OS X

macOS Sequoia Makes It Harder To Run Apps That Aren't Properly Signed or Notarized (9to5mac.com) 82

Ryan Christoffel writes via 9to5Mac: Since the Mac doesn't have the same locked-down app distribution system of iOS and iPadOS, Apple has created other tools meant to protect users. Some of those tools include app signing and notarization. Essentially, these provide a way for Apple to perform a level of vetting for macOS apps, even ones that don't hit the Mac App Store. The intent is to ultimately prevent harmful software from being inadvertently opened by Mac users. Trying to open an app that isn't correctly signed or notarized results in some scary warnings. But until now, power users could bypass those warnings -- and Apple's overall security process -- using a Control-click shortcut. But that shortcut is going away in macOS Sequoia.

According to a new post on the Apple Developer site: "In macOS Sequoia, users will no longer be able to Control-click to override Gatekeeper when opening software that isn't signed correctly or notarized. They'll need to visit System Settings > Privacy & Security to review security information for software before allowing it to run." The post then urges developers to make sure their software is properly signed so users won't need to jump through these hoops.

Microsoft

Your Windows Updates Can All Be Downgraded, Says Security Researcher (theregister.com) 45

Security researchers from SafeBreach have found what they say is a Windows downgrade attack that's invisible, persistent, irreversible and maybe even more dangerous than last year's BlackLotus UEFI bootkit. From a report: After seeing the damage that UEFI bootkit could do by bypassing secure boot processes in Windows, SafeBreach's Alon Leviev became curious whether there were any other fundamental Windows components that could be abused in a similar manner. He hit the jackpot in one of the most unlikely places: The Windows update process.

"I found a way to take over Windows updates to update the system, but with control over all of the actual update contents," Leviev told us in an interview ahead of his Black Hat USA conference presentation today detailing his findings. Using his technique, having compromised a machine so that he could get in as a normal user, Leviev was able to control which files get updated, which registry keys are changed, which installers get used, and the like. And he was able to do all of it while side-stepping every single integrity verification implemented in the Windows update process. After that, "I was able to downgrade the OS kernel, DLLs, drivers ... basically everything that I wanted." To make matters worse, Leviev said that poking and prodding around the vulnerabilities he found enabled him to attack the entire Windows virtualization stack, including virtualization-based security (VBS) features that are supposed to isolate the kernel and make attacker access less valuable.

Hardware

NVMe 2.1 Specifications Published With New Capabilities (phoronix.com) 22

At the Flash Memory Summit 2024 this week, NVM Express published the NVMe 2.1 specifications, which hope to enhance storage unification across AI, cloud, client, and enterprise. Phoronix's Michael Larabel writes: New NVMe capabilities with the revised specifications include:

- Enabling live migration of PCIe NVMe controllers between NVM subsystems.
- New host-directed data placement for SSDs that simplifies ecosystem integration and is backwards compatible with previous NVMe specifications.
- Support for offloading some host processing to NVMe storage devices.
- A network boot mechanism for NVMe over Fabrics (NVMe-oF).
- Support for NVMe over Fabrics zoning.
- Ability to provide host management of encryption keys and highly granular encryption with Key Per I/O.
- Security enhancements such as support for TLS 1.3, a centralized authentication verification entity for DH-HMAC-CHAP, and post sanitization media verification.
- Management enhancements including support for high availability out-of-band management, management over I3C, out-of-band management asynchronous events and dynamic creation of exported NVM subsystems from underlying NVM subsystem physical resources.
You can learn more about these updates at NVMExpress.org.
Security

Cyberattack Knocks Mobile Guardian MDM Offline, Wipes Thousands of Student Devices (techcrunch.com) 17

Zack Whittaker reports via TechCrunch: A cyberattack on Mobile Guardian, a U.K.-based provider of educational device management software, has sparked outages at schools across the world and has left thousands of students unable to access their files. Mobile Guardian acknowledged the cyberattack in a statement on its website, saying it identified "unauthorized access to the iOS and ChromeOS devices enrolled to the Mobile Guardian platform." The company said the cyberattack "affected users globally," including in North America, Europe and Singapore, and that the incident resulted in an unspecified portion of its userbase having their devices unenrolled from the platform and "wiped remotely." "Users are not currently able to log in to the Mobile Guardian Platform and students will experience restricted access on their devices," the company said.

