Television

Samsung and Roku Smart TVs Vulnerable To Hacking, Consumer Reports Finds (consumerreports.org) 102

An anonymous reader quotes a report from Consumer Reports: Consumer Reports has found that millions of smart TVs can be controlled by hackers exploiting easy-to-find security flaws. The problems affect Samsung televisions, along with models made by TCL and other brands that use the Roku TV smart-TV platform, as well as streaming devices such as the Roku Ultra. We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn't understand what was happening. This could be done over the web, from thousands of miles away. (These vulnerabilities would not allow a hacker to spy on the user or steal information.) The findings were part of a broad privacy and security evaluation, led by Consumer Reports, of smart TVs from top brands that also included LG, Sony, and Vizio. The testing also found that all these TVs raised privacy concerns by collecting very detailed information on their users. Consumers can limit the data collection. But they have to give up a lot of the TVs' functionality -- and know the right buttons to click and settings to look for.
IOS

Key iPhone Source Code Gets Posted On GitHub (vice.com) 188

Jason Koebler shares a report from Motherboard: An anonymous person posted what experts say is the source code for a core component of the iPhone's operating system on GitHub, which could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve. The code is for "iBoot," which is the part of iOS that is responsible for ensuring a trusted boot of the operating system. It's the program that loads iOS, the very first process that runs when you turn on your iPhone. The code says it's for iOS 9, an older version of the operating system, but portions of it are likely to still be used in iOS 11. Bugs in the boot process are the most valuable ones if reported to Apple through its bounty program, which values them at a max payment of $200,000. "This is the biggest leak in history," Jonathan Levin, the author of a series of books on iOS and Mac OSX internals, told Motherboard in an online chat. "It's a huge deal." Levin, along with a second security researcher familiar with iOS, says the code appears to be the real iBoot code because it aligns with the code he reverse engineered himself.
United States

36 Indicted in Global Cybercrime Ring That Stole $530M (go.com) 40

U.S. prosecutors say 36 people have been indicted in connection with an international cybercrime ring that bought and sold stolen credit card information, leading to losses of more than $530 million. From a report: The Justice Department says Wednesday that the so-called Infraud Organization dealt in the large-scale acquisition and sale of stolen identities, credit card information and malware. Deputy Assistant Attorney General David Rybicki says it was "truly the premier one-stop shop for cybercriminals worldwide." He says the organization used an online forum on the dark web to sell financial and personal information. Investigators believe the organization's nearly 11,000 members targeted more than 4.3 million credit cards and bank accounts.
AI

'Humans Not Invited' Is a CAPTCHA Test That Welcomes Bots, Filters Out Humans (vice.com) 82

While most CAPTCHA tests we come across on the Web are usually meant to keep robots out, one website is welcoming them in. From a report: The conceit of Humans Not Invited is essentially a reverse CAPTCHA. Visitors to the site are greeted with a vision test not unlike the ones you've done before, but instead it's filled with seemingly indistinguishable blue and gray blurry boxes. When I tried, I was prompted to "select all squares with selfie sticks." Most humans, like me, will fail to decipher the hidden selfie sticks and will be shown a message that says "YOU'RE A HUMAN. YOU'RE NOT INVITED." While to the human eye these boxes appear indistinguishable, a specially programmed bot can spot the correct image simply by identifying a handful of pixels, according to the project's creator, Damjanski (his real name is Danjan Pita).
Security

Meet the Tiny Startup That Sells IPhone and Android Zero Days To Governments (vice.com) 51

An anonymous reader writes: The story of Azimuth Security, a tiny startup in Australia, provides a rare peek inside the secretive industry that helps government hackers get around encryption. Azimuth is part of an opaque, little known corner of the intelligence world made of hackers who develop and sell expensive exploits to break into popular technologies like iOS, Chrome, Android and Tor.
Chrome

Scammers Use Download Bombs To Freeze Chrome Browsers on Shady Sites (bleepingcomputer.com) 72

