Slashdot security articles


Egypt Government Used Gmail Third-Party Apps To Phish Activists

Thu, 03/07/2019 - 16:03
An anonymous reader quotes a report from ZDNet: Members of Amnesty International say that Egyptian authorities are behind a recent wave of spear-phishing attacks that have targeted prominent local human rights defenders, media, and civil society organizations' staff. The attacks used a relatively new spear-phishing technique called "OAuth phishing," Amnesty experts said. OAuth phishing is when attackers aim to steal a user account's OAuth token instead of the account password. When a user grants a third-party app the right to access their account, the app receives an OAuth token instead of the user's password. These tokens work as authorization until the user revokes their access. Amnesty investigators said that in the recent spear-phishing campaign that targeted Egyptian activists, authorities created Gmail third-party apps through which they gained access to victims' accounts. Victims would receive an email that looked like a legitimate Gmail security alert. But when they clicked the link, they'd be redirected to a page where a third-party app would request access to their account. Once the victim granted the app access to their Gmail account, the user would be redirected to the account's legitimate security settings page where they'd be left to change their password. Even if the victim changes their password, at this point, the phishers would still have access to the account via the newly acquired OAuth token. The Amnesty International report says the spear-phishing campaign also targeted Yahoo, Outlook and Hotmail users.

Google's Project Zero Team Releases Details On High-Severity macOS Bug 'BuggyCow'

Thu, 03/07/2019 - 15:20
Google's bug-hunting researchers known as Project Zero have revealed a fresh zero-day vulnerability in macOS called "BuggyCow." "The attack takes advantage of an obscure oversight in Apple's protections on its machines' memory to enable so-called privilege escalation, allowing a piece of malware with limited privileges to, in some cases, pierce into deeper, far more trusted parts of a victim's Mac," reports Wired. "The trick's name is based on a loophole the hackers found in the so-called copy-on-write, or CoW, protection built into how MacOS manages a computer's memory." From the report: Some programs, when dealing with large quantities of data, use an efficiency trick that leaves data on a computer's hard drive rather than potentially clog up resources by pulling it into memory. That data, like any data in a computer's memory, can sometimes be used by multiple processes at once. The MacOS memory manager keeps a map of its physical location to help coordinate, but if one of those processes tries to change the data, the memory manager's copy-on-write safeguard requires it to make its own copy. Which is to say, a program can't simply change the data shared by all the other processes -- some of which could be more highly privileged, sensitive programs than the one requesting the change. Google's BuggyCow trick, however, takes advantage of the fact that when a program mounts a new file system on a hard drive -- basically loading a whole collection of files rather than altering just one -- the memory manager isn't warned. So a hacker can unmount a file system, remount it with new data, and in doing so silently replace the information that some sensitive, highly privileged code is using. Technically, as a zero-day vulnerability with no patch in sight, BuggyCow applies to anyone with an Apple laptop or desktop. But given the technical skill and access needed to pull it off, you shouldn't lose much sleep over it. 
To even start carrying out this Rube Goldberg-style attack, a hacker would need a victim to already have some form of malware running on their computer. And while BuggyCow would allow that malware to potentially mess with the inner workings of higher-privileged parts of the computer, it could do so only if it found a highly privileged program that kept its sensitive data on the hard drive rather than memory. Project Zero says it warned Apple about BuggyCow back in November, but Apple hadn't acted to patch it ahead of last week's public reveal.

