Slashdot security articles

Huawei's Next Phone Will Not Have Google Apps

Fri, 08/30/2019 - 14:03
Huawei's next flagship smartphone will not come with Google's popular apps, such as Maps, YouTube, and Drive. The BBC reports: Google confirmed that due to a U.S. government ban on sales to Huawei, it could not license its apps to the Chinese smartphone giant. It also means the next Huawei phone will not have access to the Google Play app store, which could leave customers without access to other popular apps. The U.S. government restricted American companies from selling products and services to Huawei in May, citing national security concerns, which Huawei rejects. Huawei is just weeks away from launching its next flagship phone, the Mate 30 Pro. It will be Huawei's first major phone launch since the U.S. restrictions were applied in May. But analysts say launching without Google's apps in Europe will be a major blow. Consumers expect to have access to all the major apps they are used to - including Maps and YouTube. Without them, Huawei's phones will seem a lot less appealing. And losing the Play Store means Huawei will need to provide another way for customers to access other popular apps such as Facebook, Twitter and BBC News. Huawei said in a statement: "Huawei will continue to use the Android OS and ecosystem if the U.S. government allows us to do so. Otherwise, we will continue to develop our own operating system and ecosystem." Tom's Guide notes that consumers can still download apps from APK repositories like APKmirror.com. "While this is certainly a nuisance, it's far from crippling."

Twitter's Jack Dorsey Has Own Account Hacked

Fri, 08/30/2019 - 12:43
The co-founder and chief executive of Twitter has had his own account on the service taken over by hackers. From a report: A group referring to itself as the Chuckling Squad said it was behind the breach of Jack Dorsey's account. A spokeswoman for Twitter told the BBC that the site was urgently investigating. The account tweeted out a flurry of highly offensive and racist remarks. The offending tweets appear to have been mostly removed.

Google Says Hackers Have Put 'Monitoring Implants' in iPhones For Years

Fri, 08/30/2019 - 06:47
An unprecedented iPhone hacking operation, which attacked "thousands of users a week" until it was disrupted in January, has been revealed by researchers at Google's external security team. From a report: The operation, which lasted two and a half years, used a small collection of hacked websites to deliver malware on to the iPhones of visitors. Users were compromised simply by visiting the sites: no interaction was necessary, and some of the methods used by the hackers affected even fully up-to-date phones. Once hacked, the user's deepest secrets were exposed to the attackers. Their location was uploaded every minute; their device's keychain, containing all their passwords, was uploaded, as were their chat histories on popular apps including WhatsApp, Telegram and iMessage, their address book, and their Gmail database. The one silver lining is that the implant was not persistent: when the phone was restarted, it was cleared from memory unless the user revisited a compromised site. However, according to Ian Beer, a security researcher at Google: "Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device."

China Intercepts WeChat Texts From US and Abroad, Researcher Says

Thu, 08/29/2019 - 15:30
China is intercepting texts from WeChat users living outside of the country, mostly from the U.S., Taiwan, South Korea, and Australia. NPR reports: The popular Chinese messaging app WeChat is Zhou Fengsuo's most reliable communication link to China. That's because he hasn't been back in over two decades. Zhou, a human rights activist, had been a university student in 1989, when the pro-democracy protests broke out in Beijing's Tiananmen Square. After a year in jail and another in political reeducation, he moved to the United States in 1995. But WeChat often malfunctions. Zhou began noticing in January that his chat groups could not read his messages. "I realized this because I was expecting some feedback [on a post] but there was no feedback," Zhou tells NPR from his home in New Jersey. As Chinese technology companies expand their footprint outside China, they are also sweeping up vast amounts of data from foreign users. Now, analysts say they know where the missing messages are: Every day, millions of WeChat conversations held inside and outside China are flagged, collected and stored in a database connected to public security agencies in China, according to a Dutch Internet researcher. Zhou is not the only one experiencing recent issues. NPR spoke to three other U.S. citizens who have been blocked from sending messages in WeChat groups or had their accounts frozen earlier this year, despite registering with U.S. phone numbers. This March, [Victor Gevers, co-founder of the nonprofit GDI Foundation, an open-source data security collection] found a Chinese database storing more than 1 billion WeChat conversations, including more than 3.7 billion messages, and tweeted out his findings. Each message had been tagged with a GPS location, and many included users' national identification numbers. Most of the messages were sent inside China, but more than 19 million of them had been sent from people outside the country, mostly from the U.S., Taiwan, South Korea and Australia.

