What's the story with these ads on Slashdot? Check out our new blog post to find out. ×
Security

Persistent Cyber Spies Try To Impersonate Security Researchers 6

An anonymous reader writes: Rocket Kitten, a cyber espionage group that mostly targets individuals in the Middle East, has been spotted attempting to impersonate security researchers. "We feel fairly certain that Rocket Kitten's prime targets are not companies and political organizations as entire bodies but individuals that operate in strategically interesting fields such as diplomacy, foreign policy research, and defense-related businesses. We believe the espionage factor and political context make their attacks unique and very different from traditional targeted attacks," researchers noted in a recently published new paper (PDF).
Government

Snowden: Clinton's Private Email Server Is a 'Problem' 177

An anonymous reader points out comments from NSA whistleblower Edward Snowden in a new interview with Al Jazeera about Hillary Clinton's use of a private email server while she was the U.S. Secretary of State. Snowden said, "Anyone who has the clearances that the Secretary of State has or the director of any top level agency has knows how classified information should be handled. When the unclassified systems of the United States government — which has a full time information security staff — regularly get hacked, the idea that someone keeping a private server ... is completely ridiculous." While Snowden didn't feel he had enough information to say Clinton's actions were a threat to national security, he did say that less prominent government employees would have probably been prosecuted for doing the same thing. For her part, Clinton said she used the private server out of convenience: "I was not thinking a lot when I got in. There was so much work to be done. We had so many problems around the world. I didn't really stop and think what kind of email system will there be."
Mozilla

Bugzilla Breached, Private Vulnerability Data Stolen 60

darthcamaro writes: Mozilla today publicly announced that secured areas of bugzilla, where non-public zero days are stored, were accessed by an attacker. The attacker got access to as many as 185 security bugs before they were made public. They say, "We believe they used that information to attack Firefox users." The whole hack raises the issue of Mozilla's own security, since it was a user password that was stolen and the bugzilla accounts weren't using two-factor authentication. According to Mozilla's FAQ about the breach (PDF), "The earliest confirmed instance of unauthorized access dates to September 2014. There are some indications that the attacker may have had access since September 2013."
Cellphones

20+ Chinese Android Smartphones Models Come With Pre-Installed Malware 60

An anonymous reader writes: Security researchers from G DATA have published research (PDF) into Android phones produced in China, which found that a large number of devices ship with pre-installed malware and spyware. Affected models include the Xiaomi MI3, Huawei G510, Lenovo S860, Alps A24, Alps 809T, Alps H9001, Alps 2206, Alps PrimuxZeta, Alps N3, Alps ZP100, Alps 709, Alps GQ2002, Alps N9389, Android P8, ConCorde SmartPhone6500, DJC touchtalk, ITOUCH, NoName S806i, SESONN N9500, SESONN P8, Xido X1111, Star N9500, Star N8000 and IceFox Razor. The researchers do not believe the manufacturers are responsible for the malware; rather, they suspect middlemen within distribution channels. "According to G DATA, the contamination of these smartphones is done by hiding malware as add-on code in legitimate apps. Since users don't usually interact with the malware and the add-on runs in the app's background, unless using a mobile antivirus solution, these infections are rarely discovered."
Security

Government Still Hasn't Notified Individuals Whose Personal Data Was Hacked 71

schwit1 writes: Months after the federal government admitted publicly that the personal data of more than 20 million government employees had been hacked they still have not sent notifications to those millions. The agency whose data was hacked, the Office of Personnel Management (OPM), said the Defense Department will begin "later this month" to notify employees and contractors across the government that their personal information was accessed by hackers. OPM said notifications would continue over several weeks and "will be sent directly to impacted individuals." OPM also announced that it hired a contractor to help protect the identities and credit ratings of employees whose data was hacked. In a statement, OPM said it had awarded a contract initially worth more than $133 million to a company called Identity Theft Guard Solutions LLC, doing business as ID experts, for identity theft protections for the 21.5 million victims of the security data breach. The contractor will provide credit and identity monitoring services for three years, as well as identity theft insurance, to affected individuals and dependent children aged under 18, the agency said.
Security

Despite Reports of Hacking, Baby Monitors Remain Woefully Insecure 108

itwbennett writes: Researchers from security firm Rapid7 have found serious vulnerabilities in nine video baby monitors from various manufacturers. Among them: Hidden and hard-coded credentials providing local and remote access over services like SSH or Telnet; unencrypted video streams sent to the user's mobile phone; unencrypted Web and mobile application functions and unprotected API keys and credentials; and other vulnerabilities that could allow attackers to abuse the devices, according to a white paper released Tuesday. Rapid7 reported the issues it found to the affected manufacturers and to US-CERT back in July, but many vulnerabilities remain unpatched.
Security

