Slashdot security articles


Comcast Is Reportedly Developing a Device That Would Track Your Bathroom Habits

Tue, 05/21/2019 - 15:20
Comcast is reportedly working on a device designed to closely monitor a user's health. "The device will monitor people's basic health metrics using ambient sensors, with a focus on whether someone is making frequent trips to the bathroom or spending more time than usual in bed," reports CNBC. "Comcast is also building tools for detecting falls, which are common and potentially fatal for seniors." The Verge reports: Many products on the market today already have the motion sensors, cameras, and other hardware that allow for what Comcast seems to be envisioning -- but not even Amazon or Google have directly sought to keep such a close eye on their customers' personal health with their respective Echo and Home devices. Comcast itself already offers home security services, and the company's much-touted X1 voice remote for its Xfinity cable platform has helped Comcast make advancements in recognizing and processing voice commands. According to CNBC, Comcast's device won't offer functionality like controlling smart home devices, nor will it have the ability to search for answers to a person's questions on the internet. But it will reportedly "have a personality like Alexa" and be able to place calls to emergency services. In an email to The Verge, a Comcast spokesperson said the company's upcoming device "is NOT a smart speaker" and "is purpose-built to be a sensor that detects motion." It's said that Comcast aims to offer the device and a companion health tracking service to "at-risk people, including seniors and people with disabilities." The company is also in discussions with hospitals about potentially "using the device to ensure that patients don't end up back in the hospital after they've been discharged."

Google Says Some G Suite User Passwords Were Stored In Plaintext Since 2005

Tue, 05/21/2019 - 14:08
Google says a small number of its enterprise customers mistakenly had their passwords stored on its systems in plaintext. The exact number was not disclosed. "We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed," said Google vice president of engineering Suzanne Frey. Slashdot reader pegdhcp appears to be one of the users impacted by this security lapse: I am sharing a message that I received from G Suite, redacted. They are having some serious problems... If you missed the message or somehow tend to ignore sometimes extremely frequent and unnecessary G Suite messages like I do, this one can be important depending on your settings. [You can read the full email message (with redactions) below:]

Behind the Naming of ZombieLoad and Other Intel Spectre-Like Flaws

Tue, 05/21/2019 - 08:00
secwatcher writes: There was a lot more to the name game behind choosing titles for ZombieLoad, Spectre and Meltdown than picking cool and edgy attack titles. If you have ever wondered why they were named what they were, Threatpost tracked down one of the researchers behind the naming convention (and discovery) and found out. Much like the funky titles of advanced persistent threat groups, these speculative execution attacks, which impact Intel CPUs, are often named to reflect the impact behind the vulnerabilities, their attributes and how the attack processes work. "We always try to come up with names that somehow resemble the nature of the attack," Daniel Gruss, a security researcher from the Graz University of Technology and one of the founders of the ZombieLoad flaw, told Threatpost in a recent podcast interview. When it comes to ZombieLoad, "the nature of the attack is also something which fits the name very well," said Gruss. That's because the attack relies on the processor sending multiple load requests out to load data (instead of loading data once), as a result of the chip carrying out processes that will work in the most optimistic, opportunistic way, said Gruss. Spectre and Meltdown, for their part, have their own history behind their names. The idea for naming Spectre after a ghost -- also known by its logo, of a malevolent-looking ghost with a stick in its hand -- came from Paul Kocher, one of the collaborating researchers who discovered the flaw. "The reasoning behind the name was that Spectre is ... it's not a nice spectre," Gruss told Threatpost. Meltdown, meanwhile, was so named because the vulnerability "melts security boundaries which are normally enforced by the hardware." But beyond that, unlike Spectre, the attack can be fixed and won't haunt users for years to come, said Gruss.

