Slashdot security articles


GitLab Survey Finds Positive Results For Both DevOps and Working Remotely

Sun, 07/21/2019 - 08:34
GitLab's CEO and co-founder says there was one big takeaway from their recent "2019 Global Developer Report: DevSecOps": that early adopters of a strong DevOps model experience greater security. "Security teams in a longstanding DevOps environment reported they are three times more likely to discover bugs before code is merged," according to the GitLab blog, "and 90% more likely to test between 91% and 100% of code than teams who encounter early-stage DevOps." But after polling over 4,000 software professionals, the survey also found positive results from another workplace arrangement, which they report under the headline "Remote work works." According to our survey respondents, working remotely leads to greater collaboration, better documentation, and transparency. In fact, developers in a mostly remote environment are 23% more likely to have good insight into what colleagues are working on and rate the maturity of their organization's security practices 29% higher than those who work in a traditional office environment.

Is There Tension Between Developers and Security Professionals?

Sat, 07/20/2019 - 17:34
"Everyone knows security needs to be baked into the development lifecycle, but that doesn't mean it is," writes ZDNet, reporting on a new survey they say showed that "long-standing friction between security and development teams remain." The results came from GitLab's "2019 Global Developer Report: DevSecOps" survey of over 4,000 software professionals. Nearly half of security pros surveyed, 49%, said they struggle to get developers to make remediation of vulnerabilities a priority. Worse still, 68% of security professionals feel fewer than half of developers can spot security vulnerabilities later in the life cycle. Roughly half of security professionals said they most often found bugs after code is merged in a test environment. At the same time, nearly 70% of developers said that while they are expected to write secure code, they get little guidance or help. One disgruntled programmer said, "It's a mess, no standardization, most of my work has never had a security scan." Another problem is that it seems many companies don't take security seriously enough. Nearly 44% of those surveyed reported that they're not judged on their security vulnerabilities. ZDNet also cites Linus Torvalds' remarks on the Linux kernel mailing list in 2017, complaining about how security people celebrate when code is hardened against an invalid access. "[F]rom a developer standpoint, things really are not done. Not even close. From a developer standpoint, the bad access was just a symptom, and it needs to be reported, and debugged, and fixed, so that the bug actually gets corrected. So from a developer standpoint, the end point of hardening is just the starting point, and when you think you're done, we're really only getting started." Torvalds then pointed out that the user community also has a third set of entirely different expectations, adding that "the number one rule of kernel development is that 'we don't break users'. Because without users, your program is pointless, and all the development work you've done over decades is pointless... and security is pointless too, in the end." Juggling the interests of users and developers, Torvalds suggests security people should adopt "do no harm" as their mantra, and "when adding hardening features, the first step should *ALWAYS* be 'just report it'. Not killing things, not even stopping the access. Report it. Nothing else."

Microsoft Warns of Political Cyberattacks, Announces Free Vote-Verification Software

Sat, 07/20/2019 - 14:44
"Microsoft on Wednesday announced that it would give away software designed to improve the security of American voting machines," reports NBC News. Microsoft also said its AccountGuard service has already spotted 781 cyberattacks by foreign adversaries targeting political organizations -- 95% of which were located in the U.S. The company said it was rolling out the free, open-source software product called ElectionGuard, which it said uses encryption to "enable a new era of secure, verifiable voting." The company is working with election machine vendors and local governments to deploy the system in a pilot program for the 2020 election. The system uses an encrypted tracking code to allow a voter to verify that his or her vote has been recorded and has not been tampered with, Microsoft said in a blog post... Edward Perez, an election security expert with the independent Open Source Election Technology Institute, said Microsoft's move signals that voting systems, long a technology backwater, are finally receiving attention from the country's leading technical minds. "We think that it's good when a technology provider as significant as Microsoft is stepping into something as nationally important as election security," Perez told NBC News. "ElectionGuard does provide verification and it can help to detect attacks. It's important to note that detection is different from prevention." Microsoft also said it has notified nearly 10,000 customers that they've been targeted or compromised by nation-state cyberattacks, according to the article -- mostly from Russia, Iran, and North Korea. "While many of these attacks are unrelated to the democratic process," Microsoft said in a blog post, "this data demonstrates the significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics, or achieve other objectives."

