Government

Warrantless Surveillance Can Continue Even If Law Expires, Officials Say (theverge.com) 68

According to a New York Times report citing American officials, the Trump administration has decided that the National Security Agency and the FBI can lawfully keep operating their warrantless surveillance program even if Congress fails to extend the law authorizing it before an expiration date of New Year's Eve. The Verge reports: The White House believes the Patriot Act's surveillance provisions won't expire until four months into 2018. Lawyers point to a one-year certification that was granted on April 26th of last year. If that certification is taken as a legal authorization for the FISA court overall -- as White House lawyers suggest -- then Congress will have another four months to work out the details of reauthorization. There are already several proposals for Patriot Act reauthorization in the Senate, which focus the Section 702 provisions that authorize certain types of NSA surveillance. Some of the proposals would close the backdoor search loophole that allows for warrantless surveillance of U.S. citizens, although a recent House proposal would leave it in place. But with Congress largely focused on tax cuts and the looming debt ceiling fight, it's unlikely the differences could be reconciled before the end of the year.
AMD

AMD Quietly Made Some Radeon RX 560 Graphics Cards Worse (pcworld.com) 40

Brad Chacos: When the Radeon RX 560 launched in April it was the only RX 500-series card with a meaningful under-the-hood tech boost compared to the RX 400-series. The graphics processor in the older RX 460 cards packed 14 compute units and 896 stream processors; the upgraded Radeon RX 560 bumped that to 16 CUs and 1,024 SPs. Now, some -- but not all -- of the Radeon RX 560s you'll find online have specs that match the older 460 cards, and sometimes run at lower clock speeds to boot. AMD's Radeon RX 560 page was also quietly altered to include the new configurations at some point, Heise.de discovered. The last snapshot of the page by the Internet Archive's Wayback Machine occurred on July 7 and only lists the full-fat 16 CU version of the card, so the introduction of the nerfed 896 SP model likely occurred some time after that. Sifting through all of the available Radeon RX 560s on Newegg this morning reveals a fairly even split between the two configurations, all of which are being sold under the same RX 560 name. In a statement, AMD acknowledged the existence of 14 Compute Unit (896 stream processors) and 16 Compute Unit (1024 stream processor) versions of the Radeon RX 560. "We introduced the 14CU version this summer to provide AIBs and the market with more RX 500 series options. It's come to our attention that on certain AIB and etail websites there's no clear delineation between the two variants. We're taking immediate steps to remedy this: we're working with all AIB and channel partners to make sure the product descriptions and names clarify the CU count, so that gamers and consumers know exactly what they're buying. We apologize for the confusion this may have caused."
Security

Apple Issues Security Updates for MacOS, iOS, TvOS, WatchOS, and Safari (bleepingcomputer.com) 30

Catalin Cimpanu, writing for BleepingComputer: Over the course of the last four days, Apple has released updates to address security issues for several products, such as macOS High Sierra, Safari, watchOS, tvOS, and iOS. The most relevant security update is the one to macOS, as it also permanently fixes the bug that allowed attackers to access macOS root accounts without having to type a password. Apple issued a patch for the bug the next day after it was discovered, but because the patch was delivered as an out-of-band update that did not alter the macOS version number, when users from older macOS versions updated to 10.13.1 (the vulnerable version), the bug was still present. With today's update, the patch for the bug -- now known as "IAmRoot" (CVE-2017-13872) -- has received a permanent fix. All users who upgrade to macOS High Sierra 10.13.2 are safe.
Security

NiceHash Hacked, $62 Million of Bitcoin May Be Stolen (reddit.com) 79

New submitter Chir breaks the news to us that the NiceHash crypto-mining marketplace has been hacked. The crypto mining pool broke the news on Reddit, where users suggest that as many as 4,736.42 BTC -- an amount worth more than $62 million at current prices -- has been stolen. The NiceHash team is urging users to change their online passwords as a result of the breach and theft.
Encryption

US Says It Doesn't Need a Court Order To Ask Tech Companies To Build Encryption Backdoors (gizmodo.com) 249

schwit1 shares a report from Gizmodo: According to statements from July released this weekend, intelligence officials told members of the Senate Intelligence Committee that there's no need for them to approach courts before requesting a tech company help willfully -- though they can always resort to obtaining a Foreign Intelligence Surveillance Court order if the company refuses. The documents show officials testified they had never needed to obtain such an FISC order, though they declined to tell the committee whether they had "ever asked a company to add an encryption backdoor," per ZDNet. Other reporting has suggested the FISC has the power to authorize government personnel to compel such technical assistance without even notifying the FISC of what exactly is required. Section 702 of the Foreign Intelligence Surveillance Act gives authorities additional powers to compel service providers to build backdoors into their products.
Privacy

Germany Preparing Law for Backdoors in Any Type of Modern Device (bleepingcomputer.com) 251

Catalin Cimpanu, writing for BleepingComputer: German authorities are preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations. The law would target all modern devices, such as cars, phones, computers, IoT products, and more. Officials are expected to submit their proposed law for debate this week, according to local news outlet RedaktionsNetzwerk Deutschland (RND). The man supporting this proposal is Thomas de Maiziere, Germany's Interior Minister, who cites the difficulty law enforcement agents have had in past months investigating the recent surge of terrorist attacks and other crimes.
Security

A Popular Virtual Keyboard App Leaks 31 Million Users' Personal Data (zdnet.com) 65

Zack Whittaker, writing for ZDNet: Personal data belonging to over 31 million customers of a popular virtual keyboard app has leaked online, after the app's developer failed to secure the database's server. The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users across the world. But the server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data. The database appears to only contain records on the app's Android users.
Security

PayPal Says 1.6 Million Customer Details Stolen In Breach At Canadian Subsidiary (bleepingcomputer.com) 24

