Slashdot security articles

Syndicate content Slashdot: Generated for TarPitt (217247)
News for nerds, stuff that matters: Generated for TarPitt (217247)
Updated: 5 hours 29 min ago

Node.js Event-Stream Hack Reveals Open Source 'Developer Infrastructure' Exploit

Sat, 12/01/2018 - 14:18
"[O]n Nov. 26 it was publicly revealed that a widely deployed open-source Node.js programming language module known as event-stream had been injected with malicious code that looked to steal cryptocurrency wallets," reports eWeek, adding "The event-stream library has over two million downloads." An anonymous reader quotes Ars Technica: The backdoor came to light [November 20th] with this report from Github user Ayrton Sparling. Officials with the NPM, the open source project manager that hosted event-stream, didn't issue an advisory until six days later.... "This compromise was not targeting module developers in general or really even developers," an NPM official told Ars in an email. "It targeted a select few developers at a company, Copay, that had a very specific development environment set up. Even then, the payload itself didn't run on those developers' computers; rather, it would be packaged into a consumer-facing app when the developers built a release. The goal was to steal Bitcoin from this application's end users...." According to the Github discussion that exposed the backdoor, the longtime event-stream developer no longer had time to provide updates. So several months ago, he accepted the help of an unknown developer. The new developer took care to keep the backdoor from being discovered. Besides being gradually implemented in stages, it also narrowly targeted only the Copay wallet app. The malicious code was also hard to spot because the flatmap-stream module was encrypted. The attack is the latest to exploit weaknesses in a widely used supply chain to target downstream end users... The supply-chain attacks show one of the weaknesses of open source code. Because of its openness and the lack of funds of many of its hobbyist developers and users, open source code can be subject to malicious modifications that often escape notice. "The time has come," concludes Ars Technica, "for maintainers and users of open source software to devise new measures to better police the millions of packages being used all around us." Sophos' security blog also asks why so many developers "immediately and blindly trusted the new maintainer," and shared a concerned comment from developer named Chris Northwood. "Nothing's stopping this happening again, and it's terrifying."

Is Linux Taking Over The World?

Sat, 12/01/2018 - 12:41
"2019 just might be the Year of Linux -- the year in which Linux is fully recognized as the powerhouse it has become," writes Network World's "Unix dweeb." The fact is that most people today are using Linux without ever knowing it -- whether on their phones, online when using Google, Facebook, Twitter, GPS devices, and maybe even in their cars, or when using cloud storage for personal or business use. While the presence of Linux on all of these systems may go largely unnoticed by consumers, the role that Linux plays in this market is a sign of how critical it has become. Most IoT and embedded devices -- those small, limited functionality devices that require good security and a small footprint and fill so many niches in our technology-driven lives -- run some variety of Linux, and this isn't likely to change. Instead, we'll just be seeing more devices and a continued reliance on open source to drive them. According to the Cloud Industry Forum, for the first time, businesses are spending more on cloud than on internal infrastructure. The cloud is taking over the role that data centers used to play, and it's largely Linux that's making the transition so advantageous. Even on Microsoft's Azure, the most popular operating system is Linux. In its first Voice of the Enterprise survey, 451 Research predicted that 60 percent of nearly 1,000 IT leaders surveyed plan to run the majority of their IT off premises by 2019. That equates to a lot of IT efforts relying on Linux. Gartner states that 80 percent of internally developed software is now either cloud-enabled or cloud-native. The article also cites Linux's use in AI, data lakes, and in the Sierra supercomputer that monitors America's nuclear stockpile, concluding that "In its domination of IoT, cloud technology, supercomputing and AI, Linux is heading into 2019 with a lot of momentum." And there's even a long list of upcoming Linux conferences...

Lenovo Finally Pays $7.3 M Fine Over Invasive 2014 'Superfish' Adware Pre-Installations

