Slashdot security articles

The U.S. Considers Ban on Exporting Surveillance Technology To China

Sat, 12/07/2019 - 13:34
The South China Morning Post reports that the U.S. may be taking a stand against China. This week the U.S. House of Representatives passed a new bill that would "tighten export controls on China-bound U.S. technology that could be used to 'suppress individual privacy, freedom of movement and other basic human rights' [and] ordering the U.S. president, within four months of the legislation's enactment, to submit to Congress a list of Chinese officials deemed responsible for, or complicit in, human rights abuses in Xinjiang... The UIGHUR Act also demands that, on the same day, those individuals are subject to sanctions under the Global Magnitsky Act, seizing their U.S.-based assets and barring them from entry onto U.S. soil." Reuters notes that American government officials "have sounded the alarm on China's detention of at least a million Uighur Muslims, by U.N. estimates, in the northwestern region of Xinjiang as a grave abuse of human rights and religious freedom..." U.S. congressional sources and China experts say Beijing appears especially sensitive to provisions in the Uighur Act passed by the House of Representatives this week banning exports to China of items that can be used for surveillance of individuals, including facial and voice-recognition technology... A U.S. congressional source also said a Washington-based figure close to the Chinese government told him recently it disliked the Uighur bill more than the Hong Kong bill for "dollars and cents reasons," because the former measure contained serious export controls on money-spinning security technology, while also threatening asset freezes and visa bans on individual officials. Victor Shih, an associate professor of China and Pacific Relations at the University of California, San Diego, said mass surveillance was big business in China and a number of tech companies there could be hurt by the law if it passes.
China spent roughly 1.24 trillion yuan ($176 billion) on domestic security in 2017 -- 6.1% of total government spending and more than was spent on the military. Budgets for internal security, of which surveillance technology is a part, have doubled in regions including Xinjiang and Beijing.

Trump Administration Drops Plans For Mandatory Face Scans of Citizens

Fri, 12/06/2019 - 15:30
schwit1 shares a report from U.S. News & World Report: The Department of Homeland Security is dropping plans to propose a regulation requiring all travelers -- including U.S. citizens -- to have their photos taken and faces scanned by facial recognition technology when entering and exiting the country, according to multiple reports. The proposed rule was slated to be issued in July of next year and would be part of a larger effort by U.S. Customs and Border Protection to better track those who enter and exit the country. Privacy advocates pointed to a June data breach as one of the reasons that the agency should not collect the information. DHS last summer acknowledged a cyberattack against a contractor that exposed the photos and license plates of nearly 100,000 people traveling in and out of the country at a border crossing.

Keep Your IoT Devices on a Separate Network, FBI Says

Fri, 12/06/2019 - 11:30
The FBI says owners of IoT (Internet of Things) devices should isolate this equipment on a separate WiFi network, different from the one they're using for their primary devices, such as laptops, desktops, or smartphones. From a report: "Your fridge and your laptop should not be on the same network," the FBI's Portland office said in a weekly tech advice column. "Keep your most private, sensitive data on a separate system from your other IoT devices," it added. The same advice -- to keep devices on a separate WiFi network or LAN -- has been shared in the past by multiple IT and security experts. The reasoning behind it is simple. By keeping all the IoT equipment on a separate network, any compromise of a "smart" device will not grant an attacker a direct route to a user's primary devices -- where most of their data is stored. Jumping across the two networks would require considerable effort from the attacker. However, placing primary devices and IoT devices on separate networks might not sound that easy for non-technical users. The simplest way is to use two routers. Further reading: Now Even the FBI is Warning About Your Smart TV's Security.

W3C Recommends WebAssembly To Push the Limits For Speed, Efficiency and Responsiveness

Fri, 12/06/2019 - 09:30
The WebAssembly Working Group today published the three WebAssembly specifications as W3C Recommendations, marking the arrival of a new language for the Web which allows code to run in the browser. From a report: WebAssembly Core Specification defines a low-level virtual machine which closely mimics the functionality of many microprocessors upon which it is run. Either through Just-In-Time compilation or interpretation, the WebAssembly engine can perform at nearly the speed of code compiled for a native platform. A .wasm resource is analogous to a Java .class file in that it contains static data and code segments which operate over that static data. Unlike Java, WebAssembly is typically produced as a compilation target from other programming languages like C/C++ and Rust. WebAssembly Web API defines a Promise-based interface for requesting and executing a .wasm resource. The structure of a .wasm resource is optimized to allow execution to begin before the entire resource has been retrieved, which further enhances responsiveness of WebAssembly applications. WebAssembly JavaScript Interface provides a JavaScript API for invoking and passing parameters to WebAssembly functions. In Web browsers, WebAssembly's interactions with the host environment are all managed through JavaScript, which means that WebAssembly relies on JavaScript's highly-engineered security model.

Most of the Largest US Voting Districts Are Vulnerable To Email Spoofing

Thu, 12/05/2019 - 17:50
Researchers at Valimail found that only 5% of the largest voting counties in the U.S. are protected against email impersonation and phishing attacks. TechCrunch reports: Researchers at Valimail, which has a commercial stake in the email security space, looked at the largest three electoral districts in each U.S. state, and found only 10 out of 187 domains were protected with DMARC, an email security protocol that verifies the authenticity of a sender's email and rejects fraudulent or spoofed emails. DMARC, when enabled and properly enforced, rejects fake emails that hackers design to spoof a genuine email address by sending them to spam or bouncing them from the target's inbox altogether. Hackers often use spoofed emails to try to trick victims into opening malicious links from people they know. But the research found that although DMARC is enabled on many domains, it's not properly enforced, rendering its filtering efforts largely ineffective. The researchers said 66% of the district election-related domains had no DMARC entry at all, while 28% had either a valid DMARC entry but no enforcement, or an invalid DMARC entry altogether. [...] The worry is that attackers could use the lack of DMARC to impersonate legitimate email addresses to send targeted phishing or malware in order to gain a foothold on election networks or launch attacks, steal data or delete it altogether, a move that would potentially disrupt the democratic process.
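The distinction the survey draws between "no DMARC", "DMARC but no enforcement" and "invalid DMARC" comes down to the contents of the `_dmarc.<domain>` TXT record. The following is an added example, not Valimail's or TechCrunch's code: it parses such records offline against constructed sample values (the `.example` domains are placeholders, not the districts surveyed) and classifies each domain the way the article's percentages do. A live check would feed the output of a TXT lookup into the same functions.

```python
"""Classify DMARC policy records into the survey's categories:
no record, invalid record, record present but unenforced (p=none),
or enforced (p=quarantine / p=reject). Runs offline on constructed data."""

# Constructed sample answers for the _dmarc.<domain> TXT lookup.
# The domains are placeholders, not the districts the article surveyed.
SAMPLE_DMARC_TXT = {
    "county-a.example": None,  # NXDOMAIN / no TXT record published
    "county-b.example": "v=DMARC1; p=none; rua=mailto:reports@county-b.example",
    "county-c.example": "p=reject; v=DMARC1",  # invalid: the v tag must come first
    "county-d.example": "v=DMARC1; p=reject; rua=mailto:reports@county-d.example",
    "county-e.example": "v=DMARC1; p=quarantine; pct=100",
    "county-f.example": "v=DMARC1; rua=mailto:x@county-f.example",  # invalid: no p tag
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return the tag/value dict for a syntactically valid DMARC record, else None.

    RFC 7489 requires 'v=DMARC1' as the first tag and a 'p' tag on the
    organisational domain's record; duplicate tags make the record unusable."""
    if not txt:
        return None
    tags = {}
    first = True
    for raw in txt.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing ';'
        if "=" not in raw:
            return None
        key, value = (part.strip() for part in raw.split("=", 1))
        key = key.lower()
        if first and (key != "v" or value.upper() != "DMARC1"):
            return None
        first = False
        if key in tags:
            return None
        tags[key] = value
    if "v" not in tags or "p" not in tags:
        return None
    if tags["p"].lower() not in VALID_POLICIES:
        return None
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        return None
    return tags


def classify(txt):
    """Map a raw TXT value to 'none', 'invalid', 'unenforced' or 'enforced'."""
    if not txt:
        return "none"
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    if tags["p"].lower() == "none":
        return "unenforced"  # monitoring only: spoofed mail is still delivered
    # Assumption for this example: a policy applied to less than 100% of
    # mail (pct<100) is counted as not fully enforced.
    if int(tags.get("pct", "100")) < 100:
        return "unenforced"
    return "enforced"


def summarize(records):
    """Count domains per category and express each as a percentage of the total."""
    counts = {"none": 0, "invalid": 0, "unenforced": 0, "enforced": 0}
    for txt in records.values():
        counts[classify(txt)] += 1
    total = len(records) or 1
    return {k: (v, round(100.0 * v / total, 1)) for k, v in counts.items()}


if __name__ == "__main__":
    for category, (count, share) in summarize(SAMPLE_DMARC_TXT).items():
        print(f"{category:<10} {count:>3} domains ({share}%)")
```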

China Resurrects Great Cannon For DDoS Attacks On Hong Kong Forum

Thu, 12/05/2019 - 16:10
An anonymous reader quotes a report from ZDNet: More than two years after it was last used, the Chinese government deployed an infamous DDoS tool named the "Great Cannon" to launch attacks against LIHKG, an online forum where Hong Kong residents are organizing anti-Beijing protests. [...] DDoS attacks with the Great Cannon have been rare, mainly because they tend to generate a lot of bad press for the Chinese government. But in a report published today, AT&T Cybersecurity says the tool has been deployed once again. This time, the Great Cannon's victim was LIHKG.com, an online platform where the organizers of the Hong Kong 2019 protests have been sharing information about the locations of daily demonstrations. The site is also a place where Hong Kong residents congregate to recount stories of Chinese police abuse and upload video evidence. AT&T Cybersecurity says the first Great Cannon DDoS attacks targeted LIHKG on August 31, with the last one recorded on November 27. AT&T Cybersecurity researcher Chris Doman said the August attacks used JavaScript code that was very similar to the one spotted in the 2017 attacks on Mingjingnews.com. According to LIHKG, the site received more than 1.5 billion requests per hour during the August attack, compared to the site's previous traffic record that was only a meager 6.5 million requests per hour.

44 Million Microsoft Users Reused Passwords in the First Three Months of 2019

Thu, 12/05/2019 - 15:30
The Microsoft threat research team scanned all Microsoft user accounts and found that 44 million users were employing usernames and passwords that leaked online following security breaches at other online services. From a report: The scan took place between January and March 2019. Microsoft said it scanned user accounts using a database of over three billion leaked credentials, which it obtained from multiple sources, such as law enforcement and public databases. The scan effectively helped Microsoft identify users who reused the same usernames and passwords across different online accounts. The 44 million total included Microsoft Services Accounts (regular user accounts), but also Azure AD accounts.

New Linux Vulnerability Lets Attackers Hijack VPN Connections

Thu, 12/05/2019 - 12:50
An anonymous reader writes: Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams. They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard. The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android. A currently incomplete list of vulnerable operating systems and the init systems they came with is available below, with more to be added once they are tested and found to be affected: Ubuntu 19.10 (systemd), Fedora (systemd), Debian 10.2 (systemd), Arch 2019.05 (systemd), Manjaro 18.1.1 (systemd), Devuan (sysV init), MX Linux 19 (Mepis+antiX), Void Linux (runit), Slackware 14.2 (rc.d), Deepin (rc.d), FreeBSD (rc.d), and OpenBSD (rc.d). This security flaw "allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website," according to William J. Tolley, Beau Kujath, and Jedidiah R. Crandall, Breakpointing Bad researchers at University of New Mexico. "Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections," the researchers said.

A Billion Surveillance Cameras Forecast To Be Watching Within Two Years

Thu, 12/05/2019 - 10:10
As governments and companies invest more in security networks, hundreds of millions more surveillance cameras will be watching the world in 2021, mostly in China, according to a new report. From a report: The report, from industry researcher IHS Markit, to be released Thursday, said the number of cameras used for surveillance would climb above 1 billion by the end of 2021. That would represent an almost 30% increase from the 770 million cameras today. China would continue to account for a little over half the total. Fast-growing, populous nations such as India, Brazil and Indonesia would also help drive growth in the sector, the report said. IHS analyst Oliver Philippou said government programs to implement widespread video surveillance to monitor the public would be the biggest catalyst for the growth in China. City surveillance also was driving demand elsewhere.

Hackers Trick Venture Capital Firm Into Sending Them $1 Million

Thu, 12/05/2019 - 07:30
Security researchers at Check Point say the company has uncovered evidence that Chinese hackers managed to hijack $1 million in seed money during a wire transfer between a Chinese venture capital firm and an Israeli startup -- without either side realizing anything was wrong. From a report: The VC firm and the startup, whose names Check Point hasn't released, reached out to the security firm after the funds failed to arrive. Once Check Point dug into the details, it discovered a man-in-the-middle attack that took a lot of planning and plenty of patience. After analyzing the server logs, emails, and the computers involved in correspondence between the companies, Check Point noticed some abnormalities. Some of the emails, analysts discovered, had been modified. Others hadn't even been written by either organization. After seeing the original email thread announcing the upcoming multi-million dollar seeding fund, the hacker took action. Instead of monitoring subsequent emails by creating an auto forwarding rule (standard practice in traditional attacks), the hacker started by creating two lookalike domains.

Huawei Launches New Legal Challenge Against US Ban

Thu, 12/05/2019 - 06:50
Chinese telecoms giant Huawei has launched a legal challenge to a decision by US regulators to classify it as a national security threat. From a report: It comes after the US Federal Communications Commission put curbs on rural mobile providers using an $8.5bn government fund to buy Huawei equipment. The firm said evidence that it was a threat to security "does not exist." The move is the latest in a series of challenges between Huawei and the US. The company has asked the US Court of Appeals to overturn the decision. Speaking at a news conference at Huawei's headquarters in Shenzhen, the company's chief legal officer, Song Liuping, said: "The US government has never presented real evidence to show that Huawei is a national security threat. That's because this evidence does not exist."

New Iranian Wiper Discovered In Attacks On Middle Eastern Companies

Wed, 12/04/2019 - 19:30
An anonymous reader quotes a report from Ars Technica: IBM X-Force, the company's security unit, has published a report of a new form of "wiper" malware connected to threat groups in Iran and used in a destructive attack against companies in the Middle East. The sample was discovered in a response to an attack on what an IBM spokesperson described as "a new environment in the [Middle East] -- not in Saudi Arabia, but another regional rival of Iran." Dubbed ZeroCleare, the malware is "a likely collaboration between Iranian state-sponsored groups," according to a report by IBM X-Force researchers. The attacks were targeted against specific organizations and used brute-force password attacks to gain access to network resources. The initial phase of the attacks was launched from Amsterdam IP addresses owned by a group tied to what IBM refers to as the "ITG13 Group" -- also known as "Oilrig" and APT34. Another Iranian threat group may have used the same addresses to access accounts prior to the wiper campaign. In addition to brute force attacks on network accounts, the attackers exploited a SharePoint vulnerability to drop web shells on a SharePoint server. These included China Chopper, Tunna, and another Active Server Pages-based webshell named "extensions.aspx," which "shared similarities with the ITG13 tool known as TWOFACE/SEASHARPEE," the IBM researchers reported. They also attempted to install TeamViewer remote access software and used a modified version of the Mimikatz credential-stealing tool -- obfuscated to hide its intent -- to steal more network credentials off the compromised servers. From there, they moved out across the network to spread the ZeroCleare malware. 
"While X-Force IRIS cannot attribute the activity observed during the destructive phase of the ZeroCleare campaign," the researchers noted, "we assess that high-level similarities with other Iranian threat actors, including the reliance on ASPX web shells and compromised VPN accounts, the link to ITG13 activity, and the attack aligning with Iranian objectives in the region, make it likely this attack was executed by one or more Iranian threat groups."

Apple's Activation Lock Will Make It Very Difficult To Refurbish Macs

Wed, 12/04/2019 - 16:10
Apple's Activation Lock is an anti-theft feature built into iOS, watchOS, and macOS Catalina that prevents people from restoring your Apple devices without your permission. "With the release of macOS Catalina earlier this fall, any Mac that's equipped with Apple's new T2 security chip now comes with Activation Lock," writes iFixit's Craig Lloyd. What this means is that there will likely be thousands of perfectly good Macs being parted out or scrapped instead of being put into the hands of people who could really use them. From the report: Activation Lock was designed to prevent anyone else from using your device if it's ever lost or stolen, and it's built into the "Find My" service on iPhones, iPads, and other Apple devices. When you're getting rid of an old phone, you want to use Apple's Reset feature to wipe the phone clean, which also removes it from Find My iPhone and gets rid of the Activation Lock. But if you forget, and sell your old iPhone to a friend before you properly wipe it, the phone will just keep asking them for your Apple ID before they can set it up as a new phone. In other words, they won't be able to do much with it besides scrap it for parts. That seems like a nice way to thwart tech thieves, but it also causes unnecessary chaos for recyclers and refurbishers who are wading through piles of locked devices they can't reuse. This reduces the supply of refurbished devices, making them more expensive -- oh, and it's an environmental nightmare. [...] The T2 security chip, however, erases any hope and makes it impossible to do anything on a Mac without the proper Apple ID credentials. Attempting any kind of hardware tinkering on a T2-enabled Mac activates a hardware lock, which can only be undone by connecting the device to Apple-authorized repair software. It's great for device security, but terrible for repair and refurbishment. 
While recyclers may not be dealing with as many locked Macs as locked iPhones (especially since Activation Lock on Macs is still very new, and there are specific software criteria that need to be met), it's only a matter of time before thousands upon thousands of perfectly working Macs are scrapped or shredded, for lack of an unknown password.

2020 US Census Plagued By Hacking Threats, Cost Overruns

Wed, 12/04/2019 - 08:10
Reuters reports: In 2016, the U.S. Census Bureau faced a pivotal choice in its plan to digitize the nation's once-a-decade population count: build a system for collecting and processing data in-house, or buy one from an outside contractor. The bureau chose Pegasystems, reasoning that outsourcing would be cheaper and more effective. Three years later, the project faces serious reliability and security problems, according to Reuters interviews with six technology professionals currently or formerly involved in the census digitization effort. And its projected cost has doubled to $167 million -- about $40 million more than the bureau's 2016 cost projection for building the site in-house. The Pega-built website was hacked from IP addresses in Russia during 2018 testing of census systems, according to two security sources with direct knowledge of the incident. One of the sources said an intruder bypassed a "firewall" and accessed parts of the system that should have been restricted to census developers. "He got into the network," one of the sources said. "He got into where the public is not supposed to go." In a separate incident during the same test, an IP address affiliated with the census site experienced a domain name service attack, causing a sharp increase in traffic, according to one of the two sources and a third source with direct knowledge of the incident.

Two Malicious Python Libraries Caught Stealing SSH and GPG Keys

Wed, 12/04/2019 - 07:25
The Python security team removed two trojanized Python libraries from PyPI (Python Package Index) that were caught stealing SSH and GPG keys from the projects of infected developers. From a report: The two libraries were created by the same developer and mimicked other more popular libraries -- using a technique called typosquatting to register similar-looking names. The first is "python3-dateutil," which imitated the popular "dateutil" library. The second is "jeIlyfish" (the first L is an I), which mimicked the "jellyfish" library. The two malicious clones were discovered on Sunday, December 1, by German software developer Lukas Martini. Both libraries were removed on the same day after Martini notified dateutil developers and the PyPI security team. While python3-dateutil was created and uploaded on PyPI two days before, on November 29, the jeIlyfish library had been available for nearly a year, since December 11, 2018.
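Both clones relied on names that a human reviewing a requirements file would read as the genuine package: a homoglyph (capital I for lowercase l) and a plausible distribution prefix. The following is an added example, not code from PyPI or from the report, showing the kind of lookalike check a team can run over its own dependency list before installing. The `KNOWN_PACKAGES` set is a constructed stand-in for a real allow-list (the genuine PyPI distribution for `dateutil` is `python-dateutil`, so that name is used there), and the homoglyph and prefix tables are assumptions for this example.

```python
"""Flag dependency names that imitate a known package, as the two malicious
PyPI uploads did: 'jeIlyfish' (capital I) for jellyfish and 'python3-dateutil'
for python-dateutil. Runs offline against a constructed allow-list."""

# Constructed allow-list. A real check would use the organisation's own
# dependency manifest or a list of the most-downloaded PyPI projects.
KNOWN_PACKAGES = {"jellyfish", "python-dateutil", "requests", "urllib3"}

# Characters that render almost identically in common monospace fonts
# (assumed table for this example). Applied before case-folding so that
# a capital I becomes an l rather than an i.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})

# Decorations squatters bolt onto a genuine name (assumed list).
PREFIXES = ("python3-", "python-", "py-")
SUFFIXES = ("-python", "-py")


def normalize(name):
    """Fold homoglyphs, case and separator choice so lookalikes collide."""
    return name.translate(HOMOGLYPHS).lower().replace("_", "-")


def strip_decoration(name):
    """Remove one leading or trailing decoration such as 'python3-' or '-py'."""
    for prefix in PREFIXES:
        if name.startswith(prefix) and len(name) > len(prefix):
            return name[len(prefix):]
    for suffix in SUFFIXES:
        if name.endswith(suffix) and len(name) > len(suffix):
            return name[:-len(suffix)]
    return name


def edit_distance(a, b):
    """Levenshtein distance, to catch names one keystroke away from a known one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(candidate, known=KNOWN_PACKAGES):
    """Return the known package that `candidate` imitates, or None.

    A name that is exactly a known package is the genuine article, so it is
    never reported. Otherwise the candidate is folded and stripped of
    decoration and compared with each known name, first for equality and
    then for a single-edit difference (only for names long enough that one
    edit is unlikely to be a distinct legitimate project)."""
    if candidate in known:
        return None
    folded = normalize(candidate)
    stripped = strip_decoration(folded)
    for name in known:
        target = strip_decoration(normalize(name))
        if folded == target or stripped == target:
            return name
        if len(target) >= 5 and edit_distance(stripped, target) == 1:
            return name
    return None


def scan_requirements(lines, known=KNOWN_PACKAGES):
    """Return (requested_name, imitated_package) for each suspicious line.

    Handles the common 'name==version' / 'name>=version' forms; the version
    specifier is dropped before the name is checked."""
    findings = []
    for line in lines:
        name = line.strip().split("#", 1)[0]
        for sep in ("==", ">=", "<=", "~=", "!=", ">", "<"):
            name = name.split(sep, 1)[0]
        name = name.strip()
        if not name:
            continue
        hit = lookalike_of(name, known)
        if hit:
            findings.append((name, hit))
    return findings


if __name__ == "__main__":
    # Constructed requirements file mixing genuine and lookalike entries.
    sample = ["requests==2.22.0", "jeIlyfish", "python3-dateutil>=2.8", "jellyfish"]
    for requested, imitated in scan_requirements(sample):
        print(f"{requested!r} looks like {imitated!r}")
```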

Ring Reportedly Outed Camera Owners To Police With a Heat Map

Tue, 12/03/2019 - 18:10
Amazon-owned home surveillance company Ring gave law enforcement a heat map that let police see all devices installed in an area, allowing them to view users down to the street level. CNET first reported the news. From a report: While the feature was removed in July, law enforcement could reportedly use the function to search for the concentration of cameras in a neighborhood, and even see circles drawn around individual user locations. The documents that revealed the feature were obtained by a privacy researcher and shared with the publication. The feature was so specific, according to CNET, that police could essentially obtain the specific location of Ring customers. While police can request videos from users through Ring, the company has denied that it provides information to law enforcement on who, specifically, owns their products. Ring said in a statement to CNET that zooming in on the map "would not provide actual device locations."

A Bug In Microsoft's Login System Put Users At Risk of Account Hijacks

Tue, 12/03/2019 - 17:00
Microsoft has fixed a vulnerability in its login system that could have been used to trick unsuspecting victims into giving over complete access to their online accounts. TechCrunch reports: The bug allowed attackers to quietly steal account tokens, which websites and apps use to grant users access to their accounts without requiring them to constantly re-enter their passwords. These tokens are created by an app or a website in place of a username and password after a user logs in. That keeps the user persistently logged into the site, but also allows users to access third-party apps and websites without having to directly hand over their passwords. Researchers at Israeli cybersecurity company CyberArk found that Microsoft left open an accidental loophole which, if exploited, could've been used to siphon off these account tokens used to access a victim's account -- potentially without ever alerting the user. CyberArk's latest research, shared exclusively with TechCrunch, found dozens of unregistered subdomains connected to a handful of apps built by Microsoft. These in-house apps are highly trusted and, as such, associated subdomains can be used to generate access tokens automatically without requiring any explicit consent from the user. With the subdomains in hand, all an attacker would need is to trick an unsuspecting victim into clicking on a specially crafted link in an email or on a website, and the token can be stolen. [...] Luckily, the researchers registered as many of the subdomains as they could find from the vulnerable Microsoft apps to prevent any malicious misuse, but warned there could be more.

Dutch Politician Faces 3 Years In Prison For Hacking iCloud Accounts, Leaking Nudes

Tue, 12/03/2019 - 16:30
An anonymous reader writes: "Dutch prosecutors have asked a judge for a three-year prison sentence for a local politician who doubled as a hacker and breached the personal iCloud accounts of more than 100 women, stealing and then leaking sexually explicit photos and videos online," reports ZDNet. The hacker (VVD politician Mitchel van der K.) is believed to have been part of the Celebgate (TheFappening) movement. Between 2015 and 2017, van der K. used credentials leaked at other sites to hack into iCloud accounts belonging to acquaintances and Dutch celebrities, from where he stole nudes and sex tapes. Some he leaked online, some he kept for himself. Victims included acquaintances, but also local celebrities, such as Dutch YouTube star Laura Ponticorvo and Dutch field hockey star Fatima Moreira de Melo. After he was arrested, van der K. claimed he was forced to hack his victims by other hackers, an excuse which the prosecution quickly knocked down, pointing out that half of his victims were friends and acquaintances, and not celebrities that would be of interest to other hackers. Days before he was arrested, van der K. was also elected to his city's council, a position from which he resigned.

FaceApp and Other Russian Apps Pose Potential Counterintelligence Threats, Says FBI

Tue, 12/03/2019 - 15:50
The FBI warned in a letter to Senate Minority Leader Chuck Schumer (D-N.Y.) Monday that it considers mobile applications developed in Russia, including the popular photo-aging app "FaceApp," to be "potential counterintelligence threats." Axios reports: FaceApp is a Russian-owned mobile application that allows users to upload photos of themselves and see what they may look like at a different age. Experts warned about potential privacy and national security concerns when the app spiked in popularity this past summer, prompting Schumer to request that the FBI and Federal Trade Commission look into the matter in July. "The FBI considers any mobile application or similar product developed in Russia, such as FaceApp, to be a potential counterintelligence threat, based on the data the product collects, its privacy and terms of use policies, and the legal mechanisms available to the Government of Russia that permit access to data within Russia's borders." The agency goes on to say: "Russia's intelligence services maintain robust cyber exploitation capabilities [...] the [Russian Federal Security Service] can remotely access all communications and servers on Russian networks without making a request to ISPs." The FBI said it will coordinate for notifications and investigations, and will work with applicable task forces if the app is perceived as a threat to "elected officials, candidates, political campaigns or political parties." Schumer said in a statement: "In light of FBI's warning that FaceApp, and similar applications developed in Russia, poses a potential counterintelligence threat to the United States, I strongly urge all Americans to consider deleting apps like FaceApp immediately and proceed with extreme caution when downloading apps developed in hostile foreign countries."

Mozilla Removes Avast and AVG Extensions From Add-on Portal Over Snooping Claims

Tue, 12/03/2019 - 08:05
Mozilla today removed four Firefox extensions made by Avast and its subsidiary AVG after receiving credible reports that the extensions were harvesting user data and browsing histories. From a report: The four extensions are Avast Online Security, AVG Online Security, Avast SafePrice, and AVG SafePrice. The first two are extensions that show warnings when navigating to known malicious or suspicious sites, while the last two are extensions for online shoppers, showing price comparisons, deals, and available coupons. Mozilla removed the four extensions from its add-ons portal after receiving a report from Wladimir Palant, the creator of the AdBlock Plus ad-blocking extension. Palant analyzed the Avast Online Security and AVG Online Security extensions in late October and found that the two were collecting much more data than they needed to work -- including detailed user browsing history, a practice prohibited by both Mozilla and Google.