Slashdot security articles


Popular WordPress Plugin WPML Hacked By Angry Former Employee

Sun, 01/20/2019 - 12:10
A very popular WordPress plugin was hacked over the weekend after a hacker defaced its website and sent a mass message to all its customers revealing the existence of supposed unpatched security holes. From a report: In a follow-up mass email, the plugin's developers blamed the hack on a former employee, who also defaced their website. The plugin in question is WPML (or WP MultiLingual), the most popular WordPress plugin for translating and serving WordPress sites in multiple languages. According to its website, WPML has over 600,000 paying customers and is one of the very few WordPress plugins that is so reputable that it doesn't need to advertise itself with a free version on the official WordPress.org plugins repository. But on Saturday, ET timezone, the plugin faced its first major security incident since its launch in 2007. The attacker, whom the WPML team claims is a former employee, sent out a mass email to all the plugin's customers.

Mark Zuckerberg's Mentor 'Shocked and Disappointed' -- But He Has a Plan

Sat, 01/19/2019 - 18:34
Early Facebook investor Roger McNamee published a scathing 3,000-word article adapted from his new book Zucked: Waking Up to the Facebook Catastrophe. Here's just one example of what's left him "shocked and disappointed": Facebook (along with Google and Twitter) has undercut the free press from two directions: it has eroded the economics of journalism and then overwhelmed it with disinformation. On Facebook, information and disinformation look the same; the only difference is that disinformation generates more revenue, so it gets better treatment.... At Facebook's scale -- or Google's -- there is no way to avoid influencing the lives of users and the future of nations. Recent history suggests that the threat to democracy is real. The efforts to date by Facebook, Google and Twitter to protect future elections may be sincere, but there is no reason to think they will do anything more than start a game of whack-a-mole with those who choose to interfere. Only fundamental changes to business models can reduce the risk to democracy. Google and Facebook "are artificially profitable because they do not pay for the damage they cause," McNamee argues, adding that some medical researchers "have raised alarms noting that we have allowed unsupervised psychological experiments on millions of people." But what's unique is he's offering specific suggestions to fix it. "I want to set limits on the markets in which monopoly-class players like Facebook, Google and Amazon can operate. The economy would benefit from breaking them up. A first step would be to prevent acquisitions, as well as cross subsidies and data sharing among products within each platform." "Another important regulatory opportunity is data portability, such that users can move everything of value from one platform to another. This would help enable startups to overcome an otherwise insurmountable barrier to adoption." 
"Given that social media is practically a public utility, I think it is worth considering more aggressive strategies, including government subsidies." "There need to be versions of Facebook News Feed and all search results that are free of manipulation." "I would like to address privacy with a new model of authentication for website access that permits websites to gather only the minimum amount of data required for each transaction.... it would store private data on the device, not in the cloud. Apple has embraced this model, offering its customers valuable privacy and security advantages over Android." "No one should be able to use a user's data in any way without explicit, prior consent. Third-party audits of algorithms, comparable to what exists now for financial statements, would create the transparency necessary to limit undesirable consequences." "There should be limits on what kind of data can be collected, such that users can limit data collection or choose privacy. This needs to be done immediately, before new products like Alexa and Google Home reach mass adoption."

Venezuela's Government Blocks Access To Wikipedia

Sat, 01/19/2019 - 14:34
Haaretz (with contributions from Reuters and the Associated Press) reports: According to NetBlocks, a digital rights group that tracks restrictions to the internet, as of 12 January, Venezuela's largest telecommunications provider CANTV has prevented access to Wikipedia in all languages. The internet observatory told Haaretz the ban was discovered by attempting "to access Wikipedia and other services 60,000 times from 150 different points in the country using multiple providers." Roughly 16 million people have access to the internet in the South American country ravaged by poverty and now facing a political crisis as leader Nicolas Maduro attempts to cling to power following a highly contested re-election last year. Wikipedia receives on average 60 million views from the country every month. According to NetBlocks, the ban was likely imposed after a Wikipedia article listed newly-appointed National Assembly president Juan Guaidó as "president number 51 of the Bolivarian Republic of Venezuela," ousting Maduro from his presidential status on Wikipedia... Alp Toker, the head of NetBlocks, explained to Haaretz that the block followed a string of controversial edits on the Spanish-language article for Guaidó as well as other related articles. Long-time Slashdot reader williamyf identifies himself as "a Venezuelan in Venezuela." He reports that "The method used seems to be to intercept the SSL handshake and not a simple DNS block," adding "the situation is developing." In May of last year the government declared a "state of emergency" that authorized the government to police the internet and filter content, rights activists reported Monday. They added that now Venezuela's new leaders plan to introduce legislation requiring messaging service providers to censor content, and implementing other so-called "content security" measures.