Sat, 12/01/2018 - 10:34
Leonovo will add $7.3 million into a $1M fund settling a class action lawsuit over their undisclosed pre-installation of Superfish's targeting adware on 28 different laptop models in 2014. Within one year the U.S. Department of Homeland Security had warned that the adware made laptops vulnerable to SSL spoofing, allowing the reading of encrypted web traffic and the redirecting of traffic from official websites to spoofs, while according to Bloomberg the original software itself also "could access customer Social Security numbers, financial data, and sensitive heath information, the court said." An anonymous reader quotes Softpedia: According to a "SuperFish Vulnerability" advisory published by Lenovo on their support website following the discovery of the pre-installed software by consumers, the VisualDiscovery comparison search engine software was designed to work in the background, intercepting HTTP(S) traffic with the help of a self-signed root certificate that allowed it to decrypt and monitor all traffic, encrypted or not.... "VisualDiscovery was installed on nearly 800,000 Lenovo laptops sold in the United States between September 1, 2014 and February 28, 2015," also states the settlement agreement. "On January 18, 2015, in response to mounting complaints about the effects of VisualDiscovery, Lenovo instructed Superfish to turn it off at the server level...." Out of the 800,000 who bought the laptops that came with VisualDiscovery pre-installed, the 500,000 ones who registered their devices with Lenovo or bought them from retailers such as Best Buy and Amazon will be contacted directly by the Chinese company and informed about the settlement agreement. The rest of the customers who cannot be reached straightaway will be targeted by Lenovo using multiple online advertising platforms, from Google to Twitter and Facebook. A separate settlement with the FTC in 2017 was criticized for its failure to fine Lenovo -- though it did require the company to get affirmative consent for any future adware programs, plus regular third-party audits of its bundled software for the next 20 years.

Researchers Are Proposing a New Way To Generate Street Addresses by Extracting Roads From Satellite Images

Fri, 11/30/2018 - 14:15
An estimated 4 billion people in the world lack a physical address. Researchers at the MIT Media Lab and Facebook are now proposing a new way to address the unaddressed: with machine learning. From a report: The team first trained a deep-learning algorithm to extract the road pixels from satellite images. Another algorithm connected the pixels together into a road network. The system analyzed the density and shape of the roads to segment the network into different communities, and the densest cluster was labeled as the city center. The regions around the city center were divided into north, south, east, and west quadrants, and streets were numbered and lettered according to their orientation and distance from the center. When they compared their final results with a random sample of unmapped regions whose streets had been labeled manually, their approach successfully addressed more than 80% of the populated areas, improving coverage compared with Google Maps or OpenStreetMaps. This isn't the only way to automate the creation of addresses. The organization what3words generates a unique three-word combination for every 3-by-3-meter square on a global grid. The scheme has already been adopted in regions of South Africa, Turkey, and Mongolia by national package delivery services, local hospitals, and regional security teams. But Ilke Demir, a researcher at Facebook and one of the creators of the new system, says its main advantage is that it follows existing road topology and helps residents understand how two addresses relate to one another.

Trump Admin Takes First Steps To Overhaul H-1B Visa That Tech Companies Use To Hire Internationally

Fri, 11/30/2018 - 13:37
President Donald Trump's immigration authorities are moving to enact broad changes to a visa that allows American companies to bring international workers to the country. From a report: On Friday, U.S. Citizenship and Immigration Services and the Department of Homeland Security released a proposed rule that takes the first steps toward overhauling the H-1B visa. The new rule would prioritize applications for workers with advanced degrees from American universities. The policy would also change the application process companies go through when they want to secure H-1B visas for foreign talent. Instead of completing a petition for the new employee, companies would register for free online to enter what's been described as the "H-1B lottery." Immigration law caps the number of regular H-1B visas that can be awarded each year at 65,000. An additional 20,000 may be awarded to workers with master's degrees and PhDs. Under the new system, USCIS would review all applications, including those for workers with advanced degrees, during a registration period before the actual petitions are filed.

Marriott Says 500 million Starwood Guest Records Stolen in Massive Data Breach

Fri, 11/30/2018 - 06:50
An anonymous reader writes: Starwood Hotels has confirmed its hotel guest database of about 500 million customers has been stolen in a data breach. The hotel and resorts giant said in a statement filed with U.S. regulators that the "unauthorized access" to its guest database was detected on or before September 10 -- but may have dated back as far as 2014. "Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014," said the statement. "Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it." Specific details of the breach remain unknown. We've contacted Starwood for more and will update when we hear back. The company said hat it obtained and decrypted the database on November 19 and "determined that the contents were from the Starwood guest reservation database." Some 327 million records contained a guest's name, postal address, phone number, date of birth, gender, email address, passport number, Starwood's rewards information (including points and balance), arrival and departure information, reservation date, and their communication preferences.

