Slashdot security articles

82% of People Say They Connect To Any Free WiFi That's Available in a Public Place, Survey Finds

Thu, 08/01/2019 - 08:45
Have you ever been in a public place and hopped onto a public WiFi network? From a report: We conducted a survey of 1,195 US residents over the past two weeks asking about internet connectivity and one interesting trend stood out. 82% of respondents (980 total) said they connect to any freely available network while out in public. When asked about the security implications of such a decision, the majority of the respondents said they didn't think about such things, and that it wasn't a concern for them.

California Police Are Sharing Facial Recognition Databases To ID Suspects

Thu, 08/01/2019 - 06:44
Many of California's local law enforcement agencies have access to facial recognition software for identifying suspects who appear in crime scene footage, documents obtained through public records requests show. From a report: Three California counties also have the capability to run facial recognition searches on each others' mug shot databases, and others could join if they choose to opt into a network maintained by a private law enforcement software company. The network is called California Facial Recognition Interconnect, and it's a service offered by DataWorks Plus, a Greenville, South Carolina-based company with law enforcement contracts in Los Angeles, San Bernardino, San Diego, San Francisco, Sacramento, and Santa Barbara. Currently, the three adjacent counties of Los Angeles, Riverside, and San Bernardino are able to run facial recognition against mug shots in each other's databases. That means these police departments have access to about 11.7 million mug shots of people who have previously been arrested, a majority of which come from the Los Angeles system.

Cisco To Pay $8.6 Million Fine For Selling Hackable Surveillance Tech

Wed, 07/31/2019 - 17:25
Cisco has agreed to pay $8.6 million to settle a claim that it sold video surveillance software it knew was vulnerable to hackers to hospitals, airports, schools, state governments and federal agencies. SFGate reports: The tech giant continued to sell the software and didn't fix the massive security weakness for about four years after a whistleblower alerted the company about it in 2008, according to a settlement unsealed Wednesday with the Justice Department and 15 states as well as the District of Columbia. Hackers could use the flaw not just to spy on video footage but to turn surveillance cameras on and off, delete footage and even potentially compromise other connected physical security systems such as alarms or locks - all without being detected, according to Hamsa Mahendranathan, an attorney at Constantine Cannon, which represented whistleblower James Glenn. The settlement marks the first time a company has been forced to pay out under a federal whistleblower law for not having adequate cybersecurity protections.

Everything Cops Say About Amazon's Ring Is Scripted Or Approved By Ring

Wed, 07/31/2019 - 14:00
An anonymous reader quotes a report from Gizmodo: Amazon's home security company Ring has garnered enormous control over the ways in which its law enforcement partners are allowed to portray its products, going as far as to review and even author statements attributed to police in the press, according to emails and documents obtained by Gizmodo. This summer, Ring even urged a Florida police department to delay announcing its partnership with the company for weeks, telling officials that it preferred to keep the spotlight on a separate initiative launched by the city, designed to incentivize the purchase of its home surveillance products. Because there are already thousands of Ring users in major cities across the U.S., one of Ring's primary goals in its police partnerships is encouraging existing customers to download Neighbors. To ensure that police stay on message when promoting the app, or answering questions about it, Ring not only provides police departments with talking points but widely seeks to secure contracts that grant it the absolute right to approve all police statements about its services. Contracts and other documents obtained from police departments in three states show that Ring pre-writes almost all of the messages shared by police across social media, and attempts to legally obligate police to give the company final say on all statements about its products, even those shared with the press. (In exchange, police are also given the ability to approve any Ring press releases that directly reference the partnering police agency.) Ring's so-called "press packets" to partnering agencies include a "Press Release Template," "Social Media Templates," and "Key Talking Points," as well as high-resolution Ring and Neighbors App logos "to incorporate with PR materials as needed." 
Furthermore, according to Gizmodo, "the packets are accompanied by instructions dictating that final drafts of public remarks must be sent to Ring so that the company's PR team can 'review and sign off' before they're sent to local news outlets." Motherboard recently reported that Ring has partnered with 200 law enforcement agencies across the U.S.