Is US Surveillance Technology Propping Up Authoritarian Regimes?

Sat, 01/19/2019 - 13:34
A senior policy analyst from a non-partisan national security think tank -- and one of their cybersecurity policy fellows -- sound a dire warning in an op-ed shared by Slashdot reader schwit1: From facial recognition software to GPS trackers to computer hacking tools to systems that monitor and redirect flows of Internet traffic, contemporary surveillance technologies enable "high levels of social control at a reasonable cost," as Nicholas Wright puts it in Foreign Affairs. But these technologies don't just aid and enable what Wright and other policy analysts have called "digital authoritarianism." They also promote a sovereign and controlled model of the Internet, one characterized by frequent censorship, pervasive surveillance and tight control by the state. The United States could be a world leader in preventing the spread of this Internet model, but to do so, we must reevaluate the role U.S. companies play in contributing to it.... On one hand, the United States cares deeply about protecting a global and open Internet... On the other hand, American companies are selling surveillance technology that undermines this mission -- contributing to the broader spread of digital authoritarianism that the United States claims to fight. (This also implicates allies such as Britain, whose companies have also sold surveillance technology to oppressive regimes.) We won't be able to allay this situation until the United States updates its approach to exporting surveillance technology. Of course, this must be done carefully. But digital authoritarianism is spreading, and U.S. companies need to stop helping it.

Firmware Vulnerability In Popular Wi-Fi Chipset Affects Laptops, Smartphones, Routers, Gaming Devices

Fri, 01/18/2019 - 18:03
Embedi security researcher Denis Selianin has discovered a vulnerability affecting the firmware of a popular Wi-Fi chipset deployed in a wide range of devices, such as laptops, smartphones, gaming rigs, routers, and Internet of Things (IoT) devices. According to Selianin, the vulnerability impacts ThreadX, a real-time operating system that is used as firmware for billions of devices. ZDNet reports: In a report published today, Selianin described how someone could exploit the ThreadX firmware installed on a Marvell Avastar 88W8897 wireless chipset to execute malicious code without any user interaction. The researcher chose this WiFi SoC (system-on-a-chip) because this is one of the most popular WiFi chipsets on the market, being deployed with devices such as Sony PlayStation 4, Xbox One, Microsoft Surface laptops, Samsung Chromebooks, Samsung Galaxy J1 smartphones, and Valve SteamLink cast devices, just to name a few. "I've managed to identify ~4 total memory corruption issues in some parts of the firmware," said Selianin. "One of the discovered vulnerabilities was a special case of ThreadX block pool overflow. This vulnerability can be triggered without user interaction during the scanning for available networks." The researcher says the firmware function to scan for new WiFi networks launches automatically every five minutes, making exploitation trivial. All an attacker has to do is send malformed WiFi packets to any device with a Marvell Avastar WiFi chipset and wait until the function launches, to execute malicious code and take over the device. Selianin says he also "identified two methods of exploiting this technique, one that is specific to Marvell's own implementation of the ThreadX firmware, and one that is generic and can be applied to any ThreadX-based firmware, which, according to the ThreadX homepage, could impact as much as 6.2 billion devices," the report says. Patches are reportedly being worked on.

Microsoft Suggests Windows 10 Mobile Users Switch To iOS or Android As Support Winds Down

Fri, 01/18/2019 - 16:03
Windows 10 Mobile devices will be officially unsupported starting on December 10, 2019. As a result, Microsoft is recommending users move to an Android or iOS device instead. Mac Rumors reports: Microsoft made the recommendation in a Windows 10 Mobile support document (via Thurrott) explaining its plans to stop offering security updates and patches for Windows 10 Mobile: "With the Windows 10 Mobile OS end of support, we recommend that customers move to a supported Android or iOS device. Microsoft's mission statement to empower every person and every organization on the planet to achieve more, compels us to support our Mobile apps on those platforms and devices." All customers who have a Windows 10 Mobile device will be able to keep using it after December 10, 2019, but no further updates will be available.

