Slashdot security articles


Privacy Group Challenges FTC's Small Facebook Settlement, Also Wants an Admission of Guilt

Sun, 07/28/2019 - 20:30
"A consumer privacy group has filed a challenge to Facebook's $5 billion settlement with the Federal Trade Commission, saying it is not 'adequate, reasonable or appropriate' and lets the social media giant off the hook for years of violations," reports the AP. The Verge argues that the current consensus is "the FTC gave the company a slap on the wrist, and Facebook's latest earnings report showed the social network earning three times as much in revenue as the FTC fine in just three months." Now, EPIC wants to potentially force the agency to alter the terms of the deal to better address complaints filed by individuals and consumer groups. EPIC takes issue not just with the relatively low size of the fine, which, while the biggest ever for a tech company, is barely a drop in the bucket for the $571 billion company. The group is also upset with how Facebook effectively avoided culpability for its actions, as part of the settlement allowed the company to avoid admitting any guilt over massive privacy and data security scandals, like Cambridge Analytica, that landed it in hot water with the agency. EPIC also wants a court to decide whether the FTC should have granted Facebook blanket immunity from past legal challenges and if the scope of the settlement can be broadened to include issues like Facebook's widespread use of facial recognition on users without their consent and violations of children's privacy. EPIC complains that the deal would extinguish more than 26,000 consumer complaints against Facebook that are currently pending at the FTC.

'No More Ransom' Decryption Tools Prevent $108M In Ransomware Payments

Sun, 07/28/2019 - 17:34
An anonymous reader quotes ZDNet: On the three-year anniversary of the No More Ransom project, Europol announced today that users who downloaded and decrypted files using free tools made available through the No More Ransom portal have prevented ransomware gangs from making profits estimated at at least $108 million... However, an Emsisoft spokesperson told ZDNet that the $108 million estimate that Europol shared today is "actually a huge underestimate. They're based on the number of successful decryptions confirmed by telemetry -- in other words, when the tools phone home to confirm they've done their job," Emsisoft told ZDNet... Just the free decryption tools for the GandCrab ransomware alone offered on the No More Ransom website have prevented ransom payments of nearly $50 million alone, Europol said. The project, which launched in July 2016, now hosts 82 tools that can be used to decrypt 109 different types of ransomware. Most of these have been created and shared by antivirus makers like Emsisoft, Avast, and Bitdefender, and others; national police agencies; CERTs; or online communities like Bleeping Computer. By far the most proficient member has been antivirus maker Emsisoft, which released 32 decryption tools for 32 different ransomware strains... All in all, Europol said that more than three million users visited the site and more than 200,000 users downloaded tools from the No More Ransom portal since its launch. One Emsisoft researcher said they were "pretty proud" of their decryptor for MegaLocker, "as not only did it help thousands of victims, but it really riled up the malware author."

Penetration Testing Toolkit Includes Exploit For 'Incredibly Dangerous' Bluekeep Vulnerability

Sat, 07/27/2019 - 08:34
An anonymous reader quotes Vice: In May, Microsoft released a patch for a bug in several versions of Windows that is so bad that the company felt it even had to release a fix for Windows XP, an operating system that has been unsupported for five years. That vulnerability is known as BlueKeep, and it has kept a lot of security researchers up at night. They are worried that someone could write an exploit for it and make a worm that could wreak havoc the way WannaCry or NotPetya -- two viruses that spread almost uncontrollably all over the world locking thousands of computers -- did... Researchers were so worried about this vulnerability that for months, no one has published the code for a proof-of-concept exploit. In other words, no one wanted to be the guy to even prove that this type of malware was even possible to write. Until now. On Tuesday, Immunity, a long-time US government contractor, announced that it had developed an exploit for BlueKeep and included it in its penetration testing toolkit Canvas, which is available only to paying subscribers. Canvas customers can now exploit this bug using Immunity's own code. ZDNet notes that Canvas licenses "cost between thousands and tens of thousands of US dollars," but also adds that "hackers have been known to pirate or legitimately buy penetration testing tools."