New submitter Kargan shares a report from BleepingComputer: PayPal says that one of the companies it recently acquired suffered a security incident during which an attacker appears to have accessed servers that stored information for 1.6 million customers. The victim of the security breach is TIO Networks, a Canadian company that runs a network of over 60,000 utility and bills payment kiosks across North America. PayPal acquired TIO Networks this past July for $238 million in cash. PayPal reportedly suspended the operations of TIO's network on November 10th. "PayPal says the intruder(s) got access to the personal information of both TIO customers and customers of TIO billers," reports BleepingComputer. "The company did not reveal what type of information the attacker accessed, but since this is a payment system, attackers most likely obtained both personally-identifiable information (PII) and financial details." The company has started notifying customers and is offering free credit monitoring memberships.
IT

Man Hacks Jail Computer Network To Get Inmate Released Early (bleepingcomputer.com) 31

An anonymous reader writes: A Michigan man pleaded guilty last week to hacking the computer network of the Washtenaw County Jail, where he modified inmate records in an attempt to have an inmate released early. To breach the jail's network, the attacker used only spear-phishing emails and telephone social engineering.

The man called jail employees and posed as local IT staffers, tricking some into accessing a website, and downloading and installing malware under the guise of a jail system upgrade. Once the man (Konrads Voits) had access to this data, investigators said he accessed the XJail system, searched and accessed the records of several inmates, and modified at least one entry "in an effort to get that inmate released early." Jail employees noticed the modification right away and alerted the FBI. The man as arrested a month later and is now awaiting sentencing (maximum 10 years and a fine of up to $250,000).

Desktops (Apple)

Apple Snafu Means Updating To macOS 10.13.1 Could Reactivate Root Access Bug (betanews.com) 74

Mark Wilson writes: A few days ago, a serious security flaw with macOS High Sierra came to light. It was discovered that it was possible to log into the 'root' account without entering a password, and -- although the company seemed to have been alerted to the issue a couple of weeks back -- praise was heaped on Apple for pushing a fix out of the door quickly. But calm those celebrations. It now transpires that the bug fix has a bug of its own. Upgrade to macOS 10.13.1 and you could well find that the patch is undone. Slow hand clap.
Botnet

How 'Grinch Bots' Are Ruining Online Christmas Shopping (nypost.com) 283

Yes, U.S. Senator Chuck Schumer actually called them "Grinch bots." From the New York Post: The senator said as soon as a retailer puts a hard-to-get toy -- like Barbie's Dreamhouse or Nintendo game systems -- for sale on a website, a bot can snatch it up even before a kid's parents finish entering their credit card information... "Bots come in and buy up all the toys and then charge ludicrous prices amidst the holiday shopping bustle," the New York Democrat said on Sunday... For example, Schumer said, the popular Fingerlings -- a set of interactive baby monkey figurines that usually sell for around $15 -- are being snagged by the scalping software and resold on secondary websites for as much as $1,000 a pop...

In December 2016, Congress passed the Better Online Ticket Sales (BOTS) Act, which Schumer sponsored, to crack down on their use to buy concert tickets, but the measure doesn't apply to other consumer products. He wants that law expanded but knows that won't happen in time for this holiday season. In the meantime, Schumer wants the National Retail Federation and the Retail Industry Leaders Association to block the bots and lead the effort to stop them from buying toys at fair retail prices and then reselling them at outrageous markups.

Intel

Dell Begins Offering Laptops With Intel's 'Management Engine' Disabled (liliputing.com) 140

An anonymous reader quotes Liliputing.com Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward. Those two computer companies are pretty small players in the multi-billion dollar PC industry. But it turns out one of the world's largest PC companies is also offering customers the option of buying a computer with Intel Management Engine disabled.

At least three Dell computers can be configured with an "Intel vPro -- ME Inoperable, Custom Order" option, although you'll have to pay a little extra for those configurations... While Intel doesn't officially provide an option to disable its Management Engine, independent security researchers have discovered methods for doing that and we're starting to see PC makers make use of those methods.

The option appears to be available on most of Dell's Latitude laptops (from the 12- to 15-inch screens), including the 7480, 5480, and 5580 and the Latitude 14 5000 Series (as well as several "Rugged" and "Rugged Extreme" models).

Dell is charging anywhere from $20.92 to $40 to disable Intel's Management Engine.
Security

StartCom Will Stop Issuing Certificates, Revoking Them All in 2020 (startcomca.com) 42

thegarbz writes: Startcom, a certificate authority which as we covered previously has been distrusted by Mozilla, by Google, and recently also by Microsoft, has announced that it will cease trading as a Certificate Authority. While their website currently shows no indication that their certificates have any problems, a news posting has announced their intentions to stop providing certificates as of January 2018, and to revoke all remaining certificates in 2020.
The original submission also says StartCom sent an email to all their former customers -- including customers of their free StartSSL certificates -- announcing their intentions. As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.

The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority as mentioned in Startcoms website.

StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years. StartCom would like to thank you for your support during this difficult time.

Encryption

PHP Now Supports Argon2 Next-Generation Password Hashing Algorithm (bleepingcomputer.com) 94

An anonymous reader quotes Bleeping Computer: PHP got a whole lot more secure this week with the release of the 7.2 branch, a version that improves and modernizes the language's support for cryptography and password hashing algorithms.

Of all changes, the most significant is, by far, the support for Argon2, a password hashing algorithm developed in the early 2010s. Back in 2015, Argon2 beat 23 other algorithms to win the Password Hashing Competition, and is now in the midst of becoming a universally recognized Internet standard at the Internet Engineering Task Force (IETF), the reward for winning the contest. The algorithm is currently considered to be superior to Bcrypt, today's most widely used password hashing function, in terms of both security and cost-effectiveness, and is also slated to become a favorite among cryptocurrencies, as it can also handle proof-of-work operations.

The other major change in PHP 7.2 was the removal of the old Mcrypt cryptographic library from the PHP core and the addition of Libsodium, a more modern alternative.