Russian Hackers Allegedly Attempted To Breach the DNC After the 2018 Midterms

Fri, 01/18/2019 - 14:45
An anonymous reader quotes a report from Fortune: Russian hackers attempted to breach Democratic National Committee email addresses in a spear-phishing campaign just after the 2018 midterms, according to a DNC court document filed Thursday night. "The content of these emails and their timestamps were consistent with a spear-phishing campaign that leading cybersecurity experts have tied to Russian intelligence," reads the complaint. "Therefore, it is probable that Russian intelligence again attempted to unlawfully infiltrate DNC computers in November 2018." The complaint [...] said there is no evidence that the attempted hack in Nov. 2018 was successful. Spear-phishing campaigns involve sending emails that appear to be from a trusted source in order to gain confidential information. According to CNN, the emails in question appeared to have been sent from a State Department official and contained a PDF attachment that, if opened, would allow the hacker access to the recipient's computer. The timing and content of these emails were consistent with the practices of the Russian hacking group known as Cozy Bear, one of the two groups that hacked the DNC prior to the 2016 U.S. presidential election. According to the cybersecurity firm FireEye, Cozy Bear attempted to hack over 20 entities in Nov. 2018, including clients in local government, transportation, defense, law enforcement, and military.

The Government's Secret UFO Program Funded Research on Wormholes and Extra Dimensions

Fri, 01/18/2019 - 14:05
Documents released by the Department of Defense reveal some of what its infamous Advanced Aerospace Threat Identification Program was working on. From a report: The Department of Defense funded research on wormholes, invisibility cloaking, and "the manipulation of extra dimensions" under its shadowy Advanced Aerospace Threat Identification Program, first described in 2017 by the New York Times and the Washington Post. On Wednesday, the Defense Intelligence Agency released a list of 38 research titles pursued by the program in response to a Freedom of Information Act (FOIA) request by Steven Aftergood, director of the Federation of American Scientists' Project on Government Secrecy. The list provides one of the best looks at the Pentagon's covert UFO operation or study of "anomalous aerospace threats." According to Aftergood's FOIA request, the document marked "For Official Use Only" was sent to Congress in January 2018. One such research topic, "Traversable Wormholes, Stargates, and Negative Energy," was led by Eric W. Davis of EarthTech International Inc, which describes itself as a facility "exploring the forefront reaches of science and engineering," with an interest in theories of spacetime, studies of the quantum vacuum, and the search for extraterrestrial intelligence.

US Regulators Have Met To Discuss Imposing a Record-Setting Fine Against Facebook For Some of Its Privacy Violations: Report

Fri, 01/18/2019 - 12:00
U.S. regulators have met to discuss imposing a record-setting fine against Facebook for violating a legally binding agreement with the government to protect the privacy of its users' personal data, The Washington Post reported Friday [Editor's note: the link may be paywalled; alternative source], citing three people familiar with the deliberations. From the report: The fine under consideration at the Federal Trade Commission, a privacy and security watchdog that began probing Facebook last year, would mark the first major punishment levied against Facebook in the United States since reports emerged in March that Cambridge Analytica, a political consultancy, accessed personal information on about 87 million Facebook users without their knowledge. The penalty is expected to be much larger than the $22.5 million fine the agency imposed on Google in 2012. That fine set a record for the greatest penalty for violating an agreement with the FTC to improve its privacy practices.

That 773M Password 'Megabreach' is Years Old

Fri, 01/18/2019 - 06:06
Security reporter Brian Krebs writes: My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it "the largest collection ever of breached data found." But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old. The dump, labeled "Collection #1" and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely "made up of many different individual data breaches from literally thousands of different sources." KrebsOnSecurity sought perspective on this discovery from Alex Holden, CTO of Hold Security, a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. Holden said the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.

Google Play Malware Used Phones' Motion Sensors To Conceal Itself

Fri, 01/18/2019 - 05:00
An anonymous reader quotes a report from Ars Technica: Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection -- they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn't load on emulators researchers use to detect attacks. The thinking behind the monitoring is that sensors in real end-user devices will record motion as people use them. By contrast, emulators used by security researchers -- and possibly Google employees screening apps submitted to Play -- are less likely to use sensors. Two Google Play apps recently caught dropping the Anubis banking malware on infected devices would activate the payload only when motion was detected first. Otherwise, the trojan would remain dormant. Security firm Trend Micro found the motion-activated dropper in two apps -- BatterySaverMobi, which had about 5,000 downloads, and Currency Converter, which had an unknown number of downloads. Google removed them once it learned they were malicious. The motion detection wasn't the only clever feature of the malicious apps. Once one of the apps installed Anubis on a device, the dropper used requests and responses over Twitter and Telegram to locate the required command and control server. Once Anubis was installed, it used a built-in keylogger that can steal users' account credentials. The malware can also obtain credentials by taking screenshots of the infected users' screen.

