Slashdot security articles

Syndicate content Slashdot: Generated for TarPitt (217247)
News for nerds, stuff that matters: Generated for TarPitt (217247)
Updated: 12 hours 36 min ago

'This Time It's Russia's Emails Getting Leaked'

Sat, 01/26/2019 - 08:34
"Russian oligarchs and Kremlin apparatchiks may find the tables turned on them," writes Kevin Poulsen at The Daily Beast, reporting on a new leak site that's unleashed "a compilation of hundreds of thousands of hacked emails and gigabytes of leaked documents." "Think of it as WikiLeaks, but without Julian Assange's aversion to posting Russian secrets." Slashdot reader hyades1 shared their report: The site, Distributed Denial of Secrets, was founded last month by transparency activists. Co-founder Emma Best said the Russian leaks, slated for release Friday, will bring into one place dozens of different archives of hacked material that, at best, have been difficult to locate, and in some cases appear to have disappeared entirely from the web. "Stuff from politicians, journalists, bankers, folks in oligarch and religious circles, nationalists, separatists, terrorists operating in Ukraine," said Best, a national-security journalist and transparency activist. "Hundreds of thousands of emails, Skype and Facebook messages, along with lots of docs...." The site is a kind of academic library or a museum for leak scholars, housing such diverse artifacts as the files North Korea stole from Sony in 2014, and a leak from the Special State Protection Service of Azerbaijan. The site's Russia section already includes a leak from Russia's Ministry of the Interior, portions of which detailed the deployment of Russian troops to Ukraine at a time when the Kremlin was denying a military presence there. Though some material from that leak was published in 2014, about half of it wasn't, and WikiLeaks reportedly rejected a request to host the files two years later, at a time when Julian Assange was focused on exposing Democratic Party documents passed to WikiLeaks by Kremlin hackers. "A lot of what WikiLeaks will do is organize and re-publish information that's appeared elsewhere," said Nicholas Weaver, a researcher at the University of California at Berkeley's International Computer Science Institute. "They've never done that with anything out of Russia." The Russian documents were posted simultaneously on the DDoSecrets website and on the Internet Archive, notes the New York Times, adding that the new site has also posted a large archive of internal documents from WikiLeaks itself. "Personally, I am disappointed by what I see as dishonest and egotistic behavior from Julian Assange and WikiLeaks," Best tells the Times. "But she added that she had made the Russian document collection available to WikiLeaks ahead of its public release on Friday, and had posted material favorable to Mr. Assange leaked from the Ecuadorean Embassy in London, where he has lived for more than six years to avoid arrest."

Millions of Bank Loan and Mortgage Documents Have Leaked Online

Fri, 01/25/2019 - 15:30
An anonymous reader quotes a report from TechCrunch: [M]illions of documents were found leaking after an exposed Elasticsearch server was found without a password. The documents contained highly sensitive financial data on tens of thousands of individuals who took out loans or mortgages over the past decade with U.S. financial institutions. The documents were converted using a technology called OCR from their original paper documents to a computer readable format and stored in the database, but they weren't easy to read. That said, it was possible to discern names, addresses, birth dates, Social Security numbers and other private financial data by anyone who knew where to find the server. Independent security researcher Bob Diachenko and TechCrunch traced the source of the leaking database to a Texas-based data and analytics company, Ascension. When reached, the company said that one of its vendors, OpticsML, a New York-based document management startup, had mishandled the data and was to blame for the data leak. It turns out that data was exposed again -- but this time, it was the original documents. Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server to see -- and download -- the files stored inside. The bucket contained 21 files containing 23,000 pages of PDF documents stitched together -- or about 1.3 gigabytes in size. Diachenko said that portions of the data in the exposed Elasticsearch database on Wednesday matched data found in the Amazon S3 bucket, confirming that some or all of the data is the same as what was previously discovered. Like in Wednesday's report, the server contained documents from banks and financial institutions across the U.S., including loans and mortgage agreements. We also found documents from the U.S. Department of Housing and Urban Development, as well as W-2 tax forms, loan repayment schedules and other sensitive financial information. Many of the files also contained names, addresses, phone numbers, Social Security numbers and more.