Capital One Breach Said To Also Affect Other Major Companies

Wed, 07/31/2019 - 12:10
The data breach at Capital One may be the "tip of the iceberg" and may affect other major companies, according to security researchers. From a report: Israeli security firm CyberInt said Vodafone, Ford, Michigan State University and the Ohio Department of Transportation may have also fallen victim to the same data breach that saw over 106 million credit applications and files stolen from a cloud server run by Capital One by an alleged hacker, Paige Thompson, a Seattle resident, who was taken into FBI custody earlier this week. Reports from Forbes and security reporter Brian Krebs indicate that Capital One may not have been the only company affected, pointing to "one of the world's biggest telecom providers, an Ohio government body, and a major U.S. university," according to Slack messages sent by the alleged hacker. Krebs posted a screenshot of a list of files purportedly stolen by the alleged hacker. The stolen data contained filenames including car maker "Ford" and Italian financial services company "Unicredit." The Justice Department said Thompson may face additional charges -- suggesting other companies may have been involved. Further reading: Capital One's Breach Was Inevitable, Because We Did Nothing After Equifax.

Google Brings the Titan Security Key To More Countries

Wed, 07/31/2019 - 10:05
Google on Wednesday announced it's making its Titan Security Key available via the Google Store in multiple new countries: Canada, France, Japan and the United Kingdom. Google launched the second-factor security key last year, starting with availability in the US. From a report: Google touts the Titan Security Key as one of the best ways to protect Google Accounts from hacking and phishing, especially high-value accounts that are regularly probed and attacked. The key is used as part of Google's Advanced Protection Program. Based on FIDO open standards, the security key comes in both USB and Bluetooth varieties. Back in May, Google had to issue replacements for the Bluetooth keys due to a vulnerability in the pairing process.

'The White House Blocked My Report on Climate Change and National Security'

Wed, 07/31/2019 - 08:05
Dr. Rod Schoonover, who until recently served as a senior analyst in the Bureau of Intelligence and Research at the State Department, writing for The New York Times: Ten years ago, I left my job as a tenured university professor to work as an intelligence analyst for the federal government, primarily in the State Department but with an intervening tour at the National Intelligence Council. My focus was on the impact of environmental and climate change on national security, a growing concern of the military and intelligence communities. It was important work. Two words that national security professionals abhor are uncertainty and surprise, and there's no question that the changing climate promises ample amounts of both. I always appreciated the apolitical nature of the work. Our job in the State Department's Bureau of Intelligence and Research was to generate intelligence analysis buttressed by the best information available, without regard to political considerations. And although I was uncomfortable with some policies of the Trump administration, no one had ever tried to influence my work or conclusions. That changed last month, when the White House blocked the submission of my bureau's written testimony on the national security implications of climate change to the House Permanent Select Committee on Intelligence. The stated reason was that the scientific foundation of the analysis did not comport with the administration's position on climate change. After an extended exchange between officials at the White House and the State Department, at the 11th hour I was permitted to appear at the hearing and give a five-minute summary of the 11-page testimony. However, Congress was deprived of the full analysis, including the scientific baseline from which it was drawn. Perhaps most important, this written testimony on a critical topic was never entered into the official record.

iPhone Bluetooth Traffic Leaks Phone Numbers -- in Certain Scenarios

Wed, 07/31/2019 - 07:25
Security researchers say they can extract a user's phone number from the Bluetooth traffic coming from an iPhone smartphone during certain operations. From a report: The attack works because, when Bluetooth is enabled on an Apple device, the device sends BLE (Bluetooth Low Energy) packets in all directions, broadcasting the device's position and various details. This behavior is part of the Apple Wireless Direct Link (AWDL), a protocol that can work either via WiFi or BLE to interconnect and allow data transfers between nearby devices. Previous academic research has revealed that AWDL BLE traffic contains device identification details such as the phone status, Wi-Fi status, OS version, buffer availability, and others. However, in new research published last week, security researchers from Hexway said that during certain operations these BLE packets can also contain a SHA256 hash of the device's phone number.