Marcus 'MalwareTech' Hutchins Gets No Prison Time, One Year Supervised Release

Fri, 07/26/2019 - 10:41
An anonymous reader writes: Marcus 'MalwareTech' Hutchins, the security researcher who helped stop the WannaCry ransomware outbreak, was sentenced today in the US to time served and one year of supervised release. The UK-born malware analyst avoided prison time in the case as the judge described "too many positives on other side of ledger" -- referring to Hutchins' role in the WannaCry ransomware outbreak and his work as a malware analyst. Judge J. P. Stadtmueller had a difficult decision on his hands, and would have considered a pardon. However, courts have no such power, and deferred to the executive branch. In court, Hutchins apologized, again, to victims, family, and friends. The judge waived any fines. The sentence comes after Hutchins pleaded guilty this April to two charges of entering a conspiracy to create and distribute malware, and of aiding and abetting its distribution.

Mozilla Debuts Implementation of WebThings Gateway Open Source Router Firmware

Fri, 07/26/2019 - 06:40
An anonymous reader shares a report: For the better part of two years, the folks at Mozilla have been diligently chipping away at Mozilla WebThings, an open implementation of the World Wide Web Consortium's (W3C) Web of Things standard for monitoring and controlling connected devices. In April, it gained a number of powerful logging, alarm, and networking features, and this week, a revamped component of WebThings -- WebThings Gateway, a privacy- and security-focused software distribution for smart home gateways -- formally debuted. Experimental builds of WebThings Gateway 0.9 are available on GitHub for the Turris Omnia router, with expanded support for routers and developer boards to come down the line. (Separately, there's a new build compatible with the recently announced Raspberry Pi 4.) Mozilla notes that it currently only offers "extremely basic" router configuration and cautions against replacing existing firmware, but the company says that it's a noteworthy milestone in its path to creating a full software distribution for wireless routers.

Russian Hack of Elections System Was Far-Reaching, Senate Intel Committee Report Finds

Fri, 07/26/2019 - 05:00
An anonymous reader quotes a report from The New York Times: The Senate Intelligence Committee concluded Thursday that election systems in all 50 states were targeted by Russia in 2016 (Warning: source may be paywalled; alternative source), largely undetected by the states and federal officials at the time, but at the demand of American intelligence agencies the committee was forced to redact its findings so heavily that key lessons for the 2020 election are blacked out. Even key findings at the beginning of the report were heavily redacted. It concluded that while there is no evidence that any votes were changed in actual voting machines, "Russian cyberactors were in a position to delete or change voter data" in the Illinois voter database. The committee found no evidence that they did so. While the report is not directly critical of either American intelligence agencies or the states, it described what amounted to a cascading intelligence failure, in which the scope of the Russian effort was underestimated, warnings to the states were too muted, and state officials either underreacted or, in some cases, resisted federal efforts to offer help.

Louisiana Governor Declares State Emergency After Local Ransomware Outbreak

Thu, 07/25/2019 - 18:10
Louisiana Governor John Bel Edwards has activated a state-wide state of emergency in response to a wave of ransomware infections that have hit multiple school districts. ZDNet reports: The ransomware infections took place this week and have impacted the school districts of three North Louisiana parishes -- Sabine, Morehouse, and Ouachita. IT networks are down at all three school districts, and files have been encrypted and are inaccessible, local media outlets are reporting. By signing the Emergency Declaration, the Louisiana governor is making state resources available to impacted schools. This includes assistance from cybersecurity experts from the Louisiana National Guard, Louisiana State Police, the Office of Technology Services, the Governor's Office of Homeland Security and Emergency Preparedness (GOHSEP), and others. State officials hope that additional IT expertise will speed up the recovery process so schools can resume their activity and preparations for the upcoming school year. Earlier today, some residents of Johannesburg were left without electricity after a ransomware infection.

Stock Trading Service Robinhood Admits To Storing Some Passwords in Cleartext

Thu, 07/25/2019 - 11:30
Stock trading service Robinhood has admitted this week to storing some customers' passwords in cleartext, according to emails the company has been sending to impacted customers. From a report: "On Monday night, we discovered that some user credentials were stored in a readable format within our internal system," the company said. "We resolved the issue, and after thorough review, found no evidence that this information was accessed by anyone outside our response team." Robinhood is now resetting passwords out of an abundance of caution, despite not finding any evidence of abuse. A company spokesperson told ZDNet via phone call that not all Robinhood users were impacted, but could not reveal the exact number.