Is Russia Trying to Deanonymize Tor Traffic?

Sat, 07/20/2019 - 11:34
A contractor for Russia's intelligence agency suffered a breach, revealing projects they were pursuing -- including one to deanonymize Tor traffic. An anonymous reader shared this report from ZDNet: The breach took place last weekend, on July 13, when a group of hackers going by the name of 0v1ru$ hacked into SyTech's Active Directory server, from where they gained access to the company's entire IT network, including a JIRA instance. Hackers stole 7.5TB of data from the contractor's network, and they defaced the company's website with a "yoba face," an emoji popular with Russian users that stands for "trolling..." Per the different reports in Russian media, the files indicate that SyTech had worked since 2009 on a multitude of projects. In February ZDNet reported that Russia disconnected itself from the rest of the internet in a test -- and suggests today that it was a real-world test of one of these leaked "secret projects" from the Russian intelligence agency. But the other projects include:

-- Nautilus-S - a project for deanonymizing Tor traffic with the help of rogue Tor servers.
-- Nautilus - a project for collecting data about social media users (such as Facebook, MySpace, and LinkedIn).
-- Reward - a project to covertly penetrate P2P networks, like the one used for torrents.
-- Mentor - a project to monitor and search email communications on the servers of Russian companies.
-- Tax-3 - a project for the creation of a closed intranet to store the information of highly-sensitive state figures, judges, and local administration officials, separate from the rest of the state's IT networks.

ZDNet also reports that the Tor-deanonymizing project, started in 2012, "appears to have been tested in the real world," citing a 2014 paper which found 18 malicious Tor exit nodes located in Russia. Each of those hostile Russian exit nodes ran the same version of Tor -- the one described in these leaked files.

New Map Shows Where America's Police, Businesses Are Using Facial Recognition and Other Surveillance Tech

Sat, 07/20/2019 - 09:34
"Fight For the Future, a tech-focused nonprofit, on Thursday released its Ban Facial Recognition map, logging the states and cities using surveillance technology," reports CNET -- noting that "surveillance technology" in this case includes Amazon's Ring doorbell security cameras. A CNET investigation earlier this year highlighted the close ties between Ring and police departments across the US, many of which offer free or discounted Ring doorbells using taxpayer money. The cameras have helped police create an easily accessible surveillance network in neighborhoods and allowed law enforcement to request videos through an app. The arrangement has critics worried about the erosion of privacy. Until the release of Fight for the Future's map, there was no comprehensive directory of all the police departments that had partnered with Ring. Now you can find them by going to the map and toggling it to "Police (Local)." It lists more than 40 cities where police have partnered with Amazon for Ring doorbells.... The map is far from complete. Police departments aren't always up front about the technology that they're using. On the interactive map, Fight for the Future asked visitors to send it any new entries to add to the map.... The map also has filters for airports, stores and stadiums that are using facial recognition, as well as states that provide driver's license photos to the FBI's database of faces.... Fight for the Future's map also features a filter for regions where facial recognition use by government is banned. For now, that's only in San Francisco; Somerville, Massachusetts; and Oakland, California. The group's deputy director told CNET that the map's goal is allowing people "to turn their ambient anxiety into effective action by pushing at the local and state level to ban this dangerous tech." "No amount of regulation will fix the threat posed by facial recognition," he added. "It must be banned."

