Slashdot security articles

Google's New ReCAPTCHA Has a Dark Side

Thu, 06/27/2019 - 14:40
An anonymous reader quotes a report from Fast Company: We've all tried to log into a website or submit a form only to be stuck clicking boxes of traffic lights or storefronts or bridges in a desperate attempt to finally convince the computer that we're not actually a bot. For many years, this has been one of the predominant ways that reCaptcha -- the Google-run internet bot detector -- has determined whether a user is a bot or not. But last fall, Google launched a new version of the tool, with the goal of eliminating that annoying user experience entirely. Now, when you enter a form on a website that's using reCaptcha V3, you won't see the "I'm not a robot" checkbox, nor will you have to prove you know what a cat looks like. Instead, you won't see anything at all. Google is also now testing an enterprise version of reCaptcha v3, where Google creates a customized reCaptcha for enterprises that are looking for more granular data about users' risk levels to protect their site algorithms from malicious users and bots. But this new, risk-score based system comes with a serious trade-off: users' privacy. According to two security researchers who've studied reCaptcha, one of the ways that Google determines whether you're a malicious user or not is whether you already have a Google cookie installed on your browser. It's the same cookie that allows you to open new tabs in your browser and not have to re-log in to your Google account every time. But according to Mohamed Akrout, a computer science PhD student at the University of Toronto who has studied reCaptcha, it appears that Google is also using its cookies to determine whether someone is a human in reCaptcha v3 tests. Akrout wrote in an April paper about how reCaptcha v3 simulations that ran on a browser with a connected Google account received lower risk scores than browsers without a connected Google account. 
"Because reCaptcha v3 is likely to be on every page of a website, if you're signed into your Google account there's a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3 -- and there may be no visual indication on the site that it's happening, beyond a small reCaptcha logo hidden in the corner," the report adds.

Western Intelligence Hacked Russia's Yandex To Spy On Accounts

Thu, 06/27/2019 - 11:24
Hackers working for Western intelligence agencies broke into Russian internet search company Yandex in late 2018 deploying a rare type of malware in an attempt to spy on user accounts, Reuters reported Thursday, citing four people with knowledge of the matter. From the report: The malware, called Regin, is known to be used by the "Five Eyes" intelligence-sharing alliance of the United States, Britain, Australia, New Zealand and Canada, the sources said. Intelligence agencies in those countries declined to comment. Western cyberattacks against Russia are seldom acknowledged or spoken about in public. It could not be determined which of the five countries was behind the attack on Yandex, said sources in Russia and elsewhere, three of whom had direct knowledge of the hack. The breach took place between October and November 2018. Yandex spokesman Ilya Grabovsky acknowledged the incident in a statement to Reuters, but declined to provide further details. "This particular attack was detected at a very early stage by the Yandex security team. It was fully neutralized before any damage was done," he said.

Huawei Personnel Worked With China's Military on Research Projects

Thu, 06/27/2019 - 07:22
Several Huawei employees have collaborated on research projects with Chinese armed forces personnel, indicating closer ties to the country's military than previously acknowledged by the smartphone and networking powerhouse, Bloomberg reported Thursday. From the report: Over the past decade, Huawei workers have teamed with members of various organs of the People's Liberation Army on at least 10 research endeavors spanning artificial intelligence to radio communications. They include a joint effort with the investigative branch of the Central Military Commission -- the armed forces' supreme body -- to extract and classify emotions in online video comments, and an initiative with the elite National University of Defense Technology to explore ways of collecting and analyzing satellite images and geographical coordinates. Those projects are just a few of the publicly disclosed studies that shed light on how staff at China's largest technology company teamed with the People's Liberation Army on research into an array of potential military and security applications.