Philadelphia Bans Cashless Stores

Thu, 03/07/2019 - 13:25
An anonymous reader quotes a report from Ars Technica: This week, Philadelphia's mayor signed a bill that would ban cashless retail stores, according to The Morning Call. The move makes Philadelphia the first major city to require that brick-and-mortar retail stores accept cash. Besides Philadelphia, Massachusetts has required that retailers accept cash since 1978, according to CBS. The law takes effect July 1, and it will not apply to stores like Costco that require a membership, nor will it apply to parking garages or lots, or to hotels or rental car companies that require a credit or debit card as security for future charges, according to the Wall Street Journal. Retailers caught refusing cash can be fined up to $2,000. Amazon, whose new Amazon Go stores are cashless and queue-less, reportedly pushed back against the new law, asking for an exemption. According to the WSJ, Philadelphia lawmakers said that Amazon could work around the law under the exemption for stores that require a membership to shop there, but Amazon told the city that a Prime membership is not required to shop at Amazon Go stores, so its options are limited. A top official in Philadelphia's Chamber of Commerce said that the ban will prevent Philadelphia from modernizing with the rest of the country. Cashless companies argue that cash slows down transactions when change needs to be counted and creates security risks for employees locking up at the end of the night. Supporters of the new law argue that "not accepting cash hurts poorer residents who may not be able to afford or qualify for a credit card or who want to avoid fees that come with changing cash into a prepaid debit card," reports Ars. "Additionally, privacy advocates say that being forced to use a digital form of payment to buy things is a de facto requirement to share records of their purchases with third-party companies."

Bruce Schneier: It's Time For Technologists To Become Lawmakers

Thu, 03/07/2019 - 06:00
Bruce Schneier, a well-known security guru, this week called on technologists to become lawmakers and policy makers so countries can deal with issues such as the governance of artificial intelligence and cybersecurity. From a report: "The future is coming," Schneier said, speaking at the RSA security conference in San Francisco. "It's coming faster than we think. And it's coming faster than our existing policy tools can deal with. And the only way to fix this is to develop a new set of policy tools. With the help of the technologists, you understand the technologies." The issues are a lot larger than just computer security. Schneier wants more public interest technologists in all areas. [...] We saw the policy makers and technologists talk past each other when the FBI wanted Apple to break into an iPhone that belonged to a terrorist shooting suspect, Schneier said. The debate over Edward Snowden's disclosure of the National Security Agency's eavesdropping programs was another flash point. The need for policy makers to understand technology is clear. "This is no different than any other part of our complex world," he said. "We don't expect legislators to be experts in everything. We expect them to get and accept expertise. The second thing we need is for technologists to get involved in policy, and what we need is more public interest technologists" -- those who focus on social justice, the common good, and the public interest.

The Prototype iPhones That Hackers Use To Research Apple's Most Sensitive Code

Wed, 03/06/2019 - 15:01
Hackers and security researchers use rare "dev-fused" iPhones created for internal use at Apple to bypass Apple's protections and security features to uncover iPhone vulnerabilities and other sensitive info, Motherboard reported Wednesday, citing two dozen security researchers, current and former Apple employees, rare phone collectors, and members of the iPhone jailbreaking community. From the report: These rare iPhones have many security features disabled, allowing researchers to probe them much more easily than the iPhones you can buy at a store. Since the Black Hat talk, dev-fused iPhones have become a tool that security researchers around the world use to find previously unknown iPhone vulnerabilities (known as zero days), Motherboard has learned. Dev-fused iPhones, which were never intended to escape Apple's production pipeline, have made their way to the gray market, where smugglers and middlemen sell them for thousands of dollars to hackers and security researchers. Using the information gleaned from probing a dev-fused device, researchers can sometimes parlay what they've learned into developing a hack for the normal iPhones hundreds of millions of people own.

Microsoft Open-Sources Windows Calculator

Wed, 03/06/2019 - 10:59
Microsoft said today it has made the source code for its Windows calculator available on GitHub. The company said it hopes to work with contributors to improve the user experience of Windows calculator. In a statement, Dave Grochocki and Howard Wolosky of Microsoft said: Today, we're excited to announce that we are open sourcing Windows Calculator on GitHub under the MIT License. This includes the source code, build system, unit tests, and product roadmap. Our goal is to build an even better user experience in partnership with the community. We are encouraging your fresh perspectives and increased participation to help define the future of Calculator. As developers, if you would like to know how different parts of the Calculator app work, easily integrate Calculator logic or UI into your own applications, or contribute directly to something that ships in Windows, now you can. Calculator will continue to go through all usual testing, compliance, security, quality processes, and Insider flighting, just as we do for our other applications.

