 - 14:45
Python 2's end-of-life date is 129 days away, warns the UK National Cyber Security Centre (NCSC). "There will be no more bug fixes, or security updates, from Python's core developers." An anonymous reader quotes ZDNet: The UK's cyber-security agency warned developers Thursday to consider moving Python 2.x codebases to the newer 3.x branch due to the looming end-of-life of Python 2, scheduled for January 1, 2020... "If you continue to use unsupported modules, you are risking the security of your organisation and data, as vulnerabilities will sooner or later appear which nobody is fixing." "If you maintain a library that other developers depend on, you may be preventing them from updating to 3," the agency added. "By holding other developers back, you are indirectly and likely unintentionally increasing the security risks of others... If migrating your code base to Python 3 is not possible, another option is to pay a commercial company to support Python 2 for you," the NCSC said. The agency warns that companies that don't invest in migrating their Python 2.x code might end up in the same position as Equifax or the WannaCry victims. "At the NCSC we are always stressing the importance of patching. It's not always easy, but patching is one of the most fundamental things you can do to secure your technology," the agency said. "The WannaCry ransomware provides a classic example of what can happen if you run unsupported software," it said. "By making the decision to continue using Python 2 past its end of life, you are accepting all the risks that come with using unsupported software, while knowing that a secure version is available."

Facebook Awards $100,000 Prize For New Code Isolation Technique

Sat, 08/24/2019 - 09:34
ZDNet reports: Facebook has awarded a $100,000 prize to a team of academics from Germany for developing a new code isolation technique that can be used to safeguard sensitive data while it's being processed inside a computer. The award is named the Internet Defense Prize, and is a $100,000 cash reward that Facebook has been giving out yearly since 2014 to the most innovative research presented at USENIX, a leading security conference that takes place every year in mid-August in the US. An anonymous reader writes: The new technique is called ERIM and leverages Intel's memory protection keys (MPKs) and binary code inspection to achieve both hardware- and software-based in-process data isolation. The novelty of ERIM is that it has a near-zero performance overhead (compared to other techniques that induce a big performance dip), can be applied with little effort to new and existing applications, doesn't require compiler changes, and can run on a stock Linux kernel.

Why Are 'Supply Chain Attacks' on Open Source Libraries Getting Worse?

Sat, 08/24/2019 - 06:34
"A rash of supply chain attacks hitting open source software over the past year shows few signs of abating, following the discovery this week of two separate backdoors slipped into a dozen libraries downloaded by hundreds of thousands of server administrators," reports Ars Technica: The compromises of Webmin and the RubyGems libraries are only the latest supply chain attacks to hit open source software. Most people don't think twice about installing software or updates from the official site of a known developer. As developers continue to make software and websites harder to exploit, black hats over the past few years have increasingly exploited this trust to spread malicious wares by poisoning code at its source... To be fair, closed-source software also falls prey to supply-side attacks -- as evidenced by those that hit computer maker ASUS on two occasions, the malicious update to tax-accounting software M.E.Doc that seeded the NotPetya outbreak of 2017, and another backdoor that infected users of the CCleaner hard drive utility that same year. But the low-hanging fruit for supply chain attacks seems to be open source projects, in part because many don't make multi-factor authentication and code signing mandatory among their large base of contributors. "The recent discoveries make it clear that these issues are becoming more frequent and that the security ecosystem around package publication and management isn't improving fast enough," Atredis Partners Vice President of Research and Development HD Moore told Ars. "The scary part is that each of these instances likely resulted in even more developer accounts being compromised (through captured passwords, authorization tokens, API keys, and SSH keys). The attackers likely have enough credentials at hand to do this again, repeatedly, until all credentials are reset and appropriate MFA and signing is put in place."

