Slashdot security articles

Slashdot: News for nerds, stuff that matters

Italy Stings Facebook With $1.1 Million Fine For Cambridge Analytica Data Misuse

Fri, 06/28/2019 - 18:02
Italy's data protection watchdog has slapped Facebook with a $1.1 million fine for violations of local privacy law attached to the Cambridge Analytica data misuse scandal. TechCrunch reports: Last year it emerged that up to 87 million Facebook users had had their data siphoned out of the social media giant's platform by an app developer working for the controversial (and now defunct) political data company, Cambridge Analytica. The offences in question occurred prior to Europe's tough new data protection framework, GDPR, coming into force -- hence the relatively small size of the fine in this case, which has been calculated under Italy's prior data protection regime. (Whereas fines under GDPR can scale as high as 4% of a company's annual global turnover.) A Facebook spokesperson issued the following statement: "We have said before that we wish we had done more to investigate claims about Cambridge Analytica in 2015. However, evidence indicates that no Italian user data was shared with Cambridge Analytica. Dr Kogan only shared data with Cambridge Analytica in relation to U.S. users. We made major changes to our platform back then and have also significantly restricted the information which app developers can access. We're focused on protecting people's privacy and have invested in people, technology and partnerships, including hiring more than 20,000 people focused on safety and security over the last year. We will review the Garante's decision and will continue to engage constructively with their concerns."

NSA Improperly Collected US Phone Call Data After Saying Problem Was Fixed

Fri, 06/28/2019 - 14:40
An anonymous reader quotes a report from USA Today: The National Security Agency improperly collected phone call records of Americans last fall, months after a previous breach that compelled the agency to destroy millions of records from the contentious program, documents released Wednesday revealed. The redacted documents, obtained by the ACLU in a Freedom of Information Act lawsuit, do not indicate how many records NSA improperly collected in the October breach, nor which telecommunications provider submitted the improper data. "These documents provide further evidence that the NSA has consistently been unable to operate the call detail record program within the bounds of the law," the ACLU said in a letter to Congress this week lobbying for an end to the program. The letter says elements within the Office of the Director of National Intelligence concluded the October violations had a "significant impact" on privacy and civil rights, but that the Americans affected were not told of the breach.

Firefox To Get a Random Password Generator, Like Chrome and Safari

Fri, 06/28/2019 - 14:00
Mozilla is adding a random password generator to Firefox. From a report: The Firefox random password generator is expected to become publicly available for all Firefox users with the release of Firefox 69, scheduled for release in early September, roughly a year after Chrome 69. Currently, the random password generator is only available in Firefox Nightly, a Firefox version for testing new features before they land in the stable branch. When Firefox 69 is released, the random password generator is expected to be available as a checkbox in the Firefox settings section, under "Privacy & Security," under "Logins and Passwords."

FBI Urges Universities To Monitor Some Chinese Students And Scholars In the US

Fri, 06/28/2019 - 12:01
U.S. intelligence agencies are encouraging American research universities to develop protocols for monitoring students and visiting scholars from Chinese state-affiliated research institutions, as U.S. suspicion toward China spreads to academia. From a report: Since last year, FBI officials have visited at least 10 members of the Association of American Universities, a group of 62 research universities, with an unclassified list of Chinese research institutions and companies. Universities have been advised to monitor students and scholars associated with those entities on American campuses, according to three administrators briefed at separate institutions. FBI officials have also urged universities to review ongoing research involving Chinese individuals that could have defense applications, the administrators say. "We are being asked what processes are in place to know what labs they are working at or what information they are being exposed to," Fred Cate, vice president of research at Indiana University, tells NPR. "It's not a question of just looking for suspicious behavior -- it's actually really targeting specific countries and the people from those countries." In a statement responding to NPR's questions, the FBI said it "regularly engages with the communities we serve. As part of this continual outreach, we meet with a wide variety of groups, organizations, businesses, and academic institutions. The FBI has met with top officials from academia as part of our ongoing engagement on national security matters."