Huawei Considers Rivals To Google's Android After US Ban

Tue, 05/21/2019 - 06:00
Huawei said it's working on its own operating system for its mobile handsets and will consider rivals to Google's Android, after the U.S. blacklisted the company, threatening its partnerships with chip, component and software suppliers. From a report: The Chinese telecom equipment giant said Tuesday it was in talks with Alphabet about how to proceed after Google confirmed it would cut access to some of Huawei's operating system features for the company's new devices in response to the announcement. Should Google's system no longer be available, "then the alternative option will naturally come out -- either from Huawei or someone else," Abraham Liu, Huawei's representative to the European Union institutions, said at an event in Brussels on Tuesday. Liu said Huawei had been working on its own operating system but that he didn't have the details about when this would be ready. Huawei would do everything in its power to mitigate the impact of the U.S. decisions, Liu said.

Millions of Instagram Influencers Had Their Private Contact Data Scraped and Exposed

Mon, 05/20/2019 - 10:45
A massive database containing contact information of millions of Instagram influencers, celebrities and brand accounts has been found online. From a report: The database, hosted by Amazon Web Services, was left exposed and without a password allowing anyone to look inside. At the time of writing, the database had over 49 million records -- but was growing by the hour. From a brief review of the data, each record contained public data scraped from influencer Instagram accounts, including their bio, profile picture, the number of followers they have, if they're verified and their location by city and country, but also contained their private contact information, such as the Instagram account owner's email address and phone number. Security researcher Anurag Sen discovered the database and alerted TechCrunch in an effort to find the owner and get the database secured. We traced the database back to Mumbai-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts. Each record in the database contained a record that calculated the worth of each account, based off the number of followers, engagement, reach, likes and shares they had. This was used as a metric to determine how much the company could pay an Instagram celebrity or influencer to post an ad.

Huawei Responds To Android Ban With Service and Security Guarantees, But Its Future Remains Unclear

Mon, 05/20/2019 - 06:05
Huawei has finally gone on the record about a ban on its use of Android, but the company's long-term strategy on mobile still remains unclear. From a report: In an effort to appease its worried customer base, the embattled Chinese company said today that it will continue to provide security updates and after-sales support to its existing lineup of smartphones, but it's what the company didn't say that will spark concerns. Huawei was unable to make guarantees about whether existing customers will continue to receive Android software updates, while its statement is bereft of any mention of whether future phones will ship with the current flavor of Android or something else. [...] Huawei's lukewarm response isn't unexpected. Earlier, Google issued a similarly non-committal statement that indicated that owners of Huawei phones will continue to be able to access the Google Play Store and Google Play Protect, but -- like the Chinese firm -- it made no mention of the future, and that really is the key question. Further reading: Qualcomm and Intel reportedly stop dealing with Huawei.

Tesla's Stock Falls After News About Autopilot Crashes and Battery Fires

Sun, 05/19/2019 - 23:34
CNBC reports: Tesla shares fell almost 8% on Friday to their lowest close since December 2016, after the National Transportation Safety Board said the company's Autopilot driver assistance system was engaged during a fatal crash in March... The accident was at least the third of its kind in the U.S. and raises concerns about Tesla's Autopilot technology. Thursday Elon Musk also told Tesla's employees that he and their CFO will now personally review all expenses going forward in a new "hardcore" attempt to control expenses, calling it "the only way for Tesla to become financially sustainable and succeed in our goal of helping make the world environmentally sustainable." And then there's the fires, reports CNBC: Recent reports of Tesla vehicles spontaneously catching fire could make potential customers wary at a time when virtually every automaker is getting ready to roll out battery-based vehicles, industry executives and analysts worry... Three of Tesla's sedans went up in flames without warning in recent months, one in Shanghai, another in Hong Kong, a third in San Francisco. Tesla has experienced at least 14 known battery fires in recent years... Of the 14 known fires involving Tesla vehicles, the majority occurred after a collision, but there have been a growing number of blazes in which its products appear to spontaneously ignite. That appeared to be the case when, on April 21, a security camera in a Shanghai garage captured images of a Model S sedan smoldering before suddenly bursting into flames. Another fire engulfed a Tesla sedan that appears to have been hooked up to one of the company's Superchargers in Hong Kong. Then, two weeks ago, firefighters in San Francisco tweeted that they had been called to a garage where another Tesla Model S was on fire. In an initial response, the automaker said it did not think the sedan itself was responsible for the California blaze. 
But it is investigating the two Chinese incidents, it said in a statement, and "out of an abundance of caution, we are revising charge and thermal management settings on Model S and Model X vehicles via an over-the-air software update that will begin rolling out today, to help further protect the battery and improve battery longevity..." "As the face of the emerging battery-car market, Tesla's troubles have been widely reported, but it is by no means the only manufacturer to have experienced unexpected fires..." reports CNBC. "Fires have been reported with Chevrolet Volts, Fisker Karmas, Mitsubishi iMiEVs and other electric vehicles."