Google Shut Out Privacy, Security Teams From Secret China Project

Thu, 11/29/2018 - 19:30
An anonymous reader quotes a report from The Intercept about Google's secretive plans to build a censor version of its search engine for China: The objective, code-named Dragonfly, was to build a search engine for China that would censor broad categories of information about human rights, democracy, and peaceful protest. Yonatan Zunger, then a 14-year veteran of Google and one of the leading engineers at the company, was among a small group who had been asked to work on Dragonfly. He was present at some of the early meetings and said he pointed out to executives managing the project that Chinese people could be at risk of interrogation or detention if they were found to have used Google to seek out information banned by the government. Scott Beaumont, Google's head of operations in China and one of the key architects of Dragonfly, did not view Zunger's concerns as significant enough to merit a change of course, according to four people who worked on the project. Beaumont and other executives then shut out members of the company's security and privacy team from key meetings about the search engine, the four people said, and tried to sideline a privacy review of the plan that sought to address potential human rights abuses. Google's leadership considered Dragonfly so sensitive that they would often communicate only verbally about it and would not take written notes during high-level meetings to reduce the paper trail, two sources said. Only a few hundred of Google's 88,000 workforce were briefed about the censorship plan. Some engineers and other staff who were informed about the project were told that they risked losing their jobs if they dared to discuss it with colleagues who were themselves not working on Dragonfly.

Democrats Demand Info On Law Enforcement's Use of Amazon Facial Recognition Tool

Thu, 11/29/2018 - 16:10
An anonymous reader quotes a report from The Hill: A group of Democratic lawmakers sent a letter to Amazon CEO Jeff Bezos on Thursday saying that the company's previous explanations to Congress about its Rekognition software were inadequate. Democratic lawmakers expressed concern about the potential threat the technology poses to civil liberties in the hands of police. "Facial recognition technology may one day serve as a useful tool for law enforcement officials working to protect the American public and keep us safe," the letter reads. "However, at this time, we have serious concerns that this type of product has significant accuracy issues, places disproportionate burdens on communities of color, and could stifle Americans' willingness to exercise their First Amendment rights in public." In the letter on Thursday, the Democratic members requested that Amazon provide them with results from accuracy tests of the Rekognition software. They also asked again for information on their government clients and if they audited law enforcement's use of facial recognition to ensure that its not being employed in violation of civil rights law. "Customer trust, privacy, and security are our top priorities at AWS," Michael Punke, Amazon's vice president for global public policy, wrote in response. "We have long been committed to working with federal and state legislatures to modernize outdated laws to enhance the privacy and security of our customers by preventing law enforcement from accessing data without a warrant."

US iOS Users Targeted by Massive Malvertising Campaign

Thu, 11/29/2018 - 12:50
A cyber-criminal group known as ScamClub has hijacked over 300 million browser sessions over 48 hours to redirect users to adult and gift card scams, a cyber-security firm revealed this week. From a report: The traffic hijacking has taken place via a tactic known as malvertising, which consists of placing malicious code inside online ads. In this particular case, the code used by the ScamClub group hijacked a user's browsing session from a legitimate site, where the ad was showing, and redirected victims through a long chain of temporary websites, a redirection chain that eventually ended up on a website pushing an adult-themed site or a gift card scam. These types of malvertising campaigns have been going on for years, but this particular campaign stood out due to its massive scale, experts from cyber-security firm Confiant told ZDNet today. "On November 12 we've seen a huge spike in our telemetry," Jerome Dang, Confiant co-founder and CTO, told ZDNet in an email. Dangu says his company worked to investigate the huge malvertising spike and discovered ScamClub activity going back to August this year.

Mass Router Hack Exposes Millions of Devices To Potent NSA Exploit

Thu, 11/29/2018 - 10:50
More than 45,000 Internet routers have been compromised by a newly discovered campaign that's designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers say. From a report: The new attack exploits routers with vulnerable implementations of Universal Plug and Play to force connected devices to open ports 139 and 445, content delivery network Akamai said in a blog post. As a result, almost 2 million computers, phones, and other network devices connected to the routers are reachable to the Internet on those ports. While Internet scans don't reveal precisely what happens to the connected devices once they're exposed, Akamai said the ports --which are instrumental for the spread of EternalBlue and its Linux cousin EternalRed -- provide a strong hint of the attackers' intentions. The attacks are a new instance of a mass exploit the same researchers documented in April. They called it UPnProxy because it exploits Universal Plug and Play -- often abbreviated as UPnP -- to turn vulnerable routers into proxies that disguise the origins of spam, DDoSes, and botnets.

