Slashdot security articles


Software Executive Exploits ATM Loophole To Steal $1 Million

Tue, 02/05/2019 - 14:50
An anonymous reader quotes a report from ZDNet: A Chinese software manager has been sentenced after being found guilty of stealing approximately $1 million from Huaxia Bank ATMs containing security weaknesses. The 43-year-old former manager employed in Huaxia Bank's software and technology development center spotted a "loophole" in the bank's core operating system which offered an unrecorded timeframe in which to make withdrawals, as reported by the South China Morning Post. Qin Qisheng realized that cash withdrawals made close to midnight were not recorded by the bank's systems in 2016, and in the same year, began systematically abusing the glitch. Qin wrote a number of scripts which, once implanted in the bank's software, allowed him to probe the loophole without raising suspicion. It appears these tests were successful as the software chief then made withdrawals for over a year of between $740 and $2,965, the publication says. The money had to come from somewhere, and so Qin used a "dummy account" established by the bank for testing purposes. In total, Chinese law enforcement says that the former manager was able to steal over seven million yuan, equivalent to roughly $1 million. Huaxia Bank eventually uncovered the scheme, which Qin attempted to explain away as "internal security tests." When it came to the money, the software manager said the funds were simply "resting" in his own account but were due to be returned to the bank. The financial institution accepted his explanation and fixed the problem, but law enforcement didn't and arrested him for theft in December 2018. Qin was given a jail term of ten and a half years, and on appeal, the sentence was upheld.

'You Need To Be Very, Very Cautious': US Warns European Allies Not To Use Chinese Gear For 5G Networks

Tue, 02/05/2019 - 12:10
The United States sees the European Union as its top priority in a global effort to convince allies not to buy Huawei equipment for next-generation mobile networks, a U.S. State Department Official said on Tuesday. From a report: After meetings with the European Commission and the Belgian government in Brussels, U.S. officials are set to take a message to other European capitals that the world's biggest telecommunications gear maker poses a security risk, said the official, who declined to be named. "We are saying you need to be very, very cautious and we are urging folks not to rush ahead and sign contracts with untrusted suppliers from countries like China," the official said. The United States fears China could use the equipment for espionage -- a concern that Huawei Technologies says is unfounded. The push to sideline Huawei in Europe, one of its biggest markets, is likely to deepen trade frictions between Washington and Beijing.

Chrome Can Tell You if Your Passwords Have Been Compromised

Tue, 02/05/2019 - 08:10
An anonymous reader shares a report: Given the frequency of hacks and data leaks these days, chances are good at least one of your passwords has been released to the wild. A new Chrome extension released by Google today makes it a little easier to stay on top of that: Once installed, Password Checkup will simply sit in your Chrome browser and alert you if you enter a username / password combination that Google "knows to be unsafe." The company says it has a database of 4 billion credentials that have been compromised in various data breaches that it can check against. When the extension detects an insecure password, it'll prompt you with a big red dialog box to immediately update your info. It's handy, but users might wonder exactly what Google can see -- to that end, Google says that the extension "never reveal[s] this personal information."

Teenager Who Found FaceTime Bug Will Be Eligible For Bug Bounty Program

Tue, 02/05/2019 - 02:00
Grant Thompson, the teenager who reported the FaceTime bug last week, will be eligible for the Apple bug bounty program. "Apple's bug bounty system is typically invite-only and limited to specific categories of security flaws, like accessing iCloud account data or demonstrating ways for iPhone apps to escape the security sandbox of iOS," reports 9to5Mac. "It appears the company is making an exception here given the embarrassingly public nature of the case, although further details about the reward have yet to be discussed." From the report: The FaceTime bug that made waves as a result of 9to5Mac's coverage last week was actually first reported to Apple by Grant Thompson and his mother in Arizona a week earlier. However, deficiencies in the Apple bug reporting process meant that the report was not acted upon by the company. Instead, the teenager made headlines when his mother shared their Apple communications on Twitter. Their claims were later proved to be legitimate. Around January 22, Apple Support directed them to file a Radar bug report, which meant the mother had to first register a developer account as an ordinary customer. Even after following the indicated steps, it does not appear that Apple's product or engineering teams were aware of the problem until its viral explosion a week later. CNBC reports that an unnamed "high-level Apple executive" met with the Thompsons at their home in Tucson, Arizona on Friday. They apparently discussed how Apple could improve its bug reporting process and indicated that Grant would be eligible for the Apple bug bounty program.