Mobile device management (MDM) software allows businesses and schools to remotely monitor and manage entire fleets of devices used by employees or students. Singapore's Ministry of Education, touted as a significant customer of Mobile Guardian on the company's website since 2020, said in a statement overnight that thousands of its students had devices remotely wiped during the cyberattack. "Based on preliminary checks, about 13,000 students in Singapore from 26 secondary schools had their devices wiped remotely by the perpetrator," the Singaporean education ministry said in a statement. The ministry said it was removing the Mobile Guardian software from its fleet of student devices, including affected iPads and Chromebooks.

Google

Google Discontinues the Chromecast Line (theverge.com) 64

Speaking of Google launching a new TV streaming device, the company says it's "ending production of Chromecast" after 11 years of selling the streaming dongles. From a report: Even though Chromecast devices will now be available "while supplies last," Google says it will continue to push software and security updates to its newer devices without specifying which ones. The most recent update to the lineup was the Chromecast with Google TV released in 2022.

But now, Google says "technology has evolved dramatically" since the launch of the original Chromecast in 2013. "We invested heavily in embedding Google Cast technology into millions of TV devices, including Android TV," Google writes. "We are taking the next step in evolving how streaming TV devices can add even more capabilities to your smart TV, built on top of the same Chromecast technology."

Security

Mac and Windows Users Infected By Software Updates Delivered Over Hacked ISP (arstechnica.com) 68

An anonymous reader quotes a report from Ars Technica: Hackers delivered malware to Windows and Mac users by compromising their Internet service provider and then tampering with software updates delivered over unsecure connections, researchers said. The attack, researchers from security firm Volexity said, worked by hacking routers or similar types of device infrastructure of an unnamed ISP. The attackers then used their control of the devices to poison domain name system responses for legitimate hostnames providing updates for at least six different apps written for Windows or macOS. The apps affected were the 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and those from Corel and Sogou.

Because the update mechanisms didn't use TLS or cryptographic signatures to authenticate the connections or downloaded software, the threat actors were able to use their control of the ISP infrastructure to successfully perform machine-in-the-middle (MitM) attacks that directed targeted users to hostile servers rather than the ones operated by the affected software makers. These redirections worked even when users employed non-encrypted public DNS services such as Google's 8.8.8.8 or Cloudflare's 1.1.1.1 rather than the authoritative DNS server provided by the ISP. "That is the fun/scary part -- this was not the hack of the ISPs DNS servers," Volexity CEO Steven Adair wrote in an online interview. "This was a compromise of network infrastructure for Internet traffic. The DNS queries, for example, would go to Google's DNS servers destined for 8.8.8.8. The traffic was being intercepted to respond to the DNS queries with the IP address of the attacker's servers."

In other words, the DNS responses returned by any DNS server would be changed once it reached the infrastructure of the hacked ISP. The only way an end user could have thwarted the attack was to use DNS over HTTPS or DNS over TLS to ensure lookup results haven't been tampered with or to avoid all use of apps that deliver unsigned updates over unencrypted connections. As an example, the 5KPlayer app uses an unsecure HTTP connection rather than an encrypted HTTPS one to check if an update is available and, if so, to download a configuration file named Youtube.config. StormBamboo, the name used in the industry to track the hacking group responsible, used DNS poisoning to deliver a malicious version of the Youtube.config file from a malicious server. This file, in turn, downloaded a next-stage payload that was disguised as a PNG image. In fact, it was an executable file that installed malware tracked under the names MACMA for macOS devices or POCOSTICK for Windows devices.
As for the hacked ISP, the security firm said "it's not a huge one or one you'd likely know."

