Slashdot security articles


An Ex-NSA Hacker Who Has Organized the First-Ever Mac Security Conference

Fri, 09/28/2018 - 18:20
Motherboard's Lorenzo Franceschi-Bicchierai spoke with Patrick Wardle, the ex-NSA hacker who is organizing a security conference dedicated exclusively to Macs. Despite Apple's famous mid-2000s claim that Macs don't get "PC viruses," Mac computers do in fact have bugs, vulnerabilities, and even malware targeted at them. From the report: "People are peeking behind the curtain and realizing that the facade of Mac security is not always what it's cracked up to be," Wardle told Motherboard in a phone interview. "Any company that designs software is going to have issues -- but Apple has perfected the art of a flawless public facade that masks many security issues." Wardle would know. After hacking primarily Windows computers at Fort Meade, Wardle has spent the last few years finding issues in macOS, so many that he considers himself a "thorn" in Apple's side. But his conference is not an exercise in shaming or finger-pointing; Wardle said he hopes to educate people about Mac security, especially now that so many companies use Macs as their corporate computers. The conference is called Objective By the Sea, a play on Objective-See, the name of Wardle's suite of free Mac security tools (itself a play on Apple's main programming language, Objective-C). It will be held in Maui, Hawaii on November 3 and 4. The conference will be free for residents of Hawaii and for patrons of Objective-See, which is why, Wardle said, he can't afford to pay for all speakers to attend; even so, he had no trouble finding people who wanted to participate. One group that doesn't want to come to Maui, at least for now, is Apple. Wardle said he reached out to the company, essentially offering it carte blanche to talk about whatever it wanted, but so far, according to him, the company has not responded.

Facebook Faces Class-Action Lawsuit Over Massive New Hack

Fri, 09/28/2018 - 16:20
Following the revelations this morning that a hacker exploited a security flaw in a popular Facebook feature to steal the account credentials of as many as 50 million users, a class-action lawsuit has been filed on behalf of one California resident, Carla Echavarria, and one Virginia resident, Derick Walker. "Both allege that Facebook's lack of proper security has exposed them and additional potential class members to a significantly increased chance of identity theft as a result of the breach," reports The Verge. From the report: The lawsuit was filed today in U.S. District Court for the Northern District of California. The complaint alleges Facebook is guilty of unlawful business practices, deceit by concealment, negligence, and violations of California's Customer Records Act. The plaintiffs want statutory damages and penalties awarded to them and other class members, as well as the provision of credit monitoring services, punitive damages, and the coverage of attorneys' fees and expenses. Although Facebook says it has fixed the issue that resulted in the breach, it still has little to no information to provide on who is behind the attack or when the attack even occurred. As it stands, in addition to this new lawsuit, Facebook is facing pressure from the New York State Attorney General Barbara Underwood, who announced on Twitter this afternoon that, "We're looking into Facebook's massive data breach. New Yorkers deserve to know that their information will be protected." Federal Trade Commissioner Rohit Chopra had a terse public reaction, releasing a simple three-line tweet reading, "I want answers." In addition to Underwood and Chopra, Sen. Mark R. Warner (D-VA) released a statement describing the hack as "deeply concerning" and calling for a full investigation.

iPhone XS Passcode Bypass Hack Exposes Contacts, Photos

Fri, 09/28/2018 - 14:20
secwatcher shares a report from Threatpost: A passcode bypass vulnerability in Apple's new iOS version 12 could allow an attacker to access photos and contacts (including phone numbers and emails) on a locked iPhone. The hack allows someone with physical access to a vulnerable iPhone to sidestep the passcode authorization screen on iPhones running Apple's latest iOS 12 beta and iOS 12 operating systems. Threatpost was tipped off to the bypass by Jose Rodriguez, who describes himself as an Apple enthusiast and "office clerk" based in Spain who has also found previous iPhone hacks. Rodriguez posted a video of the bypass on his YouTube channel under the YouTube account Videosdebarraquito, where he walks viewers through a complicated 37-step bypass process in Spanish. Threatpost has independently confirmed that the bypass works on a number of different iPhone models including Apple's newest model iPhone XS. The process involves tricking Siri and Apple's accessibility feature in iOS called VoiceOver to sidestep the device's passcode. The attack works provided the attacker has physical access to a device that has Siri enabled and Face ID either turned off or physically covered (by tape, for instance).

