Slashdot security articles


Apple Blocks Linux From Booting On New Hardware With T2 Security Chip

Sat, 11/10/2018 - 11:34
AmiMoJo writes: Apple's new-generation Macs come with a new so-called Apple T2 security chip that's supposed to provide a secure enclave co-processor responsible for powering a series of security features, including Touch ID. At the same time, this security chip enables the secure boot feature on Apple's computers, and by the looks of things, it's also responsible for a series of new restrictions that Linux users aren't going to like. The issue seems to be that Apple has included security certificates for its own and Microsoft's operating systems (to allow running Windows via Bootcamp), but not for the certificate that was provided for systems such as Linux. Disabling Secure Boot can overcome this, but also disables access to the machine's internal storage, making installation of Linux impossible.

US Military Publicly Dumps Russian Government Malware Online

Sat, 11/10/2018 - 05:00
An anonymous reader quotes a report from Motherboard: This week, U.S. Cyber Command (CYBERCOM), a part of the military tasked with hacking and cybersecurity focused missions, started publicly releasing unclassified samples of adversaries' malware it has discovered. CYBERCOM says the move is to improve information sharing among the cybersecurity community, but in some ways it could be seen as a signal to those who hack U.S. systems: we may release your tools to the wider world. On Friday, CYBERCOM uploaded multiple files to VirusTotal, a Google-owned search engine and repository for malware. Once uploaded, VirusTotal users can download the malware, see which anti-virus or cybersecurity products likely detect it, and see links to other pieces of malicious code. One of the two samples CYBERCOM distributed on Friday is marked as coming from APT28, a Russian government-linked hacking group, by several different cybersecurity firms, according to VirusTotal. Those include Kaspersky Lab, Symantec, and Crowdstrike, among others. APT28 is also known as Sofacy and Fancy Bear. The malware itself does not appear to still be active.

Mac Mini Teardown Reveals User-Upgradable RAM, But Soldered Down CPU and Storage

Fri, 11/09/2018 - 23:00
iFixit has released their teardown of the new Mac mini, providing a look inside the portable desktop computer. Some of the notable findings include user-upgradable RAM and soldered CPU and SSD. Mac Rumors reports: While the RAM in the previous-gen Mac mini from 2014 was soldered to the logic board, the new Mac mini has user-upgradeable RAM, as discovered earlier this week. As seen in older iMacs, the RAM is protected by a perforated shield that allows the memory modules to operate at a high frequency of 2666 MHz without interfering with other device functions, according to iFixit. To upgrade the RAM, the shield can be removed by unfastening four Torx screws. Other silicon on the logic board of this particular Mac mini includes the Apple T2 security chip, a 3.6GHz quad-core Intel Core i3 processor, Intel UHD Graphics 630, 128GB of flash storage from Toshiba, an Intel JHL7540 Thunderbolt 3 controller, and a Gigabit Ethernet controller from Broadcom. Despite the good news about the RAM, the CPU and SSD are soldered to the logic board, as are many ports, so this isn't a truly modular Mac mini. iFixit awarded the new Mac mini a repairability score of 6/10, with 10 being the easiest to repair, topping the latest MacBook Air, MacBook, MacBook Pro, iMac, and iMac Pro, and trailing only the 2013 Mac Pro.

Researchers Defeat Perceptual Ad Blockers, Declare 'New Arms Race'

Fri, 11/09/2018 - 17:40
dmoberhaus writes: Perceptual ad blockers were supposed to be the "superweapon" that put an end to the arms race between advertisers and users. According to new research, however, perceptual ad blockers will come out on the losing side in the war against internet advertisers and expose users to a host of new attack vectors in the process. Researchers at Stanford tricked six different visual classifiers used in perceptual ad blockers with adversarial ads designed to trick the ad blockers by making nearly imperceptible changes to the ads. "The researchers tried several different adversarial attacks on the perceptual ad blockers' visual classifiers," Motherboard reports. "One attack, for example, slightly altered the AdChoices logo that is commonly used to disclose advertisements to fool the perceptual ad blocker. In another attack, the researchers demonstrated how website publishers could overlay a transparent mask over a website that would allow ads to evade perceptual ad blockers." "The aim of our work is not to downplay the merits of ad-blocking, nor discredit the perceptual ad blocking philosophy, which is sound when instantiated with a robust visual ad detector," the researchers concluded. "Rather, our overarching goal is to highlight and raise awareness on the vulnerabilities that arise in building ad blockers with current computer vision systems."