I've Got a Bridge To Sell You. Why AutoCAD Malware Keeps Chugging On

Thu, 11/29/2018 - 09:25
Criminal hackers continue to exploit a feature in Autodesk's widely used AutoCAD program in an attempt to steal valuable computer-assisted designs for bridges, factory buildings, and other projects, researchers say. From a report: The attacks arrive in spear-phishing emails and in some cases postal packages that contain design documents and plans. Included in the same directory are camouflaged files formatted in AutoLISP, an AutoCAD-specific dialect of the LISP programming language. When targets open the design document, they may inadvertently cause the AutoLISP file to be executed. While modern versions of AutoCAD by default display a warning that a potentially unsafe script will run, the warnings can be disregarded or suppressed altogether. To make the files less conspicuous, the attackers have set their properties to be hidden in Windows and their contents to be encrypted. The attacks aren't new. Similar ones occurred as long ago as 2005, before AutoCAD provided the same set of robust defenses against targeted malware it does now. The attacks continued to go strong in 2009. A specific campaign recently spotted by security firm Forcepoint was active as recently as this year and has been active since at least 2014, an indication that malware targeting blueprints isn't going away any time soon. [...] Forcepoint said it has tracked more than 200 data sets and about 40 unique malicious modules, including one that purported to include a design for Hong Kong's Zhuhai-Macau Bridge.

Bloomberg is Still Reporting on Challenged Story Regarding China Hardware Hack

Thu, 11/29/2018 - 08:50
Erik Wemple, writing for The Washington Post: According to informed sources, Bloomberg has continued reporting the blockbuster story that it broke on Oct. 4, including a very recent round of inquiries from a Bloomberg News/Bloomberg Businessweek investigative reporter. In emails to employees at Apple, Bloomberg's Ben Elgin has requested "discreet" input on the alleged hack. "My colleagues' story from last month (Super Micro) has sparked a lot of pushback," Elgin wrote on Nov. 19 to one Apple employee. "I've been asked to join the research effort here to do more digging on this ... and I would value hearing your thoughts (whatever they may be) and guidance, as I get my bearings." One person who spoke with Elgin told the Erik Wemple Blog that the Bloomberg reporter made clear that he wasn't part of the reporting team that produced "The Big Hack." The goal of this effort, Elgin told the potential source, was to get to "ground truth"; if Elgin heard from 10 or so sources that "The Big Hack" was itself a piece of hackery, he would send that message up his chain of command. The potential source told Elgin that the denials of "The Big Hack" were "100 percent right." According to the potential source, Elgin also asked about the possibility that Peter Ziatek, senior director of information security at Apple, had written a report regarding a hardware hack affecting Apple. In an interview with the Erik Wemple Blog, Ziatek says that he'd never written that report, nor is he aware of such a document. Following the publication of Bloomberg's story, Apple conducted what it calls a "secondary" investigation surrounding its awareness of events along the lines of what was alleged in "The Big Hack." That investigation included a full pat-down of Ziatek's own electronic communications. It found nothing to corroborate the claims in the Bloomberg story, according to Ziatek.

DOJ Made Secret Arguments To Break Crypto, Now ACLU Wants To Make Them Public

Thu, 11/29/2018 - 05:00
An anonymous reader quotes a report from Ars Technica: Earlier this year, a federal judge in Fresno, California, denied prosecutors' efforts to compel Facebook to help it wiretap Messenger voice calls. But the precise legal arguments that the government made, and that the judge ultimately rejected, are still sealed. On Wednesday, the American Civil Liberties Union formally asked the judge to unseal court dockets and related rulings associated with this ongoing case involving alleged MS-13 gang members. ACLU lawyers argue that such a little-charted area of the law must be made public so that tech companies and the public can fully know what's going on. In their new filing, ACLU lawyers pointed out that "neither the government's legal arguments nor the judge's legal basis for rejecting the government motion has ever been made public." The attorneys continued, citing a "strong public interest in knowing which law has been interpreted" and referencing an op-ed published on Ars on October 2 as an example. The ACLU argued that the case is reminiscent of the so-called "FBI v. Apple" legal showdown -- whose docket and related filings were public -- where the government made novel arguments in an attempt to crack the encryption on a seized iPhone. Those legal questions were never resolved, as the government said the day before a scheduled hearing that it had found a company to assist in its efforts. "Moreover, the sealing of the docket sheet in this case impermissibly prevents the public from knowing anything about the actions of both the judiciary and the executive in navigating a novel legal issue, which has the potential to reoccur in the future," the ACLU's attorneys continued. "The case involves the executive branch's attempt to force a private corporation to break the encryption and other security mechanisms on a product relied upon by the public to have private conversations. The government is not just seeking information held by a third party; rather, it appears to be attempting to get this Court to force a communications platform to redesign its product to thwart efforts to secure communications between users."