Digital Exchange Loses $137 Million As Founder Takes Passwords To the Grave

Mon, 02/04/2019 - 15:10
A cryptocurrency exchange in Canada has lost control of at least $137 million of its customers' assets following the sudden death of its founder, who was the only person known to have access to the offline wallet that stored the digital coins. British Columbia-based QuadrigaCX is unable to access most or all of another $53 million because it's tied up in disputes with third parties. Ars Technica reports: The dramatic misstep was reported in a sworn affidavit that was obtained by CoinDesk. The affidavit was filed Thursday by Jennifer Robertson, widow of QuadrigaCX's sole director and officer Gerry Cotten. Robertson testified that Cotten died of Crohn's disease in India in December at the age of 30. Following standard security practices by many holders of cryptocurrency, QuadrigaCX stored the vast majority of its cryptocurrency holdings in a "cold wallet," meaning a digital wallet that wasn't connected to the Internet. The measure is designed to prevent hacks that regularly drain hot wallets of millions of dollars. Thursday's court filing, however, demonstrates that cold wallets are by no means a surefire way to secure digital coins. Robertson testified that Cotten stored the cold wallet on an encrypted laptop that only he could decrypt. Based on company records, she said the cold wallet stored $180 million in Canadian dollars ($137 million in US dollars), all of which is currently inaccessible to QuadrigaCX and more than 100,000 customers. "The laptop computer from which Gerry carried out the Companies' business is encrypted, and I do not know the password or recovery key," Robertson wrote. "Despite repeated and diligent searches, I have not been able to find them written down anywhere." The mismanaged cold wallet is only one of the problems besieging QuadrigaCX. Differences with at least three third-party partners has tied up most or all of an additional $53 million in assets. 
Making matters worse, many QuadrigaCX customers continued to make automatic transfers into the service following Cotten's death. On Monday, the site became inaccessible with little explanation, except for this status update, which was later taken down. On Thursday, QuadrigaCX said it would file for creditor protection as it worked to regain control of its assets. As of Thursday, the site had 115,000 customers with outstanding balances.

Nest Secure Has an Unlisted, Disabled Microphone

Mon, 02/04/2019 - 13:55
An anonymous reader quotes a report from Android Authority: Owners of the Nest Secure alarm system have been able to use voice commands to control their home security through Google Assistant for a while now. However, to issue those commands, they needed a separate Google Assistant-powered device, like a smartphone or a Google Home smart speaker. The reason for this limitation has always seemed straightforward: according to the official tech specs, there's no onboard microphone in the Nest Secure system. However, Google just informed us that it is right now rolling out Assistant functionality to all Nest Secure devices via a software update. That's right: if you currently own a Nest Secure, you will be able to use it as a Google Home very soon. That means somewhere in the Nest Guard -- the keypad base station of the Nest Secure -- there might be a microphone we didn't know existed. Either that or your voice commands are going to be heard by another product (like your phone, maybe) but Assistant's output will now come from the Nest Guard, if you happen to be in the range of that device. UPDATE: Google has issued a statement to Android Authority confirming the built-in microphone in the Nest Guard base system that's not listed on the official spec sheet at Nest's site. The microphone has been in an inactive state since the release of the Nest Secure, Google says. This unlisted mic is how the Nest Guard will be able to operate as a pseudo-Google Home with just a software update.