Microsoft Seeks To Join the Official Linux-Distros Mailing List

Fri, 06/28/2019 - 11:21
Microsoft's transformation into a fully paid-up member of the Linux love-train continued this week as the Windows giant sought to join the exclusive club that is the official linux-distros mailing list. From a report: The linux-distros list is used by Linux distributions to privately report, coordinate, and discuss security issues yet to reach the general public; oss-security is there for stuff that is already out in the open or cannot wait for things to bounce around for a few days first. Sasha Levin, who describes himself as a "Linux kernel hacker" at the beast of Redmond, made the application for his employer to join the list, which if approved would allow Microsoft to tap into private behind-the-scenes chatter about vulnerabilities, patches, and ongoing security issues with the open-source kernel and related code. These discussions are crucial for getting an early heads up, and coordinating the handling and deployment of fixes before they are made public. To demonstrate that Microsoft qualifies for membership alongside the likes of Ubuntu, Debian, and SUSE, he cited Microsoft's Azure Sphere and the Windows Subsystem For Linux (WSL) 2 as examples of distro-like builds.

FDA Warns About Insulin Pump Cybersecurity

Fri, 06/28/2019 - 08:41
Something new for diabetes patients to worry about: Someone nearby could potentially connect wirelessly to your Medtronic MiniMed insulin pump, the FDA warned yesterday. They could then change the pump's settings, causing it to deliver too much or too little insulin to the patient. From a report: While the agency said that, as far as it knows, no one has actually hacked into someone else's insulin pump and harmed them, this is the future of health care cyber risk. The agency said that patients using certain models of the pump should switch to less vulnerable ones.

Trump White House Reportedly Debating Encryption Policy Behind Closed Doors

Thu, 06/27/2019 - 18:02
According to a report in Politico, the Trump administration held a National Security Council meeting on Wednesday that weighed the challenges and benefits of encryption. "One of Politico's sources said that the meeting was split into two camps: Decide, create and publicize the administration's position on encryption or go so far as to ask Congress for legislation to ban end-to-end encryption," reports Gizmodo. From the report: That would be a huge escalation in the encryption fight and, moreover, would probably be unsuccessful due to a lack of willpower in Congress. No decision was made by the Trump administration officials, Politico reported. The White House did not respond to a request for comment. The fact that these discussions are ongoing both within the White House and with Silicon Valley shows that the issue is still very much alive within the corridors of power.

Microsoft Excel Power Query Feature Can Be Abused For Malware Distribution

Thu, 06/27/2019 - 17:25
Security researchers have devised a method to abuse a legitimate Microsoft Excel technology named Power Query to run malicious code on users' systems with minimal interaction. ZDNet reports: Power Query is a data connection technology that can allow Excel files to discover, connect, combine, and manipulate data before importing it from remote sources, such as an external database, text document, another spreadsheet, or a web page. The tool is included with recent versions of Excel and available as a separate downloadable add-in for older Excel versions. In research published today and shared with ZDNet, Ofir Shlomo, a security researcher with the Mimecast Threat Center, described a technique through which Power Query features could be abused to run malicious code on users' systems. The technique relies on creating malformed Excel documents that use Power Query to import data from an attacker's remote server. "Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened," Shlomo said. "The malicious code could be used to drop and execute malware that can compromise the user's machine." Mimecast's technique can even bypass security sandboxes that analyze documents sent via email before allowing users to download and open them. Microsoft has yet to issue a fix for the vulnerability, but did release an advisory document for users, offering a way to beef up security.