An anonymous reader shares a report: The operators of some tech support scam websites have found a new trick to block visitors on their shady sites and scare non-technical users into paying for unneeded software or servicing fees. The trick relies on using JavaScript code loaded on these malicious pages to initiate thousands of file download operations that quickly take up the user's memory resources, freezing Chrome on the scammer's site. The trick is meant to drive panicked users into calling one of the tech support phone numbers shown on the screen. According to Jerome Segura -- Malwarebytes' leading expert in tech support scam operations, malvertising, and exploit kits -- this new trick utilizes the JavaScript Blob method and the window.navigator.msSaveOrOpenBlob function to achieve the "download bomb" that freezes Chrome.
Bug

A Flaw In Hotspot Shield Can Expose VPN Users, Locations (zdnet.com) 25

An anonymous reader quotes a report from ZDNet: A security researcher has found a way to identify users of Hotspot Shield, a popular free virtual private network service that promises its users anonymity and privacy. Hotspot Shield, developed by AnchorFree, has an estimated 500 million users around the world relying on its privacy service. By bouncing a user's internet and browsing traffic through its own encrypted pipes, the service makes it harder for others to identify individual users and eavesdrop on their browsing habits. But an information disclosure bug in the privacy service results in a leak of user data, such as which country the user is located in, and the user's Wi-Fi network name, if connected. That information leak can be used to narrow down users and their location by correlating the Wi-Fi network name with public and readily available data.
Iphone

Apple Is Seeing 'Strong Demand' For Replacement iPhone Batteries (reuters.com) 83

In a letter addressed to the U.S. lawmakers, Apple said earlier this month that it was seeing "strong demand" for replacement iPhone batteries. The company added that it may offer rebates for consumers who paid full price for new batteries. From a report: Apple confirmed in December that software to deal with aging batteries in iPhone 6, iPhone 6s and iPhone SE models could slow down performance. The company apologized and lowered the price of battery replacements for affected models from $79 to $29. In the letter released Tuesday, amid nagging allegations that it slowed down phones with older batteries as a way to push people into buying new phones, the company said it was considering issuing rebates to consumers who paid full price for replacement batteries.
Chrome

A Bug in Browser Extension Grammarly, Now Patched, Could Have Allowed an Attacker To Read Everything Users Wrote Online (gizmodo.com) 57

Copyediting app Grammarly included a gaping security hole that left users of its browser extension open to more embarrassment than just misspelled words. From a report: The Grammarly browser extension for Chrome and Firefox contained a "high severity bug" that was leaking authentication tokens, according to a bug report by Tavis Ormandy, a security researcher with Google's Project Zero. This meant that any website a Grammarly user visited could access the user's "documents, history, logs, and all other data," according to Ormandy. Grammarly provides automated copyediting for virtually anything you type into a browser that has the extension enabled, from blogs to tweets to emails to your attorney. In other words, there is an unfathomable number of scenarios in which this kind of major vulnerability could result in disastrous real-world consequences. Grammarly has approximately 22 million users, according to Ormandy, and the company told Gizmodo in an email that it "has no evidence that any user information was compromised" by the security hole. "We're continuing to monitor actively for any unusual activity," a Grammarly spokesperson said.
Privacy

Apple is Sending Some Developers Ad Spend and Install Details For Other People's Apps (techcrunch.com) 14

An issue at Apple appears to be resulting in app developers getting emails of ad spend and install summaries for apps belonging to other developers. From a report: The issue -- which appears specific right now to developers using Search Ads Basic, pay-per-install ads that appear as promoted apps when people search on the App Store -- was raised on Twitter by a number of those affected, including prominent developer Steve Troughton-Smith, who posted a screenshot of an email that summarized January's ad spend and install data for another developer's two apps. Several others replied noting the same issue, listing more developers and random apps.
Bitcoin

Man Sues T-Mobile For Allegedly Failing To Stop Hackers From Stealing His Cryptocurrency (theverge.com) 133