Email Addresses and Passwords Leaked For 113,000 Users Of Account Hijacking Forum

Sun, 05/19/2019 - 19:34
"Ogusers.com -- a forum popular among people involved in hijacking online accounts and conducting SIM swapping attacks to seize control over victims' phone numbers -- has itself been hacked," reports security researcher Brian Krebs, "exposing the email addresses, hashed passwords, IP addresses and private messages for nearly 113,000 forum users." On May 12, the administrator of OGusers explained an outage to forum members by saying a hard drive failure had erased several months' worth of private messages, forum posts and prestige points, and that he'd restored a backup from January 2019. Little did the administrators of OGusers know at the time, but that May 12 incident coincided with the theft of the forum's user database, and the wiping of forum hard drives. On May 16, the administrator of rival hacking community RaidForums announced he'd uploaded the OGusers database for anyone to download for free... "The website owner has acknowledged data corruption but not a breach so I guess I'm the first to tell you the truth. According to his statement he didn't have any recent backups so I guess I will provide one on this thread lmfao." Some users of the hijacking forum complained that their email addresses had started getting phishing emails -- and that the forum's owner had since altered the forum's functionality so users couldn't delete their accounts. "It's difficult not to admit feeling a bit of schadenfreude in response to this event..." writes Krebs, adding "federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved."

Are Trendy Developers Ignoring Tradeoffs and Over-Engineering Workplaces?

Sat, 05/18/2019 - 17:34
An anonymous reader shares an article titled "Does IT Run on Java 8?" "After more than ten years in tech, in a range of different environments, from Fortune 500 companies, to startups, I've finally come to realize that most businesses and developers simply don't revolve around whatever's trending on Hacker News," argues one Python/R/Spark data scientist: Most developers -- and companies -- are part of what [programmer] Scott Hanselman dubbed a while ago as the 99%... "They don't read a lot of blogs, they never write blogs, they don't go to user groups, they don't tweet or facebook, and you don't often see them at large conferences. Lots of technologies don't iterate at this speed, nor should they. "Embedded developers are still doing their thing in C and C++. Both are deeply mature and well understood languages that don't require a lot of churn or panic on the social networks. Where are the dark matter developers? Probably getting work done. Maybe using ASP.NET 1.1 at a local municipality or small office. Maybe working at a bottling plant in Mexico in VB6. Perhaps they are writing PHP calendar applications at a large chip manufacturer." While some companies are using Spark and Druid and Airflow, some are still using Coldfusion... Or telnet... Or Microsoft TFS... There are reasons updates are not made. In some cases, it's a matter of national security (like at NASA). In others, people get used to what they know. In some cases, the old tech is better... In some cases, it's both a matter of security, AND IT is not a priority. This is the reason many government agencies return data in PDF formats, or in XML... For all of this variety of reasons and more, the majority of companies that are at the pinnacle of success in America are quietly running Windows Server 2012 behind the scenes. And, not only are they running Java on Windows 2012, they're also not doing machine learning, or AI, or any of the sexy buzzwords you hear about.
Most business rules are still just that: hardcoded case statements decided by the business, passed down to analysts, and done in Excel sheets, half because of bureaucracy and inaction, and sometimes, because you just don't need machine learning. Finally, the third piece of this is the "dark matter" effect. Most developers are simply not talking about the mundane work they're doing. Who wants to share their C# code moving fractions of a cent transactions between banking systems when everyone is doing Tensorflow.js? In a footnote to his essay, Hanselman had added that his examples weren't hypothetical. "These people and companies all exist, I've met them and spoken to them at length." (And the article includes several tweets from real-world developers, including one which claims Tesla's infotainment firmware and backend services were all run in a single-location datacenter "on the worst VMware deployment known to man.") But the data scientist ultimately asks if our online filter bubbles are exposing us to "tech-forward biases" that are "overenthusiastic about the promises of new technology without talking about tradeoffs," leading us into over-engineered platforms "that our companies don't need, and that most other developers that pick up our work can't relate to, or can even work with... "For better or worse, the world runs on Excel, Java 8, and Sharepoint, and I think it's important for us as technology professionals to remember and be empathetic of that."