Quantum Radar Has Been Demonstrated For the First Time

Sat, 08/24/2019 - 05:00
An anonymous reader quotes a report from MIT Technology Review: Shabir Barzanjeh at the Institute of Science and Technology Austria and a few colleagues have used entangled microwaves to create the world's first quantum radar. Their device, which can detect objects at a distance using only a few photons, raises the prospect of stealthy radar systems that emit little detectable electromagnetic radiation. The device is simple in essence. The researchers create pairs of entangled microwave photons using a superconducting device called a Josephson parametric converter. They beam the first photon, called the signal photon, toward the object of interest and listen for the reflection. In the meantime, they store the second photon, called the idler photon. When the reflection arrives, it interferes with this idler photon, creating a signature that reveals how far the signal photon has traveled. Voila -- quantum radar! The researchers go on to compare their quantum radar with conventional systems operating with similarly low numbers of photons and say it significantly outperforms them, albeit only over relatively short distances. That's interesting work revealing the significant potential of quantum radar and a first application of microwave-based entanglement. But it also shows the potential application of quantum illumination more generally. A big advantage is the low levels of electromagnetic radiation required. Then there is the obvious application as a stealthy radar that is difficult for adversaries to detect over background noise. The researchers say it could be useful for short-range low-power radar for security applications in closed and populated environments. The researchers detail their findings in a paper on arXiv.org.

Employees Connect Nuclear Plant To the Internet So They Can Mine Cryptocurrency

Fri, 08/23/2019 - 13:30
Ukrainian authorities are investigating a potential security breach at a local nuclear power plant after employees connected parts of its internal network to the internet so they could mine cryptocurrency. From a report: The investigation is being led by the Ukrainian Secret Service (SBU), which is looking at the incident as a potential breach of state secrets due to the classification of nuclear power plants as critical infrastructure. Investigators are examining whether attackers might have used the mining rigs as a pivot point to enter the nuclear power plant's network and retrieve information from its systems, such as data about the plant's physical defenses and protections. According to authorities, the incident took place in July at the South Ukraine Nuclear Power Plant, located near the city of Yuzhnoukrainsk, in southern Ukraine. It's unknown how the scheme was discovered, but on July 10 the SBU raided the nuclear power plant, from where it seized computers and equipment specifically built for mining cryptocurrency.

Security Researchers Find Several Bugs In Nest Security Cameras

Thu, 08/22/2019 - 16:10
An anonymous reader quotes a report from Motherboard: Hackers could have logged into your Nest Cam IQ Indoor and watched whatever was happening in your home by taking advantage of a vulnerability found by security researchers. The hackers could also have prevented you from using the camera, or used access to it to break into your home network. Researchers Lilith Wyatt and Claudio Bozzato of Cisco Talos discovered the vulnerabilities and disclosed them publicly on August 19. The two found eight vulnerabilities in the Nest implementation of the Weave protocol. The Weave protocol is designed specifically for communications among Internet of Things, or IoT, devices. Nest has provided a firmware update that the company says will fix the vulnerabilities. The vulnerabilities apply to version 4620002 of the Nest Cam IQ Indoor device. You can check the version of your camera in the Nest app. Nest says that the updates will happen automatically if your camera is connected to the internet. "We've fixed the disclosed bugs and started rolling them out to all Nest Camera IQs," Google said in a statement to ZDNet. "The devices will update automatically so there's no action required from users."

Valve Says Turning Away Researcher Reporting Steam Vulnerability Was a Mistake

Thu, 08/22/2019 - 14:15
An anonymous reader quotes a report from Ars Technica: In an attempt to quell a controversy that has raised the ire of white-hat hackers, the maker of the Steam online game platform said on Thursday it made a mistake when it turned away a researcher who recently reported two separate vulnerabilities. In its statement, Valve Corporation references HackerOne, the reporting service that helps thousands of companies receive and respond to vulnerabilities in their software or hardware. Valve's new HackerOne program rules specifically provide that "any case that allows malware or compromised software to perform a privilege escalation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope. Any unauthorized modification of the privileged Steam Client Service is also in scope." The statement and the policy change from Valve came two days after security researcher Vasily Kravets, an independent researcher from Moscow, received an email telling him that Valve's security team would no longer receive his vulnerability reports through the HackerOne bug-reporting service. Valve turned Kravets away after he reported a Steam vulnerability that allowed hackers who already had a toehold on a vulnerable computer to burrow into privileged parts of an operating system. Valve initially told Kravets such vulnerabilities were out of scope and gave no indication that the one Vasily reported would be fixed. The company later publicly denied that the issue was a vulnerability by incorrectly claiming that the exploit required hackers to have physical access to a vulnerable computer. The company went so far as to dispute the vulnerability in the advisory issued by the National Institute of Standards and Technology.

