Slashdot security articles


Sprint Says Hackers Breached Customer Accounts Via Samsung Website

Tue, 07/16/2019 - 08:45
US mobile network operator Sprint said hackers broke into an unknown number of customer accounts via the Samsung.com "add a line" website. From a report: "On June 22, Sprint was informed of unauthorized access to your Sprint account using your account credentials via the Samsung.com 'add a line' website," Sprint said in a letter it is sending impacted customers. "The personal information of yours that may have been viewed includes the following: phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address and add-on services," the US telco said. Sprint said the information hackers had access to did not pose "a substantial risk of fraud or identity theft," although many might disagree with its assessment. The company said it re-secured all compromised accounts by resetting PIN codes three days later, on June 25.

Permission-Greedy Apps Delayed Android 6 Upgrade So They Could Harvest More User Data

Tue, 07/16/2019 - 08:05
Android app developers intentionally delayed updating their applications to work on top of Android 6.0, so they could continue to have access to an older permission-requesting mechanism that granted them easy access to large quantities of user data, research published by the University of Maryland last month has revealed. From a report: The central focus of this research was the release of Android 6.0 (Marshmallow) in October 2015. The main innovation added in Android 6.0 was the ability for users to approve app permissions on a per-permission basis, selecting which permissions they wanted to allow an app to have. [...] In research published in June, two University of Maryland academics say they conducted tests between April 2016 and March 2018 to see how many apps initially coded to work on older Android SDKs were updated to work on the newer Android 6.0 SDK. The research duo says they installed 13,599 of the most popular Android apps on test devices. Each month, the research team would update the apps and scan the apps' code to see if they had been updated for the newer Android 6.0 release. "We find that an app's likelihood of delaying upgrade to the latest platform version increases with an increase in the ratio of dangerous permissions sought by the apps, indicating that apps prefer to retain control over access to the users' private information," said Raveesh K. Mayya and Siva Viswanathan, the two academics behind the research.

Broadcom and Symantec End Buyout Talks

Mon, 07/15/2019 - 17:45
phalse phace writes: Earlier this month, there was a report that Broadcom was in advanced talks with Symantec about a possible buyout. It's being reported that those talks have now ended. "Symantec and Broadcom have ceased deal negotiations, sources tell CNBC's David Faber," reports CNBC. "The people familiar with the matter added that Symantec would not accept less than $28 a share. People familiar with the matter added that Broadcom indicated in early conversations that it would be willing to pay $28.25 per share for Symantec, but that following due diligence knocked that figure down below $28."

Facebook's Libra Cryptocurrency Could Be Misused By Terrorists, Says Treasury Chief Mnuchin

Mon, 07/15/2019 - 15:20
In a press conference Monday, Treasury Secretary Steven Mnuchin said Facebook's proposed digital currency, Libra, "could be misused by money launderers and terrorist financiers" and that it was a "national security issue." CNBC reports: "Cryptocurrencies such as bitcoin have been exploited to support billions of dollars of illicit activity like cyber crime, tax evasion, extortion, ransomware, illicit drugs and human trafficking," Mnuchin said, adding that he is "not comfortable today" with Facebook's launch. "They have a lot of work to do," he said. The press conference comes days after President Donald Trump said in a tweet that he was "not a fan" of cryptocurrencies like bitcoin. He also suggested Facebook, which plans on launching the global cryptocurrency next year, would need a bank charter to do so. Bitcoin dropped sharply on Monday following the president's criticism on Twitter. The world's first and most valuable digital currency fell roughly 10% to a low of $9,872 to start the week. "The president does have concerns as it relates to bitcoin and cryptocurrencies -- those are legitimate concerns that we have been working on for a long period of time," Mnuchin said. In response to the Treasury secretary's comments, Facebook told CNBC that "they anticipated critical feedback from regulators, central banks, lawmakers around the world." The tech giant also said they announced Libra a year before its anticipated launch date, "so that we could have those conversations."