New John the Ripper Cracks Passwords On FPGAs

Sat, 05/18/2019 - 10:41
Long-time Slashdot reader solardiz has long been an advocate for bringing security to open environments. Wednesday he contacted Slashdot to share this update about a piece of software he's authored called John the Ripper: John the Ripper is the oldest still evolving password cracker program (and Open Source project), first released in 1996. John the Ripper 1.9.0-jumbo-1, which has just been announced with a lengthy list of changes, is the first release to include FPGA support (in addition to CPU, GPU, and Xeon Phi). This is a long-awaited (or long-delayed) major release, encompassing 4.5 years of development and 6000+ commits by 80+ contributors. From the announcement: "Added FPGA support for 7 hash types for ZTEX 1.15y boards [...] we support: bcrypt, descrypt (including its bigcrypt extension), sha512crypt & Drupal7, sha256crypt, md5crypt (including its Apache apr1 and AIX smd5 variations) & phpass. As far as we're aware, several of these are implemented on FPGA for the very first time. For bcrypt, our ~119k c/s at cost 5 in ~27W greatly outperforms latest high-end GPUs per board, per dollar, and per Watt. [...] We also support multi-board clusters (tested [...] for up to 16 boards, thus 64 FPGAs, [...] on a Raspberry Pi 2 host)."

Google Images + Facial Recognition Find Thief Who Looked Like Woody Harrelson

Sat, 05/18/2019 - 08:34
"The New York Police Department used a photo of Woody Harrelson in its facial recognition program in an attempt to identify a beer thief who looked like the actor," reports the Associated Press: Georgetown University's Center on Privacy and Technology highlighted the April 2017 episode in "Garbage In, Garbage Out," a report on what it says are flawed practices in law enforcement's use of facial recognition. The report says security footage of the thief was too pixelated and produced no matches while high-quality images of Harrelson, a three-time Oscar nominee, returned several possible matches and led to one arrest. The NYPD also used a photo of a New York Knicks player to search its database for a man wanted for a Brooklyn assault, the report said. "The stakes are too high in criminal investigations to rely on unreliable -- or wrong -- inputs," Georgetown researcher Clare Garvie wrote.... The Georgetown report says facial recognition has helped the NYPD crack about 2,900 cases in more than five years of using the technology. And in Florida, Vice reports, law enforcement agencies "run roughly 8,000 of these searches per month."

South Korean Government Planning Linux Migration as Windows 7 Support Ends

Fri, 05/17/2019 - 10:50
An anonymous reader shares a report: With just seven more months of support left for Windows 7, the South Korean government is planning to migrate to Linux, according to the Korea Herald, which notes that the Interior Ministry will begin "test-running Linux on its PCs, and if no security issues arise, Linux systems will be introduced more widely within the government." The Herald quotes the Interior Ministry as indicating that the transition to Linux, and the purchase of new PCs, would cost about 780 billion won ($655 million), but also anticipates long-term cost reductions with the adoption of Linux. The report doesn't mention a specific distro; the ministry instead "hopes to avoid building reliance on a single operating system." "Before the government-wide adoption, the ministry said it would test if the system could be run on private networked devices without security risks and if compatibility could be achieved with existing websites and software which have been built to run on Windows," the report stated.

