Slashdot security articles


AMD Poses 'Major Challenge' to Intel's Server Leadership

Sat, 08/10/2019 - 11:34
Rob Enderle reports on the excitement at AMD's Epyc processor launch in San Francisco: I've been at a lot of AMD events, and up until this one, the general message was that AMD was almost as good as Intel but not as expensive. This year it is very different; Intel has stumbled badly, and AMD is moving to take the leadership role in the data center, so its message isn't that it is nearly as good but cheaper anymore; it is that it has better customer focus, better security and better performance. Intel's slip really was around trust, and as Intel seemed to abandon the processor segment, OEMs and customers lost faith, and AMD is capitalizing on that slip... AMD has always been relatively conservative, but Lisa Su, AMD's CEO, stated that the company has broken 80 performance records and that this new processor is the highest-performing one in the segment. This is one thing Lisa's IBM training helps validate; I went through that training myself and, at IBM, you aren't allowed to make false claims. AMD isn't making a false claim here. The new Epyc 2 is 64 cores and 128 threads and with PCIe generation 4, it has 128 lanes on top of its 7nm technology, which currently also appears to lead the market. Over the years the average performance for the data center chips, according to Su, has improved around 15% per year. The last generation of Epyc exceeded this when it launched, but just slightly. This new generation blows the curve out; instead of 15% year-over-year improvement, it is closer to 100%... Intel has had a number of dire security problems that it didn't disclose in a timely fashion, making their largest customers very nervous. AMD is going after this vulnerability aggressively and pointing to how they've uniquely hardened Epyc 2 so that customers that use it have few, if any, of the concerns they've had surrounding Intel parts. Part of this is jumping to more than 500 unique encryption keys tied to the platform.
Besides Google and Twitter, AMD's event also included announcements from Hewlett-Packard Enterprise, Dell, Cray, Lenovo, and Microsoft Azure. For example, Hewlett Packard Enterprise has three systems immediately available with AMD's new processor, the article reports, with plans to have 9 more within the next 12 months. And their CTO told the audience that their new systems have already broken 37 world performance records, and "attested to the fact that some of the most powerful supercomputers coming to market will use this processor, because it is higher performing," calling them the most secure in the industry and the highest-performing. "AMD came to play in San Francisco this week," Enderle writes. "I've never seen it go after Intel this aggressively and, to be frank, this would have failed had it not been for the massive third-party advocacy behind Epyc 2. I've been in this business since the mid-'80s, and I've never seen this level of advocacy for a new processor ever before. And it was critical that AMD set this new bar; I guess this was an extra record they set, but AMD can legitimately argue that it is the new market leader, at least in terms of both raw and price performance, in the HPC in the server segment. I think this also showcases how badly Intel is bleeding support after abandoning the IDF (Intel Developer Forum) conference."

New Spectre-like CPU Vulnerability Bypasses Existing Defenses

Sat, 08/10/2019 - 10:34
itwbennett writes: Researchers from security firm Bitdefender discovered and reported a year ago a new CPU vulnerability that 'abuses a system instruction called SWAPGS and can bypass mitigations put in place for previous speculative execution vulnerabilities like Spectre,' writes Lucian Constantin for CSO. There are three attack scenarios involving SWAPGS, the most serious of which 'can allow attackers to leak the contents of arbitrary kernel memory addresses. This is similar to the impact of the Spectre vulnerability.' Microsoft released mitigations for the vulnerability in July's Patch Tuesday, although details were withheld until August 6 when Bitdefender released its whitepaper and Microsoft published a security advisory.

Lawmakers, Intelligence Officials Welcomed To This Year's Def Con Conference

Sat, 08/10/2019 - 08:34
"Multiple members of congress, dozens of congressional staffers and members of the intelligence community are gathering in Las Vegas this weekend to rub shoulders with hackers at Def Con," reports CNN: Washington's embrace of the hacking community comes amid heightened awareness of the threat of cyber attacks in the wake of the 2016 US presidential election and lawmakers realizing they need to get to grips with technology, Phil Stupak, one of the organizers of Def Con's A.I. Village told CNN Business before the conference began... Hackers here are also demonstrating potential vulnerabilities in voting machines used by Americans. The convention's election village includes a room full of voting equipment where hackers can let loose... It will likely be the largest presence the government has had since before 2013, when, in the wake of NSA analyst Edward Snowden's leaks, Def Con founder Jeff Moss formally requested "the feds call a 'time-out' and not attend Def Con this year." But that has since smoothed over. "I think the record presence of both representative and administration reflect the reality that technology and security are built into our society," Moss told CNN Business. "We are trying to break down the barriers between the people in tech who know what they're doing and the people in Congress who know how to take that knowledge to make laws," said Stupak, who is also a fellow at Cyber Policy Initiative at the University of Chicago. Speaking at Def Con this year was the top cybersecurity official for America's Department of Homeland Security, who stressed the importance of backup paper ballots, as well as "auditability." Also attending Def Con is Senator Ron Wyden, who emphasized another important election safeguard to CNN: that no voting equipment should be connected to the internet.

Researchers Show How Europe's Data Protection Laws Can Dox People

Fri, 08/09/2019 - 16:03
An anonymous reader quotes a report from Motherboard: Europe's controversial privacy law, the General Data Protection Regulator -- better known as GDPR -- has been hailed by some as a solution to tech companies' pervasive data collection and tracking. What maybe no one saw coming is that GDPR can become another tool in the arsenal of enterprising and malicious social engineers, hackers, and people who want to dox and harass others. That's what Ph.D student and cybersecurity researcher James Pavur discovered when he and his fiancée -- and co-author on their paper -- Casey Knerr made an unusual wager about using GDPR's right of access requests -- a mechanism that allows Europeans to ask any company about what data they have on themselves -- with the goal of extracting sensitive information. Along with his fiancée Knerr, who also works in the infosec industry -- and with her full consent -- Pavur devised a clever, yet very simple experiment. He started with just Knerr's full name, a couple of email addresses, phone numbers, and any other low-hanging fruit that he could find online. In other words, "the weakest possible form of attack," as he put it in his paper. Then, he sent requests to 75 companies, and then to another 75 using the new data -- such as home addresses -- he found through the first wave of requests using an email address designed to look like that of Knerr. Thanks to these requests, Pavur was able to get his fiancée's Social Security Number, date of birth, mother's maiden name, passwords, previous home addresses, travel and hotel logs, high school grades, partial credit card numbers, and whether she had ever been a user of online dating services. "Pavur and Knerr said 25 percent of companies never responded. Two thirds of companies, including online data services, responded with enough information to reveal that Pavur's fiancée had an account with them.
Of those who responded, 25 percent provided sensitive data without properly verifying the identity of the sender. Another 15 percent requested data that could have easily been forged, while 40 percent requested identifying information that would've been relatively hard to fake, according to the study."

Hundreds of Exposed Amazon Cloud Backups Found Leaking Sensitive Data

Fri, 08/09/2019 - 14:10
An anonymous reader quotes a report from TechCrunch: New research just presented at the Def Con security conference reveals how companies, startups and governments are inadvertently leaking their own files from the cloud. You may have heard of exposed S3 buckets -- those Amazon-hosted storage servers packed with customer data but often misconfigured and inadvertently set to "public" for anyone to access. But you may not have heard about exposed EBS snapshots, which pose as much, if not a greater, risk. These elastic block storage (EBS) snapshots are the "keys to the kingdom," said Ben Morris, a senior security analyst at cybersecurity firm Bishop Fox, in a call with TechCrunch ahead of his Def Con talk. EBS snapshots store all the data for cloud applications. "They have the secret keys to your applications and they have database access to your customers' information," he said. Morris built a tool using Amazon's own internal search feature to query and scrape publicly exposed EBS snapshots, then attach it, make a copy and list the contents of the volume on his system. It took him two months to build up a database of exposed data and just a few hundred dollars spent on Amazon cloud resources. Once he validates each snapshot, he deletes the data. Morris found dozens of snapshots exposed publicly in one region alone, he said, including application keys, critical user or administrative credentials, source code and more. He found several major companies, including healthcare providers and tech companies. He also found VPN configurations, which he said could allow him to tunnel into a corporate network. Morris said he did not use any credentials or sensitive data, as it would be unlawful.
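The exposure described above comes from a snapshot's createVolumePermission attribute granting the "all" group. The following is an added example, not the article's or Bishop Fox's tool: it audits your own account for snapshots with that setting and can strip the public grant. The classification helpers are pure functions exercised on constructed API-shaped responses; the live audit assumes boto3 and credentials with ec2:DescribeSnapshots, ec2:DescribeSnapshotAttribute and ec2:ModifySnapshotAttribute.

```python
"""Audit an AWS account for EBS snapshots shared with every AWS account.

Added example (not from the article or Bishop Fox's tool). A snapshot whose
createVolumePermission list contains {"Group": "all"} can be copied by any
AWS account, which is the misconfiguration the Def Con research exploited.
"""
from typing import Callable, Dict, Iterable, List


def is_public(create_volume_permissions: Iterable[Dict]) -> bool:
    """True if the permission list grants the public group 'all'."""
    return any(p.get("Group") == "all" for p in create_volume_permissions)


def shared_account_ids(create_volume_permissions: Iterable[Dict]) -> List[str]:
    """Specific account IDs the snapshot is shared with (non-public sharing)."""
    return sorted(p["UserId"] for p in create_volume_permissions if "UserId" in p)


def classify_snapshots(snapshots: List[Dict],
                       attribute_lookup: Callable[[str], List[Dict]]) -> Dict[str, List[str]]:
    """Bucket snapshot IDs into 'public', 'shared' and 'private'.

    snapshots: items shaped like the 'Snapshots' list of DescribeSnapshots.
    attribute_lookup: callable(snapshot_id) -> CreateVolumePermissions list.
    """
    result: Dict[str, List[str]] = {"public": [], "shared": [], "private": []}
    for snap in snapshots:
        sid = snap["SnapshotId"]
        perms = attribute_lookup(sid)
        if is_public(perms):
            result["public"].append(sid)
        elif shared_account_ids(perms):
            result["shared"].append(sid)
        else:
            result["private"].append(sid)
    return result


# Constructed sample responses so the classification runs offline.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "Description": "prod db backup", "Encrypted": False},
    {"SnapshotId": "snap-0bbb", "Description": "shared with partner", "Encrypted": True},
    {"SnapshotId": "snap-0ccc", "Description": "private backup", "Encrypted": True},
]
SAMPLE_PERMISSIONS = {
    "snap-0aaa": [{"Group": "all"}],             # world-readable: the dangerous case
    "snap-0bbb": [{"UserId": "111122223333"}],   # shared with one named account
    "snap-0ccc": [],                             # owner only
}


def audit_sample() -> Dict[str, List[str]]:
    """Run the classification over the constructed sample data."""
    return classify_snapshots(SAMPLE_SNAPSHOTS, lambda sid: SAMPLE_PERMISSIONS.get(sid, []))


def audit_live(region: str = "us-east-1", remediate: bool = False) -> Dict[str, List[str]]:
    """Classify the caller's own snapshots in one region (needs boto3 and credentials).

    With remediate=True, the public 'all' grant is removed from each public snapshot.
    """
    import boto3  # imported lazily so the offline helpers work without it

    ec2 = boto3.client("ec2", region_name=region)
    snapshots: List[Dict] = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        snapshots.extend(page["Snapshots"])

    def lookup(sid: str) -> List[Dict]:
        resp = ec2.describe_snapshot_attribute(SnapshotId=sid,
                                               Attribute="createVolumePermission")
        return resp.get("CreateVolumePermissions", [])

    report = classify_snapshots(snapshots, lookup)
    if remediate:
        for sid in report["public"]:
            # Removing the 'all' group returns the snapshot to owner-only access.
            ec2.modify_snapshot_attribute(SnapshotId=sid,
                                          Attribute="createVolumePermission",
                                          OperationType="remove",
                                          GroupNames=["all"])
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit_sample(), indent=2))
```

Run the live audit per region; snapshots are regional, so a single-region check misses exposures elsewhere.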

NSA's Free Malware Research Tool Gains Traction, 6 Months On

Fri, 08/09/2019 - 13:30
In March the National Security Agency released an internal malware research tool for free to the public, a first for the secretive agency. Six months later, by most indications, the release is an even bigger event than the NSA thought. From a report: Some aspects of researching malware have long required expensive software. The release of Ghidra, the NSA tool, has profoundly changed the field, opening it up to students, part-timers and hobbyists who otherwise couldn't afford to participate. It's been a good six months for Ghidra. The software has been downloaded more than 500,000 times from GitHub. "We had a bet on how many downloads it would be," Brian Knighton, senior researcher at the NSA, told Axios. "We were off by quite a factor." Ghidra also netted the NSA two nominations for "Pwnie" awards at the typically NSA-averse DEF CON hacker conference this week. The NSA was also pleasantly surprised with the number of outside developers modifying code and creating new features for the now open-source program. The toolkit is popular enough that the NSA now offers touring classes on Ghidra for colleges and universities.

Researchers Bypass Apple FaceID Using Biometrics 'Achilles Heel'

Fri, 08/09/2019 - 09:25
Vulnerabilities have been uncovered in the authentication process of biometrics technology that could allow bad actors to bypass various facial recognition applications -- including Apple's FaceID. But there is a catch. Doing so requires the victim to be out cold. From a report: Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim's FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair of glasses and placing them on the victim's face, the researchers demonstrated how they could bypass Apple's FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up. To launch the attack, researchers with Tencent tapped into a feature behind biometrics called "liveness" detection, which is part of the biometric authentication process that sifts through "real" versus "fake" features on people. It works by detecting background noise, response distortion or focus blur. One such biometrics tool that utilizes liveness detection is FaceID, which is designed and utilized by Apple for the iPhone and iPad Pro. "With the leakage of biometric data and the enhancement of AI fraud ability, liveness detection has become the Achilles' heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture," researchers said during the Black Hat USA 2019 session.

Robocall Blocking Apps Caught Sending Your Private Data Without Permission

Fri, 08/09/2019 - 08:10
Robocall-blocking apps promise to rid your life of spoofed and spam phone calls. But are they as trustworthy as they claim to be? From a report: One security researcher said many of these apps can violate your privacy as soon as they are opened. Dan Hastings, a senior security consultant at cybersecurity firm NCC Group, analyzed some of the most popular robocall-blocking apps -- including TrapCall, Truecaller, and Hiya -- and found egregious privacy violations. [...] Many of these apps, said Hastings, send user or device data to third-party data analytics companies -- often to monetize your information -- without your explicit consent, instead burying the details in their privacy policies. One app, TrapCall, sent users' phone numbers to a third-party analytics firm, AppsFlyer, without telling users -- neither in the app nor in the privacy policy. He also found Truecaller and Hiya uploaded device data -- device type, model and software version, among other things -- before a user could accept their privacy policies.

Apple Confirms $1 Million Reward For Anyone Who Can Hack An iPhone

Thu, 08/08/2019 - 23:00
Apple says it will offer up to $1 million for hackers who can find vulnerabilities in iPhones and Macs. "That's up from $200,000, and in the fall the program will be open to all researchers," reports Forbes. "Previously only those on the company's invite-only bug bounty program were eligible to receive rewards." From the report: As Forbes reported on Monday, Apple is also launching a Mac bug bounty, which was confirmed Thursday, but it's also extending it to watchOS and its Apple TV operating system. The announcements came in Las Vegas at the Black Hat conference, where Apple's head of security engineering Ivan Krstic gave a talk on iOS and macOS security. Forbes also revealed on Monday that Apple was to give bug bounty participants "developer devices" -- iPhones that let hackers dive further into iOS. They can, for instance, pause the processor to look at what's happening with data in memory. Krstic confirmed the iOS Security Research Device program would be by application only. It will arrive next year. The full $1 million will go to researchers who can find a hack of the kernel -- the core of iOS -- with zero clicks required by the iPhone owner. Another $500,000 will be given to those who can find a "network attack requiring no user interaction." There's also a 50% bonus for hackers who can find weaknesses in software before it's released. Apple is increasing those rewards in the face of an increasingly profitable private market where hackers sell the same information to governments for vast sums.

US Holds Off On Huawei Licenses As China Halts Crop-Buying

Thu, 08/08/2019 - 18:02
After China said it was halting purchases of U.S. farming goods earlier this week, the White House retaliated by postponing a decision about licenses for U.S. companies to restart business with Huawei. "Commerce Secretary Wilbur Ross, whose department has vetted the applications to resume sales, said last week he's received 50 requests and that a decision on them was pending," reports Bloomberg. "American businesses require a special license to supply goods to Huawei after the U.S. added the Chinese telecommunications giant to a trade blacklist in May over national-security concerns." From the report: President Donald Trump said in late June after agreeing to a now-broken trade truce with Chinese President Xi Jinping in Japan that some restrictions on Huawei would be loosened. But that promise was contingent upon China beefing up its purchases from American farmers, which Trump has complained the country has failed to do. In the past week tensions have escalated further as Trump said he would impose a 10% tariff on $300 billion of Chinese imports as of Sept. 1 and his Treasury Department formally labeled China a currency manipulator. Still, Trump said last week there were no plans to reverse the decision he made in Japan to allow more sales by U.S. suppliers of non-sensitive products to Huawei. He said the issue of Huawei is not related to the trade talks.

Critical US Election Systems Have Been Left Exposed Online

Thu, 08/08/2019 - 15:20
Jason Koebler shares a report from Motherboard: For years, U.S. election officials and voting machine vendors have insisted that critical election systems are never connected to the internet and therefore can't be hacked. But a group of election security experts have found what they believe to be nearly three dozen backend election systems in 10 states connected to the internet over the last year, including some in critical swing states. These include systems in nine Wisconsin counties, in four Michigan counties, and in seven Florida counties -- all states that are perennial battlegrounds in presidential elections. Some of the systems have been online for a year and possibly longer. Some of them disappeared from the internet after the researchers notified an information-sharing group for election officials last year. But at least 19 of the systems, including one in Florida's Miami-Dade County, were still connected to the internet this week, the researchers told Motherboard. "We ... discovered that at least some jurisdictions were not aware that their systems were online," said Kevin Skoglund, an independent security consultant who conducted the research with nine others, all of them long-time security professionals and academics with expertise in election security. "In some cases, [the vendor was] in charge [of installing the systems] and there was no oversight. Election officials were publicly saying that their systems were never connected to the internet because they didn't know differently."

$10.7 Billion Broadcom-Symantec Enterprise Deal Creates Software Titan

Thu, 08/08/2019 - 13:25
An anonymous reader quotes a report from CRN: Broadcom has agreed to purchase Symantec's enterprise business in a massive $10.7 billion deal that will break up the world's largest pure-play cybersecurity vendor. The San Jose, Calif.-based semiconductor manufacturer said the monster acquisition is expected to drive $2 billion of revenue and $1.3 billion of EBITDA (earnings before interest, taxation, depreciation, and amortization), as well as upwards of $1 billion of cost synergies in the year following close. The Symantec name will be sold to Broadcom as part of the transaction. The deal will bring Symantec's $2.5 billion enterprise unit together with the software capabilities inherited last year through its $19 billion acquisition of CA Technologies. Symantec's enterprise business includes its traditional strength around anti-virus and endpoint protection as well as the cloud security capabilities inherited through the 2016 acquisition of Blue Coat Systems. "Meanwhile, Symantec's consumer business -- which includes its legacy Norton anti-virus capabilities as well as its more recent acquisition of LifeLock -- will become a standalone company," the report adds. "Interim Symantec President and CEO Rick Hill said the remaining consumer business contributed 90 percent of the company's total operating income, and the company expects to be able to continue to grow revenue for its Norton LifeLock business in the mid-single digits going forward."

Facebook Loses Facial Recognition Technology Appeal, Must Face Class Action

Thu, 08/08/2019 - 11:40
In a landmark decision, the Ninth Circuit today ruled that Facebook must face a class action suit claiming that its facial recognition practices violated an Illinois biometric privacy law. From a report: A federal appeals court on Thursday rejected Facebook's effort to undo a class action lawsuit claiming that it illegally collected and stored biometric data for millions of users without their consent. The 3-0 decision from the 9th U.S. Circuit Court of Appeals in San Francisco exposes Facebook to billions of dollars in potential damages to the Illinois users who brought the case. It came as the social media company faces broad criticism from lawmakers and regulators over its privacy practices. Last month, Facebook agreed to pay a record $5 billion fine to settle a Federal Trade Commission data privacy probe. "This biometric data is so sensitive that if it is compromised, there is simply no recourse," Shawn Williams, a lawyer for plaintiffs in the class action, said in an interview. "It's not like a Social security card or credit card number where you can change the number. You can't change your face."

Kazakhstan Halts Introduction of Internet Surveillance System

Thu, 08/08/2019 - 08:40
Kazakhstan has halted the implementation of an internet surveillance system criticized by lawyers as illegal, with the government describing its initial rollout as a test. From a report: Mobile phone operators in the oil-rich Central Asian nation's capital, Nur-Sultan, had asked customers to install an encryption certificate on their devices or risk losing internet access. State security officials said its goal was to protect Kazakh users from "hacker attacks, online fraud and other kinds of cyber threats." The certificate allowed users' traffic to be intercepted by the government, circumventing encryption used by email and messaging applications. Several Kazakh lawyers said this week they had sued the country's three mobile operators, arguing that restricting internet access to those who refused to install the certificate would be illegal. But late on Tuesday, Kazakhstan's State Security Committee said in a statement that the certificate rollout was simply a test which has now been completed. Users can remove the certificate and use the internet as usual, it said.

WordPress Team Working on Daring Plan To Forcibly Update Old Websites

Thu, 08/08/2019 - 07:24
The developers behind the WordPress open-source content management system (CMS) are working on a plan to forcibly auto-update older versions of the CMS to more recent releases. From a report: The goal of this plan is to improve the security of the WordPress ecosystem, and the internet as a whole, since WordPress installations account for more than 34% of all internet websites. Officially supported versions include only the last six WordPress major releases, which currently are all the versions between v4.7 and v5.2. The plan is to slowly auto-update old WordPress sites, starting with v3.7, to the current minimum supported version, which is the v4.7 release. The WordPress team said it plans to monitor this tiered forced auto-update process for errors and site breakage. If there's something massively wrong, then the auto-update can be stopped altogether. If only a few individual sites break, then those sites will be rolled back to their previous versions and the owners will be notified via email.

Broadcom Close To Buying Symantec's Enterprise Business

Thu, 08/08/2019 - 05:00
phalse phace writes: Broadcom's on-again, off-again talks to buy Symantec are on again, but this time Broadcom is just interested in Symantec's Enterprise Business. According to the Wall Street Journal: "Broadcom is nearing a deal to buy Symantec's enterprise business after its attempted purchase of the entire cybersecurity firm fell apart. A deal for the Symantec business could be announced as early as Thursday, when Symantec reports its results, according to people familiar with the matter. The deal could value the Symantec division at around $10 billion, one of the people said. Broadcom had previously been in late-stage discussions to buy all of Symantec before the talks collapsed last month. Since then, the two sides have restarted discussions, with Broadcom zeroing in on the Symantec business that serves businesses and accounts for roughly half its $5 billion in annual revenue. The consumer segment accounts for the rest. The deal would be big for Symantec. Its entire market value is about $12.6 billion -- it has more than $2 billion of net debt -- compared with about $107.6 billion for Broadcom." UPDATE: It's official, Broadcom is acquiring Symantec's Enterprise Business for $10.7 billion.

Skype, Slack, Other Electron-Based Apps Can Be Easily Backdoored

Wed, 08/07/2019 - 19:30
An anonymous reader quotes a report from Ars Technica: The Electron development platform is a key part of many applications, thanks to its cross-platform capabilities. Based on JavaScript and Node.js, Electron has been used to create client applications for Internet communications tools (including Skype, WhatsApp, and Slack) and even Microsoft's Visual Studio Code development tool. But Electron can also pose a significant security risk because of how easily Electron-based applications can be modified without triggering warnings. At the BSides LV security conference on Tuesday, Pavel Tsakalidis demonstrated a tool he created called BEEMKA, a Python-based tool that allows someone to unpack Electron ASAR archive files and inject new code into Electron's JavaScript libraries and built-in Chrome browser extensions. The vulnerability is not part of the applications themselves but of the underlying Electron framework -- and that vulnerability allows malicious activities to be hidden within processes that appear to be benign. Tsakalidis said that he had contacted Electron about the vulnerability but that he had gotten no response -- and the vulnerability remains. While making these changes required administrator access on Linux and MacOS, it only requires local access on Windows. Those modifications can create new event-based "features" that can access the file system, activate a Web cam, and exfiltrate information from systems using the functionality of trusted applications -- including user credentials and sensitive data. In his demonstration, Tsakalidis showed a backdoored version of Microsoft Visual Studio Code that sent the contents of every code tab opened to a remote website. The problem lies in the fact that Electron ASAR files themselves are not encrypted or signed, allowing them to be modified without changing the signature of the affected applications. A request from developers to be able to encrypt ASAR files was closed by the Electron team without action.

Google Pixel 4 Will Have 90Hz 'Smooth Display' and DSLR Camera Attachment

Wed, 08/07/2019 - 17:45
According to 9to5Google, Google's upcoming Pixel 4 and Pixel 4 XL smartphones will feature 90Hz refresh rates, 6GB of RAM, and a DSLR attachment, among other features not reported until now. From the report: First, the basics: There will be a Pixel 4 and Pixel 4 XL, and they will both more or less have the same features. They are phones. As we've already seen, they will have glass on the front and back, and a large camera bump. They have a sizable top bezel on the front housing the Soli radar chip, the speaker, a single front shooter, and the suite of sensors for face unlock. Other familiar aesthetic flourishes like a colored lock button and the usual 'G' logo on the back are also in tow. Things get a little interesting with the display specs. Pixel 4 and Pixel 4 XL will have 5.7-inch and 6.3-inch OLED displays, respectively -- the smaller is Full HD+, while the larger is Quad HD+. We can confirm now, though, that both will be 90 Hz displays, a feature Google is planning to call "Smooth Display." We also have word on the Pixel 4 and Pixel 4 XL camera specs. There are two sensors on the rear, one of which is a 12MP shooter with phase-detect auto-focus. Also, confirming details that we unearthed in the Google Camera app, the other rear sensor on the Google Pixel 4 and Pixel 4 XL is a 16MP telephoto lens. Another interesting tidbit on the camera side: We're told Google is developing a DSLR-like attachment for the Pixel 4 that may become an available accessory. In other Pixel 4 specs, the smaller 5.7-inch Google Pixel 4 will have a 2,800 mAh battery, while the larger model will have a 3,700 mAh battery. That means, compared to last year, the smaller Pixel will have a slightly smaller battery (down from 2,915 mAh), while the larger Pixel will have a notably beefier one (up from 3,430 mAh). Both devices will pack the Snapdragon 855, get an appreciated bump to 6GB of RAM, and will be available in both 64GB and 128GB variants in the United States.
Finally, we can confirm that both Pixel 4 models will have stereo speakers, the Titan M security module that was introduced with the Pixel 3, and of course, the latest version of Android with 3 years of software support. We're also told to expect that, like previous years, Google will show off some new Assistant features that will be exclusive to Pixel 4.

Twitter Fesses Up To More Adtech Leaks

Wed, 08/07/2019 - 16:03
Twitter has disclosed more bugs related to how it uses personal data for ad targeting that mean it may have shared users' data with advertising partners even when a user had expressly told it not to. TechCrunch reports: Back in May the social network disclosed a bug that in certain conditions resulted in an account's location data being shared with a Twitter ad partner, during real-time bidding (RTB) auctions. In a blog post on its Help Center about the latest "issues" Twitter says it "recently" found, it admits to finding two problems with users' ad settings choices that mean they "may not have worked as intended." It claims both problems were fixed on August 5, though it does not specify when it realized it was processing user data without their consent. The first bug relates to tracking ad conversions. This meant that if a Twitter user clicked or viewed an ad for a mobile application on the platform and subsequently interacted with the mobile app, Twitter says it "may have shared certain data (e.g., country code; if you engaged with the ad and when; information about the ad, etc)" with its ad measurement and advertising partners -- regardless of whether the user had agreed their personal data could be shared in this way. It suggests this leak of data has been happening since May 2018 -- which is also the day when Europe's updated privacy framework, GDPR, came into force. Twitter specifies that it does not share users' names, Twitter handles, email or phone number with ad partners. However it does share a user's mobile device identifier, which GDPR treats as personal data as it acts as a unique identifier. The second issue Twitter discloses in the blog post also relates to tracking users' wider web browsing to serve them targeted ads.
Here Twitter admits that, since September 2018, it may have served targeted ads that used inferences made about the user's interests based on tracking their wider use of the Internet -- even when the user had not given permission to be tracked.

A Boeing Code Leak Exposes Security Flaws Deep In a 787's Guts

Wed, 08/07/2019 - 14:40
An anonymous reader quotes a report from Wired: Late one night last September, security researcher Ruben Santamarta sat in his home office in Madrid and partook in some creative googling, searching for technical documents related to his years-long obsession: the cybersecurity of airplanes. He was surprised to discover a fully unprotected server on Boeing's network, seemingly full of code designed to run on the company's giant 737 and 787 passenger jets, left publicly accessible and open to anyone who found it. So he downloaded everything he could see. Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one of the 787 Dreamliner's components, deep in the plane's multi-tiered network. He suggests that for a hacker, exploiting those bugs could represent one step in a multistage attack that starts in the plane's in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors. At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System. The CIS/MS is responsible for applications like maintenance systems and the so-called electronic flight bag, a collection of navigation documents and manuals used by pilots. Santamarta says he found a slew of memory corruption vulnerabilities in that CIS/MS, and he claims that a hacker could use those flaws as a foothold inside a restricted part of a plane's network. An attacker could potentially pivot, Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane's safety-critical systems, including its engine, brakes, and sensors. 
Boeing maintains that other security barriers in the 787's network architecture would make that progression impossible. Boeing said in a statement that it had investigated IOActive's claims and concluded that they don't represent any real threat of a cyberattack. "IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," the company's statement reads. "IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible presentation." Boeing says the company put an actual Boeing 787 in "flight mode" to test and try to exploit the vulnerabilities. They found that they couldn't carry out a successful attack.