VMware Buys Carbon Black and Pivotal, Valued Together at $4.8 billion

Thu, 08/22/2019 - 12:54
Software company VMware on Thursday said it's acquiring Carbon Black at an enterprise value of $2.1 billion and Pivotal at an enterprise value of $2.7 billion. The deals are expected to close by the end of January 2020. From a report: These are VMware's largest acquisitions yet. The deals build on VMware's strength in helping companies run their software in their own data centers. They could help VMware compete better in the security market and in hybrid-cloud infrastructure operations. VMware isn't talking about cost synergies that could come out of buying two other enterprise-focused companies. However, CEO Pat Gelsinger told CNBC the companies will be operating profitably under VMware next year. Gelsinger said that by year two, Carbon Black and Pivotal will have contributed more than $1 billion in incremental revenue, which will mean VMware will have more than $3 billion in hybrid cloud and software-as-a-service revenue. Carbon Black was founded in 2002 and debuted on the Nasdaq under the symbol "CBLK" in May 2018. The company provides anti-malware and endpoint protection products that can see into many of a company's devices and tell if they have been hacked. [...] Pivotal and VMware go way back: The company was created from assets spun out of VMware and Dell (VMware's controlling owner) in 2013. Its products help companies build and deploy their software across different server infrastructure, including public clouds. Competitors include IBM, Oracle and SAP, among others, as well as cloud providers such as Amazon and Microsoft. Pivotal's customers include Boeing, Citi, Ford and Home Depot, according to its website.

Google Chrome Proposes 'Privacy Sandbox' To Reform Advertising Evils

Thu, 08/22/2019 - 06:44
Google's Chrome team proposed a "privacy sandbox" Thursday that's designed to give us the best of both worlds: ads that publishers can target toward our interests but that don't infringe our privacy. From a report: It's a major development in an area where Chrome, the dominant browser, has lagged competitors. Browsers already include security sandboxes, restrictions designed to confine malware to limit its possible damage. Google's proposed privacy sandbox would similarly restrict tracking technology, according to proposal details Google published. The privacy sandbox is "a secure environment for personalization that also protects user privacy," said Justin Schuh, a director of Chrome Engineering focused on security matters, in a privacy sandbox blog post. "Our goal is to create a set of standards that is more consistent with users' expectations of privacy." For example, Chrome would restrict some private data to the browser -- an approach rival Brave Software has taken with its privacy-focused rival web browser. And it could restrict sharing personal data until it's shared across a large group of people using technologies called differential privacy and federated learning.

Backdoor Code Found In 11 Ruby Libraries

Wed, 08/21/2019 - 23:00
Maintainers of the RubyGems package repository have yanked 18 malicious versions of 11 Ruby libraries that contained a backdoor mechanism and were caught inserting code that launched hidden cryptocurrency mining operations inside other people's Ruby projects. ZDNet reports: The malicious code was first discovered yesterday inside four versions of rest-client, an extremely popular Ruby library. According to an analysis by Jan Dintel, a Dutch Ruby developer, the malicious code found in rest-client would collect and send the URL and environment variables of a compromised system to a remote server in Ukraine. "Depending on your set-up this can include credentials of services that you use, e.g. database, payment service provider," Dintel said. The code also contained a backdoor mechanism that allowed the attacker to send a cookie file back to a compromised project and execute malicious commands. A subsequent investigation by the RubyGems staff discovered that this mechanism was being abused to insert cryptocurrency mining code. RubyGems staff also uncovered similar code in 10 other projects. All the libraries, except rest-client, were created by taking another fully functional library, adding the malicious code, and then re-uploading it to RubyGems under a new name. All in all, the 18 malicious library versions only managed to amass 3,584 downloads before being removed from RubyGems.