QuickBooks Cloud Hosting Firm iNSYNQ Hit In Ransomware Attack

Fri, 07/19/2019 - 15:20
Cloud hosting provider iNSYNQ says it was hit with a ransomware attack that shut down its network and left customers unable to access their accounting data for the past three days. "Unfortunately for iNSYNQ, the company appears to be turning a deaf ear to the increasingly anxious cries from its users for more information about the incident," reports Krebs On Security. From the report: Gig Harbor, Wash.-based iNSYNQ specializes in providing cloud-based QuickBooks accounting software and services. In a statement posted to its status page, iNSYNQ said it experienced a ransomware attack on July 16, and took its network offline in a bid to contain the spread of the malware. "The attack impacted data belonging to certain iNSYNQ clients, rendering such data inaccessible," the company said. "As soon as iNSYNQ discovered the attack, iNSYNQ took steps to contain it. This included turning off some servers in the iNSYNQ environment." iNSYNQ said it has engaged outside cybersecurity assistance to determine whether any customer data was accessed without authorization, but that so far it has no estimate for when those files might be available again to customers.

My Browser, the Spy: How Extensions Slurped Up Browsing Histories From 4M Users

Fri, 07/19/2019 - 12:45
Dan Goodin, reporting for ArsTechnica: When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people's browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head. DataSpii begins with browser extensions -- available mostly for Chrome but in more limited cases for Firefox as well -- that, by Google's account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as "God mode for the Internet" and uses the tag line "See Anyone's Analytics Account." Web histories may not sound especially sensitive, but a subset of the published links led to pages that are not protected by passwords -- but only by a hard-to-guess sequence of characters (called tokens) included in the URL. Thus, the published links could allow viewers to access the content at these pages. (Security practitioners have long discouraged the publishing of sensitive information on pages that aren't password protected, but the practice remains widespread.) Further reading: More on DataSpii: How extensions hide their data grabs -- and how they're discovered.

A Rust-Based TLS Library Outperformed OpenSSL in Almost Every Category

Fri, 07/19/2019 - 12:05
A tiny and relatively unknown TLS library written in Rust, an up-and-coming programming language, outperformed the industry-standard OpenSSL in almost every major category. From a report: The findings are the result of a recent four-part series of benchmarks carried out by Joseph Birr-Pixton, the developer behind the Rustls library. The findings showed that Rustls was 10% faster when setting up and negotiating a new server connection, and between 20 and 40% faster when setting up a client connection. But while handshake speeds for new TLS connections are important, most TLS traffic relies on resuming previously negotiated handshakes. Here, too, Rustls outperformed the aging OpenSSL, being between 10 and 20% faster at resuming a connection on the server side, and between 30 and 70% quicker to resume a client connection. Furthermore, Rustls also fared better in sheer bulk performance -- or the speed at which data is transferred over the TLS connection. Birr-Pixton said Rustls could send data 15% faster than OpenSSL, and receive it 5% faster as well.

Huawei Says Hongmeng OS Isn't Designed as an Android Replacement

Fri, 07/19/2019 - 09:25
Huawei reportedly wants to keep using Google's Android operating system in its phones instead of jumping to its self-developed Hongmeng system. From a report: Company senior vice president Catherine Chen told reporters in Brussels this week that the Hongmeng OS isn't even designed for phones, according to Chinese state news agency Xinhua. Chen apparently said Hongmeng is for industrial use, noting that it contains far fewer lines of code than a phone OS, and has much lower latency than a phone, meaning it can process a very high volume of data messages with little delay. This is the latest episode in a confusing narrative about what Huawei even intends to do. The company's executives have previously said on record that its homegrown operating system is designed to replace Android on its handsets. One executive said the operating system would be released by last month -- a target that Huawei has missed.

Kazakhstan Government is Now Intercepting All HTTPS Traffic

Fri, 07/19/2019 - 08:46
Artem S. Tashkinov writes: Starting Wednesday, July 17, 2019, the Kazakhstan government has started intercepting all HTTPS internet traffic inside its borders. Local internet service providers (ISPs) have been instructed by the local government to force their respective users into installing a government-issued certificate on all devices, and in every browser. The certificate, once installed, will allow local government agencies to decrypt users' HTTPS traffic, look at its content, encrypt it again with their certificate, and send it to its destination. Kazakh users trying to access the internet since yesterday have been redirected to web pages that contained instructions on how to install the government's root certificate in their respective browsers, whether on a desktop or a mobile device.