Twitter Bug Exposed Some Android Users' Protected Tweets For Years

Thu, 01/17/2019 - 15:30
Twitter disclosed on its Help Center page today that some Android users had their private tweets revealed for years due to a security flaw. "The issue caused the Twitter for Android app to disable the 'Protect your Tweets' setting for some Android users who made changes to their account settings, such as changing the email address associated with their account, between November 3rd, 2014 and January 14th, 2019," reports The Verge. From the report: Though the company says the issue was fixed earlier this week and that iOS or web users weren't affected, it doesn't yet know how many Android accounts were affected. Twitter says it's reached out to affected users and turned the setting back on for them, but it still recommends that users review their privacy settings to make sure they reflect their desired preferences.

Oklahoma Government Data Leak Exposes FBI Investigation Records, Millions of Department Files

Thu, 01/17/2019 - 14:10
An anonymous reader quotes a report from ZDNet: Researchers have disclosed the existence of a server exposed to the public which not only contained terabytes of confidential government data but information relating to FBI investigations. According to UpGuard cybersecurity researchers Greg Pollock and Chris Vickery, the open storage server belonged to the Oklahoma Department of Securities (ODS), a U.S. government department which deals with securities cases and complaints. The database was found through the Shodan search engine which registered the system as publicly accessible on November 30, 2018. The UpGuard team stumbled across the database on December 7th and notified the department a day later after verifying what they were working with. To ODS' credit, the department removed public access to the server on the same day. In order to examine the security breach, the team was able to download the server's contents. The oldest records dated back to 1986 and the most recent was timestamped in 2016. In total, the server held three terabytes of information representing millions of files. Contents ranged from personal data to system credentials and internal communication records. ODS said in a statement to ZDNet: "All state IP addresses, and many city and county addresses, are registered to OMES, but the agency has no visibility into the computer systems at the Oklahoma Department of Securities. For the past eight years the state has been working to consolidate all IT infrastructure under OMES and ODS had the option to consolidate its systems voluntarily and they did not."

Some Android GPS Apps Are Just Showing Ads on Top of Google Maps

Thu, 01/17/2019 - 12:15
A security researcher with antivirus maker ESET has discovered a collection of 19 Android apps that pose as GPS applications but which don't do anything but show ads on top of the legitimate Google Maps service. From a report: "They attract potential users with fake screenshots stolen from legitimate Navigation apps," said Lukas Stefanko, the ESET researcher who found them, who pointed out the 19 apps have been downloaded more than 50 million times. The apps "pretend to be full featured navigation apps, but all they can do is to create useless layer between User and Google Maps app," the researcher said. Stefanko says that the apps don't have any actual "navigation technology" and they only "misuse Google Maps."

North Korean Hackers Infiltrate Chile's ATM Network After Skype Job Interview

Thu, 01/17/2019 - 08:52
A Skype call and a gullible employee was all it took for North Korean hackers to infiltrate the computer network of Redbanc, the company that interconnects the ATM infrastructure of all Chilean banks. From a report: The prime suspect behind the hack is a hacker group known as Lazarus Group (or Hidden Cobra), which is known to have associations with the Pyongyang regime, is one of the most active and dangerous hacking groups around, and has targeted banks, financial institutions, and cryptocurrency exchanges in past years. Lazarus' most recent attack took place at the end of December last year but only came to the public's attention after Chilean Senator Felipe Harboe called out Redbanc on Twitter last week for not disclosing its security breach. The company, which has direct lines into the networks of all Chilean banks, formally admitted to the hack a day later in a message posted on its website, but that announcement didn't include any details about the intrusion. However, a day after Redbanc's admission, an investigation conducted by Chilean tech news site trendTIC revealed that the financial firm was the victim of a serious cyber-attack, and not something that could be easily dismissed. According to reporters, the source of the hack was identified as a LinkedIn ad for a developer position at another company to which one of the Redbanc employees applied.