"In our case the incident is contained but we see other servers that are actively serving malicious updates but we do not know where they are being served from. We suspect there are other active attacks around the world we do not have purview into. This could be from an ISP compromise or a localized compromise to an organization such as on their firewall."
AI

OpenAI Co-Founder John Schulman Is Joining Anthropic (cnbc.com) 3

OpenAI co-founder John Schulman announced Monday that he is leaving to join rival AI startup Anthropic. CNBC reports: The move comes less than three months after OpenAI disbanded a superalignment team that focused on trying to ensure that people can control AI systems that exceed human capability at many tasks. Schulman had been a co-leader of OpenAI's post-training team that refined AI models for the ChatGPT chatbot and a programming interface for third-party developers, according to a biography on his website. In June, OpenAI said Schulman, as head of alignment science, would join a safety and security committee that would provide advice to the board. Schulman has only worked at OpenAI since receiving a Ph.D. in computer science in 2016 from the University of California, Berkeley.

"This choice stems from my desire to deepen my focus on AI alignment, and to start a new chapter of my career where I can return to hands-on technical work," Schulman wrote in the social media post. He said he wasn't leaving because of a lack of support for new work on the topic at OpenAI. "On the contrary, company leaders have been very committed to investing in this area," he said. The leaders of the superalignment team, Jan Leike and company co-founder Ilya Sutskever, both left this year. Leike joined Anthropic, while Sutskever said he was helping to start a new company, Safe Superintelligence Inc. "Very excited to be working together again!" Leike wrote in reply to Schulman's message.

The Almighty Buck

iPhone Driver's License Support Coming Soon To California (macrumors.com) 60

iPhone and Apple Watch users in California will soon be able to add their digital ID and driver's license to the Wallet app, as revealed by new landing pages on the state DMV website. This feature follows a slow rollout since its announcement, with only five states currently supporting it. MacRumors reports: "Now you can add your California driver's license or state ID to Apple Wallet on iPhone and Apple Watch so you can present it easily and securely in person and in app," reads the landing page, which contains broken links and placeholder images, and is still missing a proper website security certificate. The webpages were discovered on Sunday by Jimmy Obomsawin, after someone added a link to the landing pages in an Apple Wallet Wikipedia entry last Wednesday.
Windows

Windows 11 Hits 30% Market Share For the First Time (neowin.net) 105

With Windows 10's end-of-life update coming next October, it appears that users are finally making the jump to its successor. As spotted by Neowin, Windows 11 crossed the 30% market share mark for the first time since its release. From the report: According to Statcounter's latest findings, last month, Windows 11 reached a new all-time high of 30.83%, gaining 1.08 points in just one month or 7.17 points year-over-year (it was at 23.66% in July 2023). Just as Windows 11 climbs, Windows 10 loses its market share. It is now below 65%, or 64.99%, to be precise, or -1.06 points in one month. Year-over-year change is 11.15 points (it was at 71.14% in July 2023). [...]

Other Windows versions, which are now long unsupported, still have a fair share of customers who refuse to jump-ship. Windows 7, for one, is the third most popular Windows with a 3.04% market share (+0.08 points). Windows 8.1 is fourth with 0.42% (+0.02 points), and Windows XP is fifth with 0.38% (-0.01 points).

Security

Design Flaw Has Microsoft Authenticator Overwriting MFA Accounts, Locking Users Out (csoonline.com) 68

snydeq writes: CSO Online's Evan Schuman reports on a design flaw in Microsoft Authenticator that causes it to often overwrite authentication accounts when a user adds a new one via QR scan. "But because of the way the resulting lockout happens, the user is not likely to realize the issue resides with Microsoft Authenticator. Instead, the company issuing the authentication is considered the culprit, resulting in wasted corporate helpdesk hours trying to fix an issue not of that company's making."

Schuman writes: "The core of the problem? Microsoft Authenticator will overwrite an account with the same username. Given the prominent use of email addresses for usernames, most users' apps share the same username. Google Authenticator and just about every other authenticator app add the name of the issuer -- such as a bank or a car company -- to avoid this issue. Microsoft only uses the username."

The flaw appears to have been in place since Authenticator was released in 2016. Users have complained about this issue in the past to no avail. In its two correspondences with Schuman, Microsoft first laid blame on users, then on issuers. Several IT experts confirmed the flaw, with one saying, "It's possible that this problem occurs more often than anyone realizes because [users] don't realize what the cause is. If you haven't picked an authentication app, why would you pick Microsoft?"