Google's New ReCAPTCHA Has a Dark Side

Thu, 06/27/2019 - 14:40
An anonymous reader quotes a report from Fast Company: We've all tried to log into a website or submit a form only to be stuck clicking boxes of traffic lights or storefronts or bridges in a desperate attempt to finally convince the computer that we're not actually a bot. For many years, this has been one of the predominant ways that reCaptcha -- the Google-run internet bot detector -- has determined whether a user is a bot or not. But last fall, Google launched a new version of the tool, with the goal of eliminating that annoying user experience entirely. Now, when you enter a form on a website that's using reCaptcha V3, you won't see the "I'm not a robot" checkbox, nor will you have to prove you know what a cat looks like. Instead, you won't see anything at all. Google is also now testing an enterprise version of reCaptcha v3, where Google creates a customized reCaptcha for enterprises that are looking for more granular data about users' risk levels to protect their site algorithms from malicious users and bots. But this new, risk-score based system comes with a serious trade-off: users' privacy. According to two security researchers who've studied reCaptcha, one of the ways that Google determines whether you're a malicious user or not is whether you already have a Google cookie installed on your browser. It's the same cookie that allows you to open new tabs in your browser and not have to re-log in to your Google account every time. But according to Mohamed Akrout, a computer science PhD student at the University of Toronto who has studied reCaptcha, it appears that Google is also using its cookies to determine whether someone is a human in reCaptcha v3 tests. Akrout wrote in an April paper about how reCaptcha v3 simulations that ran on a browser with a connected Google account received lower risk scores than browsers without a connected Google account. 
"Because reCaptcha v3 is likely to be on every page of a website, if you're signed into your Google account there's a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3 -- and there may be no visual indication on the site that it's happening, beyond a small reCaptcha logo hidden in the corner," the report adds.

Western Intelligence Hacked Russia's Yandex To Spy On Accounts

Thu, 06/27/2019 - 11:24
Hackers working for Western intelligence agencies broke into Russian internet search company Yandex in late 2018, deploying a rare type of malware in an attempt to spy on user accounts, Reuters reported Thursday, citing four people with knowledge of the matter. From the report: The malware, called Regin, is known to be used by the "Five Eyes" intelligence-sharing alliance of the United States, Britain, Australia, New Zealand and Canada, the sources said. Intelligence agencies in those countries declined to comment. Western cyberattacks against Russia are seldom acknowledged or spoken about in public. It could not be determined which of the five countries was behind the attack on Yandex, said sources in Russia and elsewhere, three of whom had direct knowledge of the hack. The breach took place between October and November 2018. Yandex spokesman Ilya Grabovsky acknowledged the incident in a statement to Reuters, but declined to provide further details. "This particular attack was detected at a very early stage by the Yandex security team. It was fully neutralized before any damage was done," he said.

Huawei Personnel Worked With China's Military on Research Projects

Thu, 06/27/2019 - 07:22
Several Huawei employees have collaborated on research projects with Chinese armed forces personnel, indicating closer ties to the country's military than previously acknowledged by the smartphone and networking powerhouse, Bloomberg reported Thursday. From the report: Over the past decade, Huawei workers have teamed with members of various organs of the People's Liberation Army on at least 10 research endeavors spanning artificial intelligence to radio communications. They include a joint effort with the investigative branch of the Central Military Commission -- the armed forces' supreme body -- to extract and classify emotions in online video comments, and an initiative with the elite National University of Defense Technology to explore ways of collecting and analyzing satellite images and geographical coordinates. Those projects are just a few of the publicly disclosed studies that shed light on how staff at China's largest technology company teamed with the People's Liberation Army on research into an array of potential military and security applications.

India Reportedly Wants To Build Its Own WhatsApp For Government Communications

Thu, 06/27/2019 - 06:41
India may have plans to follow in France's footsteps in building a chat app and requiring government employees to use it for official communications. From a report: The New Delhi government is said to be pondering the need to have homegrown email and chat apps, local news outlet Economic Times reported on Thursday. The rationale behind the move is to cut reliance on foreign entities, the report said, a concern that has somehow manifested amid U.S.'s ongoing tussle with Huawei and China. "We need to make our communication insular," an unnamed top government official was quoted as saying by the paper. The person suggested that by putting Chinese giant Huawei on the entity list, the U.S. has "set alarm bells ringing in New Delhi." India has its own ongoing trade tension with the U.S. Donald Trump earlier this month removed the South Asian nation from a special trade program after India did not assure him that it "unfortunate," and weeks later, increased tariffs on some U.S. exports.

