Slashdot security articles

Syndicate content Slashdot: Generated for TarPitt (217247)
News for nerds, stuff that matters: Generated for TarPitt (217247)
Updated: 22 hours 45 min ago

Google Chrome Impacted By New Magellan 2.0 Vulnerabilities

Tue, 12/24/2019 - 19:30
An anonymous reader quotes a report from ZDNet: A new set of SQLite vulnerabilities can allow attackers to remotely run malicious code inside Google Chrome, the world's most popular web browser. The vulnerabilities, five, in total, are named "Magellan 2.0," and were disclosed today by the Tencent Blade security team. All apps that use an SQLite database are vulnerable to Magellan 2.0; however, the danger of "remote exploitation" is smaller than the one in Chrome, where a feature called the WebSQL API exposes Chrome users to remote attacks, by default. Just like the original Magellan vulnerabilities, these new variations are caused by improper input validation in SQL commands the SQLite database receives from a third-party. An attacker can craft an SQL operation that contains malicious code. When the SQLite database engine reads this SQLite operation, it can perform commands on behalf of the attacker. In a security advisory published today, the Tencent Blade team says the Magellan 2.0 flaws can lead to "remote code execution, leaking program memory or causing program crashes." All apps that use an SQLite database to store data are vulnerable, although, the vector for "remote attacks over the internet" is not exploitable by default. To be exploitable, the app must allow direct input of raw SQL commands, something that very few apps allow. Thankfully, Google patched all five Magellan 2.0 vulnerabilities in Google Chrome 79.0.3945.79, released two weeks ago. The SQLite project also fixed the bugs in a series of patches on December 13, 2019; however, these fixes have not been included in a stable SQLite branch -- which remains v3.30.1, released on December 10.

A Twitter App Bug Was Used To Match 17 Million Phone Numbers To User Accounts

Tue, 12/24/2019 - 14:00
Security researcher Ibrahim Balic said he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter's Android app. TechCrunch reports: Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter's contacts upload feature. "If you upload your phone number, it fetches user data in return," he told TechCrunch. He said Twitter's contact upload feature doesn't accept lists of phone numbers in sequential format -- likely as a way to prevent this kind of matching. Instead, he generated more than two billion phone numbers, one after the other, then randomized the numbers, and uploaded them to Twitter through the Android app. (Balic said the bug did not exist in the web-based upload feature.) Over a two-month period, Balic said he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, he said, but stopped after Twitter blocked the effort on December 20. Balic provided TechCrunch with a sample of the phone numbers he matched. Using the site's password reset feature, we verified his findings by comparing a random selection of usernames with the phone numbers that were provided. While he did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users -- including politicians and officials -- to a WhatsApp group in an effort to warn users directly. A Twitter spokesperson told TechCrunch the company was working to "ensure this bug cannot be exploited again." "Upon learning of this bug, we suspended the accounts used to inappropriately access people's personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter's APIs," the spokesperson said.

Why the Wikimedia Foundation Has Not Signed on To the Contract for the Web

Tue, 12/24/2019 - 10:21
In November 2019, Tim Berners-Lee and the Web Foundation launched the Contract for the Web, a set of rules designed to address the challenges facing digital communication and participation -- from threats to online privacy and security to connectivity and digital inclusion. The multi-stakeholder effort outlines nine principles for governments, companies and citizens designed to safeguard the future of the Web. The Wikimedia Foundation has not yet signed on to the Contract and it has offered an explanation. From a blog post: The Wikimedia Foundation participated in the Core Group and the Working Group on Principle 6, "Developing technologies that support the best in humanity and challenge the worst," which aims to support positive technology that puts people first. The Contract aligns with our goal to foster a web where everyone can find and access knowledge freely. We deeply support the principles of the Contract for the Web. At Wikimedia, we are committed to fostering a digital information sphere that is accessible for everyone, that offers strong privacy protections, that supports free expression and open collaboration, and safeguards the web from bad actors that seek to monopolize and use it for harm. All of these principles align closely with the commitments underlined in the Contract for the Web. We chose not to sign the Contract at this time because we still have open questions about how the Contract will be implemented to maximize its impact. In particular, we are exploring how each signatory will be held accountable to these commitments. We are especially interested in seeing concrete steps towards enforcement mechanisms that ensure big technology companies that endorse the Contract will change their attitudes and current practices that violate the principles in the Contract. The world's biggest challenges, from the global climate crisis to disinformation online, can only be solved if we work together and ensure that everyone is doing their part. Active reporting, transparency, and clear indicators for progress are critical to ensuring the implementation of the Contract for the Web. However, it will take clear, direct, and enforceable systems to ensure we're all contributing to a better internet for everyone.