Ransomware Hits Hundreds of Dentist Offices in the US

Thu, 08/29/2019 - 09:30
Hundreds of dental practice offices in the US have had their computers infected with ransomware this week, ZDNet reported Thursday. From a report: The incident is another case of a ransomware gang compromising a software provider and using its product to deploy ransomware on customers' systems. In this case, the software providers are The Digital Dental Record and PerCSoft, two Wisconsin-based companies that collaborated on DDS Safe, a medical records retention and backup solution advertised to dental practice offices in the US. Over the last weekend, a hacker group breached the infrastructure behind this software and used it to deploy the REvil (Sodinokibi) ransomware on computers at hundreds of dentist offices across the US. The security breach came to light on Monday, when dentists returned to work, only to find out they couldn't access any patient information. A source impacted by the ransomware tells ZDNet that the two companies opted to pay the ransom demand. The Digital Dental Record and PerCSoft have been sharing a decrypter with impacted dental offices since Monday, helping companies recover encrypted files.

Mozilla CEO Chris Beard Will Step Down at the End of the Year

Thu, 08/29/2019 - 08:08
Chris Beard announced today his plans to step down as Mozilla Corporation CEO at the end of 2019. Beard joined the web software company in 2004 and has remained an employee since then, with the exception of 2013, when he left to become Greylock's "executive-in-residence" while remaining on as an advisor. From a report: Beard was appointed interim CEO for Mozilla in April 2014, coming on as full-time chief executive in July of that same year. The company has seen a bit of a resurgence in recent years, after having ceded much of its browser market share to the likes of Google and Apple. Firefox has undergone something of a renaissance over the past year, as have the company's security tools. "Today our products, technology and policy efforts are stronger and more resonant in the market than ever, and we have built significant new organizational capabilities and financial strength to fuel our work," Beard said in the blog post. "From our new privacy-forward product strategy to initiatives like the State of the Internet we're ready to seize the tremendous opportunity and challenges ahead to ensure we're doing even more to put people in control of their connected lives and shape the future of the internet for the public good."

Cops Hijack Botnet, Remotely Wipe Malware From 850,000 Computers

Wed, 08/28/2019 - 18:03
French police, with help from an antivirus firm, took control of a server that was used by cybercriminals to spread a worm programmed to mine cryptocurrency on more than 850,000 computers. Once in control of the server, the police remotely removed the malware from those computers. Motherboard reports: Antivirus firm Avast, which helped France's National Gendarmerie cybercrime center, announced the operation on Wednesday. Avast said it found that the command and control server, which was located in France, had a design flaw in its protocol that made it possible to remove the malware without "making the victims execute any extra code," as the company explained in its lengthy report. Cybersecurity firms such as Avast, as well as Trend Micro, had been tracking the worm, called Retadup, since last spring. Most of the infected computers were used by the malware authors to mine the cryptocurrency Monero, but in some cases the worm was also used to push ransomware and password-stealing malware, according to Avast. As the antivirus firm reported, most Retadup victims were in South America, with Peru, Venezuela, Bolivia and Mexico at the top of the list.

US Cyberattack Hurt Iran's Ability To Target Oil Tankers, Officials Say

Wed, 08/28/2019 - 17:25
"A secret cyberattack against Iran in June wiped out a critical database used by Iran's paramilitary arm to plot attacks against oil tankers and degraded Tehran's ability to covertly target shipping traffic in the Persian Gulf, at least temporarily," reports The New York Times, citing senior American officials. From the report: Iran is still trying to recover information destroyed in the June 20 attack and restart some of the computer systems -- including military communications networks -- taken offline, the officials said. Senior officials discussed the results of the strike in part to quell doubts within the Trump administration about whether the benefits of the operation outweighed the cost -- lost intelligence and lost access to a critical network used by the Islamic Revolutionary Guards Corps, Iran's paramilitary forces. The United States and Iran have long been involved in an undeclared cyberconflict, one carefully calibrated to remain in the gray zone between war and peace. The June 20 strike was a critical attack in that ongoing battle, officials said, and it went forward even after President Trump called off a retaliatory airstrike that day after Iran shot down an American drone. Iran has not escalated its attacks in response, continuing its cyberoperations against the United States government and American corporations at a steady rate, according to American government officials.