How America's Tech Giants Are Helping Build China's Surveillance State

Sun, 07/14/2019 - 19:36
"An American organization founded by tech giants Google and IBM is working with a company that is helping China's authoritarian government conduct mass surveillance against its citizens," the Intercept reports. The OpenPower Foundation -- a nonprofit led by Google and IBM executives with the aim of trying to "drive innovation" -- has set up a collaboration between IBM, Chinese company Semptian, and U.S. chip manufacturer Xilinx. Together, they have worked to advance a breed of microprocessors that enable computers to analyze vast amounts of data more efficiently. Shenzhen-based Semptian is using the devices to enhance the capabilities of internet surveillance and censorship technology it provides to human rights-abusing security agencies in China, according to sources and documents. A company employee said that its technology is being used to covertly monitor the internet activity of 200 million people... Semptian presents itself publicly as a "big data" analysis company that works with internet providers and educational institutes. However, a substantial portion of the Chinese firm's business is in fact generated through a front company named iNext, which sells the internet surveillance and censorship tools to governments. iNext operates out of the same offices in China as Semptian, with both companies on the eighth floor of a tower in Shenzhen's busy Nanshan District. Semptian and iNext also share the same 200 employees and the same founder, Chen Longsen. [The company's] Aegis equipment has been placed within China's phone and internet networks, enabling the country's government to secretly collect people's email records, phone calls, text messages, cellphone locations, and web browsing histories, according to two sources familiar with Semptian's work. Promotional documents obtained from the company promise "location information for everyone in the country." 
One company representative even told the Intercept they were processing "thousands of terabits per second," and -- not knowing they were talking to a reporter -- forwarded a 16-minute video detailing their technology. "If a government operative enters a person's cellphone number, Aegis can show where the device has been over a given period of time: the last three days, the last week, the last month, or longer," the Intercept reports. Joss Wright, a senior research fellow at the University of Oxford's Internet Institute, told the Intercept that "by any meaningful definition, this is a vast surveillance effort." Read what the U.S. companies had to say about their involvement with Chinese surveillance technology:

Should Local Governments Pay Ransomware Attackers?

Sun, 07/14/2019 - 10:34
At least 170 local or state government systems in America have been hit with ransomware, and the French Interior Ministry received reports of 560 incidents in 2018 alone, according to Phys.org. (Though the French ministry also notes that most incidents aren't reported.) But when a government system is hit by ransomware, do they have a responsibility to pay the ransom to restore their data -- or to not pay it? "You have to do what's right for your organization," said Gregory Falco, a researcher at Stanford University specializing in municipal network security. "It's not the FBI's call. You might have criminal justice information, you could have decades of evidence. You have to weigh this for yourself." Josh Zelonis at Forrester Research offered a similar view, saying in a blog post that victims need to consider paying the ransom as a valid option, alongside other recovery efforts. But Randy Marchany, chief information security officer for Virginia Tech University, said the best answer is to take a hardline "don't pay" attitude. "I don't agree with any organization or city paying the ransom," Marchany said. "The victims will have to rebuild their infrastructure from scratch anyway. If you pay the ransom, the hackers give you the decryption key but you have no assurance the ransomware has been removed from all of your systems. So, you have to rebuild them anyway." Victims often fail to take preventive measures such as software updates and data backups that would limit the impact of ransomware. But victims may not always be aware of potential remedies that don't involve paying up, said Brett Callow of Emsisoft, one of several security firms that offer free decryption tools. "If the encryption in ransomware is implemented properly, there is a zero chance of recovery unless you pay the ransom," Callow said. "Often it isn't implemented properly, and we find weaknesses in the encryption and undo it." 
Callow also points to coordinated efforts of security firms including the No More Ransom Project, which partners with Europol, and ID Ransomware, which can identify some malware and sometimes unlock data.

