Slashdot security articles


Iran Extends Social Media Crackdown With Move To Bar Instagram

Wed, 01/02/2019 - 15:30
An anonymous reader quotes a report from Bloomberg: Authorities in Iran are preparing to block access to Instagram, extending their crackdown on social media to the only major platform still freely available. The National Cyberspace Council approved steps toward blocking the service, Javad Javidnia, deputy for cyberspace affairs at the public prosecutor's office, was cited as saying by the semi-official Donya-e Eqtesad newspaper. Instagram would join Twitter, Facebook, YouTube and Telegram in being banned in the Islamic Republic, ostensibly for reasons of national security. Despite the restrictions, Iranians including Supreme Leader Ali Khamenei, President Hassan Rouhani and Foreign Minister Mohammad Javad Zarif continue to use the services, which are widely accessible via proxy servers. Rouhani's verified Twitter account has over 800,000 followers. Javidnia said efforts to filter Instagram hadn't worked. While judicial and political officials involved were yet to reach a consensus on barring the site, the prosecutor can take a unilateral decision to do so, he said.

USB Type-C Authentication Program Launched

Wed, 01/02/2019 - 12:51
With the arrival of USB-C a few years back, plugging into laptops, tablets and smartphones became even easier than before. But there are potential security risks. The USB Type-C Authentication Program launched today aims to address such issues. From a report: The new protocol from the USB Implementers Forum (USB-IF) can be used to validate the authenticity of a cable, charger or hardware at the moment of connection, and stop attacks in their tracks. The USB-IF has chosen DigiCert to operate registrations and certificate authority services for the new specification, which makes use of 128-bit cryptographic-based authentication for certificate format, digital signing, hash and random number generation. "USB Type-C Authentication gives OEMs the opportunity to use certificates that enable host systems to confirm the authenticity of a USB device or USB charger, including such product aspects as the descriptors, capabilities and certification status," said DigiCert in a press release. "This protects against potential damage from non-compliant USB chargers and the risks from maliciously embedded hardware or software in devices attempting to exploit a USB connection."
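The mechanism the report describes, a certificate check plus a signed challenge at the moment of connection, is easiest to see in code. The following Go program is an added illustration written for this page, not code from the USB-IF, DigiCert or any product: a host issues a random nonce, the device answers with its certificate and an ECDSA P-256/SHA-256 signature (the 128-bit security level the report mentions), and the host checks the certificate against its trust anchor before checking the signature against the nonce it issued. The example root, the product name, the single-certificate chain (the real specification carries a chain up to the USB-IF root) and the exact bytes that are signed (nonce concatenated with the certificate) are assumptions of this example, not the specification's message format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Device is the side being authenticated (charger, cable, peripheral). The
// spec keeps the key in tamper-resistant silicon; here it is in memory.
type Device struct {
	key  *ecdsa.PrivateKey
	Leaf []byte // DER certificate issued under the trusted root
}

func template(serial int64, name string, ca bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
	}
}

// NewCA creates a self-signed ECDSA P-256 root. It stands in for the USB-IF
// root provisioned by the certificate authority operator (an example root only).
func NewCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := template(1, name, true, x509.KeyUsageCertSign)
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Issue has the CA sign a leaf certificate for one (hypothetical) product.
func Issue(caKey *ecdsa.PrivateKey, ca *x509.Certificate, product string) (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := template(2, product, false, x509.KeyUsageDigitalSignature)
	der, err := x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey)
	return &Device{key: key, Leaf: der}, err
}

// Challenge returns a fresh 32-byte nonce. The host must never reuse one: the
// signature is bound to it, which is what defeats replay of a recorded response.
func Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// authDigest binds the nonce to the certificate being claimed (assumed layout).
func authDigest(nonce, leafDER []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, nonce...), leafDER...))
	return sum[:]
}

// Respond signs the challenge with the product's private key (ECDSA-SHA256).
func (d *Device) Respond(nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.key, authDigest(nonce, d.Leaf))
}

// Verify is the host side: chain the presented certificate to a trusted root,
// then check the signature over the nonce this host issued. It returns the
// product name for the host's power/data policy; any error means untrusted.
func Verify(roots *x509.CertPool, nonce, leafDER, sig []byte) (string, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P256() {
		return "", fmt.Errorf("leaf key is not ECDSA P-256")
	}
	// Proof of possession: only the certified private key can sign this nonce.
	if !ecdsa.VerifyASN1(pub, authDigest(nonce, leafDER), sig) {
		return "", fmt.Errorf("bad signature: wrong key or replayed response")
	}
	return leaf.Subject.CommonName, nil
}
```

Two properties worth checking in any implementation of this pattern are visible in Verify: a certificate that does not chain to a trusted root is rejected before any signature arithmetic, and a signature recorded from a genuine product fails under a fresh nonce, so a counterfeit cannot replay it. Note also what the protocol does not do: it establishes which certified product is attached, it does not inspect what that product's firmware does, so the host still needs a policy (for example, limited power and no data until authentication succeeds) behind the verdict.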

Mozilla Thunderbird Outlines Plans For 2019: Addressing UI Lags, Performance Issues; Improved 3rd-Party Email Integration, Encryption Usability

Wed, 01/02/2019 - 08:05
For years, Mozilla has largely neglected development of Thunderbird, an email client it owns. But the company, which grew its team to eight staff last year, says it plans to address most of the issues that users have complained about and to add six more people to the Thunderbird staff this year. In a blog post on Wednesday, the company said: Our hires are already addressing technical debt and doing a fair bit of plumbing when it comes to Thunderbird's codebase. Our new hires will also be addressing UI-slowness and general performance issues across the application. This is an area where I think we will see some of the best improvements in Thunderbird for 2019, as we look into methods for testing and measuring slowness -- and then put our engineers on architecting solutions to these pain points. Beyond that, we will be looking into leveraging new, faster technologies in rewriting parts of Thunderbird as well as working toward a multi-process Thunderbird. [...] For instance, one area of usability that we are planning on addressing in 2019 is integration improvements in various areas. One of those is better Gmail support, as one of the biggest email providers it makes sense to focus some resources on this area. We are looking at addressing Gmail label support and ensuring that other features specific to the Gmail experience translate well into Thunderbird. We are looking at improving notifications in Thunderbird, by better integrating with each operating system's built-in notification system. By working on this feature Thunderbird will feel more "native" on each desktop and will make managing notifications from the app easier. The UX/UI around encryption and settings will get an overhaul in the coming year, whether or not all this work makes it into the next release is an open question -- but as we grow our team this will be a focus. It is our hope to make encrypting Email and ensuring your private communication easier in upcoming releases, we've even hired an engineer who will be focused primarily on security and privacy.

The Commerce Department is Considering National Security Restrictions on AI

Wed, 01/02/2019 - 07:31
An anonymous reader shares a report: A common belief among tech industry insiders is that Silicon Valley has dominated the internet because much of the worldwide network was designed and built by Americans. Now a growing number of those insiders are worried that proposed export restrictions could short-circuit the pre-eminence of American companies in the next big thing to hit their industry, artificial intelligence. In November, the Commerce Department released a list of technologies, including artificial intelligence, that are under consideration for new export rules because of their importance to national security. Technology experts worry that blocking the export of A.I. to other countries, or tying it up in red tape, will help A.I. industries flourish in those nations -- China, in particular -- and compete with American companies. "The number of cases where exports can be sufficiently controlled are very, very, very small, and the chance of making an error is quite large," said Jack Clark, head of policy at OpenAI, an artificial intelligence lab in San Francisco. "If this goes wrong, it could do real damage to the A.I. community." The export controls are being considered as the United States and China engage in a trade war. The Trump administration has been critical of the way China negotiates deals with American companies, often requiring the transfer of technology to Chinese partners as the cost of doing business in the country. And federal officials are making an aggressive argument that China has stolen American technology through hacking and industrial espionage.

Popular App Weather Forecast Collects Too Much User Data and is Attempting To Subscribe Some Users To Paid Services Without Permission

Wed, 01/02/2019 - 06:00
A popular weather app built by a Chinese tech conglomerate has been collecting an unusual amount of data from smartphones around the world and attempting to subscribe some users to paid services without permission, according to a London-based security firm's research. From a report: The free app, one of the world's most-downloaded weather apps in Google's Play store, is from TCL Communication Technology Holdings, of Shenzhen, China. TCL makes Alcatel- and BlackBerry-branded phones, while a sister company makes televisions. The app, called "Weather Forecast -- World Weather Accurate Radar," collects data including smartphone users' geographic locations, email addresses and unique 15-digit International Mobile Equipment Identity (IMEI) numbers on TCL servers in China, according to Upstream Systems, the mobile commerce and security firm that found the activity. Until last month, the app was known as "Weather -- Simple weather forecast." The weather app also has attempted to surreptitiously subscribe more than 100,000 users of its low-cost Alcatel smartphones in countries such as Brazil, Malaysia and Nigeria to paid virtual-reality services, according to Upstream Systems. The security firm, which discovered the activity as part of its work for mobile operators, said users would have been billed more than $1.5 million had it not blocked the attempts.

First-Ever UEFI Rootkit Tied To Sednit APT

Tue, 01/01/2019 - 15:05
Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks. From a report: The discussion of Sednit was part of the 35C3 conference, and a session given by Frederic Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall [PDF]. During his session, Vachon said that finding a rootkit targeting a system's UEFI is significant, given that rootkit malware programs can survive on the motherboard's flash memory, giving it both persistence and stealth. "UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level," he said. The rootkit is named LoJax. The name is a nod to the underlying code, which is a modified version of Absolute Software's LoJack recovery software for laptops. The purpose of the legitimate LoJack software is to help victims of a stolen laptop be able to access their PC without tipping off the bad guys who stole it. It hides on a system's UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.

Hackers Make a Fake Hand to Beat Vein Authentication

Mon, 12/31/2018 - 21:30
Devices and security systems are increasingly using biometric authentication to let users in and keep hackers out, be that fingerprint sensors or perhaps the iPhone's FaceID. Another method is so-called 'vein authentication,' which, as the name implies, involves a computer scanning the shape, size, and position of a user's veins under the skin of their hand. But hackers have found a workaround for that, too. From a report: On Thursday at the annual Chaos Communication Congress hacking conference in Leipzig, Germany, security researchers described how they created a fake hand out of wax to fool a vein sensor. "It makes you feel uneasy that the process is praised as a high-security system and then you modify a camera, take some cheap materials and hack it," Jan Krissler, who goes by the handle starbug, and who researched the vein authentication system along with Julian Albrecht, told Motherboard over email in German. Vein authentication works with systems that compare the placement of a user's veins under their skin to a copy on record. According to a recent report from German news wire DPA, the BND, Germany's signals intelligence agency, uses vein authentication in its new headquarters building in Berlin. One attraction of a vein based system over, say, a more traditional fingerprint system is that it may be typically harder for an attacker to learn how a user's veins are positioned under their skin, rather than lifting a fingerprint from a held object or high quality photograph, for example. But with that said, Krissler and Albrecht first took photos of their vein patterns. They used a converted SLR camera with the infrared filter removed; this allowed them to see the pattern of the veins under the skin.

Severn Bridge, a Main Route Between England and Wales, Shuts as Drone Flown From Tower

Mon, 12/31/2018 - 10:01
A main route between England and Wales was closed after a man climbed a bridge and flew a drone from the top. An anonymous reader shares a report: Traffic was stopped on the M48 -- the older of two Severn crossings -- because of "concern for welfare," police said. The man, in his 20s, came down voluntarily from the 47m (154ft) bridge tower and was arrested on suspicion of causing a public nuisance. Highways England said it was deeply concerned and that "a person has put their life at serious risk". "The incident was quickly spotted on our security cameras and reported to police and thankfully there was no injury or worse on this occasion," it said. "Appropriate security is in place on the bridge, we are liaising with Avon and Somerset Police and will be undertaking investigations to determine if any damage was caused during the incident." Police said: "Officers attended the M48 Severn Bridge at 08:10 this morning after concerns were raised for a man who appeared to have climbed one of the towers and was flying a drone off it."

Why Huawei Gives the US and Its Allies Security Nightmares

Mon, 12/31/2018 - 03:08
Perhaps the most insightful piece summing up why the U.S. and its allies are apprehensive about using Huawei's products. It gives six reasons; only the headings are listed here, see the source story for the details:
1. There could be "kill switches" in Huawei equipment.
2. ... That even close inspections miss.
3. Back doors could be used for data snooping.
4. The rollout of 5G wireless networks will make everything worse.
5. Chinese firms will ship tech to countries in defiance of a US trade embargo.
6. Huawei isn't as immune to Chinese government influence as it claims to be.

EU Offers Big Bug Bounties On 14 Open Source Software Projects

Sat, 12/29/2018 - 08:34
Julia Reda is a member of Germany's Pirate Party, a member of the European Parliament, and the Vice-President of The Greens-European Free Alliance. Thursday her official web site announced: In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL.... The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure.... That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA... In 2017, the project was extended for three more years. This time, we decided to go one step further and added the carrying out of Bug Bounties on important Free Software projects to the list of measures we wanted to put in place to increase the security of Free and Open Source Software... In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on. The bounties start at 25.000,00 € -- about $29,000 USD -- rising as high as 90.000,00 € ($103,000). "The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software," Reda writes. Click through for a list of the software projects for which bug bounties will be offered.

Samsung Wants To Bring Web Browsing, Office Work To the TV

Fri, 12/28/2018 - 18:30
Samsung's 2019 smart TVs will allow consumers to browse the web, access their PCs and even edit work documents from the comfort of their living room couch. From a report: The company previewed a new feature dubbed Remote Access this week, which integrates both Samsung's own Knox security framework as well as remote access software from VMware. Samsung stopped short of revealing key details about Remote Access. It did disclose that Remote Access will make it possible to remotely access a PC from a TV, which then seems to function as a gateway to the web, as well as a way to play PC-based games. To use Remote Access, consumers won't have to just rely on their TV remote controls. Instead, it will also work with a keyboard, mouse, and other input devices. These may come in handy when consumers access what Samsung vaguely described as a "web browser-based cloud office service" to "access files and work on documents."

Mark Zuckerberg on Facebook's 2018: We've Changed, We Promise

Fri, 12/28/2018 - 11:30
It's nearly the new year, which means time for some reflection on what's happened and what's to come. For Facebook CEO Mark Zuckerberg, that means looking back on one really tough year. From a report: In his year-end post on Friday, Zuckerberg is optimistic, if a little defensive. He ticked off changes the company's made -- or, as he put it, "We've fundamentally altered our DNA" -- to focus more on handling the bad stuff that happens on Facebook. That includes tackling Russian interference in our elections, stopping harmful and bullying posts, and promising to give people more control over their data. He also noted that Facebook now has 30,000 people working on safety and harassment issues, and it's investing billions of dollars in security each year. He also acknowledged these issues will take more than a year to fix. But he said the company's started multiyear plans to address them. That doesn't mean he thinks Facebook is fully on the ball. "In the past we didn't focus as much on these issues as we needed to, but we're now much more proactive," he wrote. "I've learned a lot from focusing on these issues and we still have a lot of work ahead," Zuckerberg added. "I'm proud of the progress we've made in 2018 and grateful to everyone who has helped us get here -- the teams inside Facebook, our partners and the independent researchers and everyone who has given us so much feedback. I'm committed to continuing to make progress on these important issues as we enter the new year."

FCC Says It is Investigating CenturyLink 911 Outage

Fri, 12/28/2018 - 09:00
Federal Communications Commission Chairman Ajit Pai said on Friday the agency had launched an investigation into a nationwide CenturyLink outage that has affected 911 service for consumers across the country. In a statement, he said [PDF]: "When an emergency strikes, it's critical that Americans are able to use 911 to reach those who can help. The CenturyLink service outage is therefore completely unacceptable, and its breadth and duration are particularly troubling. I've directed the Public Safety and Homeland Security Bureau to immediately launch an investigation into the cause and impact of this outage. This inquiry will include an examination of the effect that CenturyLink's outage appears to have had on other providers' 911 services. I have also spoken with CenturyLink to underscore the urgency of restoring service immediately. We will continue to monitor this situation closely to ensure that consumers' access to 911 is restored as quickly as possible." The outage, which lasted all day Thursday and is still ongoing in certain states, knocked out 911 emergency call services in parts of western Washington state. News outlet KOMO reported that some CenturyLink customers reported receiving busy signals when dialing 911. Other areas of the country also experiencing 911 outages included parts of Missouri, Idaho and Arizona. Some ATM machines weren't working in Idaho and Montana. And additionally, Verizon said it had service interruptions in Albuquerque, New Mexico, and parts of Montana as a result of issues with CenturyLink.