Australian Who Says He Invented Bitcoin Ordered To Hand Over Up To $5B

Wed, 08/28/2019 - 10:00
The Australian man who claimed to have invented the cryptocurrency bitcoin has been ordered to hand over half of his alleged bitcoin holdings, reported to be worth up to $5 billion. From a report: The IT security consultant Craig Wright, 49, was sued by the estate of David Kleiman, a programmer who died in 2013, for a share of Wright's bitcoin haul over the pair's involvement in the inception of the cryptocurrency from 2009 to 2013. Kleiman's estate alleges Wright and Kleiman were partners, and therefore his family is entitled to a share of the bitcoin that was mined by the pair in that time. Wright denies there was a partnership. A US district court in Florida on Tuesday ruled that half of the bitcoin mined and half of the intellectual property held by Wright from that time belongs to Kleiman. One issue is that it is not known exactly how much bitcoin Wright holds. It has been claimed that the Kleiman estate could get anywhere between 410,000 and 500,000 bitcoin, putting the value at between $4.1 billion and $4.99 billion as of Wednesday. Wright claimed to the court that he couldn't access the bitcoin because he doesn't have a list of the public addresses of that bitcoin. He claimed that in 2011, after seeing the cryptocurrency had begun to be associated with drug dealers and human traffickers, he put the bitcoin he mined in 2009 and 2010 into an encrypted file and into a blind trust. The encrypted key was divided into multiple key slices, and the key slices were given to Kleiman, who distributed them to people through the trust.

Apple is Turning Siri Audio Clip Review Off by Default and Bringing it in House

Wed, 08/28/2019 - 07:20
Apple is making changes to the way that Siri audio review, or 'grading' works across all of its devices. From a report: First, it is making audio review an explicitly opt-in process in an upcoming software update. This will be applicable for every current and future user of Siri. Second, only Apple employees, not contractors, will review any of this opt-in audio in an effort to bring any process that uses private data closer to the company's core processes. Apple has released a blog post outlining some Siri privacy details that may not have been common knowledge as they were previously described in security white papers. Apple apologizes for the issue. In a statement, the company said, "as a result of our review, we realize we haven't been fully living up to our high ideals, and for that we apologize. As we previously announced, we halted the Siri grading program. We plan to resume later this fall when software updates are released to our users -- but only after making the following changes..."

National-Security Concerns Threaten Undersea Data Link Backed by Google, Facebook

Wed, 08/28/2019 - 06:40
U.S. officials are seeking to block an undersea cable backed by Google, Facebook, and a Chinese partner, in a national-security review that could rewrite the rules of internet connectivity between the U.S. and China, WSJ reported Wednesday [Editor's note: the link may be paywalled; alternative source], citing people involved in the discussions. From the report: The Justice Department, which leads a multiagency panel that reviews telecommunications matters, has signaled staunch opposition to the project because of concerns over its Chinese investor, Beijing-based Dr. Peng Telecom & Media Group, and the direct link to Hong Kong the cable would provide, the people said. Ships have already draped most of the 8,000-mile Pacific Light Cable Network across the seafloor between the Chinese territory and Los Angeles, promising faster connections for its investors on both sides of the Pacific. The work so far has been conducted under a temporary permit expiring in September. But people familiar with the review say it is in danger of failing to win the necessary license to conduct business because of the objections coming from the panel, known as Team Telecom. Team Telecom has consistently approved past cable projects, including ones directly linking the U.S. to mainland China or involving state-owned Chinese telecom operators, once they were satisfied the company responsible for its U.S. beachhead had taken steps to prevent foreign governments from blocking or tapping traffic.

Trojan Dropper Malware Found In CamScanner Android App With 100+ Million Downloads

Tue, 08/27/2019 - 14:43
Kaspersky security researchers have discovered a Trojan Dropper malicious module hidden within the Android app CamScanner, which has been downloaded over 100 million times from the Google Play Store. After they reported their findings, Google removed the app, but added, "it looks like the app developers got rid of the malicious code with the latest update of CamScanner." They conclude: "Keep in mind, though, that versions of the app vary for different devices, and some of them may still contain malicious code." BleepingComputer reports: Confirming what a sudden increase in negative ratings and user reviews usually signals (that something is not right with an app), the researchers found "that the developer added an advertising library to it that contains a malicious dropper component." In this case, while CamScanner was initially a legitimate Android app using in-app purchases and ad-based monetization, "at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module," says Kaspersky. The module, dubbed Trojan-Dropper.AndroidOS.Necro.n, is a Trojan Dropper, a malware strain used to download and install a Trojan Downloader on already compromised Android devices, which can then be used to infect those smartphones or tablets with other malware. When the CamScanner app is launched on the Android device, the dropper decrypts and executes malicious code stored within a mutter.zip file discovered in the app's resources. "As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions," found the researchers.