Security

Every Microsoft Employee Is Now Being Judged on Their Security Work (theverge.com) 100

Reeling from security and optics issues, Microsoft appears to be trying to correct its story. An anonymous reader shares a report: Microsoft made it clear earlier this year that it was planning to make security its top priority, following years of security issues and mounting criticisms. Starting today, the software giant is now tying its security efforts to employee performance reviews. Kathleen Hogan, Microsoft's chief people officer, has outlined what the company expects of employees in an internal memo obtained by The Verge. "Everyone at Microsoft will have security as a Core Priority," says Hogan. "When faced with a tradeoff, the answer is clear and simple: security above all else."

A lack of security focus for Microsoft employees could impact promotions, merit-based salary increases, and bonuses. "Delivering impact for the Security Core Priority will be a key input for managers in determining impact and recommending rewards," Microsoft is telling employees in an internal Microsoft FAQ on its new policy. Microsoft has now placed security as one of its key priorities alongside diversity and inclusion. Both are now required to be part of performance conversations -- internally called a "Connect" -- for every employee, alongside priorities that are agreed upon between employees and their managers.

Programming

DARPA Wants to Automatically Transpile C Code Into Rust - Using AI (theregister.com) 236

America's Defense Department has launched a project "that aims to develop machine-learning tools that can automate the conversion of legacy C code into Rust," reports the Register — with an online event already scheduled later this month for those planning to submit proposals: The reason to do so is memory safety. Memory safety bugs, such buffer overflows, account for the majority of major vulnerabilities in large codebases. And DARPA's hope [that's the Defense Department's R&D agency] is that AI models can help with the programming language translation, in order to make software more secure. "You can go to any of the LLM websites, start chatting with one of the AI chatbots, and all you need to say is 'here's some C code, please translate it to safe idiomatic Rust code,' cut, paste, and something comes out, and it's often very good, but not always," said Dan Wallach, DARPA program manager for TRACTOR, in a statement. "The research challenge is to dramatically improve the automated translation from C to Rust, particularly for program constructs with the most relevance...."

DARPA's characterization of the situation suggests the verdict on C and C++ has already been rendered. "After more than two decades of grappling with memory safety issues in C and C++, the software engineering community has reached a consensus," the research agency said, pointing to the Office of the National Cyber Director's call to do more to make software more secure. "Relying on bug-finding tools is not enough...."

Peter Morales, CEO of Code Metal, a company that just raised $16.5 million to focus on transpiling code for edge hardware, told The Register the DARPA project is promising and well-timed. "I think [TRACTOR] is very sound in terms of the viability of getting there and I think it will have a pretty big impact in the cybersecurity space where memory safety is already a pretty big conversation," he said.

DARPA's statement had an ambitious headline: "Eliminating Memory Safety Vulnerabilities Once and For All."

"Rust forces the programmer to get things right," said DARPA project manager Wallach. "It can feel constraining to deal with all the rules it forces, but when you acclimate to them, the rules give you freedom. They're like guardrails; once you realize they're there to protect you, you'll become free to focus on more important things."

Code Metal's Morales called the project "a DARPA-hard problem," noting the daunting number of edge cases that might come up. And even DARPA's program manager conceded to the Register that "some things like the Linux kernel are explicitly out of scope, because they've got technical issues where Rust wouldn't fit."