India Reportedly Wants To Build Its Own WhatsApp For Government Communications

Thu, 06/27/2019 - 06:41
India may have plans to follow France's footsteps in building a chat app and requiring government employees to use it for official communications. From a report: The New Delhi government is said to be pondering about the need to have homegrown email and chat apps, local news outlet Economic Times reported on Thursday. The rationale behind the move is to cut reliance on foreign entities, the report said, a concern that has somehow manifested amid U.S.'s ongoing tussle with Huawei and China. "We need to make our communication insular," an unnamed top government official was quoted as saying by the paper. The person suggested that by putting Chinese giant Huawei on the entity list, the U.S. has "set alarm bells ringing in New Delhi." India has its own ongoing trade tension with the U.S. Donald Trump earlier this month removed the South Asian nation from a special trade program after India did not assure him that it "unfortunate," and weeks later, increased tariffs on some U.S. exports.

Researchers Demonstrate How US Emergency Alert System Can Be Hijacked and Weaponized

Wed, 06/26/2019 - 18:02
After an emergency alert was accidentally sent to Hawaii residents last year, warning of an impending nuclear ballistic missile attack, researchers at the University of Colorado Boulder were prompted to ask the question: How easy would it be to exploit the nation's emergency alert systems, wreaking havoc on the American public via fake or misleading alerts? In short, they found that it wasn't very difficult at all. Motherboard reports: Their full study was recently unveiled at the 2019 International Conference on Mobile Systems, Applications and Services (MobiSys) in Seoul, South Korea. It documents how spoofing the Wireless Emergency Alert (WEA) program to trick cellular users wasn't all that difficult. To prove it, researchers built a mini "pirate" cell tower using easily-available hardware and open source software. Using isolated RF shield boxes to mitigate any real-world harm, they then simulated attacks in the 50,000 seat Folsom Field at the University. 90 percent of the time, the researchers say they were able to pass bogus alerts on to cell phones within range. The transmission of these messages from the government to the cellular tower is secure. It's the transmission from the cellular tower to the end user that's open to manipulation and interference, the researchers found. The vulnerability potentially impacts not just US LTE networks, but LTE networks from Europe to South Korea.

Second Florida City Pays Giant Ransom To Ransomware Gang In a Week

Wed, 06/26/2019 - 14:40
Less than a week after a first Florida city agreed to pay a whopping $600,000 to get their data back from hackers, now, a second city's administration has taken the same path. On Monday, in an emergency meeting of the city council, the administration of Lake City, a small Florida city with a population of 65,000, voted to pay a ransom demand of 42 bitcoins, worth nearly $500,000. ZDNet reports: The decision to pay the ransom demand was made after the city suffered a catastrophic malware infection earlier this month, on June 10, which the city described as a "triple threat." Despite the city's IT staff disconnecting impacted systems within ten minutes of detecting the attack, a ransomware strain infected almost all its computer systems, with the exception of the police and fire departments, which ran on a separate network. A ransom demand was made a week after the infection, with hackers reaching out to the city's insurance provider -- the League of Cities, which negotiated a ransom payment of 42 bitcoins last week. City officials agreed to pay the ransom demand on Monday, and the insurer made the payment yesterday, on Tuesday, June 25, local media reported. The payment is estimated to have been worth between $480,000 to $500,000, depending on Bitcoin's price at the time of the payment. The city's IT staff is now working to recover their data after receiving a decryption key.

Google Warns of Microsoft SwiftKey Losing Access To Gmail on July 15

Wed, 06/26/2019 - 12:42
Speaking of Google, the company is sending out warnings to Microsoft SwiftKey users that the keyboard will no longer be able to access the data in Google Accounts, including Gmail content, starting on July 15th. From a report: In an email, Google is telling SwiftKey users who have integrated the keyboard replacement with Gmail that the integration will no longer work on July 15th, 2019, unless SwiftKey complies with Google's updated data policies. When users install SwiftKey, they can personalize the keyboard by integrating it into email accounts such as Gmail. When integrating in other services, though, the app requests various permissions in how they can access the content in this service.