US CEOs Are More Worried About Cybersecurity Than a Possible Recession

Thu, 01/17/2019 - 06:13
With markets uncertain, many onlookers might think a recession is on the way, whether that's most CFOs in the world or voters in the United States. But domestic CEOs don't find heavy economic headwinds their biggest external business worry, according to a new survey by the Conference Board. Instead, it's cybersecurity followed by new competitors. Risk of a recession is third. From a report: After high-profile data breaches experienced over the last two years by such companies as Marriott, Equifax, and Uber, that might seem understandable. But U.S. CEOs stand in stark contrast to those of the rest of the world. Cybersecurity was the sixth most pressing issue for chief executives in Europe. It was seventh in Latin America, eighth in Japan, and 10th in China. Regarding concerns over a potential recession, Europe put that in second place, while Japan, China, and Latin America all rated it number one.

Collection 1 Data Breach Exposes More Than 772 Million Email Addresses

Wed, 01/16/2019 - 23:00
A collection of almost 773 million unique email addresses and just under 22 million unique passwords were exposed on cloud service MEGA. Security researcher Troy Hunt said the collection of data, dubbed Collection #1, totaled over 12,000 separate files and more than 87GB of data. ZDNet reports: "What I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago," Hunt wrote. "In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see." Some passwords, including his own, have been "dehashed", that is converted back to plain text. Hunt said he gained the information after multiple people reached out to him with concerns over the data on MEGA, with the Collection #1 dump also being discussed on a hacking forum. "The post on the forum referenced 'a collection of 2000+ dehashed databases and Combos stored by topic' and provided a directory listing of 2,890 of the files," Hunt wrote. The collection has since been removed. You can visit Hunt's Have I Been Pwned service to see if you are affected by this breach.

Fortnite Bugs Gave Hackers Access To Millions of Player Accounts, Researchers Say

Wed, 01/16/2019 - 16:50
Researchers at cybersecurity firm Check Point say three vulnerabilities chained together could have allowed hackers to take control of any of Fortnite's 200 million players. "The flaws, if exploited, would have stolen the account access token set on the gamer's device once they entered their password," reports TechCrunch. "Once stolen, that token could be used to impersonate the gamer and log in as if they were the account holder, without needing their password." From the report: The researchers say that the flaw lies in how Epic Games, the maker of Fortnite, handles login requests. Researchers said they could send any user a crafted link that appears to come from Epic Games' own domain and steal an access token needed to break into an account. Here's how it works: The user clicks on a link, which points to an epicgames.com subdomain into which the hacker embeds a link to malicious code on their own server by exploiting a cross-site weakness in the subdomain. Once the malicious script loads, unbeknownst to the Fortnite player, it steals their account token and sends it back to the hacker. "If the victim user is not logged into the game, he or she would have to log in first," a researcher said. "Once that person is logged in, the account can be stolen." Epic Games has since fixed the vulnerability.

Federal Prosecutors Are Investigating Huawei For Allegedly Stealing Trade Secrets, Says Report

Wed, 01/16/2019 - 15:30
According to The Wall Street Journal, federal prosecutors have launched a criminal investigation to see if Huawei allegedly stole trade secrets from U.S. companies. The probe is reportedly built out of civil lawsuits against the telecommunications firm. The Hill reports: People familiar with the probe told the Journal that it is at an advanced stage and that an indictment could soon be coming. Huawei has long faced scrutiny from both lawmakers and national security officials, who have labeled the firm as a national security threat over its ties to the Chinese government. The company has denied that characterization, and China this week called for other countries to end "the groundless fabrications and unreasonable restrictions" on Huawei and other firms.

Google Play Starts Manually Whitelisting SMS, Phone Apps

Wed, 01/16/2019 - 14:10
An anonymous reader quotes a report from Ars Technica: Google is implementing major new Play Store rules for how Android's "SMS" and "Call Log" permissions are used. New Play Store rules will only allow certain types of apps to request phone call logs and SMS permissions, and any apps that don't fit into Google's predetermined use cases will be removed from the Play Store. The policy was first announced in October, and the policy kicks in and the ban hammer starts falling on non-compliant apps this week. Google says the decision to police these permissions was made to protect user privacy. SMS and phone permissions can give an app access to a user's contacts and everyone they've ever called, in addition to allowing the app to contact premium phone numbers that can charge money directly to the user's cellular bill. Despite the power of these permissions, a surprising number of apps ask for SMS or phone access because they have other, more benign use cases. So to clean up the Play Store, Google's current plan seems to be to (1) build more limited, replacement APIs for these benign use cases that don't offer access to so much user data and (2) kick everyone off the Play Store who is still using the wide-ranging SMS and phone permissions for these more limited use cases. Google provides a help page that helps explain the new rules and offer workarounds for some use cases.