Thanks to long-time Slashdot reader RoccamOccam for sharing the news.
Government

Artist and Musician Sue SEC Over Its NFT Regulatory Jurisdiction (decrypt.co) 32

"Five years ago, Brian Frye set an elaborate trap," writes Decrypt.co. "Now the law professor is teaming up with a singer-songwriter to finally spring it" on America's Security and Exchange Commission "in a novel lawsuit — and in the process, prevent the regulator from ever coming after NFT art projects again." Over and again, the SEC has sued cherry-picked NFT projects it says qualify as unregistered securities — but never once has the regulator defined what types of NFT projects are legal and which are not, casting a chill over the nascent industry... [In 2019] Frye, an expert in securities law and a fan of novel technologies, minted an NFT of a letter he sent to the SEC in which he declared his art project to constitute an illegal, unregistered security. If the conceptual art project wasn't a security, Frye challenged the agency, then it needed to say so. The SEC never responded to Frye — not then, and not after several more self-incriminating correspondences from the professor. But in due time, the agency began vigorously pursuing, and suing, NFT projects.
So 10 months ago, Jonathan Mann — who writes a new song every day and shares it online — crafted a song titled "This Song is A Security." As a seller of NFTs himself, Mann wrote the song "to fight back against the SEC, and defend his right — plus the rights of other artists like him — to earn revenue," according to the article: Frye, who'd practically been salivating for such an opportunity for half a decade, was a natural fit.... In the lawsuit filed against the SEC in Louisiana earlier this week, they challenged the SEC's standing to regulate their NFT-backed artworks as securities, and demanded the agency declare that their respective art projects do not constitute illegal, unregistered securities offerings.
More from the International Business Times: The complaint asked the court to clarify whether the SEC should regulate art and whether artists were supposed to "register" their artworks before selling the pieces to the general public. The complaint also asked whether artists should be "forced to make public disclosures about the 'risks' of buying their art," and whether artists should be "required to comply" with federal securities laws...

The Blockchain Association, a collective crypto group that includes some of the biggest digital asset firms, asserted that the SEC has no authority over NFT art. "We support the plaintiffs in their quest for legal clarity," the group said.

In an interview with Slashdot, Mann says he started his "Song a Day" project almost 17 years ago (when he was 26 years old) — and his interest in NFTs is sincere: "Over the years, I've always sought a way to make Song A Day sustainable financially, through video contests, conference gigs, ad revenue, royalties, Patreon and more.

"When I came across NFTs in 2017, they didn't have a name. We just called them 'digital collectibles'. For the last 2+ years, NFTs have become that self-sustaining model for my work.

"I know most people believe NFTs are a joke at best and actively harmful at worst. Even most people in the crypto community have given up on them. Despite all that, I still believe they're worth pursuing.

"Collecting an NFT from an artist you love is the most direct way to support them. There's no multinational corporation, no payment processor, and no venture capitalists between you and the artist you want to support."

Slashdot also tracked down the SEC's Office of Public Affairs, and got an official response from SEC public affairs specialist Ryan White.

Slashdot: The suit argues that the SEC's approach "threatens the livelihoods of artists and creators that are simply experimenting with a novel, fast-growing technology," and seeks guidance in the face of a "credible threat of enforcement". Is the SEC going to respond to this lawsuit? And if you don't have an answer at this time, can you give me a general comment on the issues and concerns being raised?

SEC Public Affairs Specialist Ryan White: We would decline comment.

Decrypt.co points out that the lawsuit "has no guarantee of offering some conclusive end to the NFT regulation question... That may only come with concrete legislation or a judgment by the Supreme Court."

But Mann's song still makes a very public show out of their concerns — with Mann even releasing a follow-up song titled "I'm Suing the SEC." (Its music video mixes together wacky clips of Mila Kunis's Stoner Cats and Fonzie jumping a shark with footage of NFT critics like Elizabeth Warren and SEC chairman Gary Gensler.)

And an earlier song also used auto-tune to transform Gensler's remarks about cryptocurrencies into the chorus of a song titled "Hucksters, Fraudsters, Scam Artists, Ponzi Schemes".

Mann later auctioned an NFT of the song — for over $3,000 in Ethereum.
Government

Why DARPA is Funding an AI-Powered Bug-Spotting Challenge (msn.com) 43

Somewhere in America's Defense Department, the DARPA R&D agency is running a two-year contest to write an AI-powered program "that can scan millions of lines of open-source code, identify security flaws and fix them, all without human intervention," reports the Washington Post. [Alternate URL here.]

But as they see it, "The contest is one of the clearest signs to date that the government sees flaws in open-source software as one of the country's biggest security risks, and considers artificial intelligence vital to addressing it." Free open-source programs, such as the Linux operating system, help run everything from websites to power stations. The code isn't inherently worse than what's in proprietary programs from companies like Microsoft and Oracle, but there aren't enough skilled engineers tasked with testing it. As a result, poorly maintained free code has been at the root of some of the most expensive cybersecurity breaches of all time, including the 2017 Equifax disaster that exposed the personal information of half of all Americans. The incident, which led to the largest-ever data breach settlement, cost the company more than $1 billion in improvements and penalties.

If people can't keep up with all the code being woven into every industrial sector, DARPA hopes machines can. "The goal is having an end-to-end 'cyber reasoning system' that leverages large language models to find vulnerabilities, prove that they are vulnerabilities, and patch them," explained one of the advising professors, Arizona State's Yan Shoshitaishvili.... Some large open-source projects are run by near-Wikipedia-size armies of volunteers and are generally in good shape. Some have maintainers who are given grants by big corporate users that turn it into a job. And then there is everything else, including programs written as homework assignments by authors who barely remember them.

"Open source has always been 'Use at your own risk,'" said Brian Behlendorf, who started the Open Source Security Foundation after decades of maintaining a pioneering free server software, Apache, and other projects at the Apache Software Foundation. "It's not free as in speech, or even free as in beer," he said. "It's free as in puppy, and it needs care and feeding."

40 teams entered the contest, according to the article — and seven received $1 million in funding to continue on to the next round, with the finalists to be announced at this year's Def Con, according to the article.

"Under the terms of the DARPA contest, all finalists must release their programs as open source," the article points out, "so that software vendors and consumers will be able to run them."
Privacy

Epic Games CEO Criticized For Calling Apple's 'Find My' Feature 'Super Creepy' (macrumors.com) 176

Slashdot reader Applehu Akbar shared this report from MacRumors: Epic Games CEO Tim Sweeney commented on Apple's 'Find My' service, referring to it as "super creepy surveillance tech" that "shouldn't exist." Sweeney went on to explain that several years ago, "a kid" stole a Mac laptop out of his car. Years later, Sweeney was checking Find My, and as the Mac was still connected to his Apple ID account, it showed him the location where the thief lived.
When someone asked Sweeney if he'd at least gotten his laptop back, Sweeney answered "No. I was creeped the hell out by having unexpectedly received the kid's address, and turned off Find My iPhone on all of my devices."

Slashdot reader crmarvin42 quipped "Tell me you are stupidly rich, without telling me you are stupidly rich... Next someone will be saying that it is 'Creepy' to have security footage of someone taking your Amazon packages off of your porch." And they also questioned Sweeney's sincerity, suggesting that he's "just saying that to try and make Apple look bad because of all the lawsuits going on."

MacRumors followed the ensuing discussion: Sweeney said that the location of a device in someone's possession can't be tracked without tracking the person, and "people have a right to privacy." ["This right applies to second hand device buyers and even to thieves."] He claims that detection and recovery of a lost or stolen device should be "mediated by due process of law" and not exposed to the device owner "in vigilante fashion."
Some responded to Sweeney's comments by sharing the headline of a Vox news story about Epic's own privacy polices. ("Fortnite maker Epic Games has to pay $520 million for tricking kids and violating their privacy.")

MacRumors cited a 2014 report that thefts of iPhones dropped after the introduction of Apple's "Activation Lock" feature (which prevents the disabling of 'Find My' without a password).

But when the blog AppleInsider accused Sweeney of "an incredibly bad leap of logic" — Sweeney responded. "You're idealizing this issue as good guys tracking criminals to their lairs, but when Find My or Google's similar tech points a device owner to a device possessor's home, one must anticipate the presence of families and kids and innocent used device buyers, and ask whether it's really appropriate for a platform to use GPS and shadowy mesh network tech to set up physical confrontations among individuals."

Sweeney also posted a quote from Steve Jobs about how at Apple, "we worry that some 14-year-old is going to get stalked and something terrible is going to happen because of our phone."
Privacy

NFL to Roll Out Facial Authentication Software to All Stadiums, League-Wide (therecord.media) 72

America's National Football League "is the latest organization to turn to facial authentication to bolster event security," reports the Record, citing a new announcement this week: All 32 NFL stadiums will start using the technology this season, after the league signed a contract with a company that uses facial scans to verify the identity of people entering event venues and other secure spaces.

The facial authentication platform, which counts the Cleveland Browns' owners as investors, will be used to "streamline and secure" entry for thousands of credentialed media, officials, staff and guests so they can easily access restricted areas such as press boxes and locker rooms, Jeff Boehm, the chief operating officer of Wicket, said in a LinkedIn post Monday. "Credential holders simply take a selfie before they come, and then Wicket verifies their identity and checks their credentials with Accredit (a credentialing platform) as they walk through security checkpoints," Boehm added.

Wicket technology was deployed in a handful of NFL stadiums last year as part of a pilot program. Other stadiums will start rolling it out beginning on Aug. 8, when the pre-season kicks off. Some teams also have extended their use of the technology to scan the faces of ticket holders. The Cleveland Browns, Atlanta Falcons and New York Mets all have used the company's facial authentication software to authenticate fans with tickets, according to Stadium Tech Report. "Fans come look at the tablet and, instantly, the tablet recognizes the fan," Brandon Covert, the vice president of information technology for the Cleveland Browns, said in a testimonial appearing on Wicket's website. "It's almost a half-second stop. It's not even a stop — more of a pause."

"The Browns also use Wicket to verify the ages of fans purchasing alcohol at concession stands, according to Wicket's LinkedIn page," the article points out.

And a July report from Privacy International found that 25 of the top 100 soccer stadiums in the world are already using facial recognition technology.

Thanks to long-time Slashdot reader schwit1 for sharing the news.
Security

How Chinese Attackers Breached an ISP to Poison Insecure Software Updates with Malware (bleepingcomputer.com) 11

An anonymous reader shared this report from BleepingComputer: A Chinese hacking group tracked as StormBamboo has compromised an undisclosed internet service provider (ISP) to poison automatic software updates with malware. Also tracked as Evasive Panda, Daggerfly, and StormCloud, this cyber-espionage group has been active since at least 2012, targeting organizations across mainland China, Hong Kong, Macao, Nigeria, and various Southeast and East Asian countries.

On Friday, Volexity threat researchers revealed that the Chinese cyber-espionage gang had exploited insecure HTTP software update mechanisms that didn't validate digital signatures to deploy malware payloads on victims' Windows and macOS devices... To do that, the attackers intercepted and modified victims' DNS requests and poisoned them with malicious IP addresses. This delivered the malware to the targets' systems from StormBamboo's command-and-control servers without requiring user interaction.

Volexity's blog post says they observed StormBamboo "targeting multiple software vendors, who use insecure update workflows..." and then "notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped."

BleepingComputer notes that "âAfter compromising the target's systems, the threat actors installed a malicious Google Chrome extension (ReloadText), which allowed them to harvest and steal browser cookies and mail data."
Safari

When It Comes to Privacy, Safari Is Only the Fourth-Best Browser (yahoo.com) 36

Apple's elaborate new ad campaign promises that Safari is "a browser that protects your privacy." And the Washington Post says Apple "deserves credit for making many privacy protections automatic with Safari..."

"But Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, said Safari is no better than the fourth-best web browser for your privacy." "If browser privacy were a sport at the Olympics, Apple isn't getting on the medal stand," Cahn said. (Apple did not comment about this.)

Safari stops third-party cookies anywhere you go on the web. So do Mozilla's Firefox and the Brave browser... Chrome allows third-party cookies in most cases unless you turn them off... Even without cookies, a website can pull information like the resolution of your computer screen, the fonts you have installed, add-on software you use and other technical details that in aggregate can help identify your device and what you're doing on it. The measures, typically called "fingerprinting," are privacy-eroding tracking by another name. Nick Doty with the Center for Democracy & Technology said there's generally not much you can do about fingerprinting. Usually you don't know you're being tracked that way. Apple says it defends against common fingerprinting techniques but Cahn said Firefox, Brave and the Tor Browser all are better at protecting you from digital surveillance. That's why he said Safari is no better than the fourth-best browser for privacy.

Safari's does offer extra privacy protections in its "private" mode, the article points out. "When you use this option, Apple says it does more to block use of 'advanced' fingerprinting techniques. It also steps up defenses against tracking that adds bits of identifying information to the web links you click."