Mozilla Halts Rollout of Firefox 65 on Windows Platform After Antivirus Issue

Mon, 02/04/2019 - 06:41
Mozilla has halted the rollout of the v65 update to the Firefox browser on the Windows platform after learning about an issue with certain antivirus products. Users of Firefox 65, an update which was released last week, reported seeing "Your connection is not secure" error warnings when visiting popular sites. From a report: The issue mostly affected Firefox 65 users running AVG or Avast antivirus. The message appeared when users visited an HTTPS website and stated the 'Certificate is not trusted because the issuer is unknown' and that 'The server might not be sending the inappropriate intermediate certificates'. The problem, reported on Mozilla's bug report page and first spotted by Techdows, is due to the HTTPS-filtering feature in Avast and AVG antivirus. Avast owns AVG. The bug prevented users from visiting any HTTPS site with Firefox 65. To limit the impact on users, Mozilla decided to temporarily halt all automatic updates on Windows. In the meantime, Avast released a new virus engine update that completely disabled Firefox HTTPS filtering in Avast and AVG products. HTTPS filtering remains enabled on other browsers.

Linux Kernel Gets Another Option To Disable Spectre Mitigations

Sun, 02/03/2019 - 07:58
Despite being more than one year old, the Meltdown and Spectre vulnerabilities have remained a theoretical threat, and no malware strain or threat actor has ever used any in a real-world attack. Over the course of the last year, system and network administrators have called on the Linux project for options to disable these protections. A report adds: Many argued that the threat is theoretical and could easily be mitigated with proper perimeter defenses, in some scenarios. Even Linus Torvalds has called for a slowdown in the deployment of some performance-hitting Spectre mitigations. The Linux kernel team has reacted positively towards these requests and has been slowly adding controls to disable some of the more problematic mitigations. [...] The latest effort to have mitigations turned off -- and stay off -- is the addition of the PR_SPEC_DISABLE_NOEXEC control bit to the Linux kernel. This bit will prevent child processes from starting in a state where the protections for Spectre v4 are still activated, despite being deactivated in the parent process.

FBI Confiscates Six Drones Near Super Bowl Stadium

Sat, 02/02/2019 - 18:35
The FBI confiscated six drones in Atlanta for flying too close to the football stadium where the Super Bowl will be played Sunday, Reuters reports: Drone flight was prohibited on Saturday and from 10 a.m. until 5:30 p.m. EST on Sunday for one nautical mile (2 km) around the Mercedes-Benz Stadium and up to an altitude of 1,000 feet (305 meters), the Federal Aviation Administration said. The FAA will establish a temporary flight restriction that prohibits drones within a 30-nautical-mile radius of the stadium and up to 17,999 feet in altitude from 5:30 p.m. to 11:59 p.m. EST on Sunday, the agency said... Drones "are a big concern," said Nick Annan, Homeland Security Investigations special agent in charge. "There are a few other things that are in place to mitigate drones," he added without elaborating. Operators who send drones into restricted areas around the Mercedes-Benz Stadium could face more than $20,000 in civil penalties and criminal prosecution, according to the FAA. Drone pilots are advised to check the FAA's B4UFly app to see when and where they can fly -- and the aviation agency has also produced a slick 20-second video "encouraging Super Bowl fans to bring their lucky jerseys, face paint and team spirit to the game -- but leave their drones at home -- because the stadium and the area around it is a No Drone Zone."

The Kremlin's Remote-Access Credentials Left Thousands Of Businesses Exposed For Years

Sat, 02/02/2019 - 07:34
A Dutch security researcher says he found credentials for the Russian government's backdoor account for accessing servers of businesses operating in Russia, ZDNet reports: The researcher says that after his initial finding, he later found the same "admin@kremlin.ru" account on over 2,000 other MongoDB databases that had been left exposed online, all belonging to local and foreign businesses operating in Russia. Examples include databases belonging to local banks, financial institutions, big telcos, and even Disney Russia.... "The first time I saw these credentials was in the user table of a Russian Lotto website," Victor Gevers told ZDNet in an interview Monday. "I had to do some digging to understand that the Kremlin requires remote access to systems that handle financial transactions.... "All the systems this password was on were already fully accessible to anyone," Gevers said. "The MongoDB databases were deployed with default settings. So anyone without authentication had CRUD [Create, Read, Update and Delete] access." "It took a lot of time and also many attempts to contact and warn the Kremlin about this issue," the researcher added -- specifically, three years, five months and 15 days. The Kremlin reused the same credentials "everywhere," reports IT News, "leaving a large number of businesses open to access from the internet." Long-time Slashdot reader Bismillah calls it "an illustration of the dangers of giving governments backdoors into systems and networks."