Atlanta Pauses Scooter Permits After Deaths

Thu, 07/25/2019 - 10:50
Atlanta's mayor put a pause on the city's issuance of permits for smartphone-based electric scooter rentals Thursday following two recent deaths. From a report: The city had come under pressure from activists in recent days who had protested on Atlanta's streets after a man riding a scooter was run over by a city transit bus. The executive order from Mayor Keisha Lance Bottoms stops short of removing scooters from the city's streets. "Across the nation, municipalities are dealing with the sudden and unforeseen impact these devices have had on our communities," Bottoms said in a press release. "While some municipalities have banned the devices altogether, the City of Atlanta acted in good faith to work with the private sector to explore innovative solutions to ease existing commuting strains," said Bottoms. "However, as Atlanta has seen two scooter related deaths, this complex issue requires a more thorough and robust dialogue."

Amazon Requires Police To Shill Surveillance Cameras in Secret Agreement

Thu, 07/25/2019 - 08:50
Amazon's home security company Ring has enlisted local police departments around the country to advertise its surveillance cameras in exchange for free Ring products and a "portal" that allows police to request footage from these cameras, a secret agreement obtained by Motherboard shows. From a report: The agreement also requires police to "keep the terms of this program confidential." Dozens of police departments around the country have partnered with Ring, but until now, the exact terms of these partnerships have remained unknown. A signed memorandum of understanding between Ring and the police department of Lakeland, Florida, and emails obtained via a public records request, show that Ring is using local police as a de facto advertising firm. Police are contractually required to "Engage the Lakeland community with outreach efforts on the platform to encourage adoption of the platform/app." In order to partner with Ring, police departments must also assign officers to Ring-specific roles that include a press coordinator, a social media manager, and a community relations coordinator.

VLC Developer Debunks Reports of 'Critical Security Issue' In Open Source Media Player

Wed, 07/24/2019 - 16:45
New submitter Grindop53 shares a report: Widespread reports of a "critical security issue" that supposedly impacted users of VLC media player have been debunked as "completely bogus" by developers. Earlier this week, German computer emergency response team CERT-Bund -- part of the Federal Office for Information Security (BSI) -- pushed out an advisory warning network administrators and other users of a high-impact vulnerability in VLC. It seems that this advisory can be traced back to a ticket that was opened on VLC owner VideoLAN's public bug tracker more than four weeks ago. The alleged heap-based buffer overflow flaw was disclosed by a user named "topsec(zhangwy)," who stated that a malicious .mp4 file could be leveraged by an attacker to take control of VLC media player users' devices. The issue was flagged as high-risk on the CERT-Bund site, and the vulnerability was assigned a CVE entry (CVE-2019-13615). However, according to VideoLAN president Jean-Baptiste Kempf, the exploit does not work on the latest VLC build. In fact, any potential issues relating to the vulnerability were patched more than a year ago. "There is no security issue in VLC," Kempf told The Daily Swig in a phone conversation this morning. "There is a security issue in a third-party library, and a fix was pushed [out] 18 months ago." When asked how or why this oversight generated so much attention, Kempf noted that the reporter of the supposed vulnerability did not approach VideoLAN through its security reporting email address. "The guy never contacted us," said Kempf, who remains a lead developer at the VLC project. "This is why you don't report security issues on a public bug tracker." Kempf and his team were unable to replicate the issue in the latest version of VLC, leading many to believe that the bug reporter was working on a computer running an outdated version of Ubuntu. "If you report a security issue, at least update your Linux distribution," Kempf said.

FTC To Hold Facebook CEO Mark Zuckerberg Liable For Any Future Privacy Violations

Wed, 07/24/2019 - 10:45
Facebook CEO Mark Zuckerberg will have to personally answer to federal regulators under an agreement to settle a privacy case with the Federal Trade Commission that includes a $5 billion penalty for the giant social media company, the agency announced Wednesday. From a report: Separately, Facebook will pay $100 million to settle a case with the Securities and Exchange Commission for making misleading disclosures about the risk that users' data would be misused, the SEC said. Under the FTC agreement, Zuckerberg will be required to submit quarterly compliance reports directly to the federal regulators and to Facebook's board of directors. If the Facebook co-founder or "designated compliance officers" violate the agreement, they could be subject to civil and criminal penalties, the FTC said. "There's no way that the CEO can bury his head in the sand," James Kohm, head of the FTC's enforcement unit, told NPR. "There's no ostrich defense." According to FTC investigators, Facebook violated the terms of its 2011 settlement with the agency, in which it promised to protect user data from broad sharing with third-party apps. The company also committed new violations, they said. Kohm described two major incidents in which Facebook effectively lied to users. First, the company solicited phone numbers, saying they were being collected to verify users' identity if a password needed to be reset. Millions of people trusted the company, and then Facebook took those phone numbers and used them not just for security, but also for advertising purposes, the FTC said.