Hackers Stole Income, Immigration and Tax Data In Healthcare.gov Breach, Government Confirms

Fri, 11/09/2018 - 15:00
Late last month, HealthCare.gov suffered a data breach exposing 75,000 customers. Details were sparse at the time of the breach, but we have now learned that hackers obtained "inappropriate access" to a number of broker and agent accounts, which "engaged in excessive searching" of the government's healthcare marketplace systems. TechCrunch reports: [The Centers for Medicare and Medicaid Services (CMS)] didn't say how the attackers gained access to the accounts, but said it shut off the affected accounts "immediately." In a letter sent to affected customers this week (and buried on the Healthcare.gov website), CMS disclosed that sensitive personal data -- including partial Social Security numbers, immigration status and some tax information -- may have been taken. According to the letter, the data included name, date of birth, address, sex, and the last four digits of the Social Security number (SSN), if SSN was provided on the application. Other information could include expected income, tax filing status, family relationships, whether the applicant is a citizen or an immigrant, immigration document types and numbers, employer name, pregnancy status, health insurance status, and more. The government did say that no bank account information was stolen.

China Violated Obama-Era Cybertheft Pact, U.S. Official Says

Fri, 11/09/2018 - 13:01
China has violated an accord it signed with the U.S. three years ago pledging not to engage in hacking for the purpose of economic espionage, a senior U.S. intelligence official said this week. From a report: The 2015 bilateral agreement had significantly reduced the amount of Chinese cybertheft targeting American companies, but Beijing's commitment to the deal has eroded, said Rob Joyce, senior adviser for cybersecurity strategy at the National Security Agency. "It is clear they are well beyond the bounds of the agreement today that was forged between our two countries," Joyce said during a panel conversation at the Aspen Cyber Summit. Joyce's comments were the latest sign of Washington's rising frustration over China's alleged violation of the pact signed between then-President Barack Obama and Chinese President Xi Jinping. Last week, then-Attorney General Jeff Sessions also said China wasn't adhering to the deal, in which the U.S. and China agreed not to conduct cyber operations against each other to steal intellectual property or other forms of economic intelligence.

US Secret Service Warns ID Thieves are Abusing USPS's Mail Scanning Service

Fri, 11/09/2018 - 06:02
Brian Krebs reports: A year ago, KrebsOnSecurity warned that "Informed Delivery," a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes. The internal alert -- sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide -- references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS's Web site. According to the Secret Service alert, the accused used the Informed Delivery feature "to identify and intercept mail, and to further their identity theft fraud schemes."

Cisco Removed Its Seventh Backdoor Account This Year, and That's a Good Thing

Thu, 11/08/2018 - 16:10
An anonymous reader quotes a report from ZDNet: Cisco, the world's leading provider of top networking equipment and enterprise software, has today released 15 security updates, including a fix for an issue that can be described as a backdoor account. This latest patch marks the seventh time this year when Cisco has removed a backdoor account from one of its products. Five of the seven backdoor accounts were discovered by Cisco's internal testers, with only CVE-2018-0329 and this month's CVE-2018-15439 being found by external security researchers. The company has been intentionally and regularly combing the source code of all of its software since December 2015, when it started a massive internal audit. Cisco started that process after security researchers found what looked to be an intentional backdoor in the source code of ScreenOS, the operating system of Juniper, one of Cisco's rivals. Juniper suffered massive reputational damage following the 2015 revelation, and this may secretly be the reason why Cisco has avoided using the term "backdoor account" all year for the seven "backdoor account" issues. Instead, Cisco opted for more complex wordings such as "undocumented, static user credentials for the default administrative account," or "the affected software enables a privileged user account without notifying administrators of the system." It is true that using such phrasings might make Cisco look disingenuous, but let's not forget that Cisco has been ferreting out these backdoor accounts mainly on its own, and has been trying to fix them without scaring customers or impacting its own stock price along the way.