Google Play Apps With Over 4.3 Million Downloads Stole Pics, Pushed Porn Ads

Fri, 02/01/2019 - 17:30
Google has banned dozens of Android apps downloaded millions of times from the official Play Store after researchers discovered they were being used to display phishing and scam ads or perform other malicious acts. Ars Technica reports: A blog post published by security firm Trend Micro listed 29 camera- or photo-related apps, with the top 11 of them fetching 100,000 to 1 million downloads each. One crop of apps caused browsers to display full-screen ads when users unlocked their devices. Clicking the pop-up ads in some cases caused a paid online pornography player to be downloaded, although it was incapable of playing content. The apps were carefully designed to conceal their malicious capabilities. The apps also hid their icons from the Android app list. That made it hard for users to uninstall the apps, since there was no icon to drag and delete. The apps also used compression archives known as packers to make it harder for researchers -- or presumably, tools Google might use to weed out malicious apps -- to analyze the wares. Trend Micro researchers discovered another batch of apps that falsely promised to allow users to "beautify" their pictures by uploading them to a designated server. Instead of delivering an edited photo, however, the server provided a picture with a fake update prompt in nine different languages. The apps made it possible for the developers to collect the uploaded photos, possibly for use in fake profile pics or for other malicious purposes. The developers took pains to prevent users from detecting what was happening. "The remote server used by these apps is encoded with BASE64 twice in the code," Wu wrote. "In addition, several of these apps can also hide themselves via the same hidden technique mentioned above."

NERC Fines Utilities $10 Million Citing Serious Cyber Risk, But Won't Name Them

Fri, 02/01/2019 - 15:30
chicksdaddy shares a report from The Security Ledger: The North American Electric Reliability Corp. (NERC) imposed its stiffest fine to date for violations of Critical Infrastructure Protection (CIP) cybersecurity regulations. But who violated the standards and much of what the agency found remains secret. In a heavily redacted 250-page regulatory filing, NERC fined undisclosed companies belonging to a so-called "Regional Entity" $10 million for 127 violations of the Critical Infrastructure Protection standards, the U.S.'s main cyber security standard for critical infrastructure including the electric grid. Thirteen of the violations listed were rated as a "serious risk" to the operation of the Bulk Power System and 62 were rated a "moderate risk." Together, the "collective risk of the 127 violations posed a serious risk to the reliability of the (Bulk Power System)," NERC wrote. The fines come as the U.S. intelligence community is warning Congress of the growing risk of cyber attacks on the U.S. electric grid. In testimony this week, Director of National Intelligence Dan Coats specifically called out Russia's use of cyber attacks to cause social disruptions, citing that country's campaign against Ukraine's electric infrastructure in 2015 and 2016. The extensively redacted document provides no information on which companies were fined or where they are located, citing the risk of cyber attack should their identity be known. Regional Entities account for virtually all of the electricity supplied in the U.S. They are made up of investor-owned utilities; federal power agencies; rural electric cooperatives; state, municipal, and provincial utilities; independent power producers; power marketers; and end-use customers. However, details in the report provide some insight into the fines. 
For example, violations of a CIP statute that requires companies to "manage electronic access to (Bulk Electric System) Cyber Systems by specifying a controlled Electronic Security Perimeter" are rated a serious risk. So too are violations of CIP requirements calling for covered entities to "implement and document" access controls for "all electronic access points to the Electronic Security Perimeter(s)." Specific requirements that were violated suggest that the companies failed to implement access controls that "denies access by default," "enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter," and ensure the authenticity of parties attempting to remotely access the company's "electronic security perimeter."