A Large Chunk of Ethereum Clients Remain Unpatched

Fri, 05/17/2019 - 06:51
The Ethereum ecosystem is no different than the Windows or IoT landscape, where security flaws remain unpatched for long periods of time, despite the availability of public patches. From a report: In a report shared with ZDNet today, security researchers from SRLabs revealed that a large chunk of the Ethereum client software that runs on Ethereum nodes has yet to receive a patch for a critical security flaw the company discovered earlier this year. "According to our collected data, only two thirds of nodes have been patched so far," said Karsten Nohl, one of the researchers. The vulnerability is a denial of service (DoS) vulnerability in the Parity client that can be used to run Ethereum nodes. Per SRLabs, the vulnerability allows an attacker to remotely crash Ethereum nodes (that run Parity) by sending malformed packets. The issue was fixed with the release of the Parity Ethereum client v2.2.10, in mid-February this year, a few days after it was reported. While most DoS flaws are considered "low impact" for most products, this is not the case in the cryptocurrency world.

Amazon Updates Alexa To Guard Your House and Listen For Broken Glass, Smoke Alarm

Thu, 05/16/2019 - 17:20
Amazon is rolling out an update to Alexa that will turn the company's line of smart home products into home security devices while the user is out. Called "Alexa Guard," the feature will have your smart speakers listen for key sounds, including breaking glass and smoke and carbon monoxide alarms. If the Echo hears the noise, it will send you an alert, coupled with an audio recording of the noise. TechCrunch reports: It's an interesting new addition and one that leverages the sometimes controversial fact that the device's mics are designed to always be listening. Amazon points out that it worked with licensed contractors to break hundreds of different glass windows with different instruments in order to create a wide range of different sounds for Alexa to listen for. The new feature works with different smart home devices, as well. Users with Ring or ADT pro monitoring can set it up to forward alerts to their providers. Users with Away Lighting set up, meanwhile, can use the alert to flip on lights in order to make it look like you're still around. The app is rolling out as a free addition to all Echo owners in the U.S.

Hackers Abuse ASUS Cloud Service To Install Backdoor On Users' PCs

Thu, 05/16/2019 - 14:00
An anonymous reader quotes a report from Ars Technica: ASUS' update mechanism has once again been abused to install malware that backdoors PCs, researchers from Eset reported earlier this week. The researchers, who continue to investigate the incident, said they believe the attacks are the result of router-level man-in-the-middle attacks that exploit insecure HTTP connections between end users and ASUS servers, along with incomplete code-signing to validate the authenticity of received files before they're executed. Plead, as the malware is known, is the work of espionage hackers Trend Micro calls the BlackTech Group, which targets government agencies and private organizations in Asia. Last year, the group used legitimate code-signing certificates stolen from router-maker D-Link to cryptographically authenticate itself as trustworthy. Before that, the BlackTech Group used spear-phishing emails and vulnerable routers to serve as command-and-control servers for its malware. Late last month, Eset researchers noticed the BlackTech Group was using a new and unusual method to sneak Plead onto targets' computers. The backdoor arrived in a file named ASUS Webstorage Upate.exe included in an update from ASUS. An analysis showed infections were being created and executed by AsusWSPanel.exe, which is a legitimate Windows process belonging to, and digitally signed by, ASUS WebStorage. As the name suggests, ASUS WebStorage is a cloud service the computer-maker offers for storing files. Eset published its findings on Tuesday. [...] In all, Eset has counted about 20 computers receiving the malicious ASUS update, but that number includes only company customers. "The real number is probably higher if we consider targets that are not our users," Anton Cherepanov, a senior malware researcher at Eset, told Ars. Once the file is executed, it downloads an image from a different server that contains an encrypted executable file hidden inside. 
Once decrypted, the malicious executable gets dropped into the Windows Start Menu folder, where it's loaded each time the user logs in. In a blog post, ASUS reported a "WebStorage security incident" that reads: "ASUS Cloud first learned of an incident in late April 2019, when we were contacted by a customer with a security concern. Upon learning of the incident, ASUS Cloud took immediate action to mitigate the attack by shutting down the ASUS WebStorage update server and halting the issuance of all ASUS WebStorage update notifications, thereby effectively stopping the attack. In response to this attack, ASUS Cloud has revamped the host architecture of the update server and has implemented security measures aimed at strengthening data protection. This will prevent similar attacks in the future. Nevertheless, ASUS Cloud strongly recommends that users of ASUS WebStorage services immediately run a complete virus scan to ensure the integrity of your personal data."

