Iphone

Hackers Using iCloud's Find My iPhone Feature To Remotely Lock Macs, Demand Ransom Payments (macrumors.com) 40

AmiMoJo shares a report from Mac Rumors: Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone. With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here. Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device. The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers. Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details.
Google

Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs (bleepingcomputer.com) 69

An anonymous reader writes from a report via Bleeping Computer: The Project Zero team at Google has created a new tool for testing browser DOM engines and has unleashed it on today's top five browsers, finding most bugs in Apple's Safari. Results showed that Safari had by far the worst DOM engine, with 17 new bugs discovered after Fratric's test. Second was Edge with 6, then IE and Firefox with 4, and last was Chrome with only 2 new issues. The tests were carried out with a new fuzzing tool created by Google engineers named Domato, also open-sourced on GitHub. This is the third fuzzing tool Google creates and releases into open-source after OSS-Fuzz and syzkaller. Researchers focused on testing DOM engines for vulnerabilities because they expect them to be the next target for browser exploitation after Flash reaches end-of-life in 2020.
Security

Adobe Security Team Accidentally Posts Private PGP Key On Blog (arstechnica.com) 42

A member of Adobe's Product Security Incident Response Team (PSIRT) accidentally posted the PGP keys for PSIRT's email account -- both the public and the private keys. According to Ars Technica, "the keys have since been taken down, and a new public key has been posted in its stead." From the report: The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen. Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account. To be fair to Adobe, PGP security is harder than it should be. What obviously happened is that a PSIRT team member exported a text file from PSIRT's shared webmail account using Mailvelope, the Chrome and Firefox browser extension, to add to the team's blog. But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file. Then, without realizing the error, the text file was cut/pasted directly to Adobe's PSIRT blog.
Privacy

Passwords For 540,000 Car Tracking Devices Leaked Online (thehackernews.com) 31

An anonymous reader quotes a report from The Hacker News: Login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online, potentially exposing the personal data and vehicle details of drivers and businesses using its service. Just two days ago, Viacom was found exposing the keys to its kingdom on an unsecured Amazon S3 server, and this data breach is yet another example of storing sensitive data on a misconfigured cloud server. The Kromtech Security Center was first to discover a wide-open, public-facing misconfigured Amazon Web Server (AWS) S3 cloud storage bucket containing a cache belonging to SVR that was left publicly accessible for an unknown period. Stands for Stolen Vehicle Records, the SVR Tracking service allows its customers to track their vehicles in real time by attaching a physical tracking device to vehicles in a discreet location, so their customers can monitor and recover them in case their vehicles are stolen. The leaked cache contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users' vehicle data, like VIN (vehicle identification number), IMEI numbers of GPS devices. The leaked database also exposed 339 logs that contained photographs and data about vehicle status and maintenance records, along with a document with information on the 427 dealerships that use SVR's tracking services.
Security

Major Cyber-Attack Will Happen Soon, Warns UK's Security Boss (theguardian.com) 64

Alex Hern, writing for The Guardian: A "category one" cyber-attack, the most serious tier possible, will happen "sometime in the next few years", a director of the National Cybersecurity Centre has warned. According to the agency, which reports to GCHQ and has responsibly for ensuring the UK's information security, a category one cybersecurity incident requires a national government response. Speaking at an event about the next decade of information security, Levy warned that "sometime in the next few years we're going to have our first category one cyber-incident." The only way to prevent such a breach, he said, was to change the way businesses and governments think about cybersecurity. Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.
Iphone

'Dear Apple, The iPhone X and Face ID Are Orwellian and Creepy' (hackernoon.com) 419

Trent Lapinski from Hacker Noon writes an informal letter to Apple, asking "who the hell actually asked for Face ID?" and calling the iPhone X and new face-scanning security measure "Orwellian" and "creepy": For the company that famously used 1984 in its advertising to usher in a new era of personal computing, it is pretty ironic that 30+ years later they would announce technology that has the potential to eliminate global privacy. I've been waiting 10-years since the first iPhone was announced for a full-screen device that is both smaller in my hand but has a larger display and higher capacity battery. However, I do not want these features at the cost of my privacy, and the privacy of those around me. While the ease of use and user experience of Face ID is apparent, I am not questioning that, the privacy concerns are paramount in today's world of consistent security breaches. Given what we know from Wikileaks Vault7 and the CIA / NSA capabilities to hijack any iPhone, including any sensor on the phone, the very thought of handing any government a facial ID system for them to hack into is a gift the world may never be able to return. Face ID will have lasting privacy implications from 2017 moving forward, and I'm pretty sure I am not alone in not wanting to participate.