'Never Commit a Crime When Your Phone Is Connected to a Wi-Fi Network'

Sat, 07/13/2019 - 16:34
"Like many bad ideas, this one started with Bud Light," reports Slate. As four high school seniors sat around shooting the breeze before graduation, they decided to vandalize their school as a senior prank. Disguised with T-shirts over their faces to evade security cameras, the young men originally set out to spray-paint "Class of 2018," but in a moment one of the men describes to the Washington Post as "a blur," their graffiti fest took a turn toward swastikas, racial slurs attacking the school's principal, and other hateful symbols. Despite their covered faces, school officials had no problem finding who was responsible: The students' phones had automatically connected with the school's Wi-Fi using their unique logins. Their digital fingerprints tipped off administrators to who was on campus just before midnight, and, as the Post describes, they were held accountable for their crime. But the incident also showcases how little we know about what we're giving away with our digital footprints. These men had clearly given thought about how to stay anonymous -- they knew they needed masks to foil the cameras -- but they didn't think the devices in their pockets could give them away. The AP adds that the prison sentences for the four teenagers "ranged from eight to 18 weekends behind bars."

What Happens When Landlords Can Get Cheap Surveillance Software?

Sat, 07/13/2019 - 15:34
"Cheap surveillance software is changing how landlords manage their tenants and what laws police can enforce," reports Slate. For example, there's a private company contracting with property managers that says they now have 475 security cameras in place and can sometimes scan more than 1.5 million license plates in a week. (According to Clayton Burnett, Watchstore Security's director of "innovation and new technology".) Burnett's company regularly hands over location data to police, he says, as evidence for cases large and small. But that investigative firepower also comes in handy for more routine landlord-tenant affairs. They've investigated tree trimmers charging for a day of work they didn't do and caught people dumping trash on private property. Sometimes, he says, a tenant will claim her car was hit in the building's parking lot and ask for free rent. His company can search for her plate and see that one day, she left the lot with her bumper intact and then came back later with a dent in it. Probably once a week, Burnett says, Watchtower uses it to prove that a tenant has "a buddy crashing on their couch," violating their lease. "Normally, there's some limit to how long they can stay, like five days," he says, "and we can prove they're going over that." One search, and they have proof that that buddy has been coming over every night for a month. I was wondering how tenants felt about this, and I asked Burnett whether anyone had ever complained about the license plate readers. "No," he said with a laugh. "I'd say they probably don't know about it...." [A]s the technology has matured, it's gotten in the hands of organizations that, five years ago, would never have been able to consider it. Small-town police departments can suddenly afford to conduct surveillance at a massive scale. Neighborhood homeowners associations and property managers are buying up cameras by the dozen. 
And in many jurisdictions, cheap automatic license plate reader (ALPR) cameras are creeping into neighborhoods -- with almost nothing restricting how they're used besides the surveiller's own discretion.... If you know that a bald guy in a gray Toyota illegally dumped trash on your lawn, the police won't try to track him down. But if they have the plate, enforcing lower-level crime becomes much easier. Several of the property managers and homeowners associations I spoke to emphasized that this is one of the main benefits of their ALPR systems. Along with burglaries, they're mostly concerned about people breaking into cars to steal personal belongings; police wouldn't investigate that before, but now homeowners associations can do the investigation for them and hand over the evidence. As Burnett put it, "[Police] are not going to be able to investigate [a small crime] unless we hand it to them on a silver platter. Which we've done plenty of times." The article points out that today's software can detect dents on cars and watch for specific bumper stickers (or Lyft tags) -- and often the software can be retrofitted to existing traffic cameras. A contractor working with police in one Pennsylvania county says they've now "virtually gated" an entire 20,000-person town south of Pittsburgh. "Any way you can come in and out, you're on camera." A senior investigative researcher at the EFF points out that "Now a cop can look up your license plate and see where you've been for the past two years."

Intel Patches Two New Security Flaws

Sat, 07/13/2019 - 12:34
This week Intel announced two new patches, according to Tom's Hardware: The flaw in the processor diagnostic tool (CVE-2019-11133) is rated 8.2 out of 10 on the CVSS 3.0 scale, making it a high-severity vulnerability. The flaw [found by security researcher Jesse Michael from Eclypsium] "may allow an authenticated user to potentially enable escalation of privilege, information disclosure or denial of service via local access," according to Intel's latest security advisory. Versions of the tool older than 4.1.2.24 are affected. The second vulnerability, found by Intel's internal team, is a medium-severity vulnerability in Intel's SSD DC S4500/S4600 series sold to data center customers. The flaw, found in SSD firmware versions older than SCV10150, obtained a 5.3 score on the CVSS 3.0 scale, so it was labeled medium-severity. The bug may allow an unprivileged user to enable privilege escalation via physical access. As one of the flaws was uncovered by Intel itself and, for the other, Eclypsium coordinated its disclosure with Intel, Intel was able to have the patches ready in time for the public announcement.

The 'Vast Majority' of America's Voting Machines Use Windows 7 or Older Systems

Sat, 07/13/2019 - 11:34
Many of America's voting machines depend on an outdated Microsoft operating system, reports the Associated Press. "The vast majority of 10,000 election jurisdictions nationwide use Windows 7 or an older operating system to create ballots, program voting machines, tally votes and report counts." That's significant because Windows 7 reaches its "end of life" on Jan. 14, meaning Microsoft stops providing technical support and producing "patches" to fix software vulnerabilities, which hackers can exploit. In a statement to the AP, Microsoft said Friday it would offer continued Windows 7 security updates for a fee through 2023. Critics say the situation is an example of what happens when private companies ultimately determine the security level of election systems with a lack of federal requirements or oversight.... It's unclear whether the often hefty expense of security updates would be paid by vendors operating on razor-thin profit margins or cash-strapped jurisdictions. It's also uncertain if a version running on Windows 10, which has more security features, can be certified and rolled out in time for primaries. The Associated Press contacted the Coalition for Good Governance, an election integrity advocacy organization, and received this comment from the group's executive director: "Is this a bad joke?"

US Mayors Resolve Not To Pay Hackers Over Ransomware Attacks

Fri, 07/12/2019 - 17:30
More than 225 U.S. mayors have signed on to a resolution not to pay ransoms to hackers. It's a collective stand against the ransomware attacks that have crippled city government computer systems in recent years. CNET reports: The resolution was adopted at the U.S. Conference of Mayors annual meeting, which took place in late June and early July in Honolulu. "The United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach," the resolution reads. This could give city leaders across the US some leverage against hackers. The 227 mayors who attended the meeting agreed to adopt the resolution, but the US Conference of Mayors represents more than 1,400 cities with populations over 30,000.

Monroe College Hit With Ransomware, $2 Million Demanded

Fri, 07/12/2019 - 14:50
A ransomware attack on New York City's Monroe College has shut down the college's computer systems at campuses located in Manhattan, New Rochelle and St. Lucia. The attackers are seeking 170 bitcoins, or approximately $2 million, to decrypt the college's entire network. Bleeping Computer reports: According to the Daily News, Monroe College was hacked on Wednesday at 6:45 AM and ransomware was installed throughout the college's network. It is not known at this time what ransomware was installed on the system, but it is likely to be Ryuk, IEncrypt, or Sodinokibi, which are known to target enterprise networks. The college has not indicated at this time whether they will be paying the ransom or restoring from backups while gradually bringing their network back online. "The good news is that the college was founded in 1933, so we know how to teach and educate without these tools," Monroe College spokesperson Jackie Ruegger told the Daily News. "Right now we are finding workarounds for our students taking online classes so they have their assignments."

Revealed: This Is Palantir's Top-Secret User Manual For Cops

Fri, 07/12/2019 - 12:50
New submitter popcornfan679 shares a report: Through a public record request, Motherboard has obtained a user manual that gives unprecedented insight into Palantir Gotham (Palantir's other service, Palantir Foundry, is an enterprise data platform), which is used by law enforcement agencies like the Northern California Regional Intelligence Center. (Palantir is one of the most significant and secretive companies in big data analysis.) The NCRIC serves around 300 communities in northern California and is what is known as a "fusion center," a Department of Homeland Security intelligence center that aggregates and investigates information from state, local, and federal agencies, as well as some private entities, into large databases that can be searched using software like Palantir. Fusion centers have become a target of civil liberties groups in part because they collect and aggregate data from so many different public and private entities. The guide doesn't just show how Gotham works. It also shows how police are instructed to use the software. This guide seems to be specifically made by Palantir for California law enforcement because it includes examples specific to California. We don't know exactly what information is excluded, or what changes have been made since the document was first created. The first eight pages that we received in response to our request are undated, but the remaining twenty-one pages were copyrighted in 2016. (Palantir did not respond to multiple requests for comment.) The Palantir user guide shows that police can start with almost no information about a person of interest and instantly know extremely intimate details about their lives.