Check Point Introduces New CPU-Level Threat Prevention 130

An anonymous reader writes: After buying Israeli startup company Hyperwise earlier this year, Check Point Software Technologies (Nasdaq: CHKP) now unveils its newest solution for defeating malware. Their new offering called SandBlast includes CPU-Level Threat Emulation that was developed in Hyperwise which is able to defeat exploits faster and more accurately than any other solution by leveraging CPU deubgging instruction set in Intel Haswell, unlike known anti-exploitation solutions like kBouncer or ROPecker which use older instruction sets and are therefore bypassable. SandBlast also features Threat Extraction — the ability to extract susceptible parts from incoming documents.
Security

"Extremely Critical" OS X Keychain Vulnerability Steals Passwords Via SMS 118

Mark Wilson writes: Two security researchers have discovered a serious vulnerability in OS X that could allow an attacker to steal passwords and other credentials in an almost invisible way. Antoine Vincent Jebara and Raja Rahbani — two of the team behind the myki identity management security software — found that a series of terminal commands can be used to extract a range of stored credentials. What is particularly worrying about the vulnerability is that it requires virtually no interaction from the victim; simulated mouse clicks can be used to click on hidden buttons to grant permission to access the keychain. Apple has been informed of the issue, but a fix is yet to be issued. The attack, known as brokenchain, is disturbingly easy to execute. Ars reports that this weakness has been exploited for four years.
Open Source

Netflix Open Sources Sleepy Puppy XSS Hunter 12

msm1267 writes: Netflix has released a tool it calls Sleepy Puppy. The tool injects cross-site scripting payloads into a target app that may not be vulnerable, but could be stored in a database and tracks the payload if it's reflected to a secondary application that makes use of the data in the same field. "We were looking for a way to provide coverage on applications that come from different origins or may not be publicly accessible," said co-developer Scott Behrens, a senior application security engineer at Netflix. "We also wanted to observe where stored data gets reflected back, and how data that may be stored publicly could also be reflected in a large number of internal applications." Sleepy Puppy is available on Netflix's Github repository and is one of a slew of security tools its engineers have released to open source.
Medicine

Hacking Medical Mannequins 35

An anonymous reader writes: A team of researchers at the University of South Alabama is investigating potential breaches of medical devices used in training, taking the mannequin iStan as its prime target in its scenario-based research. Identifying the network security solution and network protocol as the vulnerable components, the team was able to carry out brute force attacks against the router PIN, and denial of service (DDoS) attacks, using open source tools such as BackTrack.
Security

Shifu Banking Trojan Has an Antivirus Feature To Keep Other Malware At Bay 60

An anonymous reader writes: Shifu is a banking trojan that's currently attacking 14 Japanese banks. Once it has infected a victim's machine, it will install a special module that keeps other banking-related trojans at bay. If this module sees suspicious, malware-looking content (unsigned executables) from unsecure HTTP connections, it tries to stop them. If it fails, it renames them to "infected.exx" and sends them to its C&C server. If the file is designed to autorun, Shifu will spoof an operating system "Out of memory" message.
Encryption

Browser Makers To End RC4 Support In Early 2016 40

msm1267 writes: Google, Microsoft and Mozilla today announced they've settled on an early 2016 timeframe to permanently deprecate the shaky RC4 encryption algorithm in their respective browsers. Mozilla said Firefox's shut-off date will coincide with the release of Firefox 44 on Jan. 26. Google and Microsoft said that Chrome and Internet Explorer 11 (and Microsoft Edge) respectively will also do so in the January-February timeframe. Attacks against RC4 are growing increasingly practical, rendering the algorithm more untrustworthy by the day.
Chrome

Chrome 45 Launches, Automatically Pauses Less Important Flash Content, Like Ads 87

An anonymous reader writes: Google today launched Chrome 45 for Windows, Mac, Linux, and Android with some expected changes and new developer tools. First and foremost, Chrome now automatically pauses less important Flash content (rolling out gradually, so be patient). This has been a longtime coming from both Google and Adobe, with the goal to make Flash content more power-efficient in Chrome: In March, a setting was introduced to play less Flash content on the page, but it wasn't turned on by default, and in June, the option was enabled in the browser's beta channel. Now it's being turned on for everyone.
Security

Bugs In Belkin Routers Allow DNS Spoofing, Credential Theft 48

Trailrunner7 writes: The CERT/CC is warning users that some Belkin home routers contain a number of vulnerabilities that could allow an attacker to spoof DNS responses, intercept credentials sent in cleartext, access the web management interface, and take other actions on vulnerable routers. The vulnerabilities affect the Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17, and potentially earlier versions of the firmware, as well. The vulnerabilities have not been patched by Belkin, the advisory from the CERT/CC says there aren't any practical workarounds for them. "DNS queries originating from the Belkin N600, such as those to resolve the names of firmware update and NTP servers, use predictable TXIDs that start at 0x0002 and increase incrementally. An attacker with the ability to spoof DNS responses can cause the router to contact incorrect or malicious hosts under the attacker's control," the advisory says.
Cellphones