Facebook's Ex-Security Chief Details His 'Observatory' for Internet Abuse

Wed, 07/31/2019 - 06:47
Andy Greenberg, writing for Wired: When Alex Stamos describes the challenge of studying the worst problems of mass-scale bad behavior on the internet, he compares it to astronomy. To chart the cosmos, astronomers don't build their own Hubble telescopes or Arecibo observatories. They concentrate their resources in a few well-situated places and share time on expensive hardware. But when it comes to tackling internet abuse ranging from extremism to disinformation to child exploitation, Stamos argues, Silicon Valley companies and academics are still trying to build their own telescopes. What if, instead, they shared their tools -- and more importantly, the massive data sets they've assembled? That's the idea behind the Stanford Internet Observatory, part of the Stanford Cyber Policy Center where Stamos is a visiting professor. Founded with a $5 million donation from Craigslist creator Craig Newmark, the Internet Observatory aspires to be a central outlet for the study of all manner of internet abuse, assembling for visiting researchers the necessary machine learning tools, big data analysts, and perhaps most importantly, access to major tech platforms' user data -- a key to the project that may hinge on which tech firms cooperate and to what degree. "Misinformation is not just a computer science problem. It's a problem that brings in political science, sociology, psychology," Stamos says. "Part of the idea of the Internet Observatory is to build a place for these people to work together, and we want to build the infrastructure necessary to allow all the different parts of the political and social sciences to study what's happening online." Stamos says the observatory is currently negotiating with tech firms -- he names Facebook, Google, Twitter, YouTube, and Reddit as examples -- that it hopes will offer access to user data via API in real time and in historical archives. 
The observatory will then share that access with social scientists who might have a specific research project but lack the connections or resources to grapple with the immensity of the data involved.

Google Reveals Fistful of Flaws In Apple's iMessage App

Tue, 07/30/2019 - 16:45
Google researchers have shared details of five flaws in Apple's iMessage software that could make its devices vulnerable to attack. The BBC reports: In one case, the researchers said the vulnerability was so severe that the only way to rescue a targeted iPhone would be to delete all the data off it. Another example, they said, could be used to copy files off a device without requiring the owner to do anything to aid the hack. Apple released fixes last week. But the researchers said they had also flagged a sixth problem to Apple, which had not been rectified in the update to its mobile operating system. Apple's own notes about iOS 12.4 indicate that the unfixed flaw could give hackers a means to crash an app or execute commands of their own on recent iPhones, iPads and iPod Touches if they were able to discover it. Apple has not commented on this specific issue, but has urged users to install the new version of iOS, which addresses Google's other discoveries as well as a further range of glitches and threats. One of the two Google researchers involved - Natalie Silvanovich - intends to share more details of her findings at a presentation at the Black Hat conference in Las Vegas next month.

It's 2019, and One Third of Businesses Still Have Active Windows XP Deployments

Tue, 07/30/2019 - 12:05
As end of support for the still-popular Windows 7 draws near, risks of unpatched operating systems are likely to be a significant security concern in the near future. intensivevocoder writes: There is a relatively old -- though still fundamentally true -- adage about Windows: Microsoft's biggest competition is Microsoft, as a specific subset of users (and businesses) only upgrade to the latest version of Windows kicking and screaming. According to SpiceWorks' Future of Network and Endpoint Security report, published Tuesday, 32% of organizations still have at least one Windows XP device connected to their network, despite extended support for XP ending in 2014. (Notably, the last variant of XP, Windows POSReady 2009, reached end of life in April 2019.) With the looming end of free support for Windows 7, this reticence of users and enterprises to upgrade to newer versions of Windows is likely to create significant security issues. Presently, 79% of organizations still have at least one Windows 7 system on their network, according to SpiceWorks, which also found that two thirds of businesses plan to migrate all of their machines off Windows 7 prior to the end of support on January 14, 2020, while a quarter will only migrate after that deadline. Separately, a Gartner market forecast from April forecasted that only 75% of professional PCs will be on Windows 10 by 2021.