Researchers Easily Trick Security Firm Cylance's AI-Based Antivirus Into Thinking Programs Like WannaCry and Other Malware Are Benign

Fri, 07/19/2019 - 07:23
By taking strings from an online gaming program and appending them to malicious files, researchers were able to trick Cylance's AI-based antivirus engine into thinking programs like WannaCry and other malware are benign. From a report: AI has been touted by some in the security community as the silver bullet in malware detection. Its proponents say it's superior to traditional antivirus since it can catch new variants and never-before-seen malware -- think zero-day exploits -- that are the Achilles' heel of antivirus. One of its biggest proponents is the security firm BlackBerry Cylance, which has staked its business model on the artificial intelligence engine in its endpoint PROTECT detection system, which the company says has the ability to detect new malicious files two years before their authors even create them. But researchers in Australia say they've found a way to subvert the machine-learning algorithm in PROTECT and cause it to falsely tag already known malware as "goodware." The method doesn't involve altering the malicious code, as hackers generally do to evade detection. Instead, the researchers developed a "global bypass" method that works with almost any malware to fool the Cylance engine. It involves simply taking strings from a non-malicious file and appending them to a malicious one, tricking the system into thinking the malicious file is benign. The benign strings they used came from an online gaming program, which they have declined to name publicly so that Cylance will have a chance to fix the problem before hackers exploit it. "As far as I know, this is a world-first, proven global attack on the ML [machine learning] mechanism of a security company," says Adi Ashkenazy, CEO of the Sydney-based company Skylight Cyber, who conducted the research with CTO Shahar Zini. "After around four years of super hype [about AI], I think this is a humbling example of how the approach provides a new attack surface that was not possible with legacy [antivirus software]."

NSO Spyware 'Targets Big Tech Cloud Services'

Fri, 07/19/2019 - 06:00
The Israeli company whose spyware hacked WhatsApp has told buyers its technology can surreptitiously scrape all of an individual's data from the servers of Apple, Google, Facebook, Amazon and Microsoft, Financial Times reported on Friday. [Editor's note: the link may be paywalled; alternative source] From the report: NSO Group's flagship smartphone malware, nicknamed Pegasus, has for years been used by spy agencies and governments to harvest data from targeted individuals' smartphones. But it has now evolved to capture the much greater trove of information stored beyond the phone in the cloud, such as a full history of a target's location data, archived messages or photos, according to people who shared documents with the Financial Times and described a recent product demonstration. The documents raise difficult questions for Silicon Valley's technology giants, which are trusted by billions of users to keep critical personal information, corporate secrets and medical records safe from potential hackers. NSO denied promoting hacking or mass-surveillance tools for cloud services. However, it did not specifically deny that it had developed the capability described in the documents.

Bulgaria's Hacked Database Leaks To Hacking Forums

Thu, 07/18/2019 - 09:28
The database of Bulgaria's National Revenue Agency (NRA), which was hacked over the weekend and sent to local reporters, is now being shared on hacking forums, ZDNet has learned from sources in the threat intelligence community. From a report: Download links to the hacked database have been shared by a hacked-data trader known as Instakilla, believed to be operating out of Bulgaria. ZDNet obtained a copy of the database and verified its authenticity with local sources; it is a copy of the same database sent to local media over the weekend. The database contains 57 folders, 10.7 GB in size, and holds personal and financial information consistent with what Bulgarian newspapers reported receiving over the weekend. This includes personally identifiable information and tax information, both from the NRA and from other government agencies that shared their data with it.