Smartphone Malware Planted In Popular Apps Pre-sale 42

An anonymous reader writes with news from The Stack that makes it a little harder to scoff at malware on phones as being largely the fruit of dodgy sideloaded software, game cracks, et cetera. They report that even phones marketed as brand new, from well-known brands like Lenovo and Xiaomi, have been tampered with and "infected prior to sale with intelligent malware disguised in popular apps such as Facebook." (To U.S. buyers, those makers may be slightly obscure as cellphone vendors; the scheme this article addresses involves handsets sold by vendors in Europe and Asia, involving more than 20 different handset types.)
United States

US Weighs Sanctioning Russia As Well As China In Cyber Attacks 78

New submitter lvbees7 writes with news that U.S. officials have warned that the government may impose sanctions against Russia and China following cyber attacks to commercial targets. According to the Reuters story: The officials, who spoke on condition of anonymity, said no final decision had been made on imposing sanctions, which could strain relations with Russia further and, if they came soon, cast a pall over a state visit by Chinese President Xi Jinping in September. The Washington Post first reported the Obama administration was considering sanctioning Chinese targets, possibly within the next few weeks, and said that individuals and firms from other nations could also be targeted. It did not mention Russia.
Security

Six UK Teens Arrested For Being "Customers" of Lizard Squad's DDoS Service 94

An anonymous reader writes: UK officials have arrested six teenagers suspected of utilizing Lizard Squad's website attack tool called "Lizzard Stresser". Lizard Squad claimed responsibility for the infamous Christmas Day Xbox Live and PlayStation Network attacks. The teenagers "are suspected of maliciously deploying Lizard Stresser, having bought the tool using alternative payment services such as Bitcoin in a bid to remain anonymous," an NCA spokesperson wrote in an official statement on the case. "Organizations believed to have been targeted by the suspects include a leading national newspaper, a school, gaming companies, and a number of online retailers."
IOS

Over 225,000 Apple Accounts Compromised Via iOS Malware 213

An anonymous reader writes: Researchers from Palo Alto Networks and WeipTech have unearthed a scheme that resulted in the largest known Apple account theft caused by malware. All in all, some 225,000 valid Apple accounts have been compromised. The theft is executed via variants of the KeyRaider iOS malware, which targets jailbroken iOS devices. Most of the victims are Chinese — the malware is distributed through third-party Cydia repositories in China — but users in other countries have also been affected (European countries, the U.S., Australia, South Korea, and so on). "The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device," Palo Alto researcher Claud Xiao explained. "KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads."
Crime

The Coming Terrorist Threat From Autonomous Vehicles 214

HughPickens.com writes: Alex Rubalcava writes that autonomous vehicles are the greatest force multiplier to emerge in decades for criminals and terrorists and open the door for new types of crime not possible today. According to Rubalcava, the biggest barrier to carrying out terrorist plans until now has been the risk of getting caught or killed by law enforcement so that only depraved hatred, or religious fervor has been able to motivate someone to take on those risks as part of a plan to harm other people. "A future Timothy McVeigh will not need to drive a truck full of fertilizer to the place he intends to detonate it," writes Rubalcava. "A burner email account, a prepaid debit card purchased with cash, and an account, tied to that burner email, with an AV car service will get him a long way to being able to place explosives near crowds, without ever being there himself." A recent example is instructive. Dzhokhar and Tamerlan Tsarnaev were identified by an examination of footage from numerous private security cameras that were recording the crowd in downtown Boston during the Marathon. Imagine if they could have dispatched their bombs in the trunk of a car that they were never in themselves? Catching them might have been an order of magnitude more difficult than it was.

According to Rubalcava the reaction to the first car bombing using an AV is going to be massive, and it's going to be stupid. There will be calls for the government to issue a stop to all AV operations, much in the same way that the FAA made the unprecedented order to ground 4,000-plus planes across the nation after 9/11. "But unlike 9/11, which involved a decades-old transportation infrastructure, the first AV bombing will use an infrastructure in its infancy, one that will be much easier to shut down" says Rubalcava. "That shutdown could stretch from temporary to quasi-permanent with ease, as security professionals grapple with the technical challenge of distinguishing between safe, legitimate payloads and payloads that are intended to harm."
(And don't forget The Dead Pool.)
Security

Abusing Symbolic Links Like It's 1999 53

An anonymous reader writes with this snippet from James Forshaw's recent post at Google's Project Zero, which begins For the past couple of years I've been researching Windows elevation of privilege attacks. This might be escaping sandboxing or gaining system privileges. One of the techniques I've used multiple times is abusing the symbolic link facilities of the Windows operating system to redirect privileged code to create files or registry keys to escape the restrictive execution context. Symbolic links in themselves are not vulnerabilities, instead they're useful primitives for exploiting different classes of vulnerabilities such as resource planting or time-of-check time-of-use. Click through that link to see examples of this abuse in action, but also information about how the underlying risks have been (or can be) mitigated.