Vulnerability Could Make DJI Drones a Spy In the Sky

Thu, 11/08/2018 - 15:30
wiredmikey writes from a report via SecurityWeek: A vulnerability in systems operated by Da Jiang Innovations (DJI) -- the world's largest drone manufacturer -- allowed anybody in the world to have full access to a drone user's DJI account. A successful attacker would be able to obtain cloud-based flight records, stored photographs, user PII including credit card details -- and a real-time view from the drone's camera and microphone. Check Point Researchers (who discovered and reported the vulnerability) told SecurityWeek, "The vulnerability is a unique opportunity for malicious actors to gain priceless information -- you have an eye in the sky. Organizations are moving towards automated flights, sometimes with dozens of drones patrolling across sensitive facilities. With this vulnerability you could take over the accounts and see and hear everything that the drones see or hear. This is a huge opportunity for malicious actors."

US Cyber Command Starts Uploading Foreign APT Malware To VirusTotal

Thu, 11/08/2018 - 06:00
The Cyber National Mission Force (CNMF), a subordinate unit of US Cyber Command (USCYBERCOM), set in motion a new initiative this week through which the DOD would share malware samples it discovered on its networks with the broader cybersecurity community. From a report: The CNMF kicked off this new project by creating an account on VirusTotal, an online file scanning service that also doubles as an online malware repository, and by uploading two malware samples.

Georgia's Secretary of State Brian Kemp Doxes Thousands of Absentee Voters

Wed, 11/07/2018 - 19:30
An anonymous reader quotes a report from TechCrunch: Georgia's secretary of state and candidate for state governor in the midterm election, Brian Kemp, has taken the unusual, if not unprecedented, step of posting the personal details of 291,164 absentee voters online for anyone to download. Kemp's office posted an Excel file on its website within hours of the results of the general election, exposing the names and addresses of state residents who mailed in an absentee ballot -- including their reason why, such as if a person is "disabled" or "elderly." The file, according to the web page, allows Georgia residents to "check the status of your mail-in absentee ballot." Millions of Americans across the country mail in their completed ballots ahead of election day, particularly if getting to a polling place is difficult -- such as if a person is disabled, elderly or traveling. When reached, Georgia secretary of state's press secretary Candice Broce told TechCrunch that all of the data "is clearly designated as public information under state law," and denied that the data was "confidential or sensitive." "State law requires the public availability of voter lists, including names and address of registered voters," she said in an email. "While the data may already be public, it is not publicly available in aggregate like this," said security expert Jake Williams, founder of Rendition Infosec, who lives in Georgia. Williams took issue with the reasons that the state gave for each absentee ballot, saying it "could be used by criminals to target currently unoccupied properties." "Releasing this data in aggregate could be seen as suppressing future absentee voters in Georgia who do not want their information released in this manner," he said.

Police Decrypt 258,000 Messages After Breaking Pricey IronChat Crypto App

Wed, 11/07/2018 - 14:00
An anonymous reader quotes a report from Ars Technica: Police in the Netherlands said they decrypted more than 258,000 messages sent using IronChat, an app billed as providing end-to-end encryption that was endorsed by National Security Agency leaker Edward Snowden. In a statement published Tuesday, Dutch police said officers achieved a "breakthrough in the interception and decryption of encrypted communication" in an investigation into money laundering. The encrypted messages, according to the statement, were sent by IronChat, an app that runs on a device that cost thousands of dollars and could send only text messages. "Criminals thought they could safely communicate with so-called crypto phones which used the application IronChat," Tuesday's statement said. "Police experts in the east of the Netherlands have succeeded in gaining access to this communication. As a result, the police have been able to watch live the communication between criminals for some time." Blackbox-security.com, the site selling IronChat and IronPhone, quoted Snowden as saying: "I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation," according to Web archives. Whether the endorsement was authentic or not wasn't immediately known. The site has been seized by Dutch police.

Google Sends Final Software Update To Legacy Nexus 5X, Nexus 6P Phones

Tue, 11/06/2018 - 23:00
Google has pushed out the final "guaranteed" official software update for Nexus devices. According to Hot Hardware, the November update for both the Nexus 5X and Nexus 6P "carries the final build number of OPM7.181105.004, running Android 8.1 Oreo." From the report: The last Nexus smartphones to launch from Google were the Nexus 5X and Nexus 6P, which debuted in late 2015. Under Google's three-year update policy, both smartphones have received two major Android releases (Android 7.0 Nougat in 2016 and Android 8.0 Oreo in 2017) along with three years of monthly security updates. The monthly security updates should have ended in September, but Google out of nowhere provided a two-month reprieve through November 2018.