The Messy Truth About Infiltrating Computer Supply Chains

Fri, 01/25/2019 - 12:36
In October last year, Bloomberg Businessweek published an alarming story: Operatives working for China's People's Liberation Army had secretly implanted microchips into motherboards made in China and sold by U.S.-based Supermicro. While Bloomberg's story -- which has been challenged by numerous players -- may well be completely (or partly) wrong, the danger of China compromising hardware supply chains is very real, judging from classified intelligence documents, reports The Intercept. From the report: U.S. spy agencies were warned about the threat in stark terms nearly a decade ago and even assessed that China was adept at corrupting the software bundled closest to a computer's hardware at the factory, threatening some of the U.S. government's most sensitive machines, according to documents provided by National Security Agency whistleblower Edward Snowden. The documents also detail how the U.S. and its allies have themselves systematically targeted and subverted tech supply chains, with the NSA conducting its own such operations, including in China, in partnership with the CIA and other intelligence agencies. The documents also disclose supply chain operations by German and French intelligence. What's clear is that supply chain attacks are a well-established, if underappreciated, method of surveillance -- and much work remains to be done to secure computing devices from this type of compromise. "An increasing number of actors are seeking the capability to target ... supply chains and other components of the U.S. information infrastructure," the intelligence community stated in a secret 2009 report. "Intelligence reporting provides only limited information on efforts to compromise supply chains, in large part because we do not have the access or technology in place necessary for reliable detection of such operations."

US Pressed Chinese Firms To Show One Example of When They Resisted Request For Data From Chinese Government, But They Have Never Done So: WSJ

Thu, 01/24/2019 - 12:21
The latest in the Huawei saga, which is increasing tension between the U.S. and China. WSJ reports about a remarkable event: Confronted with U.S. accusations of cyber espionage, Chinese companies and government officials often accuse Washington of hypocrisy, pointing to allegations in 2013 by former NSA contractor Edward Snowden that the U.S. had been hacking into key Chinese networks for years. Western officials say systems of checks and balances in their countries allow for companies to challenge those demands, unlike in China. To further highlight that difference, U.S. officials have repeatedly pressed Chinese companies to demonstrate to them one example of a time they resisted a request for data from the Chinese government, but they have never done so, according to a person familiar with those conversations. U.S. intelligence officials have suggested at times that their views on Huawei are informed by definitive examples of malfeasance, though they have so far refused to share such evidence publicly. When the House Intelligence Committee in 2012 published an unclassified report naming Huawei as a security risk, it spoke generally about a lack of trust lawmakers placed in China but steered clear of providing concrete examples of the company being caught engaging in nefarious activity.

Chrome API Update Will Kill a Bunch of Other Extensions, Not Just Ad Blockers

Thu, 01/24/2019 - 07:20
An anonymous reader writes: A planned update to one of the Google Chrome extensions APIs would kill much more than a few ad blockers, ZDNet has learned, including browser extensions for antivirus products, parental control enforcement, phishing detection, and various privacy-enhancing services. Developers for extensions published by F-Secure, NoScript, Amnesty International, and Ermes Cyber Security, among others, made their concerns public today after news broke this week that Google was considering the API change. Furthermore, efforts to port NoScript from Firefox to Chrome are also impacted, according to the plugin's author, who says the new API update all but cripples the NoScript for Chrome port.

How Web Apps Can Turn Browser Extensions Into Backdoors

Wed, 01/23/2019 - 17:10
"Threatpost has a link to some recent research about ways web pages can exploit browser extensions to steal information or write files," writes Slashdot reader jbmartin6. "Did we need another reason to be deeply suspicious of any browser extension? Not only do they spy on us for their makers, now other people can use them to spy on us as well. The academic paper is titled 'Empowering Web Applications with Browser Extensions' (PDF)." From the report: "An attacker [uses] a script that is present in a web application currently running in the user browser. The script either belongs to the web application or to a third party. The goal of the attacker is to interact with installed extensions, in order to access user sensitive information. It relies on extensions whose privileged capabilities can be exploited via an exchange of messages with scripts in the web application," researchers wrote. They added, "Even though content scripts, background pages and web applications run in separate execution contexts, they can establish communication channels to exchange messages with one another... APIs [are used] for sending and receiving (listening for) messages between the content scripts, background pages and web applications." The researcher behind the paper focused on a specific class of web extension called "WebExtensions API," a cross-browser extensions system compatible with major browsers including Chrome, Firefox, Opera and Microsoft Edge. After analyzing 78,315 extensions that used the specific WebExtension API, it found 3,996 that were suspicious. While it seems voluminous, they noted that research found a small number of vulnerable extensions overall, and that concern should be measured. However, "browser vendors need to review extensions more rigorously, in particular take into consideration the use of message passing interfaces in extensions."