Education

Massive Financial Aid Data Breach Proves Stanford Lied For Years To MBAs (poetsandquants.com) 116

14 terabytes of "highly confidential" data about 5,120 financial aid applications over seven years were exposed in a breach at Stanford's Graduate School of Business -- proving that the school "misled thousands of applicants and donors about the way it distributes fellowship aid and financial assistance to its MBA students," reports Poets&Quants. The information was unearthed by a current MBA student, Adam Allcock, in February of this year from a shared network directory accessible to any student, faculty member or staffer of the business school. In the same month, on Feb. 23, the student reported the breach to Jack Edwards, director of financial aid, and the records were removed within an hour of his meeting with Edwards. Allcock, however, says he spent 1,500 hours analyzing the data and compiling an 88-page report on it...

Allcock's discovery that more money is being used by Stanford to entice the best students with financial backgrounds suggests an admissions strategy that helps the school achieve the highest starting compensation packages of any MBA program in the world. That is largely because prior work experience in finance is generally required to land jobs in the most lucrative finance fields in private equity, venture capital and hedge funds.

Half the school's students are awarded financial aid, and though Stanford always insisted it was awarded based only on need, the report concluded the school had been "lying to their faces" for more than a decade, also identifying evidece of "systemic biases against international students."

Besides the embarrassing exposure of their financial aid policies, there's another obvious lesson, writes Slashdot reader twentysixV. "It's actually way too easy for users to improperly secure their files in a shared file system, especially if the users aren't particularly familiar with security settings." Especially since Friday the university also reported another university-wide file-sharing platform had exposed "a variety of information from several campus offices, including Clery Act reports of sexual violence and some confidential student disciplinary information from six to 10 years ago."
Republicans

Valuable Republican Donor Database Breached -- By Other Republicans (politico.com) 73

Politico reports: Staffers for Senate Republicans' campaign arm seized information on more than 200,000 donors from the House GOP campaign committee over several months this year by breaking into its computer system, three sources with knowledge of the breach told Politico... Multiple NRSC staffers, who previously worked for the NRCC, used old database login information to gain access to House Republicans' donor lists this year. The donor list that was breached is among the NRCC's most valuable assets, containing not only basic contact information like email addresses and phone numbers but personal information that could be used to entice donors to fork over cash -- information on top issues and key states of interest to different people, the names of family members, and summaries of past donation history... Donor lists like these are of such value to party committees that they can use them as collateral to obtain loans worth millions of dollars when they need cash just before major elections...

"The individuals on these lists are guaranteed money," said a Republican fundraiser. "They will give. These are not your regular D.C. PAC list"... The list has helped the NRCC raise over $77 million this year to defend the House in 2018... Though the House and Senate campaign arms share the similar goal of electing Republican candidates and often coordinate strategy in certain states, they operate on distinct tracks and compete for money from small and large donors.

Long-time Slashdot reader SethJohnson says the data breach "is the result of poor deprovisioning policies within the House Republican Campaign Committee -- allowing staff logins to persist after a person has left the organization."

NRCC officials who learned of the breach "are really pissed," one source told the site.
Space

A Programing Error Blasted 19 Russian Satellites Back Towards Earth (arstechnica.com) 90

An anonymous reader quotes Ars Technica's report on Russia's failed attempt to launch 19 satellites into orbit on Tuesday: Instead of boosting its payload, the Soyuz 2.1b rocket's Fregat upper stage fired in the wrong direction, sending the satellites on a suborbital trajectory instead, burning them up in Earth's atmosphere... According to normally reliable Russian Space Web, a programming error caused the Fregat upper stage, which is the spacecraft on top of the rocket that deploys satellites, to be unable to orient itself. Specifically, the site reports, the Fregat's flight control system did not have the correct settings for a mission launching from the country's new Vostochny cosmodrome. It evidently was still programmed for Baikonur, or one of Russia's other spaceports capable of launching the workhorse Soyuz vehicle. Essentially, then, after the Fregat vehicle separated from the Soyuz rocket, it was unable to find its correct orientation. Therefore, when the Fregat first fired its engines to boost the satellites into orbit, it was still trying to correct this orientation -- and was in fact aimed downward toward Earth. Though the Fregat space tug has been in operation since the 1990s, this is its fourth failure -- all of which have happened within the last 8 years.

"In each of the cases, the satellite did not reach its desired orbit," reports Ars Technica, adding "As the country's heritage rockets and upper stages continue to age, the concern is that the failure rate will increase."
Communications

Volunteers Around the World Build Surveillance-Free Cellular Network Called 'Sopranica' (vice.com) 77

dmoberhaus writes: Motherboard's Daniel Oberhaus spoke to Denver Gingerich, the programmer behind Sopranica, a DIY, community-oriented cell phone network. "Sopranica is a project intended to replace all aspects of the existing cell phone network with their freedom-respecting equivalents," says Gingerich. "Taking out all the basement firmware on the cellphone, the towers that track your location, the payment methods that track who you are and who owns the number, and replacing it so we can have the same functionality without having to give up all the privacy that we have to give up right now. At a high level, it's about running community networks instead of having companies control the cell towers that we connect to." Motherboard interviews Gingerich and shows you how to use the network to avoid cell surveillance. According to Motherboard, all you need to do to join Sopranica is "create a free and anonymous Jabber ID, which is like an email address." Jabber is slang for a secure instant messaging protocol called XMPP that let's you communicate over voice and text from an anonymous phone number. "Next, you need to install a Jabber app on your phone," reports Motherboard. "You'll also need to install a Session Initiation Protocol (SIP) app, which allows your phone to make calls and send texts over the internet instead of the regular cellular network." Lastly, you need to get your phone number, which you can do by navigating to Sopranica's JMP website. (JMP is the code, which was published by Gingerich in January, and "first part of Sopranica.") "These phone numbers are generated by Sopranica's Voice Over IP (VOIP) provider which provides talk and text services over the internet. Click whichever number you want to be your new number on the Sopranica network and enter your Jabber ID. A confirmation code should be sent to your phone and will appear in your Jabber app." As for how JMP protects against surveillance, Gingerich says, "If you're communicating with someone using your JMP number, your cell carrier doesn't actually know what your JMP number is because that's going over data and it's encrypted. So they don't know that that communication is happening."
Bitcoin

