Slashdot security articles


Cellebrite Says It Can Unlock Any iPhone For Cops

Sat, 06/15/2019 - 02:00
An anonymous reader quotes a report from Wired: On Friday afternoon, the Israeli forensics firm and law enforcement contractor Cellebrite publicly announced a new version of its product known as a Universal Forensic Extraction Device or UFED, one that it's calling UFED Premium. In marketing that update, it says that the tool can now unlock any iOS device cops can lay their hands on, including those running iOS 12.3, released just a month ago. Cellebrite claims UFED Premium can extract files from many recent Android phones as well, including the Samsung Galaxy S9. No other law enforcement contractor has made such broad claims about a single product, at least not publicly. The move signals not only another step in the cat and mouse game between smartphone makers and the government-sponsored firms that seek to defeat their security, but also a more unabashedly public phase of that security face-off. "Cellebrite is proud to introduce #UFED Premium! An exclusive solution for law enforcement to unlock and extract data from all iOS and high-end Android devices," the company wrote on its Twitter feed for the UFED product. On a linked web page, the company says the new tool can pull forensic data off any iOS device dating back to iOS 7, and Android devices not just from Samsung but Huawei, LG, and Xiaomi.

Yubico To Replace Vulnerable YubiKey FIPS Security Keys

Thu, 06/13/2019 - 10:50
Yubico said today it plans to replace certain hardware security keys because of a firmware flaw that reduces the randomness of cryptographic keys generated by its devices. From a report: Affected products include models that are part of the YubiKey FIPS Series, a line of YubiKey authentication keys certified for use on US government networks (and others) according to the US government's Federal Information Processing Standards (FIPS). According to a Yubico security advisory published today, YubiKey FIPS Series devices that run firmware version 4.4.2 and 4.4.4 contain a bug that keeps "some predictable content" inside the device's data buffer after the power-up operation. This "predictable content" will influence the randomness of cryptographic keys generated on the device for a short period after the boot-up, until the "predictable content" is all used up, and true random data is present in the buffer. This means that for a short period after booting up, YubiKey FIPS Series devices with the affected 4.4.2 and 4.4.4 versions will generate keys that can be either recovered partially, or in full, depending on the cryptographic algorithm the key is working with for a particular authentication operation.

Huawei Asks Verizon To Pay Over $1 Billion For Over 230 Patents

Thu, 06/13/2019 - 08:50
hackingbear writes: Huawei has told Verizon that the U.S. carrier should pay licensing fees for more than 230 of the Chinese telecoms equipment maker's patents and in aggregate is seeking more than $1 billion, a person briefed on the matter said on Wednesday. Verizon should pay to "solve the patent licensing issue," a Huawei intellectual property licensing executive wrote in February, the Wall Street Journal reported earlier. The patents cover network equipment for more than 20 of the company's vendors including major U.S. tech firms but those vendors would indemnify Verizon, the person said. Some of those firms have been approached directly by Huawei, the person said. The patents in question range from core network equipment, wireline infrastructure to internet-of-things technology, the Journal reported. The licensing fees for the more than 230 patents sought is more than $1 billion, the person said. Huawei has been battling the U.S. government for more than a year. National security experts worry that "back doors" in routers, switches and other Huawei equipment could allow China to spy on U.S. communications. Huawei has denied that it would help China spy.

Facebook Collected Device Data On 187,000 Users Using Banned Snooping

Wed, 06/12/2019 - 18:03
Facebook obtained personal and sensitive device data on about 187,000 users of its now-defunct Research app, which Apple banned earlier this year after the app violated its rules. TechCrunch reports: The social media giant said in a letter to Sen. Richard Blumenthal's office -- which TechCrunch obtained -- that it collected data on 31,000 users in the U.S., including 4,300 teenagers. The rest of the collected data came from users in India. "We know that the provisioning profile for the Facebook Research app was created on April 19, 2017, but this does not necessarily correlate to the date that Facebook distributed the provisioning profile to end users," said Timothy Powderly, Apple's director of federal affairs, in his letter. Facebook said the app dated back to 2016. These "research" apps relied on willing participants to download the app from outside the app store and use the Apple-issued developer certificates to install the apps. Then, the apps would install a root network certificate, allowing the app to collect all the data out of the device -- like web browsing histories, encrypted messages and mobile app activity -- potentially also including data from their friends -- for competitive analysis. In Facebook's case, the research app -- dubbed Project Atlas -- was a repackaged version of its Onavo VPN app, which Facebook was forced to remove from Apple's App Store last year for gathering too much device data. Just this week, Facebook relaunched its research app as Study, only available on Google Play and for users who have been approved through Facebook's research partner, Applause. Facebook said it would be more transparent about how it collects user data.

Team of American Hackers and Emirati Spies Discussed Attacking The Intercept

Wed, 06/12/2019 - 13:25
The Intercept: Operatives at a controversial cybersecurity firm working for the United Arab Emirates government discussed targeting The Intercept and breaching the computers of its employees, according to two sources, including a member of the hacking team who said they were present at a meeting to plan for such an attack. The firm, DarkMatter, brought ex-National Security Agency hackers and other U.S. intelligence and military veterans together with Emirati analysts to compromise the computers of political dissidents at home and abroad, including American citizens, Reuters revealed in January. The news agency also reported that the FBI is investigating DarkMatter's use of American hacking expertise and the possibility that it was wielded against Americans. The campaign against dissidents and critics of the Emirati government, code-named Project Raven, began in Baltimore. A 2016 Intercept article by reporter Jenna McLaughlin revealed how the Maryland-based computer security firm CyberPoint assembled a team of Americans for a contract to hone UAE's budding hacking and surveillance capabilities, leaving some recruits unsettled. Much of the CyberPoint team was later poached by DarkMatter, a firm with close ties to the Emirati government and headquartered just two floors from the Emirati equivalent of the NSA, the National Electronic Security Authority (which later became the Signals Intelligence Agency).

Google Expands Android's Built-in Security Key To iOS Devices

Wed, 06/12/2019 - 10:08
An anonymous reader shares a report: In April, Google announced a groundbreaking technology that could allow Android users to use their smartphones as hardware security keys whenever logging into Google accounts on their laptops or work PCs. Initially, the technology was made available for Chrome OS, macOS, and Windows 10 devices. Today, Google announced it is expanding this technology to iOS as well. Today's news means that iPhone and iPad users can now use their (secondary) Android smartphones as a security key whenever logging into their Google accounts on an iOS device. The technology works basically the same, as Google explained in April, at the Cloud Next 2019 conference.

A Year Later, US Government Websites Are Still Redirecting To Hardcore Porn

Tue, 06/11/2019 - 15:40
An anonymous reader quotes a report from Gizmodo: Dozens of U.S. government websites appear to contain a flaw enabling anyone to generate URLs with their domains that redirect users to external sites, a handy tool for criminals hoping to infect users with malware or fool them into surrendering personal information. Gizmodo first reported a year ago that a wide variety of U.S. government sites were misconfigured, allowing porn bots to create links that redirected visitors to sites with colorful names like "HD Dog Sex Girl" and "Two Hot Russians Love Animal Porn." Among those affected was the Justice Department's Amber Alert site, links from which apparently redirected users to erotic material. The ability to generate malicious links that appear to lead to actual government websites can be a handy pretense for criminals conducting phishing campaigns. What's more, these malicious redirects may be used to send users to websites masquerading as official government services, encouraging them to hand over personal information, such as names, addresses, and Social Security numbers.
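The flaw described above is a classic open redirect: a site takes a destination from a request parameter and sends the browser there without checking it. The validator below is an added example (not code from Gizmodo or from any of the affected sites) showing the defensive check that prevents it: the destination is resolved against the site's own base URL and only allowed if it lands on an allowlisted host. The hostnames, the `https://example.gov/` base and the fallback path are assumptions for the example. It also handles the usual bypass shapes a plain "does it start with a slash" check misses: protocol-relative `//host`, the `///host` form browsers collapse to a host, backslashes that browsers treat as slashes, userinfo tricks like `https://good@evil`, non-HTTP schemes, and control characters.

```python
from urllib.parse import urlparse, urljoin

# Hosts this application may redirect to (constructed for this example).
ALLOWED_HOSTS = {"example.gov", "www.example.gov"}
SAFE_FALLBACK = "/"


def safe_redirect_target(target, base_url="https://example.gov/"):
    """Return an absolute redirect URL on an allowed host, or SAFE_FALLBACK.

    `target` is the untrusted value of a redirect parameter (for example
    `?next=`); `base_url` is the site's own origin (assumed here).
    """
    if not isinstance(target, str) or not target:
        return SAFE_FALLBACK

    # Control characters and whitespace have no place in a redirect target
    # and can be used for header splitting or parser confusion.
    if any(ord(c) < 0x20 or c in " \x7f" for c in target):
        return SAFE_FALLBACK

    # Browsers treat "\" like "/", so normalise before parsing; otherwise
    # "/\evil.example" would be parsed here as a harmless relative path.
    candidate = target.replace("\\", "/")

    # Browsers collapse any run of leading slashes into "//host", so treat
    # "///evil.example" exactly like "//evil.example".
    if candidate.startswith("//"):
        candidate = "//" + candidate.lstrip("/")

    parsed = urlparse(candidate)

    # Only http(s) destinations; rejects javascript:, data:, etc.
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return SAFE_FALLBACK

    if parsed.netloc:
        # Reject "https://example.gov@evil.example": the real host is
        # what comes after "@", and there is no legitimate reason for
        # credentials in a redirect target.
        if parsed.username is not None or parsed.password is not None:
            return SAFE_FALLBACK
        host = (parsed.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return SAFE_FALLBACK

    # Relative paths and allowed absolute URLs resolve against our own base.
    return urljoin(base_url, candidate)


if __name__ == "__main__":
    for t in ["/dashboard", "//evil.example/x", "///evil.example",
              "/\\evil.example", "https://example.gov@evil.example/",
              "javascript:alert(1)", "https://www.example.gov/help?x=1"]:
        print(repr(t), "->", safe_redirect_target(t))
```

The important design choice is the allowlist: a denylist of known bad prefixes never keeps up with the parsing quirks of every browser, whereas resolving the candidate and checking the resulting host is stable. Returning a fixed fallback rather than raising keeps the login or logout flow working when a link is malformed.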

US Customs and Border Protection Says Traveler Photos and License Plate Images Stolen In Data Breach

Mon, 06/10/2019 - 14:10
An anonymous reader quotes a report from TechCrunch: U.S. Customs and Border Protection has confirmed a data breach has exposed the photos of travelers and vehicles traveling in and out of the United States. The photos were stolen from a subcontractor's network through a "malicious cyberattack," a CBP spokesperson told TechCrunch in an email. "CBP learned that a subcontractor, in violation of CBP policies and without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network," said an agency statement. "Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract," the statement read. The agency first learned of the breach on May 31. When asked, a spokesperson for CBP didn't say how many photos were taken in the breach or if U.S. citizens were affected. The agency also didn't name the subcontractor. The database that the agency maintains includes traveler images, as well as passport and visa photos. Congress has been notified and the CBP said it is "closely monitoring" CBP-related work by the subcontractor.

Top Voting Machine Maker Reverses Position on Election Security, Promises Paper Ballots

Mon, 06/10/2019 - 09:30
Election Systems & Software has championed electronic voting machines in the US. Now it has had a change of heart about the need for paper records of votes. From a report: TechCrunch understands the decision was made around the time that four senior Democratic lawmakers demanded to know why ES&S, and two other major voting machine makers, were still selling decade-old machines known to contain security flaws. ES&S chief executive Tom Burt's op-ed said voting machines "must have physical paper records of votes" to prevent mistakes or tampering that could lead to improperly cast votes. Sen. Ron Wyden introduced a bill a year ago that would mandate voter-verified paper ballots for all election machines. The chief executive also called on Congress to pass legislation mandating a stronger election machine testing program. Burt's remarks are a sharp turnaround from the company's position just a year ago, in which the election systems maker drew ire from the security community for denouncing vulnerabilities found by hackers at the annual Defcon conference.

Disney's Video Streaming Service Hotstar Halts Support for Safari Browser

Mon, 06/10/2019 - 06:40
Hotstar, India's largest video streaming service with more than 300 million users, disabled support for Apple's Safari web browser last week to mitigate a security flaw that allowed unauthorized usage of its platform, TechCrunch reports, citing sources. From the report: As users began to complain about not being able to use Hotstar on Safari, the company's official support account asserted that "technical limitations" on Apple's part were the bottleneck. "These limitations have been from Safari; there is very little we can do on this," the account tweeted Friday evening. Sources at Hotstar told TechCrunch that this was not an accurate description of the event. Instead, the company's engineers had identified a security hole that was being exploited by unauthorized users to access and distribute Hotstar's content -- including the premium catalog. Hotstar, which assumes the global record for most concurrent views on a live event, is operated by Star India, a media conglomerate in India that was part of 20th Century Fox that Disney acquired earlier this year.

A Wave of SIM Swapping Attacks Targets Cryptocurrency Users

Sun, 06/09/2019 - 13:40
"Numerous members of the cryptocurrency community have been hit by SIM swapping attacks over the past week," ZDNet reported Monday, "in what appears to be a coordinated wave of attacks." SIM swapping, also known as SIM jacking, is a type of ATO (account takeover) attack during which a malicious threat actor uses various techniques (usually social engineering) to transfer a victim's phone number to their own SIM card. The purpose of this attack is so that hackers can reset passwords or receive 2FA verification codes and access protected accounts.... [D]espite a period of calm in the first half of the year, a rash of SIM swapping attacks has been reported in the second half of May, and especially over the past week... Some candidly admitted to losing funds, while others said the SIM swapping attacks were unsuccessful because they switched to using hardware security tokens to protect accounts, instead of the classic SMS-based 2FA system.

Are Amazon's 'Ring' Doorbells Creating A Massive Police Surveillance Network?

Sun, 06/09/2019 - 11:41
"Police departments are piggybacking on Ring's network to build out their surveillance networks..." reports CNET, adding that Ring "helps police avoid roadblocks for surveillance technology, whether a lack of funding or the public's concerns about privacy." While residential neighborhoods aren't usually lined with security cameras, the smart doorbell's popularity has essentially created private surveillance networks powered by Amazon and promoted by police departments. Police departments across the country, from major cities like Houston to towns with fewer than 30,000 people, have offered free or discounted Ring doorbells to citizens, sometimes using taxpayer funds to pay for Amazon's products. While Ring owners are supposed to have a choice on providing police footage, in some giveaways, police require recipients to turn over footage when requested. Ring said Tuesday that it would start cracking down on those strings attached... While more surveillance footage in neighborhoods could help police investigate crimes, the sheer number of cameras run by Amazon's Ring business raises questions about privacy involving both law enforcement and tech giants... More than 50 local police departments across the US have partnered with Ring over the last two years, lauding how the Amazon-owned product allows them to access security footage in areas that typically don't have cameras -- on suburban doorsteps. But privacy advocates argue this partnership gives law enforcement an unprecedented amount of surveillance. "What we have here is a perfect marriage between law enforcement and one of the world's biggest companies creating conditions for a society that few people would want to be a part of," said Mohammad Tajsar, staff attorney at the ACLU of Southern California... Despite its benefits, the relationship between police departments and Ring raises concerns about surveillance and privacy, as Amazon is working with law enforcement to blanket communities with cameras.... 
"Essentially, we're creating a culture where everybody is the nosy neighbor looking out the window with their binoculars," said Dave Maass, a senior investigative researcher at the Electronic Frontier Foundation. "It is creating this giant pool of data that allows the government to analyze our every move, whether or not a crime is being committed." On a heat map of Bloomfield, there are hardly any spots in the New Jersey township out of sight of a Ring camera. Tajsar says in some scenarios "they're basically commandeering people's homes as surveillance outposts for law enforcement," and the article notes that when police departments partner with Ring, "they have access to a law enforcement dashboard, where they can geofence areas and request footage filmed at specific times." While law enforcement "can only get footage from the app if residents choose to send it," if the residents refuse, police can still try to obtain the footage with a subpoena to Amazon's Ring.

'Java Web Start Is Dead. Long Live Java Web Start!'

Sun, 06/09/2019 - 08:34
An anonymous reader reminded us about the open source reimplementation of Java Web Start, a framework originally developed by Sun Microsystems that allowed users to more easily run Java applications in an applet-like sandbox using a web browser. From the project's announcement: Java Web Start (JWS) was deprecated in Java 9, and starting with Java 11, Oracle removed JWS from their JDK distributions. This means that clients that have the latest version of Java installed can no longer use JWS-based applications. And since public support of Java 8 has ended in Q2/2019, companies no longer get any updates and security fixes for Java Web Start. This is why we decided to create OpenWebStart, an open source reimplementation of the Java Web Start technology. Our replacement will provide the most commonly used features of Java Web Start and the JNLP standard, so that your customers can continue using applications based on Java Web Start and JNLP without any change. Red Hat is apparently involved in its parent project, IcedTea-Web, which it distributes as part of their Windows OpenJDK distribution.

How npm Stopped a Malicious Upstream Code Update From Stealing Cryptocurrency

Sat, 06/08/2019 - 12:34
"If you're a cryptocurrency startup, would you face a huge backlash by hacking your own customers to keep their funds safe if you know that a hacker is about to launch an attack and steal their funds?" asks ZDNet: This is exactly what happened yesterday when the Komodo Platform learned about a backdoor in one of its older wallet apps named Agama. Knowing they had little time to act, the Komodo team said it used the same backdoor to extract users' funds from all impacted wallets and move them to a safe location, out of the hacker's reach. The tactic paid off, and 8 million Komodo coins and 96 bitcoins, worth nearly $13 million, were taken from users' vulnerable accounts before the hacker could get a chance to abuse the backdoor and steal users' funds... While initially, it did not make any sense for a library with a very limited feature-set to contain such an advanced functionality, after investigating the issue, npm staffers realized they were dealing with a supply-chain attack aimed at another app downstream, which was using the now-backdoored library... The npm team said the malicious code would work as intended and collect Agama wallet app seeds and passphrases, and upload the data to a remote server. These malicious-payload updates are "becoming more and more popular," according to a post on the official npm blog (a point they later emphasized in a press release). "After being notified by our internal security tooling of this threat we responded by notifying and coordinating with Komodo to protect their users as well as remove the malware from npm."

Large 'GoldBrute' RDP Botnet Hunts For Exposed Servers With Weak Passwords

Sat, 06/08/2019 - 10:34
The Internet Storm Center reports: RDP, the remote desktop protocol, made the news recently after Microsoft patched a critical remote code execution vulnerability (CVE-2019-0708). While the reporting around this "Bluekeep" vulnerability focused on patching vulnerable servers, exposing RDP to the Internet has never been a good idea. Botnets have been scanning for these servers and are using weak and reused passwords to gain access to them. The latest example of such a botnet is an ongoing malicious campaign we are referring to as "GoldBrute". This botnet is currently brute forcing a list of about 1.5 million RDP servers exposed to the Internet... Each bot will only try one particular username and password per target. This is possibly a strategy to fly under the radar of security tools as each authentication attempt comes from different addresses. Long-time Slashdot reader UnderAttack writes: Infected systems will retrieve target lists from the command and control server and attempt to brute force credentials against the list, while at the same time looking for more exposed servers. With all the attention spent on patching RDP servers for the recent "BlueKeep" vulnerability, users should also make sure to just not expose RDP in the first place. Even patched, it will still be susceptible to brute forcing.
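The ISC note that each bot tries only one username and password per target is exactly the property that defeats a per-source lockout or threshold rule. The detection below is an added example (not code from the Internet Storm Center or from UnderAttack) of the rule a defender would write instead: for each target, count how many distinct sources produced failed logons in a sliding window and alert when there are many of them, each trying only once. The log format is a constructed, simplified `timestamp target source_ip username` line rather than real Windows event records, and the thresholds are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed RDP logons (not real logs).  rdp-srv-01 sees
# the low-and-slow pattern: six sources, one attempt each, within minutes.
# rdp-srv-02 sees one source hammering it; rdp-srv-03 sees only two sources.
SAMPLE_LOG = """\
2019-06-08T10:00:01 rdp-srv-01 203.0.113.10 administrator
2019-06-08T10:00:09 rdp-srv-02 198.51.100.5 admin
2019-06-08T10:00:47 rdp-srv-01 198.51.100.23 admin
2019-06-08T10:01:02 rdp-srv-02 198.51.100.5 admin
2019-06-08T10:01:20 rdp-srv-01 192.0.2.77 user
2019-06-08T10:01:55 rdp-srv-03 203.0.113.44 administrator
2019-06-08T10:02:05 rdp-srv-01 203.0.113.88 test
2019-06-08T10:02:30 rdp-srv-02 198.51.100.5 admin
2019-06-08T10:03:41 rdp-srv-01 198.51.100.200 backup
2019-06-08T10:03:59 rdp-srv-02 198.51.100.5 admin
2019-06-08T10:04:12 rdp-srv-03 192.0.2.9 admin
2019-06-08T10:04:58 rdp-srv-01 192.0.2.150 scan
2019-06-08T10:05:10 rdp-srv-02 198.51.100.5 admin
2019-06-08T10:05:40 rdp-srv-02 198.51.100.5 admin
"""


def parse_failed_logons(text):
    """Parse the simplified log into (timestamp, target, source, username)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, target, src, user = line.split()
        events.append((datetime.fromisoformat(ts), target, src, user))
    return events


def find_distributed_bruteforce(events, window=timedelta(minutes=10),
                                min_sources=5, max_per_source=1):
    """Flag targets where many distinct sources each fail at most
    `max_per_source` times inside `window`.  Returns {target: details}."""
    by_target = defaultdict(list)
    for ev in events:
        by_target[ev[1]].append(ev)

    alerts = {}
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e[0])
        counts = defaultdict(int)  # source -> failures inside the window
        start = 0
        for end, (ts, _, src, user) in enumerate(evs):
            counts[src] += 1
            # Slide the window forward, dropping events older than `window`.
            while ts - evs[start][0] > window:
                old_src = evs[start][2]
                counts[old_src] -= 1
                if counts[old_src] == 0:
                    del counts[old_src]
                start += 1
            if len(counts) >= min_sources and max(counts.values()) <= max_per_source:
                window_evs = evs[start:end + 1]
                prev = alerts.get(target)
                # Keep the widest window seen for this target.
                if prev is None or len(counts) > prev["distinct_sources"]:
                    alerts[target] = {
                        "distinct_sources": len(counts),
                        "usernames": sorted({e[3] for e in window_evs}),
                        "first_seen": window_evs[0][0],
                        "last_seen": ts,
                    }
    return alerts


if __name__ == "__main__":
    for target, info in find_distributed_bruteforce(parse_failed_logons(SAMPLE_LOG)).items():
        print(target, info)
```

Note that rdp-srv-02 is not flagged by this rule even though it is plainly under attack: a single source retrying is what the conventional per-source lockout rule already catches, and the two rules are meant to run side by side. The usernames collected per alert are useful on their own, since a run of generic accounts (administrator, admin, test, backup) across unrelated sources is a strong signal of a shared wordlist.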

Malware Spotted Injecting Bing Results Into Google Searches

Fri, 06/07/2019 - 17:30
A new strain of malware intercepts and tampers with internet traffic on infected Apple Macs to inject Bing results into users' Google search results. The Register reports: A report out this month by security house AiroAV details how its bods apparently spotted a software nasty that configures compromised macOS computers to route the user's network connections through a local proxy server that modifies Google search results. In this latest case, it is claimed, the malware masquerades as an installer for an Adobe Flash plugin -- delivered perhaps by email or a drive-by download -- that the user is tricked into running. This bogus installer asks the victim for their macOS account username and password, which it can use to gain sufficient privileges to install a local web proxy and configure the system so that all web browser requests go through it. That proxy can meddle with unencrypted data as it flows in and out to and from the public internet. A root security certificate is also added to the Mac's keychain, giving the proxy the ability to generate SSL/TLS certs on the fly for websites requested. This allows it to potentially intercept and tamper with encrypted HTTPS traffic. This man-in-the-middle eavesdropping works against HTTP websites, and any HTTPS sites that do not employ MITM countermeasures. When the user opens their browser and attempts to run a Google search on an infected Mac, the request is routed to the local proxy, which injects into the Google results page an HTML iframe containing fetched Bing results for the same query, weirdly enough. As for why, "it's believed the Bing results bring in web ads that generate revenue for the malware's masterminds," the report says.

Want Someone's Personal Data? Give Them a Free Donut

Fri, 06/07/2019 - 10:50
Technology services provider Probrand has carried out a study at a cyber expo attended by UK security professionals, where attendees voluntarily shared sensitive data including their name, date of birth and favourite football team -- all to get their hands on a free donut. From a report: "We wanted to put this theory to the test and see just how willing people were to give up their data," says Mark Lomas, technical architect at Probrand. "We started by asking conversational questions such as 'How are you finding the day? Got any plans for after the event?' If someone happened to mention they were collecting their kids from school, we then asked what their names and ages were. One individual even showed a photograph of their children." As part of the task, Probrand also asked more direct questions such as, 'Which football team do you support?', 'What type of music are you into?' and 'What is your favourite band?' Whether asking questions transparently as part of a survey, or trying to adopt more hacker-type methods, they were alarmed to find how easy it was to obtain personal data -- which many people may be using as the basis of their passwords.

Google Warns of US National Security Risks From Huawei Ban

Fri, 06/07/2019 - 06:40
Google has warned the Trump administration it risks compromising US national security if it pushes ahead with sweeping export restrictions on Huawei [Editor's note: the link may be paywalled; alternative source], as the technology group seeks to continue doing business with the blacklisted Chinese company. Financial Times: Senior executives at Google are pushing US officials to exempt it from a ban on exports to Huawei without a licence approved by Washington, according to three people briefed on the conversations. The Trump administration announced the ban after the US-China trade talks collapsed, prompting protests from some of the biggest US technology companies who fear they could get hurt in the fallout. Google in particular is concerned it would not be allowed to update its Android operating system on Huawei's smartphones, which it argues would prompt the Chinese company to develop its own version of the software. Google argues a Huawei-modified version of Android would be more susceptible to being hacked, according to people briefed on its lobbying efforts. Huawei has said it would be able to develop its own operating system "very quickly."

Alan Turing Receives a (Late) Obituary From the NYT

Thu, 06/06/2019 - 15:20
"In recent years, The New York Times has been publishing obituaries of people long dead but who nevertheless would have been deserving of one when they died," writes Slashdot reader necro81. "They call it their 'Overlooked' series. Today, their overlooked figure is British mathematician and prototype computer scientist Alan Turing." Here's an excerpt from the obituary: His genius embraced the first visions of modern computing and produced seminal insights into what became known as "artificial intelligence." As one of the most influential code breakers of World War II, his cryptology yielded intelligence believed to have hastened the Allied victory. But, at his death several years later, much of his secretive wartime accomplishments remained classified, far from public view in a nation seized by the security concerns of the Cold War. Instead, by the narrow standards of his day, his reputation was sullied. On June 7, 1954, Alan Turing, a British mathematician who has since been acknowledged as one of the most innovative and powerful thinkers of the 20th century -- sometimes called the progenitor of modern computing -- died as a criminal, having been convicted under Victorian laws as a homosexual and forced to endure chemical castration. Britain didn't take its first steps toward decriminalizing homosexuality until 1967. Only in 2009 did the government apologize for his treatment. [...] A coroner determined that he had died of cyanide poisoning and that he had taken his own life "while the balance of his mind was disturbed."

Germany: Backdoor Found in Four Smartphone Models; 20,000 Users Infected

Thu, 06/06/2019 - 12:45
An anonymous reader shares a report: The German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik -- BSI) has issued security alerts today warning about dangerous backdoor malware found embedded in the firmware of at least four smartphone models sold in the country. Impacted models include the Doogee BL7000, the M-Horse Pure 1, the Keecoo P11, and the VKworld Mix Plus (malware present in the firmware, but inactive). All four are low-end Android smartphones. The BSI said the phones' firmware contained a backdoor trojan named Andr/Xgen2-CY.