Don't Put Your Work Email on Your Personal Phone

Wed, 07/24/2019 - 10:05
Many of us have given up on the idea of carrying around a dedicated work phone. After all, why bother when you can get everything you need on your personal smartphone? Here's one reason: Your work account might be spying on you in the background. From a column: When you add a work email address to your phone, you'll likely be asked to install something called a Mobile Device Management (MDM) profile. Chances are, you'll blindly accept it. (What other choice do you have?) MDM is set up by your company's IT department to reach inside your phone in the background, allowing them to ensure your device is secure, know where it is, and remotely erase your data if the phone is stolen. From your company's perspective, there are obvious security reasons for installing an MDM on an employee's phone. But for employees, it's difficult to tell what these invisible profiles are collecting behind the scenes, as they provide people at your company with invisible control over your device. That's why when it comes to your phone, no matter how much you trust your IT department, it's a good idea to keep work and pleasure separate. MDM profiles, paired with device management tools, allow companies to track employee phones in a single dashboard. They can mitigate security breaches or potential harm from a rogue employee; if you work for a law firm, say, and your boss worries you're leaking sensitive emails from your smartphone, they could remotely wipe your data. MDM profiles can also force you to use a long password on your device, rather than a simple PIN, among other policies.

Google's Work in China is Not a Security Risk, White House Says

Wed, 07/24/2019 - 09:25
An anonymous reader shares a report: Earlier this month, Facebook board member and billionaire investor Peter Thiel accused Google of working with China's government. Today, The Wall Street Journal reports that Treasury Secretary Steven Mnuchin said that he and President Trump have no national security concerns about Alphabet's work in China. Thiel used the stage at National Conservatism Conference in Washington DC to call for the FBI and CIA to investigate Google's China ties. Thiel specifically cited Google's work on AI. But the same day Google confirmed that it killed plans for its controversial search engine, Dragonfly. The timing raised suspicion, and Trump tweeted that his administration would "take a look." "The president and I did diligence on this issue, we're not aware of any areas where Google is working with the Chinese government in any way that raises concerns," Mnuchin said today. He noted that Google continues to work with the US Department of Defense and that its work with China is "very, very limited."

Facebook Deceived Users About the Way It Used Phone Numbers, Facial Recognition, FTC To Allege in Complaint

Tue, 07/23/2019 - 11:58
The Federal Trade Commission plans to allege that Facebook misled users about its handling of their phone numbers as part of a wide-ranging complaint that accompanies a settlement ending the government's privacy probe, the Washington Post reported Tuesday, citing two people familiar with the matter. From the report: In the complaint, which has not yet been released, federal regulators take issue with Facebook's earlier implementation of a security feature called two-factor authentication. It allows users to request a one-time password, sent by text message, each time they log onto the social-networking site. But some advertisers managed to target Facebook users who uploaded those contact details, perhaps without the full knowledge of those who provided them, the two sources said. The misuse of the phone numbers was first identified in media reports and by academics last year [PDF]. The FTC also plans to allege that Facebook had provided insufficient information to users -- roughly 30 million -- about their ability to turn off a tool that would identify and offer tag suggestions for photos, the sources added. The sources spoke on the condition of anonymity. The facial recognition issue appears to have first been publicized earlier this year by Consumer Reports.

NSA Forms Cybersecurity Directorate Under More Assertive U.S. Effort

Tue, 07/23/2019 - 08:45
The National Security Agency will create a cybersecurity directorate later this year as part of a wider effort to align the agency's offensive and defensive operations more closely, U.S. officials said. From a report: Anne Neuberger has been tapped to lead the new directorate, slated to become operational Oct. 1. The creation of the directorate and selection of Ms. Neuberger come during a broader fusion of NSA's offensive and defensive portfolios. The integration has been under way for several years but has expanded under Gen. Paul Nakasone, who has led the NSA and the U.S. Cyber Command since May 2018. The Trump administration has sought to be more aggressive and the NSA has adopted a strategy of "persistent engagement" in cyberspace against foreign adversaries including Russia, China and Iran. Much of those efforts, which are led offensively by Cyber Command but supported by intelligence collected by NSA, have focused on deterring election interference after Moscow, according to former special counsel Robert Mueller and the U.S. intelligence community, meddled in the 2016 presidential vote to boost the candidacy of Donald Trump. Russia has denied the allegations. Ms. Neuberger, 43 years old, is expected to be named formally to her new post Tuesday during a speech by Gen. Nakasone at the International Conference on Cyber Security at Fordham University. He is expected to provide public details on the cybersecurity directorate for the first time.