Twitter CEO Jack Dorsey Says Biometrics May Defeat Bots

Wed, 01/23/2019 - 15:10
Trailrunner7 shares a report from Duo Security: From the beginning, Twitter's creators made the decision not to require real names on the service. It's a policy that's descended from older chat services, message boards and Usenet newsgroups and was designed to allow users to express themselves freely. Free expression is certainly one of the things that happens on Twitter, but that policy has had a number of unintended consequences, too. The service is flooded with bots, automated accounts that are deployed by a number of different types of users, some legitimate, others not so much. Many companies and organizations use automation in their Twitter accounts, especially for customer service. But a wide variety of malicious actors use bots, too, for a lot of different purposes. Governments have used bots to spread disinformation for influence campaigns, cybercrime groups employ bots as part of the command-and-control infrastructure for botnets, and bots are an integral part of the cryptocurrency scam ecosystem. This has been a problem for years on Twitter, but only became a national and international issue after the 2016 presidential election. Twitter CEO Jack Dorsey said this week that he sees potential in biometric authentication as a way to help combat manipulation and increase trust on the platform. "If we can utilize technologies like Face ID or Touch ID or some of the biometric things that we find on our devices today to verify that this is a real person, then we can start labeling that and give people more context for what they're interacting with and ideally that adds some more credibility to the equation. It is something we need to fix. We haven't had strong technology solutions in the past, but that's definitely changing with these supercomputers we have in our pockets now," Dorsey said. Jordan Wright, an R&D engineer at Duo Labs writes: "I think it's a step in the right direction in terms of making general authentication usable, depending on how it's implemented. But I'm not sure how much it will help the bot/automation issue. There will almost certainly need to be a fallback authentication method for users without an iOS device. Bot owners who want to do standard authentication will use whichever method is easiest for them, so if a password-based flow is still offered, they'd likely default to that." "The fallback is the tricky bit. If one exists, then Touch ID/Face ID might be helpful in identifying that there is a human behind an account, but not necessarily the reverse -- that a given account is not human because it doesn't use Touch ID," Wright adds.

France Will Hack Its Enemies Back, Its Defense Secretary Says

Wed, 01/23/2019 - 12:25
France's defence secretary Florence Parly had a declaration to make this week: "Cyber war has begun." And she said the Euro nation's military will use its "cyber arms as all other traditional weapons... to respond and attack," as well as setting up a military bug bounty program. From a report: Parly made her pledges during a speech to the Forum International de Cybersecurite (FIC) in the northern French town of Lille. Her speech was on a topic that most Western countries shy away from addressing directly in public. "The cyber weapon is not only for our enemies," said France's defence secretary this afternoon, speaking through a translator. "No. It's also, in France, a tool to defend ourselves. To respond and attack." Her remarks will be seen as moving the debate about offensive cyber capabilities -- not just so-called "active defence" but using infosec techniques as another weapon in the arsenal of state-on-state warfare -- to a new level.

New Ransomware Strain is Locking Up Bitcoin Mining Rigs in China

Wed, 01/23/2019 - 09:30
A new strain of ransomware has been observed targeting Bitcoin mining rigs. ZDNet reports: At the time of writing, most of the infections have been reported in China, the country where most of the world's cryptocurrency mining farms are located. Named hAnt, this new ransomware strain was first seen in August of last year, but a new wave of infections has been reported hitting mining farms earlier this month. Most of the infected mining rigs are Antminer S9 and T9 devices, used for Bitcoin mining, but there have also been reports of hAnt infecting Antminer L3 rigs, used for mining Litecoin. In rare instances, Avalon Miner equipment (used for Bitcoin), were also reported as infected, but in much smaller numbers.