Using Multi-Factor Authentication Blocks 99.9% of Account Hacks, Microsoft Says

Tue, 08/27/2019 - 08:05
Microsoft says that users who enable multi-factor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks. From a report: The recommendation stands not only for Microsoft accounts but also for any other profile, on any other website or online service. If the service provider supports multi-factor authentication, Microsoft recommends using it, regardless of whether it's something as simple as SMS-based one-time passwords or an advanced biometrics solution. "Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA," said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft. Weinert said that old advice like "never use a password that has ever been seen in a breach" or "use really long passwords" doesn't really help. He should know. Weinert was one of the Microsoft engineers who worked to ban passwords that became part of public breach lists from Microsoft's Account and Azure AD systems back in 2016. As a result of his work, Microsoft users who were using or tried to use a password that was leaked in a previous data breach were told to change their credentials.

US Officials Fear Ransomware Attack Against 2020 Election

Mon, 08/26/2019 - 21:30
The U.S. government plans to launch a program in roughly one month that narrowly focuses on protecting voter registration databases and systems ahead of the 2020 presidential election. From a report: These systems, which are widely used to validate the eligibility of voters before they cast ballots, were compromised in 2016 by Russian hackers seeking to collect information. Intelligence officials are concerned that foreign hackers in 2020 not only will target the databases but attempt to manipulate, disrupt or destroy the data, according to current and former U.S. officials. "We assess these systems as high risk," said a senior U.S. official, because they are one of the few pieces of election technology regularly connected to the Internet. The Cybersecurity and Infrastructure Security Agency, or CISA, a division of the Homeland Security Department, fears the databases could be targeted by ransomware, a type of virus that has crippled city computer networks across the United States, including recently in Texas, Baltimore and Atlanta. "Recent history has shown that state and county governments and those who support them are targets for ransomware attacks," said Christopher Krebs, CISA's director. "That is why we are working alongside election officials and their private sector partners to help protect their databases and respond to possible ransomware attacks."

It Was Sensitive Data From a US Anti-Terror Program -- and Terrorists Could Have Gotten To It For Years, Records Show

Mon, 08/26/2019 - 19:00
The Department of Homeland Security stored sensitive data from the nation's bioterrorism defense program on an insecure website where it was vulnerable to attacks by hackers for over a decade, according to government documents reviewed by The Times. From a report: The data included the locations of at least some BioWatch air samplers, which are installed at subway stations and other public locations in more than 30 U.S. cities and are designed to detect anthrax or other airborne biological weapons, Homeland Security officials confirmed. It also included the results of tests for possible pathogens, a list of biological agents that could be detected and response plans that would be put in place in the event of an attack. The information -- housed on a dot-org website run by a private contractor -- has been moved behind a secure federal government firewall, and the website was shut down in May. But Homeland Security officials acknowledge they do not know whether hackers ever gained access to the data. Internal Homeland Security emails and other documents show the issue set off a bitter clash within the department over whether keeping the information on the dot-org website posed a threat to national security. A former BioWatch security manager filed a whistleblower complaint alleging he was targeted for retaliation after criticizing the program's lax security. The website shared information among local, state and federal officials. It was easily identifiable through online search engines, but a user name and password were required to access sensitive data.

Apple Patches iPhone Jailbreaking Bug

Mon, 08/26/2019 - 11:10
Apple today released an iOS security update to patch a bug the company accidentally un-patched in an earlier release, introducing a security weakness that allowed hackers to craft new jailbreaks for current iOS versions. From a report: The original bug, discovered by Ned Williamson, a Google Project Zero security engineer, allows a malicious app to exploit a "use-after-free" vulnerability and run code with system privileges in the iOS kernel. iOS version 12.4.1, released today, re-patches this bug, which was initially fixed in iOS 12.3 but was accidentally unpatched in iOS 12.4 last month. Sadly, Apple's blunder didn't go unnoticed, and earlier this month a security researcher named Pwn20wnd released a public exploit based on Williamson's bug that could be used to jailbreak up-to-date iOS devices and grant users complete control over their iPhones. But while users taking a risk and jailbreaking their own devices doesn't sound that dangerous, a lesser-known fact is that malware operators and spyware vendors can use Pwn20wnd's jailbreak as well.

