Slashdot security articles

Slashdot: News for nerds, stuff that matters

AI R&D is Booming, But General Intelligence is Still Out of Reach

Thu, 12/12/2019 - 08:44
The AI world is booming in a range of metrics covering research, education, and technical achievements, according to AI Index report -- an annual rundown of machine learning data points now in its third year. From a news writeup, which outlines some of the more interesting and pertinent points: AI research is rocketing. Between 1998 and 2018, there's been a 300 percent increase in the publication of peer-reviewed papers on AI. Attendance at conferences has also surged; the biggest, NeurIPS, is expecting 13,500 attendees this year, up 800 percent from 2012. AI education is equally popular. Enrollment in machine learning courses in universities and online continues to rise. Numbers are hard to summarize, but one good indicator is that AI is now the most popular specialization for computer science graduates in North America. Over 21 percent of CS PhDs choose to specialize in AI, which is more than double the second-most popular discipline: security / information assurance. The US is still the global leader in AI by most metrics. Although China publishes more AI papers than any other nation, work produced in the US has a greater impact, with US authors cited 40 percent more than the global average. The US also puts the most money into private AI investment (a shade under $12 billion compared to China in second place globally with $6.8 billion) and files many more AI patents than any other country (with three times more than the number two nation, Japan). AI algorithms are becoming faster and cheaper to train. Research means nothing unless it's accessible, so this data point is particularly welcome. The AI Index team noted that the time needed to train a machine vision algorithm on a popular dataset (ImageNet) fell from around three hours in October 2017 to just 88 seconds in July 2019. Costs also fell, from thousands of dollars to double-digit figures. Self-driving cars received more private investment than any AI field. 
Just under 10 percent of global private investment went into autonomous vehicles, around $7.7 billion. That was followed by medical research and facial recognition (both attracting $4.7 billion), while the fastest-growing industrial AI fields were less flashy: robot process automation ($1 billion investment in 2018) and supply chain management (over $500 million).

Iran Banks Burned, Then Customer Accounts Were Exposed Online

Thu, 12/12/2019 - 06:46
The details of millions of Iranian bank cards were published online after antigovernment protests last month. Experts suspect a state-sponsored cyberattack. From a report: After demonstrators in Iran set fire to hundreds of bank branches last month in antigovernment protests, the authorities dealt with another less visible banking threat that is only now coming to fuller light: a security breach that exposed the information of millions of Iranian customer accounts. As of Tuesday, details of 15 million bank debit cards in Iran had been published on social media in the aftermath of the protests, unnerving customers and forcing the government to acknowledge a problem. The exposure represented the most serious banking security breach in Iran, according to Iranian media and a law firm representing some of the victims. The breach, which targeted customers of Iran's three largest banks, was likely to further rattle an economy already reeling from the effects of American sanctions and came as Iran's leadership was grappling with deep-seated anger over its deadly crackdown on the protests. The number of affected accounts represents close to a fifth of the country's population. "This is the largest financial scam in Iran's history," reported Aftab News, a conservative media outlet. "Millions of Iranians are worried to find their names among the list of hacked accounts."

Maze Ransomware Was Behind Pensacola 'Cyber Event,' Florida Officials Say

Wed, 12/11/2019 - 14:50
An anonymous reader quotes a report from Ars Technica: An email sent by the Florida Department of Law Enforcement to all Florida county commissioners indicated that the ransomware that struck the city of Pensacola on December 7 was the same malware used in an attack against the private security firm Allied Universal, according to a report by the Pensacola News Journal. That malware has been identified elsewhere as Maze, a form of ransomware that has also been distributed via spam email campaigns in Italy. Bleeping Computer's Lawrence Abrams reported in November that the Maze operators had contacted him after the Allied Universal attack, claiming to have stolen files from the company before encrypting them on the victims' computers. After Allied apparently missed the deadline for payment of the ransom on the files, the ransomware operators published 700 megabytes of files from Allied and demanded 300 Bitcoins (approximately $2.3 million) to decrypt the network. The Maze operators told Abrams that they always steal victims' files to use as further leverage to get them to pay: "It is just a logic. If we disclose it who will believe us? It is not in our interest, it will be silly to disclose as we gain nothing from it. We also delete data because it is not really interesting. We are neither espionage group nor any other type of APT, the data is not interesting for us." "The use of the data to blackmail the victim, and in Allied's case, the threat to use Allied's certificates and domain name to spam customers with additional ransomware attacks, is something new," writes Sean Gallagher. "This is the first time this has ever happened, as far as we know," said Brett Callow, a spokesperson for the antivirus software vendor Emsisoft. "Ransomware groups usually encrypt, not steal. We expect data exfiltration to become more and more commonplace. Whether Pensacola's data was exfiltrated, I obviously can't say."

Microsoft is About To Start Aggressively Advertising Windows 10 To Windows 7 Stragglers

Wed, 12/11/2019 - 14:10
Mark Wycislik-Wilson, writing for BetaNews: Having already started to notify Windows 7 hangers-on that support is due to come to an end, Microsoft is now ready to get a little more aggressive. If you haven't moved on from Windows 7, soon you will see full-screen notifications warning you that "your Windows 7 PC is out of support." The messages are due to be displayed from the day after support ends. So when January 15 rolls around, anyone who has doggedly stuck with Windows 7 will find that they not only have no support and no security updates, but also that they are pestered by an invasive message delivered by a program called EOSnotify.exe.

Apple Used the DMCA to Take Down a Tweet Containing an iPhone Encryption Key

Wed, 12/11/2019 - 12:36
Security researchers are accusing Apple of abusing the Digital Millennium Copyright Act (DMCA) to take down a viral tweet and several Reddit posts that discuss techniques and tools to hack iPhones. Lorenzo Franceschi-Bicchierai, reporting for Vice: On Sunday, a security researcher who focuses on iOS and goes by the name Siguza posted a tweet containing what appears to be an encryption key that could be used to reverse engineer the Secure Enclave Processor, the part of the iPhone that handles data encryption and stores other sensitive data. Two days later, a law firm that has worked for Apple in the past sent a DMCA Takedown Notice to Twitter, asking for the tweet to be removed. The company complied, and the tweet became unavailable until today, when it reappeared. In a tweet, Siguza said that the DMCA claim was "retracted." Apple confirmed that it sent the original DMCA takedown request, and later asked Twitter to put the Tweet back online. At the same time, Reddit received several DMCA takedown requests for posts on r/jailbreak, a popular subreddit where iPhone security researchers and hackers discuss techniques to jailbreak Apple devices, according to the subreddit's moderators. "Admins have not reached out to us in regards to these removals. We have no idea who is submitting these copyright claims," one moderator wrote.

ACLU is Suing ICE For Details on How It Uses Phone Spying Devices

Wed, 12/11/2019 - 09:30
The American Civil Liberties Union filed a lawsuit Wednesday demanding that two US Homeland Security agencies -- Customs and Border Protection and Immigration and Customs Enforcement -- release details on how they've been using powerful phone surveillance tools. From a report: The ACLU is suing after the two agencies declined to provide it with documents related to International Mobile Subscriber Identity, or IMSI, catchers, more commonly known as Stingrays. These devices pretend to be cell towers and connect with nearby phones, intercepting data that details calls, messages and device location. IMSI catchers can often pull in data from entire neighborhoods, and they're able to obtain sensitive details on people without the people even knowing. Civil liberties and privacy groups have criticized the technology for its invasive surveillance. The two agencies have denied the ACLU's requests for information since 2017, telling the civil rights organization that "no records responsive to your request were found." The assertion comes despite the fact that a House Oversight Committee investigation in 2016 found that ICE spent $10.6 million on 59 IMSI catchers and that CBP had spent $2.5 million on 33 IMSI catchers.

India Proposes New Rules To Access Its Citizens' Data

Wed, 12/11/2019 - 08:50
India has proposed groundbreaking rules, akin to Europe's GDPR, that would require technology companies to garner consent from citizens before collecting and processing their personal data. But at the same time, the new rules also state that companies would have to hand over "non-personal" data of their users to the government, and New Delhi would also hold the power to collect any data of its citizens without consent to serve sovereignty and larger public interest. From a report: The new rules, proposed in the nation's first major data protection law dubbed "Personal Data Protection Bill 2019," a copy of which leaked on Tuesday, would permit New Delhi to "exempt any agency of government from application of Act in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order." If the bill passes, select controversial laws drafted more than a decade ago would remain unchanged. The bill might also change how global technology companies that have invested billions of dollars in India, thanks in part to the lax laws, see the nation of more than 600 million internet users.

Chrome Now Warns You When Your Password Has Been Stolen

Tue, 12/10/2019 - 16:10
Google is rolling out Chrome 79, and it includes a number of password protection improvements. The Verge reports: The biggest addition is that Chrome will now warn you when your password has been stolen as part of a data breach. Google has been warning about reused passwords in a separate browser extension or in its password checkup tool, but the company is now baking this directly into Chrome to provide warnings as you log in to sites on the web. You can control this new functionality in the sync settings in Chrome, and Google is using strongly hashed and encrypted copies of passwords to match them using multiple layers of encryption. This allows Google to securely match passwords using a technique called private set intersection with blinding. Alongside password warnings, Google is also improving its phishing protection with a real-time option. Google has been using a list of phishing sites that updates every 30 minutes, but the company found that fraudsters have been quickly switching domains or hiding from Google's crawlers. This new real-time protection should generate warnings for 30 percent more cases of phishing.
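The "private set intersection with blinding" the report mentions is easier to reason about with the exchange written out. The following is an added example, not Google's or Chrome's code: it implements the same shape of protocol (client reveals only a short hash prefix, blinds the full hash with a random exponent, the server applies its secret key, the client unblinds and compares against the server-keyed bucket) over a toy multiplicative group. The modulus, generator, prefix length, hash function and sample breach list are all constructed assumptions; a real deployment uses an elliptic curve and a slow credential hash.

```python
import hashlib
import secrets
from math import gcd

# Toy group for illustration: the multiplicative group modulo the Mersenne prime
# 2^127 - 1 (a constructed parameter; a real deployment uses an elliptic curve).
P = (1 << 127) - 1
ORDER = P - 1        # every non-zero y satisfies y**ORDER == 1 (mod P)
G = 3
PREFIX_BYTES = 2     # the only part of the credential hash the client reveals in clear


def cred_hash(username: str, password: str) -> bytes:
    """Hash the credential pair (a production system uses a slow, salted hash)."""
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).digest()


def to_group(h: bytes) -> int:
    """Map a hash onto a group element: G ** h (mod P)."""
    return pow(G, int.from_bytes(h, "big"), P)


def random_exponent() -> int:
    """Exponent in [2, ORDER-1] that is invertible modulo ORDER, so it can be undone."""
    while True:
        e = secrets.randbelow(ORDER - 2) + 2
        if gcd(e, ORDER) == 1:
            return e


class BreachServer:
    """Stores breached credentials bucketed by hash prefix, each raised to a secret server key."""

    def __init__(self, breached):
        self.key = random_exponent()
        self.buckets = {}
        for user, pw in breached:
            h = cred_hash(user, pw)
            self.buckets.setdefault(h[:PREFIX_BYTES], set()).add(pow(to_group(h), self.key, P))

    def query(self, prefix: bytes, blinded: int):
        """The server only ever sees a 2-byte prefix and a blinded group element."""
        return pow(blinded, self.key, P), self.buckets.get(prefix, set())


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client side: learn whether (username, password) is in the breach set, revealing only the prefix."""
    h = cred_hash(username, password)
    y = to_group(h)
    r = random_exponent()
    blinded = pow(y, r, P)                     # y^r hides y from the server
    doubly_blinded, bucket = server.query(h[:PREFIX_BYTES], blinded)
    # Unblind: (y^r)^k raised to r^-1 is y^k, exactly the form the server stored.
    y_k = pow(doubly_blinded, pow(r, -1, ORDER), P)
    return y_k in bucket
```

The two-byte prefix is the privacy/bandwidth knob: it leaks 16 bits of the hash and in return keeps each bucket small. The server never learns the credential hash (it sees y^r for a fresh random r) and the client never learns the server key (it only sees its own y^k and the bucket of other y_i^k values), which is the property the report is describing.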

New Plundervolt Attack Impacts Intel Desktop, Server, and Mobile CPUs

Tue, 12/10/2019 - 14:50
An anonymous reader quotes a report from ZDNet: Academics from three universities across Europe have disclosed today a new attack that impacts the integrity of data stored inside Intel SGX, a highly-secured area of Intel CPUs. The attack, which researchers have named Plundervolt, exploits the interface through which an operating system can control an Intel processor's voltage and frequency -- the same interface that allows gamers to overclock their CPUs. Academics say they discovered that by tinkering with the amount of voltage and frequency a CPU receives, they can alter bits inside SGX to cause errors that can be exploited at a later point after the data has left the security of the SGX enclave. They say Plundervolt can be used to recover encryption keys or introduce bugs in previously secure software. Intel desktop, server, and mobile CPUs are impacted. A full list of vulnerable CPUs is available here. Intel has also released microcode (CPU firmware) and BIOS updates today that address the Plundervolt attack [by allowing users to disable the energy management interface at the source of the attack, if not needed]. Proof-of-concept code for reproducing attacks will be released on GitHub.
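The report says a corrupted multiply inside the enclave can later be turned into key recovery. The textbook mechanism for that is the RSA-CRT fault attack (Boneh, DeMillo and Lipton; Lenstra's variant): a signature that is correct modulo one prime and wrong modulo the other leaks a factor of the modulus. The following is an added illustration of that class of attack, not code from the Plundervolt paper or from Intel; the key, message and fault mask are constructed and the primes are toy-sized. It also shows the cheap countermeasure a signing routine should have regardless of microcode updates: verify with the public key before releasing the signature.

```python
from math import gcd

# Toy RSA-CRT key (constructed; two well-known primes near 10^6, far too small for real use).
P, Q = 999983, 1000003
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)
D_P, D_Q = D % (P - 1), D % (Q - 1)
Q_INV = pow(Q, -1, P)


def sign_crt(m: int, fault_mask: int = 0) -> int:
    """RSA-CRT signature. fault_mask simulates a bit flip in the mod-P half (one faulted multiply)."""
    s_p = pow(m, D_P, P) ^ fault_mask
    s_q = pow(m, D_Q, Q)
    h = (Q_INV * (s_p - s_q)) % P          # Garner recombination
    return (s_q + h * Q) % N


def sign_crt_checked(m: int, fault_mask: int = 0) -> int:
    """Countermeasure: re-verify with the public exponent and refuse to output a bad signature."""
    s = sign_crt(m, fault_mask)
    if pow(s, E, N) != m % N:
        raise RuntimeError("fault detected: signature withheld")
    return s


def recover_factor(m: int, faulty_sig: int) -> int:
    """A signature wrong modulo exactly one prime: s^e - m is 0 mod the other prime, so gcd reveals it."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)


def demo() -> int:
    """Fault one bit of the mod-P half and recover a factor from the released signature alone."""
    m = 123456789                          # constructed message representative
    bad = sign_crt(m, fault_mask=1 << 5)
    return recover_factor(m, bad)
```

Note what the attacker needs: the public key, the message and one faulty signature. Nothing about the enclave's memory is read; the secret leaks through an output the enclave was willing to release, which is why output checking matters as much as the voltage-interface fix.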

Iran's Internet Freedom is On Life Support

Tue, 12/10/2019 - 12:50
An anonymous reader shares a report: In November, Iran's government announced a price hike on oil, leading to mass protests in Tehran. To quell the spreading unrest, the Iranian government effectively shut down the internet. After a week of Iranian security forces cracking down on protesters, including an estimated death toll between 140 and 208, internet access was gradually restored around the country. Judging by statements made by President Hassan Rouhani, the internet shutdowns could be a harbinger of more censorship in 2020 and beyond. Iran's intranet, known as the National Information Network, will be expanded so "people will not need foreign [networks] to meet their needs," President Rouhani said to Iran's parliament on Sunday, according to Radio Farda. The decree to bolster the NIN comes from Supreme Leader Ali Khamenei himself, Rouhani said. Developing a more robust intranet would allow the Iranian government to cut access to the internet, and Iranians off from the rest of the world, without the economic self-impairment that internet cutoffs cause. An intranet would allow the Iranian government to select what sites and content Iranians can see, as opposed to the blunt and costly tool of a total shutdown.

Google Releases Chrome 79 With New Features Including an Option To Freeze Tabs and Back-Forward Caching

Tue, 12/10/2019 - 12:10
Google today released Chrome 79 for Windows, Mac, Linux, Chrome OS, Android, and iOS users. This release comes with security and bug fixes, but also with new features such as built-in support for the Password Checkup tool, real-time blacklisting of malicious sites via the Safe Browsing API, general availability of Predictive Phishing protections, a ban on loading HTTPS "mixed content," support for tab freezing, a new UI for the Chrome Sync profile section, and support for a back-forward caching mechanism. ZDNet has outlined each new feature in-depth.

Are You One Of Avast's 400 Million Users? This Is Why It Collects And Sells Your Web Habits.

Tue, 12/10/2019 - 11:30
Avast, the multibillion-dollar Czech security company, doesn't just make money from protecting its 400 million users' information. It also profits in part because of sales of users' Web browsing habits and has been doing so since at least 2013. From a report: That's led to some labelling its tools "spyware," the very thing Avast is supposed to be protecting users from. Both Mozilla and Opera were concerned enough to remove some Avast tools from their add-on stores earlier this month, though the anti-virus provider says it's working with Mozilla to get its products back online. But recently appointed chief executive Ondrej Vlcek tells Forbes there's no privacy scandal here. All that user information that it sells cannot be traced back to individual users, he asserts. Here's how it works, according to Vlcek: Avast users have their Web activity harvested by the company's browser extensions. But before it lands on Avast servers, the data is stripped of anything that might expose an individual's identity, such as a name in the URL, as when a Facebook user is logged in. All that data is analysed by Jumpshot, a company that's 65%-owned by Avast, before being sold on as "insights" to customers. Those customers might be investors or brand managers. What do those customers get? Vlcek says Jumpshot, which was initially acquired in 2013, provides "insights on how cohorts of users on the internet use the web." For instance, it could show a percentage of visitors who went from one website to another. That could be useful to anyone monitoring an advertising campaign. "Typical customers would be, for example, investors, who would be interested in how online companies are doing in terms of their new campaigns," the new Avast chief explains. Say Amazon launches a new product -- Jumpshot could determine how much interest it's getting online.
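The pipeline Vlcek describes (scrub identifying material before the data leaves the browser, then sell only cohort-level transitions such as "went from site A to site B") is sketched below as an added example. This is not Avast's or Jumpshot's code; the clickstream records, the parameter blocklist and the ID regex are constructed assumptions. The point it makes is that "stripped of anything that might expose an individual's identity" is a stronger claim than a scrub step can support: a blocklist of parameter names misses session tokens, a URL path can carry a username, and any scrubbed URL seen from a single device is a quasi-identifier. The defensible output is the aggregate with a minimum-device threshold, not the scrubbed per-user stream.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed clickstream (not real Avast or Jumpshot data): (device_id, url) in visit order.
CLICKS = [
    ("d1", "https://www.amazon.com/s?k=headphones&tag=alice-20"),
    ("d1", "https://www.amazon.com/dp/B07XJ8C8F5?session=9f3a2c"),
    ("d1", "https://www.facebook.com/alice.smith/posts/10158229913"),
    ("d2", "https://www.amazon.com/s?k=headphones"),
    ("d2", "https://www.amazon.com/dp/B07XJ8C8F5"),
    ("d3", "https://www.amazon.com/s?k=tv"),
    ("d3", "https://www.bestbuy.com/site/tv"),
]

NAME_PARAMS = {"name", "user", "email", "tag"}          # a blocklist, so it is never complete
ID_SEGMENT = re.compile(r"^(\d{6,}|[0-9a-f]{8,})$")      # long numbers / hex strings look like IDs


def naive_scrub(url: str) -> str:
    """Strip only known name-bearing query parameters; everything else passes through."""
    s = urlsplit(url)
    kept = [f"{k}={v}" for k, v in parse_qsl(s.query) if k.lower() not in NAME_PARAMS]
    return urlunsplit((s.scheme, s.netloc, s.path, "&".join(kept), ""))


def strict_scrub(url: str) -> str:
    """Keep scheme, host and path only, with ID-like path segments masked; drop query and fragment."""
    s = urlsplit(url)
    path = "/".join("<id>" if ID_SEGMENT.match(seg) else seg for seg in s.path.split("/"))
    return urlunsplit((s.scheme, s.netloc, path, "", ""))


def single_device_urls(clicks, scrub):
    """Scrubbed URLs seen from exactly one device: each is a potential quasi-identifier."""
    devices = defaultdict(set)
    for dev, url in clicks:
        devices[scrub(url)].add(dev)
    return {u for u, devs in devices.items() if len(devs) == 1}


def host_transitions(clicks, scrub, k: int):
    """Aggregate site-to-site transition counts, suppressing pairs seen from fewer than k devices."""
    per_device = defaultdict(list)
    for dev, url in clicks:
        per_device[dev].append(urlsplit(scrub(url)).netloc)
    seen = defaultdict(set)
    for dev, hosts in per_device.items():
        for a, b in zip(hosts, hosts[1:]):
            if a != b:
                seen[(a, b)].add(dev)
    return {pair: len(devs) for pair, devs in seen.items() if len(devs) >= k}
```

Even the strict scrubber leaves `facebook.com/alice.smith/posts/<id>`: the username is a path segment, not an ID-shaped token, and no scrub rule catches it. That is the caveat to apply to any "cannot be traced back" claim that rests on URL rewriting alone.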

Google Built Its Own Tiny HDMI 2.1 Box To Jump-Start 'the Next Generation of Android TV'

Tue, 12/10/2019 - 09:30
Google today announced that Android 10 is arriving on Android TV, and it's about as bland of an update as they come. From a report: Primarily, it's just the performance and security benefits of Android 10, without a single new user-facing feature. But at the bottom of Google's blog post, the company hints at why: Google's busy prepping for the "next-generation of Android TV," starting with the miniature box above. Google says this new ADT-3 dongle is a full-fledged Android TV platform, with a quad-core ARM Cortex A53 CPU, 2GB of DDR3 memory, and the ability to output 4K HDR content at 60 frames per second over its HDMI 2.1 port. Before you get too excited, know that it's a developer device. Like its predecessor, the ADT-2, it's possible you'll never see one officially available for purchase.

Facebook Tells US Attorney General It's Not Prepared To Get Rid Of Encryption On WhatsApp And Messenger

Tue, 12/10/2019 - 08:50
Facebook said it would not weaken end-to-end encryption across its messaging apps, despite pressure from world governments, in a letter to US Attorney General Bill Barr and UK and Australian leaders. From a report: The letter, sent Monday, came in response to an October open letter from Barr, UK Home Secretary Priti Patel, Australian Minister for Home Affairs Peter Dutton, and then-acting US homeland security secretary Kevin McAleenan, which raised concerns that Facebook's continued implementation of end-to-end encryption on its WhatsApp and Messenger apps would prevent law enforcement agencies from finding illegal activity such as child sexual exploitation, terrorism, and election meddling. The US, UK, and Australian governments asked the social networking company to design a backdoor in its encryption protocols, or a separate way for law enforcement to gain access to user content. "It is simply impossible to create such a backdoor for one purpose and not expect others to try and open it," wrote WhatsApp head Will Cathcart and Messenger head Stan Chudnovsky in Facebook's response. "People's private messages would be less secure and the real winners would be anyone seeking to take advantage of that weakened security. That is not something we are prepared to do."

Cyberattack Hits City of Pensacola After Shooting At Naval Air Station

Mon, 12/09/2019 - 17:30
The city of Pensacola, Florida, has been dealing with a cyberattack since late Friday when a Saudi Air Force trainee killed three sailors at Pensacola Naval Air Station. Officials for the city are unsure whether the incidents are related. CNN reports: The city of Pensacola, Florida, said it has experienced a cyber "incident" and has disconnected several city services until the issue can be resolved. Mayor Grover Robinson told CNN affiliate WEAR the city has been dealing with a cyberattack since late Friday. The city said the issue has impacted city emails and phones, 311 customer service and online payments, including Pensacola Energy and Pensacola Sanitation Services. However, 911 and emergency services are not impacted. As for whether the cyberattack is related to the Friday shooting, Kaycee Lagarde, a spokeswoman for the mayor, said: "It's really too early to say one way or another. We are still assessing this. We understand that it's on people's mind but we just don't know at this point." Lagarde said the incident was reported to the FBI and Homeland Security as a precaution.

WireGuard VPN Is On Its Way To Linux

Mon, 12/09/2019 - 16:50
WireGuard has now been committed to the mainline Linux kernel. "While there are still tests to be made and hoops to be jumped through, it should be released in the next major Linux kernel release, 5.6, in the first or second quarter of 2020," reports ZDNet. From the report: WireGuard has been in development for some time. It is a layer 3 secure VPN. Unlike its older rivals, which it's meant to replace, its code is much cleaner and simple. The result is a fast, easy-to-deploy VPN. While it started as a Linux project, WireGuard code is now cross-platform, and its code is now available on Windows, macOS, BSD, iOS, and Android. It took longer to arrive than many wished because WireGuard's principal designer, Jason Donenfeld, disliked Linux's built-in cryptographic subsystem on the grounds its application programming interface (API) was too complex and difficult. He suggested it be supplemented with a new cryptographic subsystem: His own Zinc library. Many developers didn't like this. They saw this as wasting time reinventing the cryptographic well. But Donenfeld had an important ally. Torvalds wrote, "I'm 1000% with Jason on this. The crypto/ model is hard to use, inefficient, and completely pointless when you know what your cipher or hash algorithm is, and your CPU just does it well directly." In the end, Donenfeld compromised. "WireGuard will get ported to the existing crypto API. So it's probably better that we just fully embrace it, and afterward work evolutionarily to get Zinc into Linux piecemeal." That's exactly what happened. Some Zinc elements have been imported into the legacy crypto code in the forthcoming Linux 5.5 kernel. This laid the foundation for WireGuard to finally ship in Linux early next year.

Google Under Investigation For 'Thanksgiving Four' Firings, Allegedly Discouraging Unions

Mon, 12/09/2019 - 14:12
An anonymous reader quotes a report from CNBC: The U.S. National Labor Relations Board has started a new investigation into Google's labor practices. An agency spokesperson confirmed to CNBC Monday that the probe, which will include whether Google violated labor laws when it recently fired four employees, has officially commenced. It will also look at whether Google discouraged employees from engaging in union activity. The investigation is expected to take roughly three months and be conducted by its regional staff based in Oakland. The latest investigation comes after four Google employees filed a federal complaint with the NLRB on Dec. 5, alleging unfair labor practices, which would violate a settlement made by Google. Google now faces another federal investigation into its labor practice just months after a separate settlement with the NLRB. [...] The latest investigation stems from employee uproar over the interrogation and subsequent firing of employees Rebecca Rivers and Laurence Berland, who had been placed on sudden and indefinite administrative leave in November for allegedly sharing sensitive information. After that, Berland and Rivers held a rally in San Francisco that drew in roughly 200 Google workers, demanding the company reinstate the two employees and stating they were placed on leave in retaliation for their activism against the company's handling of hate policies and immigration issues. The week of Thanksgiving, Google fired four employees, including Berland and Rivers, claiming they shared confidential documents and breached security. In an internal memo, the company's security and investigations team called it a "rare" case.

Linux Users Can Now Use Disney+ After DRM Fix

Sun, 12/08/2019 - 12:34
"Linux users can now stream shows and movies from the Disney+ streaming service after Disney lowered the level of their DRM requirements," reports Bleeping Computer: When Disney+ was first launched, Linux users who attempted to watch shows and movies were shown an error stating "Something went wrong. Please try again. If the problem persists, visit the Disney+ Help Center (Error Code 83)." As explained by Hans de Goede, this error was being caused by the Disney+ service using the highest level of security for the Widevine Digital Rights Management (DRM) technology. As some Linux and Android devices did not support this higher DRM security level, they were unable to stream Disney+ shows in their browsers... Yesterday, Twitter users discovered that Disney+ had suddenly started working on Linux browsers after the streaming service tweaked their DRM security levels... Even with Disney+ lowering the DRM requirements, users must first make sure DRM is enabled in the browser. For example, Disney+ will not work with Firefox unless you enable the "Play DRM-controlled content" setting in the browser.

Open-Source Security Nonprofit Tries Raising Money With 'Hacker-Themed' T-Shirts

Sun, 12/08/2019 - 10:34
The nonprofit Open Source Technology Improvement Fund connects open-source security projects with funding and logistical support. (Launched in 2015, the Illinois-based group includes on its advisory council representatives from DuckDuckGo and the OpenVPN Project.) To raise more money, they're now planning to offer "hacker-themed swag" and apparel created with a state-of-the-art direct-to-garment printer -- and they're using Kickstarter to help pay for that printer: With the equipment fully paid for, we will add a crucial revenue stream to our project so that we can get more of our crucial work funded. OSTIF is kicking in half of the funding for the new equipment from our own donated funds from previous projects, and we are raising the other half through this Kickstarter. We have carefully selected commercial-grade equipment, high quality materials, and gathered volunteers to work on the production of the shirts and wallets. Pledges of $15 or more will be rewarded with an RFID-blocking wallet that blocks "drive-by" readers from scanning cards in your pocket, engraved with the message of your choice. And donors pledging $18 or more get to choose from their "excellent gallery" of t-shirts. Dozens of artists have contributed more than 40 specially-commissioned "hacker-themed" designs, including "Resist Surveillance" and "Linux is Communism" (riffing on a 2000 remark by Microsoft's CEO Steve Ballmer). There are also shirts commemorating Edward Snowden (including one with an actual NSA document leaked by Edward Snowden) as well as a mock concert t-shirt for the "world tour" of the EternalBlue exploit listing locations struck after it was weaponized by the NSA. One t-shirt even riffs on the new millennial catchphrase "OK boomer" -- replacing it with the phrase "OK Facebook" using fake Cyrillic text. And one t-shirt design shows an actual critical flaw found by the OSTIF while reviewing OpenVPN 2.4.0. So far they have 11 backers, earning $790 of their $45,000 goal.

Are You Ready for the End of Python 2?

Sat, 12/07/2019 - 20:34
"Users of an old version of the popular Python language face a reckoning at the end of the year," reports Wired, calling it a programmer's "own version of update hell." The developers who maintain Python, who work for a variety of organizations or simply volunteer their time, say they will stop supporting Python 2 on January 1, 2020 -- more than a decade after the introduction of Python 3 in December 2008. That means no more security fixes or other updates, at least for the official version of Python. The Python team extended the initial deadline in 2015, after it became apparent that developers needed more time to make the switch. It's hard to say how many organizations still haven't made the transition. A survey of developers last year by programming toolmaker JetBrains found that 75 percent of respondents use Python 3, up from 53 percent the year before. But data scientist Vicki Boykis points out in an article for StackOverflow that about 40 percent of software packages downloaded from the Python code management system PyPI in September were written in Python 2.7. For many companies, the transition remains incomplete. Even Dropbox, which employed Python creator Guido van Rossum until his retirement last month, still has some Python 2 code to update. Dropbox engineer Max Belanger says shifting the company's core desktop application from Python 2 to Python 3 took three years. "It wasn't a lot of absolute engineering work," Belanger says. "But it took a long time because stability is so important. We wanted to make sure our users didn't feel any effects of the transition." The transition from Python 2 to 3 is challenging in part because of the number and complexity of other tools that programmers use. Programmers often rely on open source bundles of code known as "libraries" that handle common tasks, such as connecting to databases or verifying passwords. These libraries spare developers from having to rewrite these features from scratch. 
But if you want to update your code from Python 2 to Python 3, you need to make sure all the libraries you use also have made the switch. "It isn't all happening in isolation," Belanger says. "Everyone has to do it." Today, the 360 most popular Python packages are all Python 3-compatible, according to the site Python 3 Readiness. But even one obscure library that hasn't updated can cause headaches. Python's core team is now prioritizing smaller (but more frequent) updates to make it easier to migrate to newer versions, according to the article, noting that Guido van Rossum "wrote last month that there might not ever be a Python 4. The team could just add features to Python 3 indefinitely that don't break backward compatibility."
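Checking "all the libraries you use" is a dependency-audit problem, and the end of security fixes makes it a supply-chain one. The following is an added example (not from the Wired article, the Python 3 Readiness site or the Python core team) that audits what is installed for declared Python 3 support using the trove classifiers and Requires-Python metadata packages publish. The classifier strings are the standard PyPI names; the decision to report undeclared packages as "unknown" rather than guessing is my own rule.

```python
import re
from importlib.metadata import distributions

# Trove classifiers as published on PyPI; "3 :: Only" is the explicit Python-3-only marker.
PY3_CLASSIFIER = re.compile(r"^Programming Language :: Python :: 3( :: Only|\.\d+)?$")
PY2_CLASSIFIER = re.compile(r"^Programming Language :: Python :: 2(\.\d+)?$")
REQUIRES_PY3 = re.compile(r"^\s*>=?\s*3")      # e.g. ">=3.6"; ">=2.7, !=3.0.*" deliberately not matched


def classify(classifiers, requires_python):
    """Return 'py3', 'py2-only' or 'unknown' from a distribution's declared metadata."""
    if requires_python and REQUIRES_PY3.match(requires_python):
        return "py3"
    if any(PY3_CLASSIFIER.match(c) for c in classifiers):
        return "py3"
    if any(PY2_CLASSIFIER.match(c) for c in classifiers):
        return "py2-only"
    return "unknown"   # nothing declared: needs a manual look, not a guess


def scan_installed():
    """Bucket every installed distribution by its declared readiness."""
    report = {"py3": [], "py2-only": [], "unknown": []}
    for dist in distributions():
        meta = dist.metadata
        name = meta.get("Name") or "<unnamed>"
        classifiers = meta.get_all("Classifier") or []
        report[classify(classifiers, meta.get("Requires-Python"))].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in scan_installed().items():
        print(f"{bucket}: {len(names)}", *sorted(names)[:10], sep="\n  ")
```

Run it inside the environment you ship (a virtualenv or container), since `distributions()` reports only what is installed there. A package that declares nothing is not evidence of compatibility; the "unknown" bucket is the one to chase, because a Python 2-only dependency after 1 January 2020 is an unpatched component whether or not it still imports.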