Bitpoint Cryptocurrency Exchange Hacked For $32 Million

Fri, 07/12/2019 - 08:15
Japan-based cryptocurrency exchange Bitpoint announced it lost 3.5 billion yen (roughly $32 million) worth of cryptocurrency assets after a hack that happened late yesterday, July 11. From a report: The exchange suspended all deposits and withdrawals this morning to investigate the hack, it said in a press release. In a more detailed document released by RemixPoint, the legal entity behind Bitpoint, the company said that hackers stole funds from both its "hot" and "cold" wallets. This suggests the exchange's network was thoroughly compromised. Hot wallets are used to store funds for current transactions, while cold wallets are offline devices storing emergency and long-term funds. Bitpoint reported the attackers stole funds in five cryptocurrencies: Bitcoin, Bitcoin Cash, Litecoin, Ripple, and Ethereum. The exchange said it detected the hack because of errors related to the remittance of Ripple funds to customers. Twenty-seven minutes after detecting the errors, Bitpoint admins realized they had been hacked, and three hours later, they discovered thefts from other cryptocurrency assets.

Microsoft is Making Windows 10 Passwordless

Fri, 07/12/2019 - 06:44
Microsoft is planning to make Windows 10 PCs work without passwords. From a report: While the company has been working on removing passwords from Windows 10 and its Microsoft Accounts for a number of months now, the next major update to Windows 10 next year will go one step further. You'll soon be able to enable a passwordless sign-in for Microsoft accounts on a Windows 10 device. This means PCs will use Windows Hello face authentication, fingerprints, or a PIN code. The password option will simply disappear from the login screen if you decide to opt in to this new "make your device passwordless" feature. [...] This will also extend to business users through Azure Active Directory, allowing businesses to go fully passwordless with security keys, the authenticator app, or Windows Hello.

Parks and Recreation Centers Are Using Sonic Devices That Play High-Pitched Noises To Repel Teens

Thu, 07/11/2019 - 18:10
NPR reports on the various parks and recreation centers in North America that are using sonic devices to repel teens from the premises. Philadelphia, for example, has 30 parks and recreation centers that are outfitted with a small speaker called the Mosquito. "It blares a constant, high-pitched ringing noise all night long -- but one that only teenagers and young adults can hear," reports NPR. "Anyone over age 25 is supposed to be immune because, basically, their ear cells have started to die off." From the report: Philadelphia parks officials have been installing the device since 2014, reported WHYY's Billy Penn, intending to shoo rowdy youths from the premises. And it's not the only U.S. city to do so. Mosquito's Vancouver-based manufacturer Moving Sound Technologies works with roughly 20 parks departments around the country to implement the youth-repellent devices, says president Michael Gibson. It's intended to prevent loitering and vandalism by teens and young adults at public facilities. But some say this age-based targeting is a form of prejudice. Philadelphia City Council member Helen Gym refers to the devices as "sonic weapons" -- and she's working to get them removed. [I]n Philadelphia, Parks & Recreation defends its use of the Mosquito, saying the devices are operational from 10 p.m. to 6 a.m. only, and they're just one part of an overall anti-vandalism strategy that includes fences and gates, security cameras and night watch staff. For now, the city is moving forward with installation. Despite the backlash, two new Mosquito devices are being installed at other city playgrounds as part of major renovation projects.