Google Confirms Android 10 Will Fix 193 Security Vulnerabilities

Sun, 08/25/2019 - 07:34
"Were it not for third-party components, the August Android Security Bulletin would have been the first report to be released with only a single critical vulnerability found," reports TechRepublic. "However, with the inclusion of Broadcom and Qualcomm components, there are seven in total." Meanwhile, Forbes reports on what's being fixed in September's release of Android 10: 193 Android security vulnerabilities needed to be fixed, covering a broad swathe of elevation of privilege, remote code execution, information disclosure and denial of service categories. Two of these are in the Android runtime itself, another two in the library and 24 in the framework. The bulk, however, is split between the Android media framework with 68 vulnerabilities and the Android system with 97. All have been scored as "moderate" severity. The good news is that all will be fixed by the default Android 10 patch level of 2019-09-01 on release of the new OS. Also on the positive news front, the security bulletin update stated that "we have had no reports of active customer exploitation or abuse of these newly reported issues."

UK Cybersecurity Agency Urges Devs To Drop Python 2

Sat, 08/24/2019 - 14:45
Python 2's End-of-Life date is 129 days away, warns the UK National Cyber Security Centre (NCSC). "There will be no more bug fixes, or security updates, from Python's core developers." An anonymous reader quotes ZDNet: The UK's cyber-security agency warned developers Thursday to consider moving Python 2.x codebases to the newer 3.x branch due to the looming end-of-life of Python 2, scheduled for January 1, 2020... "If you continue to use unsupported modules, you are risking the security of your organisation and data, as vulnerabilities will sooner or later appear which nobody is fixing." "If you maintain a library that other developers depend on, you may be preventing them from updating to 3," the agency added. "By holding other developers back, you are indirectly and likely unintentionally increasing the security risks of others... If migrating your code base to Python 3 is not possible, another option is to pay a commercial company to support Python 2 for you," the NCSC said. The agency warns that companies that don't invest in migrating their Python 2.x code might end up in the same position as Equifax or the WannaCry victims. "At the NCSC we are always stressing the importance of patching. It's not always easy, but patching is one of the most fundamental things you can do to secure your technology," the agency said. "The WannaCry ransomware provides a classic example of what can happen if you run unsupported software," it said. "By making the decision to continue using Python 2 past its end of life, you are accepting all the risks that come with using unsupported software, while knowing that a secure version is available."

Facebook Awards $100,000 Prize For New Code Isolation Technique

Sat, 08/24/2019 - 09:34
ZDNet reports: Facebook has awarded a $100,000 prize to a team of academics from Germany for developing a new code isolation technique that can be used to safeguard sensitive data while it's being processed inside a computer. The award is named the Internet Defense Prize, and is a $100,000 cash reward that Facebook has been giving out yearly since 2014 to the most innovative research presented at USENIX, a leading security conference that takes place every year in mid-August in the US. An anonymous reader writes: The new technique is called ERIM and leverages Intel's memory protection keys (MPKs) and binary code inspection to achieve both hardware- and software-based in-process data isolation. The novelty of ERIM is that it has a near-zero performance overhead (compared to other techniques that induce a big performance dip), can be applied with little effort to new and existing applications, doesn't require compiler changes, and can run on a stock Linux kernel.

Why Are 'Supply Chain Attacks' on Open Source Libraries Getting Worse?

Sat, 08/24/2019 - 06:34
"A rash of supply chain attacks hitting open source software over the past year shows few signs of abating, following the discovery this week of two separate backdoors slipped into a dozen libraries downloaded by hundreds of thousands of server administrators," reports Ars Technica: The compromises of Webmin and the RubyGems libraries are only the latest supply chain attacks to hit open source software. Most people don't think twice about installing software or updates from the official site of a known developer. As developers continue to make software and websites harder to exploit, black hats over the past few years have increasingly exploited this trust to spread malicious wares by poisoning code at its source... To be fair, closed-source software also falls prey to supply-side attacks -- as evidenced by those that hit computer maker ASUS on two occasions, the malicious update to tax-accounting software M.E.Doc that seeded the NotPetya outbreak of 2017, and another backdoor that infected users of the CCleaner hard drive utility that same year. But the low-hanging fruit for supply chain attacks seems to be open source projects, in part because many don't make multi-factor authentication and code signing mandatory among their large base of contributors. "The recent discoveries make it clear that these issues are becoming more frequent and that the security ecosystem around package publication and management isn't improving fast enough," Atredis Partners Vice President of Research and Development HD Moore told Ars. "The scary part is that each of these instances likely resulted in even more developer accounts being compromised (through captured passwords, authorization tokens, API keys, and SSH keys). The attackers likely have enough credentials at hand to do this again, repeatedly, until all credentials are reset and appropriate MFA and signing is put in place."