Apple's AWDL Protocol Plagued By Flaws That Enable Tracking and MitM Attacks

Tue, 07/30/2019 - 09:25
Apple Wireless Direct Link (AWDL), a protocol installed on over 1.2 billion Apple devices, contains vulnerabilities that enable attackers to track users, crash devices, or intercept files transferred between devices via man-in-the-middle (MitM) attacks. From a report: These are the findings of a research project that started last year at the Technical University of Darmstadt, in Germany, and has recently concluded, and whose findings researchers will be presenting later this month at a security conference in the US. The project sought to analyze the Apple Wireless Direct Link (AWDL), a protocol that Apple rolled out in 2014 and which also plays a key role in enabling device-to-device communications in the Apple ecosystem. While most Apple end users might not be aware of the protocol's existence, AWDL is at the core of Apple services like AirPlay and AirDrop, and Apple has been including AWDL by default on all devices the company has been selling, such as Macs, iPhones, iPads, Apple watches, Apple TVs, and HomePods. But in the past five years, Apple has never published any in-depth technical details about how AWDL works. This, in turn, has resulted in very few security researchers looking at AWDL for bugs or implementation errors.

US Issues Hacking Security Alert for Small Planes

Tue, 07/30/2019 - 08:45
wiredmikey writes: The DHS has issued a security alert for small planes, warning that modern flight systems are vulnerable to hacking if someone manages to gain physical access to the aircraft. The alert stems from research done by security firm Rapid7, which found that an attacker could potentially disrupt electronic messages transmitted across a small plane's network, for example by attaching a small device to its wiring, that would affect aircraft systems. Engine readings, compass data, altitude and other readings "could all be manipulated to provide false measurements to the pilot," according to the DHS alert.

Capital One's Breach Was Inevitable, Because We Did Nothing After Equifax

Tue, 07/30/2019 - 06:07
An anonymous reader shares a report: Another day, another massive data breach. This time it's the financial giant and credit card issuer Capital One, which revealed on Monday a credit file breach affecting 100 million Americans and 6 million Canadians. Sound familiar? It should. Just last week, credit rating giant Equifax settled for more than $575 million over a data breach it had -- and hid from the public for several months -- two years prior. Why should we be surprised? Equifax faced zero fallout until its eventual fine. All talk, much bluster, but otherwise little action. Equifax's chief executive Richard Smith "retired" before he was fired, allowing him to keep his substantial pension packet. Lawmakers grilled the company but nothing happened. An investigation launched by the former head of the Consumer Financial Protection Bureau, the governmental body responsible for protecting consumers from fraud, declined to pursue the company. The FTC took its sweet time to issue its fine -- which amounted to about 20% of the company's annual revenue for 2018. For one of the most damaging breaches to the U.S. population since the breach of classified vetting files at the Office of Personnel Management in 2015, Equifax got off lightly. Legislatively, nothing has changed. Equifax remains as much of a "victim" in the eyes of the law as it was before -- technically, but much to the ire of the millions affected who were forced to freeze their credit as a result.

Amazon's Ring Reportedly Partners With 200 Law Enforcement Agencies

Tue, 07/30/2019 - 05:00
An anonymous reader quotes a report from Motherboard: At least 200 law enforcement agencies around the country have entered into partnerships with Amazon's home surveillance company Ring, according to an email obtained by Motherboard via public record request. Ring has never disclosed the exact number of partnerships that it maintains with law enforcement. However, the company has partnered with at least 200 law enforcement agencies, according to notes taken by a police officer during a Ring webinar, which he emailed to himself in April. It's possible that the number of partnerships has changed since the day the email was sent. The officer who sent the email told Motherboard that the email was a transcribed version of handwritten notes that he took during a team webinar with a Ring representative on April 9. Additional emails obtained by Motherboard indicate that this webinar trained officers on how to use the "Law Enforcement Neighborhood Portal." This portal allows local police to see a map with the approximate locations of all Ring cameras in a neighborhood, and request footage directly from camera owners. Owners need to consent, but police do not need a warrant to ask for footage. "This doesn't surprise me at all, and it's the perfect example of how corporate surveillance and government surveillance are inextricably linked," Evan Greer, deputy director of Fight for the Future, told Motherboard. "Amazon is building a for-profit surveillance dragnet and partnering with local law enforcement agencies in ways that avoid any form of oversight or accountability that police departments might normally be required to adhere to." "It's time to come to grips with the fact that the 1984 dystopian future we all fear isn't something a future authoritarian government might impose," Greer told Motherboard, "it's something that's being built right now, in plain sight, through partnerships between private companies and government agencies."