Apple Will Store Russian User Data Locally, Possibly Decrypt on Request: Report

Fri, 02/01/2019 - 12:05
After resisting local government's mandates for years, Apple appears to have agreed to store Russian citizens' data within the country, a report says. From a report: According to a Foreign Policy report, Russia's telecommunications and media agency Roskomnadzor has confirmed that Apple will comply with the local data storage law, which appears to have major implications for the company's privacy initiatives. Apple's obligations in Russia would at least parallel ones in China, which required it turn over Chinese citizens' iCloud data to a partially government-operated data center last year. In addition to processing and storing Russian citizens' data on servers physically within Russia, Apple will apparently need to decrypt and produce user data for the country's security services as requested.

Firefox Will Soon Warn Users of Software That Performs MitM Attacks

Fri, 02/01/2019 - 08:15
The Firefox browser will soon come with a new security feature that will detect and then warn users when a third-party app is performing a Man-in-the-Middle (MitM) attack by hijacking the user's HTTPS traffic. From a report: The new feature is expected to land in Firefox 66, Firefox's current beta version, scheduled for an official release in mid-March. The way this feature works is to show a visual error page when, according to a Mozilla help page, "something on your system or network is intercepting your connection and injecting certificates in a way that is not trusted by Firefox." An error message that reads "MOZILLA_PKIX_ERROR_MITM_DETECTED" will be shown whenever something like the above happens.

Apple Says It Will Fix The FaceTime Bug That Allows You To Access Someone's iPhone Camera And Microphone Before They Pick Up

Fri, 02/01/2019 - 07:40
Apple said Friday morning that it had a fix for a bug discovered in Apple's video and audio chat service FaceTime this week, which had allowed callers to access the microphone and front-facing video camera of the person they were calling, even if that person hadn't picked up. The security issue is fixed on its servers, the company said, but the iPhone software update to re-enable the feature for users won't be rolled out until next week. From a report: "We have fixed the Group FaceTime security bug on Apple's servers and we will issue a software update to re-enable the feature for users next week," Apple said in an emailed statement to BuzzFeed News. "We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone's patience as we complete this process."

H-1B Visa Lottery Will Now Favor Masters, Doctorate Degree Holders

Thu, 01/31/2019 - 16:30
McGruber shares a report from The San Francisco Chronicle: The Department of Homeland Security announced a rule change Wednesday that will transform the lottery that decides who gets the 85,000 H-1B visas granted to for-profit companies every year. Previously, an initial lottery granted 20,000 visas only to those holding advanced degrees granted by U.S. institutions -- master's degrees or doctorates -- and then a general lottery granted 65,000 visas to all qualified applicants. The Department of Homeland Security switched the order of these lotteries, it said in a notice of the final rule change, which will bolster the odds for highly educated foreign nationals. The change reduces the likelihood that people with just a bachelor's degree will win in the general lottery, said Lisa Spiegel, an attorney at Duane Morris in San Francisco and head of the firm's immigration group. The program shift could hurt technology staffing companies, also known as outsourcers, who have a reputation for flooding the lottery with applications. Three Indian firms -- Tata Consultancy Services, Infosys and Wipro -- often account for a majority of the H-1B applications, an analysis of government data shows.

Hacker Spoke To Baby and Hurled Obscenities At Couple Using Nest Camera, Dad Says

Thu, 01/31/2019 - 15:50
pgmrdlm shares a report from CBS News: An Illinois couple said a hacker spoke to their baby through one of their Nest security cameras and then later hurled obscenities at them, CBS station WBBM-TV reports. Arjun Sud told the station he was outside his 7-month-old son's room Sunday outside Chicago and he heard someone talking. "I was shocked to hear a deep, manly voice talking," Sud said. "My blood ran cold." Sud told WBBM-TV he thought the voice was coming over the baby monitor by accident. But it returned when he and his wife were downstairs. The voice was coming from another of the many Nest cameras throughout the couple's Lake Barrington house. "Asking me, you know, why I'm looking at him -- because he saw obviously that I was looking back -- and continuing to taunt me," Sud said. Later that night, Arjun Sud noticed the Nest thermostat they have upstairs had been raised to 90 degrees. He suspected the hacker was behind that too. Nest's parent company, Google, said in a statement that Nest's system was not breached. Google said the recent incidents stem from customers "using compromised passwords exposed through breaches on other websites."