Moscow's Blockchain Voting System Cracked a Month Before Election

Wed, 08/21/2019 - 14:10
An anonymous reader quotes a report from ZDNet: A French security researcher has found a critical vulnerability in the blockchain-based voting system Russian officials plan to use next month for the 2019 Moscow City Duma election. Pierrick Gaudry, an academic at Lorraine University and a researcher for INRIA, the French research institute for digital sciences, found that he could compute the voting system's private keys based on its public keys. These private keys are used together with the public keys to encrypt user votes cast in the election. Gaudry blamed the issue on Russian officials using a variant of the ElGamal encryption scheme with encryption key sizes that were too small to be secure. This meant that modern computers could break the encryption scheme within minutes. What an attacker can do with these encryption keys is currently unknown, since the voting system's protocols weren't yet available in English, so Gaudry couldn't investigate further. "Without having read the protocol, it is hard to tell precisely the consequences, because, although we believe that this weak encryption scheme is used to encrypt the ballots, it is unclear how easy it is for an attacker to have the correspondence between the ballots and the voters," the French researcher said. "In the worst case scenario, the votes of all the voters using this system would be revealed to anyone as soon as they cast their vote." The Moscow Department of Information Technology promised to fix the reported issue. "We absolutely agree that 256x3 private key length is not secure enough," a spokesperson said in an online response. "This implementation was used only in a trial period. In a few days the key's length will be changed to 1024." However, a public key of a length of 1024 bits may not be enough, according to Gaudry, who believes officials should use one of at least 2048 bits instead.

Intel, Google, Microsoft, and Others Launch Confidential Computing Consortium for Data Security

Wed, 08/21/2019 - 12:50
Major tech companies including Alibaba, Arm, Baidu, IBM, Intel, Google Cloud, Microsoft, and Red Hat today announced their intent to form the Confidential Computing Consortium to improve security for data in use. From a report: Established by the Linux Foundation, the organization plans to bring together hardware vendors, developers, open source experts, and others to promote the use of confidential computing, advance common open source standards, and better protect data. "Confidential computing focuses on securing data in use. Current approaches to securing data often address data at rest (storage) and in transit (network), but encrypting data in use is possibly the most challenging step to providing a fully encrypted lifecycle for sensitive data," the Linux Foundation said today in a joint statement. "Confidential computing will enable encrypted data to be processed in memory without exposing it to the rest of the system and reduce exposure for sensitive data and provide greater control and transparency for users." The consortium also said the group was formed because confidential computing will become more important as more enterprise organizations move between different compute environments like the public cloud, on-premises servers, or the edge. To get things started, companies made a series of open source project contributions including Intel Software Guard Extensions (SGX), an SDK for code protection at the hardware layer.

Researcher Publishes Second Steam Zero Day After Getting Banned on Valve's Bug Bounty Program

Wed, 08/21/2019 - 11:30
A Russian security researcher has published details about a zero-day in the Steam gaming client. This is the second Steam zero-day the researcher has made public in the past two weeks. From a report: However, while the security researcher reported the first one to Valve and tried to have it fixed before public disclosure, he said he couldn't do the same with the second because the company banned him from submitting further bug reports via its public bug bounty program on the HackerOne platform. The entire chain of events behind the public disclosure of these two zero-days has caused quite a drama and much discussion in the infosec community. All the negative comments have been aimed at Valve and the HackerOne staff, with both being accused of unprofessional behavior. Security researchers and regular Steam users alike are mad because Valve refused to acknowledge the reported issue as a security flaw, and declined to patch it.

MoviePass Exposed Thousands of Unencrypted Customer Card Numbers

Wed, 08/21/2019 - 10:10
New submitter sizzlinkitty writes: Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password. Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found an exposed database on one of the company's many subdomains. The database was massive, containing 161 million records at the time of writing and growing in real time. Many of the records were normal computer-generated logging messages used to ensure the running of the service -- but many also included sensitive user information, such as MoviePass customer card numbers. These MoviePass customer cards are like normal debit cards: they're issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies.