Slashdot security articles


Security Researcher Cracks Google's Widevine DRM (L3 Only)

Fri, 01/04/2019 - 02:00
The L3 protection level of Google's Widevine DRM technology has been cracked by a British security researcher who can now decrypt content transferred via DRM-protected multimedia streams. ZDNet's Catalin Cimpanu notes that while this "sounds very cool," it's not likely to fuel a massive piracy wave because "the hack works only against Widevine L3 streams, and not L2 and L1, which are the ones that carry high-quality audio and video content." From the report: Google designed its Widevine DRM technology to work on three data protection levels (L1, L2, and L3), each usable in various scenarios. According to Google's docs, the differences between the three protection levels are as follows:
L1 - all content processing and cryptography operations are handled inside a CPU that supports a Trusted Execution Environment (TEE).
L2 - only cryptography operations are handled inside a TEE.
L3 - content processing and cryptography operations are (intentionally) handled outside of a TEE, or the device doesn't support a TEE.
"Soooo, after a few evenings of work, I've 100% broken Widevine L3 DRM," [British security researcher David Buchanan] said on Twitter. "Their Whitebox AES-128 implementation is vulnerable to the well-studied DFA attack, which can be used to recover the original key. Then you can decrypt the MPEG-CENC streams with plain old ffmpeg." Although Buchanan has not yet released any proof-of-concept code, it wouldn't help anyone if he did. In order to get the DRM-encrypted data blob that you want to decrypt, an attacker would still need "the right/permission" to receive the data blob in the first place. If a Netflix pirate had this right (being an account holder), then he'd most likely (ab)use it to pirate a higher-quality version of the content, instead of bothering to decrypt low-res video and lo-fi audio. The only advantage is in regards to automating the pirating process, but as some users have pointed out, this isn't very appealing in today's tech scene where almost all devices are capable of playing HD multimedia [1, 2].

OSNews Suffered 'Likely' Data Breach, Contemplated Going Offline Permanently

Thu, 01/03/2019 - 15:40
hmckee writes: OSNews was offline for a few days for upgrades. It is now back up with a message that indicates they encountered a data breach and considered going offline for good due to maintenance and financial difficulties. "Our best guess is that someone was able to exploit a vulnerability in old, unmaintained code in the site's content management system, and made off with at least some user data, which may be as little as a few user records or, at worst, our entire database," writes Publisher David Adams. "Your email addresses were in there, and the encryption on the passwords wasn't up to modern standards (unsalted SHA1). [...] Other than potential spam, though, we're not aware of any other nefarious use of your data, we don't store much beyond email addresses and passwords..." David goes on to cite poor advertising revenues and a lack of time for reasons to throw in the towel and go offline permanently.

Apple To Pull Some iPhones From German Stores After Qualcomm Enforces Ban

Thu, 01/03/2019 - 15:03
Qualcomm is enforcing a court order banning the sale of some iPhones in Germany that violate its patents on power-saving technology. As a result, Apple is likely going to pull some iPhone models from its German stores. Reuters reports: The chipmaker posted the [security] bonds of 1.34 billion euros ($1.52 billion) as part of a legal requirement by a German court, which found on Dec. 20 that Apple had infringed Qualcomm patents on power-saving technology used in smartphones. The iPhone maker had earlier said it would pull iPhone 7 and 8 models from its 15 stores in Germany when the order came into force. The order took effect when Qualcomm posted the bond. According to the court order, Apple has to stop the sale, offer for sale and importation for sale of all infringing iPhones in Germany. Apple had said it was appealing the decision. The court also ordered Apple to recall the affected iPhones from third-party resellers in Germany, according to a statement by Qualcomm.

The Elite Intel Team Still Fighting Meltdown and Spectre

Thu, 01/03/2019 - 10:55
Throughout 2018, researchers inside and outside Intel continued to find exploitable weaknesses related to the Meltdown and Spectre class of "speculative execution" vulnerabilities. Fixing many of them takes not just software patches, but conceptually rethinking how processors are made. From a report: At the center of these efforts for Intel is STORM, the company's strategic offensive research and mitigation group, a team of hackers from around the world tasked with heading off next-generation security threats. Reacting to speculative execution vulnerabilities in particular has taken extensive collaboration among product development teams, legacy architecture groups, outreach and communications departments to coordinate response, and security-focused research groups at Intel. STORM has been at the heart of the technical side. "With Meltdown and Spectre we were very aggressive with how we approached this problem," says Dhinesh Manoharan, who heads Intel's offensive security research division, which includes STORM. "The amount of products that we needed to deal with and address and the pace in which we did this -- we set a really high bar." Intel's offensive security research team comprises about 60 people who focus on proactive security testing and in-depth investigations. STORM is a subset, about a dozen people who specifically work on prototyping exploits to show their practical impact. They help shed light on how far a vulnerability really extends, while also pointing to potential mitigations. The strategy helped them catch as many variants as possible of the speculative execution vulnerabilities that emerged in a slow trickle throughout 2018. "Every time a new state of the art capability or attack is discovered we need to keep tracking it, doing work on it, and making sure that our technologies are still resilient," says Rodrigo Branco, who heads STORM. "It was no different for Spectre and Meltdown. The only difference in that case is the size, because it also affected other companies and the industry as a whole."