Blockchain-Based Elections Would Be a Disaster For Democracy

Tue, 11/06/2018 - 16:20
An anonymous reader quotes a report from Ars Technica: If you talk to experts on election security (I studied with several of them in graduate school) they'll tell you that we're nowhere close to being ready for online voting. "Mobile voting is a horrific idea," said election security expert Joe Hall when I asked him about a West Virginia experiment with blockchain-based mobile voting back in August. But on Tuesday, The New York Times published an opinion piece claiming the opposite. "Building a workable, scalable, and inclusive online voting system is now possible, thanks to blockchain technologies," writes Alex Tapscott, whom the Times describes as co-founder of the Blockchain Research Institute. Tapscott is wrong -- and dangerously so. Online voting would be a huge threat to the integrity of our elections -- and to public faith in election outcomes. Tapscott focuses on the idea that blockchain technology would allow people to vote anonymously while still being able to verify that their vote was included in the final total. Even assuming this is mathematically possible -- and I think it probably is -- this idea ignores the many, many ways that foreign governments could compromise an online vote without breaking the core cryptographic algorithms. For example, foreign governments could hack into the computer systems that governments use to generate and distribute cryptographic credentials to voters. They could bribe election officials to supply them with copies of voters' credentials. They could hack into the PCs or smartphones voters use to cast their votes. They could send voters phishing emails to trick them into revealing their voting credentials -- or simply trick them into thinking they've cast a vote when they haven't.

'Almost All' Pakistani Banks Hacked In Security Breach, Report Says

Tue, 11/06/2018 - 15:00
The cybercrime wing of Pakistan's Federal Investigation Agency has said data from "almost all" Pakistani banks was stolen in a recent security breach. FIA Cybercrimes Director retired Capt Mohammad Shoaib told Geo News that hackers based outside the country had breached the security systems of several local banks. "The hackers have stolen large amounts of money from people's accounts," he added. From a report: He said the FIA has written to all banks, and a meeting of the banks' heads and security managements is being called. The meeting will look into ways the security infrastructure of banks can be bolstered. "Banks are the custodians of the money people have stored in them," Shoaib said. "They are also responsible if their security features are so weak that they result in pilferage." It wasn't immediately clear when exactly the security breach took place. According to Shoaib, more than 100 cases are being investigated by the agency in connection with the breach.

Oracle Says China Telecom Has Misdirected Internet Traffic, Including Out of the US, in Recent Years

Tue, 11/06/2018 - 13:00
Oracle's Internet Intelligence division has confirmed today the findings of a recently published academic paper that accused China of "hijacking the vital internet backbone of western countries." From a report: The research paper was authored by researchers from the US Naval War College and Tel Aviv University and it made quite a few waves online after it was published. Researchers accused China Telecom, one of China's biggest state-owned internet service providers, of hijacking and detouring internet traffic through its normally-closed internet infrastructure. Some security experts contested the research paper's findings because it didn't come from an authoritative voice in the world of internet BGP hijacks, but also because the paper touched on many politically sensitive topics, such as China's cyber-espionage activities and how China used BGP hijacks as a way to circumvent the China-US cyber pact of 2015. But today, Doug Madory, Director of Oracle's Internet Analysis division (formerly Dyn), confirmed that China Telecom has, indeed, engaged in internet traffic "misdirection." "I don't intend to address the paper's claims around the motivations of these actions," said Madory. "However, there is truth to the assertion that China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years."