Researchers Demonstrate How US Emergency Alert System Can Be Hijacked and Weaponized

Wed, 06/26/2019 - 18:02
After an emergency alert was accidentally sent to Hawaii residents last year, warning of an impending nuclear ballistic missile attack, researchers at the University of Colorado Boulder were prompted to ask the question: How easy would it be to exploit the nation's emergency alert systems, wreaking havoc on the American public via fake or misleading alerts? In short, they found that it wasn't very difficult at all. Motherboard reports: Their full study was recently unveiled at the 2019 International Conference on Mobile Systems, Applications and Services (MobiSys) in Seoul, South Korea. It documents how spoofing the Wireless Emergency Alert (WEA) program to trick cellular users wasn't all that difficult. To prove it, researchers built a mini "pirate" cell tower using easily available hardware and open source software. Using isolated RF shield boxes to mitigate any real-world harm, they then simulated attacks in the 50,000-seat Folsom Field at the University. 90 percent of the time, the researchers say they were able to pass bogus alerts on to cell phones within range. The transmission of these messages from the government to the cellular tower is secure. It's the transmission from the cellular tower to the end user that's open to manipulation and interference, the researchers found. The vulnerability potentially impacts not just US LTE networks, but LTE networks from Europe to South Korea.

Second Florida City Pays Giant Ransom To Ransomware Gang In a Week

Wed, 06/26/2019 - 14:40
Less than a week after a first Florida city agreed to pay a whopping $600,000 to get their data back from hackers, now, a second city's administration has taken the same path. On Monday, in an emergency meeting of the city council, the administration of Lake City, a small Florida city with a population of 65,000, voted to pay a ransom demand of 42 bitcoins, worth nearly $500,000. ZDNet reports: The decision to pay the ransom demand was made after the city suffered a catastrophic malware infection earlier this month, on June 10, which the city described as a "triple threat." Despite the city's IT staff disconnecting impacted systems within ten minutes of detecting the attack, a ransomware strain infected almost all its computer systems, with the exception of the police and fire departments, which ran on a separate network. A ransom demand was made a week after the infection, with hackers reaching out to the city's insurance provider -- the League of Cities, which negotiated a ransom payment of 42 bitcoins last week. City officials agreed to pay the ransom demand on Monday, and the insurer made the payment yesterday, on Tuesday, June 25, local media reported. The payment is estimated to have been worth between $480,000 and $500,000, depending on Bitcoin's price at the time of the payment. The city's IT staff is now working to recover their data after receiving a decryption key.

Google Warns of Microsoft SwiftKey Losing Access To Gmail on July 15

Wed, 06/26/2019 - 12:42
Speaking of Google, the company is sending out warnings to Microsoft SwiftKey users that the keyboard will no longer be able to access the data in Google Accounts, including Gmail content, starting on July 15th. From a report: In an email, Google is telling SwiftKey users who have integrated the keyboard replacement with Gmail that the integration will no longer work on July 15th, 2019, unless SwiftKey complies with Google's updated data policies. When users install SwiftKey, they can personalize the keyboard by integrating it with email accounts such as Gmail. When integrating with other services, though, the app requests various permissions governing how it can access the content in that service.

Firefox Will Give You a Fake Browsing History To Fool Advertisers

Wed, 06/26/2019 - 12:02
Security through obscurity is out, security through tomfoolery is in. From a report: That's the basic philosophy sold by Track THIS, "a new kind of incognito" browsing project, which opens up 100 tabs crafted to fit a specific character -- a hypebeast, a filthy rich person, a doomsday prepper, or an influencer. The idea is that your browsing history will be depersonalized and poisoned, so advertisers won't know how to target ads to you. It was developed as a collaboration between mschf (pronounced "mischief") internet studios and Mozilla's Firefox as a way of promoting Firefox Quantum, the newest Firefox browser. [...] Just a warning -- if you use Track THIS it may take several minutes for all 100 tabs to load. (I used Chrome as my browser.) But as it gradually loads, it's like taking a first-person journey through someone else's consciousness.