Tim Cook to Investors: People Bought Fewer New iPhones Because They Repaired Their Old Ones

Thu, 01/03/2019 - 10:15
On Wednesday, Apple CEO Tim Cook issued a dire warning to his investors. Apple, the world's first trillion dollar company, lowered its revenue forecast for the first time since 2002, thanks primarily to China, he said. But there was at least one more issue at play. Motherboard: The lengthy letter cites, specifically, that people are buying fewer iPhones because they are repairing their old ones. Apple has long fought efforts that would make iPhones easier to repair: It has lobbied against right to repair efforts in several states, doesn't sell iPhone replacement parts, sued an independent repair professional in Norway, worked with Amazon to get iPhone and MacBook refurbishers kicked off Amazon Marketplace, and has deals with electronics recyclers that require them to shred iPhones and MacBooks (as opposed to allowing them to be refurbished). The Department of Homeland Security, meanwhile, has seized iPhone replacement parts from prominent right to repair activists in the United States. [...] Apple has never clearly articulated why it doesn't want people to fix their own iPhones or to have independent experts repair them. It has previously said that iPhones are "too complex" for users to repair them, even though replacing a battery is pretty easy and is done by average users all the time. But the fact that repair hurts Apple's bottom line came out in Cook's official communication with shareholders, to whom he is legally obligated to tell the truth.

Paul Whelan, American Accused of Spying, is Said to Be Charged in Russia

Thu, 01/03/2019 - 07:34
Russian investigative agencies on Thursday indicted Whelan, a 48-year-old former U.S. Marine, on charges of spying, Interfax cited an informed source as saying. From a report: Mr. Whelan's lawyer, Vladimir A. Zherebenkov, who said he spent much of Wednesday with Mr. Whelan, said he had found his client in an upbeat mood despite the long legal road that he faces. "I was surprised to see him being so confident," said Mr. Zherebenkov, a high-profile criminal defense lawyer. Mr. Whelan, 48, the head of global security for the Michigan auto parts maker BorgWarner and a Marine Corps veteran, was arrested last Friday and is being held in solitary confinement in Moscow's notorious Lefortovo Prison. Russia's domestic security agency, the F.S.B., issued a brief statement on Monday saying that Mr. Whelan had been caught in "an act of espionage" but provided no other details. Mr. Zherebenkov said that he had not seen all the evidence, but that he suspected that the American had been under surveillance for some time. "I presume that he is innocent, because for now I haven't seen any evidence against him that would prove otherwise," said Mr. Zherebenkov, who said that Mr. Whelan would petition the court for bail. Rosbalt, a Russian news agency close to the security services, quoted an unidentified intelligence source on Wednesday as saying that Mr. Whelan had been apprehended during a meeting with a Russian citizen in his room at the Metropol Hotel in Moscow. He is accused of trying to recruit this person to obtain classified information about staff members at various Russian agencies, the account said. Mr. Whelan was arrested five minutes after receiving a USB stick containing a list of all the employees at a classified security agency, the report said.

Data of 2.4 Million Blur Password Manager Users Left Exposed Online

Thu, 01/03/2019 - 06:45
Abine, the company behind the Blur password manager and the DeleteMe online privacy protection service, revealed on Monday a data breach impacting nearly 2.4 million Blur users, ZDNet reports. From the report: The breach came to light last year, on December 13, when a security researcher contacted the company about a server that exposed a file containing sensitive information about Blur users, an Abine spokesperson told ZDNet via email. The company said it followed this initial report with an internal security audit to determine the size of the breach. The audit concluded last week, and the company made the data leak public on Monday in a post on its blog. The data that was available on the web included each user's email address, some users' first and last names, some users' password hints (but only from our old MaskMe product), and each user's encrypted Blur password.

Hackers Are Taking Over Chromecasts To Promote a YouTube Channel

Wed, 01/02/2019 - 16:10
In what is being referred to as CastHack, hackers j3ws3r and HackerGiraffe are promoting Felix "PewDiePie" Kjellberg by forcing TVs to display a message encouraging people to subscribe to his YouTube channel. "The hack takes advantage of a router setting that makes smart devices, like Chromecasts and Google Homes, publicly viewable on the internet," reports The Verge. "The attackers are then able to gain control of the devices and broadcast videos on a connected TV." From the report: A website for the attack claims to count the number of TVs forced to show the PewDiePie message and currently says more than 3,000 have been affected. While it's not clear that this is an accurate number (it has reset several times), a number of people posted on Reddit that the video had appeared on their TV. Google tells The Verge it has received reports from people who had "an unauthorized video played on their TVs via a Chromecast device," but said the issue was the result of router settings. Both HackerGiraffe and Google told The Verge the best way for affected users to fix the issue is to turn off Universal Plug and Play (UPnP) on their routers. The two hackers said they were behind a hack in November that forced printers around the world to print out sheets of paper telling people to subscribe to PewDiePie.

Iran Extends Social Media Crackdown With Move To Bar Instagram

Wed, 01/02/2019 - 15:30
An anonymous reader quotes a report from Bloomberg: Authorities in Iran are preparing to block access to Instagram, extending their crackdown on social media to the only major platform still freely available. The National Cyberspace Council approved steps toward blocking the service, Javad Javidnia, deputy for cyberspace affairs at the public prosecutor's office, was cited as saying by the semi-official Donya-e Eqtesad newspaper. Instagram would join Twitter, Facebook, YouTube and Telegram in being banned in the Islamic Republic, ostensibly for reasons of national security. Despite the restrictions, Iranians including Supreme Leader Ali Khamenei, President Hassan Rouhani and Foreign Minister Mohammad Javad Zarif continue to use the services, which are widely accessible via proxy servers. Rouhani's verified Twitter account has over 800,000 followers. Javidnia said efforts to filter Instagram hadn't worked. While judicial and political officials involved were yet to reach a consensus on barring the site, the prosecutor can take a unilateral decision to do so, he said.

USB Type-C Authentication Program Launched

Wed, 01/02/2019 - 12:51
With the arrival of USB-C a few years back, plugging into laptops, tablets and smartphones became even easier than before. But there are potential security risks. The USB Type-C Authentication Program launched today aims to address such issues. From a report: The new protocol from the USB Implementers Forum (USB-IF) can be used to validate the authenticity of a cable, charger or hardware at the moment of connection, and stop attacks in their tracks. The USB-IF has chosen DigiCert to operate registrations and certificate authority services for the new specification, which makes use of 128-bit cryptographic-based authentication for certificate format, digital signing, hash and random number generation. "USB Type-C Authentication gives OEMs the opportunity to use certificates that enable host systems to confirm the authenticity of a USB device or USB charger, including such product aspects as the descriptors, capabilities and certification status," said DigiCert in a press release. "This protects against potential damage from non-compliant USB chargers and the risks from maliciously embedded hardware or software in devices attempting to exploit a USB connection."

Mozilla Thunderbird Outlines Plans For 2019: Addressing UI Lags, Performance Issues; Improved 3rd-Party Email Integration, Encryption Usability

Wed, 01/02/2019 - 08:05
For years, Mozilla has largely neglected development of Thunderbird, an email client it owns. But the company, which grew its team to eight staff last year, says it plans to address most of the issues that users have complained about and add six more people to Thunderbird staff this year, it said in a blog post. In the blog post Wednesday, the company said: Our hires are already addressing technical debt and doing a fair bit of plumbing when it comes to Thunderbird's codebase. Our new hires will also be addressing UI-slowness and general performance issues across the application. This is an area where I think we will see some of the best improvements in Thunderbird for 2019, as we look into methods for testing and measuring slowness -- and then put our engineers on architecting solutions to these pain points. Beyond that, we will be looking into leveraging new, faster technologies in rewriting parts of Thunderbird as well as working toward a multi-process Thunderbird. [...] For instance, one area of usability that we are planning on addressing in 2019 is integration improvements in various areas. One of those is better Gmail support; as one of the biggest email providers, it makes sense to focus some resources on this area. We are looking at addressing Gmail label support and ensuring that other features specific to the Gmail experience translate well into Thunderbird. We are looking at improving notifications in Thunderbird, by better integrating with each operating system's built-in notification system. By working on this feature Thunderbird will feel more "native" on each desktop and will make managing notifications from the app easier. The UX/UI around encryption and settings will get an overhaul in the coming year; whether or not all this work makes it into the next release is an open question -- but as we grow our team this will be a focus. It is our hope to make encrypting email and ensuring your private communication easier in upcoming releases; we've even hired an engineer who will be focused primarily on security and privacy.