NSA Releases Ghidra, a Free Software Reverse Engineering Toolkit

Wed, 03/06/2019 - 06:40
An anonymous reader writes: At the RSA security conference this week, the National Security Agency released Ghidra, a free software reverse engineering tool that the agency had been using internally for well over a decade. The tool is ideal for software engineers, but will be especially useful for malware analysts first and foremost, being similar to other reverse engineering tools like IDA Pro, Hopper, HexRays, and others. The NSA's general plan was to release Ghidra so security researchers can get used to working with it before applying for positions at the NSA or other government intelligence agencies with which the NSA has previously shared Ghidra in private. Ghidra is currently available for download only through its official website, but the NSA also plans to release its source code under an open source license in the coming future.

FBI Director Christopher Wray On Encryption: We Can't Have an 'Entirely Unfettered Space Beyond the Reach of Law Enforcement'

Tue, 03/05/2019 - 16:03
An anonymous reader quotes a report from CNET: Encryption should have limits. That's the message FBI Director Christopher Wray had for cybersecurity experts Tuesday. The technology that scrambles up information so only intended recipients can read it is useful, he said, but it shouldn't provide a playground for criminals where law enforcement can't reach them. "It can't be a sustainable end state for there to be an entirely unfettered space that's utterly beyond law enforcement for criminals to hide," Wray said during a live interview at the RSA Conference, a major cybersecurity gathering in San Francisco. His comments are part of a back-and-forth between government agencies and security experts over the role of encryption technology in public safety. Agencies like the FBI have repeatedly voiced concerns like Wray's, saying encryption technology locks them out of communications between criminals. Cybersecurity experts say the technology is crucial for keeping data and critical computer systems safe from hackers. Letting law enforcement access encrypted information just creates a backdoor hackers will ultimately exploit for evil deeds, they say. Wray, a former assistant attorney general in the U.S. Department of Justice who counts among his biggest cases prosecutions against Enron officials, acknowledged Tuesday that encryption is "a provocative subject." As the leader of the nation's top law enforcement agency, though, he's focused on making sure the government can carry out criminal investigations. Hackers in other countries should expect more investigations and indictments, Wray said. "We're going to follow the facts wherever they lead, to whomever they lead, no matter who doesn't like it," he said. To applause, he added, "I don't really care what some foreign government has to say about it."

Why 'ji32k7au4a83' is a Remarkably Common Password

Tue, 03/05/2019 - 12:05
A seemingly complex set of characters like "ji32k7au4a83" is a very common password among users, it turns out. From a report: This interesting bit of trivia comes from self-described hardware/software engineer Robert Ou, who recently asked his Twitter followers if they could explain why this seemingly random string of numbers has been seen by Have I Been Pwned (HIBP) over a hundred times. Have I Been Pwned is an aggregator that was started by security expert Troy Hunt to help people find out if their email or personal data has shown up in any prominent data breaches. One service it offers is a password search that allows you to check if your password has shown up in any data breaches that are on the radar of the security community. In this case, "ji32k7au4a83" has been seen by HIBP in 141 breaches. Several of Ou's followers quickly figured out the solution to his riddle. The password is coming from the Zhuyin Fuhao system for transliterating Mandarin. The reason it's showing up fairly often in a data breach repository is because "ji32k7au4a83" translates to English as "my password."

Exploit Vendor Zerodium Announces Big Rewards For Cloud Zero-Days

Tue, 03/05/2019 - 10:48
Exploit vendor Zerodium said today it would pay up to $500,000 for zero-days in popular cloud products and services such as Microsoft's Hyper-V and (Dell) VMware's vSphere. From a report: Both Hyper-V and vSphere are what experts call virtualization software, also called hypervisors -- software that lets a single "host" server create and run one or more virtual "guest" operating systems. Virtualization software is often found in cloud-powered data centers. Hyper-V is the technology at the core of Microsoft's Azure cloud computing platform, while VMware's vSphere is used by Amazon Web Services and SAP. With cloud services growing in adoption, especially for hosting websites and crucial IT infrastructure, the importance of both technologies has been slowly increasing in recent years. This paradigm shift hasn't gone unnoticed in the exploit market, where Zerodium -- a Washington, DC-based exploit vendor -- is by far the leading company. In a tweet earlier today, Zerodium announced plans to pay up to $500,000 for fully-working zero-days in Hyper-V and vSphere that would allow an attacker to escape from the virtualized guest operating system to the host server's OS.