Blockchains Are Poised To End the Password Era (technologyreview.com) 129

schwit1 shares a report from MIT Technology Review: Blockchain technology can eliminate the need for companies and other organizations to maintain centralized repositories of identifying information, and users can gain permanent control over who can access their data (hence "self-sovereign"), says Drummond Reed, chief trust officer at Evernym, a startup that's developing a blockchain network specifically for managing digital identities. Self-sovereign identity systems rely on public-key cryptography, the same kind that blockchain networks use to validate transactions. Although it's been around for decades, the technology has thus far proved difficult to implement for consumer applications. But the popularity of cryptocurrencies has inspired fresh commercial interest in making it more user-friendly.

Public-key cryptography relies on pairs of keys, one public and one private, which are used to authenticate users and verify their encrypted transactions. Bitcoin users are represented on the blockchain by strings of characters called addresses, which are derived from their public keys. The "wallet" applications they use to hold and exchange digital coins are essentially management systems for their private keys. Just like a real wallet, they can also hold credentials that serve as proof of identification, says Reed. Using a smartphone or some other device, a person could use a wallet-like application to manage access to these credentials. But will regular consumers buy in? Technologists will need to create a form factor and user experience compelling enough to convince them to abandon their familiar usernames and passwords, says Meltem Demirors, development director at Digital Currency Group, an investment firm that funds blockchain companies. The task calls for reinforcements, she says: "The geeks are working on it right now, but we need the designers, we need the sociologists, and we need people who study ethics of technology to participate."

Businesses

Homeland Security Claims DJI Drones Are Spying For China (engadget.com) 82

A memo from the Los Angeles office of the Immigration and Customs Enforcement bureau (ICE) says that the officials assess "with moderate confidence that Chinese-based company DJI Science and Technology is providing U.S. critical infrastructure and law enforcement data to the Chinese government." It also says that the information is based on "open source reporting and a reliable source within the unmanned aerial systems industry with first and secondhand access." Engadget reports: Part of the memo focuses on targets that the LA ICE office believes to be of interest to DJI. "DJI's criteria for selecting accounts to target appears to focus on the account holder's ability to disrupt critical infrastructure," it said. The memo goes on to say that DJI is particularly interested in infrastructure like railroads and utilities, companies that provide drinking water as well as weapon storage facilities. The LA ICE office concludes that it, "assesses with high confidence the critical infrastructure and law enforcement entities using DJI systems are collecting sensitive intelligence that the Chinese government could use to conduct physical or cyber attacks against the United States and its population." The accusation that DJI is using its drones to spy on the US and scope out particular facilities for the Chinese government seems pretty wacky and the company itself told the New York Times that the memo was "based on clearly false and misleading claims."
Businesses

US 'Orchestrated' Russian Spies Scandal, Says Kaspersky Founder (theguardian.com) 141

Alex Hern, writing for The Guardian: Eugene Kaspersky, chief executive and co-founder of the embattled Russian cybersecurity firm that bears his name, believes his company is at the centre of a "designed and orchestrated attack" to destroy its reputation. Over a short period in the summer of 2017, Kaspersky Labs was the subject of multiple media reports alleging that the company had helped Russian intelligence agencies spy on the US, a number of FBI raids on staff members, and a nationwide ban on the use of its software by federal government agencies. "This media attack and government attack from the United States, it was designed and orchestrated," Mr Kaspersky said at a press conference in London. "Because at the same time, there was government, there was FBI, there was media attack. That is expensive ... I mean all kinds of resources: political influence, money, lobbyists, the media etc." When asked directly whether he had ever been asked to help Russian intelligence agencies spy on the US, Kaspersky vehemently denied any such conversations had ever happened saying: "They have never asked us to spy on people. Never." "If the Russian government comes to me and asks me to do anything wrong, I will move the business out of Russia," he added. "We never helped the espionage agencies, the Russians or any other nation."
Chrome

Google Will Block Third-Party Software From Injecting Code Into Chrome (bleepingcomputer.com) 40

Catalin Cimpanu, writing for BleepingComputer: Google has laid out a plan for blocking third-party applications from injecting code into the Chrome browser. The most impacted by this change are antivirus and other security products that often inject code into the user's local browser process to intercept and scan for malware, phishing pages, and other threats. Google says these changes will take place in three main phases over the next 14 months. Phase 1: In April 2018, Chrome 66 will begin showing affected users a warning after a crash, alerting them that other software is injecting code into Chrome and guiding them to update or remove that software. Phase 2: In July 2018, Chrome 68 will begin blocking third-party software from injecting into Chrome processes. If this blocking prevents Chrome from starting, Chrome will restart and allow the injection, but also show a warning that guides the user to remove the software. Phase 3: In January 2019, Chrome 72 will remove this accommodation and always block code injection.
Businesses

The Underground Uber Networks Driven by Russian Hackers (thedailybeast.com) 49

Joseph Cox, reporting for DailyBeat: Uber's ride-sharing service has given birth to some of the most creative criminal scams to date, including using a GPS-spoofing app to rip off riders in Nigeria, and even ginning up fake drivers by using stolen identities. Add to those this nefariously genius operation: Cybercriminals, many working in Russia, have created their own illegitimate taxi services for other crooks by piggybacking off Uber's ride-sharing platform, sometimes working in collaboration with corrupt drivers. Based on several Russian-language posts across a number of criminal-world sites, this is how the scam works: The scammer needs an emulator, a piece of software which allows them to run a virtual Android phone on their laptop with the Uber app, as well as a virtual private network (VPN), which routes their computer's traffic through a server in the same city as the rider. The scammer acts, in essence, as a middleman between an Uber driver and the passenger -- ordering trips through the Uber app, but relaying messages outside of it. Typically, this fraudulent dispatcher uses the messaging app Telegram to chat with the passenger, who provides pickup and destination addresses. The scammer orders the trip, and then provides the car brand, driver name, and license plate details back to the passenger through Telegram.
Government