Do You Protect Your iPhone? It's a Case Study That Divides Americans.

Tue, 12/24/2019 - 08:10
As smartphones balloon in price, some pushing past $1,000, there is a debate between case haves and case have-nots. One side says it makes absolutely no sense to ferry such expensive gadgets unprotected -- especially one vital to modern living. From a report: Phone-case holdouts say their nervous pals are delusional, clinging to their bulky silicon prophylactics like a security blanket. Cases cause carelessness, they say, leading to phones dropped, slammed and stepped-on. Having no protective case "makes me pay attention," says Drew Davidson, director of Carnegie Mellon University's Entertainment Technology Center. "I have friends that break every phone even though they have cases."

Malware Broker Behind US Hacks is Now Teaching Computer Skills in China

Tue, 12/24/2019 - 07:30
A Chinese malware broker who was sentenced in the United States this year for dealing in malicious software linked to major hacks is back at his old workplace: teaching high-school computer courses, including one on internet security. From a report: Yu Pingan, who spent 18 months in a San Diego federal detention center, had pleaded guilty to conspiracy to commit computer hacking. A high school instructor, he had been arrested at Los Angeles International Airport in August 2017 upon arriving with a group of teachers to observe a U.S. university. A Reuters reporter found him teaching at his old school here last month. Yu was sentenced by a federal judge in February to time served and allowed to return to China. The victims of the hacking conspiracy included microchip supplier Qualcomm, aerospace and defense firm Pacific Scientific Energetic Materials Co, and gaming company Riot Games, according to the judgment. Exactly what was stolen in the computer breaches wasn't disclosed in public court filings.

A 22-Year-Old Was Convicted For Attempting To Blackmail Apple For $100,000 In iTunes Gift Cards

Tue, 12/24/2019 - 05:00
An anonymous reader quotes a report from Gizmodo: A 22-year-old boss backed by a gangster cabal of "internet buddies" has been thwarted and convicted in their attempt to blackmail Apple, the UK's National Crime Agency reports. In 2017, London-based Kerem Albayrak made Apple an offer they couldn't refuse: deliver $100,000 in iTunes gift cards or $75,000 in cryptocurrency or kiss 319 million iCloud accounts goodbye. On Friday, a court sentenced him to a two year suspended jail term. On March 12th, 2017, Albayrak, don of hacker syndicate the "Turkish Crime Family," sent Apple Security and several media outlets a YouTube video showing him apparently logging in to two victims' iCloud accounts. The NCA reports that Albayrak had threatened to factory reset the accounts and sell the database vis-a-vis his "internet buddies," boasting to outlets that he'd had access to 300 million accounts (a figure which was later increased to 559 million). They gave Apple until April 7th to fill their demands, Apple Insider has reported. One week and zero gift cards later, they upped their demands and reportedly sent ZDNet a set of 54 sample accounts. ZDNet confirmed their authenticity, though the plot thickened: at least one account had been compromised years prior. Apple and UK authorities ultimately found that the Turkish Crime Family had not, in fact, successfully compromised the network, and concluded that the data came from an unrelated breach of largely defunct third-party services. Albayrak pleaded guilty to one count of blackmail and two counts of unauthorized acts with intent to impair the operation of or prevent/hinder access to a computer. He was handed a two year suspended jail term, 300 hours of unpaid labor, and six months of "electronic curfew" (an ankle bracelet).