The Future of the Kilo: a Weighty Matter

Tue, 11/06/2018 - 12:20
A lump of metal in a building near Paris has long served as the global standard for the kilogram. That's about to change. From a report: Later this month, at the international General Conference on Weights and Measures, to be held in France, delegates are expected to vote to get rid of this single physical specimen and instead plump to use a fundamental measurement -- to be defined in terms of an electric current -- in order to define the mass of an object. The king of kilograms is about to be dethroned. And crucially much of the key work that has led to the toppling of the Paris kilogram has been carried out at the National Physical Laboratory where the late Bryan Kibble invented the basic concepts of the device that will replace that ingot in the Pavillon de Breteuil. The Kibble balance works by measuring the electric current that is required to produce an electromagnetic force equal to the gravitational force acting on a mass. A second stage allows the electromagnetic force to be determined in terms of a fundamental constant known as the Planck constant which will, in future, be used to define a kilogram. These machines will provide the standard for weighing objects -- and that means no more dusting of old lumps of alloy to ensure they stay pure and accurate. [...] "One key reason for doing this work is to provide international security," says Robinson. "If the Pavillon de Breteuil burned down tomorrow and the kilogram in its vaults melted, we would have no reference left for the world's metric weights system. There would be chaos. The current definition of the kilogram is the weight of that cylinder in Paris, after all." [...] Another major motivation for the replacement of le grand K is the need to be able to carry out increasingly more and more precise measurements. "Pharmaceutical companies will soon be wanting to use ingredients that will have to be measured in terms of a few millionths or even billionths of a gram," says Prior. "We need to be prepared to weigh substances with that kind of accuracy." Suggested reading: A thread on Twitter which discusses SI units and the redefinition of the kilogram.

Ask Slashdot: How To Fix an Outdated College Tech Curriculum?

Tue, 11/06/2018 - 07:20
An anonymous reader writes: As a student, what's the best way to bring change to an outdated college tech curriculum? The background on this is that I have 15 years of experience in the field and a very healthy amount of industry-recognized training and certifications. I'm merely finishing up my degree to flesh out my resume -- I haven't learned much from the program that I don't already know. However, the program would have benefited me greatly 15 years ago. It's a great program, except for a biometrics class that is absolutely behind the curve. The newest publication on the syllabus is from 2009. This is simply teaching the students outdated and often wrong information. Additionally, a lot of the material seems like it was stretched to make a full semester class in biometrics in the first place -- most of the material, honestly, could be compressed to about two hours of lecture and still be delivered at a reasonable rate. What's the best way for a student in my situation to get this fixed so the school stops wasting students' time with outdated and wrong information?

Researchers 'Break' Microsoft's Edge With Zero-Day Remote Code Exploit

Tue, 11/06/2018 - 02:00
Exploit developers Yushi Laing and Alexander Kochkov have teased a zero-day exploit for Microsoft's Edge browser that can allow a malicious actor to run commands on a user's machine. "Laing teased the 'stable exploit' for the Microsoft-developed web browser last week with an image that appeared to show the Windows Calculator app launched from a web browser, after working on the project for just under a week," reports IT PRO. From the report: The researcher had initially been looking into three remote code execution bugs for Firefox as part of an 'exploit chain', but struggled to establish code for the third. He then found two similar flaws on Microsoft Edge using the Wadi Fuzzer app developed by SensePost. Laing told BleepingComputer the pair wanted to develop a stable exploit for Microsoft Edge and escape the sandbox, termed as an exploit that force-crashes and incorrectly reloads an app with manipulated permissions. This would allow a user to run functions, and access other apps, beyond its normal permissions, as well as access data from other applications. They were also looking for a way to effectively seize control of a machine by escalating execution privileges to "system." They published a proof-of-concept for the Edge exploit in a short clip which shows the team using the browser to open the landing page for Google Chrome via Firefox.

Voting Machine Manual Instructed Election Officials To Use Weak Passwords

Mon, 11/05/2018 - 19:30
An anonymous reader quotes a report from Motherboard: An election security expert who has done risk assessments in several states since 2016 recently found a reference manual that appears to have been created by one voting machine vendor for county election officials and that lists critical usernames and passwords for the vendor's tabulation system. The passwords, including a system administrator and root password, are trivial and easy to crack, including one composed from the vendor's name. And although the document indicates that customers will be prompted periodically by the system to change the passwords, the document instructs customers to re-use passwords in some cases -- alternating between two of them -- and in other cases to simply change a number appended to the end of some passwords to change them. The vendor, California-based Unisyn Voting Solutions, makes an optical-scan system called OpenElect Voting System for use in both precincts and central election offices. The passwords in the manual appear to be for the Open Elect Central Suite, the backend election-management system used to create election definition files for each voting machine before every election -- the files that tell the machine how to apportion votes based on the marks voters make on a ballot. The suite also tabulates votes collected from all of a county's Unisyn optical scan systems. The credentials listed in the manual include usernames and passwords for the initial log-in to the system as well as credentials to log into the client software used to tabulate and store official election results.