Slashdot security articles

Google Fixes Chrome 'Evil Cursor' Bug Abused by Tech Support Scam Sites

Mon, 03/25/2019 - 14:20
Google has patched a Chrome bug that was being abused in the wild by tech support scammers to create artificial mouse cursors and lock users inside browser pages by preventing them from closing and leaving browser tabs. From a report: The trick was first spotted in September 2018 by Malwarebytes analyst Jerome Segura. Called an "evil cursor," it relied on using a custom image to replace the operating system's standard mouse cursor graphic. A criminal group that Malwarebytes called Partnerstroka operated by switching the standard OS 32-by-32 pixels mouse cursor with one of 128 or 256 pixels in size. A normal cursor would still appear on screen, but in the corner of a bigger transparent bounding box. [...] The "evil cursor" fix is currently live for Google Canary users, and is scheduled to land in the Chrome 75 stable branch, to be released later this spring.

Hacking Lawyers or Journalists Is Totally Fine, Says Notorious Cyberweapons Firm

Mon, 03/25/2019 - 08:50
The founder and CEO of NSO Group, the notorious Israeli hacking company with customers around the world, appeared on CBS's 60 Minutes Sunday night to defend the use of his company's tools in hacking and spying on lawyers, journalists, and minors when the company's customers determine the ends justify the means. From a report: NSO Group has reportedly sold hacking tools to dictators including those in Saudi Arabia, the United Arab Emirates, and across Central Asia -- a group of decision-makers whose track record includes numerous examples of human rights abuses and oppression of dissent. NSO's tools have been directly involved in the arrest of human rights activists and, in Mexico at least, spying on lawyers and journalists in an effort to catch the drug lord Joaquin "El Chapo" Guzman. "In order to catch El Chapo, for example, they had to intercept a journalist, an actress, and a lawyer," NSO Group founder Shalev Hulio told 60 Minutes. "Now, by themselves, they are not criminals, right? But if they are in touch with a drug lord and in order to catch them, you need to intercept them, that's a decision an intelligence agency should get."

China Says it Cloned a Police Dog To Speed Up Training

Mon, 03/25/2019 - 06:45
A cloned dog, believed to be the first of its kind in China, has started training in Yunnan Province in a program to reduce the cost and time needed for training police dogs. From a report: Kunxun, a female of the Kunming wolfdog breed, was born on Dec. 19 last year in Beijing and arrived on March 5 for training at the Kunming Police Dog Base of the Ministry of Public Security. She was cloned by Sinogene, a Beijing-based biotechnology firm, from a 7-year-old female dog, known as Huahuangma, that has been in service in the city of Pu'er, Yunnan. The cloning is part of the ministry's research program. Huahuangma played important roles in helping detectives with dozens of murder investigations, and was awarded first-level merit in 2016, said Wan Jiusheng, the officer responsible for training Kunxun. Huahuangma's outstanding abilities as a police dog made her an eligible gene donor, Wan said. "It takes four to five years to train a meritorious dog such as Huahuangma, and costs hundreds of thousands of yuan," he said. Police dogs serving in real tasks are not usually used for breeding. The cloning program helps researchers copy their excellent genes and reduces the time and costs needed for training, researchers familiar with the program said.

Hackers Hijacked ASUS Software Updates To Install Backdoors on Thousands of Computers

Mon, 03/25/2019 - 06:05
ASUS is believed to have pushed malware to hundreds of thousands of customers through its trusted automatic software update tool after attackers compromised the company's server and used it to push the malware to machines. From a report: Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world's largest computer makers, was unwittingly used to install a malicious backdoor on thousands of its customers' computers last year after attackers compromised a server for the company's live software update tool. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company, Kaspersky Lab says. ASUS, a multi-billion-dollar computer hardware company based in Taiwan that manufactures desktop computers, laptops, mobile phones, smart home systems, and other electronics, was pushing the backdoor to customers for at least five months last year before it was discovered, according to new research from the Moscow-based security firm. The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware searched for targeted systems through their unique MAC addresses. Once on a system, if it found one of these targeted addresses, the malware reached out to a command-and-control server the attackers operated, which then installed additional malware on those machines. Kaspersky Lab said it uncovered the attack in January after adding a new supply-chain detection technology to its scanning tool to catch anomalous code fragments hidden in legitimate code or catch code that is hijacking normal operations on a machine. The company plans to release a full technical paper and presentation about the ASUS attack, which it has dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore.

Which Programming Language Has The Most Security Vulnerabilities?

Sun, 03/24/2019 - 19:39
A new report from the open source security company WhiteSource asks the question, "Is one programming language more secure than the rest?" An anonymous reader quotes TechRepublic: To answer this question, the report compiled information from WhiteSource's database, which aggregates information on open source vulnerabilities from sources including the National Vulnerability Database, security advisories, GitHub issue trackers, and popular open source projects' issue trackers. Researchers focused on open source security vulnerabilities in the seven most widely-used languages of the past 10 years to learn which are most secure, and which vulnerability types are most common in each... The most common vulnerabilities across most of these languages are Cross-Site Scripting (XSS); Input Validation; Permissions, Privileges, and Access Control; and Information Leak / Disclosure, according to the report. Across the seven most widely-used programming languages, here's how the vulnerabilities were distributed: C (47%), PHP (17%), Java (11%), JavaScript (10%), Python (5%), C++ (5%), Ruby (4%). But the results are full of disclaimers -- for example, that C tops the list because it's the oldest language with "the highest volume of written code" and "is also one of the languages behind major infrastructure like OpenSSL and the Linux kernel." The report also notes a "substantial rise" across all languages for known open source security vulnerabilities over the last two years, attributing this to more awareness about vulnerable components -- thanks to more research, automated security tools, and "the growing investment in bug bounty programs" -- as well as the increasing popularity of open source software. And it also reports a drop in the percentage of critical vulnerabilities for most languages -- except JavaScript and PHP. The report then concludes that "the Winner Of Most Secure Programming Language is...no one and everyone...!
It is not about the language itself that makes it any more or less secure, but how you use it. If you are mitigating your vulnerabilities throughout the software development lifecycle with the proper management approach, then you are far more likely to stay secure." Coincidentally, WhiteSource sells software which monitors open source components throughout the software development lifecycle to provide alerts about security (and licensing) issues.

Airline Passenger Walked Past Security With a Loaded Gun Magazine

Sun, 03/24/2019 - 05:34
An airline passenger "passed a security checkpoint with a loaded gun magazine," reports the Associated Press, citing information from an airport duty manager: Bob Rotiski said the passenger, who apparently had visited a shooting range, packed a loaded magazine in his carry-on bag. He said an officer identified the magazine during security screening, but the wrong bag was pulled from the line. By that time, the passenger had already left the checkpoint with the bag containing the magazine... Security lines were closed and flights were temporarily grounded at a San Francisco International Airport terminal...for nearly an hour, and United Airlines flights out of Terminal 3 were grounded Saturday morning as TSA officers looked for the passenger. "Rotiski said the lines reopened after officers located the passenger and brought him back for re-screening."

Pwn2Own Competitors Crack Tesla, Firefox, Safari, Microsoft Edge, and Windows 10

Sat, 03/23/2019 - 17:34
A research duo who hacked a Tesla were the big winners at the annual Pwn2Own white hat security contest, reports ZDNet. "The duo earned $375,000 in prize money, of the total of $545,000 awarded during the whole three-day competition... They also get to keep the car." Team Fluoroacetate -- made up of Amat Cama and Richard Zhu -- hacked the Tesla car via its browser. They used a JIT bug in the browser renderer process to execute code on the car's firmware and show a message on its entertainment system... Besides keeping the car, they also received a $35,000 reward. "In the coming days we will release a software update that addresses this research," a Tesla spokesperson told ZDNet today in regards to the Pwn2Own vulnerability. Not coincidentally, Team Fluoroacetate also won the three-day contest after earning 36 "Master of Pwn" points for successful exploits in Apple Safari, Firefox, Microsoft Edge, VMware Workstation, and Windows 10... [R]esearchers also exploited vulnerabilities in Apple Safari, Microsoft Edge, VMware Workstation, Oracle VirtualBox, and Windows 10.

Lithuanian Pleads Guilty To Stealing $100 Million From Google, Facebook

Fri, 03/22/2019 - 18:10
schwit1 writes: Evaldas Rimasauskas, a Lithuanian citizen, concocted a brazen scheme that allowed him to bilk Facebook and Google out of more than $100 million. The crime defrauded Google of $23 million and Facebook of $99 million. Rimasauskas committed the crimes between 2013 and 2015, an indictment was issued in 2017, and he was formally indicted Wednesday in New York after he pleaded guilty to wire fraud, aggravated identity theft, and three counts of money laundering. "As Evaldas Rimasauskas admitted today, he devised a blatant scheme to fleece U.S. companies out of over $100 million, and then siphoned those funds to bank accounts around the globe," said U.S. Attorney Geoffrey S. Berman in a DoJ press release. How did he do it? The indictment reveals that he simply billed the companies for the amounts and they paid the bills. Rimasauskas was able to trick company employees into wiring the money to multiple bank accounts that he controlled and had set up in institutions in Cyprus, Lithuania, Hungary, Slovakia, and Latvia.

Insider Threats Pose the Biggest Security Risk

Fri, 03/22/2019 - 17:30
An anonymous reader shares a report: According to a new study, 91 percent of IT and security professionals feel vulnerable to insider threats, and 75 percent believe the biggest risks lie in cloud applications like popular file storage and email solutions, including Google Drive, Gmail and Dropbox. The report from SaaS operations management specialist BetterCloud also shows 62 percent of respondents believe the biggest security threat comes from the well-meaning but negligent end user. Among other findings are that 46 percent of IT leaders (heads of IT and above) believe that the rise of SaaS applications makes them the most vulnerable. In addition, 40 percent of respondents believe they are most vulnerable to exposure of confidential business information such as financial information and customer lists. Only 26 percent of C-level executives say they've invested enough to mitigate the risk of insider threats, compared to 44 percent of IT managers.

FEMA Data Breach Hits 2.5 Million Disaster Survivors

Fri, 03/22/2019 - 16:50
The Federal Emergency Management Agency (FEMA) unlawfully shared the private information of 2.3 million hurricane and wildfire survivors with a federal contractor that was helping them find temporary housing, an inspector general from the Department of Homeland Security said Friday. The data includes "20 unnecessary data fields" such as "electronic funds transfer number," "bank transit number" and addresses. CNN reports: FEMA said it began filtering the data in December 2018 to prevent this information from being shared, but a more permanent fix may not be finalized until June 2020. "Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor's information system," said Lizzie Litzow, press secretary for FEMA, in a statement. "To date, FEMA has found no indicators to suggest survivor data has been compromised. FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security (DHS) cybersecurity and information-sharing standards. As an added measure, FEMA instructed contracted staff to complete additional DHS privacy training."

Microsoft Revived and Killed Clippy in a Single Day

Fri, 03/22/2019 - 16:11
The dream of the '90s was alive in Microsoft Teams this week when Microsoft's old office assistant, Clippy, showed up. From a report: If you used Microsoft Office between 1997 and 2001, you likely remember Clippy as the animated paperclip that popped up and offered tips for using the software. Microsoft did away with Clippy in 2001, so people were surprised to see Clippy stickers appear in Microsoft Teams this week. And they were even more surprised when, just a day later, Microsoft offed the little guy again. On Tuesday, Clippy appeared as an animated pack of stickers for Microsoft Teams. The stickers were released on the Office Developer GitHub page, but by the next day, they had vanished. Clippy was around just long enough to rally old fans, and there's now a user petition to bring Clippy back.

Dashcam Video Shows Tesla Steering Toward Lane Divider - Again

Fri, 03/22/2019 - 14:10
AmiMoJo shares a report from Ars Technica: The afternoon commute of Reddit user Beastpilot takes him past a stretch of Seattle-area freeway with a carpool lane exit on the left. Last year, in early April, the Tesla driver noticed that Autopilot on his Model X would sometimes pull to the left as the car approached the lane divider -- seemingly treating the space between the diverging lanes as a lane of its own. This was particularly alarming, because just days earlier, Tesla owner Walter Huang had died in a fiery crash after Autopilot steered his Model X into a concrete lane divider in a very similar junction in Mountain View, California. Beastpilot made several attempts to notify Tesla of the problem but says he never got a response. Weeks later, Tesla pushed out an update that seemed to fix the problem. Then in October, it happened again. Weeks later, the problem resolved itself. This week, he posted dashcam footage showing the same thing happening a third time -- this time with a recently acquired Model 3. "The behavior of the system changes dramatically between software updates," Beastpilot told Ars. "Human nature is, 'if something's worked 100 times before, it's gonna work the 101st time.'" That can lull people into a false sense of security, with potentially deadly consequences.

Over 100,000 GitHub Repos Have Leaked API or Cryptographic Keys

Fri, 03/22/2019 - 06:42
A scan of billions of files from 13 percent of all GitHub public repositories over a period of six months has revealed that over 100,000 repos have leaked API tokens and cryptographic keys, with thousands of new repositories leaking new secrets on a daily basis. From a report: The scan was the object of academic research carried out by a team from the North Carolina State University (NCSU), and the study's results have been shared with GitHub, which acted on the findings to accelerate its work on a new security feature called Token Scanning, currently in beta. The NCSU study is the most comprehensive and in-depth GitHub scan to date and exceeds any previous research of its kind. NCSU academics scanned GitHub accounts for a period of nearly six months, between October 31, 2017, and April 20, 2018, and looked for text strings formatted like API tokens and cryptographic keys.
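As an added example (not the NCSU team's tooling and not GitHub's Token Scanning), here is a small scanner of the kind the study describes: format-specific regexes for a few known credential layouts plus an entropy filter for generic "key = value" assignments, run over constructed file contents. The patterns, the entropy threshold and the sample files are assumptions for illustration only.

```python
import math
import re
from typing import Dict, List, NamedTuple

# Credential formats to look for. These patterns are assumed for this example;
# the NCSU study's own pattern set is not reproduced on this page.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    # Catch-all for "<something>key/secret/token/password = <long value>".
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)[A-Za-z0-9_]*"
        r"""\s*[:=]\s*["']?([A-Za-z0-9+/=_\-]{16,})["']?"""),
}


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    match: str


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like 'xxxxxxxxxxxxxxxx' score near 0."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> List[Finding]:
    """Return one Finding per credential-looking string in `text`."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits: List[Finding] = []
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                candidate = m.group(1) if m.groups() else m.group(0)
                # The catch-all is noisy, so keep only high-entropy values.
                if kind == "generic_assignment" and shannon_entropy(candidate) < min_entropy:
                    continue
                hits.append(Finding(path, lineno, kind, candidate))
        # If a format-specific pattern matched, drop the catch-all duplicate.
        specific = [h for h in hits if h.kind != "generic_assignment"]
        findings.extend(specific or hits)
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed repository contents; none of these values are real credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAEXAMPLE00000ABCD"\n'
        'AWS_SECRET_ACCESS_KEY = "Xk9/constructedSecretForThisExample+0nly"\n'
        "DEBUG = True\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAconstructedNotARealKeyBody\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    ".env": "SLACK_TOKEN=xoxb-0000000000-constructedexample\nDB_PASSWORD=changeme\n",
    "README.md": "Set API_KEY=<your key here> before running.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind}: {f.match[:12]}...")
```

The README placeholder and the short "changeme" password are deliberately not reported, which is the same trade-off a real scanner makes between coverage and false positives.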

750,000 Medtronic Defibrillators Vulnerable To Hacking

Thu, 03/21/2019 - 17:25
The Homeland Security Department issued an alert Thursday describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerabilities also affect bedside monitors that read data from the devices in patients' homes and in-office programming computers used by doctors. From the report: Medtronic recommends that patients only use bedside monitors obtained from a doctor or from Medtronic directly, keep them plugged in so they can receive software updates, and maintain "good physical control" over the monitor. Implantable defibrillators are complex, battery-run computers implanted in patients' upper chests to monitor the heart and send electric pulses or high-voltage shocks to prevent sudden cardiac death and treat abnormal heartbeats. The vulnerabilities announced Thursday do not affect Medtronic pacemakers. The more serious of the two is a vulnerability that could allow improper access to data sent between a defibrillator and an external device like an at-home monitor. The system doesn't use formal authentication or authorization protections, which means an attacker with short-range access to the device could inject or modify data and change device settings, the advisory says. A second vulnerability allows an attacker to read sensitive data streaming out of the device, which could include the patient's name and past health data stored on their device. The system does not use data encryption, the advisory says. (Deploying encryption in medical devices is tricky because it increases computational complexity and therefore drains the battery faster.) The FDA isn't expected to issue a recall, as the vulnerabilities are expected to be patched via a future software update.

Grandson of Legendary John Deere Inventor Calls Out Company On Right To Repair

Thu, 03/21/2019 - 14:00
chicksdaddy writes: The grandson of Theo Brown, a legendary engineer and inventor for John Deere who patented, among other things, the manure spreader, is calling out the company his grandfather served for decades for its opposition to right to repair legislation being considered in Illinois. In an opinion piece published by The Security Ledger entitled "My Grandfather's John Deere would support Our Right to Repair," Willie Cade notes that his grandfather, Theophilus Brown, is credited with 158 patents, some 70% of them for Deere & Co., including the manure spreader in 1915. His grandfather used to travel the country to meet with Deere customers and see his creations at work in the field. His hope, Cade said, was to help the company's customers be more efficient and improve their lives with his inventions. In contrast, Cade said the John Deere of the 21st Century engages in a very different kind of business model: imposing needless costs on their customers. An example of this kind of rent seeking is using software locks and other barriers to repair -- such as refusing to sell replacement parts -- in order to force customers to use authorized John Deere technicians to do repairs at considerably higher cost and hassle. "It undermines what my grandfather was all about," he writes. Cade, who founded the Electronics Reuse Conference, is supporting right to repair legislation that is being considered in Illinois and opposed by John Deere and the industry groups it backs. "Farmers who can't repair farm equipment and a wide spectrum of Americans who can't repair their smartphones are pushing back in states across the country."

PewCrypt Ransomware Locks Users' Files and Won't Offer a Decryption Key Until - and Unless - PewDiePie's YouTube Channel Beats T-Series To Hit 100M Subscribers

Thu, 03/21/2019 - 12:12
The battle between PewDiePie, currently the most subscribed channel on YouTube, and T-Series, an Indian music label, continues to have strange repercussions. In recent months, as T-Series closes the gap on PewDiePie for the crown of most subscribers on YouTube, alleged supporters of PewDiePie, in an unusual show of love, have hacked Chromecasts and printers to persuade victims to subscribe to PewDiePie's channel. Now ZDNet reports on a second strain of ransomware that is linked to PewDiePie. From the report: A second one appeared in January, and this was actually a fully functional ransomware strain. Called PewCrypt, this ransomware was coded in Java, and it encrypted users' files in the "proper" way, with a method of recovering files at a later date. The catch -- you couldn't buy a decryption key, but instead, victims had to wait until PewDiePie gained over 100 million followers before being allowed to decrypt any of the encrypted files. At the time of writing, PewDiePie had around 90 million fans, meaning any victim would be in for a long wait before they could regain access to any of their files. Making matters worse, if T-Series got to 100 million subscribers before PewDiePie, then PewCrypt would delete the user's encryption key for good, leaving users without a way to recover their data. While the ransomware was put together as a joke, sadly, it did infect a few users, ZDNet has learned. Its author eventually realized the world of trouble he'd get into if any of those victims filed complaints with authorities, and released the ransomware's source code on GitHub, along with a command-line-based decryption tool.

Nokia Firmware Blunder Sent Some User Data To China

Thu, 03/21/2019 - 10:50
HMD Global, the Finnish company that sublicensed the Nokia smartphone brand from Microsoft, is under investigation in Finland for collecting and sending some phone owners' information to a server located in China. From a report: In a statement to Finnish newspaper Helsingin Sanomat, the company blamed the data collection on a coding mistake during which an "activation package" was accidentally included in some phones' firmware. HMD Global said that only a single batch of Nokia 7 Plus devices was impacted and included this package. The data collection was exposed today in an investigation published by Norwegian broadcaster NRK, which learned of it from a user's tip. According to NRK, affected Nokia phones collected user data every time the devices were turned on, unlocked, or the screen was revived from a sleep state. Collected data included the phone's GPS coordinates, network information, phone serial number, and SIM card number.

Microsoft Ships Antivirus For macOS as Windows Defender Becomes Microsoft Defender

Thu, 03/21/2019 - 09:26
Microsoft is bringing its Windows Defender anti-malware application to macOS -- and more platforms in the future -- as it expands the reach of its Defender Advanced Threat Protection (ATP) platform. From a report: To reflect the new cross-platform nature, the suite is also being renamed to Microsoft Defender ATP, with the individual clients being labelled "for Mac" or "for Windows." macOS malware is still something of a rarity, but it's not completely unheard of. Ransomware for the platform was found in 2016, and in-the-wild outbreaks of other malicious software continue to be found. Apple has integrated some malware protection into macOS, but we've heard from developers on the platform that Mac users aren't always very good at keeping their systems on the latest point release. Further reading: Microsoft launches previews of Windows Virtual Desktop and Defender ATP for Mac.

For Years, Hundreds of Millions of Facebook Users Had Their Account Passwords Stored in Plain Text and Searchable By Thousands of Facebook Employees

Thu, 03/21/2019 - 08:00
Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees -- in some cases going back to 2012, KrebsOnSecurity reported Thursday. From the report: Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data. Facebook is probing the causes of a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That's according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press. The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012. Facebook has responded.