Slashdot security articles


Netflix Password Sharing May Soon Be Impossible Due To New AI Tracking

Thu, 01/10/2019 - 16:03
An anonymous reader quotes a report from The Independent: A video software firm has come up with a way to prevent people from sharing their account details for Netflix and other streaming services with friends and family members. UK-based Synamedia unveiled the artificial intelligence software at the CES 2019 technology trade show in Las Vegas, claiming it could save the streaming industry billions of dollars over the next few years. The AI system developed by Synamedia uses machine learning to analyze account activity and recognize unusual patterns, such as account details being used in two locations within similar time periods. The idea is to spot instances of customers sharing their account credentials illegally and offer them a premium shared account service that will authorize a limited level of password sharing. The company said it is already carrying out trials with a number of pay-TV operators but did not reveal which ones.
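The "two locations within similar time periods" signal described above is what security operations teams call an impossible-travel check: two uses of the same credentials whose distance and time gap would require moving faster than any plausible vehicle. The following is an added example of that check, not Synamedia's software or anything from the report. The events, coordinates and the 900 km/h speed threshold are constructed assumptions for illustration.

```python
"""Impossible-travel check over account-activity events.

Added example, not Synamedia's software. Coordinates, timestamps and the
speed threshold are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner speed; tune per service
MIN_DISTANCE_KM = 50.0      # ignore geolocation jitter within one metro area


@dataclass(frozen=True)
class Event:
    account: str
    when: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive events per account that would need travel faster
    than max_kmh. Returns (account, earlier, later, km, kmh) tuples."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_account.setdefault(ev.account, []).append(ev)
    hits = []
    for account, evs in by_account.items():
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < min_km:
                continue
            hours = (b.when - a.when).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else float("inf")  # same instant: flag
            if kmh > max_kmh:
                hits.append((account, a, b, round(km), kmh))
    return hits


# Constructed sample: alice's credentials appear in London and New York an
# hour apart (shared account or stolen session); bob drives Manchester->London;
# carol moves across London, which is below the distance floor.
SAMPLE_EVENTS = [
    Event("alice", datetime(2019, 1, 10, 20, 0), 51.5074, -0.1278),
    Event("alice", datetime(2019, 1, 10, 21, 0), 40.7128, -74.0060),
    Event("bob", datetime(2019, 1, 10, 20, 0), 53.4808, -2.2426),
    Event("bob", datetime(2019, 1, 10, 23, 0), 51.5074, -0.1278),
    Event("carol", datetime(2019, 1, 10, 20, 0), 51.5074, -0.1278),
    Event("carol", datetime(2019, 1, 10, 20, 30), 51.5155, -0.0922),
]


def flagged_accounts(events=SAMPLE_EVENTS):
    """Accounts with at least one impossible-travel pair in the sample."""
    return sorted({h[0] for h in impossible_travel(events)})


if __name__ == "__main__":
    for account, a, b, km, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"{account}: {km} km between {a.when:%H:%M} and {b.when:%H:%M} "
              f"-> {kmh:.0f} km/h")
```

The distance floor and speed threshold are where the false positives live: IP geolocation of mobile and carrier-grade NAT traffic is coarse, and a VPN toggle looks exactly like a teleport, so in practice a hit like alice's is a signal to be weighed with device fingerprint and session data, not a verdict on its own.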

Nest Competitor Ring Reportedly Gave Employees Full Access To Customers' Live Camera Feeds

Thu, 01/10/2019 - 15:20
Amazon-owned Ring allowed employees to access customers' live camera feeds, according to a report from The Intercept. "Ring's engineers and executives have 'highly privileged access' to live camera feeds from customers' devices," reports 9to5Google. "This includes both doorbells facing the outside world, as well as cameras inside a person's home. A team tasked with annotating video to aid in object recognition captured 'people kissing, firing guns, and stealing.'" From the report: U.S. employees specifically had access to a video portal intended for technical support that reportedly allowed "unfiltered, round-the-clock live feeds from some customer cameras." What's surprising is how this support tool was apparently not restricted to only employees that dealt with customers. The Intercept notes that only a Ring customer's email address was required to access any live feed. According to the report's sources, employees had a blasé attitude to this potential privacy violation, but noted that they "never personally witnessed any egregious abuses." Meanwhile, a second group of Ring employees working on R&D in Ukraine had access to a folder housing "every video created by every Ring camera around the world." What's more, these employees had a "corresponding database that linked each specific video file to corresponding specific Ring customers." Also bothersome is Ring's reported stance towards encryption. Videos in that bucket were unencrypted due to the costs associated with implementation and "lost revenue opportunities due to restricted access." In response to the report, Ring said: "We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them."

Malware Found Preinstalled On Some Alcatel Smartphones

Thu, 01/10/2019 - 13:20
An anonymous reader quotes a report from ZDNet: A weather app that comes preinstalled on Alcatel smartphones contained malware that surreptitiously subscribed device owners to premium phone numbers behind their backs. The app, named "Weather Forecast-World Weather Accurate Radar," was developed by TCL Corporation, a Chinese electronics company that among other things owns the Alcatel, BlackBerry, and Palm brands. The app is one of the default apps that TCL installs on Alcatel smartphones, but it was also made available on the Play Store for all Android users -- where it had been downloaded and installed more than ten million times. But at one point last year, both the app included on some Alcatel devices and the one that was available on the Play Store were compromised with malware. How the malware was added to the app is unclear. TCL has not responded to phone calls requesting comment made by ZDNet this week. The app reportedly harvested users' data and sent it to China. It collected geographic locations, email addresses, and IMEI codes, which it sent back to TCL. Upstream, a UK-based mobile security firm, also found that "the malicious code hidden inside the app would also attempt to subscribe users to premium phone numbers that incurred large charges on users' phone bills," reports ZDNet. "All in all, the company says it detected and blocked over 27 million transaction attempts across seven markets, which would have created losses of around $1.5 million to phone owners if they hadn't been blocked." Upstream notes that most of the behavior they've seen originated only from two types of smartphones: Pixi 4 and A3 Max models.

Linux systemd Affected by Memory Corruption Vulnerabilities, No Patches Yet

Thu, 01/10/2019 - 10:00
Major Linux distributions are vulnerable to three bugs in systemd, a Linux initialization system and service manager in widespread use, California-based security company Qualys said late yesterday. From a report: The bugs exist in the 'journald' service, tasked with collecting and storing log data, and they can be exploited to obtain root privileges on the target machine or to leak information. No patches exist at the moment. Discovered by researchers at Qualys, the flaws are two memory corruption vulnerabilities (stack buffer overflow - CVE-2018-16864, and allocation of memory without limits - CVE-2018-16865) and one out-of-bounds error (CVE-2018-16866). They were able to obtain a local root shell on both x86 and x64 machines by exploiting CVE-2018-16865 and CVE-2018-16866. The exploit worked faster on the x86 platform, achieving its purpose in ten minutes; on x64, though, the exploit took 70 minutes to complete. Qualys is planning on publishing the proof-of-concept exploit code in the near future, but they did provide details on how they were able to take advantage of the flaws.

The Feds Cracked El Chapo's Encrypted Comms Network By Flipping His System Admin

Wed, 01/09/2019 - 17:00
With signs that the New York trial of notorious Mexican drug lord and alleged mass murderer Joaquin "El Chapo" Guzman is entering its end phase, prosecutors on Tuesday played copies of what they said were audio recordings of Guzman the FBI obtained "after they infiltrated his encrypted messaging system" with the help of Colombian and former cartel systems engineer Cristian Rodriguez, Reuters reported. Gizmodo reports: As has been previously reported by Vice, Colombian drug lord Jorge Cifuentes testified that Rodriguez had forgotten to renew a license key critical to the communications network of Guzman's Sinaloa Cartel in September 2010, forcing cartel leaders to temporarily rely on conventional cell phones. Cifuentes told the court he considered Rodriguez "an irresponsible person" who had compromised their security, with a terse phone call played by prosecutors showing Cifuentes warned the subordinate he was in "charge of the system always working." But on Tuesday it was revealed that the FBI had lured Rodriguez into a meeting with an agent posing as a potential customer much earlier, in February 2010, according to a report in the New York Times. Later, they flipped Rodriguez, having him transfer servers from Canada to the Netherlands in a move masked as an upgrade. During that process, Rodriguez slipped investigators the network's encryption keys. The communications system ran over Voice over Internet Protocol (VoIP), with only cartel members able to access it. Getting through its encryption gave authorities access to roughly 1,500 of Guzman's and other cartel members' calls from April 2011 to January 2012, the Times wrote, with FBI agents able to identify ones placed by the drug lord by "comparing the high-pitched, nasal voice on the calls with other recordings of the kingpin, including a video interview he gave to Rolling Stone in October 2015."

Senators Call On FCC To Investigate Carriers Selling Location Data To Bounty Hunters

Wed, 01/09/2019 - 16:20
An anonymous reader quotes a report from Motherboard: On Tuesday, Motherboard revealed that major American telcos T-Mobile, AT&T, and Sprint are selling customer location data of users in an unregulated market that trickles down to bounty hunters and people not authorized to handle such information. In our investigation, we purchased the real-time location of a cell phone from a bail industry source for $300, pinpointing it to a specific part of Queens, New York. The issue potentially impacts hundreds of millions of cell phone users in the United States, with customers likely unaware that their location data is being sold and resold through multiple companies, with even the telcos sometimes having little idea where it ends up and how it is used. Now, Senators and a commissioner for the Federal Communications Commission (FCC) have urged government bodies to investigate, with some calling for regulation that would ensure customers are properly made aware of how their data is being sold. "The American people have an absolute right to the privacy of their data, which is why I'm extraordinarily troubled by reports of this system of repackaging and reselling location data to unregulated third party services for potentially nefarious purposes. If true, this practice represents a legitimate threat to our personal and national security," Senator Kamala Harris told Motherboard in a statement. Harris explicitly called on the FCC to investigate the issue. "The FCC needs to immediately investigate these serious security concerns and take the necessary steps to protect the privacy of American consumers," she said. On Tuesday, FCC commissioner Jessica Rosenworcel tweeted: "The FCC needs to investigate. Stat." "It shouldn't be that you pay a few hundred dollars to a bounty hunter and then they can tell you in real time where a phone is within a few hundred meters. That's not right. This entire ecosystem needs some oversight," she added on MSNBC's Velshi & Ruhle show on Wednesday. "I think we've got to get to this fast." Senators Mark Warner and Ron Wyden are also calling on the FCC to act.

Security Firm Kaspersky, Which Has Been Accused by US of Working With Russian Spies, Helped Catch an Alleged NSA Data Thief

Wed, 01/09/2019 - 12:27
An anonymous reader shares a report: The 2016 arrest of a former National Security Agency contractor charged with a massive theft of classified data began with an unlikely source: a tip from a Russian cybersecurity firm that the U.S. government has called a threat to the country. Moscow-based Kaspersky Lab turned Harold T. Martin III in to the NSA after receiving strange Twitter messages in 2016 from an account linked to him, according to two people with knowledge of the investigation. They spoke with POLITICO on condition of anonymity because they're not authorized to discuss the case. The company's role in exposing Martin is a remarkable twist in an increasingly bizarre case that is believed to be the largest breach of classified material in U.S. history. It indicates that the government's own internal monitoring systems and investigators had little to do with catching Martin, who prosecutors say took home an estimated 50 terabytes of data from the NSA and other government offices over a two-decade period, including some of the NSA's most sophisticated and sensitive hacking tools. The revelation also introduces an ironic turn in the negative narrative the U.S. government has woven about the Russian company in recent years.

New Tool Automates Phishing Attacks That Bypass 2FA

Wed, 01/09/2019 - 10:50
A new penetration testing tool published at the start of the year by a security researcher can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA). From a report: Named Modlishka -- the English pronunciation of the Polish word for mantis -- this new tool was created by Polish researcher Piotr Duszynski. Modlishka is what IT professionals call a reverse proxy, but modified for handling traffic meant for login pages and phishing operations. It sits between a user and a target website -- like Gmail, Yahoo, or ProtonMail. Phishing victims connect to the Modlishka server (hosting a phishing domain), and the reverse proxy component behind it makes requests to the site it wants to impersonate. The victim receives authentic content from the legitimate site -- let's say for example Google -- but all traffic and all the victim's interactions with the legitimate site pass through and are recorded on the Modlishka server.
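The caveat a practitioner wants here is which second factors a relay proxy of this kind actually defeats. A one-time code (SMS, TOTP app) is just a string the victim types into the phishing page; the proxy forwards it to the real site within its validity window and it is accepted. An origin-bound authenticator (FIDO U2F / WebAuthn) is different: the browser, not the page, writes the page's origin into the signed client data and derives the RP ID from it, so an assertion produced while the victim is on the phishing domain fails verification at the real service. The following simulation is an added example and is not Modlishka's code or anything from Duszynski. The origins, secrets and timestamp are constructed, and an HMAC stands in for the authenticator's private-key signature so it runs without any crypto library.

```python
"""Why a relay proxy defeats TOTP but not an origin-bound WebAuthn assertion.

Added example; not Modlishka's code. Origins, secrets and the timestamp are
constructed, and HMAC stands in for the authenticator's signature.
"""
import base64
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://accounts.example.com"  # assumed relying-party origin
PHISH_ORIGIN = "https://login-phish.example"  # assumed proxy (phishing) origin


# ---- TOTP per RFC 6238 / RFC 4226: 30 s step, 6 digits -------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp_server_accepts(secret: bytes, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """Real service accepts the code if it matches any step in the skew window.
    It cannot tell whether the code was typed on its own page or relayed."""
    return any(hmac.compare_digest(submitted, totp(secret, now + d * 30))
               for d in range(-skew_steps, skew_steps + 1))


# ---- WebAuthn-style assertion, simplified --------------------------------
def browser_get_assertion(page_origin: str, challenge_b64: str, device_key: bytes):
    """What the victim's browser does when the page at page_origin calls
    navigator.credentials.get(): the browser fills in origin and RP ID itself,
    so a proxy serving the page cannot lie about them."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge_b64,
                              "origin": page_origin}).encode()
    # authenticatorData: sha256(rpId) || flags (UP) || signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(device_key, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return client_data, auth_data, sig


def rp_verify(client_data: bytes, auth_data: bytes, sig: bytes,
              challenge_b64: str, device_key: bytes, expected_origin: str = REAL_ORIGIN) -> bool:
    """Relying-party checks from the WebAuthn spec that matter for phishing."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge_b64:
        return False
    if cd.get("origin") != expected_origin:
        return False  # a proxy-relayed assertion fails here
    rp_hash = hashlib.sha256(expected_origin.split("://", 1)[1].encode()).digest()
    if auth_data[:32] != rp_hash:
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(device_key, signed, hashlib.sha256).digest())


def simulate(page_origin: str):
    """Victim logs in on page_origin; the proxy relays everything unchanged to
    the real service within seconds. Returns (totp_accepted, webauthn_accepted)."""
    secret = b"constructed-shared-totp-secret"
    device_key = b"constructed-authenticator-key"
    now = 1546963200  # constructed timestamp
    code = totp(secret, now)                                 # typed on the page
    totp_ok = totp_server_accepts(secret, code, now + 5)     # relayed 5 s later

    challenge = base64.urlsafe_b64encode(b"server-challenge-bytes").decode().rstrip("=")
    cd, ad, sig = browser_get_assertion(page_origin, challenge, device_key)
    webauthn_ok = rp_verify(cd, ad, sig, challenge, device_key)
    return totp_ok, webauthn_ok


if __name__ == "__main__":
    print("direct login :", simulate(REAL_ORIGIN))    # (True, True)
    print("via proxy    :", simulate(PHISH_ORIGIN))   # (True, False)
```

The relayed TOTP is accepted because nothing in the code binds it to where it was typed; the relayed assertion is rejected on the origin check before the signature is even examined. In a real browser the mismatch surfaces one step earlier, since a page on login-phish.example is not allowed to request an assertion for the RP ID accounts.example.com at all.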

Canada's Bell Telecommunications Company Wants Permission To Gather, Track Customer Data

Tue, 01/08/2019 - 17:30
Bell Canada is asking customers for permission to track everything they do with their home and mobile phones, internet, television, apps or any other services they get through Bell or its affiliates. "In return, Bell says it will provide advertising and promotions that are more 'tailored' to their needs and preferences," the report says. From the report: "Tailored marketing means Bell will be able to customize advertising based on participant account information and service usage patterns, similar to the ways that companies like Google and others have been doing for some time," the company says in recent notices to customers. If given permission, Bell will collect information about its customers' age, gender, billing addresses, and the specific tablet, television or other devices used to access Bell services. It will also collect the "number of messages sent and received, voice minutes, user data consumption and type of connectivity when downloading or streaming." "Bell's marketing partners will not receive the personal information of program participants; we just deliver the offers relevant to the program participants on their behalf," the company assures customers. Teresa Scassa, who teaches law at the University of Ottawa and holds the Canada Research Chair in Information Law and Policy, says Bell customers who opt into Bell's new program could be giving away commercially valuable personal information with little to no compensation for increased risks to their privacy and security. "Here's a company that's taking every shred of personal information about me, from all kinds of activities that I engage in, and they're monetizing it. What do I get in return? Better ads? Really? That's it? What about better prices?" Toronto-based consultant Charlie Wilton, whose firm has advised Bell and Rogers in the past, says: "I mean, in a perfect world, they would give you discounts or they would give you points or things that consumers would more tangibly want, rather than just the elimination of a pain point -- which is what they're offering right now."

Google Removes 85 Adware Apps That Were Installed By Millions of Users

Tue, 01/08/2019 - 15:30
Google has removed 85 Android apps from the official Play Store that security researchers from Trend Micro deemed to contain a common strain of adware. "The 85 apps had been downloaded over nine million times, and one app, in particular, named 'Easy Universal TV Remote,' was downloaded over five million times," reports ZDNet. From the report: While the apps were uploaded on the Play Store from different developer accounts and were signed by different digital certificates, they exhibited similar behaviors and shared the same code, researchers said in a report published today. But besides similarities in their source code, the apps were also visually identical, and were all of the same types, being either games or apps that let users play videos or control their TVs remotely. The first time users ran any of the apps, they would proceed to show fullscreen ads in different steps, asking and reasking users to press various buttons to continue. If the user was persistent and stayed with the app until it reached a menu page, every menu button push would trigger yet another fullscreen ad, over and over again until the app would suddenly crash, hiding its original app icon. But despite the crash, unbeknownst to the user, the app would continue to run in the phone's background, showing new fullscreen ads every 15 or 30 minutes, generating profits for the fraudsters until users either removed the apps or reset devices to factory settings as a last resort. You can view a list of the 85 adware apps via this PDF file.

US Telcos Are Selling Access To Their Customers' Location Data, and That Data Reaches Bounty Hunters and Others Not Authorized To Possess It

Tue, 01/08/2019 - 11:20
T-Mobile, Sprint, and AT&T are selling access to their customers' location data, and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country, an investigation by news outlet Motherboard has found. From the report: Nervously, I gave a bounty hunter a phone number. He had offered to geolocate a phone for me, using a shady, overlooked service intended not for the cops, but for private individuals and businesses. Armed with just the number and a few hundred dollars, he said he could find the current location of most phones in the United States. The bounty hunter sent the number to his own contact, who would track the phone. The contact responded with a screenshot of Google Maps, containing a blue circle indicating the phone's current location, approximate to a few hundred metres. [...] The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone's whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint, a Motherboard investigation has found. These surveillance capabilities are sometimes sold through word-of-mouth networks. [...] Motherboard's investigation shows just how exposed mobile networks and the data they generate are, leaving them open to surveillance by ordinary citizens, stalkers, and criminals, and comes as media and policy makers are paying more attention than ever to how location and other sensitive data is collected and sold. The investigation also shows that a wide variety of companies can access cell phone location data, and that the information trickles down from cell phone providers to a wide array of smaller players, who don't necessarily have the correct safeguards in place to protect that data. "Blade Runner, the iconic sci-fi movie, is set in 2019. And here we are: there's an unregulated black market where bounty-hunters can buy information about where we are, in real time, over time, and come after us. You don't need to be a replicant to be scared of the consequences," Thomas Rid, professor of strategic studies at Johns Hopkins University, told Motherboard. Ron Wyden, a senator from Oregon, said in a statement, "This is a nightmare for national security and the personal safety of anyone with a phone."

Google's New SMS and Call Permission Policy is Crippling Apps Used by Millions

Tue, 01/08/2019 - 10:01
Ryne Hager, writing for AndroidPolice: Late last year, Google decided it was time to crack down on apps requesting SMS and call log permissions. Ostensibly, exceptions would be granted for categories including backups and automation, but as of now, there are still gaps which cover legitimate use cases. While some popular apps like Tasker have successfully secured exemptions, others like Cerberus have not. Instead, they've decided to strip out those permissions or risk facing the wrath of Google's upcoming January 9th banhammer, killing associated functionality and disappointing millions of long-time users to adhere to the Play Store's new policy. The Play Console support page for the applicable set of permissions notifies developers that they can submit what is effectively an application for an exemption, categories for which are listed on the same page. (And that list of exceptions has grown since the original announcement.) Nonetheless, a further set of prohibitions are also included in the form itself, which explicitly preclude support for phone security/device location apps like Cerberus.

Coinbase Suspends Ethereum Classic (ETC) Trading After Double-Spend Attacks

Tue, 01/08/2019 - 06:00
Cryptocurrency trading portal Coinbase delisted the Ethereum Classic (ETC) currency Monday after detecting a series of double-spend attacks over the last three days. From a report: In layman's terms, double-spend attacks are when a malicious actor gains the majority computational power inside a blockchain, which they then use to enforce unauthorized transactions over legitimate ones. According to a security alert published today by Coinbase security engineer Mark Nesbitt, this is exactly what's been happening on the Ethereum Classic blockchain for the past three days, since January 5. Nesbitt says that a malicious actor has carried out 11 (at the time of writing) double-spend attacks during which they moved funds from legitimate accounts to their own. [...] According to Crypto51, it only costs $5,029 to rent enough computing power to overwhelm the ETC blockchain with your own miners and gain 51 percent hashing power to carry out a double-spend attack.
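The mechanism behind "majority computational power" is a chain race: the attacker pays an exchange, lets the payment get buried under z confirmations, then publishes a privately mined longer chain that omits it. The probability of winning that race from z blocks behind is the catch-up formula from section 11 of the Bitcoin whitepaper, and it is why exchanges respond to incidents like this by raising confirmation requirements rather than by anything on their own servers. The block below is an added example, not Coinbase's or Crypto51's code; it implements that formula and derives the confirmation depth needed to push the attacker's success probability below a chosen target, with the 0.1% target being an assumption for illustration.

```python
"""Attacker catch-up probability in a proof-of-work chain race (Nakamoto, section 11).

Added example; not code from Coinbase or Crypto51. q is the attacker's share of
hash power, z the number of confirmations the victim waits for.
"""
from math import exp


def catch_up_probability(q: float, z: int) -> float:
    """Probability an attacker with hash share q ever overtakes the honest chain
    after the victim's transaction has z confirmations.

    Honest progress during the attacker's catch-up is Poisson with mean
    lambda = z * q / p; for each k honest blocks mined the attacker must close a
    gap of z - k, which a gambler with odds q/p does with probability (q/p)^(z-k).
    """
    p = 1.0 - q
    if q >= p:
        return 1.0  # majority hash power: the attacker always wins eventually
    lam = z * q / p
    ratio = q / p
    poisson = exp(-lam)  # Poisson term for k = 0, updated iteratively (no overflow)
    total = 0.0
    for k in range(z + 1):
        if k:
            poisson *= lam / k
        total += poisson * (1.0 - ratio ** (z - k))
    return max(0.0, 1.0 - total)


def confirmations_needed(q: float, target: float = 0.001, max_z: int = 10_000):
    """Smallest z with catch_up_probability(q, z) < target, or None if q >= 0.5,
    where no number of confirmations helps."""
    if q >= 0.5:
        return None
    for z in range(1, max_z + 1):
        if catch_up_probability(q, z) < target:
            return z
    return None


def demo():
    """Rows of (q, confirmations needed for P < 0.1%) for a range of attacker shares."""
    return [(q, confirmations_needed(q)) for q in (0.10, 0.20, 0.30, 0.45, 0.51)]


if __name__ == "__main__":
    for q, z in demo():
        print(f"attacker share {q:.2f}: "
              f"{'no depth is safe' if z is None else f'{z} confirmations'}")
```

The table it prints is the practical content of the Coinbase alert: below roughly a third of hash power a few dozen confirmations suffice, at 45% it takes hundreds, and at 51% the function returns None because the attacker's chain grows faster than the honest one on average and will overtake it no matter how long the exchange waits. The only remedies at that point are to halt deposits, as Coinbase did, or to require a cost of attack (rental price times expected duration) that exceeds the value at risk.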

Companies Are Now Offering Seven Figures For Hacks That Allow Spies, Cops To Steal Chat App Messages

Mon, 01/07/2019 - 18:10
Zerodium, a startup that buys and sells hacking tools and exploits to governments around the world, announced on Monday price increases for almost everything they are looking for, such as iOS remote jailbreaks and Windows exploits. "It said it will now pay security researchers $1,000,000 for exploits in WhatsApp, iMessage, and SMS/MMS apps for all mobile operating systems," reports Motherboard. From the report: Compromising the whole iPhone, sometimes referred to as remote jailbreaking or rooting the phone, can cost $2 million or more, and usually involves a series of bugs and exploits. The price increase shows that mobile devices in general are getting more and more secure, and thus harder to hack. That means that it's becoming increasingly hard for hackers to break into iOS and Android devices. That makes the life of folks like spy agencies and police departments harder too. That's where Zerodium and other similar companies, such as Azimuth and Crowdfense, come in: they act as intermediaries between security researchers and government agencies looking for tools -- often called zero-days -- to break into targets. Before today, Zerodium was willing to pay $500,000 for WhatsApp and iMessage exploits, according to an archived version of the company's site. These new prices are in line with the market, according to Maor Shwartz, who used to run a company that acquired and sold exploits to government agencies.

Germany Reportedly Seeks US Assistance After Hacking Breach

Mon, 01/07/2019 - 06:40
German authorities sought help from the U.S. National Security Agency after discovering that hackers had released private data linked to Chancellor Angela Merkel and hundreds of other German politicians, Bild newspaper reported. From a report: Responding to the biggest data dump of its kind in the country, German investigators wanted the U.S. intelligence agency to lean on Twitter to shut down profiles with links to the data, Bild said, citing unidentified security officials. German authorities argued that U.S. citizens were among thousands of people exposed by the data dump. As investigators seek to find out how data including email addresses, mobile phone numbers and private chat protocols were exposed, politicians took aim at Germany's Federal Office for Information Security, known as BSI, for failing to respond after receiving initial indications in December.

National Parks Face Years of Damage From Government Shutdown

Mon, 01/07/2019 - 01:30
When the government eventually reopens, park experts warn reversing damage won't be as easy as throwing out the trash. From a report: National parks are America's public lands, but right now they're America's trashcans. That's because the U.S. federal government, embattled over funding for a border wall, has shut down, leaving national parks open and largely unattended. Since the shutdown began, brimming trashcans, overflowing toilets, and trespassing have been reported at many park locations. "Never before have I seen the federal government tempt fate in national parks the way we are today," says Diane Regas, president of the Trust for Public Land. "It's not about what has happened already. It's about what could happen if you don't have the appropriate staffing." According to the National Parks Conservation Association (NPCA), staffing varies by park, but some 16,000 park service employees are furloughed, leaving a small number active for policing and security. The government shut down three times in 2018, but only for three days last January and for less than a day the following February. As of Friday, the government had been partially shut down for 13 days. Further reading: Government Shutdown is Putting a Damper on Science in Seattle and Elsewhere.

NSA To Release a Free Reverse Engineering Tool

Sun, 01/06/2019 - 12:33
The US National Security Agency will release a free reverse engineering tool at the upcoming RSA security conference that will be held at the start of March, in San Francisco. From a report: The software's name is GHIDRA and in technical terms, is a disassembler, a piece of software that breaks down executable files into assembly code that can then be analyzed by humans. The NSA developed GHIDRA at the start of the 2000s, and for the past few years, it's been sharing it with other US government agencies that have cyber teams who need to look at the inner workings of malware strains or suspicious software. GHIDRA's existence was never a state secret, but the rest of the world learned about it in March 2017 when WikiLeaks published Vault7, a collection of internal documentation files that were allegedly stolen from the CIA's internal network. Those documents showed that the CIA was one of the agencies that had access to the tool.

Researchers Fool ReCAPTCHA With Google's Own Speech-To-Text Service

Fri, 01/04/2019 - 16:50
Researchers at the University of Maryland have managed to trick Google's reCaptcha system by using Google's own speech-to-text service. "[The researchers] claim that their CAPTCHA-fooling method, unCaptcha, can fool Google's reCaptcha, one of the most popular CAPTCHA systems currently used by hundreds of thousands of websites, with a 90 percent success rate," reports Motherboard. From the report: The researchers originally developed UnCaptcha in 2017, which uses Google's own free speech-to-text service to trick the system into thinking a robot is a human. It's an ouroboros of bots: According to their paper, UnCaptcha downloads the audio captcha, segments the audio into individual digit audio clips, uploads the segments to multiple other speech-to-text services (including Google's), then converts these services' responses to digits. After a little homophone guesswork, it then decides which speech-to-text output is closest to accurate, and uploads the answer to the CAPTCHA field. This old method returned an 85% success rate. After the release of that version of unCaptcha, Google fixed some of the loopholes that made it work, including better browser automation detection and switching to spoken phrases, rather than digits. The researchers claim that their new method, updated in June, gets around these improvements and is even more accurate than before, at 90 percent. "We have been in contact with the ReCaptcha team for over six months and they are fully aware of this attack," the researchers write. "The team has allowed us to release the code, despite its current success."

Marriott Says Hackers Stole More Than 5 Million Passport Numbers

Fri, 01/04/2019 - 08:57
Marriott has downsized its original estimate on a major data breach, but the number of people affected is still historic. The hotel group announced Friday that it now believes hackers accessed the records of up to 383 million guests, following an investigation it conducted with a forensics and analytics team. In November, it had reported an estimate of as many as 500 million guests. From a report: Even at that lower figure, the Marriott incident remains one of the largest personal data breaches in history, more than double that of Equifax, which exposed the personal data of 147.7 million Americans. Data breaches have become a common issue for massive companies that collect and store information on millions of people. In 2018, tech giants like Facebook and Reddit fell victim to data breaches. Hackers look for poor protection that they can bypass to steal valuable details like Social Security numbers, birth dates, email addresses and credit card numbers.

Hundreds of German Lawmakers Targeted in Mass Cyber Attack

Fri, 01/04/2019 - 06:47
A stolen cache of personal information belonging to nearly 1,000 German politicians -- including outgoing Chancellor Angela Merkel -- has been leaked, according to a report published Thursday. From a report: The information includes everything from phone numbers and credit card details to private messages with family members, German media said. The hack has impacted national, regional and EU politicians from all major parties except for members of the far-right Alternative for Germany (Alternative fur Deutschland, or AfD) party. Journalists, musicians, comedians and activists were also targeted. There is currently no indication of who was behind the attack, but the hacker or hackers leaked information for more than a month on Twitter before the media picked it up. The scale of the hack was first reported by RBB, leading Justice Minister Katarina Barley to call it a "serious attack" Friday morning. "The people behind this want to damage confidence in our democracy and institutions," Barley said. The federal office for information security (BSI) said Friday it was investigating, adding that government networks had not been affected.