Vladimir Putin Wants His Own Internet

Tue, 03/05/2019 - 10:11
A bill that's progressing through Russia's legislature could grant local authorities deeper control over internet access. The so-called "Sovereign Internet" bill seeks to set up a centralized hub officials can use to manage the flow of information in the nation. From a report: Putin is touting the initiative as a defensive response to the Trump Administration's new cyber strategy, which permits offensive measures against Russia and other designated adversaries. But industry insiders, security experts and even senior officials say political upheaval is the bigger concern. "This law isn't about foreign threats, or banning Facebook and Google, which Russia can already do legally," said Andrei Soldatov, author of "The Red Web: The Kremlin's Wars on the Internet" and co-founder of Agentura.ru, a site that tracks the security services. "It's about being able to cut off certain types of traffic in certain areas during times of civil unrest."

All Intel Chips Open To New 'Spoiler' Non-Spectre Attack

Tue, 03/05/2019 - 07:25
Spoiler is the newest speculative attack affecting Intel's micro-architecture. From a report: Like the Spectre and Meltdown attacks revealed in January 2018, Spoiler also abuses speculative execution in Intel chips to leak secrets. However, it targets a different area of the processor called the Memory Order Buffer, which is used to manage memory operations and is tightly coupled with the cache. Researchers from Worcester Polytechnic Institute, Massachusetts, and the University of Lubeck in north Germany detail the attack in a new paper, 'Spoiler: Speculative load hazards boost Rowhammer and cache attacks'. The paper [PDF] was released this month and spotted by The Register. The researchers explain that Spoiler is not a Spectre attack, so it is not affected by Intel's mitigations for it, which otherwise can prevent other Spectre-like attacks such as SplitSpectre.

Researchers Uncover Ring of GitHub Accounts Promoting 300+ Backdoored Apps

Tue, 03/05/2019 - 06:01
An anonymous reader writes: A security researcher has uncovered a ring of malicious GitHub accounts promoting over 300 backdoored Windows, Mac, and Linux applications and software libraries. The malicious apps contained code to gain boot persistence on infected systems and later download other malicious code -- which appeared to be a "sneaker bot," a piece of malware that would add infected systems to a botnet that would later participate in online auctions for limited edition sneakers. All the GitHub accounts that were hosting these files -- backdoored versions of legitimate apps -- have now been taken down. One account, in particular, registered in the name of Andrew Dunkins, hosted 305 backdoored ELF binaries. Another 73 apps were hosted across 88 other accounts.

Firefox Fears UAE Government's Cybersecurity Company 'DarkMatter' May Be Tied To a Cyber Espionage Program

Tue, 03/05/2019 - 05:00
An anonymous reader quotes a report from Patently Apple: Firefox browser-maker Mozilla is considering whether to block cybersecurity company DarkMatter from serving as one of its internet security gatekeepers after a Reuters report linked the United Arab Emirates-based firm to a cyber espionage program. Reuters reported in January that DarkMatter provided staff for a secret hacking operation, codenamed Project Raven, on behalf of an Emirati intelligence agency. The unit was largely comprised of former U.S. intelligence officials who conducted offensive cyber operations for the UAE government. Former Raven operatives told Reuters that many DarkMatter executives were unaware of the secretive program, which operated from a converted Abu Dhabi mansion away from DarkMatter's headquarters. Those operations included hacking into the internet accounts of human rights activists, journalists and officials from rival governments, Reuters found. DarkMatter has denied conducting the operations and says it focuses on protecting computer networks. While Mozilla had been considering whether to grant DarkMatter the authority to certify websites as safe, two Mozilla executives said in an interview last week that Reuters' report raised concerns about whether DarkMatter would abuse that authority. Mozilla said the company has not yet come to a decision on whether to deny the authority to DarkMatter, but expects to decide within weeks. Further reading available via Reuters