Python is a Hit With Hackers, Report Finds

Fri, 09/28/2018 - 11:35
After breaking into the top three most popular programming languages for the first time this month, behind C and Java, Python has also won the hearts of hackers and web nasties, according to attack statistics published this week by web security biz Imperva. From a report: The company says more than a third of daily attacks against sites the company protects come from a malicious or legitimate tool coded in Python. Imperva says that around 77 percent of all the sites the company protects have been attacked by at least one Python-based tool. Furthermore, when the company looked at the list of tools that hackers used for their attacks, more than a quarter were coded in Python, making it by far the attackers' favorite tool language. "Hackers, like developers, enjoy Python's advantages which makes it a popular hacking tool," the Imperva team says.

Facebook Says it Has Discovered 'Security Issue' Affecting Nearly 50 Million Accounts, Investigation in Early Stages

Fri, 09/28/2018 - 09:20
Facebook shared the following security announcement Friday: On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We're taking this incredibly seriously and wanted to let everyone know what's happened and the immediate action we've taken to protect people's security. Our investigation is still in its early stages. But it's clear that attackers exploited a vulnerability in Facebook's code that impacted "View As", a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people's accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app. Here is the action we have already taken. First, we've fixed the vulnerability and informed law enforcement. Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We're also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a "View As" look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened. Third, we're temporarily turning off the "View As" feature while we conduct a thorough security review. The company added it has yet to determine whether these impacted accounts were misused or any information was accessed. Senator Mark Warner has issued a stern reprimand to Facebook over the security incident revelation today. "This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I've said before -- the era of the Wild West in social media is over," he wrote.

Hacker Proclaims He'll Live-Stream an Attempt To Delete Mark Zuckerberg's Facebook Page This Sunday

Fri, 09/28/2018 - 06:05
An indie Taiwanese hacker has proclaimed he'll broadcast an attempt to wipe out Mark Zuckerberg's Facebook page this Sunday -- live. From a report: Self-professed bug bounty-hunter Chang Chi-yuan, who ferrets out software flaws in return for cash, says he'll live-stream an endeavor to delete the billionaire's account at 6 p.m. local time from his own Facebook page. He didn't get into details or respond to an online query. "Broadcasting the deletion of FB founder Zuck's account," the lanky youngster, who turns 24 this year based on past interviews, told his 26,000-plus followers on Facebook this week. "Scheduled to go live." Cyber-enthusiasts from India to the U.S. routinely expose loopholes in corporate websites and software, earning small financial rewards. It's unusual however for so-called white-hat hackers to do so in real time. Chang, a minor celebrity at home who's gone on talk shows to discuss his exploits, was reportedly sued by a local bus operator after infiltrating their systems and buying a ticket for just NT$1 (3 cents). He's published a gamut of claims -- none of which could be independently verified -- including attacks on Apple and Tesla. And his Facebook account was listed among eight "special contributors" in Line's 2016 bug-hunters' hall of fame. Update: He has backpedalled on the claim.

Delta's Fully Biometric Terminal Is the First In the US

Fri, 09/28/2018 - 02:00
In what Delta is calling the first "biometric terminal" in the country, the airline will reportedly use facial recognition at check-in, security and boarding inside the international terminal at Atlanta's Hartsfield-Jackson airport. Engadget reports: Passengers that want to use facial recognition can approach a kiosk in the lobby and click "Look," or approach a camera at the ticket counter, TSA checkpoint or when boarding. Once a green check mark flashes on the screen, they can proceed. Delta -- which plans to bring fingerprint scanning into the fold, too -- says passengers can use this system instead of their passports to get through these checkpoints, but you'll still need your passport for use in other non-biometric-equipped airports (although maybe one day we'll do away with passports altogether). Privacy advocates are concerned about the security risks present in facial scans, especially as it's an opt-out process. Others, however, say it makes air travel a more streamlined process.

Face Scanning In US Airports Is Rife With Technical Problems

Thu, 09/27/2018 - 16:20
Homeland Security's Inspector General has issued a report warning that its airport face scanning system is struggling with "technical and operational challenges." The report says that Customs and Border Protection "could only use the technology with 85 percent of passengers due to staff shortages, network problems and hastened boarding times during flight delays," reports Engadget. "The system did catch 1,300 people overstaying their allowed time in the U.S., but it might have caught more -- and there were problems 'consistently' matching people from specific age groups and countries." From the report: The watchdog also pointed out uncertainty about help from airlines, such as requiring them to buy the cameras needed for taking passengers' photos. That represents a "significant point of failure" for the face scanning system, the Inspector General said. As a result, the oversight body warned that Homeland Security might not make its target of having the face scanning system completely ready for use in the top 20 US airports by 2021.