Firefox Will Give You a Fake Browsing History To Fool Advertisers

Wed, 06/26/2019 - 12:02
Security through obscurity is out, security through tomfoolery is in. From a report: That's the basic philosophy sold by Track THIS, "a new kind of incognito" browsing project, which opens up 100 tabs crafted to fit a specific character -- a hypebeast, a filthy rich person, a doomsday prepper, or an influencer. The idea is that your browsing history will be depersonalized and poisoned, so advertisers won't know how to target ads to you. It was developed as a collaboration between mschf (pronounced "mischief") internet studios and Mozilla's Firefox as a way of promoting Firefox Quantum, the newest Firefox browser. [...] Just a warning -- if you use Track THIS it may take several minutes for all 100 tabs to load. (I used Chrome as my browser.) But as it gradually loads, it's like taking a first-person journey through someone else's consciousness.

Google Now Allows Users To Auto-Delete Their Location History

Wed, 06/26/2019 - 10:00
Google today began rolling out location history deletion tools to Android and iOS, giving users a relatively simple way to limit the scope of Google's location tracking. Users can only choose between deleting data after three or 18 months. In a blog post, Google wrote: Choose a time limit for how long you want your activity data to be saved -- 3 or 18 months -- and any data older than that will be automatically deleted from your account on an ongoing basis. These controls are coming first to Location History and Web & App Activity and will roll out in the coming weeks.

Intel, Arm To Help Create New IoT Standard For Device Onboarding

Wed, 06/26/2019 - 08:01
Intel is working with rival Arm to create a new industry standard for an important issue in the Internet of Things market: making sure that devices are properly configured and connected to the cloud. From a report: The Santa Clara, Calif.-based chipmaker announced on Wednesday that the company is a founding member of the new IoT Technical Working Group within the FIDO Alliance, an industry consortium founded by PayPal, Lenovo and others in 2012 to develop standards for password-less authentication. The goal of FIDO's IoT Technical Working Group, which will also include experts from Microsoft, Google and Amazon, is to create a standard specification for "large-scale IoT onboarding," the process in which devices are configured and connected to IoT cloud management services at the time of installation. Lorie Wigle, the executive in charge of Intel's platform security efforts, told CRN that it is important to create a standard around IoT onboarding because many companies currently face challenges with the practice when it comes to handling large-scale deployments and security. [...] Once FIDO develops the standard, market forces will compel companies to adhere and participate, according to Wigle, who said it will also increase device variety, lower costs and accelerate deployments.

Eight of the World's Biggest Technology Service Providers Were Hacked by Chinese Cyber Spies in an Elaborate and Years-Long Invasion

Wed, 06/26/2019 - 07:20
The invasion exploited weaknesses in those companies, their customers, and the Western system of technological defense, Reuters reported on Wednesday. From the report: Hacked by suspected Chinese cyber spies five times from 2014 to 2017, security staff at Swedish telecoms equipment giant Ericsson had taken to naming their response efforts after different types of wine. Pinot Noir began in September 2016. After successfully repelling a wave of attacks a year earlier, Ericsson discovered the intruders were back. And this time, the company's cybersecurity team could see exactly how they got in: through a connection to information-technology services supplier Hewlett Packard Enterprise. Teams of hackers connected to the Chinese Ministry of State Security had penetrated HPE's cloud computing service and used it as a launchpad to attack customers, plundering reams of corporate and government secrets for years in what U.S. prosecutors say was an effort to boost Chinese economic interests. The hacking campaign, known as "Cloud Hopper," was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud. Prosecutors described an elaborate operation that victimized multiple Western companies but stopped short of naming them. A Reuters report at the time identified two: Hewlett Packard Enterprise and IBM. Yet the campaign ensnared at least six more major technology firms, touching five of the world's 10 biggest tech service providers. Also compromised by Cloud Hopper, Reuters has found: Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology. HPE spun-off its services arm in a merger with Computer Sciences Corporation in 2017 to create DXC.