More Than Half of PC Applications Installed Worldwide Are Out-of-Date

Wed, 01/23/2019 - 06:00
Avast's PC Trends Report 2019 found [PDF] that users are making themselves vulnerable by not implementing security patches and keeping outdated versions of popular applications on their PCs. From a news report: The applications where updates are most frequently neglected include Adobe Shockwave (96%), VLC Media Player (94%) and Skype (94%). The report, which uses anonymized and aggregated data from 163 million devices across the globe, also found that Windows 10 is now installed on 40% of all PCs globally, which is fast approaching the 43% share held by Windows 7. However, 15% of all Windows 7 users and 9% of all Windows 10 users worldwide are running older and no longer supported versions of their product, for example, the Windows 7 Release to Manufacturing version from 2009 or the Windows 10 Spring Creators Update from early 2017.

DHS Issues Security Alert About Recent DNS Hijacking Attacks

Tue, 01/22/2019 - 18:20
The U.S. Department of Homeland Security has published today an "emergency directive" that contains guidance in regards to a recent report detailing a wave of DNS hijacking incidents perpetrated out of Iran. ZDNet reports: The emergency directive [1, 2] orders government agencies to audit DNS records for unauthorized edits, change passwords, and enable multi-factor authentication for all accounts through which DNS records can be managed. The DHS documents also urges government IT personnel to monitor Certificate Transparency (CT) logs for newly-issued TLS certificates that have been issued for government domains, but which have not been requested by government workers. The emergency directive comes after last week, the DHS issued an alert about ongoing DNS hijacking attacks through its US-CERT division. The DHS US-CERT alert was based on a report published last week by U.S. cyber-security firm FireEye. The now infamous report detailed a coordinated hacking campaign during which a cyber-espionage group believed to operate out of Iran had manipulated DNS records for the domains of private companies and government agencies. The purpose of these DNS hijacks was to redirect web traffic meant for companies and agencies' internal email servers towards malicious clones, where the Iranian hackers would record login credentials.

Google Proposes Changes To Chromium Browser That Will Break Content-Blocking Extensions, Including Various Ad Blockers

Tue, 01/22/2019 - 17:00
"Google engineers have proposed changes to the open-source Chromium browser that will break content-blocking extensions, including various ad blockers," reports The Register. "The drafted changes will also limit the capabilities available to extension developers, ostensibly for the sake of speed and safety. Chromium forms the central core of Google Chrome, and, soon, Microsoft Edge." From the report: In a note posted Tuesday to the Chromium bug tracker, Raymond Hill, the developer behind uBlock Origin and uMatrix, said the changes contemplated by the Manifest v3 proposal will ruin his ad and content blocking extensions, and take control of content away from users. Manifest v3 refers to the specification for browser extension manifest files, which enumerate the resources and capabilities available to browser extensions. Google's stated rationale for making the proposed changes is to improve security, privacy and performance, and supposedly to enhance user control. But one way Google would like to achieve these goals involves replacing the webRequest API with a new one, declarativeNetRequest. The webRequest API allows extensions to intercept network requests, so they can be blocked, modified, or redirected. This can cause delays in web page loading because Chrome has to wait for the extension. In the future, webRequest will only be able to read network requests, not modify them. The declarativeNetRequest allows Chrome (rather than the extension itself) to decide how to handle network requests, thereby removing a possible source of bottlenecks and a potentially useful mechanism for changing browser behavior. The report notes that Adblock Plus "should still be available" since "Google and other internet advertising networks apparently pay Adblock Plus to whitelist their online adverts."