Over the weekend, a man filed a lawsuit against T-Mobile claiming that the company's lack of security allowed hackers to enter his wireless account last fall and steal cryptocoins worth thousands of dollars. "Carlos Tapang of Washington state accuses T-Mobile of having 'improperly allowed wrongdoers to access' his wireless account on November 7th last year," reports The Verge. "The hackers then cancelled his number and transferred it to an AT&T account under their control. 'T-Mobile was unable to contain this security breach until the next day,' when it finally got the number back from AT&T, Tapang alleges in the suit, first spotted by Law360." From the report: After gaining control of his phone number, the hackers were able to change the password on one of Tapang's cryptocurrency accounts and steal 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins, Tapang claims. The hackers then exchanged the coins for 2.875 Bitcoin and transferred it out of his account, the suit states. On November 7th, the price of Bitcoin was $7,118.80, so had the hackers cashed out then, they would have netted a profit of $20,466.55. Tapang goes on to say, "After the incident, BTC price reached more than $17,000.00 per coin," but given the volatility of bitcoin prices, the hackers may not have benefited from the soar.

The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang's account prior to the incident, but didn't actually implement it. Tapang also states that hackers are able to call T-Mobile's customer support multiple times to gain access to customer accounts, until they're able to get an agent on the line that would grant them access without requiring further identity verification. The complaint also lists several anonymous internet users who have posted about similar security breaches to their own T-Mobile accounts.

United Kingdom

Lauri Love Ruling 'Sets Precedent' For Trying Hacking Suspects in UK (theguardian.com) 222

A high court ruling blocking extradition to the US of Lauri Love, a student accused of breaking into US government websites, has been welcomed by lawyers and human rights groups as a precedent for trying hacking suspects in the UK in future. From a report: The decision delivered by the lord chief justice, Lord Burnett of Maldon, is highly critical of the conditions Love would have endured in US jails, warning of the risk of suicide. Lawyers for the 33-year-old, who lives in Suffolk, had argued that Love should be tried in Britain for allegedly hacking into US government websites and that he would be at risk of killing himself if sent to the US. There was cheering and applause in court on Monday when Burnett announced his decision. He asked supporters to be quiet, saying: "This is a court, not a theatre." In his judgment, Burnett said: "It would not be oppressive to prosecute Mr Love in England for the offences alleged against him. Far from it. Much of Mr Love's argument was based on the contention that this is indeed where he should be prosecuted
Security

NSA Exploits Ported To Work on All Windows Versions Released Since Windows 2000 (bleepingcomputer.com) 95

Catalin Cimpanu, reporting for BleepingComputer: A security researcher has ported three leaked NSA exploits to work on all Windows versions released in the past 18 years, starting with Windows 2000. The three exploits are EternalChampion, EternalRomance, and EternalSynergy; all three leaked last April by a hacking group known as The Shadow Brokers who claimed to have stolen the code from the NSA. Several exploits and hacking tools were released in the April 2017 Shadow Brokers dump, the most famous being EternalBlue, the exploit used in the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks.
Open Source

LKRG: A Loadable Linux Kernel Module for Runtime Integrity Checking (bleepingcomputer.com) 36

An anonymous reader quotes BleepingComputer: Members of the open source community are working on a new security-focused project for the Linux kernel. Named Linux Kernel Runtime Guard (LKRG), this is a loadable kernel module that will perform runtime integrity checking of the Linux kernel. Its purpose is to detect exploitation attempts for known security vulnerabilities against the Linux kernel and attempt to block attacks. LKRG will also detect privilege escalation for running processes, and kill the running process before the exploit code runs.

Since the project is in such early development, current versions of LKRG will only report kernel integrity violations via kernel messages, but a full exploit mitigation system will be deployed as the system matures... While LKRG will remain an open source project, LKRG maintainers also have plans for an LKRG Pro version that will include distro-specific LKRG builds and support for the detection of specific exploits, such as container escapes. The team plans to use the funds from LKRG Pro to fund the rest of the project.

The first public version of LKRG -- LKRG v0.0 -- is now live and available for download on this page. A wiki is also available here, and a Patreon page for supporting the project has also been set up. LKRG kernel modules are currently available for main Linux distros such as RHEL7, OpenVZ 7, Virtuozzo 7, and Ubuntu 16.04 to latest mainlines.