Democrat Senators Introduce National Data Breach Notification Law (cyberscoop.com) 162

New submitter unarmed8 shares a report from CyberScoop: Three Democratic senators introduced legislation on Thursday requiring companies to notify customers of data breaches within thirty days of their discovery and imposing a five year prison sentence on organizations caught concealing data breaches. The new bill, called the Data Security and Breach Notification Act, was introduced in the wake of reports that Uber paid $100,000 to cover up a 2016 data breach that affected 57 million users. The scope of what kind of data breach falls under this is limited. For instance, if only a last name, address or phone number is breached, the law would not apply. If an organization "reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct," the incident is considered exempt from the legislation.

"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," Sen. Bill Nelson, D-Fla., said in a statement. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."

Intel

System76 Will Disable Intel Management Engine On Its Linux Laptops (liliputing.com) 148

System76 is rolling out a firmware update for its recent laptops that will disable the Intel Management Engine altogether. The decision comes after a major security vulnerability was discovered that would allow an attacker with local access to execute arbitrary code. Liliputing reports: What's noteworthy in the System76 announcement is that the PC maker isn't just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME "provides no functionality for System76 laptop customers and is safe to disable." Right now the firmware update will only be available for computers running Ubuntu 16.04 or later or a related operating system with the System76 driver. But the company says it's working on developing a command line tool that should work on laptops running other GNU/Linux-based operating systems. System76 says it will also release an update for its desktop computers... but on those machines the update will patch the security vulnerability rather than disabling Intel ME altogether.
Desktops (Apple)

High Sierra Root Login Bug Was Mentioned on Apple's Support Forums Two Weeks Ago (daringfireball.net) 85

John Gruber, reporting for DaringFireball: It's natural to speculate how a bug as egregious as the now-fixed High Sierra root login bug could escape notice for so long. It seems to have been there ever since High Sierra 10.3.0 shipped on September 25, and may have existed in the betas through the summer. One explanation is that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try. More insidious though, is the notion that it might not have escaped notice prior to its widespread publicization yesterday -- but that the people who had heretofore discovered it kept it to themselves. This exploit was in fact posted to Apple's own support forums on November 13. It's a bizarre thread. The thread started back on June 8 when a user ran into a problem after installing the WWDC developer beta of High Sierra.
Security

'Bomb on Board' Wi-Fi Network Causes Turkish Airlines Flight To Be Diverted (reuters.com) 177

A Turkish Airlines flight from Nairobi to Istanbul was diverted after the detection of a wi-fi network called "bomb on board" that alarmed the passengers, the airline said on Thursday. From a report: In a statement, Turkish Airlines said the flight made an emergency landing at the Khartoum airport in Sudan, but the flight was safely resumed after security inspections on all passengers and the aircraft. Individuals can create personal wi-fi networks on devices such as mobile phones and name them what they want.
Bug

American Airlines Accidentally Let Too Many Pilots Take Off The Holidays (npr.org) 200

A glitch in American Airlines' pilot scheduling system means that thousands of flights during the holiday season currently do not have pilots assigned to fly them. From a report: The shortage was caused by an error in the system pilots use to bid for time off, the Allied Pilots Association told NPR. The union represents the airline's 15,000 pilots. "The airline is a 24/7 op," union spokesman Dennis Tajer told CNBC. "The system went from responsibly scheduling everybody to becoming Santa Claus to everyone." "The computer said, 'Hey ya'll. You want the days off? You got it.'"
Facebook

Facebook's New Captcha Test: 'Upload A Clear Photo of Your Face' (wired.com) 302

An anonymous reader shares a report: Facebook may soon ask you to "upload a photo of yourself that clearly shows your face," to prove you're not a bot. The company is using a new kind of captcha to verify whether a user is a real person. According to a screenshot of the identity test shared on Twitter on Tuesday and verified by Facebook, the prompt says: "Please upload a photo of yourself that clearly shows your face. We'll check it and then permanently delete it from our servers." The process is automated, including identifying suspicious activity and checking the photo. To determine if the account is authentic, Facebook looks at whether the photo is unique.
Privacy

Sensitive Personal Information of 246,000 DHS Employees Found on Home Computer (usatoday.com) 59

The sensitive personal information of 246,000 Department of Homeland Security employees was found on the home computer server of a DHS employee in May, according to documents obtained by USA TODAY. From the report: Also discovered on the server was a copy of 159,000 case files from the inspector general's investigative case management system, which suspects in an ongoing criminal investigation intended to market and sell, according to a report sent by DHS Inspector General John Roth on Nov. 24 to key members of Congress. The information included names, Social Security numbers and dates of birth, the report said. The inspector general's acting chief information security officer reported the breach to DHS officials on May 11, while IG agents reviewed the details. Acting DHS Secretary Elaine Duke decided on Aug. 21 to notify affected employees who were employed at the department through the end of 2014 about the breach.
Desktops (Apple)

Apple To Review Software Practices After Patching Serious Mac Bug (reuters.com) 192

Apple said on Wednesday it would review its software development process after scrambling to patch a serious bug it learned of on Tuesday in its macOS operating system for desktop and laptop computers. From a report: "We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused," Apple said in a statement. "Our customers deserve better. We are auditing our development processes to help prevent this from happening again."
Android