Alphabet Launches VirusTotal Enterprise

Thu, 09/27/2018 - 15:00
Google today launched a new set of services for enterprise customers of VirusTotal, a website that lets users test suspicious files and URLs against an aggregate of multiple antivirus scanning engines at the same time. From a report: This collection of new tools is part of the new VirusTotal Enterprise service, which Google described as "the most significant upgrade in VirusTotal's 14-year history." As the name implies, this new service is specifically aimed at enterprise customers and is an expansion of VirusTotal's current Premium Services. Google says VirusTotal Enterprise combines existing VirusTotal capabilities with new functionality, such as improved threat detection and a faster search system that uses a brand new interface unifying capabilities in VirusTotal's free and paid sites. "VirusTotal Enterprise allows users to search for malware samples (using VT Intelligence), hunt for future malware samples (using VT Hunt with YARA), analyze malware relationships (using VT Graph), and automate all these tasks with our API," Google said.

Apple's Device Enrollment Program Can Leak Sensitive Data About Devices, Owners

Thu, 09/27/2018 - 14:20
Mark Wilson shares a report from BetaNews: Security researchers have discovered an issue with the Device Enrollment Program used by Apple to allow organizations to manage their MacBooks and iPhones. Duo Security says that using nothing more than a serial number, it is possible to gain access to sensitive data about enrolled devices and their owners. It is even possible to enroll new devices that can then access Wi-Fi passwords, VPN configurations and more. Apple was alerted to the issue way back in May, but has not done anything about it as the company does not regard it as a vulnerability. James Barclay from Duo Security and Rich Smith from Duo Labs share their findings in a paper entitled MDM Me Maybe: Device Enrollment Program Security. They point out that there are various easy ways to obtain devices' serial numbers, and that the researchers have also been able to create a simple serial generator that can be used to search for information. In regard to the serial generator, Smith told CNET: "While we aren't releasing the code, I'm not going to pretend to be under the impression that this is something that can't be reproduced. It would not be difficult for someone to replicate the code that we've developed."

Mobile Websites Can Tap Into Your Phone's Sensors Without Asking

Thu, 09/27/2018 - 11:30
When apps want to access data from your smartphone's motion or light sensors, they often make that capability clear. That keeps a fitness app, say, from counting your steps without your knowledge. But a team of researchers has discovered that the rules don't apply to websites loaded in mobile browsers, which can often access an array of device sensors without any notifications or permissions whatsoever. From a report: That mobile browsers offer developers access to sensors isn't necessarily problematic on its own. It's what helps those services automatically adjust their layout, for example, when you switch your phone's orientation. And the World Wide Web Consortium standards body has codified how web applications can access sensor data. But the researchers -- Anupam Das of North Carolina State University, Gunes Acar of Princeton University, Nikita Borisov of the University of Illinois at Urbana-Champaign, and Amogh Pradeep of Northeastern University -- found that the standards allow for unfettered access to certain sensors. And sites are using it. The researchers found that of the top 100,000 sites -- as ranked by Amazon-owned analytics company Alexa -- 3,695 incorporate scripts that tap into one or more of these accessible mobile sensors. That includes plenty of big names, including Wayfair, Priceline.com, and Kayak.

Voting Machine Used in Half of US Is Vulnerable to Attack, Report Finds

Thu, 09/27/2018 - 10:20
Election machines used in more than half of U.S. states carry a flaw disclosed more than a decade ago that makes them vulnerable to a cyberattack, WSJ reported, citing a report which will be made public Thursday on Capitol Hill. From the report: The issue was found in the widely used Model 650 high-speed ballot-counting machine made by Election Systems & Software LLC, the nation's leading manufacturer of election equipment. It is one of about seven security problems in several models of voting equipment described in the report, which is based on research conducted last month at the Def Con hacker conference. The flaw in the ES&S machine stood out because it was detailed in a security report commissioned by Ohio's secretary of state in 2007, said Harri Hursti, an election-security researcher who co-wrote both the Ohio and Def Con reports. "There has been more than plenty of time to fix it," he said. While the Model 650 is still being sold on the ES&S website, a company spokeswoman said it stopped manufacturing the systems in 2008. The machine doesn't have the advanced security features of more-modern systems, but ES&S believes "the security protections on the M650 are strong enough to make it extraordinarily difficult to hack in a real world environment," the spokeswoman said via email. The machines process paper ballots and can therefore be reliably audited, she said. The Def Con report is the latest warning from researchers, academics and government officials who say election systems in the U.S. are at risk of tampering.