Huawei Telecom Gear Much More Vulnerable To Hackers Than Rivals' Equipment, Report Says

Wed, 06/26/2019 - 06:03
Telecommunications gear made by China's Huawei is far more likely to contain flaws that could be leveraged by hackers for malicious use than equipment from rival companies, according to new research by cybersecurity experts that top U.S. officials said appeared credible. From a report: Over half of the nearly 10,000 firmware images encoded into more than 500 variations of enterprise network-equipment devices tested by the researchers contained at least one such exploitable vulnerability, the researchers found. Firmware is the software that powers the hardware components of a computer. The tests were compiled in a new report that has been submitted in recent weeks to senior officials in multiple government agencies in the U.S. and the U.K., as well as to lawmakers. The report is notable both for its findings and because it is circulating widely among Trump administration officials who said it further validated their policy decisions toward Huawei. "This report supports our assessment that since 2009, Huawei has maintained covert access to some of the systems it has installed for international customers," said a White House official who reviewed the findings. "Huawei does not disclose this covert access to customers nor local governments. This covert access enables Huawei to record information and modify databases on those local systems." The report, reviewed by The Wall Street Journal, was prepared by Finite State, a Columbus, Ohio-based cybersecurity firm.

New Silex Malware is Bricking IoT Devices, Has Scary Plans

Tue, 06/25/2019 - 12:43
A new strain of malware is wiping the firmware of IoT devices in attacks reminiscent of the old BrickerBot malware that destroyed millions of devices back in 2017. From a report: Named Silex, this malware began operating earlier today, about three-four hours before this article's publication. The malware had bricked around 350 devices when this reporter began investigating its operations, and the number quickly spiked to 2,000 wiped devices by the time we published, an hour later. Attacks are still ongoing, and according to an interview with the malware's creator, they are about to intensify in the coming days. According to Akamai researcher Larry Cashdollar, who first spotted the malware earlier today, Silex works by trashing an IoT device's storage, dropping firewall rules, removing the network configuration, and then halting the device. It's as destructive as it can get without actually frying the IoT device's circuits. To recover, victims must manually reinstall the device's firmware, a task too complicated for the majority of device owners.

Microsoft Announces OneDrive Personal Vault For Sensitive Files

Tue, 06/25/2019 - 08:45
Microsoft today announced OneDrive Personal Vault, a new security layer for protecting sensitive and important files. The feature is rolling out "soon" to the web, Android, iOS, and Windows 10 in Australia, New Zealand, and Canada. From a report: Furthermore, the company is increasing OneDrive's cheapest storage plan from 50GB to 100GB at no additional cost. Office 365 subscribers are also getting new storage options. Personal Vault is a protected area in OneDrive that you can only access with the Microsoft Authenticator app or a second step of identity verification (fingerprint, face, PIN, or a code sent to you via email or SMS). Microsoft envisions OneDrive users saving travel, identification, vehicle, home, and insurance documents in their Personal Vault. You can use the OneDrive mobile app to scan documents, take pictures, or shoot video directly into your Personal Vault, keeping such items out of less secure areas like your camera roll.

China's Biggest Startups Ditch Oracle and IBM for Home-Made Tech

Tue, 06/25/2019 - 08:05
For years, companies like Oracle and IBM invested heavily to build new markets in China for their industry-leading databases. Now, boosted in part by escalating U.S. tensions, one Chinese upstart is stepping in, winning over tech giants, startups and financial institutions to its enterprise software. From a report: Beijing-based PingCAP already counts more than 300 Chinese customers. Many, including food delivery giant Meituan, its bike-sharing service Mobike, video streaming site iQIYI and smartphone maker Xiaomi are migrating away from Oracle and IBM's services toward PingCAP's, encapsulating a nation's resurgent desire to Buy China. PingCAP's ascendancy comes as the U.S. cuts Huawei off from key technology, sending chills through the country's largest entities while raising questions about the security of foreign-made products. That's a key concern as Chinese companies modernize systems in every industry from finance and manufacturing to healthcare by connecting them to the internet.