No, Spotify, You Shouldn't Have Sent Mysterious USB Drives To Journalists

Mon, 12/23/2019 - 12:10
Zack Whittaker, writing for TechCrunch: Last week, Spotify sent a number of USB drives to reporters with a note: "Play me." It's not uncommon for reporters to receive USB drives in the post. Companies distribute USB drives all the time, including at tech conferences, often containing promotional materials or large files, such as videos that would otherwise be difficult to get into as many hands as possible. But anyone with basic security training under their hat will know to never plug in a USB drive without taking some precautions first. Concerned but undeterred, we safely examined the contents of the drive using a disposable version of Ubuntu Linux (using a live CD) on a spare computer. We examined the drive and found it was benign. On the drive was a single audio file. "This is Alex Goldman, and you've just been hacked," the file played. The drive was just a promotion for a new Spotify podcast. Because of course it was. Jake Williams, a former NSA hacker and founder of Rendition Infosec, called the move "amazingly tone deaf" to encourage reporters into plugging in the drives to their computers.

Chinese Hacker Group Caught Bypassing 2FA

Mon, 12/23/2019 - 09:30
Security researchers say they found evidence that a Chinese government-linked hacking group has been bypassing two-factor authentication (2FA) in a recent wave of attacks. From a report: The attacks have been attributed to a group the cyber-security industry is tracking as APT20, believed to operate on the behest of the Beijing government, Dutch cyber-security firm Fox-IT said in a report published last week. The group's primary targets were government entities and managed service providers (MSPs). The government entities and MSPs were active in fields like aviation, healthcare, finance, insurance, energy, and even something as niche as gambling and physical locks. The Fox-IT report comes to fill in a gap in the group's history. APT20's hacking goes back to 2011, but researchers lost track of the group's operations in 2016-2017, when they changed their mode of operation. Fox-IT's report documents what the group has been doing over the past two years and how they've been doing it. According to researchers, the hackers used web servers as the initial point of entry into a target's systems, with a particular focus on JBoss, an enterprise application platform often found in large corporate and government networks.

Popular Messaging App ToTok Reportedly an Emirati Spy Tool

Mon, 12/23/2019 - 07:30
A popular messaging app billed as a secure way to chat with friends and family is actually a spying tool used by the United Arab Emirates to track the activities of those who download it, The New York Times reported Sunday. From a report: The app, which debuted only a few months ago, has been downloaded millions of times around the world. The app is a mass surveillance tool, The Times reported, capable of monitoring every conversation, movement, relationship, appointment, sound and image of its users. The majority of the app's users are in the Emirates but recently surged in popularity in the US. An analysis and interviews with computer security experts suggest the company behind ToTok, Breej Holding, is a front for DarkMatter, an Abu Dhabi-based cyberintelligence and hacking firm that employs Emirati intelligence officials, former National Security Agency employees and former Israeli military intelligence operatives, The Times reported. The app was recently removed from the Apple and Google app stores, but it's still functional until users delete it from their device.

Are 'Advanced Driver Assistance Systems' Making Us Worse Drivers?

Sun, 12/22/2019 - 04:34
An anonymous reader quotes ZDNet: Advanced driver assistance systems are becoming on the norm even on midlevel cars. For safety advocates that seems like good news: Systems designed to prevent crashes should, after all, result in fewer crashes. But what if that thinking is flawed? A new report from AAA suggests that might be the case and that our increasing use of driver assistance systems may actually be resulting in higher rates of distracted driving. "This study drives home that engaged drivers are the key to staying safe," says Stefan Heck, CEO of Nauto, which makes driver monitoring technology... "Distracted driving is surging as the next major health epidemic, the top cause of fatal and injury collisions. It's imperative that automakers embed technology that doesn't lull drivers into a false sense of security -- -and instead keeps them focused on the road no matter what...." Data from one of these studies indicates that the simultaneous use of advanced driver assistance systems was associated with a 50% increase in the odds of engaging in any form of secondary task and an 80% increase in the odds of engaging in visual and/or manual secondary tasks, compared to the same drivers who were not using the automated system. In the other study, speeding related errors were present 19% of the time when driver assistance systems were in use, a higher rate than when driver assistance was available but turned off. In the same study, drowsy driving was present more often when driver assistance systems were active (5.4% of the time versus 3.4% when no system was active), indicating a possible detrimental effect of automation use associated with driver alertness.