Prisons Across the US Are Quietly Building Databases of Incarcerated People's Voice Prints

Thu, 01/31/2019 - 13:10
In New York and other states across the country, authorities are acquiring technology to extract and digitize the voices of incarcerated people into unique biometric signatures, known as voice prints. From a report: Prison authorities have quietly enrolled hundreds of thousands of incarcerated people's voice prints into large-scale biometric databases. Computer algorithms then draw on these databases to identify the voices taking part in a call and to search for other calls in which the voices of interest are detected. Some programs, like New York's, even analyze the voices of call recipients outside prisons to track which outsiders speak to multiple prisoners regularly. Corrections officials representing the states of Texas, Florida, and Arkansas, along with Arizona's Yavapai and Pinal counties; Alachua County, Florida; and Travis County, Texas, also confirmed that they are actively using voice recognition technology today. And a review of contracting documents identified other jurisdictions that have acquired similar voice-print capture capabilities: Connecticut and Georgia state corrections officials have signed contracts for the technology. Authorities and prison technology companies say this mass biometric surveillance supports prison security and fraud prevention efforts. But civil liberties advocates argue that the biometric buildup has been neither transparent nor consensual. Some jurisdictions, for example, limit incarcerated people's phone access if they refuse to enroll in the voice recognition system, while others enroll incarcerated people without their knowledge. Once the data exists, they note, it could potentially be used by other agencies, without any say from the public.

Many Windows 10 Users Unable To Connect To Windows Update Service

Thu, 01/31/2019 - 12:00
For the past two days, some Windows 10 users from around the world have been reporting that they are unable to connect to Windows Update. When they attempt to do so, Windows 10 will complain that it is unable to connect to the update service. From a report: We first learned about this problem yesterday when our member Opera contacted us stating that they, and many others, were having issues connecting to Windows Update. When they tried updating, Windows would report that it could not connect to the update service. The wording of the error, shown below, indicates that this is an Internet connectivity issue, but others are not so sure. "We couldn't connect to the update service. We'll try again later, or you can check now. If it still doesn't work, make sure you're connected to the Internet" Unfortunately, there is no clear-cut answer as to what is causing this issue; some feel it is related to a botched Windows Defender update and others state that this could be a DNS issue.

Criminals Are Tapping Into the Phone Network Backbone to Empty Bank Accounts

Thu, 01/31/2019 - 10:20
Sophisticated hackers have long exploited flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world. Those who exploit SS7 can potentially track phones across the other side of the planet, and intercept text messages and phone calls without hacking the phone itself. From a report: This activity was typically only within reach of intelligence agencies or surveillance contractors, but now Motherboard has confirmed that this capability is much more widely available in the hands of financially-driven cybercriminal groups, who are using it to empty bank accounts. So-called SS7 attacks against banks are, although still relatively rare, much more prevalent than previously reported. Motherboard has identified a specific bank -- the UK's Metro Bank -- that fell victim to such an attack. The news highlights the gaping holes in the world's telecommunications infrastructure that the telco industry has known about for years despite ongoing attacks from criminals. The National Cyber Security Centre (NCSC), the defensive arm of the UK's signals intelligence agency GCHQ, confirmed that SS7 is being used to intercept codes used for banking. "We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA)," the NCSC told Motherboard in a statement. "Some of our clients in the banking industry or other financial services; they see more and more SS7-based [requests]," Karsten Nohl, a researcher from Security Research Labs who has worked on SS7 for years, told Motherboard in a phone call. "All of a sudden you have someone's text messages."