66 Percent of Popular Android Cryptocurrency Apps Don't Use Encryption (vice.com) 32

An anonymous reader shares a report: High-Tech Bridge used its free mobile app analysis software, called Mobile X-Ray, to peek under the hood of the top 30 cryptocurrency apps in the Google Play store at three different popularity levels: apps with up to 100,000 downloads, up to 500,000 downloads, and apps with more than 500,000 downloads. So, a total of 90 apps altogether. Of the most popular apps, 94 percent used outdated encryption, 66 percent didn't use HTTPS to encrypt user information in transit, 44 percent used hard-coded default passwords (stored in plain text in the code), and overall 94 percent of the most popular apps were found to have "at least three medium-risk vulnerabilities."
Software

Three Quarters of Android Apps Track Users With Third Party Tools, Says Study (theguardian.com) 46

A study by French research organization Exodus Privacy and Yale University's Privacy Lab analyzed the mobile apps for the signatures of 25 known trackers and found that more than three in four Android apps contain at least one third-party "tracker." The Guardian reports: Among the apps found to be using some sort of tracking plugin were some of the most popular apps on the Google Play Store, including Tinder, Spotify, Uber and OKCupid. All four apps use a service owned by Google, called Crashlytics, that primarily tracks app crash reports, but can also provide the ability to "get insight into your users, what they're doing, and inject live social content to delight them." Other less widely-used trackers can go much further. One cited by Yale is FidZup, a French tracking provider with technology that can "detect the presence of mobile phones and therefore their owners" using ultrasonic tones. FidZup says it no-longer uses that technology, however, since tracking users through simple wifi networks works just as well.
Bug

MacOS High Sierra Bug Allows Login As Root With No Password (theregister.co.uk) 237

An anonymous reader quotes a report from The Register: A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password. The security bug is triggered via the authentication dialog box in Apple's operating system, which prompts you for an administrator's username and password when you need to do stuff like configure privacy and network settings. If you type in "root" as the username, leave the password box blank, hit "enter" and then click on unlock a few times, the prompt disappears and, congrats, you now have admin rights. You can do this from the user login screen. The vulnerability effectively allows someone with physical access to the machine to log in, cause extra mischief, install malware, and so on. You should not leave your vulnerable Mac unattended until you can fix the problem. And while obviously this situation is not the end of the world -- it's certainly far from a remote hole or a disk decryption technique -- it's just really, really sad to see megabucks Apple drop the ball like this. Developer Lemi Orhan Ergan was the first to alert the world to the flaw. The Register notes: "If you have a root account enabled and a password for it set, the black password trick will not work. So, keep the account enabled and set a root password right now..."
Security

New NSA Leak Exposes Red Disk, the Army's Failed Intelligence System (zdnet.com) 67

Zack Whittaker, reporting for ZDNet: The contents of a highly sensitive hard drive belonging to a division of the National Security Agency have been left online. The virtual disk image contains over 100 gigabytes of data from an Army intelligence project, codenamed "Red Disk." The disk image belongs to the US Army's Intelligence and Security Command, known as INSCOM, a division of both the Army and the NSA. The disk image was left on an unlisted but public Amazon Web Services storage server, without a password, open for anyone to download. Unprotected storage buckets have become a recurring theme in recent data leaks and exposures. In the past year alone, Accenture, Verizon, and Viacom, and several government departments, were all dinged by unsecured data.
HP

HP Quietly Installs System-Slowing Spyware On Its PCs, Users Say (computerworld.com) 127

It hasn't been long since Lenovo settled a massive $3.5 million fine for preinstalling adware on laptops without users' consent, and it appears HP is on to the same route already. According to numerous reports gathered by news outlet Computer World, the brand is deploying a telemetry client on customer computers without asking permission. The software, called "HP Touchpoint Analytics Service", appears to replace the self-managed HP Touchpoint Manager solution. To make matter worse, the suite seems to be slowing down PCs, users say. From the report: Dubbed "HP Touchpoint Analytics Service," HP says it "harvests telemetry information that is used by HP Touchpoint's analytical services." Apparently, it's HP Touchpoint Analytics Client version 4.0.2.1435. There are dozens of reports of this new, ahem, service scattered all over the internet. According to Gunter Born, reports of the infection go all the way back to Nov. 15, when poster MML on BleepingComputer said: "After the latest batch of Windows updates, about a half hour after installing the last, I noticed that this had been installed on my computer because it showed up in the notes of my Kaspersky, and that it opened the Windows Dump File verifier and ran a disk check and battery test." According to Gartner, HP was the largest PC vendor in the quarter that ended in September this year.
Bug

iPhone Users Complain About the Word 'It' Autocorrecting To 'I.T' On iOS 11 and Later (macrumors.com) 116

An anonymous reader quotes a report from MacRumors: At least a few hundred iPhone users and counting have complained about the word "it" autocorrecting to "I.T" on iOS 11 and later. When affected users type the word "it" into a text field, the keyboard first shows "I.T" as a QuickType suggestion. After tapping the space key, the word "it" automatically changes to "I.T" without actually tapping the predictive suggestion. A growing number of iPhone users have voiced their frustrations about the issue on the MacRumors discussion forums, Twitter, and other discussion platforms on the web since shortly after iOS 11 was released in late September. Many users claim the apparent autocorrect bug persists even after rebooting the device and performing other basic troubleshooting. A temporary workaround is to tap Settings: General: Keyboard: Text Replacement and enter "it" as both the phrase and shortcut, but some users insist this solution does not solve the problem. A less ideal workaround is to toggle off auto-correction and/or predictive suggestions completely under Settings: General: Keyboard. MacRumors reader Tim shared a video that highlights the issue.
Cellphones

White House Weighs Personal Mobile Phone Ban For Staff (bloomberg.com) 113

The White House is considering banning its employees from using personal mobile phones while at work. While President Trump has been vocal about press leaks since taking office, one official said the potential change is driven by cybersecurity concerns. Bloomberg reports: One official said that there are too many devices connected to the campus wireless network and that personal phones aren't as secure as those issued by the federal government. White House Chief of Staff John Kelly -- whose personal phone was found to be compromised by hackers earlier this year -- is leading the push for a ban, another official said. The White House already takes precautions with personal wireless devices, including by requiring officials to leave phones in cubbies outside of meeting rooms where sensitive or classified information is discussed. Top officials haven't yet decided whether or when to impose the ban, and if it would apply to all staff in the executive office of the president. While some lower-level officials support a ban, others worry it could result in a series of disruptive unintended consequences.
Education