Apple's Security Expert Joined the ACLU To Tackle 'Authoritarian Fever'

Tue, 01/22/2019 - 16:20
An anonymous reader quotes a report from Motherboard: Apple security expert Jon Callas, who helped build protection for billions of computers and smartphones against criminal hackers and government surveillance, is now taking on government and corporate spying in the policy realm. Jon Callas is an elder statesman in the world of computer security and cryptography. He's been a vanguard in developing security for mobile communications and email as chief technology officer and co-founder of PGP Corporation -- which created Pretty Good Privacy, the first widely available commercial encryption software -- and serving the same roles at Silent Circle and Blackphone, touted as the world's most secure Android phone. As a security architect and analyst for Apple computers -- he served three stints with the tech giant in 1995-1997, 2009-2011, and 2016-2018 -- he has played an integral role in helping to develop and assess security for the Mac and iOS operating systems and various components before their release to the public. His last stretch there as manager of a Red Team (red teams hack systems to expose and fix their vulnerabilities) began just after the FBI tried to force the tech giant to undermine security it had spent years developing for its phones to break into an iPhone belonging to one of the San Bernardino shooters. But after realizing there's a limit to the privacy and surveillance issues technology companies can address, Callas decided to tackle the issues from the policy side, accepting a two-year position as senior technology fellow for the American Civil Liberties Union. Callas spoke to Motherboard about government backdoors, the need for tech expertise in policymaking, and what he considers the biggest challenge for the security industry.

Slashdot Asks: Which Mobile Payment Service Is Best For You?

Tue, 01/22/2019 - 15:40
Everyone has a smartphone these days, therefore everyone should have access to at least one mobile payment service -- Apple Pay, Google Pay, or Samsung Pay. Personally, I've only used Apple Pay a handful of times because the vast majority of stores I visit don't support it. For me, the biggest problem with mobile payment services like Apple Pay and Google Pay isn't the potential security concerns or inconveniences (having to pull my phone out of my pocket or requiring the merchant to pull out an NFC reader while in a drive-thru) -- it's the lack of compatibility. I want to be able to leave my wallet at home and do all of my shopping with my phone, which is not possible due to the lack of support at most retailers. With that said, the support is improving. Today, Apple announced that Apple Pay is now available at 74 of the top 100 U.S. retailers. Quartz reports: Today (Jan. 22), Apple announced that it has also signed up Taco Bell and Target -- two years ago, Target said it had no plans to adopt Apple Pay -- meaning that 74 of the top 100 U.S. retailers by revenue now accept Apple's digital payment. The company added pharmacy chain CVS, along with 7-Eleven, late last year. They joined other major US retailers that include Best Buy, Starbucks, McDonald's, Walgreens, Costco, and Kohl's. (Some of the biggest holdouts: Walmart and Home Depot.) Do you use mobile payment services? Which service(s) do you use and why?

Apple Releases macOS 10.14.3, iOS 12.1.3, watchOS 5.1.3, and tvOS 12.1.2

Tue, 01/22/2019 - 12:22
Apple today pushed software updates for a range of its computing platforms. They are all minor releases that simply offer a few bug fixes and security updates, with no new features -- and there are no new features in any of the beta releases for these versions of the operating systems, either. From a report: iOS 12.1.3 fixes a scrolling bug in Messages, an iPad Pro-specific audio bug, and a graphical error in some photos, and it addresses some CarPlay disconnects experienced by owners of the three new iPhone models released in late 2018. It also fixes two minor bugs related to the company's HomePod smart speaker.

Ubuntu Core 18 Released for IoT devices

Tue, 01/22/2019 - 07:30
Canonical today announced the release of Ubuntu Core 18 "for secure, reliable IoT devices." The Canonical blog notes that "Immutable, digitally signed snaps ensure that devices built with Ubuntu Core are resistant to corruption or tampering. Any component can be verified at any time." In addition, "The attack surface of Ubuntu Core has been minimized, with very few packages installed in the base OS, reducing the size and frequency of security updates and providing more storage for applications and data." Ubuntu Core also "enables a new class of app-centric things, which can inherit apps from the broader Ubuntu and Snapcraft ecosystems or build unique and exclusive applications that are specific to a brand or model." You can download it from here.