Slack Resets Passwords For 1% of Its Users Because of 2015 Hack

Thu, 07/18/2019 - 07:42
ZDNet: Slack published more details about a password reset operation that ZDNet reported earlier today. According to a statement the company published on its website, the password reset operation is related to the company's 2015 security breach. In March 2015, Slack said hackers gained access to some Slack infrastructure, including databases storing user credentials. Hackers stole hashed passwords, but they also planted code on the company's site to capture plaintext passwords that users entered when logging in. At the time, Slack reset passwords for users who it believed were impacted, and also added support for two-factor authentication for all accounts. But as ZDNet reported earlier today, the company recently received a batch of Slack user credentials, which prompted the company to start an investigation into its source and prepare a password reset procedure. "We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users," Slack said. In a message on its website, Slack said this batch of credentials came via its bug bounty program. The company said it initially believed the data came from users who had their PCs infected with malware, or users who reused passwords across different services.

To Foil Hackers, 'Morpheus' Chip Can Change Its Code In the Blink of An Eye

Wed, 07/17/2019 - 23:00
Todd Austin, a professor at the University of Michigan, is working on an approach known as Morpheus that aims to frustrate hackers trying to gain control of microchips by presenting them with a rapidly changing target. At a conference in Detroit this week organized by the U.S. Defense Department's Defense Advanced Research Projects Agency (DARPA), Austin described how the prototype Morpheus chip works. MIT Technology Review reports: The aim is to make it incredibly difficult for hackers to exploit key software that helps govern the chip's operation. Morpheus does this by repeatedly randomizing elements of the code that attackers need access to in order to compromise the hardware. This can be achieved without disrupting the software applications that are powered by the processor. Austin has been able to get the chip's code "churning" to happen once every 50 milliseconds -- way faster than needed to frustrate the most powerful automated hacking tools. So even if hackers find a vulnerability, the information needed to exploit it disappears in the blink of an eye. There's a cost to all this: the technology causes a slight drop in performance and requires somewhat bigger chips. The military may accept this trade-off in return for greater security on the battlefield, but it could limit Morpheus's appeal to businesses and consumers. Austin said a prototype has already resisted every known variant of a widely-used hacking technique known as a control-flow attack, which does things like tampering with the way a processor handles memory in order to allow hackers to sneak in malware. More tests lie ahead. A team of U.S. national security experts will soon begin probing the prototype chip to see if they can compromise its defenses, and Austin also plans to post some of Morpheus's code online so that other researchers can try to find flaws in it, too.

Making the Case For a Microsoft Surface Phone That Runs Android

Wed, 07/17/2019 - 16:03
Zac Bowden from Windows Central makes the case for why Microsoft may want to make a Surface phone that runs Android. An anonymous reader shares an excerpt from the report: While a Surface Phone running Android would never sell to the quantity that Samsung smartphones do (or at least not a first- or second-generation phone), Microsoft could utilize the Surface brand to showcase the best of Microsoft's Android efforts all in one place, just like it has done for Windows PCs. I'm picturing a Surface-branded, Microsoft-built smartphone that comes with Microsoft Launcher, Edge, Office, Your Phone phone-mirroring integration, and more, out of the box. In fact, that's one of four unique selling points that a Surface Phone running Android could have:

-- Showcase the best of Microsoft's efforts on Android.
-- Seamless integration with Windows PCs using Your Phone.
-- Provide the best security and update support on Android.
-- Brand recognition that can rival Apple and Samsung.

That last point is more for Microsoft fans, but the first three are important. A Surface Phone running Android would be the only smartphone out there that's always guaranteed to work with all of Your Phone's features. I have a wide array of Android smartphones, yet 90 percent of them don't support all of Your Phone's features on Windows 10. Screen mirroring is only available on select devices, and while that may improve, there's no guarantee your smartphone will ever get it, or if it'll work well. Microsoft could also provide enhanced features, such as the ability to take cellular phone calls on your PC directly from your Surface Phone. It could also build out dedicated Phone and SMS apps that sync up with the Messages app on your PC, instead of having to relay it through the Your Phone app. There's so much more potential when you build your own Android phone.