The Commerce Department is Considering National Security Restrictions on AI

Wed, 01/02/2019 - 07:31
An anonymous reader shares a report: A common belief among tech industry insiders is that Silicon Valley has dominated the internet because much of the worldwide network was designed and built by Americans. Now a growing number of those insiders are worried that proposed export restrictions could short-circuit the pre-eminence of American companies in the next big thing to hit their industry, artificial intelligence. In November, the Commerce Department released a list of technologies, including artificial intelligence, that are under consideration for new export rules because of their importance to national security. Technology experts worry that blocking the export of A.I. to other countries, or tying it up in red tape, will help A.I. industries flourish in those nations -- China, in particular -- and compete with American companies. "The number of cases where exports can be sufficiently controlled are very, very, very small, and the chance of making an error is quite large," said Jack Clark, head of policy at OpenAI, an artificial intelligence lab in San Francisco. "If this goes wrong, it could do real damage to the A.I. community." The export controls are being considered as the United States and China engage in a trade war. The Trump administration has been critical of the way China negotiates deals with American companies, often requiring the transfer of technology to Chinese partners as the cost of doing business in the country. And federal officials are making an aggressive argument that China has stolen American technology through hacking and industrial espionage.

Popular App Weather Forecast Collects Too Much User Data and is Attempting To Subscribe Some Users To Paid Services Without Permission

Wed, 01/02/2019 - 06:00
A popular weather app built by a Chinese tech conglomerate has been collecting an unusual amount of data from smartphones around the world and attempting to subscribe some users to paid services without permission, according to a London-based security firm's research. From a report: The free app, one of the world's most-downloaded weather apps in Google's Play store, is from TCL Communication Technology Holdings, of Shenzhen, China. TCL makes Alcatel- and BlackBerry-branded phones, while a sister company makes televisions. The app, called "Weather Forecast -- World Weather Accurate Radar," collects data including smartphone users' geographic locations, email addresses and unique 15-digit International Mobile Equipment Identity (IMEI) numbers on TCL servers in China, according to Upstream Systems, the mobile commerce and security firm that found the activity. Until last month, the app was known as "Weather -- Simple weather forecast." The weather app also has attempted to surreptitiously subscribe more than 100,000 users of its low-cost Alcatel smartphones in countries such as Brazil, Malaysia and Nigeria to paid virtual-reality services, according to Upstream Systems. The security firm, which discovered the activity as part of its work for mobile operators, said users would have been billed more than $1.5 million had it not blocked the attempts.

First-Ever UEFI Rootkit Tied To Sednit APT

Tue, 01/01/2019 - 15:05
Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks. From a report: The discussion of Sednit was part of the 35C3 conference, and a session given by Frederic Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall [PDF]. During his session, Vachon said that finding a rootkit targeting a system's UEFI is significant, given that rootkit malware programs can survive on the motherboard's flash memory, giving them both persistence and stealth. "UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level," he said. The rootkit is named LoJax. The name is a nod to the underlying code, which is a modified version of Absolute Software's LoJack recovery software for laptops. The purpose of the legitimate LoJack software is to help victims of a stolen laptop access their PC without tipping off the bad guys who stole it. It hides in a system's UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.

Hackers Make a Fake Hand to Beat Vein Authentication

Mon, 12/31/2018 - 21:30
Devices and security systems are increasingly using biometric authentication to let users in and keep hackers out, be that fingerprint sensors or perhaps the iPhone's FaceID. Another method is so-called 'vein authentication,' which, as the name implies, involves a computer scanning the shape, size, and position of a user's veins under the skin of their hand. But hackers have found a workaround for that, too. From a report: On Thursday at the annual Chaos Communication Congress hacking conference in Leipzig, Germany, security researchers described how they created a fake hand out of wax to fool a vein sensor. "It makes you feel uneasy that the process is praised as a high-security system and then you modify a camera, take some cheap materials and hack it," Jan Krissler, who goes by the handle starbug, and who researched the vein authentication system along with Julian Albrecht, told Motherboard over email in German. Vein authentication works with systems that compare the placement of a user's veins under their skin to a copy on record. According to a recent report from German news wire DPA, the BND, Germany's signals intelligence agency, uses vein authentication in its new headquarters building in Berlin. One attraction of a vein-based system over, say, a more traditional fingerprint system is that it may typically be harder for an attacker to learn how a user's veins are positioned under their skin than to lift a fingerprint from a held object or a high-quality photograph, for example. But with that said, Krissler and Albrecht first took photos of their vein patterns. They used a converted SLR camera with the infrared filter removed; this allowed them to see the pattern of the veins under the skin.