AG Barr Says Consumers Should Accept Security Risks of Encryption Backdoors

Tue, 07/23/2019 - 06:02
U.S. attorney general William Barr has said consumers should accept the risks that encryption backdoors pose to their personal cybersecurity to ensure law enforcement can access encrypted communications. From a report: In remarks, Barr said the "significance of the risk should be assessed based on its practical effect on consumer cybersecurity, as well as its relation to the net risks that offering the product poses for society." He suggested that the "residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. [...] Some argue that, to achieve at best a slight incremental improvement in security, it is worth imposing a massive cost on society in the form of degraded safety." The risk, he said, was acceptable because "we are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications," and "not talking about protecting the nation's nuclear launch codes."

Hackers Stole 7.5TB of Secret Data From Russia's Intelligence Agency

Mon, 07/22/2019 - 18:02
Hackers have reportedly stolen about 7.5 terabytes of data from a major Russian Federal Security Service (FSB) contractor, thus exposing the secret projects the agency was working on to de-anonymize Tor browsing, scrape data from social media, and cut off Russia's internet from the rest of the world. Fossbytes reports: Russia's FSB is the successor agency to the infamous KGB and is similar to the FBI and MI5; a major part of their work includes electronic surveillance in the country and overseas as well. The attack on FSB took place on July 13 when a hacking group that goes by the name 0v1ru$ breached SyTech, a major FSB contractor that works on several internet projects. The hackers defaced SyTech's homepage and left a smiling Yoba Face and other pictures to indicate the breach. 0v1ru$ passed on the stolen data to the larger hacking group Digital Revolution, which in turn shared the files with various media outlets and posted on Twitter. BBC Russia outlines the project data that was stolen and lists the major ones, including Nautilus, a project to scrape data from social media platforms; Nautilus-S, a project to de-anonymize Tor users by creating exit nodes that are controlled by the Russian government; and Nadezhda, a project attempting to create a "sovereign internet" that is isolated from the rest of the internet.

Huawei Secretly Helped Build North Korea's Wireless Network, Leaked Documents Suggest

Mon, 07/22/2019 - 10:02
Chinese tech giant Huawei could have helped secretly build a 3G wireless network for North Korea, according to internal documents leaked by a former employee of the company. From a report: Huawei worked with another Chinese company, Panda International Information Technology, on a number of projects in the region over the course of eight years, as suggested by work orders, contracts and spreadsheets published by the Washington Post on Monday. The revelations come as the latest blow to Huawei's reputation in a series of events over the past year, a period in which the company has come under fire from the US government amid its trade war with China. In January, the US Justice Department unsealed indictments that included 23 counts pertaining to the alleged theft of intellectual property, obstruction of justice and fraud related to its alleged evasion of US sanctions against Iran. President Donald Trump has blacklisted the company as a security threat, and Huawei CFO Meng Wanzhou is under house arrest in Canada awaiting extradition to the US.

Equifax To Pay At Least $575M as Part of FTC Settlement

Mon, 07/22/2019 - 06:47
Equifax has agreed to pay at least $575 million to the US Federal Trade Commission, the Consumer Financial Protection Bureau and all 50 states over its massive 2017 data breach. From a report: If that isn't enough to compensate people impacted by the breach, the credit reporting company could have to pay up to $700 million -- a figure we got hints about on Friday. The settlement includes $300 million for a fund providing affected consumers with credit monitoring services and for those who bought credit or identity monitoring services in the wake of the breach. If that doesn't cover the losses, Equifax will add up to $125 million to the fund. It's also agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million in civil penalties to the CFPB. Hackers stole the personal information -- including Social Security numbers and home addresses -- of nearly 148 million Americans from Equifax's servers in a data breach that ran from May to July 2017. A December 2018 House Oversight Committee report called the breach "entirely preventable," saying Equifax didn't take action to prevent it and wasn't prepared for the aftermath.