Slashdot security articles


Disney's Video Streaming Service Hotstar Halts Support for Safari Browser

Mon, 06/10/2019 - 06:40
Hotstar, India's largest video streaming service with more than 300 million users, disabled support for Apple's Safari web browser last week to mitigate a security flaw that allowed unauthorized usage of its platform, TechCrunch reports, citing sources. From the report: As users began to complain about not being able to use Hotstar on Safari, the company's official support account asserted that "technical limitations" on Apple's part were the bottleneck. "These limitations have been from Safari; there is very little we can do on this," the account tweeted Friday evening. Sources at Hotstar told TechCrunch that this was not an accurate description of the event. Instead, the company's engineers had identified a security hole that was being exploited by unauthorized users to access and distribute Hotstar's content -- including the premium catalog. Hotstar, which holds the global record for most concurrent views on a live event, is operated by Star India, a media conglomerate in India that was part of 20th Century Fox, which Disney acquired earlier this year.

A Wave of SIM Swapping Attacks Targets Cryptocurrency Users

Sun, 06/09/2019 - 13:40
"Numerous members of the cryptocurrency community have been hit by SIM swapping attacks over the past week," ZDNet reported Monday, "in what appears to be a coordinated wave of attacks." SIM swapping, also known as SIM jacking, is a type of ATO (account takeover) attack during which a malicious threat actor uses various techniques (usually social engineering) to transfer a victim's phone number to their own SIM card. The purpose of this attack is so that hackers can reset passwords or receive 2FA verification codes and access protected accounts.... [D]espite a period of calm in the first half of the year, a rash of SIM swapping attacks has been reported in the second half of May, and especially over the past week... Some candidly admitted to losing funds, while others said the SIM swapping attacks were unsuccessful because they switched to using hardware security tokens to protect accounts, instead of the classic SMS-based 2FA system.

Are Amazon's 'Ring' Doorbells Creating A Massive Police Surveillance Network?

Sun, 06/09/2019 - 11:41
"Police departments are piggybacking on Ring's network to build out their surveillance networks..." reports CNET, adding that Ring "helps police avoid roadblocks for surveillance technology, whether a lack of funding or the public's concerns about privacy." While residential neighborhoods aren't usually lined with security cameras, the smart doorbell's popularity has essentially created private surveillance networks powered by Amazon and promoted by police departments. Police departments across the country, from major cities like Houston to towns with fewer than 30,000 people, have offered free or discounted Ring doorbells to citizens, sometimes using taxpayer funds to pay for Amazon's products. While Ring owners are supposed to have a choice on providing police footage, in some giveaways, police require recipients to turn over footage when requested. Ring said Tuesday that it would start cracking down on those strings attached... While more surveillance footage in neighborhoods could help police investigate crimes, the sheer number of cameras run by Amazon's Ring business raises questions about privacy involving both law enforcement and tech giants... More than 50 local police departments across the US have partnered with Ring over the last two years, lauding how the Amazon-owned product allows them to access security footage in areas that typically don't have cameras -- on suburban doorsteps. But privacy advocates argue this partnership gives law enforcement an unprecedented amount of surveillance. "What we have here is a perfect marriage between law enforcement and one of the world's biggest companies creating conditions for a society that few people would want to be a part of," said Mohammad Tajsar, staff attorney at the ACLU of Southern California... Despite its benefits, the relationship between police departments and Ring raises concerns about surveillance and privacy, as Amazon is working with law enforcement to blanket communities with cameras.... 
"Essentially, we're creating a culture where everybody is the nosy neighbor looking out the window with their binoculars," said Dave Maass, a senior investigative researcher at the Electronic Frontier Foundation. "It is creating this giant pool of data that allows the government to analyze our every move, whether or not a crime is being committed." On a heat map of Bloomfield, there are hardly any spots in the New Jersey township out of sight of a Ring camera. Tajsar says in some scenarios "they're basically commandeering people's homes as surveillance outposts for law enforcement," and the article notes that when police departments partner with Ring, "they have access to a law enforcement dashboard, where they can geofence areas and request footage filmed at specific times." While law enforcement "can only get footage from the app if residents choose to send it," if the residents refuse, police can still try to obtain the footage with a subpoena to Amazon's Ring.

'Java Web Start Is Dead. Long Live Java Web Start!'

Sun, 06/09/2019 - 08:34
An anonymous reader reminded us about the open source reimplementation of Java Web Start, a framework originally developed by Sun Microsystems that allowed users to more easily run Java applications in an applet-like sandbox using a web browser. From OpenWebStart.com: Java Web Start (JWS) was deprecated in Java 9, and starting with Java 11, Oracle removed JWS from their JDK distributions. This means that clients that have the latest version of Java installed can no longer use JWS-based applications. And since public support of Java 8 has ended in Q2/2019, companies no longer get any updates and security fixes for Java Web Start. This is why we decided to create OpenWebStart, an open source reimplementation of the Java Web Start technology. Our replacement will provide the most commonly used features of Java Web Start and the JNLP standard, so that your customers can continue using applications based on Java Web Start and JNLP without any change. Red Hat is apparently involved in its parent project, IcedTea-Web, which it distributes as part of their Windows OpenJDK distribution.

How npm Stopped a Malicious Upstream Code Update From Stealing Cryptocurrency

Sat, 06/08/2019 - 12:34
"If you're a cryptocurrency startup, would you face a huge backlash by hacking your own customers to keep their funds safe if you know that a hacker is about to launch an attack and steal their funds?" asks ZDNet: This is exactly what happened yesterday when the Komodo Platform learned about a backdoor in one of its older wallet apps named Agama. Knowing they had little time to act, the Komodo team said it used the same backdoor to extract users' funds from all impacted wallets and move them to a safe location, out of the hacker's reach. The tactic paid off, and 8 million Komodo coins and 96 bitcoins, worth nearly $13 million, were taken from users' vulnerable accounts before the hacker could get a chance to abuse the backdoor and steal users' funds... While initially it did not make any sense for a library with a very limited feature set to contain such advanced functionality, after investigating the issue, npm staffers realized they were dealing with a supply-chain attack aimed at another app downstream, which was using the now-backdoored library... The npm team said the malicious code would work as intended and collect Agama wallet app seeds and passphrases, and upload the data to a remote server. These malicious-payload updates are "becoming more and more popular," according to a post on the official npm blog (a point they later emphasized in a press release). "After being notified by our internal security tooling of this threat we responded by notifying and coordinating with Komodo to protect their users as well as remove the malware from npm."

Large 'GoldBrute' RDP Botnet Hunts For Exposed Servers With Weak Passwords

Sat, 06/08/2019 - 10:34
The Internet Storm Center reports: RDP, the remote desktop protocol, made the news recently after Microsoft patched a critical remote code execution vulnerability (CVE-2019-0708). While the reporting around this "Bluekeep" vulnerability focused on patching vulnerable servers, exposing RDP to the Internet has never been a good idea. Botnets have been scanning for these servers and are using weak and reused passwords to gain access to them. The latest example of such a botnet is an ongoing malicious campaign we are referring to as "GoldBrute". This botnet is currently brute forcing a list of about 1.5 million RDP servers exposed to the Internet... Each bot will only try one particular username and password per target. This is possibly a strategy to fly under the radar of security tools, as each authentication attempt comes from a different address. Long-time Slashdot reader UnderAttack writes: Infected systems will retrieve target lists from the command and control server and attempt to brute force credentials against the list, while at the same time looking for more exposed servers. With all the attention spent on patching RDP servers for the recent "BlueKeep" vulnerability, users should also make sure to just not expose RDP in the first place. Even patched, it will still be susceptible to brute forcing.
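The one-attempt-per-bot strategy described above defeats the usual "N failures from one source" rule, since every source shows up exactly once. The following detection logic is an added example written for this page (not ISC's or anyone's tooling); it flags a target that collects failed logons from many distinct addresses inside one window with no address repeating, and contrasts that with the per-source rule. The log format and the sample lines are constructed (addresses from the RFC 5737 documentation ranges).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RDP authentication log lines (not real data).
# Assumed format for this example:
#   <ISO timestamp> <target host> <source ip> <username> <OK|FAIL>
SAMPLE_LOG = """\
2019-06-08T10:00:01 rdp-host-1 198.51.100.11 administrator FAIL
2019-06-08T10:00:09 rdp-host-1 198.51.100.12 admin FAIL
2019-06-08T10:00:15 rdp-host-1 203.0.113.5 user FAIL
2019-06-08T10:00:31 rdp-host-1 203.0.113.77 administrator FAIL
2019-06-08T10:00:44 rdp-host-1 192.0.2.200 guest FAIL
2019-06-08T10:01:02 rdp-host-1 192.0.2.201 admin FAIL
2019-06-08T10:01:20 rdp-host-1 198.51.100.99 test FAIL
2019-06-08T10:01:33 rdp-host-1 203.0.113.140 administrator FAIL
2019-06-08T10:05:00 rdp-host-2 192.0.2.50 alice FAIL
2019-06-08T10:05:04 rdp-host-2 192.0.2.50 alice FAIL
2019-06-08T10:05:09 rdp-host-2 192.0.2.50 alice OK
2019-06-08T10:07:00 rdp-host-3 198.51.100.7 bob OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Yield (timestamp, target, source_ip, user, success) per well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # skip malformed lines instead of aborting the whole run
            continue
        ts, target, src, user, result = m.groups()
        yield datetime.fromisoformat(ts), target, src, user, result == "OK"


def per_source_alerts(text, threshold=5):
    """Classic rule: flag a (target, source) pair with >= threshold failures.
    A botnet that sends one attempt per source never trips this rule."""
    counts = defaultdict(int)
    for _, target, src, _, ok in parse_log(text):
        if not ok:
            counts[(target, src)] += 1
    return sorted(key for key, n in counts.items() if n >= threshold)


def distributed_bruteforce_alerts(text, window=timedelta(minutes=10),
                                  min_sources=5, max_per_source=1):
    """Flag targets that, within one window, receive failed logons from at least
    min_sources distinct addresses with no address exceeding max_per_source
    attempts. Returns {target: (distinct_sources, usernames_tried)}."""
    failures = defaultdict(list)
    for ts, target, src, user, ok in parse_log(text):
        if not ok:
            failures[target].append((ts, src, user))
    alerts = {}
    for target, events in failures.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            by_src = defaultdict(int)
            for _, src, _ in in_window:
                by_src[src] += 1
            if len(by_src) >= min_sources and max(by_src.values()) <= max_per_source:
                users = sorted({u for _, _, u in in_window})
                alerts[target] = (len(by_src), users)
                break  # one alert per target is enough
    return alerts


if __name__ == "__main__":
    print("per-source rule:", per_source_alerts(SAMPLE_LOG))
    print("distributed rule:", distributed_bruteforce_alerts(SAMPLE_LOG))
```

With the sample, the per-source rule stays silent while the distributed rule reports rdp-host-1 with eight distinct sources, which is the signal worth alerting on for an RDP endpoint that should not be Internet-facing at all.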

Malware Spotted Injecting Bing Results Into Google Searches

Fri, 06/07/2019 - 17:30
A new strain of malware intercepts and tampers with internet traffic on infected Apple Macs to inject Bing results into users' Google search results. The Register reports: A report out this month by security house AiroAV details how its bods apparently spotted a software nasty that configures compromised macOS computers to route the user's network connections through a local proxy server that modifies Google search results. In this latest case, it is claimed, the malware masquerades as an installer for an Adobe Flash plugin -- delivered perhaps by email or a drive-by download -- that the user is tricked into running. This bogus installer asks the victim for their macOS account username and password, which it can use to gain sufficient privileges to install a local web proxy and configure the system so that all web browser requests go through it. That proxy can meddle with unencrypted data as it flows in and out to and from the public internet. A root security certificate is also added to the Mac's keychain, giving the proxy the ability to generate SSL/TLS certs on the fly for websites requested. This allows it to potentially intercept and tamper with encrypted HTTPS traffic. This man-in-the-middle eavesdropping works against HTTP websites, and any HTTPS sites that do not employ MITM countermeasures. When the user opens their browser and attempts to run a Google search on an infected Mac, the request is routed to the local proxy, which injects into the Google results page an HTML iframe containing fetched Bing results for the same query, weirdly enough. As for why, "it's believed the Bing results bring in web ads that generate revenue for the malware's masterminds," the report says.

Want Someone's Personal Data? Give Them a Free Donut

Fri, 06/07/2019 - 10:50
Technology services provider Probrand has carried out a study at a cyber expo attended by UK security professionals, where attendees voluntarily shared sensitive data including their name, date of birth and favourite football team -- all to get their hands on a free donut. From a report: "We wanted to put this theory to the test and see just how willing people were to give up their data," says Mark Lomas, technical architect at Probrand. "We started by asking conversational questions such as 'How are you finding the day? Got any plans for after the event?' If someone happened to mention they were collecting their kids from school, we then asked what their names and ages were. One individual even showed a photograph of their children." As part of the task, Probrand also asked more direct questions such as, 'Which football team do you support?', 'What type of music are you into?' and 'What is your favourite band?' Whether asking questions transparently as part of a survey, or trying to adopt more hacker-type methods, they were alarmed to find how easy it was to obtain personal data -- which many people may be using as the basis of their passwords.

Google Warns of US National Security Risks From Huawei Ban

Fri, 06/07/2019 - 06:40
Google has warned the Trump administration it risks compromising US national security if it pushes ahead with sweeping export restrictions on Huawei [Editor's note: the link may be paywalled; alternative source], as the technology group seeks to continue doing business with the blacklisted Chinese company. Financial Times: Senior executives at Google are pushing US officials to exempt it from a ban on exports to Huawei without a licence approved by Washington, according to three people briefed on the conversations. The Trump administration announced the ban after the US-China trade talks collapsed, prompting protests from some of the biggest US technology companies who fear they could get hurt in the fallout. Google in particular is concerned it would not be allowed to update its Android operating system on Huawei's smartphones, which it argues would prompt the Chinese company to develop its own version of the software. Google argues a Huawei-modified version of Android would be more susceptible to being hacked, according to people briefed on its lobbying efforts. Huawei has said it would be able to develop its own operating system "very quickly."

Alan Turing Receives a (Late) Obituary From the NYT

Thu, 06/06/2019 - 15:20
"In recent years, The New York Times has been publishing obituaries of people long dead but who nevertheless would have been deserving of one when they died," writes Slashdot reader necro81. "They call it their 'Overlooked' series. Today, their overlooked figure is British mathematician and prototype computer scientist Alan Turing." Here's an excerpt from the obituary: His genius embraced the first visions of modern computing and produced seminal insights into what became known as "artificial intelligence." As one of the most influential code breakers of World War II, his cryptology yielded intelligence believed to have hastened the Allied victory. But, at his death several years later, much of his secretive wartime accomplishments remained classified, far from public view in a nation seized by the security concerns of the Cold War. Instead, by the narrow standards of his day, his reputation was sullied. On June 7, 1954, Alan Turing, a British mathematician who has since been acknowledged as one of the most innovative and powerful thinkers of the 20th century -- sometimes called the progenitor of modern computing -- died as a criminal, having been convicted under Victorian laws as a homosexual and forced to endure chemical castration. Britain didn't take its first steps toward decriminalizing homosexuality until 1967. Only in 2009 did the government apologize for his treatment. [...] A coroner determined that he had died of cyanide poisoning and that he had taken his own life "while the balance of his mind was disturbed."

Germany: Backdoor Found in Four Smartphone Models; 20,000 Users Infected

Thu, 06/06/2019 - 12:45
An anonymous reader shares a report: The German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik -- BSI) has issued security alerts today warning about dangerous backdoor malware found embedded in the firmware of at least four smartphone models sold in the country. Impacted models include the Doogee BL7000, the M-Horse Pure 1, the Keecoo P11, and the VKworld Mix Plus (malware present in the firmware, but inactive). All four are low-end Android smartphones. The BSI said the phones' firmware contained a backdoor trojan named Andr/Xgen2-CY.

New RCE Vulnerability Impacts Nearly Half of the Internet's Email Servers

Thu, 06/06/2019 - 05:00
An anonymous reader quotes a report from ZDNet: A critical remote command execution (RCE) security flaw impacts over half of the Internet's email servers, security researchers from Qualys have revealed today. The vulnerability affects Exim, a mail transfer agent (MTA), which is software that runs on email servers to relay emails from senders to recipients. According to a June 2019 survey of all mail servers visible on the Internet, 57% (507,389) of all email servers run Exim -- although different reports would put the number of Exim installations at ten times that number, at 5.4 million. In a security alert shared with ZDNet earlier today, Qualys, a cyber-security firm specialized in cloud security and compliance, said it found a very dangerous vulnerability in Exim installations running versions 4.87 to 4.91. The vulnerability is described as a remote command execution -- different, but just as dangerous as a remote code execution flaw -- that lets a local or remote attacker run commands on the Exim server as root. Qualys said the vulnerability can be exploited instantly by a local attacker that has a presence on an email server, even with a low-privileged account. But the real danger comes from remote hackers exploiting the vulnerability, who can scan the internet for vulnerable servers, and take over systems. The vulnerability was patched with Exim 4.92, on February 10, 2019, "but at the time the Exim team released v4.92, they didn't know they fixed a major security hole," reports ZDNet. "This was only recently discovered by the Qualys team while auditing older Exim versions. Now, Qualys researchers are warning Exim users to update to the 4.92 version to avoid having their servers taken over by attackers."

The Ambitious Plan To Reinvent How Websites Get Their Names

Thu, 06/06/2019 - 02:00
When you type in a URL to your browser and press "enter," your browser sends that name to a network of computers called the Domain Name System (DNS), which converts it into IP addresses. These numbers are what allow your browser to find the right server on the internet and connect to it. When you navigate to a website, you are trusting a handful of organizations that have been charged with keeping the DNS working and secure. "To people like Steven McKie, a developer for and investor in an open-source project called the Handshake Network, this centralized power over internet naming makes the internet vulnerable to both censorship and cyberattacks," reports MIT Technology Review. "Handshake wants to decentralize it by creating an alternative naming system that nobody controls. In doing so, it could help protect us from hackers trying to exploit the DNS's security weaknesses, and from governments hoping to use it to block free expression." From the report: The system would be based on blockchain technology, meaning it would be software that runs on a widely distributed network of computers. In theory, it would have no single point of failure and depend on no human-run organization that could be corrupted or co-opted. Handshake's software is a heavily modified version ("fork") of Bitcoin, and just as Bitcoin's network of miners protects the cryptocurrency from manipulation and makes it virtually impossible for authorities to shut down, a similar network could keep a permanent, censorship-resistant record of internet names. The Handshake team is far from the first to try to create a decentralized naming system for the web. But unlike previous efforts, Handshake isn't trying to replace DNS but work with it. Besides ICANN, there's yet another class of organization whose job Handshake aims to decentralize. See that little padlock icon in your browser bar, to the left of the domain name?
That means your computer has verified that your connection to this website is encrypted and that the site is authentic, not a fake one designed by a criminal trying to steal your login credentials. It does that by checking the veracity of a string of numbers called the site's digital certificate, issued by one of a number of so-called certificate authorities. These entities, many of which are for-profit companies, are crucial to internet security. They can also get hacked. And if one gets breached, and an attacker can start issuing fake certificates, it undermines the security of the whole internet. But if website names are managed on a tamper-resistant blockchain, then you don't need certificate authorities; the naming system itself can provide the guarantee that the site you're connected to is real. That's what Handshake aims to do.

Google Launches Android Q Beta 4 With Final APIs and Official SDK

Wed, 06/05/2019 - 14:00
An anonymous reader quotes a report from VentureBeat: Google today launched the fourth Android Q beta with final Android Q APIs and the official SDK. If you're a developer, this is your fourth Android Q preview, and you can start testing your apps against this release by downloading it from developer.android.com/preview. The preview includes system images for the Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, and the official Android Emulator. If you're already enrolled in the beta program, you'll automatically get the update to Beta 4. Like Beta 3, Google is also bringing Android Q Beta 4 to third-party phones "over the coming weeks." The Beta 4 doesn't bring many new features -- it's more about finalizing what was already added, such as the additional privacy and security features, multitasking bubbles, and system-wide dark mode. Google is however "opening publishing on Google Play to apps that are compiled against, or optionally targeting, API 29," the report adds. "You can thus now push updates to users through Google Play to test your app's compatibility, including on devices running Android Q Beta 4."

Software Vendor May Have Opened a Gap For Hackers in 2016 Swing State

Wed, 06/05/2019 - 12:41
A Florida election software company targeted by Russians in 2016 inadvertently opened a potential pathway for hackers to tamper with voter records in North Carolina on the eve of the presidential election, POLITICO reported on Wednesday, citing a document and a person with knowledge. From the report: VR Systems, based in Tallahassee but with customers in eight states, used what's known as remote-access software to connect for several hours to a central computer in Durham County, N.C., to troubleshoot problems with the company's voter list management tool, the person said. The software distributes voter lists to so-called electronic poll books, which poll workers use to check in voters and verify their eligibility to cast a ballot. The company did not respond to POLITICO's requests for comment about its practices. But election security experts widely condemn remote connections to election-related computer systems -- not only because they can open a door for intruders but because they can also give attackers access to an entire network, depending on how they're configured. In Durham County's case, the computer in question communicated with North Carolina's State Board of Elections to download the county's voter list before elections, which could have potentially opened a gateway to the state system as well.

New Report Suggests 'High Likelihood of Human Civilization Coming To an End' Starting in 2050

Wed, 06/05/2019 - 09:21
A harrowing scenario analysis of how human civilization might collapse in coming decades due to climate change has been endorsed by a former Australian defense chief and senior royal navy commander. From a report: The analysis, published by the Breakthrough National Centre for Climate Restoration, a think-tank in Melbourne, Australia, describes climate change as "a near- to mid-term existential threat to human civilization" and sets out a plausible scenario of where business-as-usual could lead over the next 30 years. The paper argues that the potentially "extremely serious outcomes" of climate-related security threats are often far more probable than conventionally assumed, but almost impossible to quantify because they "fall outside the human experience of the last thousand years." On our current trajectory, the report warns, "planetary and human systems [are] reaching a 'point of no return' by mid-century, in which the prospect of a largely uninhabitable Earth leads to the breakdown of nations and the international order."

The EU's Embassy In Russia Was Hacked But The EU Kept It A Secret

Wed, 06/05/2019 - 07:24
The European Union's embassy in Moscow was hacked and had information stolen from its network, according to a leaked internal document seen by BuzzFeed News. From the report: An ongoing "sophisticated cyber espionage event" was discovered in April, just weeks before the European Parliament elections -- but the European External Action Service (EEAS), the EU's foreign and security policy agency, did not disclose the incident publicly. Russian entities are believed to be behind the hack, a source, speaking on condition of anonymity, told BuzzFeed News. The EEAS confirmed an incident had taken place and, asked whether the EU's foreign policy chief Federica Mogherini knew about the incident, said that EEAS hierarchy had been informed. "We have observed potential signs of compromised systems connected to our unclassified network in our Moscow Delegation. Measures have been taken and the investigation is in progress -- at this stage we cannot comment further," a spokesperson said. According to the leaked document, the initial attack took place in February 2017 but it was only detected in April this year. An analysis of the hack found activity affecting at least two computers and concluded that information had been stolen. However, officials have no idea how much and exactly what kind of information was taken during the attack.

Apple Is Now the Privacy-As-A-Service Company

Tue, 06/04/2019 - 13:30
An anonymous reader quotes a report from TechCrunch: Apple's truly transforming into a privacy-as-a-service company, which shows in the way that it's implementing both the new single sign-on account service, as well as its camera and location services updates in iOS 13. The SSO play is especially clever, because it includes a mechanism that will allow developers to still have the relevant info they need to maintain a direct relationship with their users -- provided users willingly sign up to have that relationship, by opting in to either or both name and email sharing. Apple's work with camera providers is also unique -- providing actual on-device analysis of footage captured by third-party partners to deliver things that security device makers have typically offered as a value-add service themselves. That includes apparent identification of visitors to your home, for instance, and sending alerts when it detects people, as well as being able to differentiate that from other kinds of motion. That's going above and beyond simply protecting your data: It's replacing a potential privacy-risk feature with a privacy-minded one, at a service level across an entire category of devices. The new location services feature also makes it possible to provide single-use location permissions to apps, putting all the control with users instead of with service providers. "Other new features, including HomeKit firewalling of specific services and devices, are similar in tone, and likely indicate what Apple intends to do more of in the future," the report adds. "Combined with its existing efforts, this begins to paint a picture of where Apple plans to play in offering a comprehensive consumer services product that is substantially differentiated from similar offerings by Google and others."

SEC Sues Kik Over $100 Million ICO

Tue, 06/04/2019 - 10:53
The Securities and Exchange Commission sued Kik for illegally raising $100 million through a 2017 digital-token sale, in one of its highest profile cases targeting a company for not registering an offering with the regulator. From a report: After losing money for years on its sole product, an online-messaging application, Kik raised more than $55 million from U.S. investors by selling a digital token called Kin without the proper disclosures, the SEC said in a Tuesday court filing. The agency is seeking unspecified monetary penalties. "Companies do not face a binary choice between innovation and compliance with the federal securities laws," said Steven Peikin, co-head of the SEC's enforcement division. Kik was among the biggest initial coin offerings in the past two years and has prominent backers. Venture capitalist Fred Wilson defended the Kin digital currency in a blog post, saying it is not a security.

Russia Says Tinder Must Share User Data, Private Messages

Tue, 06/04/2019 - 08:50
An anonymous reader writes: The Russian government has added dating service Tinder to a government database that legally forces the company to hand over user data and private communications to the country's law enforcement and intelligence agencies. The database is called ORI, or the Register of Information Dissemination Organizations. According to Russian laws 97-FZ and 374-FZ, companies added to this database must hand over data to Russian police or Russian intelligence agencies like the FSB, upon request, with or without a court order, in order to help with investigations into terrorist and national security cases. Prior to today, the ORI database contained 175 companies, from both Russia and foreign countries. Tinder's addition to the ORI database was announced earlier today in a press release published by Roskomnadzor, the Russian government's telecommunications watchdog, and the agency in charge of maintaining ORI. According to Roskomsvoboda, a Russian non-governmental organization for the protection of digital rights of Internet users, Tinder is the fourth dating service added to ORI, after Mamba, Wamba, and Badoo's dating portal.