Slashdot security articles

News for nerds, stuff that matters

Apple Is Telling Lawmakers People Will Hurt Themselves if They Try To Fix iPhones

Thu, 05/02/2019 - 12:02
In recent weeks, an Apple representative and a lobbyist for CompTIA, a trade organization that represents big tech companies, have been privately meeting with legislators in California to encourage them to kill legislation that would make it easier for consumers to repair their electronics, Motherboard has learned. From a report: According to two sources in the California State Assembly, the lobbyists have met with members of the Privacy and Consumer Protection Committee, which is set to hold a hearing on the bill Tuesday afternoon. The lobbyists brought an iPhone to the meetings and showed lawmakers and their legislative aides the internal components of the phone. The lobbyists said that consumers trying to fix their own iPhone could hurt themselves by puncturing the lithium-ion battery if the phone is improperly disassembled, according to the sources, whom Motherboard is not naming because they were not authorized to speak to the media. The argument is similar to one made publicly by Apple executive Lisa Jackson in 2017 at TechCrunch Disrupt, when she said the iPhone is "too complex" for normal people to repair. The bill has been pulled by its sponsor, Susan Talamantes-Eggman: "It became clear that the bill would not have the support it needed today, and manufacturers had sown enough doubt with vague and unbacked claims of privacy and security concerns," she said.

Mozilla Says It Will Ban Firefox Add-ons With Obfuscated Code

Thu, 05/02/2019 - 09:01
DarkRookie2 writes: As Mozilla continues to try to make it safer than ever to use Firefox, the organization has updated its Add-on Policy so that any updates that include obfuscated code are explicitly banned. Mozilla has also set out in plain terms its blocking process for add-ons and extensions. While there is nothing surprising here, the clarification should mean that there are fewer causes for disputes when an add-on is blocklisted. The updated Add-on policy comes into force on June 10, so add-on developers have a little more than a month to take note of the changes and comply. Mozilla says that the move is designed to help it better deal with malicious extensions. Mozilla also plans to be more aggressive towards taking down extensions that break its policies, with a heavy focus on security issues. ZDNet adds: [...] Starting with June 10, Mozilla's team will also be more aggressive in blocking and disabling Firefox add-ons in users' browsers that are found to be violating one of the company's policies. "We will continue to block extensions for intentionally violating our policies, critical security vulnerabilities, and will also act on extensions compromising user privacy or circumventing user consent or control," Nieman said.

Netflix Says Python Programming Language is Behind Every Film You Stream

Thu, 05/02/2019 - 00:00
The next time you're streaming on Netflix, you can thank popular programming language Python and the developers who use it for much of the experience. From a report: According to Python developers at Netflix, the language is used through the "full content lifecycle", from security tools, to its recommendation algorithms, and its proprietary content distribution network (CDN) Open Connect, which ensures that content is streamed from network devices that are as close as possible to end users. Ahead of the Python Software Foundation's PyCon conference next week in Cleveland, the streaming giant has been detailing how it uses the open-source language.

Vodafone Denies Bloomberg Report on Security Flaws in Huawei Equipment

Tue, 04/30/2019 - 08:00
Vodafone denied a Bloomberg report on Tuesday that stated it had found "backdoors" hidden in Huawei equipment supplied to its Italian business dating back years, per BBC. From a report: What they're saying: Vodafone said the "backdoors" in the report were actually a common industry protocol: "The 'backdoor' that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet. Bloomberg is incorrect in saying that this 'could have given Huawei unauthorised access to the carrier's fixed-line network in Italy.' In addition, we have no evidence of any unauthorised access. This was nothing more than a failure to remove a diagnostic function after development."

Hackers Steal and Ransom Financial Data Related To Some of the World's Largest Companies

Tue, 04/30/2019 - 04:25
Hackers have broken into an internet infrastructure firm that provides services to dozens of the world's largest and most valuable companies, including Oracle, Volkswagen, Airbus, and many more, as part of an extortion attempt, Motherboard reported Tuesday. From the report: The attackers have also threatened to release data from all of those companies, according to a website seemingly set up by the hackers to distribute the stolen material. Citycomp, the impacted Germany-based firm, provides servers, storage, and other computer equipment to large companies, according to the company's website. Michael Bartsch, executive director of Deutor Cyber Security Solutions, a firm Citycomp said was authorized to speak about the case, confirmed the breach to Motherboard in an email Tuesday. "Citycomp has been hacked and blackmailed and the attack is ongoing," Bartsch wrote. "We have to be careful as the whole case is under police investigation and the attacker is trying all tricks."

Vodafone Says It Found Hidden Backdoors in Huawei Equipment

Tue, 04/30/2019 - 00:40
For months, Huawei has faced U.S. allegations that it flouted sanctions on Iran, attempted to steal trade secrets from a business partner and has threatened to enable Chinese spying through the telecom networks it's built across the West. Now Vodafone Group has acknowledged to Bloomberg that it found vulnerabilities going back years with equipment supplied by Shenzhen-based Huawei for the carrier's Italian business. From the report: While Vodafone says the issues were resolved, the revelation may further damage the reputation of a major symbol of China's global technology prowess. Europe's biggest phone company identified hidden backdoors in the software that could have given Huawei unauthorized access to the carrier's fixed-line network in Italy, a system that provides internet service to millions of homes and businesses, according to Vodafone's security briefing documents from 2009 and 2011 seen by Bloomberg, as well as people involved in the situation.

How an Obsolete Medical Device With a Security Flaw Became a Must-Have For Some Patients With Type 1 Diabetes

Mon, 04/29/2019 - 13:00
From a report on The Atlantic: In 2014, a few hackers realized that the security flaw in certain Medtronic pumps could be exploited for a DIY revolution. Type 1 diabetes is a disease where the pancreas is unable to produce insulin to control blood sugar. For years, Boss (the subject of the story's anecdote, who purchased used insulin pumps from a dealer on Craigslist) had counted, down to the gram, the carbohydrates in every meal and told his pump how much insulin to dispense. [...] By 2014, the hardware components of a DIY artificial pancreas -- a small insulin pump that attaches via thin disposable tubing to the body and a continuous sensor for glucose, or sugar, that slips just under the skin -- were available, but it was impossible to connect the two. That's where the security flaw came in. The hackers realized they could use it to override old Medtronic pumps with their own algorithm that automatically calculates insulin doses based on real-time glucose data. It closed the feedback loop. They shared this code online as OpenAPS, and "looping," as it's called, began to catch on. Instead of micromanaging their blood sugar, people with diabetes could offload that work to an algorithm. In addition to OpenAPS, another system called Loop is now available. Dozens, then hundreds, and now thousands of people are experimenting with DIY artificial-pancreas systems -- none of which the Food and Drug Administration has officially approved. And they've had to track down discontinued Medtronic pumps. It can sometimes take months to find one. Obviously, you can't just call up Medtronic to order a discontinued pump with a security flaw. "It's eBay, Craigslist, Facebook. It's like this underground market for these pumps," says Aaron Kowalski, a DIY looper and also CEO of JDRF, a nonprofit that funds type 1 diabetes research. This is not exactly how a market for lifesaving medical devices is supposed to work. And yet, this is the only way it can work -- for now.

Cloud Database Removed After Exposing Details on 80 Million US Households

Mon, 04/29/2019 - 12:00
The addresses and demographic details of more than 80 million US households were exposed on an unsecured database stored on the cloud, independent security researchers have found. From a report: The details listed included names, ages and genders as well as income levels and marital status. The researchers, led by Noam Rotem and Ran Locar, were unable to identify the owner of the database, which until Monday was online and required no password to access. Some of the information was coded, like gender, marital status and income level. Names, ages and addresses were not coded. The data didn't include payment information or Social Security numbers. The 80 million households affected make up well over half of the households in the US, according to Statista. "I wouldn't like my data to be exposed like this," Rotem said in an interview with CNET. "It should not be there." Rotem and his team verified the accuracy of some data in the cache but didn't download the data in order to minimize the invasion of privacy of those listed, he said.

Do Complex Systems Require Higher Safety Standards From Managers and Engineers?

Sun, 04/28/2019 - 15:38
An anonymous reader quotes TechCrunch: Automotive emissions, nuclear power plants, airplanes, application platforms, and electrical grids all share one thing in common: they are very complex, highly coupled systems... Engineers have matched some of this growing complexity with more sophisticated tools, mostly derived from greater computing power and better modeling. But there are limits to how far the technical tools can help here given our limits of organizational behavior about complexity in these systems. Even if engineers are (potentially) acquiring more sophisticated tools, management itself most definitely is not.... One pattern that binds all of these engineering disasters together is that they all had whistleblowers who were aware of the looming danger before it happened. Someone, somewhere knew what was about to transpire, and couldn't hit the red button to stop the line... Engineering managers probably have the most challenging role, since they both need to sell upwards and downwards within an organization in order to maintain safety standards. The pattern that I have gleaned from reading many reports on disasters over the years indicates that most safety breakdowns start right here. The eng manager starts to prioritize business concerns from their leadership over the safety of their own product. Resistance of these pecuniary impulses is not enough -- safety has to be the watchword for everyone... Finally, for individual contributors and employees, the key is to always be observant, to be thinking about safety and security while conducting engineering work, and to bring up any concerns early and often. Safety requires tenacity. And if the organization you are working for is sufficiently corrupt, then frankly, it might be incumbent on you to pull that proverbial red button and whistleblow to stop the madness.... [T]he demise of the ethical engineer doesn't have to be a fait accompli.

Teenager Claims Apple's In-Store Facial Recognition System Mistakenly Led To His Arrest

Sun, 04/28/2019 - 14:39
An 18-year-old from New York is suing Apple for $1 billion -- saying an erroneous facial recognition system in their stores wrongfully led to his arrest. An anonymous reader quotes the Washington Post: Ousmane Bah, who was arrested at his home in November, claims the warrant included a photo of someone else. The lawsuit also said a detective with the New York Police Department concluded the thief caught on the shop's surveillance camera "looked nothing like" Bah. The lawsuit, citing the detective, says Apple uses facial recognition technology to identify shoplifters. Apple did not immediately respond to a request for comment. Bah said he had an interim learner's permit, which does not have a photo, that had either been lost or stolen. His lawyer said the permit may have been presented as identification at Apple stores, erroneously matching Bah's name with the thief's face in the company's security system. That means every time the perpetrator walked into an Apple store, his face would register as Bah on Apple's surveillance. Bah had been charged in multiple jurisdictions including New York, Massachusetts, Delaware and New Jersey, according to the lawsuit. Charges in three cases against Bah have been dropped, but the New Jersey case is pending.

Does Open Source Have a 'Working For Free' Problem?

Sun, 04/28/2019 - 03:04
"Let's abandon the notion that open source is exclusively charity," writes Havoc Pennington, a free software engineer (and former Red Hat engineer) who's now a co-founder of Tidelift: Look around. We do have a problem, and it's time we do something about it.... The lack of compensation isn't just bad for individual developers -- it also creates social problems, by amplifying existing privilege.... The narrative around open source is that it's completely OK -- even an expectation -- that we're all doing this for fun and exposure; and that giant companies should get huge publicity credit for throwing peanuts-to-them donations at a small subset of open source projects. There's nothing wrong with doing stuff for fun and exposure, or making donations, as an option. It becomes a problem when the free work is expected and the donations are seen as enough... What would open source be like if we had a professional class of independent maintainers, constantly improving the code we all rely on? The essay suggests some things to consider, including asking people to pay for: support requests; security audits/hardening and extremely good test coverage; supporting old releases; and license-metadata-annotation practices that are helpful for big companies trying to audit the code they use, but sort of a pain in the ass and nobody cares other than these big companies. "Right now many users expect, and demand, that all of this will be free. As an industry, perhaps we should push back harder on that expectation. It's OK to set some boundaries..." "Of course this relates to what we do at Tidelift -- the company came out of discussions about this problem, among others... In our day-to-day right now we're specifically striving to give subscribers a way to pay maintainers of their application dependencies for additional value, through the Tidelift Subscription. But we hope to see many more efforts and discussions in this area.... [I]n between a virtual tip jar and $100 million in funding, there's a vast solution space to explore."

Should Airlines Weigh Passengers To Help Cut Carbon Emissions?

Sat, 04/27/2019 - 17:34
"The equation is simple: The heavier the plane, the more environmentally unfriendly the trip is," notes one report -- yet airplanes are still relying on estimates for their total weight. "A British tech start-up thinks it has a solution: weighing customers to more accurately calculate fuel costs..." "The capture of passenger weights is not complicated," says Roy Fuscone, Chairman & CEO of Fuel Matrix Limited. "A simple weighing device added to the current equipment will capture the weight and the software will register and transmit it in relation to a flight but not necessarily identified to a particular passenger...." The company's website states that benefits from this system include statistically robust information feedback based on airlines' data, significant reduction of CO2 emissions, significant fuel savings, and reduced mechanical stress on aircraft. If you're worried about this data being made public, Fuscone says that the company plans to enable the passenger to retain direct control of their own data so that they can delete it once it has been "employed in the interests of fuel efficiency." It seems like it'd be easier to just weigh the plane after everyone's onboard -- or find some way to calculate weights using the boarding ramp. But the current plans aren't that simple, CNN reports: One proposal is for passengers to supply the information ahead of arriving at the airport, in the same way that they supply passport details. Otherwise, it could be made part of the security process before boarding. "You stand in a scanner that goes round you -- now, clearly while you're standing there being scanned, you could also be being weighed -- very discreetly -- if you haven't wanted to supply your information ahead of time," says Fuel Matrix CEO Roy Fuscone. "It would be very discreet, very private and very confidential." Fuscone stresses that Fuel Matrix has been working with GDPR consultants to ensure the data would remain classified. 
He points out that airports already collect a lot of information on passengers. This would be just one more element to the equation. "Airports already use biometric data on passengers because they associate an image of your face with your boarding card, so that means that when you buy a ticket it's already in the contract that they can do that," says Fuscone. "So there's no problem with us introducing this, it can be done at various places during the journey through the airport and so we're starting to discuss with people involved in those various phases of the airport. If this is all done properly [...] it will alleviate carbon in the atmosphere and climate change and air pollution."

Google Bans Developer With Half a Billion App Downloads From Play Store

Fri, 04/26/2019 - 14:40
Google is banning app developer DO Global and removing their apps from the Google Play Store after it discovered the company was committing ad fraud. "As of today, 46 apps from DO Global, which is partly owned by internet giant Baidu, are gone from the Play store," reports BuzzFeed. "BuzzFeed News also found that DO Global apps no longer offer ad inventory for purchase via Google's AdMob network, suggesting the ban has also been extended to the internet giant's ad products." From the report: Prior to the app removals, DO Global had roughly 100 apps in the Play store with over 600 million installs. Their removal from the Play store marks one of the biggest bans, if not the biggest, Google has ever instituted against an app developer. DO Global was a subsidiary of Baidu until it was spun out last summer; Baidu retains a 34% stake. BuzzFeed News reported last week that at least six apps from DO included code that made them fraudulently click on ads even when a user was not using the app. The apps were also listed in the Play store under the generic developer names "Pic Tools Group" and "Photo Artist Studio," hosted their privacy policies on Tumblr, and did not disclose they were owned by DO. It's a violation of Play store policy to conceal ownership information, and to commit ad fraud. The ad fraud was detected by Check Point security, which responded to a request from BuzzFeed News to examine apps uncovered during its investigation. Google removed those six apps, and claimed its internal systems had also flagged most of them for removal. Another 40 DO apps disappeared from the Play store this week, including 20 using the Do Global Games developer name, and 14 listed under Applecheer Studio. The apps listed different addresses and contact information in the store, making it difficult for the average user to see they were all owned by the same major developer.

Google Gives Free Security Keys to Activists, But Not if You're in Iran or Syria

Fri, 04/26/2019 - 06:05
An anonymous reader shares a report: Go to an activist, technologist, or journalist gathering, and you may find a free pile of Google's security keys, dubbed Titan. These are small devices a Gmail user can plug into their computer via USB to make their account much harder to hack. The keys don't just work with Google accounts; Twitter and other large sites now support hardware security tokens too. But if you're an activist inside Iran, Sudan, Syria, Cuba, the region of Crimea, or North Korea, Google probably won't give you a Titan key. Google bars nonprofits and other groups from providing these tools, or promoting the availability of any Google product to activists in those countries, according to two independent sources familiar with Google's approach and a legal document viewed by Motherboard.

Ask Slashdot: Would a Separate, Walled-Off 'SafeNet' Help Reduce Cybercrime?

Thu, 04/25/2019 - 15:20
dryriver writes: Imagine for a second that a second, smaller internet infrastructure is built parallel to, but separate from, the regular internet. Let's call this the SafeNet. The SafeNet, which does not allow anonymous use, is not intended for general purpose use like watching YouTube videos, downloading a Steam game, or going on Facebook. Rather, it is a safer, more policed mini-internet that you access through a purpose-built terminal device and use for security critical tasks like online banking, stock trading, medical data transfer and sending confidential business emails, text messages or documents or other things that you don't trust the general internet with. For example, if you are buying a $250,000 home for your family, you would issue the payments and documents side of this via the SafeNet with a SafeNet terminal device, not over the internet, with a generic computing device. SafeNet requires every user to be government photo-ID registered -- you cannot use SafeNet anonymously like the internet. The network knows who you are, where you are, and you can't hide behind VPNs, proxies or other anonymizers on this network. SafeNet also has a police force that can be alerted if you are hacked, tricked or scammed in any way. Would an internet alternative -- a smaller, separate parallel network -- like this reduce Cybercrime? Again, you wouldn't use the SafeNet for everyday crap like ordering pizza, buying movie tickets, or arguing over something on an internet forum. SafeNet would be used in situations where you are concerned that hackers, cybercriminals or other malevolent agents could get hold of your personal data, steal money from you, impersonate you, or snoop into your confidential communications. Other uses would include letting minors communicate with each other in a controlled fashion without exposing them to the big bad internet itself. 
Basically, in many situations where you deem performing a task over the larger internet as risky or dangerous, you could perform that task over a SafeNet terminal instead. Shouldn't an "alternative internet" like this exist in some form by now?

Microsoft Drops 60-Day Password Expiration Policy

Thu, 04/25/2019 - 14:03
Microsoft is dropping its 60-day password expiration policy starting with the Windows 10 May 2019 Update. "Once removed, the preset password expiration settings should be replaced by organizations with more modern and better password-security practices such as multi-factor authentication, detection of password-guessing attacks, detection of anomalous logon attempts, and the enforcement of banned passwords lists (such as Azure AD's password protection currently available in public preview)," reports Bleeping Computer. From the report: Microsoft's Aaron Margosis states that the password expiration mechanism which requires periodic password changes is in itself a flawed defense method given that, once a password is stolen, mitigation measures should be taken immediately instead of waiting for it to expire as per the set expiration policy. In addition, the soon to be removed policies are "a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity." The removal of the password-expiration policies without the addition of other password-oriented security configurations does not directly translate into a decrease in security but, instead, it simply stands as proof that security-conscious organizations need to implement extra measures to enforce their users' security. As Microsoft further detailed, "to try to avoid inevitable misunderstandings, we are talking here only about removing password-expiration policies -- we are not proposing changing requirements for minimum password length, history, or complexity."
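Two of the controls the report names as replacements for expiry, banned-password lists and detection of password-guessing, are mechanical enough to sketch. The block below is an added example, not Microsoft's or Azure AD's code: a banned-term check that undoes the usual character substitutions before matching, so "P@ssw0rd2019!" is caught as "password", and a password-spray detector run over a constructed batch of failed-logon records. The banned list, the substitution table, the 12-character minimum, the 5-accounts-in-5-minutes threshold and the sample records are all assumptions chosen for illustration.

```python
"""Banned-password check and password-spray detection.

Added example, not a vendor implementation. The banned terms, the
substitution table, the thresholds and the sample failed-logon records
below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed organisation-specific banned terms (company name, product names,
# seasons, classic base words). A real list would be far longer.
BANNED_TERMS = ["password", "contoso", "summer", "welcome", "qwerty"]

# Assumed substitution table: undo the swaps users make to satisfy
# complexity rules so that "P@ssw0rd" normalises to "password".
LEET_MAP = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
    "3": "e", "4": "a", "5": "s", "7": "t",
})

MIN_LENGTH = 12  # assumed site policy; the article says length rules stay


def normalize(password):
    """Lower-case, drop the trailing digits/punctuation people append
    ("Summer2019!"), then undo character substitutions."""
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)
    return core.translate(LEET_MAP)


def banned_term_hits(password):
    """Return the banned terms that appear in the normalised password."""
    core = normalize(password)
    return [term for term in BANNED_TERMS if term in core]


def evaluate(password):
    """Apply the length rule and the banned-term rule; list every problem."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    for term in banned_term_hits(password):
        problems.append(f"contains banned term '{term}'")
    return {"accepted": not problems, "problems": problems}


# Constructed failed-logon records (timestamp, account, source IP), in the
# spirit of Windows event 4625. One source tries five accounts in ten
# seconds (a spray); another retries a single account (not a spray).
SAMPLE_FAILURES = [
    ("2019-04-25T14:00:01", "alice", "203.0.113.7"),
    ("2019-04-25T14:00:03", "bob", "203.0.113.7"),
    ("2019-04-25T14:00:05", "carol", "203.0.113.7"),
    ("2019-04-25T14:00:07", "dave", "203.0.113.7"),
    ("2019-04-25T14:00:09", "erin", "203.0.113.7"),
    ("2019-04-25T14:10:00", "alice", "198.51.100.4"),
    ("2019-04-25T14:10:30", "alice", "198.51.100.4"),
]


def spray_sources(failures, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs whose failures span >= min_accounts distinct accounts
    inside any window of the given length. Returns {ip: distinct accounts}."""
    by_ip = defaultdict(list)
    for ts, user, ip in failures:
        by_ip[ip].append((datetime.fromisoformat(ts), user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct accounts attempted from this IP within [start, start+window]
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = len(users)
                break
    return flagged


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2019!", "Summer2019", "correct horse battery staple"]:
        print(candidate, evaluate(candidate))
    print("spray sources:", spray_sources(SAMPLE_FAILURES))
```

The spray detector keys on distinct accounts per source rather than failures per account, which is what distinguishes a spray (one or two guesses against many users, staying under per-account lockout) from a conventional brute force; the single-account retries from 198.51.100.4 are deliberately not flagged here and would be handled by lockout or per-account rate checks instead.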

UK Minister: Huawei Leaks 'Unacceptable', Criminal Investigation Possible

Thu, 04/25/2019 - 11:25
The UK Culture Secretary Jeremy Wright said on Thursday he could not rule out a criminal investigation over the "unacceptable" disclosure of confidential discussions on the role of China's Huawei in 5G network supply chains. From a report: Huawei, the world's biggest producer of telecoms equipment, is under intense scrutiny after the United States told allies not to use its technology because of fears it could be a vehicle for Chinese spying. Huawei has categorically denied this. Sources told Reuters on Wednesday Britain's National Security Council (NSC) had decided to bar Huawei from all core parts of the country's 5G network and restrict its access to non-core parts. The leak of information from a meeting of the NSC, first reported in national newspapers, has sparked anger in parliament because the committee's discussions are supposed to be secret. "We cannot exclude the possibility of a criminal investigation here," Wright said, speaking in response to an urgent question on Huawei in parliament. "I do not think that the motivation for this leak matters in the slightest. This was unacceptable and it is corrosive to the ability to deliver good government."

GoDaddy Removes a Massive Network of Bogus Sales Sites

Thu, 04/25/2019 - 10:45
GoDaddy removed a cluster of more than 15,000 fraudulent websites discovered by a researcher at Palo Alto Networks' Unit 42 analysis team. From a report: The scam, which sold products like weight loss pills, used breached websites to add legitimacy to its sales and involved using fake celebrity endorsements. Jeff White, the researcher at Unit 42, started researching the network of sites more than two years ago when he noticed spam messages that looked visually similar and used similar language. The products were sold on commission as part of an affiliate marketing program and used low initial pricing and tiny print to get people signed up for costly subscriptions. The sales took place on compromised sites hosted at GoDaddy, where the attackers had created their own subdomains under legitimate domains, so the sales pages inherited the reputation of the hacked site's domain.

NSA Recommends Dropping Phone-Surveillance Program

Thu, 04/25/2019 - 05:00
An anonymous reader quotes a report from The Wall Street Journal: The National Security Agency has recommended that the White House abandon a surveillance program that collects information about U.S. phone calls and text messages (Warning: source paywalled; alternative source), saying the logistical and legal burdens of keeping it outweigh its intelligence benefits, according to people familiar with the matter. The recommendation against seeking the renewal of the once-secret spying program amounts to an about-face by the agency, which had long argued in public and to congressional overseers that the program was vital to the task of finding and disrupting terrorism plots against the U.S. The latest view is rooted in a growing belief among senior intelligence officials that the spying program provides limited value to national security and has become a logistical headache. Frustrations about legal-compliance issues forced the NSA to halt use of the program earlier this year, the people said. Its legal authority will expire in December unless Congress reauthorizes it. It is up to the White House, not the NSA, to decide whether to push for legislation to renew the phone-records program. The White House hasn't yet reached a policy decision about the surveillance program, according to the people familiar with the matter.

UK To Let Huawei Firm Help Build 5G Network

Wed, 04/24/2019 - 16:03
AmiMoJo writes: The UK government has given Chinese telecoms giant Huawei the go-ahead to supply equipment for the UK 5G data network. The company will help build some "non-core" parts such as antennas. But the plans have concerned the home, defense and foreign secretaries. The U.S. also wants its allies in the "Five Eyes" intelligence grouping -- the UK, Canada, Australia and New Zealand -- to exclude Huawei. Huawei said it was "pleased that the UK is continuing to take an evidence-based approach to its work," adding it would continue to work cooperatively with the government and the industry.