Capital One Says Hacker Breached Accounts of 100 Million People; Ex-Amazon Employee Arrested

Mon, 07/29/2019 - 21:18
CaptainDork shares a report from Forbes: Capital One said Monday that sensitive financial information -- including social security and bank account numbers -- from over 100 million people were exposed in a massive data breach that led to the arrest of former Amazon employee Paige Thompson, a hacker who lives in Seattle. The information was taken from credit card applications submitted to the Virginia-based bank from 2005-2019. These included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income. Additionally, Capital One said that 140,000 Social Security and 80,000 linked bank account numbers were compromised as well as fragments of transaction data from a total of 23 days during 2016, 2017 and 2018. No credit card account numbers or log-in credentials were exposed. Individuals whose information was compromised in the breach will be notified by Capital One. According to court documents, Paige Thompson was arrested for hacking into cloud computer servers rented by Capital One. Investigators say Thompson previously worked at the cloud computing company whose servers were breached, but did not name the company. "Thompson's resume, which is still online, and her LinkedIn profile indicate that she worked at Amazon, which operates the popular cloud computing business Amazon Web Services, from 2015-2016," reports Forbes. "Thompson allegedly posted the information from the hack on her Github profile, which included a link to her resume, leading the FBI to her. The hack occurred on March 22 or 23, the court documents say, but no one at Capital One knew the bank had been breached until four months later when an anonymous security researcher alerted them."

US Files Lawsuit Against Bitcoin Exchange That Helped Launder Ransomware Profits

Mon, 07/29/2019 - 16:03
The U.S. Department of Justice has filed a civil lawsuit seeking to recover more than $100 million from a notorious cryptocurrency exchange that has helped cyber-criminals launder stolen funds, such as those obtained from ransomware payments, dark web drug marketplaces, and funds from hacked cryptocurrency exchanges. ZDNet reports: In a lawsuit filed on Friday, July 26, the U.S. wants to recover $88,596,314 from the accounts of the now-defunct BTC-e cryptocurrency exchange, and an additional $12 million from Alexander "Mr. Bitcoin" Vinnik, BTC-e's founder and CEO. The sum represents a fine that was imposed by the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) in 2017 when the FBI shut down the BTC-e portal, and Greek authorities arrested Vinnik. For the past two years, the DOJ has been trying to extradite Vinnik to the U.S. to face charges, but with no success. The DOJ's civil lawsuit is an alternative legal method to make sure the U.S. Treasury FinCEN recovers its due fine in the case U.S. authorities opened in 2017. Those fines were imposed because BTC-e violated the Bank Secrecy Act (BSA). First by not registering with U.S. authorities as a Money Services Business (MSB), even if it catered to U.S. consumers. Second, for failing to implement an anti-money laundering (AML) program in accordance with U.S. and many other international standards. And third, for failing to file any suspicious activity report (SAR) for the numerous shady transactions that have happened on its platform. When authorities charged Vinnik and shut down BTC-e on July 26, 2017, the DOJ said that the platform, which claimed on its website to have handled over $7 billion worth of Bitcoin in its lifetime, had laundered criminal proceeds of more than $4 billion, representing more than half of the funds that have ever gone through its accounts.
After the BTC-e shutdown, it was revealed at the Black Hat USA 2017 security conference that 95% of all ransomware ransom payments that had been made up until that point had been cashed out and converted into fiat currency through Vinnik's BTC-e portal.