Bluetooth Exploit Can Track and Identify iOS, Microsoft Mobile Device Users

Wed, 07/17/2019 - 10:11
A flaw in the Bluetooth communication protocol may expose modern device users to tracking and could leak their ID, researchers claim. From a report: The vulnerability can be used to spy on users despite native OS protections that are in place and impacts Bluetooth devices on Windows 10, iOS, and macOS machines. This includes iPhones, iPads, Apple Watch models, MacBooks, and Microsoft tablets & laptops. On Wednesday, Boston University researchers David Starobinski and Johannes Becker presented the results of their research at the 19th Privacy Enhancing Technologies Symposium, taking place in Stockholm, Sweden. According to the research paper, Tracking Anonymized Bluetooth Devices, many Bluetooth devices use randomized MAC addresses when advertising their presence in order to prevent long-term tracking, but the team found that it is possible to circumvent the randomization of these addresses to permanently monitor a specific device. Android is immune as the OS does not continually send out advertising messages, the researchers said.

AI Photo Editor FaceApp Goes Viral Again on iOS, Raises Questions About Photo Library Access

Wed, 07/17/2019 - 09:34
FaceApp, an app that applies filters to photos, is having another moment in the spotlight this week. An anonymous reader shares a report: The app has gone viral again after first doing so two years ago or so. The effect has gotten better but these apps, like many other one-off viral apps, tend to come and go in waves driven by influencer networks or paid promotion. We first covered this particular AI photo editor from a team of Russian developers about two years ago. It has gone viral again now due to some features that allow you to edit a person's face to make it appear older or younger. You may remember at one point it had an issue because it enabled what amounted to digital blackface by changing a person from one ethnicity to another. In this current wave of virality, some new questions are floating around about FaceApp. The first is whether it uploads your camera roll in the background. We found no evidence of this and neither did security researcher and Guardian App CEO Will Strafach or researcher Baptiste Robert. The second is how it allows you to pick photos without giving photo access to the app.

Microsoft To Explore Using Rust

Wed, 07/17/2019 - 08:49
Microsoft plans to explore using the Rust programming language as an alternative to C, C++, and others, as a way to improve the security posture of its and everyone else's apps. From a report: The announcement was made yesterday by Gavin Thomas, Principal Security Engineering Manager for the Microsoft Security Response Center (MSRC). "You're probably used to thinking about the Microsoft Security Response Center as a group that responds to incidents and vulnerabilities," Thomas said. "We are a response organization, but we also have a proactive role, and in a new blog series we will highlight Microsoft's exploration of safer system programming languages, starting with Rust." The end game is to find a way to move developers from the aging C and C++ programming languages to so-called "memory-safe languages." Memory-safe languages, such as Rust, are designed from the ground up with protections against memory corruption vulnerabilities, such as buffer overflows, race conditions, memory leaks, use-after-free and memory pointer-related bugs.

Nokia 2.2 Brings Back the Removable Battery

Tue, 07/16/2019 - 17:25
HMD is bringing the latest version of the Nokia 2, called the "Nokia 2.2," to the U.S. For $139, it features a notched camera design, a plastic body, and a removable battery. Ars Technica reports: HMD is delivering a good package for the price, with a fairly modern design, the latest version of Android, and a killer update package with two years of major OS updates and three years of security updates. On the front, you have a 5.71-inch, 1520x720 IPS LCD with a flagship-emulating notch design and rounded corners. There's a sizable bezel on the bottom with a big "Nokia" logo on it, but it's hard to complain about that for $140. This is a cheap phone, so don't expect a ton in the specs department. Powering the Nokia 2.2 is a MediaTek Helio A22 SoC, which is just four Cortex A53 cores at 2GHz. The U.S. version gets 3GB of RAM and 32GB of storage, with an option to add a MicroSD card. The back and sides are plastic, and on the side you'll find an extra physical button, which will summon the Google Assistant. The back actually comes off, and -- get this -- you can remove the 3000mAh battery! Speaking of unnecessarily removed smartphone features from the past, there's also a headphone jack. Unfortunately, it's missing some key features to keep the price down. There's a microUSB port instead of a USB-C port, no fingerprint reader, and cameras with low expectations. Since it is a GSM phone, it will be supported by T-Mobile and AT&T networks, along with all their MVNOs.