Slashdot security articles


New Security Flaw Impacts 5G, 4G, and 3G Telephony Protocols

Thu, 01/31/2019 - 09:31
A new vulnerability has been discovered in the upcoming 5G cellular mobile communications protocol. Researchers have described this new flaw as more severe than any of the previous vulnerabilities that affected the 3G and 4G standards. From a report: Further, besides 5G, this new vulnerability also impacts the older 3G and 4G protocols, providing surveillance tech vendors with a new flaw they can abuse to create next-gen IMSI-catchers that work across all modern telephony protocols. This new vulnerability has been detailed in a research paper named "New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols," published last year. According to researchers, the vulnerability impacts AKA, which stands for Authentication and Key Agreement, a protocol that provides authentication between a user's phone and the cellular networks. The AKA protocol works by negotiating and establishing keys for encrypting the communications between a phone and the cellular network.

Hackers Are Passing Around a Megaleak of 2.2 Billion Records

Thu, 01/31/2019 - 06:52
An anonymous reader shares a report: When hackers breached companies like Dropbox and LinkedIn in recent years -- stealing 71 and 117 million passwords, respectively -- they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web. Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords, and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year's phone book. Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a set of cobbled-together breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2-5, which amounts to 845 gigabytes of stolen data and 25 billion records in all. After accounting for duplicates, analysts at the Hasso Plattner Institute in Potsdam, Germany, found that the total haul represents close to three times the Collection #1 batch.

India's Largest Bank SBI Leaked Account Data On Millions of Customers

Thu, 01/31/2019 - 05:00
An anonymous reader quotes a report from TechCrunch: India's largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions. The server, hosted in a regional Mumbai-based data center, stored two months of data from SBI Quick, a text message and call-based system used by customers of the government-owned State Bank of India (SBI) to request basic information about their bank accounts. SBI is the largest bank in the country and a highly ranked company in the Fortune 500. But the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers. The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances and recent transactions. The database also contained the customer's partial bank account number. Some would say when a check had been cashed, and many of the bank's sent messages included a link to download SBI's YONO app for internet banking. The bank sent out close to three million text messages on Monday alone. The database also had daily archives of millions of text messages each, going back to December, allowing anyone with access a detailed view into millions of customers' finances. SBI claims more than 500 million customers across the globe with 740 million accounts.

Lawyer Sues Apple Over FaceTime Eavesdrop Bug, Says It Let Someone Record a Sworn Testimony

Thu, 01/31/2019 - 02:00
A lawyer in Houston has filed a lawsuit against Apple over a security vulnerability that let people eavesdrop on iPhones using FaceTime. "His lawsuit, filed Monday in Harris County, Texas, alleges that Apple 'failed to exercise reasonable care' and that Apple 'knew, or should have known, that its Product would cause unsolicited privacy breaches and eavesdropping,'" reports CNBC. "It alleged Apple did not adequately test its software and that Apple was 'aware there was a high probability at least some consumers would suffer harm.'" From the report: The suit says that Williams was "undergoing a private deposition with a client when this defective product breached allowed for the recording" of the conversation. Williams claimed this caused "sustained permanent and continuous injuries, pain and suffering and emotional trauma that will continue into the future" and that Williams "lost ability to earn a living and will continued to be so in the future." The lawsuit also says that iOS 12.1, the latest major release of the iPhone operating system, was defective and "unreasonable dangerous" and that Apple "failed to provide adequate warnings to avoid the substantial danger" posed by the security flaw. Williams is seeking compensatory and punitive damages as a result of the exploit.

Facebook Shares Shoot Up After Strong Q4 Earnings Despite Scandals

Wed, 01/30/2019 - 23:00
Despite Facebook's recent scandals, such as the site's biggest data breach, the social media company managed to beat Wall Street's estimates in its Q4 earnings. "Facebook hit 2.32 billion monthly users, up 2.2 percent from 2.27 billion last quarter, speeding up its growth rate," reports TechCrunch. "Facebook climbed to 1.52 billion daily active users from 1.49 billion last quarter for a 2 percent growth rate that dwarfed last quarter's 1.36 percent." From the report: Facebook earned $16.91 billion off all those users with a $2.38 GAAP earnings per share. Those numbers handily beat Wall Street's expectations of $16.39 billion in revenue and $2.18 GAAP earnings per share, plus 2.32 billion monthly and 1.51 billion daily active users. Facebook's daily to monthly user ratio, or stickiness, held firm at 66 percent where it's stayed for years, showing those still on Facebook aren't using it much less. Facebook shares had closed today at $150.42 but shot up over 9 percent following the record revenue and profit announcements to hover around $162. A big 30 percent year-over-year boost in average revenue per user in North America fueled those gains. Yet that's still way down from $186 where it was a year ago and a peak of $217 in July. Facebook's monthly active users plateaued in North America but roared up in Europe. That was shored up by a reversal of last quarter's decline in Rest Of World average revenue per user, which fell 4.7 percent in Q3 but bounced back with 16.5 percent growth in Q4. Facebook raked in $6.8 billion in profit this quarter as it slowed down hiring and only grew headcount 5 percent from 33,606 to 35,587. It seems Facebook has gotten to a comfortable place with its security staff-up in the wake of election interference, fake news, and content moderation troubles. Its revenue is up 30 percent year-over-year while profits grew 61 percent, which is pretty remarkable for a 15-year-old technology company.

Attackers Can Track Kids' Locations Via Connected Watches

Wed, 01/30/2019 - 17:40
secwatcher shares a report from Threatpost: A gamut of kids' GPS-tracking watches are exposing sensitive data involving 35,000 children -- including their location, in real time. Researchers from Pen Test Partners specifically took a look at the Gator portfolio of watches from TechSixtyFour. The Gator line had been in the spotlight in 2017 for having a raft of vulnerabilities, called out by the Norwegian Consumers Council in its WatchOut research. "A year on, we decided to have a look at the Gator watch again to see how their security had improved," said Vangelis Stykas, in a Tuesday posting. "Guess what: a train wreck. Anyone could access the entire database, including real-time child location, name, parents' details etc. Not just Gator watches either -- the same back end covered multiple brands and tens of thousands of watches." "At issue was an easy-to-exploit, severe privilege-escalation vulnerability: The system failed to validate that the user had the appropriate permission to take admin control," reports Threatpost. "An attacker with access to the watch's credentials simply needed to change the user level parameter in the backend to an admin designation, which would provide access to all account information and all watch information."
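A constructed illustration of the flaw class Threatpost describes (privilege taken from a client-supplied user-level parameter) beside a hardened handler that derives privilege from the server-side account record and allow-lists writable fields. This is added example code, not TechSixtyFour's back end; the account records, the `user_level` field name and the request shape are assumptions.

```python
"""Vulnerable vs. hardened authorization for a watch back end.
Constructed example: accounts, watches, field names and the request
shape are assumptions made for the demonstration, not the vendor's code."""
from dataclasses import dataclass

ADMIN, PARENT = "admin", "parent"   # assumed privilege levels

# Constructed back-end state: each account's server-side privilege level
# and the watches it owns; watch records hold the sensitive child data.
ACCOUNTS = {
    "alice": {"level": PARENT, "watches": {"W-1001"}},
    "ops":   {"level": ADMIN,  "watches": set()},
}
WATCHES = {
    "W-1001": {"child": "A.", "location": "51.50,-0.12"},
    "W-2002": {"child": "B.", "location": "48.85,2.35"},
}


@dataclass
class Request:
    authenticated_user: str   # identity established by the session layer
    params: dict              # client-controlled body/query parameters


def vulnerable_list_watches(req: Request) -> list[str]:
    """Authorization decided by a field the client sends: the flaw class
    the report describes. Any authenticated caller who submits
    user_level=admin is treated as an administrator and sees every watch."""
    level = req.params.get("user_level", PARENT)
    if level == ADMIN:
        return sorted(WATCHES)
    return sorted(ACCOUNTS[req.authenticated_user]["watches"])


def hardened_list_watches(req: Request) -> list[str]:
    """Privilege level comes only from the server-side account record; the
    client parameter is never consulted, and non-admin access is scoped to
    the watches the account actually owns."""
    account = ACCOUNTS[req.authenticated_user]
    if account["level"] == ADMIN:
        return sorted(WATCHES)
    return sorted(w for w in account["watches"] if w in WATCHES)


def hardened_update_profile(req: Request) -> dict:
    """Mass-assignment guard for the write path: only an allow-list of
    fields may be set by the client, so a submitted 'level' never reaches
    the stored account record. Returns what was applied and what was dropped."""
    allowed = {"display_name", "email"}
    account = ACCOUNTS[req.authenticated_user]
    applied = sorted(allowed & set(req.params))
    rejected = sorted(set(req.params) - allowed)
    for key in applied:
        account[key] = req.params[key]
    return {"updated": applied, "rejected": rejected}
```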

Google Chrome To Get Warnings For 'Lookalike URLs'

Wed, 01/30/2019 - 15:00
The Google Chrome browser is set to add a feature that will warn users when accessing sites with domain names that look like authentic websites. From a report: The feature has been in the works for quite some time at Google and is a response to the practice of using typosquatted domains or IDN homograph attacks to lure users onto websites they didn't intend to access. Since the release of Chrome Canary 70, Google engineers have been testing a new feature called "Navigation suggestions for lookalike URLs." In Chrome Canary distributions -- Google Chrome's testing ground for new features -- users can access the following URL to enable the feature: chrome://flags/#enable-lookalike-url-navigation-suggestions.

Google+ Reveals Shutdown Timeline For Consumers

Wed, 01/30/2019 - 14:20
An anonymous reader quotes a report from Android Police: Google announced its plans to sunset its Google+ social media network for consumers on a sour note in October. The platform, which has a small but dedicated user-base, decided to shut down following Google's acknowledgement of a data exposure that affected up to 500,000 Google+ profiles. Shortly after, in December, the shutdown timeline was expedited due to another, larger bug that had the potential to reveal private user information and impacted approximately 52.5 million users. Now, the company has detailed its shutdown timeline for the consumer version of Google+ -- and it's not wasting any time. The shutdown timeline is as follows:

- As early as February 4th, you will no longer be able to create new Google+ profiles, pages, communities, or events.
- The Google+ feature for website comments will be removed by Blogger by February 4th and other sites by March 7th. All Google+ comments on all sites will be deleted starting April 2nd.
- Google+ sign-in buttons will stop working in the coming weeks, but in some cases will be replaced by a Google sign-in button.
- Google+ Community owners and moderators who are downloading data from their Community will gain additional data for download starting early March 2019. That includes author, body, and photos for every community post in a public community.
- On April 2nd, all Google+ accounts and pages will be shut down and Google will begin deleting content from consumer Google+ accounts. Photos and videos from Google+ in users' Album Archive and Google+ pages will also be deleted. Photos and videos backed up in Google Photos will not be deleted.

UAE Used Cyber Super-Weapon To Spy on iPhones of Foes

Wed, 01/30/2019 - 06:50
Reuters reports: A team of former U.S. government intelligence operatives working for the United Arab Emirates hacked into the iPhones of activists, diplomats and rival foreign leaders with the help of a sophisticated spying tool called Karma, in a campaign that shows how potent cyber-weapons are proliferating beyond the world's superpowers and into the hands of smaller nations. The cyber tool allowed the small Gulf country to monitor hundreds of targets beginning in 2016, from the Emir of Qatar and a senior Turkish official to a Nobel Peace laureate human-rights activist in Yemen, according to five former operatives and program documents reviewed by Reuters. The sources interviewed by Reuters were not Emirati citizens. Karma was used by an offensive cyber operations unit in Abu Dhabi comprised of Emirati security officials and former American intelligence operatives working as contractors for the UAE's intelligence services. The existence of Karma and of the hacking unit, code named Project Raven, haven't been previously reported. Raven's activities are detailed in a separate story published by Reuters today. The ex-Raven operatives described Karma as a tool that could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits -- it doesn't work on Android devices and doesn't intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone, they said.

Ask Slashdot: What Could Go Wrong In Tech That Hasn't Already Gone Wrong?

Tue, 01/29/2019 - 17:30
dryriver writes: If you look at the last 15 years in tech, just about everything that could go wrong seemingly has gone wrong. Everything you buy and bring into your home tracks you in some way or the other. Some software can only be rented now -- no permanent licenses available to buy. PC games are tethered into cloud crap like Steam, Origin and UPlay. China is messing with unborn baby genes. Drones have managed to mess up entire airports. The Scandinavians have developed a serious hatred of cash money and are instead getting themselves chipped. CPUs have horrible security. Every day some huge customer database somewhere gets pwned by hackers. Cybercrime has gone through the roof. You cannot trust the BIOS on your PC anymore. Windows 10 just will not stop updating itself. And AI is soon going to kill us all, if a self-driving car by Uber doesn't do it first. So: What has -- so far -- not gone wrong in tech that still could go wrong, and perhaps in a surprising way?

Facebook Pays Teens To Install VPN That Spies On Them

Tue, 01/29/2019 - 16:50
A new report from TechCrunch details how "desperate" Facebook is for data on its competitors. The social media company "has been secretly paying people to install a 'Facebook Research' VPN that lets the company suck in all of a user's phone and web activity," a TechCrunch investigation confirms. "Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity." From the report: Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android "Facebook Research" app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook's involvement, and is referred to in some documentation as "Project Atlas," a fitting name for Facebook's effort to map new trends and rivals around the globe. We asked Guardian Mobile Firewall's security expert Will Strafach to dig into the Facebook Research app, and he told us that "If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps -- including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed." It's unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user's device once they install the app.

Apple Was Notified About Major FaceTime Eavesdropping Bug Over a Week Ago

Tue, 01/29/2019 - 12:30
An anonymous reader writes: Twitter user MGT7500 tagged the official Apple Support account in a January 20 tweet claiming that her 14-year-old son discovered a "major security flaw" that allowed him to "listen in to your iPhone/iPad without your approval." The user also tagged Tim Cook on the issue in a follow-up tweet on January 21. Once the bug started making headlines on Monday, the Twitter user then shared additional tweets claiming that they had also emailed Apple's product security team over a week ago. A screenshot of the email was shared, and it appears the team did respond, but what they said is not visible in the screenshot. [...] All in all, there is evidence that Apple Support was tagged about an eavesdropping bug eight days before it made headlines, and if the rest of the tweets are truthful, the company was also alerted about the bug via several other avenues. The original story has been updated to include another example of a user -- John Meyer -- who has shared a video about the FaceTime bug that he says was recorded and sent to Apple on January 23.

US Judge Rejects Yahoo Data Breach Settlement

Tue, 01/29/2019 - 10:10
A U.S. judge rejected Yahoo's proposed settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history, faulting the Internet services provider for a lack of transparency. From a report: In a Monday night decision, U.S. District Judge Lucy Koh in San Jose, California, said she could not declare the settlement "fundamentally fair, adequate and reasonable" because it did not say how much victims could expect to recover. Yahoo, now part of New York-based Verizon Communications, was accused of being too slow to disclose three breaches from 2013 to 2016 that affected an estimated 3 billion accounts. The settlement called for a $50 million payout, plus two years of free credit monitoring for about 200 million people in the United States and Israel with nearly 1 billion accounts.

Singapore HIV Registry Data Leaked Online in Health Breach

Tue, 01/29/2019 - 09:04
Confidential data about more than 14,000 people diagnosed with HIV, including foreign visitors, has been stolen in Singapore and leaked online. From a report: Authorities revealed details about the 2016 health data breach on Monday. They believe an HIV-positive American whose partner was a senior Singaporean doctor is behind the leak. The hack comes just months after the records of 1.5m Singaporeans, including Prime Minister Lee Hsien Loong, were stolen last year. Confidential information including names, addresses, HIV status and other medical information is reportedly included in the latest breach. Officials say the details of 5,400 Singaporeans and 8,800 foreigners dating up to January 2013 have been compromised.

Firefox 65 Arrives With Content Blocking Controls, and Support for WebP and AV1

Tue, 01/29/2019 - 06:50
Firefox 65, the latest version of Mozilla's web browser, is now available for Windows, Mac, Linux, and Android platforms. The release brings simplified Content Blocking controls for Enhanced Tracking Protection and WebP image support, with the Windows client getting an additional feature: support for the AV1 format. From a report: Across all platforms, Firefox can now handle Google's WebP image format. WebP supports both lossy and lossless compression and promises the same image quality as existing formats at smaller file sizes. Firefox 65 for desktop brings redesigned controls for the Content Blocking section to let users choose their desired level of privacy protection. You can access it by either clicking on the small "i" icon in the address bar and clicking on the gear on the right side under Content Blocking or by going to Preferences, Privacy & Security, and then Content Blocking. Next, Firefox now supports AV1, the royalty-free video codec developed by the Alliance for Open Media. AV1 improves compression efficiency by more than 30 percent over the codec VP9, which it is meant to succeed. Lastly, Firefox's new Task Manager page (just navigate to about:performance or find it under "Other" in the main menu) is complete. Introduced in Firefox 64, Task Manager now reports memory usage for tabs and add-ons.

All-Photonic Quantum Repeaters Could Lead To a Faster, More Secure Global Quantum Internet

Mon, 01/28/2019 - 23:00
"University of Toronto Engineering professor Hoi-Kwong Lo and his collaborators have developed a prototype for a key element for all-photonic quantum repeaters, a critical step in long-distance quantum communication," reports Phys.Org. This proof-of-principle device could serve as the backbone of a future quantum internet. From the report: In light of [the security issues with today's internet], researchers have proposed other ways of transmitting data that would leverage key features of quantum physics to provide virtually unbreakable encryption. One of the most promising technologies involves a technique known as quantum key distribution (QKD). QKD exploits the fact that the simple act of sensing or measuring the state of a quantum system disturbs that system. Because of this, any third-party eavesdropping would leave behind a clearly detectable trace, and the communication can be aborted before any sensitive information is lost. Until now, this type of quantum security has been demonstrated in small-scale systems. Lo and his team are among a group of researchers around the world who are laying the groundwork for a future quantum Internet by working to address some of the challenges in transmitting quantum information over great distances, using optical fiber communication. Because light signals lose potency as they travel long distances through fiber-optic cables, devices called repeaters are inserted at regular intervals along the line. These repeaters boost and amplify the signals to help transmit the information along the line. But quantum information is different, and existing repeaters for quantum information are highly problematic. They require storage of the quantum state at the repeater sites, making the repeaters much more error prone, difficult to build, and very expensive because they often operate at cryogenic temperatures. Lo and his team have proposed a different approach. They are working on the development of the next generation of repeaters, called all-photonic quantum repeaters, that would eliminate or reduce many of the shortcomings of standard quantum repeaters. "We have developed all-photonic repeaters that allow time-reversed adaptive Bell measurement," says Lo. "Because these repeaters are all-optical, they offer advantages that traditional -- quantum-memory-based matter -- repeaters do not. For example, this method could work at room temperature."

A Bug in FaceTime Allows One To Access Someone's iPhone Camera And Microphone Before They Answered the Call; Apple Temporarily Disables Group FaceTime Feature

Mon, 01/28/2019 - 21:29
Social media sites lit up today with anxious Apple users after a strange glitch in the iPhone's FaceTime app became apparent. The issue: It turns out that an iPhone user can call another iPhone user and listen in on -- and access the live video feed of -- that person's conversations through the device's microphone and camera, even if the recipient does not answer the call. In a statement, Apple said it was aware of the bug and was working to release a fix later this week. In the meantime, the company has disabled the Group calling functionality in the FaceTime app. From a report: The issue was so serious that Twitter CEO Jack Dorsey, and even Andrew Cuomo, governor of the state of New York, weighed in and urged their followers to disable FaceTime. [...] That's bad news for a company that's been vocal about privacy and customer data protection lately. The timing couldn't be worse, given that Apple is set to host its earnings call for the October-December quarter of 2018 in just a matter of hours.

Huawei Is Blocked in US, But Its Chips Power Cameras Everywhere

Mon, 01/28/2019 - 13:31
An anonymous reader shares a report: Pelco, a California-based security camera maker, set lofty sales targets last year for a model with sharper video resolution and other cutting-edge features. That was until Congress derailed its plans. In August, updated legislation barred the U.S. military and government from buying tech gear from firms deemed too close to authorities in China. When the bill surfaced, Pelco scrapped any thought of providing its new GPC Professional 4K camera to the U.S. government and lowered its sales goals. The reason: The device uses parts from HiSilicon, the chip division of Huawei. [...] Most of the focus is on Huawei telecom gear that helps run communications networks all over the world. But chips from the HiSilicon unit are also sparking concern because they power about 60 percent of surveillance cameras. That means Chinese chips process video from cameras that sit in places as varied as pizzerias, offices and banks across the U.S.

Japanese Government Plans To Hack Into Citizens' IoT Devices

Mon, 01/28/2019 - 06:51
An anonymous reader writes: The Japanese government approved a law amendment on Friday that will allow government workers to hack into people's Internet of Things devices as part of an unprecedented survey of insecure IoT devices. The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications. NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices. The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices. The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people's homes and on enterprise networks will be tested alike.

Do Debian APT and PHP Pear Patches Highlight Vulnerability In Package Management Infrastructure?

Sat, 01/26/2019 - 10:34
"Time and again, security experts and vendors alike will recommend to organizations and end users to keep software and systems updated with the latest patches," reports eWeek. "But what happens when the application infrastructure that is supposed to deliver those patches is itself at risk?" That's what open-source and Linux users were faced with this past week with a pair of projects reporting vulnerabilities. On January 22, the Debian Linux distribution reported a vulnerability in its APT package manager that is used by end users and organizations to get application updates. That disclosure was followed a day later, on January 23, with the PHP PEAR (PHP Extension and Application Repository) shutting down its primary website, warning that it was the victim of a data breach. PHP PEAR is a package manager that is included with many Linux distributions as part of the open-source PHP programming language binaries.... In the Debian APT case, a security researcher found a flaw, reported it, and the open-source project community responded rapidly, fixing the issue. With the PHP PEAR issue, researchers with the Paranoids FIRE (Forensics, Incident Response and Engineering) Team reported that they discovered a tainted file on the primary PEAR website... Both PHP PEAR and Debian have issued updates fixing their respective issues. While both projects are undoubtedly redoubling their efforts now with different security technologies and techniques, the simple fact is that the two issues highlight a risk with users trusting updating tools and package management systems.