Justice Department Indicts Two Iranians Over SamSam Ransomware Attacks

Wed, 11/28/2018 - 17:25
Two Iranian officials have been indicted by U.S. federal prosecutors for creating and deploying the notorious SamSam ransomware, which exploits a deserialization vulnerability in Java-based servers. TechCrunch reports: Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, were indicted by a federal grand jury in New Jersey on Monday on several counts of computer hacking and fraud charges. The case was unsealed Wednesday, shortly before a press conference announcing the charges by U.S. deputy attorney general Rod Rosenstein. In total, SamSam has generated some $6 million in proceeds to date -- or 1,430 bitcoin at today's value. In a separate announcement, the Treasury said it had imposed sanctions against two bitcoin addresses associated with the ransomware. The department said the two addresses processed more than 7,000 transactions used to collect ransom demands from victims. "The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims," said Rosenstein. "According to the indictment, the hackers infiltrated computer systems in ten states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims." One of the victims was the City of Atlanta, which was knocked offline earlier this year and spent a projected $2.6 million in recovery. "It was later discovered that the city's computers had long been vulnerable to leaked exploits developed by the National Security Agency -- later stolen and leaked online for anyone to use," reports TechCrunch.

Dell Says It Detected A Security Breach Earlier This Month, But Financial Data Was Not Exposed

Wed, 11/28/2018 - 16:03
An anonymous reader quotes writes: "Hardware giant Dell announced today a security breach that took place earlier this month, on November 9," reports ZDNet. "Dell says it detected an unauthorized intruder (or intruders) 'attempting to extract customer information' from its systems, such as customer names, email addresses, and hashed passwords." These are accounts used for shopping on the official website and the official support forums. "Though it is possible some of this information was removed from Dell's network, our investigations found no conclusive evidence that any was extracted," the company said in a press release, also adding that hackers didn't target payment card or any other sensitive customer information. After it detected the breach, Dell initiated a password reset for all customer accounts. The company also said it notified law enforcement and hired a digital forensics firm to perform an independent investigation.

Microsoft Warns Of Two Apps That Installed Root Certificates Then Leaked the Private Keys

Wed, 11/28/2018 - 07:20
Catalin Cimpanu, reporting for ZDNet: Microsoft has issued a security advisory this week warning that two applications accidentally installed two root certificates on users' computers, and then leaked the private keys for all. The software developer's mistake means that malicious third-parties can extract the private keys from the two applications and use them to issue forged certificates to spoof legitimate websites and software publishers for years to come. The two applications are HeadSetup and HeadSetup Pro, both developed by German audio hardware company Sennheiser. The software is used to set up and manage softphones -- software apps for making telephone calls via the Internet and a computer, without needing an actual physical telephone. The issue with the two HeadSetup apps came to light earlier this year when German cyber-security firm Secorvo found that versions 7.3, 7.4, and 8.0 installed two root Certification Authority (CA) certificates into the Windows Trusted Root Certificate Store of users' computers but also included the private keys for all in the SennComCCKey.pem file.

Uber Fined Nearly $1.2 Million By Dutch, UK Over 2016 Data Breach

Tue, 11/27/2018 - 17:40
British and Dutch authorities fined Uber a combined $1.17 million for a 2016 data breach that exposed the personal details of millions of customers. "The U.K.'s Information Commissioner's Office (ICO) announced a $491,284 fine against the ride-sharing company for 'failing to protect customers' personal information during a cyber attack' in October and November of 2016," reports CNBC. "The Dutch Data Protection Authority imposed its own $679,257 penalty for the same incident." From the report: The 2016 cyberattack allowed hackers to access the personal details, including full names, email addresses and phone numbers, of 2.7 million Uber customers in the U.K. and 174,000 in the Netherlands, authorities said. The U.K.'s ICO said the cyberattack represented a "serious breach" of the country's Data Protection Act of 1998 by exposing customers and drivers to increased risk of fraud. The Dutch regulator said it was fining Uber because it did not report the breach within the country's mandated 72-hour window. In September, Uber agreed to pay $148 million to settle claims related to the 2016 data breach to states across the U.S. and Washington, D.C. In a statement Tuesday, an Uber spokesperson said the company is "pleased to close this chapter on the data incident from 2016."