The article concludes that Safari users can "feel reasonably good about the privacy (and security) protections, but you can probably do better — either by tweaking your Apple settings or using a web browser that's even more private than Safari."
Japan

Japan Mandates App To Ensure National ID Cards Aren't Forged (theregister.com) 34

The Japanese government has released details of an app that verifies the legitimacy of its troubled My Number Card -- a national identity document. From a report: Beginning in 2015, every resident of Japan was assigned a 12 digit My Number that paved the way for linking social security, taxation, disaster response and other government services to both the number itself and a smartcard. The plan was to banish bureaucracy and improve public service delivery -- but that didn't happen.

My Number Card ran afoul of data breaches, reports of malfunctioning card readers, and database snafus that linked cards to other citizens' bank accounts. Public trust in the scheme fell, and adoption stalled. Now, according to Japan's Digital Ministry, counterfeit cards are proliferating to help miscreant purchase goods -- particularly mobile phones -- under fake identities. Digital minister Taro Kono yesterday presented his solution to the counterfeits: a soon to be mandatory app that confirms the legitimacy of the card. The app uses the camera on a smartphone to read information printed on the card -- like date of birth and name. It compares those details to what it reads from info stored in the smartcard's resident chip, and confirms the data match without the user ever needing to enter their four-digit PIN.

The Almighty Buck

'Venmo and Zelle May Not Be Free For Much Longer' (bloomberg.com) 49

An anonymous reader quotes an op-ed, written by former hedge fund manager Marc Rubinstein: With new technologies come new rules governing how they are used. Often, policy is framed via analogy: Are social media platforms publishers or are they town squares? Are instant messages water-cooler chatter or are they formal communication? So it is with peer-to-peer electronic payments. Last week a US Senate committee joined the debate over whether they're analogous to cash or to bank-payment channels. It's an essential distinction -- for both consumers and the companies that provide this free service. [...] Yet while no bank would accept liability if a customer lost their wallet to a pickpocket, the senators' debate focused on who's responsible when fraudsters target electronic wallets. Last year, customers of the three largest lenders -- Bank of America, JPMorgan Chase and Wells Fargo -- lost a total of $370 million via Zelle, the platform these banks jointly own with four others. According to the majority staff report (PDF) filed by the Permanent Subcommittee on Investigations, which convened the July 23 hearing, the banks reimbursed only around $100 million of that, leaving consumers to shoulder the rest. While small in the context of overall volume that go through Zelle -- $806 billion last year, of which these banks did 73% -- that's cold comfort for the customers.

Legally, a bank's obligation rests on whether clients fall victim to a "fraud" or to a "scam." In a fraud, money is transferred out of the user's account without their authorization, usually as the result of hacking. Under the Electronic Fund Transfer Act, banks are required to reimburse such losses. As long as the customer authorizes the transaction, though, even if fraudulently induced to do so, banks don't have to pick up the tab. Such scams are growing as fraudsters parade as a bank employee, a love interest or a potential new employer, often via social media. According to a Pew Research survey, 13% of P2P platform users reported sending money, only later to realize they were set up. Persuading your bank you are the victim of a fraud rather than a scam can take some work. [...] For bad guys, the speed of P2P payments makes them a particularly attractive target. A Zelle transfer can take 20 to 30 seconds to initiate. In most cases, by the time an unsuspecting consumer realizes they have been targeted, their money is already gone. Banks argue this is no different from cash. [...]

However, others see P2P transactions more akin to electronic payments and question why reimbursement rates, at 26% in the case of Zelle, are so much lower than for credit-card payments (47%) or debit-card payments (36%) at the three big banks. Despite critical differences, the subcommittee agrees. Its report recommends extending purchase protections standard in credit and debit-card markets to commercial P2P payments, and amending the Electronic Fund Transfer Act to make fraudulently induced transactions subject to reimbursement. Such a move has already been adopted in the UK, where new rules requiring financial institutions to fully reimburse victims of scams come into force in October this year. US bankers aren't keen. "We need to be thoughtful and think about unintended consequences," Adam Vancini, Wells Fargo's head of payments for Consumer, Small & Business Banking, said at the Senate hearing. For now, Zelle transfers enjoy all the benefits of cash. Layer in the benefits of card payments, too, and the no-cost model may disappear.

Slashdot Top Deals