'We Tested Ring's Security. It's Awful'

Sat, 12/21/2019 - 15:34
"Ring lacks basic security features, making it easy for hackers to turn the company's cameras against its customers," reports Motherboard: Ring is not offering basic security precautions, such as double-checking whether someone logging in from an unknown IP address is the legitimate user, or providing a way to see how many users are currently logged in -- entirely common security measures across a wealth of online services... Ring doesn't appear to check a user's chosen password against known compromised user credentials. Although not a widespread practice, more online services are starting to include features that will alert a user if they're using an already compromised password.... Motherboard deliberately entered the wrong password to our account on the login portal while connecting from the Tor anonymity network dozens of times in quick succession. At no point did Ring try to limit our login attempts or present a captcha.... Ring does offer two-factor authentication, where a user is required to enter a second code sent to them as well as their password, but Ring does not force customers to use it. Motherboard verified that Ring's two-factor authentication does work as advertised, but multiple people who were logged into the app didn't have to log back in after it was enabled -- Ring didn't eject them nor ask them to enter a two-factor token... From a smartphone app, someone who is logged in can watch live and historical footage, listen through the camera's microphone, speak through the camera's speaker, play an alarm, see the name of the specific Wi-Fi network the camera is connected to, see the address the user originally registered the Ring camera with, see the phone number a user has entered into the app, and see nearby crime "incidents." This shows the specific, user-selected home address plotted on a map. Ring requires that a user input a home address to set up the camera.

The U.S. Navy Bans TikTok from Government-Issued Mobile Devices

Sat, 12/21/2019 - 14:34
An anonymous reader quotes Reuters: Earlier this week the United States Navy banned the social media app TikTok from government-issued mobile devices, saying the popular short video app represented a "cybersecurity threat." A bulletin issued by the Navy on Tuesday showed up on a Facebook page serving military members, saying users of government issued mobile devices who had TikTok and did not remove the app would be blocked from the Navy Marine Corps Intranet. The Navy would not describe in detail what dangers the app presents, but Pentagon spokesman Lieutenant Colonel Uriah Orland said in a statement the order was part of an effort to "address existing and emerging threats...." The U.S. government has opened a national security review of the app's owner Beijing ByteDance Technology Co's $1 billion acquisition of U.S. social media app Musical.ly, Reuters first reported last month. Last month, U.S army cadets were instructed not to use TikTok, after Senator Chuck Schumer raised security concerns about the army using TikTok in their recruiting.

Many Security-Critical Military Systems Are Now Using Linux

Sat, 12/21/2019 - 11:34
b-dayyy shared this article from Linux Security: The United States government's respect for and acceptance of open-source development has steadily grown stronger over the past decade, and the U.S. government is increasingly using open-source software as a way to roll out advanced, highly secure technology in an economical manner. On August 8, 2016, the White House CIO released a Federal Source Code Policy that calls for new software to be built, shared, and adapted using open-source methods to capitalize on code that is "secure, reliable, and effective in furthering our national objectives." The United States Department of Defense recognizes the key benefits associated with open-source development and trusts Linux as its operating system. In fact, the U.S. Army is the single largest installed base for Red Hat Linux and the U.S. Navy nuclear submarine fleet runs on Linux, including their sonar systems. Moreover, the Department of Defense just recently enlisted Red Hat, Inc., the world's largest provider of open-source solutions, to help improve squadron operations and flight training. In a comment on the original submission, long-time Slashdot reader bobs666 remembers setting up Minix 30 years ago "for running email for a part of the U.S. Army. It's too bad the stupid people made me stop working on the project." But the world may be changing. The article notes that Linux has now already been certified to meet the three different security certifications required by the United States Department of Defense.