Hackers Steal Data From Telcos in Espionage Campaign

Tue, 06/25/2019 - 06:44
Hackers broke into the systems of more than a dozen global telecom firms and stole huge amounts of data in a seven-year spying campaign, researchers from a cyber security company said, identifying links to previous Chinese cyber-espionage activities. From a report: Investigators at U.S.-Israeli cyber firm Cybereason said on Tuesday the attackers compromised companies in more than 30 countries and aimed to gather information on individuals in government, law-enforcement and politics. The hackers also used tools linked to other attacks attributed to Beijing by the United States and its Western allies, said Lior Div, chief executive of Cybereason. "For this level of sophistication it's not a criminal group. It is a government that has capabilities that can do this kind of attack," he told Reuters. Div later presented a step-by-step breakdown of the breach at a cybersecurity conference in Tel Aviv in the same session that the heads of U.S. and British cyber intelligence units and the head of Israel's Mossad spy agency spoke.

How Verizon and a BGP Optimizer Knocked Large Parts of the Internet Offline Today

Mon, 06/24/2019 - 13:25
Cloudflare issued a blog post explaining how Verizon sent a large chunk of the internet offline this morning after it wrongly accepted a network misconfiguration from a small ISP in Pennsylvania. The outages affected Cloudflare, Facebook, Amazon, and others. The Register reports: For nearly three hours, network traffic that was supposed to go to some of the biggest online names was instead accidentally rerouted through a steel giant based in Pittsburgh. More than 20,000 prefixes -- roughly two per cent of the internet -- were wrongly announced by regional U.S. ISP DQE Communications: this announcement informed the sprawling internet's backbone equipment to thread netizens' traffic through one of DQE's clients, steel giant Allegheny Technologies, a rerouting that was then, mindbogglingly, accepted and passed on to the world by Verizon, a trusted major authority on the internet's highways and byways. And so, systems around the planet automatically updated, and connections destined for Facebook, Cloudflare, and others, ended up going to Allegheny, which black holed the traffic. Internet engineers suspect that a piece of automated networking software -- a BGP optimizer called Noction -- used by DQE was to blame for the problem. But even though these kinds of misconfigurations happen every day, there is significant frustration and even disbelief that a U.S. telco as large as Verizon would pass on this amount of incorrect routing information. The sudden, wrong, change should have been caught by filters and never accepted. [...] One key industry group called Mutually Agreed Norms for Routing Security (MANRS) has four main recommendations: two technical and two cultural for fixing the problem. 
The two technical approaches are filtering and anti-spoofing, which basically check announcements from other network operators to see if they are legitimate and remove any that aren't; and the cultural fixes are coordination and global validation -- which encourage operators to talk more to one another and work together to flag and remove any suspicious looking BGP changes. Verizon is not a member of MANRS.

Apple Releases First Public Betas of macOS Catalina, iOS 13 and iPadOS

Mon, 06/24/2019 - 11:20
Apple today seeded the first beta versions of the upcoming macOS Catalina, iOS 13, and iPadOS updates to its public beta testing group, giving non-developers a chance to try out the software ahead of their fall public release. Beta testers who have signed up for Apple's beta testing program will be able to download the macOS Catalina beta through the Software Update mechanism in System Preferences after installing the proper profile. Those who want to be a part of Apple's beta testing program can sign up to participate through the beta testing website, which gives users access to iOS, macOS, and tvOS betas. Similarly, beta testers who have signed up for Apple's beta testing program will receive the iOS 13 beta update over-the-air after installing the proper certificate on an iOS device. New features in the macOS Catalina update include: macOS Catalina eliminates the iTunes app, which has been a key Mac feature since 2001. In Catalina, iTunes has been replaced by Music, Podcasts, and TV apps. The new apps can do everything that iTunes can do, so Mac users aren't going to be losing any functionality, and device management capabilities are now handled by the Finder app. macOS Catalina has a useful new Sidecar feature, designed to turn the iPad into a secondary display for the Mac. For those with an Apple Watch set up to unlock the Mac, there's now an option to approve security prompts in Catalina by tapping on the side button of the watch. Macs with a T2 chip in them also support Activation Lock, making them useless to thieves much as it does on the iPhone. There's a new Find My app that lets you track your lost devices, and previously, this functionality was only available via iCloud on the Mac. There's even a new option to find your devices even when they're offline by leveraging Bluetooth connections to other nearby devices, something that's particularly handy on the Mac because it doesn't have a cellular connection.
For developers, a "Project Catalyst" feature lets apps designed for the iPad be ported over to the Mac with just a few clicks in Xcode and some minor tweaks. Apple's ultimate goal with Project Catalyst is to bring more apps to the Mac.