Computer Science GCSE in Disarray After Tasks Leaked Online (bbc.com) 53

An anonymous reader shares a report: The new computer science GCSE has been thrown into disarray after programming tasks worth a fifth of the total marks were leaked repeatedly online. Exams regulator Ofqual plans to pull this chunk of the qualification from the overall marks as it has been seen by thousands of people. Ofqual said the non-exam assessment may have been leaked by teachers as well as students who had completed the task. The breach affects two year groups. The first will sit the exam in summer 2018. Last year 70,000 students were entered for computer science GCSE. A quick internet search reveals numerous posts about the the non-exam assessment, with questions and potential answers.
Iphone

Two Major Cydia Hosts Shut Down as Jailbreaking Fades in Popularity (macrumors.com) 90

Joe Rossignol, writing for MacRumors: ModMy last week announced it has archived its default ModMyi repository on Cydia, which is essentially an alternative App Store for downloading apps, themes, tweaks, and other files on jailbroken iPhone, iPad, and iPod touch devices. ZodTTD/MacCiti also shut down this month, meaning that two out of three of Cydia's major default repositories are no longer active as of this month. ModMy recommends developers in the jailbreaking community use the BigBoss repository, which is one of the last major Cydia sources that remains functional. The closure of two major Cydia repositories is arguably the result of a declining interest in jailbreaking, which provides root filesystem access and allows users to modify iOS and install unapproved apps on an iPhone, iPad, or iPod touch. When the iPhone and iPod touch were first released in 2007, jailbreaking quickly grew in popularity for both fun and practical reasons. Before the App Store, for example, it allowed users to install apps and games. Jailbreaking was even useful for something as simple as setting a wallpaper, not possible on early iOS versions.
Government

FBI Failed To Notify 70+ US Officials Targeted By Russian Hackers (apnews.com) 94

An anonymous reader quotes the AP: The FBI failed to notify scores of U.S. officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year that the targets were in the Kremlin's crosshairs, The Associated Press has found. Nearly 80 interviews with Americans targeted by Fancy Bear, a Russian government-aligned cyberespionage group, turned up only two cases in which the FBI had provided a heads-up. Even senior policymakers discovered they were targets only when the AP told them, a situation some described as bizarre and dispiriting.

"It's utterly confounding," said Philip Reiner, a former senior director at the National Security Council, who was notified by the AP that he was targeted in 2015. "You've got to tell your people. You've got to protect your people." The FBI declined to answer most questions from AP about how it had responded to the spying campaign... A senior FBI official, who was not authorized to publicly discuss the hacking operation because of its sensitivity, declined to comment on timing but said that the bureau was overwhelmed by the sheer number of attempted hacks... A few more were contacted by the FBI after their emails were published in the torrent of leaks that coursed through last year's electoral contest. But to this day, some leak victims have not heard from the bureau at all.

Here's an interesting statistic from the AP's analysis. "Out of 312 U.S. military and government figures targeted by Fancy Bear, 131 clicked the links sent to them."
Security

Should Brokers Use 'Voice Prints' For Stock Transactions? (cnbc.com) 64

Fidelity and Charles Schwab now allow traders to use "voice prints" to authorize stock transactions. But there's more to the story, argues long-time Slashdot reader maiden_taiwan: Fidelity Investments is touting its new security feature, MyVoice, which allows a customer to access his/her financial accounts by telephone without a password. "When you call Fidelity, you'll no longer have to enter PINs or passwords because Fidelity MyVoice helps you interact with us securely and more conveniently. Through natural conversation, MyVoice will detect and verify your voiceprint in the first few moments of the call... Fidelity MyVoice performs even if you have a cold, allergies, or a sore throat."

Based on my own experience, Fidelity now enables MyVoice automatically for its customers who call in for other reasons. Apparently, their conversation with Fidelity customer service provides enough data for MyVoice to recognize them. (Customers are informed afterward that MyVoice has been enabled, and they can opt out, although they aren't told that opting out is possible.)

It's not clear whether Fidelity is creating voice profiles of their customers without asking first. (Fidelity's site says only that their representatives will "offer" to enroll you the next time you call.) But the original submission ends with two more questions. "In an era where Apple's face recognition is easily defeated by family members, is voice recognition any more secure?"

And "Is a 'voiceprint' even possible?"
Education

Why Do Employers Require College Degrees That Aren't Necessary? (thestreet.com) 358

Slashdot reader pefisher writes: A lot of us on Slashdot have noticed that potential employers advertise for things they don't need. To the point that sometimes they even ask for things that don't exist. Like asking for ten years of experience in a technology that has only just been introduced. It's frustrating because it makes you wonder "what's this employers real game?"

Do they just want to say they advertised for the position, or are they really so immensely stupid, so disconnected from their own needs, that they think they are actually asking for something they can have...? Here is a Harvard Study that addresses one particular angle of this. It doesn't answer any questions, but it does prove that you aren't crazy. And it quantifies the craziness.

The study's author calls it "degree inflation," and after studying 26 million job postings concluded that employers are now less willing to actually train new people on the job, possibly to save money. "Many companies have fallen into a lazy way of thinking about this," the study's author tells The Street, saying companies are "[looking for] somebody who is just job-ready to just show up." The irony is that college graduates will ultimately be paid a higher salary -- even though for many jobs, the study found that a college degree yields zero improvement in actual performance.