Security

Malware Exploiting Spectre, Meltdown CPU Flaws Emerges (securityweek.com) 84

wiredmikey quotes SecurityWeek: Researchers have discovered more than 130 malware samples designed to exploit the recently disclosed Spectre and Meltdown CPU vulnerabilities. While a majority of the samples appear to be in the testing phase, we could soon start seeing attacks... On Wednesday, antivirus testing firm AV-TEST told SecurityWeek that it has obtained 139 samples from various sources, including researchers, testers and antivirus companies... Fortinet, which also analyzed many of the samples, confirmed that a majority of them were based on available proof of concept code. Andreas Marx, CEO of AV-TEST, believes different groups are working on the PoC exploits to determine if they can be used for some purpose. "Most likely, malicious purposes at some point," he said.
Encryption

Camera Makers Resist Encryption, Despite Warnings From Photographers (zdnet.com) 291

An anonymous reader shares an article from the security editor of ZDNet: A year after photojournalists and filmmakers sent a critical letter to camera makers for failing to add a basic security feature to protect their work from searches and hacking, little progress has been made. The letter, sent in late 2016, called on camera makers to build encryption into their cameras after photojournalists said they face "a variety of threats..." Even when they're out in the field, collecting footage and documenting evidence, reporters have long argued that without encryption, police, the military, and border agents in countries where they work can examine and search their devices. "The consequences can be dire," the letter added.

Although iPhones and Android phones, computers, and instant messengers all come with encryption, camera makers have fallen behind. Not only does encryption protect reported work from prying eyes, it also protects sources -- many of whom put their lives at risk to expose corruption or wrongdoing... The lack of encryption means high-end camera makers are forcing their customers to choose between putting their sources at risk, or relying on encrypted, but less-capable devices, like iPhones. We asked the same camera manufacturers if they plan to add encryption to their cameras -- and if not, why. The short answer: don't expect much any time soon.

IT

What Are Today's Most Difficult IT Hires? (cio.com) 281

Slashdot reader snydeq shared an article from CIO: The IT talent gap is driving up demand for skilled IT pros, but for certain roles and skillsets, finding -- and signing -- the right candidate can feel a bit like trying to capture a unicorn... AI and data science jobs are at the top of the list, in part because they're relatively young technologies, and they're being introduced in all sorts of companies going through their digital transformation. At the same time, there are some surprises... The experts we talked with name-checked a laundry list of desirable skills and needed experience with emerging areas like cognitive computing, machine learning, data analytics, IoT and blockchain. But the true unicorns are candidates who can not only deepen their bench of tech skills but keep an eye on the bottom line.
The article also cites high demand for data privacy experts, penetration testers with a scientific mind-set, and adaptable developers (including DevOps engineers), as well as experts in robotics and cryptology. But everyone's experiencing the job market differently, so the original submission ends with a question for Slashdot readers.

"What hires are you having the most difficulty making these days?"
Microsoft

Surface Pro 4 Owners Are Putting Their Tablets in Freezers To Fix Screen Flickering Issues (theverge.com) 87

Hundreds of Surface Pro 4 owners have been complaining about screen flickering issues on their tablets, and many are putting them in freezers to "fix" it. From a report: A thread over at Microsoft's support forums shows that the problems have been occurring for more than a year, and most devices affected are out of warranty. Dubbed "Flickergate," a website to report the issues claims at least 1,600 Surface Pro 4 owners have experienced the screen flickering problems. The flickering appears to be a hardware issue, which occurs after the device heats up during use. Some owners have even started freezing their tablets to stop the screen flickering temporarily. "I get about half an hour's use out of it after ten minutes in the freezer," says one owner. Another user posted a video showing how the flickering stops as soon as the Surface Pro 4 is placed in a freezer.
Firefox