The fact of the matter is the iPhone X does not need Face ID, Apple could have easily put a Touch ID sensor on the back of the phone for authentication (who doesn't place their finger on the back of their phone?). I mean imagine how cool it would be to put your finger on the Apple logo on the back of your iPhone for Touch ID? It would have been a highly marketable product feature that is equally as effective as Face ID without the escalating Orwellian privacy implications. [...] For Face ID to work, the iPhone X actively has to scan faces looking for its owner when locked. This means anyone within a several foot range of an iPhone X will get their face scanned by other people's phones and that's just creepy.

Encryption

Distrustful US Allies Force Spy Agency To Back Down In Encryption Fight (reuters.com) 100

schwit1 shares a report from Reuters: An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies. In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them. The NSA has now agreed to drop all but the most powerful versions of the techniques -- those least likely to be vulnerable to hacks -- to address the concerns.
Security

Security Researchers Warn that Third-Party GO Keyboard App is Spying on Millions of Android Users (betanews.com) 65

An anonymous reader shares a report: Security researchers from Adguard have issued a warning that the popular GO Keyboard app is spying on users. Produced by Chinese developers GOMO Dev Team, GO Keyboard was found to be transmitting personal information about users back to remote servers, as well as "using a prohibited technique to download dangerous executable code." Adguard made the discovery while conducting research into the traffic consumption and unwanted behavior of various Android keyboards. The AdGuard for Android app makes it possible to see exactly what traffic an app is generating, and it showed that GO Keyboard was making worrying connections, making use of trackers, and sharing personal information. Adguard notes that there are two versions of the keyboard in Google Play which it claims have more than 200 million users in total.
Security

SEC Discloses Hackers Penetrated EDGAR, Profited in Trading (usatoday.com) 48

Chris Woodyard, writing for USA Today: Hackers made their way into the Security and Exchange Commission's EDGAR electronic filing system last year, retrieving private data that appear to have resulted in "an illicit gain through trading," the agency said. It was only in August that the commission learned that hackers may have been able to use their illegal activities to make ill-gotten gains through market trading, said Chairman Jay Clayton in a lengthy statement posted on the SEC's website. EDGAR, which stands for Electronic Data Gathering Analysis and Retrieval, is considered critical to the SEC's operation and the ability of investors to see the electronic filings of companies and markets. The SEC says about 50 million documents are viewed through EDGAR on a typical day. It receives about 1.7 million filings a year.
Security

The CCleaner Malware Fiasco Targeted at Least 20 Specific Tech Firms (wired.com) 146

An anonymous reader shares a report: Hundreds of thousands of computers getting penetrated by a corrupted version of an ultra-common piece of security software was never going to end well. But now it's becoming clear exactly how bad the results of the recent CCleaner malware outbreak may be. Researchers now believe that the hackers behind it were bent not only on mass infections, but on targeted espionage that tried to gain access to the networks of at least 20 tech firms. Earlier this week, security firms Morphisec and Cisco revealed that CCleaner, a piece of security software distributed by Czech company Avast, had been hijacked by hackers and loaded with a backdoor that evaded the company's security checks. It wound up installed on more than 700,000 computers. On Wednesday, researchers at Cisco's Talos security division revealed that they've now analyzed the hackers' "command-and-control" server to which those malicious versions of CCleaner connected. On that server, they found evidence that the hackers had attempted to filter their collection of backdoored victim machines to find computers inside the networks of 20 tech firms, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself. In about half of those cases, says Talos research manager Craig Williams, the hackers successfully found a machine they'd compromised within the company's network, and used their backdoor to infect it with another piece of malware intended to serve as a deeper foothold, one that Cisco now believes was likely intended for industrial espionage.
Security

Equifax Has Been Sending Consumers To a Fake Phishing Site for Almost Two Weeks (gizmodo.com) 154

An anonymous reader shares a Gizmodo report (condensed for space): For nearly two weeks, the company's official Twitter account has been directing users to a fake lookalike website. After announcing the breach, Equifax directed its customers to equifaxsecurity2017.com, a website where they can enroll in identity theft protection services and find updates about how Equifax is handing the "cybersecurity incident." But the decision to create "equifaxsecurity2017" in the first place was monumentally stupid. The URL is long and it doesn't look very official -- that means it's going to be very easy to emulate. To illustrate how idiotic Equifax's decision was, developer Nick Sweeting created a fake website of his own: securityequifax2017.com. (He simply switched the words "security" and "equifax" around.) As if to demonstrate Sweeting's point, Equifax appears to have been itself duped by the fake URL. The company has directed users to Sweeting's fake site sporadically over the past two weeks. Gizmodo found eight tweets containing the fake URL dating back to September 9th.
Security