Urban Massage Data Breach Exposed Sensitive Comments On Its Creepy Clients

Tue, 11/27/2018 - 16:20
An anonymous reader shares a report from TechCrunch: Urban Massage, a popular massage startup that bills itself as providing "wellness that comes to you," has leaked its entire customer database. The London, U.K.-based startup -- now known as just Urban -- left its Google-hosted ElasticSearch database online without a password, allowing anyone to read hundreds of thousands of customer and staff records. Anyone who knew where to look could access, edit or delete the database. It's not known how long the database was exposed or if anyone else had accessed or obtained the database before it was pulled. It's believed that the database was exposed for at least a few weeks. Urban pulled the database offline after TechCrunch reached out. Among the records included thousands of complaints from workers about their clients. The records included specific complaints -- from account blocks for fraudulent behavior, abuse of the referral system and persistent cancelers. But, many records also included allegations of sexual misconduct by clients -- such as asking for "massage in genital area" and requesting "sexual services from therapist." Others were marked as "dangerous," while others were blocked due to "police enquiries." Each complaint included a customer's personally identifiable information -- including their name, address and postcode and phone number.

Google To Open Project Fi To iPhone, Samsung, and OnePlus

Tue, 11/27/2018 - 15:00
Google's Project Fi mobile service will reportedly be adding support for Samsung, OnePlus, and iPhones. "More handsets from existing Fi partners LG and Motorola will also gain Fi support," reports The Verge. "The iPhone experience is apparently 'in beta,' which is a sign that users might run into bugs or be left without some of Fi's features." From the report: The lineup of "Fi-ready" compatible phones -- those that Google says have been fully optimized for the network -- is fairly short: Google is currently selling the Pixel 3, 3 XL, 2 XL, LG G7, LG V35, Moto G6, and Moto X4 (Android One edition) directly through its Project Fi website. And although Google is apparently about to widen support and officially allow more devices onto Fi, those "Fi-friendly" phones will still offer the best overall user experience for subscribers, according to the report. It's not yet entirely clear what that means, but we should know more once Google makes a proper announcement. Either way, adding that pool of popular hardware will allow for many more consumers to give the service a shot and see if the pricing model and performance are preferable over Fi's larger competitors.

'General Motors, Sears and Toys R Us: Layoffs Across America Highlight Our Shredding Financial Safety Net'

Tue, 11/27/2018 - 08:47
New submitter Bruce Henry shares a story: Today's aging workforce faces an uncertain future. The announcement this week that General Motors will lay off 15 percent of its salaried workforce and shutter multiple plants in North America was a sobering reminder of how far the American worker has fallen. Unlike most large private sector corporations today, thousands of employees at GM still enjoy some union benefits. The company has reportedly set aside $2 billion for layoffs and buyouts. It's not much, but it's something -- many workers, if they are laid off en masse, will be far less lucky. Some older Americans are lucky enough to have been grandfathered into generous pension plans and others hope social security and personal savings will be enough to sustain themselves. But for millions of younger people, the outlook is bleaker -- an ever-diminishing social safety net, with retirement dependent almost entirely on how well they manage savings. Two-thirds of millennials have nothing saved for retirement. The private sector pension as we once knew it is all but dead. Public sector pensions, meanwhile, are under attack at the state level. "Companies don't offer pensions anymore. Social security, when it was established, was meant to be one leg of a stool," says Gerald Friedman, an economist at the University of Massachusetts at Amherst. "One leg would be the private pension through employment, a second leg personal savings, and a third leg social security. Social security is now the only source of income of a lot elderly have." What, if anything, are our politicians doing about this? Progressives rail against President Donald Trump, but real retirement security has not been a big enough part of the conversation on either side of the political spectrum. Millions of Americans are in danger of entering their final decades unable to afford ballooning medical bills and cost-of-living expenses. This is a huge problem, and one that liberals in particular should have capitalized on this election cycle.