A Report From the AMP Advisory Committee Meeting

Thu, 05/16/2019 - 07:20
Programmer Terence Eden doesn't like Google's AMP. He thinks Google's Accelerated Mobile Pages are a bad idea, poorly executed, and almost-certainly anti-competitive. So, he decided to join the AC (Advisory Committee) for AMP, he said, adding that he did not want Google to be surrounded with sycophants and yes-men. Here are some recommendations he has made:
1. Publish all user research: Don't allow new components to be created without a clear user story and research to support them.
2. Accessibility audit: Don't validate pages which can't pass an automated a11y test.
3. Stop the forced bundling: Let users opt-out of seeing AMP pages. Don't require AMP for prominent placement. Stop discriminating against non-Google browsers.
4. Reconsider AMP4Email: Lots of concerns from smaller email providers. Security and archiving concerns. Work with the ecosystem rather than imposing.

Trump Signs Executive Order Barring US Companies From Using Huawei Gear

Wed, 05/15/2019 - 16:50
schwit1 shares a report from Reuters: President Donald Trump on Wednesday signed an executive order declaring a national emergency and barring U.S. companies from using telecommunications equipment made by firms posing a national security risk, paving the way for a ban on doing business with China's Huawei. The executive order invokes the International Emergency Economic Powers Act, which gives the president the authority to regulate commerce in response to a national emergency that threatens the United States. The order directs the Commerce Department, working with other government agencies, to draw up a plan for enforcement within 150 days. The order, which has been under review for more than a year, is aimed at protecting the supply chain from "foreign adversaries to the nation's information and communications technology and services supply chain," said Commerce Secretary Wilbur Ross.

Google Recalls Its Bluetooth Titan Security Keys Because of a Security Bug

Wed, 05/15/2019 - 09:28
Google today disclosed a security bug in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide. From a report: The company says that the bug is due to a "misconfiguration in the Titan Security Keys' Bluetooth pairing protocols" and that even the faulty keys still protect against phishing attacks. Still, the company is providing a free replacement key to all existing users. The bug affects all Titan Bluetooth keys that have a "T1" or "T2" on the back; the keys sell for $50 in a package that also includes a standard USB/NFC key.

UK Hacking Powers Can Be Challenged in Court, Judge Rules

Wed, 05/15/2019 - 08:05
A five-year court battle in the United Kingdom has come to an end with the UK Supreme Court ruling that the UK's spy agencies and their hacking activities can be made subject to court challenges. From a report: On Wednesday, the court ruled that the GCHQ's Investigatory Powers Tribunal (IPT) is subject to judicial review in the High Court, which in turn means that the intelligence tribunal's decisions can be exposed, and challenged, based on the law of the land. The IPT is a closed-door and secretive tribunal involved in making decisions relating to the security activities and surveillance performed by UK intelligence and spy agencies, including the GCHQ, MI5, and MI6. The case in question is based on the GCHQ's powers to hack thousands or millions of devices in the quest for intelligence, previously challenged on the basis of human rights. Privacy International launched a legal case in 2014 questioning these powers. A subsequent ruling in 2016 by the IPT determined that the UK government held the right to launch sweeping "thematic" warrants which validated the hacking of devices en masse in the UK and abroad.

It's Almost Impossible To Tell If Your iPhone Has Been Hacked

Tue, 05/14/2019 - 15:30
An anonymous reader writes: A recent vulnerability in WhatsApp shows that there's little defenders can do to detect and analyze iPhone hacks. Some iOS security experts say this is yet another incident that shows iOS is so locked down it's hard -- if not impossible -- to figure out if your own iPhone has been hacked. [...] "The simple reality is there are so many 0-day exploits for iOS," said Stefan Esser, a security researcher that specializes in iOS. "And the only reason why just a few attacks have been caught in the wild is that iOS phones by design hinder defenders to inspect the phones." As of today, there is no specific tool that an iPhone user can download to analyze their phone and figure out if it has been compromised. In 2016, Apple took down an app made by Esser that was specifically designed to detect malicious jailbreaks.