Google Now Allows Users To Auto-Delete Their Location History

Wed, 06/26/2019 - 10:00
Google today began rolling out location history deletion tools to Android and iOS, giving users a relatively simple way to limit the scope of Google's location tracking. Users can only choose between deleting data after three or 18 months. In a blog post, Google wrote: Choose a time limit for how long you want your activity data to be saved -- 3 or 18 months -- and any data older than that will be automatically deleted from your account on an ongoing basis. These controls are coming first to Location History and Web & App Activity and will roll out in the coming weeks.

Intel, Arm To Help Create New IoT Standard For Device Onboarding

Wed, 06/26/2019 - 08:01
Intel is working with rival Arm to create a new industry standard for an important issue in the Internet of Things market: making sure that devices are properly configured and connected to the cloud. From a report: The Santa Clara, Calif.-based chipmaker announced on Wednesday that the company is a founding member of the new IoT Technical Working Group within the FIDO Alliance, an industry consortium founded by PayPal, Lenovo and others in 2012 to develop standards for password-less authentication. The goal of FIDO's IoT Technical Working Group, which will also include experts from Microsoft, Google and Amazon, is to create a standard specification for "large-scale IoT onboarding," the process in which devices are configured and connected to IoT cloud management services at the time of installation. Lorie Wigle, the executive in charge of Intel's platform security efforts, told CRN that it is important to create a standard around IoT onboarding because many companies currently face challenges with the practice when it comes to handling large-scale deployments and security. [...] Once FIDO develops the standard, market forces will compel companies to adhere and participate, according to Wigle, who said it will also increase device variety, lower costs and accelerate deployments.

Eight of the World's Biggest Technology Service Providers Were Hacked by Chinese Cyber Spies in an Elaborate and Years-Long Invasion

Wed, 06/26/2019 - 07:20
The invasion exploited weaknesses in those companies, their customers, and the Western system of technological defense, Reuters reported on Wednesday. From the report: Hacked by suspected Chinese cyber spies five times from 2014 to 2017, security staff at Swedish telecoms equipment giant Ericsson had taken to naming their response efforts after different types of wine. Pinot Noir began in September 2016. After successfully repelling a wave of attacks a year earlier, Ericsson discovered the intruders were back. And this time, the company's cybersecurity team could see exactly how they got in: through a connection to information-technology services supplier Hewlett Packard Enterprise. Teams of hackers connected to the Chinese Ministry of State Security had penetrated HPE's cloud computing service and used it as a launchpad to attack customers, plundering reams of corporate and government secrets for years in what U.S. prosecutors say was an effort to boost Chinese economic interests. The hacking campaign, known as "Cloud Hopper," was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud. Prosecutors described an elaborate operation that victimized multiple Western companies but stopped short of naming them. A Reuters report at the time identified two: Hewlett Packard Enterprise and IBM. Yet the campaign ensnared at least six more major technology firms, touching five of the world's 10 biggest tech service providers. Also compromised by Cloud Hopper, Reuters has found: Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology. HPE spun off its services arm in a merger with Computer Sciences Corporation in 2017 to create DXC.

Huawei Telecom Gear Much More Vulnerable To Hackers Than Rivals' Equipment, Report Says

Wed, 06/26/2019 - 06:03
Telecommunications gear made by China's Huawei is far more likely to contain flaws that could be leveraged by hackers for malicious use than equipment from rival companies, according to new research by cybersecurity experts that top U.S. officials said appeared credible. From a report: Over half of the nearly 10,000 firmware images encoded into more than 500 variations of enterprise network-equipment devices tested by the researchers contained at least one such exploitable vulnerability, the researchers found. Firmware is the software that powers the hardware components of a computer. The tests were compiled in a new report that has been submitted in recent weeks to senior officials in multiple government agencies in the U.S. and the U.K., as well as to lawmakers. The report is notable both for its findings and because it is circulating widely among Trump administration officials who said it further validated their policy decisions toward Huawei. "This report supports our assessment that since 2009, Huawei has maintained covert access to some of the systems it has installed for international customers," said a White House official who reviewed the findings. "Huawei does not disclose this covert access to customers nor local governments. This covert access enables Huawei to record information and modify databases on those local systems." The report, reviewed by The Wall Street Journal, was prepared by Finite State, a Columbus, Ohio-based cybersecurity firm.