Severn Bridge, a Main Route Between England and Wales, Shuts as Drone Flown From Tower

Mon, 12/31/2018 - 10:01
A main route between England and Wales was closed after a man climbed a bridge and flew a drone from the top. An anonymous reader shares a report: Traffic was stopped on the M48 -- the older of two Severn crossings -- because of "concern for welfare," police said. The man, in his 20s, came down voluntarily from the 47m (154ft) bridge tower and was arrested on suspicion of causing a public nuisance. Highways England said it was deeply concerned and that "a person has put their life at serious risk". "The incident was quickly spotted on our security cameras and reported to police and thankfully there was no injury or worse on this occasion," it said. "Appropriate security is in place on the bridge, we are liaising with Avon and Somerset Police and will be undertaking investigations to determine if any damage was caused during the incident." Police said: "Officers attended the M48 Severn Bridge at 08:10 this morning after concerns were raised for a man who appeared to have climbed one of the towers and was flying a drone off it."

Why Huawei Gives the US and Its Allies Security Nightmares

Mon, 12/31/2018 - 03:08
Perhaps the most insightful piece that sums up why the U.S. and its allies are apprehensive of using Huawei's products. It gives six reasons; we are just highlighting the pointers, so click on the source story to read the description:
1. There could be "kill switches" in Huawei equipment.
2. ... That even close inspections miss.
3. Back doors could be used for data snooping.
4. The rollout of 5G wireless networks will make everything worse.
5. Chinese firms will ship tech to countries in defiance of a US trade embargo.
6. Huawei isn't as immune to Chinese government influence as it claims to be.

EU Offers Big Bug Bounties On 14 Open Source Software Projects

Sat, 12/29/2018 - 08:34
Julia Reda is a member of Germany's Pirate Party, a member of the European Parliament, and the Vice-President of The Greens-European Free Alliance. Thursday her official web site announced: In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL.... The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure.... That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA... In 2017, the project was extended for three more years. This time, we decided to go one step further and added the carrying out of Bug Bounties on important Free Software projects to the list of measures we wanted to put in place to increase the security of Free and Open Source Software... In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on. The bounties start at 25.000,00 € -- about $29,000 USD -- rising as high as 90.000,00 € ($103,000). "The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software," Reda writes. Click through for a list of the software projects for which bug bounties will be offered.

Samsung Wants To Bring Web Browsing, Office Work To the TV

Fri, 12/28/2018 - 18:30
Samsung's 2019 smart TVs will allow consumers to browse the web, access their PCs and even edit work documents from the comfort of their living room couch. From a report: The company previewed a new feature dubbed Remote Access this week, which integrates both Samsung's own Knox security framework as well as remote access software from VMWare. Samsung stopped short of revealing key details about Remote Access. It did disclose that Remote Access will make it possible to remotely access a PC from a TV, which then seems to function as a gateway to the web, as well as a way to play PC-based games. To use Remote Access, consumers won't have to rely just on their TV remote controls. Instead, it will also work with a keyboard, mouse, and other input devices. These may come in handy when consumers access what Samsung vaguely described as a "web browser-based cloud office service" to "access files and work on documents."

Mark Zuckerberg on Facebook's 2018: We've Changed, We Promise

Fri, 12/28/2018 - 11:30
It's nearly the new year, which means time for some reflection on what's happened and what's to come. For Facebook CEO Mark Zuckerberg, that means looking back on one really tough year. From a report: In his year-end post on Friday, Zuckerberg is optimistic, if a little defensive. He ticked off changes the company's made -- or, as he put it, "We've fundamentally altered our DNA" -- to focus more on handling the bad stuff that happens on Facebook. That includes tackling Russian interference in our elections, stopping harmful and bullying posts, and promising to give people more control over their data. He also noted that Facebook now has 30,000 people working on safety and harassment issues, and it's investing billions of dollars in security each year. He also acknowledged these issues will take more than a year to fix. But he said the company's started multiyear plans to address them. That doesn't mean he thinks Facebook is fully on the ball. "In the past we didn't focus as much on these issues as we needed to, but we're now much more proactive," he wrote. "I've learned a lot from focusing on these issues and we still have a lot of work ahead," Zuckerberg added. "I'm proud of the progress we've made in 2018 and grateful to everyone who has helped us get here -- the teams inside Facebook, our partners and the independent researchers and everyone who has given us so much feedback. I'm committed to continuing to make progress on these important issues as we enter the new year."