Microsoft Stirs Suspicions By Adding Telemetry Files To Security-Only Update

Thu, 07/11/2019 - 16:50
An anonymous reader quotes a report from ZDNet: As expected, Windows Update dropped off several packages of security and reliability fixes for Windows 7 earlier this week, part of the normal Patch Tuesday delivery cycle for every version of Windows. But some hawk-eyed observers noted a surprise in one of those Windows 7 packages. What was surprising about this month's Security-only update, formally titled the "July 9, 2019 -- KB4507456 (Security-only update)," is that it bundled the Compatibility Appraiser, KB2952664, which is designed to identify issues that could prevent a Windows 7 PC from updating to Windows 10. Among the fierce corps of Windows Update skeptics, the Compatibility Appraiser tool is to be shunned aggressively. The concern is that these components are being used to prepare for another round of forced updates or to spy on individual PCs. The word telemetry appears in at least one file, and for some observers it's a short step from seemingly innocuous data collection to outright spyware. [...] I strongly suspect that some part of the Appraiser component on Windows 7 SP1 had a security issue of its own. If that's the case, then the updates indisputably belong in a Security-only update. And if they happen to get installed on systems where administrators had taken special precautions not to install those components, Microsoft's reaction seems to be, "Well ... tough." "The Appraiser tool was offered via Windows Update, both separately and as part of a monthly rollup update two years ago; as a result, most of the declining population of Windows 7 PCs already has it installed," the report notes.

Malicious Apps Infect 25 Million Android Devices With 'Agent Smith' Malware

Thu, 07/11/2019 - 14:50
An anonymous reader quotes a report from Phys.Org: Malicious apps from a campaign called "Agent Smith" have been downloaded to 25 million Android devices, according to new research by cyber-security firm Check Point. The apps, most of them games, were distributed through third-party app stores by a Chinese group with a legitimate business helping Chinese developers promote their apps on outside platforms. Check Point is not identifying the company, because they are working with local law enforcement. About 300,000 devices were infected in the U.S. The malware was able to copy popular apps on the phone, including WhatsApp and the web browser Opera, inject its own malicious code and replace the original app with the weaponized version, using a vulnerability in the way Google apps are updated. The hijacked apps would still work just fine, which hid the malware from users. Armed with all the permissions users had granted to the real apps, "Agent Smith" was able to hijack other apps on the phone to display unwanted ads to users. That might not seem like a significant problem, but the same security flaws could be used to hijack banking, shopping and other sensitive apps, according to Aviran Hazum, head of Check Point's analysis and response team for mobile devices. There was also a "dormant" version of "Agent Smith" in 11 apps on the Play Store, which could have been triggered into action by a banner ad containing the keyword "infect." The apps have since been removed from the Play Store, but had over 10 million downloads.

German Banks Are Moving Away From SMS One-Time Passcodes

Thu, 07/11/2019 - 14:10
Multiple German banks have announced plans to drop support for SMS-based one-time passcodes (OTP) as a login authentication and transaction verification method. From a report: Postbank plans to drop support in August, while Raiffeisen Bank and Volksbank plan to do so in the fall, Handelsblatt reports. Deutsche Bank and Commerzbank also plan to drop support for SMS OTP but have not announced a deadline, while Consorsbank plans to discontinue it by the end of the year. Other banks like DKB and N26 have never deployed the technology, while ING has not made any public statements on its plans. German banks are dropping support for SMS OTP because of legislation that the EU passed in 2015, set to take effect on September 14 this year. In 2015, the EU revised the Payment Services Directive (PSD), a set of rules that govern online payments in the EU, and issued an updated version called the PSD2. This legislation also included a clause for strong customer authentication (SCA) mechanisms.

Investigating Some Subscription Scam iOS Apps

Thu, 07/11/2019 - 13:30
Security engineer Ivan writes: For some reason Apple allows "subscription scam" apps on the App Store. These are apps that are free to download and then ask you to subscribe right on launch. It's called the freemium business model, except these apps ask you to subscribe for "X" feature(s) immediately when you launch them, and keep doing so, annoyingly, over and over until you finally subscribe. By subscribing you get a number of "free days" (trial) and then they charge you weekly/monthly/yearly for very basic features like scanning QR Codes. I've been trying to monitor apps that have these characteristics: 1. They have In-App purchases for their subscriptions. 2. They have bad reviews, especially with words like "scam" or "fraud". 3. Their "good" reviews are generic, potentially bot-generated. This weekend I focused on 5 apps from 2 different developers and to my surprise they are very similar: not only their UI/UX but also their code is shared and their patterns are absolutely the same. Aside from being classic subscription scam apps, I wanted to examine how they work internally, how they communicate with their servers and what type of information they are sending.