New Phobos Ransomware Exploits Weak Security To Hit Targets Around the World

Mon, 01/21/2019 - 16:20
An anonymous reader quotes a report from ZDNet: A prolific cybercrime gang behind a series of ransomware attacks is distributing a new form of the file-encrypting malware which combines two well known and successful variants in a series of attacks against businesses around the world. Dubbed Phobos by its creators, the ransomware first emerged in December and researchers at CoveWare have detailed how it shares a number of similarities with Dharma ransomware. Like Dharma, Phobos exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack, encrypting files and demands a ransom to be paid in bitcoin for returning the files, which in this case are locked with a .phobos extension. The demand is made in a ransom note -- and aside from 'Phobos' logos being added to the ransom note, it's exactly the same as the note used by Dharma, with the same typeface and text use throughout. Phobos is being distributed by the gang behind Dharma and likely serves as an insurance policy for malicious campaigns, providing attackers with a second option for conducting attacks, should Dharma end up decrypted or prevented from successfully extorting ransoms from victims.

We'll Likely See a Rise in Internet Blackouts in 2019

Mon, 01/21/2019 - 12:11
We'll likely see a rise in internet blackouts in 2019, for two reasons: countries deliberately "turning off" the internet within their borders, and hackers disrupting segments of the internet with distributed denial-of-service (DDoS) attacks. Above all, both will force policymakers everywhere to reckon with the fact that the internet itself is increasingly becoming centralized -- and therefore increasingly vulnerable to manipulation, making everyone less safe. From a report: The first method -- states deliberately severing internet connections within their country -- has an important history. In 2004, the Maldivian government caused an internet blackout when citizens protested the president; Nepal similarly caused a blackout shortly thereafter. In 2007, the Burmese government apparently damaged an underwater internet cable in order to "staunch the flow of pictures and messages from protesters reaching the outside world." In 2011, Egypt cut most internet and cell services within its borders as the government attempted to quell protests against then-President Hosni Mubarak; Libya then did the same after its own unrest. In 2014, Syria had a major internet outage amid its civil war. In 2018, Mauritania was taken entirely offline for two days when undersea submarine internet cables were cut, around the same time as the Sierra Leone government may have imposed an internet blackout in the same region. When we think about terms like "cyberspace" and "internet," it can be tempting to associate them with vague notions of a digital world we can't touch. And while this is perhaps useful in some contexts, this line of thinking forgets the very real wires, servers, and other hardware that form the architecture of the internet. If these physical elements cease to function, from a cut wire to a storm-damaged server farm, the internet, too, is affected. More than that, if a single entity controls -- or can at least access -- that hardware for a region or even an entire country, government-caused internet blackouts are a tempting method of censorship and social control.

Online Casino Group Leaks Information on 108 Million Bets, Including User Details

Mon, 01/21/2019 - 09:31
An online casino group has leaked information on over 108 million bets, including details about customers' personal information, deposits, and withdrawals, ZDNet has learned. From the report: The data leaked from an ElasticSearch server that was left exposed online without a password, Justin Paine, the security researcher who discovered the server, told ZDNet. ElasticSearch is a portable, high-grade search engine that companies install to improve their web apps' data indexing and search capabilities. Last week, Paine came across one such ElasticSearch instance that had been left unsecured online with no authentication to protect its sensitive content. From a first look, it was clear to Paine that the server contained data from an online betting portal. [...] After an analysis of the URLs spotted in the server's data, Paine and ZDNet concluded that all domains were running online casinos where users could place bets on classic cards and slot games, but also other non-standard betting games. Some of the domains that Paine spotted in the leaky server included kahunacasino.com, azur-casino.com, easybet.com, and viproomcasino.net, just to name a few.

Bug Bounties Aren't Silver Bullet for Better Security

Sun, 01/20/2019 - 21:30
Many organizations may find they're better off hiring pen testers and in-house security researchers directly than running bug bounty programs, according to new MIT research. From a report: The New Solutions for Cybersecurity paper features a surprising analysis of bug bounty programs in the chapter, Fixing a Hole: The Labor Market for Bugs. It studied 61 HackerOne bounty programs over 23 months -- including those run for Twitter, Coinbase, Square and other big names -- and one Facebook program over 45 months. It claimed that, contrary to industry hype, organizations running these programs don't benefit from a large pool of white hats probing their products. Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western standards.