Slashdot security articles


'Hard-To-Fix' Cisco Flaw Puts Work Email At Risk

Tue, 05/14/2019 - 14:10
An anonymous reader quotes a report from the BBC: Security researchers have discovered serious vulnerabilities affecting dozens of Cisco devices. The flaws allow hackers to deceive the part of the product hardware that checks whether software updates come from legitimate sources. Experts believe this could put emails sent within an organization at risk as they may use compromised routers. Messages sent externally constitute less of a risk, however, as they tend to be encrypted. The California-based firm said it is working on "software fixes" for all affected hardware. "We've shown that we can quietly and persistently disable the Trust Anchor," Red Balloon chief executive Ang Cui told Wired magazine. "That means we can make arbitrary changes to a Cisco router, and the Trust Anchor will still report that the device is trustworthy. Which is scary and bad, because this is in every important Cisco product. Everything." Security experts believe that the vulnerability could cause a major headache for Cisco, which has listed dozens of its products as vulnerable on its website. "We don't know how many devices could have been affected and it's unlikely Cisco can tell either," said Prof Alan Woodward, a computer security expert based at Surrey University. "It could cost Cisco a lot of money." Security firm Red Balloon has set up a website with more details on the vulnerabilities, which they are calling "Thrangrycat."

Microsoft Patches 'Wormable' Flaw in Windows XP, 7 and Windows 2003

Tue, 05/14/2019 - 13:30
Microsoft today is taking the unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003, citing the discovery of a "wormable" flaw that the company says could be used to fuel a fast-moving malware threat like the WannaCry ransomware attacks of 2017. From a report: The vulnerability (CVE-2019-0708) resides in the "remote desktop services" component built into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008. It also is present in computers powered by Windows XP and Windows 2003, operating systems for which Microsoft long ago stopped shipping security updates. Microsoft said the company has not yet observed any evidence of attacks against the dangerous security flaw, but that it is trying to head off a serious and imminent threat.

Google Exec's Internal Email On Data Leak Policy Rattles Employees

Tue, 05/14/2019 - 11:32
With employees organizing sit-ins over retaliation and continuing to agitate for change, Google is locking down internal communications. From a report: Google's top legal executive Kent Walker sent an all-staff email on Thursday informing employees that accessing documents classified as "need to know" without permission could result in termination, sources inside the company tell BuzzFeed News. After BuzzFeed News contacted Google about the email, Walker sent an update on Tuesday in the company's daily newsletter, clarifying that employees were typically only terminated when intentional violations resulted in data leaks, risks to user privacy, or harm to co-workers. The Thursday email, titled "An important reminder on data classifications," referenced changes to Google's data security policy that were updated in October. Although the policy has been in place since 2007, and updates are visible internally, employees weren't notified by email at the time. The timing of the email announcement rattled employees who've been involved with organizing within the company's ranks and who told BuzzFeed News they saw it as a blow to internal accountability mechanisms. These employees said the "need to know" language in the data security policy leaves which particular documents are considered "need to know" up to Google's interpretation; "need to know" documents aren't necessarily labeled as such, and the punishment for accessing such documents without permission can vary but includes termination.

Intel CPUs Released in Last 8 Years Impacted by New Zombieload Side-Channel Attack

Tue, 05/14/2019 - 09:22
Academics have discovered a new class of vulnerabilities in Intel processors that can allow attackers to retrieve data being processed inside a CPU. From a report: The leading attack in this new vulnerability class is a security flaw named Zombieload, which is another side-channel attack in the same category as Meltdown, Spectre, and Foreshadow. Just like the first three, Zombieload is exploited by taking advantage of the speculative execution process, which is an optimization technique that Intel added to its CPUs to improve data processing speeds and performance. For more than a year, academics have been poking holes in various components of the speculative execution process, revealing ways to leak data from various CPU buffer zones and data processing operations. Meltdown, Spectre, and Foreshadow have shown how various CPU components leak data during the speculative execution process. Today, an international team of academics -- including some of the people involved in the original Meltdown and Spectre research -- along with security researchers from Bitdefender have disclosed a new attack impacting the speculative execution process. This one is what researchers have named a Microarchitectural Data Sampling (MDS) attack, and targets a CPU's microarchitectural data structures, such as the load, store, and line fill buffers, which the CPU uses for fast reads/writes of data being processed inside the CPU. [...] In a research paper published today, academics say that all Intel CPUs released since 2011 are most likely vulnerable. Processors for desktops, laptops, and (cloud) servers are all impacted, researchers said on a special website they've set up with information about the Zombieload flaws.

Huawei Says It is Willing To Sign 'No-Spy' Agreements With Governments

Tue, 05/14/2019 - 07:32
Huawei is willing to sign no-spy agreements with governments, including Britain, the Chinese telecommunications company's chairman said on Tuesday as the United States pressures European countries to shun the firm over spying concerns. From a report: Washington has told allies not to use Huawei's technology to build new 5G telecommunications networks because of worries it could be a vehicle for Chinese spying, an accusation the firm has denied.

Israeli Firm Tied To Tool That Uses WhatsApp Flaw To Spy On Activists

Mon, 05/13/2019 - 19:35
An anonymous reader quotes a report from The New York Times: An Israeli firm accused of supplying tools for spying on human-rights activists and journalists now faces claims that its technology can use a security hole in WhatsApp, the messaging app used by 1.5 billion people, to break into the digital communications of iPhone and Android phone users. Security researchers said they had found so-called spyware -- designed to take advantage of the WhatsApp flaw -- that bears the characteristics of technology from the company, the NSO Group. The spyware was used to break into the phone of a London lawyer who has been involved in lawsuits that accused the company of providing tools to hack the phones of Omar Abdulaziz, a Saudi dissident in Canada; a Qatari citizen; and a group of Mexican journalists and activists, the researchers said. There may have been other targets, they said. Digital attackers could use the vulnerability to insert malicious code and steal data from an Android phone or an iPhone simply by placing a WhatsApp call, even if the victim did not pick up the call. As WhatsApp's engineers examined the vulnerability, they concluded that it was similar to other tools from the NSO Group, because of its digital footprint. WhatsApp engineers patched the vulnerability on Monday. "WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," the Facebook-owned company said in a statement.

Boost Mobile Says Hackers Broke into Customer Accounts

Mon, 05/13/2019 - 17:30
Boost Mobile is informing customers of a data breach nearly two months after it happened. "Boost.com experienced unauthorized online account activity in which an unauthorized person accessed your account through your Boost phone number and Boost.com PIN code," said the notification. "The Boost Mobile fraud team discovered the incident and was able to implement a permanent solution to prevent similar unauthorized account activity." TechCrunch reports: It's not known exactly how the hackers obtained customer PINs -- or how many Boost customers are affected. The company also notified the California attorney general, which companies are required to do if more than 500 people in the state are affected by the same security incident. Boost Mobile reportedly had 15 million customers in 2018. The hackers used those phone numbers and account PINs to break into customer accounts using the company's website Boost.com, said the notification. These codes can be used to alter account settings. Hackers can automate account logins using lists of exposed usernames and passwords -- or in this case phone numbers and PIN codes -- in what's known as a credential stuffing attack. Boost said it has sent affected customers a text with a temporary PIN.
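The credential stuffing pattern described above has a recognisable shape in login logs: one source spreads single attempts across many accounts and mostly fails. The following detection routine is an added example, not Boost's or TechCrunch's code; the log format and the IP addresses and phone numbers in it are constructed.

```python
"""Spot credential-stuffing activity in login logs (added example).

The log format below is an assumption for illustration:
"<timestamp> <source ip> <account> <outcome>".
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed sample. 198.51.100.7 walks through many phone numbers with one
# PIN guess each (the stuffing pattern); 203.0.113.5 is an ordinary user who
# mistyped once; 192.0.2.9 touches too few accounts to be conclusive.
SAMPLE_LOG = """\
2019-03-14T02:00:01Z 198.51.100.7 5551230001 FAIL
2019-03-14T02:00:01Z 198.51.100.7 5551230002 FAIL
2019-03-14T02:00:02Z 198.51.100.7 5551230003 FAIL
2019-03-14T02:00:02Z 198.51.100.7 5551230004 FAIL
2019-03-14T02:00:03Z 198.51.100.7 5551230005 FAIL
2019-03-14T02:00:03Z 198.51.100.7 5551230006 OK
2019-03-14T02:00:04Z 198.51.100.7 5551230007 FAIL
2019-03-14T02:00:04Z 198.51.100.7 5551230008 FAIL
2019-03-14T02:01:10Z 203.0.113.5 5559870001 FAIL
2019-03-14T02:01:25Z 203.0.113.5 5559870001 OK
2019-03-14T02:02:00Z 192.0.2.9 5559870002 FAIL
2019-03-14T02:02:30Z 192.0.2.9 5559870003 FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

Event = Tuple[str, str, str, str]


def parse_lines(text: str) -> Iterable[Event]:
    """Yield (timestamp, ip, account, outcome); lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def detect_stuffing(events: Iterable[Event], min_accounts: int = 5,
                    min_fail_ratio: float = 0.75) -> Dict[str, dict]:
    """Flag source IPs that try many distinct accounts with mostly failures.

    A forgotten PIN is many attempts on one account; stuffing is one or two
    attempts on each of many accounts, so the per-IP distinct-account count is
    high while the success rate stays low. For each flagged IP the result
    lists the accounts where a login succeeded: those are the ones whose PIN
    needs resetting, which is the response the article describes.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0,
                                  "accounts": set(), "compromised": set()})
    for _ts, ip, account, outcome in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["accounts"].add(account)
        if outcome == "FAIL":
            s["fails"] += 1
        else:
            s["compromised"].add(account)

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_accounts": len(s["accounts"]),
                           "fail_ratio": ratio,
                           "compromised": s["compromised"]}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_lines(SAMPLE_LOG)).items():
        print(ip, info)
```

Thresholds are per-deployment tuning knobs; the distinct-account count is the signal that separates stuffing from a legitimate user retrying their own PIN.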

Google Accused of 'Posing' on Privacy

Sun, 05/12/2019 - 11:34
"You heard the headline, surely. Google is giving you privacy. Lots of privacy. Privacy here, there and everywhere. You're free. Rejoice. Leap in the air," writes Inc. columnist Chris Matyszczyk -- arguing that there's one huge and painful catch: Google needs to know everything about you because, as my colleague Bill Murphy Jr. reported, it's after as much of the advertising industry as it can swallow whole. However, Google also needs to look as if it's doing something about privacy, because privacy is the new big thing. Everyone's talking about it and Google is finding itself the subject of more and more lawsuits, as it emerges that the company keeps on tracking you whether you want it to or not. So what has Google really done with this privacy effort? Yes, it's introduced more privacy and security controls which, in the latest version of Android, might even amount to 50 elements for you to toggle away at. And that is the wicked psychological point. Google is posing to regulators by doing this. It's also putting it entirely in users' hands to work out how all these controls work and what they all mean. Because it knows the vast majority of users just don't and won't do it. The column argues that Google "is inviting people to be full-time monitors of what Google may or may not be spying on" -- while at the same time "making sure this is far too much work."

Microsoft Moves Windows 10 Closer To A Future Without Passwords

Sun, 05/12/2019 - 09:34
"Microsoft has very quietly confirmed the death of Windows 10 passwords this week," claims Forbes -- though I think they may be overstating things a bit: Microsoft's crypto, identity and authentication team group manager, Yogesh Mehta, has made an announcement that he says puts "the 800 million people who use Windows 10 one step closer to a world without passwords...." Mehta confirmed that with the release of the forthcoming Windows 10 May update, Windows Hello becomes a fully FIDO2 certified authenticator... [Windows Hello is "a biometrics-based technology that enables Windows 10 users to authenticate secure access to their devices, apps, online services and networks with just a fingerprint, iris scan or facial recognition."] So does the arrival of FIDO2 certification for Windows 10 mean that passwords are now dead? Not quite. The death of the password for Windows 10 could yet be a lingering and painful one. "We encourage companies and software developers to adopt a strategy for achieving a passwordless future and start today by supporting password alternatives such as Windows Hello," Mehta says, before admitting that to arrive in this future requires "interoperable solutions that work across all industry platforms and browsers." I say painful, by the way, as there will no doubt be no shortage of stories about password security fails until the final nail is hammered into this authentication coffin.

MongoDB Database Containing Over 275 Million Personal Records Exposed and Hacked

Sat, 05/11/2019 - 09:34
"An unprotected and public-facing MongoDB database containing over 275 million records of personal information on Indian citizens has been discovered on search engine Shodan," writes Slashdot reader helpfulhecker. BleepingComputer reports that the detailed personally identifiable information was exposed online for over two weeks: Security Discovery researcher Bob Diachenko discovered the publicly accessible MongoDB database hosted on Amazon AWS using Shodan, and as historical data provided by the platform showed, the huge cache of PII data was first indexed on April 23, 2019. As he found out after further investigation, the exposed data included information such as name, gender, date of birth, email, mobile phone number, education details, professional info (employer, employment history, skills, functional area), and current salary for each of the database records. While the unprotected MongoDB database leaked the sensitive information of hundreds of millions of Indians, Diachenko did not find any information that would link it to a specific owner. Additionally, the names of the data collections stored within the database suggested that the entire cache of resumes was collected "as part of a massive scraping operation" for unknown purposes. Two months ago Diachenko also helped uncover over 800 million exposed email addresses in another unprotected MongoDB database. And in January an investigation with TechCrunch also discovered millions of highly sensitive financial documents from tens of thousands of individuals who took out loans or mortgages. The same month Diachenko also discovered an exposed 854 gigabyte MongoDB database filled with resumes from over 200 million job-seekers in China.

Google Launches Portal, an HTML Tag To Replace Iframe

Fri, 05/10/2019 - 14:10
An anonymous reader quotes a report from ZDNet: At the I/O 2019 developer conference earlier this week, Google launched a new technology called Portals that aims to provide a new way of loading and navigating through web pages. According to Google, Portals will work with the help of a new HTML tag named . This tag works similarly to classic tags, allowing web developers to embed remote content in their pages. Google says portals allow users to navigate inside the content they are embedding -- something that iframes do not allow for security reasons. Furthermore, portals can also overwrite the main URL address bar, meaning they are useful as a navigation system, and more than embedding content -- the most common way in which iframes are used today. For example, engineers hope that when a user is navigating a news site, when they reach the bottom of a story, related links for other stories are embedded as portals, which the user can click and seamlessly transition to a new page. The advantage of using Portals over classic links is that the content inside portals can be pre-loaded while the user scrolls through a page, and be ready to expand into a new page without having the user wait for it to load. In a demo, you can see that Portals allow users to watch/listen to embedded content and then transition seamlessly to its origin page, where they could leave comments or open other media.

Researchers Are Liberating Thousands of Pages of Forgotten Hacking History From the Government

Fri, 05/10/2019 - 12:11
An anonymous reader writes: In 1989, just a few months after the web became a reality, a computer worm infected thousands of computers across the world, including those of NASA. Late last month -- 30 years after the "WANK worm" struck NASA -- the agency released an internal report that the agency wrote at the time, thanks to a journalist and a security researcher who have embarked on a project to use the Freedom of Information Act to get documents on historical hacking incidents. The project is called "Hacking History," and the people behind it are freelance journalist Emma Best and security researcher (and former NSA hacker) Emily Crose. The two are crowdfunding to raise money to cover the costs of the FOIA requests via the document requesting platform MuckRock. In the last few years, hackers and the cybersecurity industry have gone mainstream, earning headlines in major newspapers, becoming key plotlines in Hollywood movies, and even getting a hit TV show. But it hasn't always been this way. For decades, infosec and hacking was a niche industry that got very little news coverage and very little public attention. As a result, the ancient and not so ancient history of hacking has a lot of holes. Now, the two women are trying to fill in those gaps in hacker history, like missing pieces of a puzzle, sending FOIA requests to several US government agencies, including the FBI.

Microsoft SharePoint Servers Are Under Attack

Fri, 05/10/2019 - 10:51
Hacker groups are attacking Microsoft SharePoint servers to exploit a recently patched vulnerability and gain access to corporate and government networks, according to recent security advisories sent out by Canadian and Saudi Arabian cyber-security agencies. From a report: The security flaw exploited in these attacks is tracked as CVE-2019-0604, which Microsoft patched through security updates released in February, March, and April this year. "An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account," Microsoft said at the time.

The Rise of Fear-Based Social Media Like Nextdoor, Citizen, and Now Amazon's Neighbors

Thu, 05/09/2019 - 19:30
An anonymous reader quotes a report from Vox: Violent crime in the U.S. is at its lowest rate in decades. But you wouldn't know that from a crop of increasingly popular social media apps that are forming around crime. Apps like Nextdoor, Citizen, and Amazon Ring's Neighbors -- all of which allow users to view local crime in real time and discuss it with people nearby -- are some of the most downloaded social and news apps in the U.S., according to rankings from the App Store and Google Play. Nextdoor was the ninth most-downloaded lifestyle app in the U.S. on iPhones at the end of April, according to App Annie, a mobile data and analytics provider; that's up from No. 27 a year ago in the social networking category. (Nextdoor changed its app category from social to lifestyle on April 30; on April 29 it was ranked 14th in social, according to App Annie.) Amazon Ring's Neighbors is the 36th most-downloaded social app. When it launched last year, it was 115th. Citizen, which considers itself a news app, was the seventh most-downloaded news app on iOS at the end of April, up from ninth last year and 29th in 2017. These apps have become popular because of -- and have aggravated -- the false sense that danger is on the rise. Americans seem to think crime is getting worse, according to data from both Gallup and Pew Research Center. In fact, crime has fallen steeply in the last 25 years according to both the FBI and the Bureau of Justice Statistics. David Ewoldsen, professor of media and information at Michigan State University, says these apps foment fear around crime, which feeds into existing biases and racism and largely reinforces stereotypes around skin color. As Steven Renderos, senior campaigns director at the Center for Media Justice, put it, "These apps are not the definitive guides to crime in a neighborhood -- it is merely a reflection of people's own bias, which criminalizes people of color, the unhoused, and other marginalized communities." 
A recent Motherboard article found that the majority of people posted as "suspicious" on Neighbors in a gentrified Brooklyn neighborhood were people of color.

Microsoft Recommends Using a Separate Device For Administrative Tasks

Thu, 05/09/2019 - 14:10
In a rare article detailing insights about its staff's efforts in securing its own internal infrastructure, Microsoft has shared some very insightful advice on how companies could reduce the risk of having a security breach. From a report: The central piece of this article is Microsoft's recommendation in regards to how companies should deal with administrator accounts. Per Microsoft's Security Team, employees with administrative access should be using a separate device, dedicated only for administrative operations. This device should always be kept up to date with all the most recent software and operating system patches, Microsoft said. "Provide zero rights by default to administration accounts," the Microsoft Security Team also recommended. "Require that they request just-in-time (JIT) privileges that gives them access for a finite amount of time and logs it in a system." Furthermore, the OS vendor also recommends that administrator accounts should be created on a separate user namespace/forest that cannot access the internet, and should be different from the employee's normal work identity.

Millions of People Uploaded Photos To the Ever App. Then the Company Used Them To Develop Facial Recognition Tools.

Thu, 05/09/2019 - 12:50
An anonymous reader shares a report: "Make memories": That's the slogan on the website for the photo storage app Ever, accompanied by a cursive logo and an example album titled "Weekend with Grandpa." Everything about Ever's branding is warm and fuzzy, about sharing your "best moments" while freeing up space on your phone. What isn't obvious on Ever's website or app -- except for a brief reference that was added to the privacy policy after NBC News reached out to the company in April -- is that the photos people share are used to train the company's facial recognition system, and that Ever then offers to sell that technology to private companies, law enforcement and the military. In other words, what began in 2013 as another cloud storage app has pivoted toward a far more lucrative business known as Ever AI -- without telling the app's millions of users.

FCC Blocks China Mobile From Operating in US Over National Security Concerns

Thu, 05/09/2019 - 12:10
The FCC has voted unanimously to deny China Mobile's application to provide telecommunications services in the U.S. due to concerns about national security and law enforcement risks. From a report: China Mobile's application, submitted in 2011, requested permission to provide telecom services in the U.S., including connecting calls between the U.S. and the vast majority of countries, which would involve interconnecting with American internet networks. FCC officials say China Mobile USA is indirectly and ultimately owned and controlled by the Chinese government. It's a subsidiary of global telecom giant China Mobile Limited. U.S. officials saw risks that China Mobile would comply with government espionage requests or that information about U.S. communications networks and users could be exploited. There were also concerns that Chinese government officials could use its access to U.S. networks to block or interfere with communications traffic should an issue arise between the two countries.

Samsung Spilled SmartThings App Source Code, Secret Keys

Wed, 05/08/2019 - 16:45
Mossab Hussein, a security researcher at SpiderSilk, has discovered that a development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects -- including its SmartThings platform. TechCrunch reports: The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to "public" and not properly protected with a password, allowing anyone to look inside at each project, access and download the source code. Hussein said one project contained credentials that allowed access to the entire AWS account that was being used, including more than 100 S3 storage buckets that contained logs and analytics data. Many of the folders, he said, contained logs and analytics data for Samsung's SmartThings and Bixby services, but also several employees' exposed private GitLab tokens stored in plaintext, which allowed him to gain additional access from 42 public projects to 135 projects, including many private projects. Samsung told him some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10. The app, which has since been updated, has more than 100 million installs to date.

Microsoft Wants To Close the UWP, Win32 Divide With 'Windows Apps'

Wed, 05/08/2019 - 13:25
An anonymous reader quotes a report from ZDNet: When Microsoft launched UWP in 2015, officials promised that the platform would provide apps with better performance and security because they'd be distributable and updatable from the Microsoft Store. Developers would be able to use a common set of programming interfaces across Windows 10, Windows Phone, HoloLens and more, officials said, when selling the UWP vision. The downside: UWP apps would work on Windows 10-based devices only. Developers would have to do work to get their apps to be UWP/Store-ready. And Win32 apps wouldn't get UWP features like touch and inking. Arguably, [Kevin Gallo, Corporate Vice President of the Windows Developer Platform] told me, "we shouldn't have gone that way," meaning creating this schism. But Microsoft execs -- including Gallo -- continue to maintain that UWP is not dead. Over the past year or so, Microsoft has been trying to undo some of the effects of what Gallo called the "massive divide" between Win32 and UWP by adding "modern desktop" elements to Win32 apps. "By the time we are done, everything will just be called 'Windows apps,'" Gallo told me. "We're not quite there yet." But the ultimate idea is to make "every platform feature available to every developer." In short, Microsoft's new goal is to try to make all features available to all of the Windows frameworks. Saying that Microsoft is dropping or deprecating any of the Windows frameworks seems to have been declared from on-high as a big no-no. Instead, Win32, UWP, Windows Presentation Foundation are all "elevated to full status," as Gallo told me. What about the Microsoft Store? Gallo says it's not dead. In Gallo's view, "the Store is about commerce. It's another channel for distribution." But it's not the only way Windows users will be able to get apps. "You can trust apps differently. They don't need to be in the Store. People really just want to know if Microsoft considers an app good," he said. 
ZDNet's Mary Jo Foley says "it sounds like Microsoft may be moving toward a model of getting apps Microsoft-certified and trusted and then allowing Windows developers to decide how best to distribute them -- via the Microsoft Store, the Web or other methods of their choosing."

Google Chrome To Support Same-Site Cookies, Get Anti-Fingerprinting Protection

Wed, 05/08/2019 - 12:06
Google plans to add support for two new privacy and security features in Chrome, namely same-site cookies and anti-fingerprinting protection. From a report: The biggest change that Google plans to roll out is in regards to how it treats cookie files. These new controls will be based on a new IETF standard that Chrome and Mozilla developers have been working on for more than three years. This new IETF specification describes a new attribute that can be set inside HTTP headers. Called "SameSite," the attribute must be set by the website owner and should describe the situations in which a site's cookies can be loaded. [...] Google engineers also announced a second major new privacy feature for Chrome. According to Google, the company plans to add support for blocking certain types of "user fingerprinting" techniques that are being abused by online advertisers. Google didn't go into details of what types of user fingerprinting techniques it was planning to block. It is worth mentioning that there are many, which range from scanning locally installed system fonts to abusing the HTML5 canvas element, and from measuring a user's device screen size to reading locally installed extensions.
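The decision a browser makes once the SameSite attribute is set is what gives it its value against cross-site request forgery: a Strict cookie never rides along on a request that another site initiated, a Lax cookie does so only for safe top-level navigations, and None keeps the old behaviour. The model below is an added example of those semantics, not Chrome's or the IETF draft's code; the hosts, cookie names and the two-label approximation of a "site" are assumptions for illustration, and the Lax-by-default and None-requires-Secure rules reflect Chrome's announced policy rather than anything on this page.

```python
"""Model of how a browser decides whether to attach a cookie to a request,
based on the cookie's SameSite attribute (added illustration, not Chrome's code)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Methods that Lax mode still allows on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                       # host the cookie is scoped to
    secure: bool = False
    same_site: Optional[str] = None   # "Strict", "Lax", "None" or absent


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Extract the attributes relevant here from a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), origin_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "samesite":
            cookie.same_site = val.strip().capitalize()   # "strict" -> "Strict"
        elif key == "domain":
            cookie.domain = val.strip().lstrip(".").lower()
    return cookie


def site_of(host: str) -> str:
    # Assumption/simplification: the registrable domain is approximated by the
    # last two labels instead of consulting the public suffix list.
    return ".".join(host.lower().split(".")[-2:])


def should_send(cookie: Cookie, request_url: str, initiator_url: Optional[str],
                method: str, top_level: bool, lax_by_default: bool = True) -> bool:
    """Decide whether `cookie` is attached to a request for `request_url`.

    initiator_url is the page that caused the request (None for a URL the user
    typed or bookmarked, which counts as same-site); top_level is True for a
    navigation that changes the address bar, False for a subresource fetch.
    """
    req = urlsplit(request_url)
    host = (req.hostname or "").lower()
    if host != cookie.domain and not host.endswith("." + cookie.domain):
        return False                    # cookie is scoped to another host
    if cookie.secure and req.scheme != "https":
        return False                    # Secure cookies never travel over http
    mode = cookie.same_site
    if mode is None:
        if not lax_by_default:
            return True                 # legacy behaviour: sent cross-site as well
        mode = "Lax"                    # Chrome's announced default for unset cookies
    if mode == "None":
        return cookie.secure            # explicit None is honoured only with Secure
    same_site = True
    if initiator_url is not None:
        same_site = site_of(urlsplit(initiator_url).hostname or "") == site_of(host)
    if same_site:
        return True
    if mode == "Lax":
        return top_level and method.upper() in SAFE_METHODS
    return False                        # Strict: never on a cross-site request


def demo() -> dict:
    """Constructed scenarios: cookies set by bank.example, requests from evil.example."""
    session = parse_set_cookie("sid=abc123; Secure; HttpOnly; SameSite=Strict", "bank.example")
    prefs = parse_set_cookie("theme=dark; SameSite=Lax", "bank.example")
    legacy = parse_set_cookie("legacy=1", "bank.example")
    tracker = parse_set_cookie("track=1; SameSite=None", "bank.example")
    tracker_ok = parse_set_cookie("track=1; SameSite=None; Secure", "bank.example")
    bank, evil = "https://bank.example/transfer", "https://evil.example/page"
    return {
        "strict_same_site_post": should_send(session, bank, "https://bank.example/", "POST", False),
        "strict_cross_site_nav": should_send(session, bank, evil, "GET", True),
        "lax_cross_site_nav": should_send(prefs, bank, evil, "GET", True),
        "lax_cross_site_form_post": should_send(prefs, bank, evil, "POST", True),
        "lax_cross_site_subresource": should_send(prefs, bank, evil, "GET", False),
        "legacy_treated_as_lax": should_send(legacy, bank, evil, "POST", True),
        "legacy_old_behaviour": should_send(legacy, bank, evil, "POST", True, lax_by_default=False),
        "none_without_secure": should_send(tracker, bank, evil, "GET", False),
        "none_with_secure": should_send(tracker_ok, bank, evil, "GET", False),
    }
```

The `legacy_*` pair shows why the default change matters: a session cookie with no attribute would previously have been attached to a forged cross-site POST.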