The Street reports that "In a market where companies increasingly rely on computerized systems to cull out early-round applicants, that has led firms to often consider a bachelor's degree indicative of someone who can socialize, run a meeting and generally work well with others." One company tells them that "we removed the requirement to have a computer science degree, and we removed the requirement to have experience in development computer programming. And when we removed those things we found that the pool of potential really good team members drastically expanded."
Robotics

Is Sharp's Robot Vacuum Cleaner Vulnerable To Remote Take-over? (jvn.jp) 42

Slashdot reader AmiMoJo reports: Sharp's COCOROBO (heart-bot) vacuum cleaners can not just clean your house. They have cameras that can be viewed from a smart phone, and automatically take pictures of things they find under your sofa. They have microphones and voice recognition, and are able to ask how your day was when you get home from work. You can even activate their speakers and talk to your pets from the office. Unfortunately, so can anyone else if you don't install critical firmware updates.
JPCERT's warning says that the attacker must be on the same LAN to impersonate you, though "as a result, there is a possibility that an arbitrary operation may be conducted."
United States

Bipartisan US Election Group Issues Security Tips (reuters.com) 103

An anonymous reader quotes Reuters: A bipartisan Harvard University project aimed at protecting elections from hacking and propaganda will release its first set of recommendations today on how U.S. elections can be defended from hacking attacks. The 27-page guidebook calls for campaign leaders to emphasize security from the start and insist on practices such as two-factor authentication for access to email and documents and fully encrypted messaging via services including Signal and Wickr. The guidelines are intended to reduce risks in low-budget local races as well as the high-stakes Congressional midterm contests next year.

Though most of the suggestions cost little or nothing to implement and will strike security professionals as common sense, notorious attacks including the leak of the emails of Hillary Clinton's campaign chair, John Podesta, have succeeded because basic security practices were not followed... "We heard from campaigns that there is nothing like this that exists," said Debora Plunkett, a 31-year veteran of the National Security Agency who joined the Belfer Center this year. "We had security experts who understood security and election experts who understood campaigns, and both sides were eager to learn how the other part worked."

The group includes "top security experts" from both Google and Facebook.
Privacy

Imgur Confirms Email Addresses, Passwords Stolen In 2014 Hack (zdnet.com) 38

An anonymous reader quotes a report from ZDNet: Imgur, one of the world's most visited websites, has confirmed a hack dating back to 2014. The company confirmed to ZDNet that hackers stole 1.7 million email addresses and passwords, scrambled with the SHA-256 algorithm, which has been passed over in recent years in favor of stronger password scramblers. Imgur said the breach didn't include personal information because the site has "never asked" for real names, addresses, or phone numbers. The stolen accounts represent a fraction of Imgur's 150 million monthly users. The hack went unnoticed for four years until the stolen data was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned. Hunt informed the company on Thursday, a US national holiday observing Thanksgiving, when most businesses are closed. A day later, the company started resetting the passwords of affected accounts, and published a public disclosure alerting users of the breach.
Communications

More Than a Million Pro-Repeal Net Neutrality Comments Were Likely Faked (hackernoon.com) 177

Jeff Kao from Hacker Noon used natural language processing techniques to analyze net neutrality comments submitted to the FCC from April-October 2017 and found that at least 1.3 million pro-repeal net neutrality comments were faked. From the report: NY Attorney General Schneiderman estimated that hundreds of thousands of Americans' identities were stolen and used in spam campaigns that support repealing net neutrality. My research found at least 1.3 million fake pro-repeal comments, with suspicions about many more. In fact, the sum of fake pro-repeal comments in the proceeding may number in the millions. In this post, I will point out one particularly egregious spambot submission, make the case that there are likely many more pro-repeal spambots yet to be confirmed, and estimate the public position on net neutrality in the "organic" public submissions. [The key findings include:]

1. One pro-repeal spam campaign used mail-merge to disguise 1.3 million comments as unique grassroots submissions.
2. There were likely multiple other campaigns aimed at injecting what may total several million pro-repeal comments into the system.
3. It's highly likely that more than 99% of the truly unique comments were in favor of keeping net neutrality.

Security

Data Breach Hits Australia's Department of Social Services Credit Card System (theguardian.com) 32

Paul Karp, reporting for The Guardian: The Department of Social Services has written to 8,500 current and former employees warning them their personal data held by a contractor has been breached. In letters sent in early November the department alerted the employees to "a data compromise relating to staff profiles within the department's credit card management system prior to 2016." Compromised data includes credit card information, employees' names, user names, work phone numbers, work emails, system passwords, Australian government services number, public service classification and organisation unit. The department failed to warn staff how long the data was exposed for but a DSS spokesman told Guardian Australia that the contractor, Business Information Services, had advised that the data was open from June 2016 until October 2017. The data related to the period 2004 to 2015.
Privacy

There's Now a Dark Web Version of Wikipedia (vice.com) 20

An anonymous reader shares a report: In many parts of the world, like North America, using Wikipedia is taken for granted; hell, there are even Twitter accounts to track government employees editing the internet's free encyclopedia while on the clock. But in other places, like Turkey or Syria, using Wikipedia can be difficult, and even dangerous. To make using Wikipedia safer for at-risk users, former Facebook security engineer Alec Muffett has started an experimental dark net Wikipedia service that gives visitors some strong privacy protections. The project is unofficial; for now, Wikipedia isn't involved. So it's a bit janky. The service uses self-signed certificates that may trigger a security warning in Tor, so you have to manually white-list the addresses, which takes a couple minutes.
Bitcoin

There's Some Intense Web Scans Going on for Bitcoin and Ethereum Wallets (bleepingcomputer.com) 34

Catalin Cimpanu, writing for BleepingComputer: With both Bitcoin and Ethereum price hitting all-time highs in the past seven days, cyber-criminals have stepped up efforts to search and steal funds stored in these two cryptocurrencies. These mass Internet scanning campaigns have been recently picked up by various honeypots installed by security researchers across the Internet. The first of these, aimed at Bitcoin owners, was picked up by security researcher Didier Stevens over the weekend, just two days before Bitcoin was about to jump from $7,000 to over $8,000.

Slashdot Top Deals