Slashdot security articles

Syndicate content Slashdot: Generated for TarPitt (217247)
News for nerds, stuff that matters: Generated for TarPitt (217247)
Updated: 18 hours 58 min ago

Teenager Who Found FaceTime Bug Will Be Eligible For Bug Bounty Program

Tue, 02/05/2019 - 02:00
Grant Thompson, the teenager that reported the FaceTime bug last week, will be eligible for the Apple bug bounty program. "Apple's bug bounty system is typically invite-only and limited to specific categories of security flaws, like accessing iCloud account data or demonstrating ways for iPhone apps to escape the security sandbox of iOS," reports 9to5Mac. "It appears the company is making an exception here given the embarrassingly public nature of the case, although further details about the reward have yet to be discussed." From the report: The FaceTime bug that made waves as result of 9to5Mac's coverage last week was actually first reported to Apple by Grant Thompson and his mother in Arizona a week earlier. However, deficiencies in the Apple bug reporting process meant that the report was not acted upon by the company. Instead, the teenager made headlines when his mother shared their Apple communications on Twitter. Their claims were later proved to be legitimate. Around January 22, Apple Support directed them to file a Radar bug report, which meant the mother had to first register a developer account as an ordinary customer. Even after following the indicated steps, it does not appear that Apple's product or engineering teams were aware of the problem until its viral explosion a week later. CNBC reports that an unnamed "high-level Apple executive" met with the Thompsons at their home in Tucson, Arizona on Friday. They apparently discussed how Apple could improve its bug reporting process and indicated that Grant would be eligible for the Apple bug bounty program.

Digital Exchange Loses $137 Million As Founder Takes Passwords To the Grave

Mon, 02/04/2019 - 15:10
A cryptocurrency exchange in Canada has lost control of at least $137 million of its customers' assets following the sudden death of its founder, who was the only person known to have access to the offline wallet that stored the digital coins. British Columbia-based QuadrigaCX is unable to access most or all of another $53 million because it's tied up in disputes with third parties. Ars Technica reports: The dramatic misstep was reported in a sworn affidavit that was obtained by CoinDesk. The affidavit was filed Thursday by Jennifer Robertson, widow of QuadrigaCX's sole director and officer Gerry Cotten. Robertson testified that Cotten died of Crohn's disease in India in December at the age of 30. Following standard security practices by many holders of cryptocurrency, QuadrigaCX stored the vast majority of its cryptocurrency holdings in a "cold wallet," meaning a digital wallet that wasn't connected to the Internet. The measure is designed to prevent hacks that regularly drain hot wallets of millions of dollars. Thursday's court filing, however, demonstrates that cold wallets are by no means a surefire way to secure digital coins. Robertson testified that Cotten stored the cold wallet on an encrypted laptop that only he could decrypt. Based on company records, she said the cold wallet stored $180 million in Canadian dollars ($137 million in US dollars), all of which is currently inaccessible to QuadrigaCX and more than 100,000 customers. "The laptop computer from which Gerry carried out the Companies' business is encrypted, and I do not know the password or recovery key," Robertson wrote. "Despite repeated and diligent searches, I have not been able to find them written down anywhere." The mismanaged cold wallet is only one of the problems besieging QuadrigaCX. Differences with at least three third-party partners has tied up most or all of an additional $53 million in assets. Making matters worse, many QuadrigaCX customers continued to make automatic transfers into the service following Cotten's death. On Monday, the site became inaccessible with little explanation, except for this status update, which was later taken down. On Thursday, QuadrigaCX said it would file for creditor protection as it worked to regain control of its assets. As of Thursday, the site had 115,000 customers with outstanding balances.

Nest Secure Has an Unlisted, Disabled Microphone

Mon, 02/04/2019 - 13:55
An anonymous reader quotes a report from Android Authority: Owners of the Nest Secure alarm system have been able to use voice commands to control their home security through Google Assistant for a while now. However, to issue those commands, they needed a separate Google Assistant-powered device, like a smartphone or a Google Home smart speaker. The reason for this limitation has always seemed straightforward: according to the official tech specs, there's no onboard microphone in the Nest Secure system. However, Google just informed us that it is right now rolling out Assistant functionality to all Nest Secure devices via a software update. That's right: if you currently own a Nest Secure, you will be able to use it as a Google Home very soon. That means somewhere in the Nest Guard -- the keypad base station of the Nest Secure -- there might be a microphone we didn't know existed. Either that or your voice commands are going to be heard by another product (like your phone, maybe) but Assistant's output will now come from the Nest Guard, if you happen to be in the range of that device. UPDATE: Google has issued a statement to Android Authority confirming the built-in microphone in the Nest Guard base system that's not listed on the official spec sheet at Nest's site. The microphone has been in an inactive state since the release of the Nest Secure, Google says. This unlisted mic is how the Nest Guard will be able to operate as a pseudo-Google Home with just a software update.

Mozilla Halts Rollout of Firefox 65 on Windows Platform After Antivirus Issue

Mon, 02/04/2019 - 06:41
Mozilla has halted the rollout of v65 update to Firefox browser on Windows platform after learning about an issue with certain antivirus products. Users of Firefox 65, an update which was released last week, reported seeing "Your connection is not secure" error warnings when visiting popular sites. From a report: The issue mostly affected Firefox 65 users running AVG or Avast antivirus. The message appeared when users visited an HTTPS website and stated the 'Certificate is not trusted because the issuer is unknown' and that 'The server might not be sending the inappropriate intermediate certificates'. The problem, reported on Mozilla's bug report page and first spotted by Techdows, is due to the HTTPS-filtering feature in Avast and AVG antivirus. Avast owns AVG. The bug prevented users from visiting any HTTPS site with Firefox 65. To limit the impact on users, Mozilla decided to temporarily halt all automatic updates on Windows. In the meantime, Avast, which owns AVG, released a new virus engine update that completely disabled Firefox HTTPS filtering in Avast and AVG products. HTTPS filtering remains enabled on other browsers.

Linux Kernel Gets Another Option To Disable Spectre Mitigations

Sun, 02/03/2019 - 07:58
Despite being more than one year old, the Meltdown or Spectre vulnerabilities have remained a theoretical threat, and no malware strain or threat actor has ever used any in a real-world attack. Over the course of the last year, system and network administrators have called on the Linux project for options to disable these protections. A report adds: Many argued that the threat is theoretical and could easily be mitigated with proper perimeter defenses, in some scenarios. Even Linus Torvalds has called for a slowdown in the deployment of some performance-hitting Spectre mitigations. The Linux kernel team has reacted positively towards these requests and has been slowly adding controls to disable some of the more problematic mitigations. [...] The latest effort to have mitigations turned off -- and stay down -- is the addition of the PR_SPEC_DISABLE_NOEXEC control bit to the Linux kernel. This bit will prevent child processes from starting in a state where the protections for Spectre v4 are still activated, despite being deactivated in the parent process.