Slashdot security articles


Civil Servant Watching Porn At Work Blamed For Government Malware Outbreak

Tue, 10/30/2018 - 05:00
An anonymous reader quotes a report from TechCrunch: A U.S. government network was infected with malware thanks to one employee's "extensive history" of watching porn on his work computer, investigators have found. The audit, carried out by the U.S. Department of the Interior's inspector general, found that a U.S. Geological Survey (USGS) network at the EROS Center, a satellite imaging facility in South Dakota, was infected after an unnamed employee visited thousands of porn pages that contained malware, which downloaded to his laptop and "exploited the USGS' network." Investigators found that many of the porn images were "subsequently saved to an unauthorized USB device and personal Android cell phone," which was connected to the employee's government-issued computer. Investigators found that his Android cell phone "was also infected with malware." The findings were made public in a report earlier this month but buried on the U.S. government's oversight website and went largely unreported.

Feds Expand Security Researchers' Ability To Hack Without Going To Jail

Mon, 10/29/2018 - 19:30
An anonymous reader quotes a report from Motherboard: Friday, the Librarian of Congress and U.S. Copyright Office renewed several key exemptions (and added a few new ones) to the Digital Millennium Copyright Act. This go-round, they've extended some essential exemptions ensuring that computer security researchers won't be treated like nefarious criminals for their contributions to society. As part of an effort to keep the DMCA timely, Congress included a so-called "safety valve" dubbed the Section 1201 triennial review process that, every three years, mandates that activists and concerned citizens beg the Copyright Office and the Librarian of Congress to craft explicit exemptions from the law to ensure routine behavior won't be criminalized. The exemptions still have some caveats. Specifically, the Copyright Office ruling only applies to "use exemptions," not "tools exemptions" -- meaning security researchers still can't release things like pen-testing tools that bypass DRM, or even publish technical papers exploring how to bypass bootloaders or other Trusted Platform Modules to test the security of the systems behind them. But other modest changes to the rules were incredibly helpful, notes Blake Reid, Associate Clinical Professor at Colorado Law. Specifically, the new exemption removes a "device limitation" from previous exemptions that potentially limited researchers to investigating software only on "consumer" devices, hindering their ability to investigate security vulnerabilities in things like the cryptographic hardware used in banking applications, networking equipment, and industrial control systems. The new exemption also modified the "controlled environment limitation" from the previous exemption, which was often read to imply that researchers had to conduct their work in a formal laboratory, potentially hindering research into things like integrated building systems such as internet-connected HVAC systems.

US Bans Exports To Chinese DRAM Maker Citing National Security Risk

Mon, 10/29/2018 - 15:20
An anonymous reader quotes a report from ZDNet: The Trump administration on Monday announced it was banning U.S. exports to a Chinese semiconductor firm named Fujian Jinhua Integrated Circuit Company, citing national security concerns. In a statement released by the U.S. Department of Commerce (DoC), officials said the Chinese chipmaker posed "a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States." DoC officials are now barring US companies from selling any products to Fujian Jinhua, which was recently nearing completion of a new dynamic random access memory (DRAM) factory project. "When a foreign company engages in activity contrary to our national security interests, we will take strong action to protect our national security. Placing Jinhua on the Entity List will limit its ability to threaten the supply chain for essential components in our military systems," said Wilbur Ross, Secretary of Commerce.

The Linux Kernel Is Now VLA-Free: A Win For Security, Less Overhead and Better For Clang

Mon, 10/29/2018 - 12:45
With the in-development Linux 4.20 kernel, it is now effectively VLA-free. From a report: Variable-length arrays (VLAs) can be convenient and are part of the C99 standard, but they can have unintended consequences. VLAs allow for array lengths to be determined at run-time rather than compile time. The Linux kernel has long relied upon VLAs in different parts of the kernel -- including within structures -- but an effort going on for months now (and years if counting the kernel Clang'ing efforts) has been to remove the usage of variable-length arrays within the kernel. The problems with them are: 1. Using variable-length arrays can add some minor run-time overhead to the code due to needing to determine the size of the array at run-time. 2. VLAs within structures are not supported by the LLVM Clang compiler and are thus an issue for those wanting to build the kernel outside of GCC; Clang only supports the C99-style VLAs. 3. Arguably most importantly, there can be security implications from VLAs around the kernel's stack usage.
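The stack-usage concern in point 3 is easiest to see side by side. The following is an added example written for this summary, not kernel code and not from the report: a hypothetical helper that stages a caller-supplied message in a scratch buffer, first with a VLA sized by the untrusted length (the pattern the kernel removed), then VLA-free with a compile-time bound and an explicit length check. The function names and the SCRATCH_MAX value are choices made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Compile-time bound chosen for this example (hypothetical value). */
#define SCRATCH_MAX 64

/* "Before": VLA sized by the caller's length. The stack frame grows by
 * len bytes on every call, there is no upper bound, and Clang rejects
 * the equivalent construct inside a struct. Building with -Wvla flags
 * this declaration. */
static uint32_t checksum_vla(const uint8_t *msg, size_t len)
{
    uint8_t scratch[len];              /* frame size depends on untrusted len */
    memcpy(scratch, msg, len);
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = sum * 31 + scratch[i];   /* simple polynomial checksum */
    return sum;
}

/* "After": fixed-size buffer. The frame size is known at compile time and
 * an over-long input is refused instead of consuming stack. Returns 0 on
 * success and -1 when len exceeds the bound. */
static int checksum_bounded(const uint8_t *msg, size_t len, uint32_t *out)
{
    uint8_t scratch[SCRATCH_MAX];
    if (len > sizeof(scratch))
        return -1;                     /* bound check replaces the VLA */
    memcpy(scratch, msg, len);
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = sum * 31 + scratch[i];
    *out = sum;
    return 0;
}

/* Returns 1 when both versions agree on a constructed short message. */
int demo_short_message_matches(void)
{
    static const uint8_t msg[] = { 'a', 'b', 'c' };   /* constructed input */
    uint32_t bounded = 0;
    if (checksum_bounded(msg, sizeof msg, &bounded) != 0)
        return 0;
    return bounded == checksum_vla(msg, sizeof msg);
}

/* Returns 1 when the bounded version refuses an oversized request
 * (the VLA version would silently grow its frame by the same amount). */
int demo_oversize_rejected(void)
{
    static const uint8_t msg[] = { 'a', 'b', 'c' };
    uint32_t unused = 0;
    return checksum_bounded(msg, SCRATCH_MAX + 1, &unused) == -1;
}

int main(void)
{
    printf("short message handled identically: %d\n", demo_short_message_matches());
    printf("oversized request rejected:        %d\n", demo_oversize_rejected());
    return 0;
}
```

Note that `checksum_bounded` checks the length before touching the buffer; the VLA version has no place to put such a check because the array is already allocated by the time the function body runs.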

Windows Defender Becomes First Antivirus To Run Inside a Sandbox

Mon, 10/29/2018 - 07:20
An anonymous reader writes: Windows Defender is the first antivirus to gain the ability to run inside a sandbox environment, Microsoft said in an announcement. In software design, a "sandbox" is a security mechanism that works by separating a process inside a tightly controlled area of the operating system that gives that process access to limited disk and memory resources. The idea is to prevent bugs and exploit code from spreading from one process to another, or to the underlying OS. "We're in the process of gradually enabling this capability for Windows insiders and continuously analyzing feedback to refine the implementation," Microsoft said in a celebratory blog post. Users who can't wait until Microsoft finishes testing the feature can also enable it right now. Support for Windows Defender running inside a sandbox environment has been silently added since Windows 10 version 1703. To enable it right now, Windows 10 users can follow these steps.

China's OnePlus, Backed by Qualcomm and T-Mobile, Launches OnePlus 6T Smartphone in US

Mon, 10/29/2018 - 02:05
OnePlus, a five-year-old Chinese smartphone company whose high-end products are little known outside a tech-savvy niche, is entering the U.S. market on Monday with the backing of two key local allies: chipmaking giant Qualcomm and mobile operator T-Mobile. Reuters reports: The foray by Shenzhen-based OnePlus comes after U.S. mobile carriers AT&T and Verizon this year backed away from plans to work with China's Huawei on high-end phones in face of pressure from the U.S. government, which considers Huawei a security risk. But the OnePlus alliance, to be announced today in New York, shows how many U.S.-China business relationships, including those involving the most advanced technologies, are marching ahead despite the U.S.-China trade war. OnePlus has quietly become the No. 3 client for Qualcomm's most expensive mobile phone chips, behind Samsung and LG Electronics, according to data from market researcher Canalys. The phone to be unveiled Monday, called the 6T, will sell for a price of $549 (for the base model, which offers 6GB of RAM and 128GB of internal storage) but packs features that are typically present only in pricier handsets. Xiaomi, a Chinese rival that also focuses on feature-packed phones at bargain prices, has said it plans to launch in the U.S. next year, but did not respond to a request for comment on whether those plans are still in place. The OnePlus 6T will largely offer the same specs as its predecessor -- the OnePlus 6, which was launched earlier this year. Some of the key changes include a smaller notch on the front display and a built-in fingerprint scanner that is embedded in it. Full specs and review here.

IBM To Buy Red Hat, the Top Linux Distributor, For $34 Billion

Sun, 10/28/2018 - 11:00
International Business Machines (IBM) is acquiring software maker Red Hat in a deal valued at $34 billion, the companies said Sunday. From a report: The purchase, announced on Sunday afternoon, is the latest competitive step among large business software companies to gain an edge in the fast-growing market for Internet-style cloud computing. In June, Microsoft acquired GitHub, a major code-sharing platform for software developers, for $7.5 billion. IBM said its acquisition of Red Hat was a move to open up software development on computer clouds, in which software developers write applications that run on remote data centers. From a press release: This acquisition brings together the best-in-class hybrid cloud providers and will enable companies to securely move all business applications to the cloud. Companies today are already using multiple clouds. However, research shows that 80 percent of business workloads have yet to move to the cloud, held back by the proprietary nature of today's cloud market. This prevents portability of data and applications across multiple clouds, data security in a multi-cloud environment and consistent cloud management. IBM and Red Hat will be strongly positioned to address this issue and accelerate hybrid multi-cloud adoption. Together, they will help clients create cloud-native business applications faster, drive greater portability and security of data and applications across multiple public and private clouds, all with consistent cloud management. In doing so, they will draw on their shared leadership in key technologies, such as Linux, containers, Kubernetes, multi-cloud management, and cloud management and automation. IBM's and Red Hat's partnership has spanned 20 years, with IBM serving as an early supporter of Linux, collaborating with Red Hat to help develop and grow enterprise-grade Linux and more recently to bring enterprise Kubernetes and hybrid cloud solutions to customers. 
These innovations have become core technologies within IBM's $19 billion hybrid cloud business. Between them, IBM and Red Hat have contributed more to the open source community than any other organization.

Nobody's Cellphone Is Really That Secure, Bruce Schneier Reminds

Sun, 10/28/2018 - 06:00
Earlier this week, The New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump's personal cellphone and using the information gleaned to better influence his behavior. This should surprise no one, writes Bruce Schneier. From a story: Security experts have been talking about the potential security vulnerabilities in Trump's cellphone use since he became president. And President Barack Obama bristled at -- but acquiesced to -- the security rules prohibiting him from using a "regular" cellphone throughout his presidency. Three broader questions obviously emerge from the story. Who else is listening in on Trump's cellphone calls? What about the cellphones of other world leaders and senior government officials? And -- most personal of all -- what about my cellphone calls? There are two basic places to eavesdrop on pretty much any communications system: at the end points and during transmission. This means that a cellphone attacker can either compromise one of the two phones or eavesdrop on the cellular network. Both approaches have their benefits and drawbacks. The NSA seems to prefer bulk eavesdropping on the planet's major communications links and then picking out individuals of interest. In 2016, WikiLeaks published a series of classified documents listing "target selectors": phone numbers the NSA searches for and records. These included senior government officials of Germany -- among them Chancellor Angela Merkel -- France, Japan, and other countries. Other countries don't have the same worldwide reach that the NSA has, and must use other methods to intercept cellphone calls. We don't know details of which countries do what, but we know a lot about the vulnerabilities. Insecurities in the phone network itself are so easily exploited that 60 Minutes eavesdropped on a U.S. congressman's phone live on camera in 2016. 
Back in 2005, unknown attackers targeted the cellphones of many Greek politicians by hacking the country's phone network and turning on an already-installed eavesdropping capability. The NSA even implanted eavesdropping capabilities in networking equipment destined for the Syrian Telephone Company. Alternatively, an attacker could intercept the radio signals between a cellphone and a tower. Encryption ranges from very weak to possibly strong, depending on which flavor the system uses. Don't think the attacker has to put his eavesdropping antenna on the White House lawn; the Russian Embassy is close enough.

New SystemD Vulnerability Discovered

Sat, 10/27/2018 - 12:34
The Register reports that a new security bug in systemd "can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box" by a malicious host on the same network segment as the victim. According to one Red Hat security engineer, "An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." According to the bug description, systemd-networkd "contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received." OneHundredAndTen shared this article from the Register: In addition to Ubuntu and Red Hat Enterprise Linux, systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default. Systemd creator Lennart Poettering has already published a security fix for the vulnerable component -- this should be weaving its way into distros as we type. If you run a systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

Twelve Malicious Python Libraries Found and Removed From PyPI

Sat, 10/27/2018 - 11:34
An anonymous reader writes: A software security engineer has identified 12 Python libraries uploaded on the official Python Package Index (PyPI) that contained malicious code. The 12 packages used typo-squatting in the hopes a user would install them by accident or carelessness when doing a "pip install" operation for a mistyped name of a more popular package, like Django (ex: diango). Eleven libraries would attempt to either collect data about each infected environment, obtain boot persistence, or even open a reverse shell on remote workstations. A twelfth package, named "colourama," was financially motivated and hijacked an infected user's operating system clipboard, where it would scan every 500ms for a Bitcoin address-like string, which it would replace with the attacker's own Bitcoin address in an attempt to hijack Bitcoin payments/transfers made by an infected user. 54 users downloaded that package -- although all 12 malicious packages have since been taken down. Four of the packages were misspellings of django -- diango, djago, dajngo, and djanga.
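The four django misspellings (one substitution, one deletion, one transposition, one changed vowel) and "colourama" are all one edit away from the real name, which is the property a defender-side check can key on. The following is an added example written for this summary, not code from the researcher or from PyPI: it normalises a candidate package name roughly the way pip does (lower-case, with `_` and `.` treated like `-`), computes the optimal string alignment distance (Levenshtein plus adjacent transpositions, so "dajngo" scores 1 rather than 2) against a short constructed list of well-known names, and reports which popular package the candidate is confusable with. The reference list and the function names are assumptions for the example; a real deployment would load the most-downloaded names from PyPI.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 64

/* Constructed reference set (assumption for the example); a real check
 * would use the top-N package names by download count. */
static const char *popular[] = { "django", "requests", "numpy", "colorama", "flask" };
static const size_t n_popular = sizeof(popular) / sizeof(popular[0]);

static unsigned min3(unsigned a, unsigned b, unsigned c)
{
    unsigned m = a < b ? a : b;
    return m < c ? m : c;
}

/* Optimal string alignment distance: insertions, deletions, substitutions
 * and transpositions of adjacent characters each cost 1. Names longer
 * than MAX_NAME are reported as maximally distant. */
unsigned osa_distance(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    static unsigned d[MAX_NAME + 1][MAX_NAME + 1];  /* fixed-size table, no VLA */
    if (la > MAX_NAME || lb > MAX_NAME)
        return (unsigned)-1;
    for (size_t i = 0; i <= la; i++) d[i][0] = (unsigned)i;
    for (size_t j = 0; j <= lb; j++) d[0][j] = (unsigned)j;
    for (size_t i = 1; i <= la; i++) {
        for (size_t j = 1; j <= lb; j++) {
            unsigned cost = (a[i - 1] == b[j - 1]) ? 0 : 1;
            d[i][j] = min3(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
            /* adjacent transposition, e.g. "ja" <-> "aj" */
            if (i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
                && d[i - 2][j - 2] + 1 < d[i][j])
                d[i][j] = d[i - 2][j - 2] + 1;
        }
    }
    return d[la][lb];
}

/* Approximate PEP 503 normalisation: lower-case, and '_' and '.' are
 * folded to '-' so "Colour_Ama" and "colour-ama" compare equal. */
static void normalise(const char *in, char *out, size_t outsz)
{
    size_t i = 0;
    for (; in[i] != '\0' && i + 1 < outsz; i++) {
        unsigned char c = (unsigned char)in[i];
        out[i] = (c == '_' || c == '.') ? '-' : (char)tolower(c);
    }
    out[i] = '\0';
}

/* Returns the index in popular[] of the package the candidate is one edit
 * away from, or -1 when the candidate is an exact (normalised) match for a
 * known package or is not close to any of them. Exact matches are checked
 * first so a legitimate name is never flagged because of a near neighbour. */
int typosquat_suspect(const char *candidate)
{
    char norm[MAX_NAME + 1];
    normalise(candidate, norm, sizeof norm);
    for (size_t i = 0; i < n_popular; i++)
        if (strcmp(norm, popular[i]) == 0)
            return -1;
    for (size_t i = 0; i < n_popular; i++)
        if (osa_distance(norm, popular[i]) == 1)
            return (int)i;
    return -1;
}

int main(void)
{
    /* Names from the report plus two constructed benign controls. */
    const char *samples[] = { "diango", "djago", "dajngo", "djanga", "colourama", "Django", "pandas" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int hit = typosquat_suspect(samples[i]);
        if (hit >= 0)
            printf("%-10s looks like a typo of %s\n", samples[i], popular[hit]);
        else
            printf("%-10s not flagged\n", samples[i]);
    }
    return 0;
}
```

A distance threshold of 1 catches every name in the report; raising it to 2 widens coverage but starts flagging legitimately distinct short names, so in practice the threshold is usually scaled with name length or combined with a download-count or age check on the candidate package.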

Canonical Releases Statistics Showing Adoption of Snap Packages

Sat, 10/27/2018 - 07:34
Canonical is applauding what it calls "exceptional adoption" of snaps -- and has shared some new statistics about its whole "Snappy" software deployment and package management system. Long-time Slashdot reader AmiMoJo shared this article from Neowin: snaps are seeing 100,000 installs every day on cloud, server, container, desktop and on IoT devices, which works out to around three million installs each month. Of course, these statistics don't only take into account snap installs on Ubuntu, but other distributions too. Canonical said that snaps are supported on 41 Linux distributions including Ubuntu, Debian, Linux Mint, Arch Linux, Fedora, and many more... Snap packages first launched alongside Ubuntu 16.04 which was released in 2016. They have several benefits over typical Linux packages, for example, their dependencies are bundled into the package making them easy to install, they get automatic updates and can be rolled back by the maintainer if issues arise, and they're sandboxed, giving the user more security.

Trivial Bug In X.Org Server Gives Root Permissions On Linux, BSD Systems

Fri, 10/26/2018 - 14:38
An anonymous reader quotes a report from Bleeping Computer: A vulnerability that is trivial to exploit allows privilege escalation to root level on Linux and BSD distributions using X.Org server, the open source implementation of the X Window System that offers the graphical environment. The flaw is now identified as CVE-2018-14665 (credited to security researcher Narendra Shinde). It has been present in xorg-server for two years, since version 1.19.0, and is exploitable by a limited user as long as the X server runs with elevated permissions. An advisory on Thursday describes the problem as an "incorrect command-line parameter validation" that also allows an attacker to overwrite arbitrary files. Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.Org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option. Apart from OpenBSD, other operating systems affected by the bug include Debian and Ubuntu, Fedora and its downstream distro Red Hat Enterprise Linux along with its community-supported counterpart CentOS.

Worried About Trump iPhone Eavesdroppers? China Recommends a Huawei

Fri, 10/26/2018 - 05:00
China's foreign ministry has some suggestions for the Trump administration if it is worried about foreign eavesdropping on the U.S. president's iPhones: use a Huawei handset instead. Or just cut all forms of modern communication with the outside world. From a report: The riposte came after the New York Times reported that American intelligence reports indicated that Chinese and Russian spies often listen in on President Donald Trump when he uses his Apple cellphones to chat with old friends. Aides have repeatedly told him that his cellphone calls are not secure, but although the president has been persuaded to use his secure White House landline more often, he has refused to give up the phones, the Times said. Trump called the Times report incorrect on Thursday, and dismissed it as "long and boring." "I only use Government Phones, and have only one seldom used government cell phone. Story is soooo wrong!" Trump wrote on Twitter. In a later tweet, he said, "I rarely use a cellphone, & when I do it's government authorized. I like Hard Lines. Just more made up Fake News!"

Ex-Facebook Security Chief Calls Out Tim Cook and Apple's Practices in China

Thu, 10/25/2018 - 06:40
On Wednesday, Tim Cook lambasted many companies, saying they are weaponizing data against people and societies. Cook's remarks made headlines across the world. But someone pointed out that even Apple appears to be bending over backwards in places. Agreeing with everything Tim Cook had shared, Alex Stamos, former CSO of Facebook, called out the company over its actions to limit access to apps in China. From a report: "We don't want the media to create an incentive structure that ignores treating Chinese citizens as less-deserving of privacy protections because a CEO is willing to bad-mouth the business model of their primary competitor, who uses advertising to subsidize cheaper devices," Stamos said in a series of tweets responding to recent comments made by Apple CEO Tim Cook. [...] Though Stamos said he agreed with "almost everything" Cook said, in a series of tweets he called out Apple for blocking the ability to download VPN and encrypted messaging apps in China, which could provide ways to connect to the internet and send messages privately and without surveillance.

Cathay Pacific Data Breach Hits 9.4 Million People

Thu, 10/25/2018 - 05:00
An anonymous reader quotes a report from ZDNet: Hong Kong-based airline Cathay Pacific informed the Hong Kong stock exchange of a data breach late on Wednesday night that could affect 9.4 million people. In a notice, the airline said it would reach out to members of its Marco Polo Club, Asia Miles, and registered users. Otherwise, people who are worried about whether they have been hit should fill in an enquiry form. Cathay said that passenger details including name, nationality, date of birth, phone number, email address, passport number, identity card number, frequent flyer membership number, customer service remarks, and historical travel information could have been accessed. In its statement [PDF] to the exchange, Cathay said 860,000 passport numbers and approximately 245,000 Hong Kong identity card numbers were accessed. A small number of credit card numbers, 403 in total, were accessed, as well as 27 cards with no CVV. Don't worry, the airline is "offering ID monitoring services" and "free credit monitoring services" to those impacted...

New Study Claims Data Harvesting Among Android Apps Is 'Out of Control'

Wed, 10/24/2018 - 18:05
A new study from Oxford University revealed that almost 90 percent of free apps on the Google Play store share data with Alphabet. "The researchers, who analyzed 959,000 apps from the U.S. and UK Google Play stores, said data harvesting and sharing by mobile apps was now 'out of control,'" reports TechSpot. "'We find that most apps contain third party tracking, and the distribution of trackers is long-tailed with several highly dominant trackers accounting for a large portion of the coverage,' reads the report." From the report: It's revealed that most of the apps, 88.4 percent, could share data with companies owned by Google parent Alphabet. Next came a firm that's no stranger to data sharing controversies, Facebook (42.5 percent), followed by Twitter (33.8 percent), Verizon (26.27 percent), Microsoft (22.75 percent), and Amazon (17.91 percent). [I]nformation shared by these third-party apps can include age, gender, location, and information about a user's other installed apps. The data "enables construction of detailed profiles about individuals, which could include inferences about shopping habits, socio-economic class or likely political opinions." Big firms then use the data for a variety of purposes, such as credit scoring and for targeting political messages, but its main use is often ad targeting. Not surprising, given that revenue from online advertising is now over $59 billion per year. According to the research, the average app transfers data to five tracker companies, which pass the data on to larger firms. The biggest culprits are news apps and those aimed at children, both of which tend to have the most third-party trackers associated with them.

Thousands of Swedes Are Inserting Microchips Under Their Skin

Wed, 10/24/2018 - 16:03
An anonymous reader quotes a report from NPR: In Sweden, a country rich with technological advancement, thousands have had microchips inserted into their hands. The chips are designed to speed up users' daily routines and make their lives more convenient -- accessing their homes, offices and gyms is as easy as swiping their hands against digital readers. They also can be used to store emergency contact details, social media profiles or e-tickets for events and rail journeys within Sweden. Proponents of the tiny chips say they're safe and largely protected from hacking, but one scientist is raising privacy concerns around the kind of personal health data that might be stored on the devices. Around the size of a grain of rice, the chips typically are inserted into the skin just above each user's thumb, using a syringe similar to that used for giving vaccinations. The procedure costs about $180. So many Swedes are lining up to get the microchips that the country's main chipping company says it can't keep up with the number of requests. More than 4,000 Swedes have adopted the technology, with one company, Biohax International, dominating the market. The chipping firm was started five years ago by Jowan Osterlund, a former professional body piercer. After spending the past two years working full time on the project, he is currently developing training materials so he can hire Swedish doctors and nurses to help take on some of his heavy workload.

China, Russia Are Listening To Trump's Phone Calls, Says NYT Report

Wed, 10/24/2018 - 15:20
Rick Zeman writes: According to The New York Times, the Chinese are regularly listening to Donald Trump's cellphone calls (Warning: source may be paywalled; alternative source). While he has two NSA-hardened iPhones, and a secure landline, he insists on using a consumer-grade iPhone -- even while knowing he's being eavesdropped upon -- because it has his contact list on it. "White House officials say they can only hope he refrains from discussing classified information when he is on them," reports the New York Times. But, officials were also confident that "he was not spilling secrets because he rarely digs into the details of the intelligence he is shown and is not well versed in the operational specifics of military or covert activities"; in other words, security through ignorance. The article mentions the rationale is to be able to listen to his calls to find out what and who influence him, and that the Russians also listen in, albeit with less frequency because of his unique relationship with Vladimir Putin.

New Windows Zero-Day Bug Helps Delete Any File, Exploit Available

Wed, 10/24/2018 - 14:00
An anonymous reader quotes a report from Bleeping Computer: Proof-of-concept code for a new zero-day vulnerability in Windows has been released by a security researcher before Microsoft was able to release a fix. The code exploits a vulnerability that allows deleting without permission any files on a machine, including system data, and it has the potential to lead to privilege escalation. The vulnerability could be used to delete application DLLs, thus forcing the programs to look for the missing libraries in other places. If the search reaches a location that grants write permission to the local user, the attacker could take advantage by providing a malicious DLL. The problem is with Microsoft Data Sharing Service, present in Windows 10, Server 2016 and 2019 operating systems, which provides data brokering between applications. Will Dormann, a vulnerability analyst at CERT/CC, tested the exploit code successfully on a Windows 10 operating system running the latest security updates. Behind the discovery is a researcher using the online alias SandboxEscaper, also responsible for publicly sharing in late August another security bug in the Windows Task Scheduler component. Microsoft hasn't addressed the issue, but there is a temporary fix available through the 0patch platform. "A micropatch candidate was ready seven hours after the zero-day vulnerability announcement, and it blocked the exploit successfully," reports Bleeping Computer. "0patch now delivers the stable version of the micropatch for fully updated Windows 10 1803."

Apple Just Killed The 'GrayKey' iPhone Passcode Hack

Wed, 10/24/2018 - 13:20
Apple's newest version of iOS has rendered the GrayKey hacking tech useless, a report said Wednesday. How Apple pulled it off wasn't immediately clear, but it would have a huge implication for the law enforcement agencies around the world that have relied on GrayKey to break into locked iPhones. Forbes reports: Apple has put up what may be an insurmountable wall. Multiple sources familiar with the GrayKey tech tell Forbes the device can no longer break the passcodes of any iPhone running iOS 12 or above. On those devices, GrayKey can only do what's called a "partial extraction," sources from the forensic community said. That means police using the tool can only draw out unencrypted files and some metadata, such as file sizes and folder structures. Previously, GrayKey used "brute forcing" techniques to guess passcodes and had found a way to get around Apple's protections preventing such repeat guesses. But no more. And if it's impossible for GrayKey, which counts an ex-Apple security engineer among its founders, it's a safe assumption few can break iPhone passcodes. Police officer Captain John Sherwin of the Rochester Police Department in Minnesota said of the claim iOS 12 was preventing GrayKey from unlocking iPhones: "That's a fairly accurate assessment as to what we have experienced."