President Trump Officially Adds a New Branch to the U.S. Military: Space Force

Sat, 12/21/2019 - 07:34
The BBC reports: President Donald Trump has officially funded a Pentagon force focused on warfare in space -- the U.S. Space Force. The new military service, the first in more than 70 years, falls under the U.S. Air Force. The funding allocation was confirmed on Friday when the president signed the $738bn (£567bn) annual U.S. military budget. The launch of the Space Force will be funded by an initial $40m for its first year. Those figures indicate that Space Force will now receive $1 out of every $18,450 in the U.S. military budget -- or .0054 percent. Here's what that looks like as a pie chart. Newsweek's report includes the president's remarks at the signing ceremony: "That is something really incredible. It's a big moment. That's a big moment, and we're all here for it. Space. Going to be a lot of things happening in space." The president added: "Because space is the world's newest warfighting domain. Amid grave threats to our national security, American superiority in space is absolutely vital. And we're leading, but we're not leading by enough. But very shortly, we'll be leading by a lot." As noted by the BBC, the department's mission is not intended to blast troops into space, but will focus on protecting American assets like satellites from hostile attacks. The creation of the Space Force comes as China and Russia are increasingly focusing on the skies above, it noted. The Space Force website says responsibilities include "developing military space professionals, acquiring military space systems, maturing the military doctrine for space power." In response to the news, SpaceX CEO Elon Musk tweeted "Starfleet begins."

Wawa Announces Data Breach Potentially Affecting More Than 850 Stores

Fri, 12/20/2019 - 17:25
Wawa, a convenience store and gas station chain, notified customers Thursday of a data breach (Warning: source may be paywalled; alternative source) that collected debit and credit card information at potentially all of its more than 850 locations along the East Coast. It is now offering free credit monitoring and identity theft protection to those affected. The New York Times reports: Malware was discovered on Wawa payment processing servers on Dec. 10; it was blocked and contained by Dec. 12, the company said, adding that the malware no longer posed a risk to customers using cards to pay. Customer information including credit and debit card numbers, expiration dates and cardholder names on payment cards used in store and at fuel pumps was being collected as early as March 4, the company said. A.T.M.s inside stores were not affected. Debit card PINs, credit card security code numbers and driver's license information were also not part of the breach, the company said, adding that it was not aware of any unauthorized use of any payment card information because of the breach. After learning of the breach, Wawa initiated an investigation, notified law enforcement and payment card companies, the company said, adding that it had brought on board an external forensics firm for support. The company, which is based in Pennsylvania, established a dedicated call center to answer questions. "Today, I am very sorry to share with you that Wawa has experienced a data security incident," Chris Gheysens, Wawa's chief executive, said in a letter. Customers will not be responsible for any fraudulent charges on cards related to the data breach, he said. "I apologize deeply to all of you, our friends and neighbors, for this incident. You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa."

Over 267 Million Facebook Users Reportedly Had Data Exposed Online

Fri, 12/20/2019 - 11:25
More than 267 million Facebook users allegedly had their user IDs, phone numbers and names exposed online, according to a report from Comparitech and security researcher Bob Diachenko. From a report: That info was found in a database that could be accessed without a password or any other authentication, and the researchers believe it was gathered as part of an illegal scraping operation or Facebook API abuse. Dianchenko says he reported the database to the service provider managing the IP address of the server, but the database was exposed for nearly two weeks. In the meantime, he says, the data was posted as a download in a hacker forum. That's a lot of personal data to be floating around in the wild, and as Comparitech notes, it could be used to carry out phishing scams and other foul play.

Apple Opens Public Bug Bounty Program, Publishes Official Rules

Fri, 12/20/2019 - 06:47
Apple has formally opened its bug bounty program today to all security researchers, after announcing the move earlier this year in August at the Black Hat security conference in Las Vegas. From a report: Until today, Apple ran an invitation-based bug bounty program for selected security researchers only and was accepting only iOS security bugs. Starting today, the company will accept vulnerability reports for a much wider spectrum of products that also includes as iPadOS, macOS, tvOS, watchOS, and iCloud. In addition, the company has also increased its maximum bug bounty reward from $200,000 to $1,500,000, depending on the exploit chain's complexity and severity.