Ransomware Hack Targeting 2 Million an Hour (axios.com) 38

New submitter Zorro writes: A ransomware attack sweeping the globe right now is launching about 8,000 different versions of the virus script at Barracuda's customers, Eugene Weiss, lead platform architect at Barracuda, told Axios, and it's hitting at a steady rate of about 2 million attacks per hour. What to watch out for: An incoming email spoofing the destination host, with a subject about "Herbalife" or a "copier" file delivery. Two of the latest variants Barracuda has detected include a paragraph about legalese to make it seem official, or a line about how a "payment is attached," which tricks you to click since, as Weiss puts it, "everyone wants a payment."
IOS

Turning Off Wi-Fi and Bluetooth in iOS 11's Control Center Doesn't Actually Turn Off Wi-Fi or Bluetooth (vice.com) 226

An anonymous reader shares a Motherboard report: Turning off Bluetooth and Wi-Fi when you're not using them on your smartphone has long been standard, common sense, advice. Unfortunately, with the iPhone's new operating system iOS 11 - which was released to the general public yesterday - turning them off is not as easy as it used to be. Now, when you toggle Bluetooth and Wi-Fi off from the iPhone's Control Center -- the somewhat confusing menu that appears when you swipe up from the bottom of the phone -- it actually doesn't completely turn them off. While that might sound like a bug, that's actually what Apple intended in the new operating system. But security researchers warn that users might not realize this and, as a consequence, could leave Bluetooth and Wi-Fi on without noticing. Numerous Slashdot readers have complained about this "feature" this week.
Electronic Frontier Foundation

EFF Resigns From Web Consortium In Wake of EME DRM Standardization (eff.org) 220

New submitter Frobnicator writes: Four years ago, the W3C began standardizing Encrypted Media Extensions, or EME. Several organizations, including the EFF, have argued against DRM within web browsers. Earlier this year, after the W3C leadership officially recommended EME despite failing to reach consensus, the EFF filed the first-ever official appeal that the decision be formally polled for consensus. That appeal has been denied, and for the first time the W3C is endorsing a standard against the consensus of its members.

In response, the EFF published their resignation from the body: "The W3C is a body that ostensibly operates on consensus. Nevertheless, as the coalition in support of a DRM compromise grew and grew -- and the large corporate members continued to reject any meaningful compromise -- the W3C leadership persisted in treating EME as topic that could be decided by one side of the debate. [...] Today, the W3C bequeaths an legally unauditable attack-surface to browsers used by billions of people. Effective today, EFF is resigning from the W3C."
Jeff Jaffe, CEO of W3C said: "I know from my conversations that many people are not satisfied with the result. EME proponents wanted a faster decision with less drama. EME critics want a protective covenant. And there is reason to respect those who want a better result. But my personal reflection is that we took the appropriate time to have a respectful debate about a complex set of issues and provide a result that will improve the web for its users. My main hope, though, is that whatever point-of-view people have on the EME covenant issue, that they recognize the value of the W3C community and process in arriving at a decision for an inherently contentious issue. We are in our best light when we are facilitating the debate on important issues that face the web."
Privacy

In a 'Plot Twist', Wikileaks Releases Documents It Claims Detail Russia Mass Surveillance Apparatus (techcrunch.com) 167

WikiLeaks, believed by many to be a Kremlin front, surprised some observers Tuesday morning (Snowden called it a "plot twist") when it released documents linking a Russian tech company with access to thousands of citizens' telephone and internet communications with Moscow. From a report: Writing a summary of the cache of mostly Russian-language documents, Wikileaks claims they show how a long-established Russian company which supplies software to telcos is also installing infrastructure, under state mandate, that enables Russian state agencies to tap into, search and spy on citizens' digital activity -- suggesting a similar state-funded mass surveillance program to the one utilized by the U.S.'s NSA or by GCHQ in the U.K. (both of which were detailed in the 2013 Snowden disclosures). The documents which Wikileaks has published (there are just 34 "base documents" in this leak) relate to a St. Petersburg-based company, called Peter-Service, which it claims is a contractor for Russian state surveillance. The company was set up in 1992 to provide billing solutions before going on to become a major supplier of software to the mobile telecoms industry.

Slashdot Top Deals