Slashdot security articles


Satellite Magnate Argues Post-Brexit Britain Will Be 'Lost In Space'

Sat, 03/09/2019 - 08:04
PolygamousRanchKid quotes the BBC: Will Marshall's "Planet" company operates the world's largest satellite imaging network, with 150 spacecraft able to fully picture Earth on a daily basis. He warns EU withdrawal will do immense harm to Britain's space industry. The UK will be "lost in space", he says. The UK Space Agency responded by saying home businesses had a positive outlook. The most recent survey of confidence across the sector found that three-quarters of organisations expected growth over the next three years, it added. Dr Marshall holds particular scorn for the UK government's actions on Galileo, the EU version of the Global Positioning System (GPS). Ministers have decided to walk away from the project because Brussels says a future Britain, as a "third country" outside the EU, cannot be involved in the system's most secure elements — this despite the UK having already invested £1.5bn in Galileo. London says it will build its own sat-nav system instead, but Dr Marshall calls this a "pie in the sky" plan that has significant economic and security implications.

North Korea Amassed Cryptocurrency Through Hacking, Says UN Panel

Fri, 03/08/2019 - 18:20
North Korea has used cyberattacks and blockchain technology to circumvent economic sanctions and obtain foreign currency, according to a panel of experts reporting to the U.N. Security Council. From a report: Pyongyang has amassed around $670 million in foreign and virtual currency through cyberthefts, using blockchain technology to cover its tracks, the panel told the Security Council's North Korea sanctions committee in its annual report, Nikkei has learned. It is the first time the panel has given details on how North Korea obtains foreign currency through cyberattacks. In its report, the panel recommended that member states "enhance their ability to facilitate robust information exchange on the cyberattacks by the Democratic People's Republic of Korea with other governments and with their own financial institutions," to detect and prevent attempts by North Korea to evade sanctions. The full report obtained by Nikkei, which has been approved by Security Council members for publication next week, says North Korea waged cyberattacks on overseas financial institutions from 2015 to 2018.

Hard Disks Can Be Turned Into Listening Devices, Researchers Find

Fri, 03/08/2019 - 15:30
Researchers from the University of Michigan and Zhejiang University in China have found that hard disk drives can be turned into listening devices, using malicious firmware and signal processing calculations. The Register reports: For a study titled "Hard Drive of Hearing: Disks that Eavesdrop with a Synthesized Microphone," computer scientists Andrew Kwong, Wenyuan Xu, and Kevin Fu describe an acoustic side-channel that can be accessed by measuring how sound waves make hard disk parts vibrate. "Our research demonstrates that the mechanical components in magnetic hard disk drives behave as microphones with sufficient precision to extract and parse human speech," their paper, obtained by The Register ahead of its formal publication, stated. "These unintentional microphones sense speech with high enough fidelity for the Shazam service to recognize a song recorded through the hard drive." The team's research work, scheduled to be presented in May at the 2019 IEEE Symposium on Security and Privacy, explores how it's possible to alter HDD firmware to measure the offset of a disk drive's read/write head from the center of the track it's seeking. The offset is referred to as the Positional Error Signal (PES) and hard drives monitor this signal to keep the read/write head in the optimal position for reading and writing data. PES measurements must be very fine because drive heads can only be off by a few nanometers before data errors arise. The sensitivity of the gear, however, means human speech is sufficient to move the needle, so to speak. Vibrations from HDD parts don't yield particularly good sound, but with digital filtering techniques, human speech can be discerned, given the right conditions. "Flashing HDD firmware is a prerequisite for the snooping [...] because the ATA protocol does not expose the PES," The Register reports. "To exfiltrate captured data, the three boffins suggest transmitting it over the internet by modifying Linux operating system files to create a reverse shell with root privileges or storing it to disk for physical recovery at a later date." The researchers note that this technique does require a fairly loud conversation to take place near the eavesdropping hard drive. "To record comprehensible speech, the conversation had to reach 85 dBA, with 75 dBA being the low threshold for capturing muffled sound," the report says. "To get Shazam to identify recordings captured through a hard drive, the source file had to be played at 90 dBA. Which is pretty loud. Like lawn mower or food blender loud."

Citrix Discloses Security Breach of Internal Network

Fri, 03/08/2019 - 12:50
Citrix disclosed today a security breach during which hackers accessed the company's internal network. In a short statement posted on its blog, Citrix Chief Security Information Officer Stan Black said Citrix found out about the hack from the FBI earlier this week. From a report: "On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cyber criminals gained access to the internal Citrix network," Black said. "While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security," the Citrix exec added. Black said hackers accessed and downloaded business documents, but Citrix wasn't able to identify what specific documents had been stolen at the time of his announcement today.

Woman Wins $10,000 For Reading Fine Print of Terms and Conditions of Travel Insurance Policy

Fri, 03/08/2019 - 12:10
Georgia high school teacher Donelan Andrews won a $10,000 reward after she closely read the terms and conditions that came with a travel insurance policy she purchased for a trip to England. Squaremouth, a Florida insurance company, had inserted language promising a reward to the first person who emailed the company. NPR reports: "We understand most customers don't actually read contracts or documentation when buying something, but we know the importance of doing so," the company said. "We created the top-secret Pays to Read campaign in an effort to highlight the importance of reading policy documentation from start to finish." Not every company is so generous. To demonstrate the importance of reading the fine print, many companies don't give; they take. The mischievous clauses tend to pop up from time to time, usually in cheeky England. The report continues to highlight a number of different cases where companies have intentionally inserted unusual clauses into their terms of service, knowing people wouldn't read them. Here's one such case: A few years earlier, several Londoners agreed (presumably inadvertently) to give away their oldest child in exchange for Wi-Fi access. Before they could get on the Internet, users had to check a box agreeing to "assign their first born child to us for the duration of eternity." According to the Guardian, six people signed up, but the company providing the Wi-Fi said the clause likely wouldn't be enforceable in a court of law. "It is contrary to public policy to sell children in return for free services," the company explained.

Google: Chrome Zero-Day Was Used Together With a Windows 7 Zero-Day

Fri, 03/08/2019 - 09:25
Google said this week that a Chrome zero-day the company patched last week was actually used together with a second one, a zero-day impacting the Microsoft Windows 7 operating system. From a report: The two zero-days were part of ongoing cyber-attacks that Clement Lecigne, a member of Google's Threat Analysis Group, discovered last week on February 27. The attackers were using a combination of Chrome and Windows 7 zero-days to execute malicious code and take over vulnerable systems. The company revealed the true severity of these attacks in a blog post this week. Google said that Microsoft is working on a fix, but did not give out a timeline. The company's blog post brings more clarity to a confusing timeline of events that started last Friday, March 1, when Google released Chrome 72.0.3626.121, a new Chrome version that included one solitary security fix (CVE-2019-5786) for Chrome's FileReader, a web API that lets websites and web apps read the contents of files stored on the user's computer.

Machine Learning Can Use Tweets To Spot Critical Security Flaws

Fri, 03/08/2019 - 08:45
Researchers at Ohio State University, the security company FireEye, and research firm Leidos last week published a paper [PDF] describing a new system that reads millions of tweets for mentions of software security vulnerabilities, and then, using their machine-learning-trained algorithm, assesses how much of a threat they represent based on how they're described. From a report: They found that Twitter can not only predict the majority of security flaws that will show up days later on the National Vulnerability Database -- the official register of security vulnerabilities tracked by the National Institute of Standards and Technology -- but that they could also use natural language processing to roughly predict which of those vulnerabilities will be given a "high" or "critical" severity rating with better than 80 percent accuracy. "We think of it almost like Twitter trending topics," says Alan Ritter, an Ohio State professor who worked on the research and will be presenting it at the North American Chapter of the Association for Computational Linguistics in June. "These are trending vulnerabilities." A work-in-progress prototype they've put online, for instance, surfaces tweets from the last week about a fresh vulnerability in MacOS known as "BuggyCow," as well as an attack known as SPOILER that could allow webpages to exploit deep-seated vulnerabilities in Intel chips. Neither of the attacks, which the researchers' Twitter scanner labeled "probably severe," has shown up yet in the National Vulnerability Database.

Over 800 Million Emails Leaked Online By Email Verification Service

Fri, 03/08/2019 - 05:00
Security researchers Bob Diachenko and Vinny Troia discovered an unprotected MongoDB database containing 150GB of detailed, plaintext marketing data -- including hundreds of millions of unique email addresses. An anonymous Slashdot reader shares Diachenko's findings, which were made public today: On February 25th, 2019, I discovered a non-password protected 150GB-sized MongoDB instance. This is perhaps the biggest and most comprehensive email database I have ever reported. Upon verification I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection. Some of the data was much more detailed than just the email address and included personally identifiable information (PII). This database contained four separate collections of data and combined was an astounding 808,539,939 records. As part of the verification process I cross-checked a random selection of records with Troy Hunt's HaveIBeenPwned database. Based on the results, I came to the conclusion that this is not just another "Collection" of previously leaked sources but a completely unique set of data. Although not all records contained the detailed profile information about the email owner, a large number of records were very detailed. We are still talking about millions of records. In addition to the email databases, this unprotected Mongo instance also uncovered details on the possible owner of the database -- a company named "Verifications.io" -- which offered the services of "Enterprise Email Validation." Unfortunately, it appears that once emails were uploaded for verification they were also stored in plain text. Once I reported my discovery to Verifications.io the site was taken offline and is currently down at the time of this publication.

Huawei Sues the US In Pushback Against Security Risk Claims

Thu, 03/07/2019 - 17:23
hackingbear writes: A suit filed by Huawei in Texas, where an American subsidiary is located, this week is the latest maneuver in the Chinese telecommunications giant's global offensive against American pressure and persistent criticisms that it poses a national security risk. The company's lawsuit contends that the law which bans Huawei equipment without evidence and trial is a violation of the U.S. Constitution. The U.S. also argues that Huawei poses an unacceptable security risk due to its ties with the Chinese government, though a 2003 due diligence by Motorola in a merger talk found Huawei was independent (Warning: source paywalled) of Chinese government or military (the merger failed after Motorola's board thought the $7.5 billion price tag for Huawei was too high.) In the lawsuit announcement, Huawei Chairman Guo Ping also accused U.S. agencies of hacking Huawei servers and stealing emails and source code. In a similar case, China's Sanyi sued the Obama administration and forced CFIUS to determine that the company's acquisitions "have not raised national security objections."

Egypt Government Used Gmail Third-Party Apps To Phish Activists

Thu, 03/07/2019 - 16:03
An anonymous reader quotes a report from ZDNet: Members of Amnesty International say that Egyptian authorities are behind a recent wave of spear-phishing attacks that have targeted prominent local human rights defenders, media, and civil society organizations' staff. The attacks used a relatively new spear-phishing technique called "OAuth phishing," Amnesty experts said. OAuth phishing is when attackers aim to steal a user account's OAuth token instead of the account password. When a user grants a third-party app the right to access their account, the app receives an OAuth token instead of the user's password. These tokens work as authorization until the user revokes their access. Amnesty investigators said that in the recent spear-phishing campaign that targeted Egyptian activists, authorities created Gmail third-party apps through which they gained access to victims' accounts. Victims would receive an email that looked like a legitimate Gmail security alert. But when they clicked the link, they'd be redirected to a page where a third-party app would request access to their account. Once the victim granted the app access to their Gmail account, the user would be redirected to the account's legitimate security settings page where they'd be left to change their password. Even if the victim changes their password, at this point, the phishers would still have access to the account via the newly acquired OAuth token. The Amnesty International report says the spear-phishing campaign also targeted Yahoo, Outlook and Hotmail users.
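The point that matters for incident response in the passage above is the last one: an OAuth grant is a separate credential from the password, so rotating the password does nothing to the attacker's access, and the remediation step is revoking the third-party grant. The model below is an added example written for this page, not Amnesty's or Google's code; it reproduces the token semantics the report describes (consent issues a bearer token, the provider stores only a hash, a grant survives a password change until revoked) with a constructed account and app name, so that the failure mode can be exercised offline.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def _h(s: str) -> str:
    """Hash secrets before storing them, as a provider would."""
    return hashlib.sha256(s.encode()).hexdigest()


@dataclass
class Grant:
    app_name: str
    scopes: set


@dataclass
class Account:
    email: str
    password_hash: str
    grants: dict = field(default_factory=dict)  # token hash -> Grant


def authorize_app(account: Account, app_name: str, scopes) -> str:
    """Consent step: the app receives a bearer token; the provider keeps only its hash."""
    token = secrets.token_urlsafe(32)
    account.grants[_h(token)] = Grant(app_name, set(scopes))
    return token


def access_with_token(account: Account, token: str, scope: str) -> bool:
    """True if the token is still a live grant carrying the requested scope."""
    grant = account.grants.get(_h(token))
    return grant is not None and scope in grant.scopes


def change_password(account: Account, new_password: str, revoke_grants: bool = False) -> None:
    """A plain password change leaves every OAuth grant intact unless the
    provider (or user) explicitly chooses to revoke them at the same time."""
    account.password_hash = _h(new_password)
    if revoke_grants:
        account.grants.clear()


def revoke_app(account: Account, app_name: str) -> int:
    """Remove every grant issued to the named app; returns how many were removed."""
    doomed = [k for k, g in account.grants.items() if g.app_name == app_name]
    for k in doomed:
        del account.grants[k]
    return len(doomed)


def demo(revoke_on_password_change: bool = False):
    """Walk the scenario from the report with constructed names.

    Returns (access before, access after password change, access after revocation).
    """
    acct = Account("victim@example.invalid", _h("old-password"))
    # Constructed app name standing in for the attacker-registered third-party app.
    token = authorize_app(acct, "example-third-party-app", {"mail.read"})
    before = access_with_token(acct, token, "mail.read")
    change_password(acct, "new-password", revoke_grants=revoke_on_password_change)
    after_pw_change = access_with_token(acct, token, "mail.read")
    revoke_app(acct, "example-third-party-app")
    after_revoke = access_with_token(acct, token, "mail.read")
    return before, after_pw_change, after_revoke


if __name__ == "__main__":
    print("default provider behaviour:", demo())            # (True, True, False)
    print("revoke grants on password change:", demo(True))  # (True, False, False)
```

The `revoke_on_password_change` switch is the design choice worth noting: a provider that ties grant revocation to password resets closes the window the report describes, at the cost of breaking legitimate integrations on every reset, which is why most providers leave it to the user's "third-party access" settings page.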

Google's Project Zero Team Releases Details On High-Severity macOS Bug 'BuggyCow'

Thu, 03/07/2019 - 15:20
Google's bug-hunting researchers known as Project Zero have revealed a fresh zero-day vulnerability in macOS called "BuggyCow." "The attack takes advantage of an obscure oversight in Apple's protections on its machines' memory to enable so-called privilege escalation, allowing a piece of malware with limited privileges to, in some cases, pierce into deeper, far more trusted parts of a victim's Mac," reports Wired. "The trick's name is based on a loophole the hackers found in the so-called copy-on-write, or CoW, protection built into how MacOS manages a computer's memory." From the report: Some programs, when dealing with large quantities of data, use an efficiency trick that leaves data on a computer's hard drive rather than potentially clog up resources by pulling it into memory. That data, like any data in a computer's memory, can sometimes be used by multiple processes at once. The MacOS memory manager keeps a map of its physical location to help coordinate, but if one of those processes tries to change the data, the memory manager's copy-on-write safeguard requires it to make its own copy. Which is to say, a program can't simply change the data shared by all the other processes -- some of which could be more highly privileged, sensitive programs than the one requesting the change. Google's BuggyCow trick, however, takes advantage of the fact that when a program mounts a new file system on a hard drive -- basically loading a whole collection of files rather than altering just one -- the memory manager isn't warned. So a hacker can unmount a file system, remount it with new data, and in doing so silently replace the information that some sensitive, highly privileged code is using. Technically, as a zero-day vulnerability with no patch in sight, BuggyCow applies to anyone with an Apple laptop or desktop. But given the technical skill and access needed to pull it off, you shouldn't lose much sleep over it. To even start carrying out this Rube Goldberg-style attack, a hacker would need a victim to already have some form of malware running on their computer. And while BuggyCow would allow that malware to potentially mess with the inner workings of higher-privileged parts of the computer, it could do so only if it found a highly privileged program that kept its sensitive data on the hard drive rather than memory. Project Zero says it warned Apple about BuggyCow back in November, but Apple hadn't acted to patch it ahead of last week's public reveal.

Philadelphia Bans Cashless Stores

Thu, 03/07/2019 - 13:25
An anonymous reader quotes a report from Ars Technica: This week, Philadelphia's mayor signed a bill that would ban cashless retail stores, according to The Morning Call. The move makes Philadelphia the first major city to require that brick-and-mortar retail stores accept cash. Besides Philadelphia, Massachusetts has required that retailers accept cash since 1978, according to CBS. The law takes effect July 1, and it will not apply to stores like Costco that require a membership, nor will it apply to parking garages or lots, or to hotels or rental car companies that require a credit or debit card as security for future charges, according to the Wall Street Journal. Retailers caught refusing cash can be fined up to $2,000. Amazon, whose new Amazon Go stores are cashless and queue-less, reportedly pushed back against the new law, asking for an exemption. According to the WSJ, Philadelphia lawmakers said that Amazon could work around the law under the exemption for stores that require a membership to shop there, but Amazon told the city that a Prime membership is not required to shop at Amazon Go stores, so its options are limited. A top official in Philadelphia's Chamber of Commerce said that the ban will prevent Philadelphia from modernizing with the rest of the country. Cashless companies argue that cash slows down transactions when change needs to be counted and creates security risks for employees locking up at the end of the night. Supporters of the new law argue that "not accepting cash hurts poorer residents who may not be able to afford or qualify for a credit card or who want to avoid fees that come with changing cash into a prepaid debit card," reports Ars. "Additionally, privacy advocates say that being forced to use a digital form of payment to buy things is a de facto requirement to share records of their purchases with third-party companies."

Bruce Schneier: It's Time For Technologists To Become Lawmakers

Thu, 03/07/2019 - 06:00
Bruce Schneier, a well-known security guru, this week called on technologists to become lawmakers and policy makers so countries can deal with issues such as the governance of artificial intelligence and cybersecurity. From a report: "The future is coming," Schneier said, speaking at the RSA security conference in San Francisco. "It's coming faster than we think. And it's coming faster than our existing policy tools can deal with. And the only way to fix this is to develop a new set of policy tools. With the help of the technologists, you understand the technologies." The issues are a lot larger than just computer security. Schneier wants more public interest technologists in all areas. [...] We saw the policy makers and technologists talk past each other when the FBI wanted Apple to break into an iPhone that belonged to a terrorist shooting suspect, Schneier said. The debate over Edward Snowden's disclosure of the National Security Agency's eavesdropping programs was another flash point. The need for policy makers to understand technology is clear. "This is no different than any other part of our complex world," he said. "We don't expect legislators to be experts in everything. We expect them to get and accept expertise. The second thing we need is for technologists to get involved in policy, and what we need is more public interest technologists" -- those who focus on social justice, the common good, and the public interest.

The Prototype iPhones That Hackers Use To Research Apple's Most Sensitive Code

Wed, 03/06/2019 - 15:01
Hackers and security researchers use rare "dev-fused" iPhones created for internal use at Apple to bypass Apple's protections and security features to uncover iPhone vulnerabilities and other sensitive info, Motherboard reported Wednesday, citing two dozen security researchers, current and former Apple employees, rare phone collectors, and members of the iPhone jailbreaking community. From the report: These rare iPhones have many security features disabled, allowing researchers to probe them much more easily than the iPhones you can buy at a store. Since the Black Hat talk, dev-fused iPhones have become a tool that security researchers around the world use to find previously unknown iPhone vulnerabilities (known as zero days), Motherboard has learned. Dev-fused iPhones, which were never intended to escape Apple's production pipeline, have made their way to the gray market, where smugglers and middlemen sell them for thousands of dollars to hackers and security researchers. Using the information gleaned from probing a dev-fused device, researchers can sometimes parlay what they've learned into developing a hack for the normal iPhones hundreds of millions of people own.

Microsoft Open-Sources Windows Calculator

Wed, 03/06/2019 - 10:59
Microsoft said today it has made the source code for its Windows calculator available on GitHub. The company said it hopes to work with contributors to improve the user experience of Windows calculator. In a statement, Dave Grochocki and Howard Wolosky of Microsoft said: Today, we're excited to announce that we are open sourcing Windows Calculator on GitHub under the MIT License. This includes the source code, build system, unit tests, and product roadmap. Our goal is to build an even better user experience in partnership with the community. We are encouraging your fresh perspectives and increased participation to help define the future of Calculator. As developers, if you would like to know how different parts of the Calculator app work, easily integrate Calculator logic or UI into your own applications, or contribute directly to something that ships in Windows, now you can. Calculator will continue to go through all usual testing, compliance, security, quality processes, and Insider flighting, just as we do for our other applications.

NSA Releases Ghidra, a Free Software Reverse Engineering Toolkit

Wed, 03/06/2019 - 06:40
An anonymous reader writes: At the RSA security conference this week, the National Security Agency released Ghidra, a free software reverse engineering tool that the agency had been using internally for well over a decade. The tool is ideal for software engineers, but will be especially useful for malware analysts first and foremost, being similar to other reverse engineering tools like IDA Pro, Hopper, HexRays, and others. The NSA's general plan was to release Ghidra so security researchers can get used to working with it before applying for positions at the NSA or other government intelligence agencies with which the NSA has previously shared Ghidra in private. Ghidra is currently available for download only through its official website, but the NSA also plans to release its source code under an open source license in the future.

FBI Director Christopher Wray On Encryption: We Can't Have an 'Entirely Unfettered Space Beyond the Reach of Law Enforcement'

Tue, 03/05/2019 - 16:03
An anonymous reader quotes a report from CNET: Encryption should have limits. That's the message FBI Director Christopher Wray had for cybersecurity experts Tuesday. The technology that scrambles up information so only intended recipients can read it is useful, he said, but it shouldn't provide a playground for criminals where law enforcement can't reach them. "It can't be a sustainable end state for there to be an entirely unfettered space that's utterly beyond law enforcement for criminals to hide," Wray said during a live interview at the RSA Conference, a major cybersecurity gathering in San Francisco. His comments are part of a back-and-forth between government agencies and security experts over the role of encryption technology in public safety. Agencies like the FBI have repeatedly voiced concerns like Wray's, saying encryption technology locks them out of communications between criminals. Cybersecurity experts say the technology is crucial for keeping data and critical computer systems safe from hackers. Letting law enforcement access encrypted information just creates a backdoor hackers will ultimately exploit for evil deeds, they say. Wray, a former assistant attorney general in the U.S. Department of Justice who counts among his biggest cases prosecutions against Enron officials, acknowledged Tuesday that encryption is "a provocative subject." As the leader of the nation's top law enforcement agency, though, he's focused on making sure the government can carry out criminal investigations. Hackers in other countries should expect more investigations and indictments, Wray said. "We're going to follow the facts wherever they lead, to whomever they lead, no matter who doesn't like it," he said. To applause, he added, "I don't really care what some foreign government has to say about it."

Why 'ji32k7au4a83' is a Remarkably Common Password

Tue, 03/05/2019 - 12:05
A seemingly complex set of characters like "ji32k7au4a83" is a very common password among users, it turns out. From a report: This interesting bit of trivia comes from self-described hardware/software engineer Robert Ou, who recently asked his Twitter followers if they could explain why this seemingly random string of numbers has been seen by Have I Been Pwned (HIBP) over a hundred times. Have I Been Pwned is an aggregator that was started by security expert Troy Hunt to help people find out if their email or personal data has shown up in any prominent data breaches. One service it offers is a password search that allows you to check if your password has shown up in any data breaches that are on the radar of the security community. In this case, "ji32k7au4a83" has been seen by HIBP in 141 breaches. Several of Ou's followers quickly figured out the solution to his riddle. The password is coming from the Zhuyin Fuhao system for transliterating Mandarin. The reason it's showing up fairly often in a data breach repository is because "ji32k7au4a83" translates to English as "my password."
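The explanation above can be checked mechanically: on the standard Zhuyin keyboard layout each key on a US keyboard carries one bopomofo symbol, with the digit keys 6, 3, 4 and 7 acting as tone marks that close a syllable. Decoding "ji32k7au4a83" key by key gives four syllables, ㄨㄛˇ ㄉㄜ˙ ㄇㄧˋ ㄇㄚˇ, which spell 我的密碼, "my password". The decoder below is an added example written for this page, not Robert Ou's or HIBP's code; the key map is the standard Zhuyin layout, and the four-entry syllable-to-character table is a constructed stand-in for the dictionary a real password checker would use. The practical lesson for a checker is that a string which looks random in ASCII can be a plain dictionary phrase under another input method, and blocklists should be applied after that kind of normalisation as well as before.

```python
# Standard Zhuyin (bopomofo) keyboard layout: US key -> bopomofo symbol.
ZHUYIN_KEYS = {
    "1": "ㄅ", "q": "ㄆ", "a": "ㄇ", "z": "ㄈ",
    "2": "ㄉ", "w": "ㄊ", "s": "ㄋ", "x": "ㄌ",
    "e": "ㄍ", "d": "ㄎ", "c": "ㄏ",
    "r": "ㄐ", "f": "ㄑ", "v": "ㄒ",
    "5": "ㄓ", "t": "ㄔ", "g": "ㄕ", "b": "ㄖ",
    "y": "ㄗ", "h": "ㄘ", "n": "ㄙ",
    "u": "ㄧ", "j": "ㄨ", "m": "ㄩ",
    "8": "ㄚ", "i": "ㄛ", "k": "ㄜ", ",": "ㄝ",
    "9": "ㄞ", "o": "ㄟ", "l": "ㄠ", ".": "ㄡ",
    "0": "ㄢ", "p": "ㄣ", ";": "ㄤ", "/": "ㄥ", "-": "ㄦ",
}
# Tone keys end a syllable. Space is first tone (no mark) and rarely survives
# in a password, so toneless syllables run together and cannot be split here.
TONE_KEYS = {"6": "ˊ", "3": "ˇ", "4": "ˋ", "7": "˙", " ": ""}

# Constructed lookup for the demonstration only; a real checker would use a
# full input-method dictionary rather than four hand-picked entries.
SYLLABLE_TO_HANZI = {"ㄨㄛˇ": "我", "ㄉㄜ˙": "的", "ㄇㄧˋ": "密", "ㄇㄚˇ": "碼"}


def keys_to_syllables(keystrokes: str):
    """Translate a key sequence into bopomofo syllables; None if any key is not Zhuyin."""
    syllables, current = [], ""
    for ch in keystrokes.lower():
        if ch in TONE_KEYS:
            if not current:          # a tone mark with nothing before it
                return None
            syllables.append(current + TONE_KEYS[ch])
            current = ""
        elif ch in ZHUYIN_KEYS:
            current += ZHUYIN_KEYS[ch]
        else:
            return None
    if current:
        syllables.append(current)
    return syllables


def decode_zhuyin(keystrokes: str):
    """Return the Chinese phrase the keystrokes spell, or None if any syllable is unknown."""
    syllables = keys_to_syllables(keystrokes)
    if not syllables:
        return None
    chars = [SYLLABLE_TO_HANZI.get(s) for s in syllables]
    if any(c is None for c in chars):
        return None
    return "".join(chars)


def is_transliterated_phrase(password: str, weak_phrases=("我的密碼",)) -> bool:
    """True when the password is a known weak phrase typed through the Zhuyin layout."""
    return decode_zhuyin(password) in weak_phrases


if __name__ == "__main__":
    pw = "ji32k7au4a83"
    print(pw, "->", keys_to_syllables(pw), "->", decode_zhuyin(pw))
    print("weak:", is_transliterated_phrase(pw))
```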

Exploit Vendor Zerodium Announces Big Rewards For Cloud Zero-Days

Tue, 03/05/2019 - 10:48
Exploit vendor Zerodium said today it would pay up to $500,000 for zero-days in popular cloud products and services such as Microsoft's Hyper-V and (Dell) VMware's vSphere. From a report: Both Hyper-V and vSphere are what experts call virtualization software, also called hypervisors -- software that lets a single "host" server create and run one or more virtual "guest" operating systems. Virtualization software is often found in cloud-powered data centers. Hyper-V is the technology at the core of Microsoft's Azure cloud computing platform, while VMware's vSphere is used by Amazon Web Services and SAP. With cloud services growing in adoption, especially for hosting websites and crucial IT infrastructure, the importance of both technologies has been slowly increasing in recent years. This paradigm shift hasn't gone unnoticed in the exploit market, where Zerodium -- a Washington, DC-based exploit vendor -- is by far the leading company. In a tweet earlier today, Zerodium announced plans to pay up to $500,000 for fully-working zero-days in Hyper-V and vSphere that would allow an attacker to escape from the virtualized guest operating system to the host server's OS.

Vladimir Putin Wants His Own Internet

Tue, 03/05/2019 - 10:11
A bill that's progressing through Russia's legislature could grant local authorities deeper control over internet access. The so-called "Sovereign Internet" bill seeks to set up a centralized hub officials can use to manage the flow of information in the nation. From a report: Putin is touting the initiative as a defensive response to the Trump Administration's new cyber strategy, which permits offensive measures against Russia and other designated adversaries. But industry insiders, security experts and even senior officials say political upheaval is the bigger concern. "This law isn't about foreign threats, or banning Facebook and Google, which Russia can already do legally," said Andrei Soldatov, author of "The Red Web: The Kremlin's Wars on the Internet" and co-founder of Agentura.ru, a site that tracks the security services. "It's about being able to cut off certain types of traffic in certain areas during times of civil unrest."