The Google Pixel 4 Will Have Built-In Radar and Unlock With a Face Scan

Mon, 07/29/2019 - 15:20
In a YouTube video and blog post, Google revealed that its upcoming Pixel 4 smartphone will feature face unlock technology and a feature called "Motion Sense," which confirms that it will have a Project Soli chip that uses radar to detect hand gestures near the phone. The Verge reports: Adding face unlock puts the Pixel 4 on par with modern iPhones for unlocking, and it's (at least in theory) more convenient than an in-screen fingerprint sensor. Google also confirmed that the Pixel 4 will use the face unlock feature for payments: "face unlock works in almost any orientation -- even if you're holding it upside down -- and you can use it for secure payments and app authentication too." As with the iPhone, Google says that biometric data will be stored locally in a secure chip and never shared with other Google services. The Pixel 4's face unlock feature will use a variety of sensors to identify your face, including depth, infrared, and RGB. That should mean that it will work in a variety of lighting situations and also work with a diverse set of faces. Google has told me that it has done "field research" to ensure both of those things. As for the "Motion Sense" feature, there's not a ton that we can glean from Google's article. Earlier rumors have pointed to it being related to Project Soli, which uses radar to detect tiny hand or finger movements above the device. For example, Google has demoed rubbing your thumb and index finger together to simulate turning a dial on a smartwatch. Some code found in the next version of Android has suggested it could be used for media controls at the very least. Google's post cites a possible use case where the Soli chip could detect your hand reaching for the phone, which would automatically turn on "the face unlock sensors." If it all works, the phone would automatically unlock itself and be ready by the time you're looking at it.

200 Million Devices -- Some Mission-Critical -- Vulnerable To Remote Takeover

Mon, 07/29/2019 - 14:45
An anonymous reader quotes a report from Ars Technica: About 200 million Internet-connected devices -- some that may be controlling elevators, medical equipment, and other mission-critical systems -- are vulnerable to attacks that give attackers complete control, researchers warned on Monday. In all, researchers with security firm Armis identified 11 vulnerabilities in various versions of VxWorks, a slimmed-down operating system that runs on more than 2 billion devices worldwide. Billed collectively as Urgent 11, the vulnerabilities consist of six remote code flaws and five less-severe issues that allow things like information leaks and denial-of-service attacks. None of the vulnerabilities affects the most recent version of VxWorks or any of the certified versions of the OS, including VxWorks 653 or VxWorks Cert Edition. For the 200 million devices Armis estimated are running a version that's susceptible to a serious attack, however, the stakes may be high. Because many of the vulnerabilities reside in the networking stack known as IPnet, they can often be exploited by little more than boobytrapped packets sent from outside the Internet. Depending on the vulnerability, exploits may also be able to penetrate firewalls and other types of network defenses. The most dire scenarios are attacks that chain together multiple exploits that trigger the remote takeover of multiple devices. "Such vulnerabilities do not require any adaptations for the various devices using the network stack, making them exceptionally easy to spread," Armis researchers wrote in a technical overview. "In most operating systems, such fundamental vulnerabilities in the crucial networking stacks have become extinct, after years of scrutiny unravelled and mitigated such flaws." 
VxWorks-maker Wind River says the latest release of VxWorks "is not affected by the vulnerability, nor are any of Wind Rivers' safety-critical products that are designed for safety certification, such as VxWorks 653 and VxWorks Cert Edition used in critical infrastructure." Wind River issued patches last month and is in the process of notifying affected customers of the threat.

DMARC's Abysmal Adoption Explains Why Email Spoofing is Still a Thing

Mon, 07/29/2019 - 10:10
Companies around the world are still failing to see the benefits of implementing DMARC, an email security protocol designed to prevent email spoofing, the primary trick used by cybercriminals to deliver phishing emails and BEC scams. From a report: Around 79.7% don't use DMARC, according to a report that surveyed the DMARC policies deployed with 21,075 business and government domains. The survey, carried out by email security and analytics firm 250ok, analyzed domains from sectors such as Fortune 500, US government (Executive, Legislative and Judicial), the China Hot 100, the top 100 law firms, international nonprofits, the SaaS 1000, education, e-commerce, financial services, and travel sectors. The survey looked specifically at DMARC adoption because of the protocol's importance.