Slashdot security articles


Microsoft Will Now Pester Windows 7 Users To Upgrade To Windows 10 With Pop-ups

Tue, 03/12/2019 - 09:27
Mark Wilson writes: Anyone who is still using Windows 7 doesn't have much longer until the operating system is no longer supported by Microsoft. Come January 14, 2020 only those enterprise customers who are willing to pay for Extended Security Updates will receive any kind of support. Microsoft has already done a lot to encourage Windows 7 diehards to make the move to Windows 10, and now it is stepping things up a gear. Throughout 2019, the company will show pop-up notifications in Windows 7 about making the switch to the latest version of Windows.

US Tells Germany To Stop Using Huawei Equipment Or Lose Some Intelligence Access

Tue, 03/12/2019 - 02:00
The Wall Street Journal is reporting that the United States has told Germany to drop Huawei from its future plans or risk losing access to some U.S. intelligence. The U.S. says the Chinese company's equipment could be used for espionage -- a concern that Huawei says is unfounded. "The Trump administration has been pressing allies to end their relationships with Huawei, but Germany, moving ahead with its plans, has not moved to ban the company from its networks," reports The Verge. From the report: According to the Journal, a letter sent from the U.S. Ambassador to Germany warns the country that the U.S. will stop sharing some secrets if it allows Huawei to work on its next-generation 5G infrastructure. The letter, according to the Journal, argues that network security can't be effectively managed by audits of equipment or software. While the U.S. plans to continue sharing intelligence with Germany regardless, the Journal reports, officials plan to curtail the scope of that information if Huawei equipment is used in German infrastructure.

Russia Blocks Encrypted Email Provider ProtonMail

Mon, 03/11/2019 - 19:31
An anonymous reader quotes a report from TechCrunch: Russia has told internet providers to enforce a block against encrypted email provider ProtonMail, the company's chief has confirmed. The block was ordered by the state Federal Security Service, formerly the KGB, according to a Russian-language blog, which obtained and published the order after the agency accused the company and several other email providers of facilitating bomb threats. Several anonymous bomb threats were sent by email to police in late January, forcing several schools and government buildings to evacuate. In all, 26 internet addresses were blocked by the order, including several servers used to scramble the final connection for users of Tor, an anonymity network popular for circumventing censorship. Internet providers were told to implement the block "immediately," using a technique known as BGP blackholing, a way that tells internet routers to simply throw away internet traffic rather than routing it to its destination. But the company says while the site still loads, users cannot send or receive email. The way the KGB blocked ProtonMail is "particularly sneaky," ProtonMail chief executive Andy Yen said. "ProtonMail is not blocked in the normal way, it's actually a bit more subtle. They are blocking access to ProtonMail mail servers. So Mail.ru -- and most other Russian mail servers -- for example, is no longer able to deliver email to ProtonMail, but a Russian user has no problem getting to their inbox." "That's because the two ProtonMail servers listed by the order are its back-end mail delivery servers, rather than the front-end website that runs on a different system," adds TechCrunch.

Congress Introduces Bill To Improve 'Internet of Things' Security

Mon, 03/11/2019 - 18:30
Members of the US Senate and House of Representatives introduced the Internet of Things Cybersecurity Improvement Act on Monday, hoping to bring legislative action to the emerging technology. From a report: Connected devices are expected to boom to 20.4 billion units by 2020, but they don't all have the same levels of security. Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses. "While I'm excited about their life-changing potential, I'm also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security," Sen. Mark Warner, a Democrat from Virginia, said in a statement.

Debit Card With Built-In Fingerprint Reader Begins Trial In the UK

Mon, 03/11/2019 - 15:40
British bank Natwest is trialing the use of a new NFC payment card with a built-in fingerprint scanner. "The trial, which will include 200 customers when it begins in mid-April, will allow its participants to make NFC payments (called 'contactless' in the UK) without needing to input a PIN or offer a signature," reports The Verge. "The standard [30 British pound] limit for contactless payments will not apply when the fingerprint is used." From the report: Currently, anyone can make a contactless payment in the UK by tapping their card on the terminal to make a payment. As a result of this lack of security, a [30 British pound] limit is applied to such payments, with retailers requiring you to place your card into the card reader and enter a PIN for more expensive purchases (commonly referred to as the "Chip and PIN" method). Although mobile payments require authentication, customers often find they're subject to the same [30 British pound] limit. The fingerprint data is stored locally on the card, meaning there's no security information for a hacker to be able to steal from a bank's central database. It's not foolproof -- there's always the risk a sufficiently determined thief could steal and imitate your fingerprint -- but it's much more secure than a PIN that someone could learn by simply looking over your shoulder as you enter it.

Samsung Galaxy S10 Facial Recognition Fooled by a Video of the Phone Owner

Mon, 03/11/2019 - 08:07
Experts have proven once again that facial recognition on modern devices remains hilariously insecure and can be bypassed using simple tricks such as showing an image or a video in front of a device's camera. From a report: The latest device to fall victim to such attacks is Samsung Galaxy S10, Samsung's latest top tier phone and considered one of the world's most advanced smartphones to date. Unfortunately, the Galaxy S10's facial recognition feature remains just as weak as the one supported in its previous versions or on the devices of its competitors, according to Lewis Hilsenteger, a smartphone reviewer better known as Unbox Therapy on YouTube. Hilsenteger showed in a demo video uploaded on his YouTube channel last week how putting up a video of the phone owner in front of the Galaxy S10 front camera would trick the facial recognition system into unlocking the device.

US Government Will Be Scanning Your Face At 20 Top Airports, Documents Show

Mon, 03/11/2019 - 06:40
An anonymous reader shares a report: In March 2017, President Trump issued an executive order expediting the deployment of biometric verification of the identities of all travelers crossing its borders. That mandate stipulates facial recognition identification for "100 percent of all international passengers," including American citizens, in the top 20 US airports by 2021. Now, the United States Department of Homeland Security is rushing to get those systems up and running at airports across the country. But it's doing so in the absence of proper vetting and regulatory safeguards, and, some privacy advocates argue, in defiance of the law. According to 346 pages of as-yet-unpublished documents obtained by the nonprofit research organization Electronic Privacy Information Center, US Customs and Border Protection is scrambling to implement this "biometric entry-exit system," with the goal of using facial recognition technology on travelers aboard 16,300 flights per week -- or more than 100 million passengers traveling on international flights out of the United States -- in as little as two years, to meet Trump's accelerated timeline for a biometric system that had initially been signed into law by the Obama administration. This, despite questionable biometric confirmation rates and few, if any, legal guardrails. These same documents state -- explicitly -- that there were no limits on how partnering airlines can use this facial recognition data. CBP did not answer specific questions about whether there are any guidelines for how other technology companies involved in processing the data can potentially also use it. It was only during a data privacy meeting last December that CBP made a sharp turn and limited participating companies from using this data. But it is unclear to what extent it has enforced this new rule.
CBP did not explain what its current policies around data sharing of biometric information with participating companies and third-party firms are, but it did say that the agency "retains photos ... for up to 14 days" of non-US citizens departing the country, for "evaluation of the technology" and "assurance of the accuracy of the algorithms" -- which implies such photos might be used for further training of its facial matching AI.

Microsoft To Start Selling Windows 7 Add-On Support April 1st

Sun, 03/10/2019 - 08:34
AmiMoJo quotes Computerworld: Microsoft plans to start selling its Windows 7 add-on support beginning April 1. Labeled "Extended Security Updates" (ESU), the post-retirement support will give enterprise customers more time to purge their environments of Windows 7. From Windows 7's Jan. 14, 2020 end of support, ESU will provide security fixes for uncovered or reported vulnerabilities in the OS. Patches will be issued only for bugs rated "Critical" or "Important" by Microsoft, the top two rankings in a four-step scoring system. ESU will be dealt out in one-year increments for up to three years and support will be sold on a per-device basis, rather than the per-user approach Microsoft has pushed for Windows 10 licensing. Costs for ESU will start out low, $25 or $50 per year per device, but will double each year, ending at $100 or $200 per device for the third and final year.

Could Blockchain-Based Fractions of Digitized Stocks Revolutionize Markets?

Sun, 03/10/2019 - 06:34
An anonymous reader quotes VentureBeat: Despite being championed as a decentralized form of money that puts individuals firmly in control of their own wealth, cryptocurrencies mostly remain the preserve of the super-rich and the super-nerdy. 1,000 Bitcoin wallets currently hold 35.18% of all Bitcoins, for example, and only a select few computer scientists understand the inner workings and machinations of blockchains... Such inconvenient truths undermine the oft-repeated claim that blockchains will democratize wealth, largely by lowering barriers to entry in financial networks and by preventing central banks from devaluing money via inflation. Nonetheless, this prediction has moved one step closer to realization in recent months, with the emergence of tokenized stocks.... In contrast to a new cryptocurrency designed specifically to conform to securities legislation (i.e. a security token), tokenized stocks provide digitized versions of existing shares in established companies, such as Google, Facebook, or Apple... [W]hat's interesting and potentially radical about such digital stocks is that they permit customers to buy fractions of stocks in big companies. This will open up trading to millions of people who wouldn't otherwise be able to afford buying shares in Apple or Amazon... One significant side effect of tokenized stocks is that they could change the fundamental nature of global stock markets and how they behave, by opening them up to round-the-clock trading... It's interesting to note that some commentators believe the growth of round-the-clock exchanges might, in the long term, result in the emergence of a single global stock market. The article also notes that it will be cheaper to trade digital versions of stocks, "since person-to-person trades circumvent the need to go through a broker... They look set to make the financial world more accessible to millions of people, in addition to having serious implications for global markets."

'Smart' Car Alarm App Could Allow 3 Million Cars To Be Unlocked Remotely

Sat, 03/09/2019 - 14:34
"Two popular smart alarm systems for cars had major security flaws that allowed potential hackers to track the vehicles, unlock their doors and, in some cases, cut off the engine," reports CNET: The vulnerabilities could be exploited with two simple steps, security researchers from Pen Test Partners, who discovered the flaw, said Friday. The problems were found in alarm systems made by Viper [known as Clifford in the U.K.] and Pandora Car Alarm System, two of the largest smart car alarm makers in the world. The two brands have as many as 3 million customers between them and make high-end devices that can cost thousands... Both apps' API didn't properly authenticate for update requests, including requests to change the password or email address. Ken Munro, founder of Pen Test Partners, said that all his team needed to do was send the request to a specific host URL and they were able to change an account's password and email address without notifying the victim that anything happened. Once they had access to the account, the researchers had full control of the smart car alarm. This allowed them to learn where a car was and unlock it. You don't have to be near the car to do this, and the accounts can be taken over remotely, Munro said. Potential attackers could also use the apps' API to target specific types of cars, the security researcher added... Pandora's alarm system also contained a microphone that would've allowed potential hackers to listen in on live audio, the security company found. Both companies fixed the issue in less than a week, CNET reports, possibly due to the seriousness of the issue. In a video demonstrating the severity of the bug, security researcher Munro even uses the driver's app to set off a car's alarms remotely. When that driver began pulling over, Munro then used the app to cut off the car's engine. "So simple, so serious," he said. ZDNet notes that one of the companies had been advertising their "smart" alarms as "unhackable".
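The flaw class described above, an account-update endpoint that never checks the caller owns the account it modifies, shown beside a hardened version. This is an added, illustrative example and not code from Viper, Pandora or Pen Test Partners; the request fields, the account store and the session scheme are assumptions, and the sample accounts are constructed.

```python
"""Vulnerable vs. hardened account-update handlers for an alarm vendor's API.
Added example; the store layout, request shape and session scheme are assumed."""
import hashlib
import hmac
import secrets


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Constructed in-memory stand-in for the vendor's account database."""

    def __init__(self):
        self.accounts = {}       # account_id -> {"email", "salt", "pw_hash", "vehicle"}
        self.sessions = {}       # session token -> account_id
        self.notifications = []  # (recipient, message) the hardened path would send

    def add(self, account_id, email, password, vehicle):
        salt = secrets.token_bytes(16)
        self.accounts[account_id] = {
            "email": email, "salt": salt,
            "pw_hash": _hash_password(password, salt), "vehicle": vehicle,
        }

    def check_password(self, account_id, password):
        acct = self.accounts[account_id]
        return hmac.compare_digest(acct["pw_hash"], _hash_password(password, acct["salt"]))

    def login(self, email, password):
        """Return a session token on success, None otherwise."""
        for account_id, acct in self.accounts.items():
            if acct["email"] == email and self.check_password(account_id, password):
                token = secrets.token_urlsafe(32)
                self.sessions[token] = account_id
                return token
        return None

    def set_credentials(self, account_id, email=None, password=None):
        acct = self.accounts[account_id]
        if email is not None:
            acct["email"] = email
        if password is not None:
            acct["salt"] = secrets.token_bytes(16)
            acct["pw_hash"] = _hash_password(password, acct["salt"])


def update_account_vulnerable(store, request):
    """Vulnerable: the account to modify is taken from the request body and nothing
    proves the caller owns it. Anyone who knows or guesses an account id can rotate
    its e-mail and password, and the real owner is never told."""
    account_id = request.get("account_id")
    if account_id not in store.accounts:
        return 404, "no such account"
    store.set_credentials(account_id, request.get("email"), request.get("password"))
    return 200, "updated"


def update_account_hardened(store, request, session_token):
    """Hardened: the target account comes from the authenticated session, a
    body-supplied account id must match it, changing credentials requires the
    current password, and the previous e-mail address is notified of the change."""
    account_id = store.sessions.get(session_token)
    if account_id is None:
        return 401, "authentication required"
    if request.get("account_id", account_id) != account_id:
        return 403, "cannot modify another account"
    if not store.check_password(account_id, request.get("current_password", "")):
        return 403, "current password required"
    old_email = store.accounts[account_id]["email"]
    store.set_credentials(account_id, request.get("email"), request.get("password"))
    store.notifications.append((old_email, "your login details were changed"))
    return 200, "updated"


def demo_store():
    """Constructed sample data: a victim and an attacker who each own an alarm."""
    store = AccountStore()
    store.add("acct-1001", "owner@example.com", "correct horse", "VIN-OWNER")
    store.add("acct-1002", "attacker@example.com", "attacker pw", "VIN-ATTACKER")
    return store
```

With the vulnerable handler, an unauthenticated request naming `acct-1001` silently hands the attacker a working login for the victim's alarm, which is the takeover the researchers describe; the hardened handler rejects the same request with 401 (no session) or 403 (wrong account), and even the legitimate owner must re-prove the current password before the old address is notified.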

Many Android VPN Apps Request 'Dangerous' Permissions They Don't Need

Sat, 03/09/2019 - 11:34
A VPN researcher found that many Android VPN apps request access to sensitive permissions that they don't need, according to an article shared by WaitingForSupport. ZDNet reports: The study, carried out by John Mason from TheBestVPN.com, analyzed 81 Android apps available for download through the Google Play Store. Mason said he downloaded and extracted the permissions requested by each VPN app from their respective APK installer files.... According to Mason, 50 of the 81 Android VPN apps he tested requested access to at least one dangerous permission that accessed user data... Mason said he discovered VPN apps that requested access to read/write permissions for external device storage, wanted access to precise location data, wanted the ability to read or write system settings, and, in some cases, wanted to access call logs or manage local files. "In theory, VPN apps should only need a few permissions to function. INTERNET and ACCESS_NETWORK_STATE should usually be enough," Mason told us. "The use of a large number of dangerous permissions could be cause for suspicion."
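The triage described above, done on one app: parse a decoded AndroidManifest.xml for its `uses-permission` entries, flag those Android classes as runtime ("dangerous") permissions, and compare the whole set against the INTERNET and ACCESS_NETWORK_STATE baseline Mason cites. This is an added example, not code from the study or from any VPN vendor; the sample manifest is constructed, and the dangerous list is only a subset of the permissions Android documents at protection level "dangerous".

```python
"""Permission triage for an Android VPN app's decoded manifest.
Added example; DANGEROUS is a subset of Android's documented runtime permissions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Minimal set a VPN client should need, per the article.
VPN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Subset of Android runtime permissions (protectionLevel "dangerous").
DANGEROUS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

# Not "dangerous" in Android's scheme but granted only through a system settings
# screen; the article's "write system settings" belongs here.
SPECIAL = {
    "android.permission.WRITE_SETTINGS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}


def requested_permissions(manifest_xml):
    """Names from every <uses-permission> / <uses-permission-sdk-23> element."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.append(name)
    return names


def audit_vpn_manifest(manifest_xml):
    """Classify what the app asks for relative to the VPN baseline."""
    requested = set(requested_permissions(manifest_xml))
    return {
        "requested": sorted(requested),
        "dangerous": sorted(requested & DANGEROUS),
        "special": sorted(requested & SPECIAL),
        "beyond_baseline": sorted(requested - VPN_BASELINE),
        "missing_baseline": sorted(VPN_BASELINE - requested),
    }


# Constructed sample: the decoded manifest of an over-privileged VPN client.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vpnclient">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <application android:label="VPN">
        <service android:name=".TunnelService"
                 android:permission="android.permission.BIND_VPN_SERVICE"/>
    </application>
</manifest>
"""
```

The manifest inside an APK is binary-encoded, so decode it first (`apktool d app.apk` writes a readable AndroidManifest.xml); `aapt dump permissions app.apk` prints the same list if you only want the names. Note that `BIND_VPN_SERVICE` appears on the `<service>` element, not as a `uses-permission`, which is why it is correctly absent from the audit output.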

Satellite Magnate Argues Post-Brexit Britain Will Be 'Lost In Space'

Sat, 03/09/2019 - 08:04
PolygamousRanchKid quotes the BBC: Will Marshall's "Planet" company operates the world's largest satellite imaging network, with 150 spacecraft able to fully picture Earth on a daily basis. He warns EU withdrawal will do immense harm to Britain's space industry. The UK will be "lost in space", he says. The UK Space Agency responded by saying home businesses had a positive outlook. The most recent survey of confidence across the sector found that three-quarters of organisations expected growth over the next three years, it added. Dr Marshall holds particular scorn for the UK government's actions on Galileo, the EU version of the Global Positioning System (GPS). Ministers have decided to walk away from the project because Brussels says a future Britain, as a "third country" outside the EU, cannot be involved in the system's most secure elements — this despite the UK having already invested £1.5bn in Galileo. London says it will build its own sat-nav system instead, but Dr Marshall calls this a "pie in the sky" plan that has significant economic and security implications.

North Korea Amassed Cryptocurrency Through Hacking, Says UN Panel

Fri, 03/08/2019 - 18:20
North Korea has used cyberattacks and blockchain technology to circumvent economic sanctions and obtain foreign currency, according to a panel of experts reporting to the U.N. Security Council. From a report: Pyongyang has amassed around $670 million in foreign and virtual currency through cyberthefts, using blockchain technology to cover its tracks, the panel told the Security Council's North Korea sanctions committee in its annual report, Nikkei has learned. It is the first time the panel has given details on how North Korea obtains foreign currency through cyberattacks. In its report, the panel recommended that member states "enhance their ability to facilitate robust information exchange on the cyberattacks by the Democratic People's Republic of Korea with other governments and with their own financial institutions," to detect and prevent attempts by North Korea to evade sanctions. The full report obtained by Nikkei, which has been approved by Security Council members for publication next week, says North Korea waged cyberattacks on overseas financial institutions from 2015 to 2018.

Hard Disks Can Be Turned Into Listening Devices, Researchers Find

Fri, 03/08/2019 - 15:30
Researchers from the University of Michigan and Zhejiang University in China have found that hard disk drives can be turned into listening devices, using malicious firmware and signal processing calculations. The Register reports: For a study titled "Hard Drive of Hearing: Disks that Eavesdrop with a Synthesized Microphone," computer scientists Andrew Kwong, Wenyuan Xu, and Kevin Fu describe an acoustic side-channel that can be accessed by measuring how sound waves make hard disk parts vibrate. "Our research demonstrates that the mechanical components in magnetic hard disk drives behave as microphones with sufficient precision to extract and parse human speech," their paper, obtained by The Register ahead of its formal publication, stated. "These unintentional microphones sense speech with high enough fidelity for the Shazam service to recognize a song recorded through the hard drive." The team's research work, scheduled to be presented in May at the 2019 IEEE Symposium on Security and Privacy, explores how it's possible to alter HDD firmware to measure the offset of a disk drive's read/write head from the center of the track it's seeking. The offset is referred to as the Positional Error Signal (PES) and hard drives monitor this signal to keep the read/write head in the optimal position for reading and writing data. PES measurements must be very fine because drive heads can only be off by a few nanometers before data errors arise. The sensitivity of the gear, however, means human speech is sufficient to move the needle, so to speak. Vibrations from HDD parts don't yield particularly good sound, but with digital filtering techniques, human speech can be discerned, given the right conditions. "Flashing HDD firmware is a prerequisite for the snooping [...] because the ATA protocol does not expose the PES," The Register reports.
"To exfiltrate captured data, the three boffins suggest transmitting it over the internet by modifying Linux operating system files to create a reverse shell with root privileges or storing it to disk for physical recovery at a later date." The researchers note that this technique does require a fairly loud conversation to take place near the eavesdropping hard drive. "To record comprehensible speech, the conversation had to reach 85 dBA, with 75 dBA being the low threshold for capturing muffled sound," the report says. "To get Shazam to identify recordings captured through a hard drive, the source file had to be played at 90 dBA. Which is pretty loud. Like lawn mower or food blender loud."

Citrix Discloses Security Breach of Internal Network

Fri, 03/08/2019 - 12:50
Citrix disclosed today a security breach during which hackers accessed the company's internal network. In a short statement posted on its blog, Citrix Chief Security Information Officer Stan Black said Citrix found out about the hack from the FBI earlier this week. From a report: "On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cyber criminals gained access to the internal Citrix network," Black said. "While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security," the Citrix exec added. Black said hackers accessed and downloaded business documents, but Citrix wasn't able to identify what specific documents had been stolen at the time of his announcement today.
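Detection logic for the pattern the FBI suspected here: one source trying a handful of common passwords against many accounts, which stays under per-account lockout thresholds that a conventional brute-force rule relies on. This is an added example, not Citrix's or the FBI's code; the log format, window and thresholds are assumptions, and the log lines are constructed.

```python
"""Password-spray detector over authentication log lines.
Added example; LINE format, window and thresholds are assumed, the log is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"], "user": m["user"], "result": m["result"],
    }


def detect_spray(lines, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Flag a source that, inside `window`, failed against at least `min_users`
    distinct accounts while never exceeding `max_per_user` tries on any one of them.
    A classic brute force (many tries, one user) does not match this rule, and a
    per-account lockout never fires on a spray, which is why a separate rule is needed.
    Any later success from the same source is reported as a probable foothold."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until the span fits
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                spray_start = fails[start]["ts"]
                footholds = sorted({e["user"] for e in evs
                                    if e["result"] == "OK" and e["ts"] >= spray_start})
                alerts.append({
                    "src": src, "users": sorted(per_user),
                    "first": spray_start, "last": fails[end]["ts"],
                    "footholds": footholds,
                })
                break  # one alert per source; the first window that qualifies
    return alerts


# Constructed sample: a normal login, a spray that later succeeds, and a brute force.
SAMPLE_LOG = """\
2019-03-05T09:00:01Z auth src=192.0.2.10 user=alice result=OK
2019-03-05T09:01:10Z auth src=198.51.100.23 user=alice result=FAIL
2019-03-05T09:01:12Z auth src=198.51.100.23 user=bob result=FAIL
2019-03-05T09:01:15Z auth src=198.51.100.23 user=carol result=FAIL
2019-03-05T09:01:17Z auth src=198.51.100.23 user=dave result=FAIL
2019-03-05T09:01:20Z auth src=198.51.100.23 user=erin result=FAIL
2019-03-05T09:01:22Z auth src=198.51.100.23 user=frank result=FAIL
2019-03-05T09:20:30Z auth src=198.51.100.23 user=frank result=OK
2019-03-05T09:05:00Z auth src=203.0.113.9 user=bob result=FAIL
2019-03-05T09:05:01Z auth src=203.0.113.9 user=bob result=FAIL
2019-03-05T09:05:02Z auth src=203.0.113.9 user=bob result=FAIL
2019-03-05T09:05:03Z auth src=203.0.113.9 user=bob result=FAIL
2019-03-05T09:05:04Z auth src=203.0.113.9 user=bob result=FAIL
2019-03-05T09:05:05Z auth src=203.0.113.9 user=bob result=FAIL
2019-03-05T09:05:06Z auth src=203.0.113.9 user=bob result=FAIL
2019-03-05T09:05:07Z auth src=203.0.113.9 user=bob result=FAIL
"""
```

Keying on the source address is the simplest form; a sprayer that rotates through a proxy pool defeats it, so production rules usually also key on user-agent, ASN or the distinct-users count across all sources, and correlate any later success (the "foothold" field here) back to the spray.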

Woman Wins $10,000 For Reading Fine Print of Terms and Conditions of Travel Insurance Policy

Fri, 03/08/2019 - 12:10
Georgia high school teacher Donelan Andrews won a $10,000 reward after she closely read the terms and conditions that came with a travel insurance policy she purchased for a trip to England. Squaremouth, a Florida insurance company, had inserted language promising a reward to the first person who emailed the company. NPR reports: "We understand most customers don't actually read contracts or documentation when buying something, but we know the importance of doing so," the company said. "We created the top-secret Pays to Read campaign in an effort to highlight the importance of reading policy documentation from start to finish." Not every company is so generous. To demonstrate the importance of reading the fine print, many companies don't give; they take. The mischievous clauses tend to pop up from time to time, usually in cheeky England. The report continues to highlight a number of different cases where companies have intentionally inserted unusual clauses into their terms of service, knowing people wouldn't read them. Here's one such case: A few years earlier, several Londoners agreed (presumably inadvertently) to give away their oldest child in exchange for Wi-Fi access. Before they could get on the Internet, users had to check a box agreeing to "assign their first born child to us for the duration of eternity." According to the Guardian, six people signed up, but the company providing the Wi-Fi said the clause likely wouldn't be enforceable in a court of law. "It is contrary to public policy to sell children in return for free services," the company explained.

Google: Chrome Zero-Day Was Used Together With a Windows 7 Zero-Day

Fri, 03/08/2019 - 09:25
Google said this week that a Chrome zero-day the company patched last week was actually used together with a second one, a zero-day impacting the Microsoft Windows 7 operating system. From a report: The two zero-days were part of ongoing cyber-attacks that Clement Lecigne, a member of Google's Threat Analysis Group, discovered last week on February 27. The attackers were using a combination of Chrome and Windows 7 zero-days to execute malicious code and take over vulnerable systems. The company revealed the true severity of these attacks in a blog post this week. Google said that Microsoft is working on a fix, but did not give out a timeline. The company's blog post brings more clarity to a confusing timeline of events that started last Friday, March 1, when Google released Chrome 72.0.3626.121, a new Chrome version that included one solitary security fix (CVE-2019-5786) for Chrome's FileReader -- a web API that lets websites and web apps read the contents of files stored on the user's computer.

Machine Learning Can Use Tweets To Spot Critical Security Flaws

Fri, 03/08/2019 - 08:45
Researchers at Ohio State University, the security company FireEye, and research firm Leidos last week published a paper [PDF] describing a new system that reads millions of tweets for mentions of software security vulnerabilities, and then, using their machine-learning-trained algorithm, assesses how much of a threat they represent based on how they're described. From a report: They found that Twitter can not only predict the majority of security flaws that will show up days later on the National Vulnerability Database -- the official register of security vulnerabilities tracked by the National Institute of Standards and Technology -- but that they could also use natural language processing to roughly predict which of those vulnerabilities will be given a "high" or "critical" severity rating with better than 80 percent accuracy. "We think of it almost like Twitter trending topics," says Alan Ritter, an Ohio State professor who worked on the research and will be presenting it at the North American Chapter of the Association for Computational Linguistics in June. "These are trending vulnerabilities." A work-in-progress prototype they've put online, for instance, surfaces tweets from the last week about a fresh vulnerability in MacOS known as "BuggyCow," as well as an attack known as SPOILER that could allow webpages to exploit deep-seated vulnerabilities in Intel chips. Neither of the attacks, which the researchers' Twitter scanner labeled "probably severe," has shown up yet in the National Vulnerability Database.

Over 800 Million Emails Leaked Online By Email Verification Service

Fri, 03/08/2019 - 05:00
Security researchers Bob Diachenko and Vinny Troia discovered an unprotected MongoDB database containing 150GB of detailed, plaintext marketing data -- including hundreds of millions of unique email addresses. An anonymous Slashdot reader shares Diachenko's findings, which were made public today: On February 25th, 2019, I discovered a non-password protected 150GB-sized MongoDB instance. This is perhaps the biggest and most comprehensive email database I have ever reported. Upon verification I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection. Some of the data was much more detailed than just the email address and included personally identifiable information (PII). This database contained four separate collections of data and combined was an astounding 808,539,939 records. As part of the verification process I cross-checked a random selection of records with Troy Hunt's HaveIBeenPwned database. Based on the results, I came to the conclusion that this is not just another "Collection" of previously leaked sources but a completely unique set of data. Although not all records contained the detailed profile information about the email owner, a large amount of records were very detailed. We are still talking about millions of records. In addition to the email databases, this unprotected Mongo instance also uncovered details on the possible owner of the database -- a company named "Verifications.io" -- which offered the services of "Enterprise Email Validation." Unfortunately, it appears that once emails were uploaded for verification they were also stored in plain text. Once I reported my discovery to Verifications.io the site was taken offline and is currently down at the time of this publication.

Huawei Sues the US In Pushback Against Security Risk Claims

Thu, 03/07/2019 - 17:23
hackingbear writes: A suit filed by Huawei in Texas, where an American subsidiary is located, this week is the latest maneuver in the Chinese telecommunications giant's global offensive against American pressure and persistent criticisms that it poses a national security risk. The company's lawsuit contends that the law which bans Huawei equipment without evidence and trial is a violation of the U.S. Constitution. The U.S. also argues that Huawei poses an unacceptable security risk due to its ties with the Chinese government, though a 2003 due-diligence review by Motorola during merger talks found Huawei was independent (Warning: source paywalled) of the Chinese government or military (the merger failed after the Motorola board thought the $7.5 billion price tag for Huawei was too high). In the lawsuit announcement, Huawei Chairman Guo Ping also accused U.S. agencies of hacking Huawei servers and stealing emails and source code. In a similar case, China's Sanyi sued the Obama administration and forced CFIUS to determine that the company's acquisitions "have not raised national security objections."