Slashdot security articles

Facebook Co-founder Chris Hughes Says Libra Will Empower Corporations and Weaken Developing Countries, Urges Global Regulators To Act Now

Fri, 06/21/2019 - 12:05
In May, Facebook co-founder Chris Hughes shocked many when he expressed grave concerns about Facebook's CEO, its business and its impact on the world. He went as far as suggesting that Facebook should be broken up. Now Hughes has another interesting remark to share: he has warned that Facebook's newly announced digital currency, Libra, would shift monetary power to corporate giants. In an op-ed he wrote today: If even modestly successful, Libra would hand over much of the control of monetary policy from central banks to these private companies, which also include Visa, Uber, and Vodafone. If global regulators don't act now, it could very soon be too late. I've been a cryptocurrency sceptic, believing that the instability and regulatory challenges are just too sizeable. But Libra is different because it is a "stablecoin", with a value pegged to a basket of currencies and other assets. Anyone, whether they use Facebook or not, can buy in with a local currency and cash back out at any time. Vital decisions about Libra's administration, security and underlying assets will be made by the Switzerland-based Libra Association -- essentially Facebook and its largely corporate partners. To avoid complaints that setting up this coin would give a single company dangerous powers, Facebook has smartly limited itself to a single vote on the commission. That doesn't make the prospect of Libra's success any less frightening. This currency would insert a powerful new corporate layer of monetary control between central banks and individuals. Inevitably, these companies will put their private interests -- profits and influence -- ahead of public ones. [...] The Libra Association's goals specifically say that ability will encourage "decentralised forms of governance." 
In other words, Libra will disrupt and weaken nation states by enabling people to move out of unstable local currencies and into a currency denominated in dollars and euros and managed by corporations. The Libra Association promises to choose stable currencies and assets unlikely to suffer inflationary crises. The sponsors are right that a liquid, stable currency would be attractive to many in emerging markets. So attractive, in fact, that if enough people trade out of their local currencies, they could threaten the ability of emerging market governments to control their monetary supply, the local means of exchange, and, in some cases, their ability to impose capital controls.

WeTransfer Shared Its Users' Files With the Wrong People

Fri, 06/21/2019 - 10:50
WeTransfer, a popular online service to transfer and share files, has informed some of its customers of a security incident that resulted in it sending emails with download links to the wrong recipients. BetaNews reports: In the email to customers, WeTransfer said: "We are writing to let you know about a security incident in which a number of WeTransfer service emails were sent to the wrong people. This happened on June 16th and 17th. Our team has been working tirelessly to correct and contain this situation and find out how it happened. We have learned that a transfer you sent or received was also delivered to some people it was not meant to go to. Our records show those files have been accessed, but almost certainly by the intended recipient. Nevertheless, as a precaution we blocked the link to prevent further downloads."

US Blacklists More Chinese Tech Companies Over National Security Concerns

Fri, 06/21/2019 - 10:10
The Trump administration added five Chinese entities to a United States blacklist on Friday, further restricting China's access to American technology and stoking already high tensions as President Trump and President Xi Jinping of China prepare to meet in Japan next week. From a report: The Commerce Department announced that it would add four Chinese companies and one Chinese institute to an "entity list," saying they posed risks to American national security or foreign policy interests. The move essentially bars the entities, which include one of China's leading supercomputer makers, Sugon, and a number of its subsidiaries set up to design microchips, from buying American technology and components without a waiver from the United States government. The move could all but cripple these Chinese businesses, which rely on American chips and other technology to manufacture advanced electronics. Those added to the entity list also include Higon, Chengdu Haiguang Integrated Circuit, Chengdu Haiguang Microelectronics Technology, and Wuxi Jiangnan Institute of Computing Technology, which lead China's development of high performance computing, some of which is used in military applications like simulating nuclear explosions, the Commerce Department said. Each of the aforementioned companies does business under a variety of other names.

Gmail Confidential Mode is Neither Secure Nor Private

Fri, 06/21/2019 - 08:10
Even though Google launched confidential mode over a year ago, people are still confused about what it does. Is it actually secure or private? Is it encrypted? From a report: When you turn it on, does it prevent Google from reading your messages? The answer to these questions is 'no.' In fact, the decision to call it "confidential" suggests a level of security and privacy that doesn't exist in Gmail confidential mode. Gmail's confidential mode does not mean your messages are end-to-end encrypted. Google can still read them. Expiring messages aren't erased for good, and the recipient can always take a screenshot of your message. Gmail's confidential mode does not make emails private because Google can always read them. When you send an email with confidential mode turned on, Google keeps the email contents on its servers. Other Gmail users can read the email in their inbox, but outside users only receive an email notifying them that a sender "has sent you an email via Gmail confidential mode" along with a link to a page on google.com.

Philips Hue Company Announces Lights That Beam Data At 250 Mbps

Thu, 06/20/2019 - 17:45
"Signify, the company formerly known as Philips Lighting that produces Hue-branded smart lights, has announced a new range of internet-transmitting Li-Fi lights called Truelifi," reports The Verge. The lights are capable of transmitting data to devices at speeds of up to 150 Mbps using light waves, rather than the radio signals used by 4G or Wi-Fi. The technology, which can be retrofitted into existing lighting, "can also be used to wirelessly connect two fixed points with data speeds of up to 250 Mbps." From the report: Li-Fi technology has been around for years but so far it's failed to take off. Most internet-connected devices like laptops and smartphones need an external adapter to receive data over Li-Fi, and even then the signal can be blocked when the receiver is in shadow. Signify says you'll need to plug a USB access key into a laptop to receive a Li-Fi signal from its Truelifi products. In the right circumstances, however, Li-Fi's use of light rather than radio signals to transmit data has its advantages. For example, it can be used in areas where there might be a lot of radio frequency interference, or in places like hospitals where RF could interfere with sensitive machines. While Li-Fi signals can be easily blocked, this disadvantage can be a boon to security applications since you have a lot more control over where the network spreads.

Facebook Usage Has Collapsed After Privacy Scandals, Data Shows

Thu, 06/20/2019 - 16:02
mrspoonsi shares a report from the Guardian: Facebook usage has plummeted over the last year, according to data seen by the Guardian, though the company says usage by other measures continues to grow. Since April 2018, the first full month after news of the Cambridge Analytica scandal broke in the Observer, actions on Facebook such as likes, shares and posts have dropped by almost 20%, according to the business analytics firm Mixpanel. Taking that month as a baseline, total actions fell by more than 10% within a month, recovered a bit over the summer and then fell again over the autumn and winter of 2018, except for a brief rally over the period of the U.S. midterm elections. The decline coincided with a series of data, privacy and hate speech scandals. In September the company discovered a breach affecting 50 million accounts, in November it admitted that an executive hired a PR firm to attack the philanthropist George Soros, and it has been repeatedly criticized for allowing its platform to be used to fuel ethnic cleansing in Myanmar. "On top of that, Facebook has continued to lose younger users, who are spreading their time and attention across other social platforms and digital activities," eMarketer said.

Google Admits Bug Could Let People Spy On Nest Cameras

Thu, 06/20/2019 - 15:20
Google on Thursday confirmed that a bug in its Nest security cameras could have allowed users to be spied on. The Daily Dot reports: The issue was first raised by a user on Facebook who recently sold his Nest Cam Indoor yet was still able to access its feed. The problem involves Wink, an app that lets people manage multiple smart devices regardless of their developer. The Facebook user noted that despite carrying out a factory reset on his Nest camera before selling it, his Wink account remained connected to the device, allowing him to view snapshots of the buyer's live feed. Wirecutter tested the vulnerability on its own Nest Cam by linking it to a Wink account and then performing a factory reset. The publication also found it was receiving "a series of still images snapped every several seconds" via its Wink account. "In simpler terms: If you buy and set up a used Nest indoor camera that has been paired with a Wink hub, the previous owner may have unfettered access to images from that camera," Wirecutter says. "And we currently don't know of any cure for this problem." Google responded to the report and said it has fixed the problem. "We were recently made aware of an issue affecting some Nest cameras connected to third-party partner services via Works with Nest," a spokesperson told Wirecutter. "We've since rolled out a fix for this issue that will update automatically, so if you own a Nest camera, there's no need to take any action."

Firefox Zero-Day Was Used In Attack Against Coinbase Employees, Not Its Users

Thu, 06/20/2019 - 08:01
An anonymous reader writes: A recent Firefox zero-day that has made headlines across the tech news world this week was actually used in attacks against Coinbase employees, and not the company's users. Furthermore, the attacks used not one, but two Firefox zero-days, according to Philip Martin, a member of the Coinbase security team, which reported the attacks to Mozilla. One was an RCE reported by a Google Project Zero security researcher to Mozilla in April, and the second was a sandbox escape that was spotted in the wild by the Coinbase team together with the RCE, on Monday. The question here is how an attacker managed to get hold of the details for the RCE vulnerability and use it for his attacks after the vulnerability was privately reported to Mozilla by Google. The attacker could have found the Firefox RCE on his own, he could have bribed a Mozilla/Google insider, hacked a Mozilla/Google employee and viewed details about the RCE, or hacked Mozilla's bug tracker, like another attacker did in 2015.

Oracle Issues Emergency Update To Patch Actively Exploited WebLogic Flaw

Wed, 06/19/2019 - 14:10
An anonymous reader quotes a report from Ars Technica: Oracle on Tuesday published an out-of-band update patching a critical code-execution vulnerability in its WebLogic server after researchers warned that the flaw was being actively exploited in the wild. The vulnerability, tracked as CVE-2019-2729, allows an attacker to run malicious code on the WebLogic server without any need for authentication. That capability earned the vulnerability a Common Vulnerability Scoring System score of 9.8 out of 10. The vulnerability is a deserialization attack targeting two Web applications that WebLogic appears to expose to the Internet by default -- wls9_async_response and wls-wsat.war. The flaw in Oracle's WebLogic Java application servers came to light as a zero-day four days ago when it was reported by security firm KnownSec404.
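The article names the two applications that carry the deserialization surface but leaves the reader to work out whether their own servers expose them. The script below is an added example (not Oracle's or Ars Technica's code) that runs simple detection logic over reverse-proxy access logs in front of WebLogic: a GET answered with 2xx on either context shows the application is deployed and reachable, and a POST to either context is what an exploit attempt looks like in the log. The page only names the war files, wls9_async_response and wls-wsat.war; the context paths `/_async/` and `/wls-wsat/` used here are this example's assumption about where WebLogic mounts them and should be confirmed against your domain's deployment list. The log lines are constructed for the example.

```python
"""Flag access-log requests aimed at the two WebLogic applications named in the advisory.

Added example, not Oracle's or Ars Technica's code. The context paths /_async/
and /wls-wsat/ are this example's assumption about where WebLogic mounts
wls9_async_response and wls-wsat.war; confirm them against your own domain.
The log lines are constructed for the example.
"""
import re
from typing import Dict, List, Optional

# Assumed context roots of the two applications named in the advisory.
SUSPECT_PREFIXES = ("/_async/", "/wls-wsat/")

# NCSA "combined" format as written by a reverse proxy in front of WebLogic.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Label one parsed request, or return None when it is outside the suspect contexts."""
    path = entry["path"].split("?", 1)[0]
    if not path.startswith(SUSPECT_PREFIXES):
        return None
    if entry["method"] == "POST":
        # The deserialization flaw is reached through a SOAP POST body, so a
        # POST to either context from outside deserves review whatever the status.
        return "possible-exploit-attempt"
    if entry["status"].startswith("2"):
        # A 2xx on a GET shows the application is deployed and reachable, i.e.
        # the default-exposed surface the article describes is present.
        return "exposed-endpoint"
    return "probe"


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return every suspect request with its label attached."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append({**entry, "finding": label})
    return findings


# Constructed sample: one ordinary console request, a GET and a POST against
# the async context, a probe of the WS-AT context, and a malformed line.
SAMPLE_LOG = [
    '192.0.2.5 - - [18/Jun/2019:02:59:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Jun/2019:03:12:44 +0000] "GET /_async/AsyncResponseService HTTP/1.1" 200 1450 "-" "python-requests/2.21"',
    '203.0.113.7 - - [18/Jun/2019:03:12:45 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0 "-" "python-requests/2.21"',
    '198.51.100.23 - - [18/Jun/2019:03:40:10 +0000] "GET /wls-wsat/CoordinatorPortType HTTP/1.1" 404 215 "-" "curl/7.64.0"',
    'not an access-log line',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["ts"]} {f["ip"]} {f["method"]} {f["path"]} -> {f["finding"]}')
```

The script tells you what is reachable and who has been poking at it, not whether the out-of-band patch has been applied; a 2xx on a GET after patching still means the application is deployed, so pair this with Oracle's patch-level check for the installation.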

How Secure Are Zip Files? Senator Wyden Asks NIST To Develop Standards For Safely Sending and Receiving Files

Wed, 06/19/2019 - 12:14
Federal workers and the public in general might be mistaken about the security of .zip files, Sen. Ron Wyden said on Wednesday [PDF], and he's asking the National Institute of Standards and Technology to issue guidance on the best way to send sensitive files over the internet. Wyden wrote: Government agencies routinely share and receive sensitive data through insecure methods -- such as emailing .zip files -- because employees are not provided the tools and training to do so safely. As you know, it is a routine practice in the government, and indeed the private sector, to send by email password-protected .zip files containing sensitive documents. Many people incorrectly believe that password-protected .zip files can protect sensitive data. Indeed, many password-protected .zip files can be easily broken with off-the-shelf hacking tools. This is because many of the software programs that create .zip files use a weak encryption algorithm by default. While secure methods to protect and share data exist and are freely available, many people do not know which software they should use. Given the ongoing threat of cyber attacks by foreign state actors and high-profile data breaches, this is a potentially catastrophic national security problem that needs to be fixed. The government must ensure that federal workers have the tools and training they need to safely share sensitive data. To address this problem, I ask that NIST create and publish an easy-to-understand guide describing the best way for individuals and organizations to securely share sensitive data over the internet.
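The letter says many archivers use a weak algorithm by default but does not say how to tell which algorithm a given archive used. The script below is an added example, not NIST's or the senator's material, that reads the archive's central directory and classifies each entry. It relies on two facts the page does not state: the original ZIP "traditional" encryption (ZipCrypto, a PKWARE stream cipher with a long-known plaintext attack) is the weak default being referred to, and the common stronger alternative, the WinZip AES scheme, marks an encrypted entry with compression method 99 plus a 0x9901 extra field recording the key size. The sample entries are constructed in code because Python's zipfile module cannot write encrypted entries.

```python
"""Report which entries in a .zip rely on legacy ZipCrypto rather than AES.

Added example accompanying the Wyden letter; not NIST or Senate material.
Facts assumed (not stated on the page): ZipCrypto is the weak legacy default;
the WinZip AES scheme uses compression method 99 and a 0x9901 extra field.
"""
import struct
import zipfile
from typing import Dict, List

FLAG_ENCRYPTED = 0x0001          # general-purpose bit 0: entry is encrypted
FLAG_STRONG_ENCRYPTION = 0x0040  # general-purpose bit 6: PKWARE "strong encryption"
METHOD_WINZIP_AES = 99           # compression method used as the WinZip AES marker
AES_EXTRA_ID = 0x9901            # WinZip AES extra-field header ID


def aes_key_bits(extra: bytes) -> int:
    """Walk the extra-field list; return the AES key size from the 0x9901 record, or 0."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 7:
            # body layout: vendor version (2), vendor ID "AE" (2), strength (1), real method (2)
            return {1: 128, 2: 192, 3: 256}.get(body[4], 0)
        pos += 4 + size
    return 0


def classify_entry(info: zipfile.ZipInfo) -> str:
    """Name the protection applied to one central-directory entry."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "plaintext"
    if info.compress_type == METHOD_WINZIP_AES:
        bits = aes_key_bits(info.extra)
        return f"aes-{bits}" if bits else "aes-unknown"
    if info.flag_bits & FLAG_STRONG_ENCRYPTION:
        return "pkware-strong"
    return "zipcrypto"  # traditional PKWARE stream cipher: breakable, treat as unprotected


def audit_entries(infos: List[zipfile.ZipInfo]) -> Dict[str, List[str]]:
    """Group entry names by protection class."""
    report: Dict[str, List[str]] = {}
    for info in infos:
        report.setdefault(classify_entry(info), []).append(info.filename)
    return report


def audit_file(path: str) -> Dict[str, List[str]]:
    """Audit an archive on disk; only the central directory is read, no password needed."""
    with zipfile.ZipFile(path) as zf:
        return audit_entries(zf.infolist())


def weakly_protected(report: Dict[str, List[str]]) -> List[str]:
    """Entries a reviewer should treat as effectively unencrypted."""
    return report.get("plaintext", []) + report.get("zipcrypto", [])


def sample_entries() -> List[zipfile.ZipInfo]:
    """Constructed entries mimicking what three different archivers would write."""
    plain = zipfile.ZipInfo("readme.txt")       # stored without a password
    legacy = zipfile.ZipInfo("budget.xlsx")     # "password-protected" with ZipCrypto
    legacy.flag_bits |= FLAG_ENCRYPTED
    legacy.compress_type = zipfile.ZIP_DEFLATED
    strong = zipfile.ZipInfo("contracts.pdf")   # WinZip AE-2 with AES-256
    strong.flag_bits |= FLAG_ENCRYPTED
    strong.compress_type = METHOD_WINZIP_AES
    strong.extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, zipfile.ZIP_DEFLATED)
    return [plain, legacy, strong]


if __name__ == "__main__":
    for cls, names in audit_entries(sample_entries()).items():
        print(f"{cls:12} {', '.join(names)}")
```

Two caveats a practitioner should keep in mind: the classification names the cipher, not the password quality, so an AES-256 archive with a guessable password is still weak; and even the AES scheme leaves file names, sizes and timestamps unencrypted in the central directory, which is why an archive format is a poor substitute for an end-to-end encrypted transfer channel.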

Cloudflare Announces an Ethereum Gateway

Wed, 06/19/2019 - 08:10
Internet security provider Cloudflare is introducing the Ethereum Gateway to its Distributed Web Gateway toolbox enabling users to interact with the Ethereum network without installing any software. From a report: This is part of Cloudflare's Distributed Web Gateway project to expand the decentralized web ecosystem and enhance its reliability, speed, and ease of use. Instead of downloading and cryptographically verifying hundreds of gigabytes of data -- an impossible task for low-power devices and those with low technical barriers to entry -- the gateway enables any device with web access to interact with the Ethereum network. This setup will make it possible to explore the blockchain and add interactive elements to sites powered by Ethereum smart contracts. In fact, the gateway gives people the ability to put new contracts on Ethereum without having to run a node, because Cloudflare will take a signed transaction and push it to the network thereby allowing miners to cryptographically add it. Despite the value Cloudflare brings to gateway clients, the service is completely free. Nick Sullivan, Cloudflare's Head of Cryptography, explains that the program "leverages the existing Cloudflare network, which already provides a number of free services."

House Lawmakers Demand End To Warrantless Collection of Americans' Data

Tue, 06/18/2019 - 15:20
Two House lawmakers are pushing an amendment that would effectively defund a massive data collection program run by the National Security Agency unless the government promises to not intentionally collect data of Americans. TechCrunch reports: The bipartisan amendment -- just 15 lines in length -- would compel the government to not knowingly collect communications -- like emails, messages and browsing data -- on Americans without a warrant. Reps. Justin Amash (R-MI, 3rd) and Zoe Lofgren (D-CA, 19th) have already garnered the support from some of the largest civil liberties and rights groups, including the ACLU, the EFF, FreedomWorks, New America and the Sunlight Foundation. Under the current statute, the NSA can use its Section 702 powers to collect and store the communications of foreign targets located outside the U.S. by tapping into the fiber cables owned and run by U.S. telecom giants. But this massive data collection effort also inadvertently vacuums up Americans' data, who are typically protected from unwarranted searches under the Fourth Amendment. The government has consistently declined to release the number of Americans caught up in the NSA's data collection. For the 2018 calendar year, the government said it made more than 9,600 warrantless searches of Americans' communications, up 28% year-over-year.

Amazon's Ring May Be Branching Out Beyond Outdoor Cameras

Tue, 06/18/2019 - 07:20
The Amazon panopticon may soon be getting a few new eyes. From a report: In February 2018, Amazon paid $1 billion to acquire Ring, the connected-camera doorbell company whose founder was once rejected on Shark Tank. Since then, Ring has been integrated with other Amazon services, allowing live feeds from its devices on Amazon Echo Shows and leading to new products such as smart floodlights. Ring has also helped Amazon to flesh out its rather creepy Key service, where users with Ring doorbells (and other connected products) can choose to let people and deliveries into their homes remotely. Ring has also been building up its Neighbors app, which allows Ring users to share their camera footage with people who live nearby, allowing them to see if they believe any crimes have been committed nearby. Ring has also forged partnerships with more than 50 police departments, leading to communities that are effectively surveilled by the police, through the camera company owned by the US's largest e-commerce company. Amazon is apparently not stopping there with its one-stop viewing. The company recently received trademarks, uncovered by Quartz, for multiple products that bear the Ring name, including Ring Beams, Ring Halo, and Ring Net. All three trademarks are listed as covering a range of uses, many matching what Ring products currently offer, including internet-connected security cameras, alarm systems, lighting, and cloud video storage.

Linux PCs, Servers, Gadgets Can Be Crashed by 'Ping of Death' Network Packets

Mon, 06/17/2019 - 12:45
Artem S. Tashkinov writes: The Register reports that it is possible to crash network-facing Linux servers, PCs, smartphones and tablets, and gadgets, or slow down their network connections, by sending them a series of maliciously crafted packets. It is also possible to hamper FreeBSD machines with the same attack. Patches and mitigations are available, and can be applied by hand if needed, or you can wait for a security fix to be pushed or offered to your at-risk device. A key workaround is to set /proc/sys/net/ipv4/tcp_sack to 0. At the heart of the drama is a programming flaw dubbed SACK Panic aka CVE-2019-11477: this bug can be exploited to remotely crash systems powered by Linux kernel version 2.6.29 or higher, which was released 10 years ago.

Robocalls Are Overwhelming Hospitals and Patients, Threatening a New Kind of Health Crisis

Mon, 06/17/2019 - 12:05
An anonymous reader shares a report: In the heart of Boston, Tufts Medical Center treats scores of health conditions, from administering measles vaccines for children to pioneering next-generation tools that can eradicate the rarest of cancers. But doctors, administrators and other hospital staff struggled to contain a much different kind of epidemic one April morning last year: a wave of thousands of robocalls that spread, like a virus, from one phone line to the next, disrupting communications for hours to come. For most Americans, such robocalls represent an unavoidable digital-age nuisance, resulting in constant interruptions targeting their phones each month. For hospitals, though, the spam calls amount to a literal life-or-death challenge, one that increasingly is threatening doctors and patients in a setting where every second can count. At Tufts Medical Center, administrators registered more than 4,500 calls between about 9:30 and 11:30 a.m. on April 30, 2018, said Taylor Lehmann, the center's chief information security officer. Many of the messages seemed to be the same: Speaking in Mandarin, an unknown voice threatened deportation unless the person who picked up the phone provided their personal information. Such calls are common, widely documented scams that seek to swindle vulnerable foreigners, who may surrender their private data out of fear their families and homes are at risk. But it proved especially troubling at Tufts, which is situated amid Boston's Chinatown neighborhood, Lehmann said. Officials there couldn't block the calls through their telecom carrier, Windstream, which provides phone and web services to consumers and businesses. "There's nothing we could do," Lehmann said Windstream told them.

Google's Login Chief: Apple's Sign-In Button Is Better Than Using Passwords

Sun, 06/16/2019 - 11:34
After Apple announced a single sign-on tool last week, The Verge interviewed Google product management director Mark Risher. Though Google offers its own single sign-on tool, The Verge found him "surprisingly sunny about having a new button to compete with. While the login buttons are relatively simple, they're much more resistant to common attacks like phishing, making them much stronger than the average password -- provided you trust the network offering them." RISHER: I honestly do think this technology will be better for the internet and will make people much, much safer. Even if they're clicking our competitor's button when they're logging into sites, that's still way better than typing in a bespoke username and password, or more commonly, a recycled username and password... Usually with passwords they recommend the capital letters and symbols and all of that, which the majority of the planet believes is the best thing that they should do to improve their security. But it actually has no bearing on phishing, no bearing on password breaches, no bearing on password reuse. We think that it's much more important to reduce the total number of passwords out there... People often push back against the federated model, saying we're putting all our eggs into one basket. It sort of rolls off the tongue, but I think it's the wrong metaphor. A better metaphor might be a bank. There are two ways to store your hundred dollars: you could spread it around the house, putting one dollar in each drawer, and some under your mattress and all of that. Or you could put it in a bank, which is one basket, but it's a basket that is protected by 12-inch thick steel doors. That seems like the better option!

Security Cameras + AI = Dawn of Non-Stop Robot Surveillance

Sat, 06/15/2019 - 20:34
AmiMoJo shared this post from one of the ACLU's senior technology policy analysts about what happens when security cameras get AI upgrades: [I]magine that all that video were being watched -- that millions of security guards were monitoring them all 24/7. Imagine this army is made up of guards who don't need to be paid, who never get bored, who never sleep, who never miss a detail, and who have total recall for everything they've seen. Such an army of watchers could scrutinize every person they see for signs of "suspicious" behavior. With unlimited time and attention, they could also record details about all of the people they see -- their clothing, their expressions and emotions, their body language, the people they are with and how they relate to them, and their every activity and motion... The guards won't be human, of course -- they'll be AI agents. Today we're publishing a report on a $3.2 billion industry building a technology known as "video analytics," which is starting to augment surveillance cameras around the world and has the potential to turn them into just that kind of nightmarish army of unblinking watchers.... Many or most of these technologies will be somewhere between unreliable and utterly bogus. Based on experience, however, that often won't stop them from being deployed -- and from hurting innocent people... We are still in the early days of a revolution in computer vision, and we don't know how AI will progress, but we need to keep in mind that progress in artificial intelligence may end up being extremely rapid. We could, in the not-so-distant future, end up living under armies of computerized watchers with intelligence at or near human levels. These AI watchers, if unchecked, are likely to proliferate in American life until they number in the billions, representing an extension of corporate and bureaucratic power into the tendrils of our lives, watching over each of us and constantly shaping our behavior... 
Policymakers must contend with this technology's enormous power. They should prohibit its use for mass surveillance, narrow its deployments, and create rules to minimize abuse. They argue that the threat is just starting to emerge. "It is as if a great surveillance machine has been growing up around us, but largely dumb and inert -- and is now, in a meaningful sense, 'waking up.'"

These Are the Internet of Things Devices That Are Most Targeted By Hackers

Sat, 06/15/2019 - 14:34
ZDNet reports: Internet-connected security cameras account for almost half of the Internet of Things devices that are compromised by hackers even as homes and businesses continue to add these and other connected devices to their networks. Research from cybersecurity company SAM Seamless Network found that security cameras represent 47 percent of vulnerable devices installed on home networks. According to the data, the average U.S. household contains 17 smart devices while European homes have an average of 14 devices connected to the network... Figures from the security firm suggest that the average device is the target of an average of five attacks per day, with midnight the most common time for attacks to be executed -- it's likely that at this time of the night, the users will be asleep and not paying attention to devices, so won't be witness to a burst of strange behavior. The anonymous reader who submitted this story suggests a possible solution: government inspectors should examine every imported IoT device at the border. "The device gets rejected if it has non-essential ports open, hard-coded or generic passwords, no automated patching for at least four years, etc."

Vim and Neo Editors Vulnerable To High-Severity Bug

Sat, 06/15/2019 - 09:34
JustAnotherOldGuy quotes Threatpost: A high-severity bug impacting two popular command-line text editing applications, Vim and Neovim, allows remote attackers to execute arbitrary OS commands. Security researcher Armin Razmjou warned that exploiting the bug is as easy as tricking a target into clicking on a specially crafted text file in either editor. Razmjou outlined his research and created a proof-of-concept (PoC) attack demonstrating how an adversary can compromise a Linux system via Vim or Neovim. He said Vim versions before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution... Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, "allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline." "Beyond patching, it's recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelines plugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines," the researcher said.
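The hardening advice above (nomodeline, securemodelines, modelineexpr) protects the editor; a practitioner triaging files that arrive from outside, say an untrusted repository checkout, also wants a way to spot the modelines themselves. The scanner below is an added example, neither the researcher's proof of concept nor Vim project code. Vim only honours modelines in the first and last 'modelines' lines of a file (5 by default), so only those are inspected; a modeline is reported when it contains a source or shell command, or sets one of the expression-valued options that the modelineexpr setting mentioned above is meant to disallow (the option list here is partial; see :help 'modelineexpr' in Vim). The sample files are constructed, and the patterns are heuristics for review, not a proof of exploitability.

```python
"""Flag Vim modelines that could be abused the way CVE-2019-12735 was.

Added example; not the researcher's PoC and not Vim project code. Vim reads
modelines only from the first and last 'modelines' lines (default 5). The
option list is partial; see :help 'modelineexpr'. Samples are constructed.
"""
import re
from typing import Dict, List, Tuple

MODELINES = 5  # Vim default for the 'modelines' option

# [text]{white}{vi:|vim:|Vim:|ex:}[white]{options}, including "vim<700:"-style version prefixes.
MODELINE_RE = re.compile(r'(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):\s*(?P<body>.*)$')

# Patterns that amount to executing something from a modeline.
COMMAND_PATTERNS = [
    ("source command", re.compile(r'\bso(?:u(?:r(?:ce?)?)?)?\\?!')),  # :so! ... :source! (also escaped "\!")
    ("shell command", re.compile(r'(?:^|[:\s])!')),
    ("execute", re.compile(r'\bexe(?:cute)?\b')),
    ("system() call", re.compile(r'\bsystem\s*\(')),
]

# Options whose values are expressions; 'modelineexpr' (off by default from
# patch 8.1.1366) stops modelines from setting them. Partial list.
EXPR_OPTIONS = {
    "foldexpr", "fde", "foldtext", "fdt", "formatexpr", "fex",
    "includeexpr", "inex", "indentexpr", "inde", "statusline", "stl",
    "tabline", "tal", "rulerformat", "ruf", "balloonexpr", "bexpr",
    "titlestring", "iconstring",
}


def find_modelines(lines: List[str]) -> List[Tuple[int, str]]:
    """(1-based line number, modeline body) for the lines Vim would actually read."""
    n = len(lines)
    checked = sorted(set(range(min(n, MODELINES))) | set(range(max(0, n - MODELINES), n)))
    found = []
    for i in checked:
        m = MODELINE_RE.search(lines[i])
        if m:
            found.append((i + 1, m.group("body")))
    return found


def option_names(body: str) -> List[str]:
    """Option names set by a body in either the 'vi:opt:opt' or the 'set opt opt:' form."""
    text = re.sub(r'^se(?:t)?\s+', '', body)
    names = []
    for tok in re.split(r'[\s:]+', text):
        m = re.match(r'[a-z]+', tok)
        if m:
            names.append(m.group(0))
    return names


def assess(body: str) -> List[str]:
    """Reasons a modeline body deserves a look; empty list means nothing flagged."""
    reasons = [label for label, pat in COMMAND_PATTERNS if pat.search(body)]
    for name in option_names(body):
        if name in EXPR_OPTIONS:
            reasons.append(f"expression option '{name}'")
    return reasons


def scan_text(text: str) -> List[Dict[str, object]]:
    """Suspicious modelines in one file's contents."""
    findings = []
    for lineno, body in find_modelines(text.splitlines()):
        reasons = assess(body)
        if reasons:
            findings.append({"line": lineno, "modeline": body, "reasons": reasons})
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed samples: an ordinary indentation modeline, and two that should be flagged.
SAFE_FILE = "#!/usr/bin/env python3\nprint('hello')\n# vim: set ts=4 sw=4 et:\n"
SUSPECT_FILE = (
    "config = 1\n"
    "# vim: set fdm=expr fde=getline(v:lnum):\n"  # expression-valued option
    "# ex: so! ~/payload.vim\n"                    # sources a script on open
)

if __name__ == "__main__":
    for finding in scan_text(SUSPECT_FILE):
        print(finding)
```

The scanner is a triage aid, not a substitute for the fixes the researcher lists: an updated editor plus `set nomodeline` in the vimrc removes the attack surface regardless of what a file contains.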