A Data Leak Exposed the Personal Info of Over 3,000 Ring Users

Thu, 12/19/2019 - 15:30
The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as "bedroom" or "front door." BuzzFeed News reports: Using the log-in email and password, an intruder could access a Ring customer's home address, telephone number, and payment information, including the kind of card they have, and its last four digits and security code. An intruder could also access live camera footage from all active Ring cameras associated with an account, as well as a 30- to 60-day video history, depending on the user's cloud storage plan. We don't know how this tranche of customer information was leaked. Ring denies any claims that the data was compromised as a part of a breach of Ring's systems. A Ring spokesperson declined to tell BuzzFeed News when it became aware of the leak or whether it affected a third party that Ring uses to provide its services. Security experts told BuzzFeed News that the format of the leaked data -- which includes username, password, camera name, and time zone in a standardized format -- suggests it was taken from a company database. They said data obtained via credential stuffing -- when previously-compromised emails and passwords are used to get access to other accounts -- would likely not display Ring-specific data like camera names or time zone. BuzzFeed News was alerted to the leak by a security researcher, who claimed he used a web crawler to search the internet for any data leaks pertaining to Ring accounts. The security researcher found the list of compromised credentials posted anonymously on a text storage site. "Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring's systems or network," a Ring spokesperson said. "It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services."

Facebook Won't Use 2FA Numbers To Suggest Friends Anymore

Thu, 12/19/2019 - 13:33
Facebook won't use the phone numbers some users give it for two-factor authentication for its "people you may know" feature. From a report: The social network says the move is "part of a wide-ranging overhaul of its privacy practices." It previously used phone numbers to serve ads too but says it stopped doing that in June. Two-factor authentication is a great way to reduce the risk of accounts being compromised, so giving users reasons to avoid using it is vile, even by Facebook's admittedly low standards. When news broke last year that Facebook was misusing phone numbers in that way it was met with appropriate opprobrium from the media and privacy advocates.

Worried About 5G's Health Effects? Don't Be

Thu, 12/19/2019 - 08:50
There are real concerns about the way 5G is being deployed in the US, including security issues, the potential to interfere with weather forecasting systems, and the FCC steamrolling local regulators in the name of accelerating the 5G rollout. But concerns over the potential health impacts of 5G are overblown. From a report: If you weren't worried about prior generations of cellular service causing cancer, 5G doesn't produce much new to worry about. And you probably didn't need to be worried before. Few 5G services will use higher frequencies in the near term, and there's little reason to think these frequencies are any more harmful than other types of electromagnetic radiation such as visible light. Most concerns about health impacts from 5G stem from millimeter-wave technology, high-frequency radio waves that are supposed to deliver much faster speeds. The catch is that millimeter-wave transmissions are far less reliable at long distances than transmissions using the lower frequencies that mobile carriers have traditionally used. To provide reliable, ubiquitous 5G service over millimeter-wave frequencies, carriers will need a larger number of smaller access points. That's led to two fears: That the effects of millimeter-wave signals might be more dangerous than traditional frequencies; and that the larger number of access points, some potentially much closer to people's homes, might expose people to more radiation than 4G services. But millimeter waves aren't the only, or even the main, way that carriers will deliver 5G service. T-Mobile offers the most widespread 5G service available today. But it uses a band of low frequencies originally used for broadcast television. Sprint, meanwhile, repurposed some of the "mid-band" spectrum it uses for 4G to provide 5G. Verizon and AT&T both offer millimeter-wave-based services, but they're only available in a handful of locations. The wireless industry is focused more on using mid- and low-band frequencies for 5G, because deploying a massive number of millimeter-wave access points will be time-consuming and expensive. In other words, 5G will continue using the same radio frequencies that have been used for decades for broadcast radio and television, satellite communications, mobile services, Wi-Fi, and Bluetooth.