US Considers Requiring 5G Equipment For Domestic Use Be Made Outside China

Mon, 06/24/2019 - 08:43
The Trump administration is examining whether to require that next-generation 5G cellular equipment used in the U.S. be designed and manufactured outside China [Editor's note: the link may be paywalled; alternative source], WSJ reports, citing people familiar with the matter. The move could reshape global manufacturing and further fan tensions between the countries. From the report: A White House executive order last month to restrict some foreign-made networking gear and services due to cybersecurity concerns started a 150-day review of the U.S. telecommunications supply chain. As part of that review, U.S. officials are asking telecom-equipment manufacturers whether they can make and develop U.S.-bound hardware, which includes cellular-tower electronics as well as routers and switches, and software outside of China, the people said. The conversations are in early and informal stages, they said. The executive order calls for a list of proposed rules and regulations by the 150-day deadline, in October; so, any proposals may take months or years to adopt. The proposals could force the biggest companies that sell equipment to U.S. wireless carriers, Finland's Nokia and Sweden's Ericsson, to move major operations out of China to service the U.S., which is the biggest market in the $250 billion-a-year global industry for telecom equipment and related services and infrastructure. There is no major U.S. manufacturer of cellular equipment. U.S. officials have long worried that Beijing could order Chinese engineers to insert security holes into technology made in China. They worry those security holes could be exploited for spying, or to remotely control or disable devices.

The Threat Actor You Can't Detect: Cognitive Bias

Sun, 06/23/2019 - 12:34
Long-time Slashdot reader chicksdaddy shares news of a recent report from cybersecurity company Forcepoint's X-Lab, examining how cybersecurity decision-making is affected by six common biases: For instance, Forcepoint found that older generations are typically characterized by information security professionals as "riskier users based on their supposed lack of familiarity with new technologies." However, studies have found the opposite to be true: younger people are far more likely to engage in risky behavior like sharing their passwords to streaming services. The presumption that older workers pose more of a risk than younger workers is an example of so-called "aggregate bias," in which subjects make inferences about an individual based on a population trend. Biases like this misinform security professionals by directing their focus to individual users based on their supposed group membership. In turn, analysts wrongly direct their focus to the wrong individuals as sources of security issues. Availability bias may influence cybersecurity analysts' decision-making in favor of hot topics in the news, which ultimately cloud other information they may know but are not so frequently exposed to; leading them to make less well-rounded decisions. People encounter "confirmation bias" most frequently during research. By neglecting the bigger picture, assumptions are made and research is specifically tailored to confirm those assumptions. When looking for issues, analysts can often find themselves looking for confirmation of what they already believe to be the cause as opposed to searching for all possible causes. The fundamental attribution error also plays a significant role in misleading security analysts, Forcepoint found. This is manifested when information security analysts or software developers place blame on users being inept instead of considering that their technology may be faulty or that internal factors contributed to a security lapse. 
The report also cites what it calls the framing effect. "Security problems are often aggressively worded, and use negative framing strategies to emphasize the potential for loss."