Firefox 59 Will Stop Websites Snooping on Where You've Just Been (zdnet.com) 121

Firefox 59 will reduce how much information websites pass on about visitors in an attempt to improve privacy for users of its private browsing mode. From a report: When you click a link in your browser to navigate to a new site, the site you go on to visit receives the address of the site you came from, via the so-called "referrer value." While this helps websites understand where visitors are coming from, it can also leak data about the individual browsing, because it tells the site the exact page you were looking at when you clicked the link, said Mozilla. Browsers also send a referrer value when requesting other details like ads, or other social media snippets integrated in a modern website, which means these embedded content features also know exactly what page you're visiting.
Security

New Zero-Day Vulnerability Found In Adobe Flash Player (gbhackers.com) 87

GBHackers On Cyber Security and an anonymous Slashdot reader have shared a story about a new zero-day vulnerability found in Adobe's Flash Player. Bleeping Computer reports: South Korean authorities have issued a warning regarding a brand new Flash zero-day deployed in the wild. According to a security alert issued by the South Korean Computer Emergency Response Team (KR-CERT), the zero-day affects Flash Player installs 28.0.0.137 and earlier. Flash 28.0.0.137 is the current Flash version number.

"An attacker can persuade users to open Microsoft Office documents, web pages, spam e-mails, etc. that contain Flash files that distribute the malicious [Flash] code," KR-CERT said. The malicious code is believed to be a Flash SWF file embedded in MS Word documents. Simon Choi, a security researcher with Hauri Inc., a South Korean security firm, says the zero-day has been made and deployed by North Korean threat actors and used since mid-November 2017. Choi says attackers are trying to infect South Koreans researching North Korea.
Adobe said it plans to patch this zero-day on Monday, February 5.
Businesses

How DIY Rebels Are Working To Replace Tech Giants (theguardian.com) 115

mspohr shares an excerpt from an "interesting article about groups working to make a safer internet": Balkan and Kalbag form one small part of a fragmented rebellion whose prime movers tend to be located a long way from Silicon Valley. These people often talk in withering terms about Big Tech titans such as Mark Zuckerberg, and pay glowing tribute to Edward Snowden. Their politics vary, but they all have a deep dislike of large concentrations of power and a belief in the kind of egalitarian, pluralistic ideas they say the internet initially embodied. What they are doing could be seen as the online world's equivalent of punk rock: a scattered revolt against an industry that many now think has grown greedy, intrusive and arrogant -- as well as governments whose surveillance programs have fueled the same anxieties. As concerns grow about an online realm dominated by a few huge corporations, everyone involved shares one common goal: a comprehensively decentralized internet. Balkan energetically travels the world, delivering TED-esque talks with such titles as "Free is a Lie" and "Avoiding Digital Feudalism."

[David Irvine, computer engineer and founder of MaidSafe, has devised an alternative to the "modern internet" he calls the Safe network]: the acronym stands for "Safe Access for Everyone." In this model, rather than being stored on distant servers, people's data -- files, documents, social-media interactions -- will be broken into fragments, encrypted and scattered around other people's computers and smartphones, meaning that hacking and data theft will become impossible. Thanks to a system of self-authentication in which a Safe user's encrypted information would only be put back together and unlocked on their own devices, there will be no centrally held passwords. No one will leave data trails, so there will be nothing for big online companies to harvest. The financial lubricant, Irvine says, will be a cryptocurrency called Safecoin: users will pay to store data on the network, and also be rewarded for storing other people's (encrypted) information on their devices. Software developers, meanwhile, will be rewarded with Safecoin according to the popularity of their apps. There is a community of around 7,000 interested people already working on services that will work on the Safe network, including alternatives to platforms such as Facebook and YouTube.

Businesses

Ask Slashdot: Which Tech Company Do You Respect Most? 311

dryriver writes: On Slashdot, we often discuss the missteps and non consumer-friendly behavior of various tech companies. This company forced people into a subscription payment model. That tech company doesn't respect people's privacy. Yet another tech company failed to fix a dangerous exploit quickly, protect people's cloud data properly, or innovate and improve where innovation and improvement was badly needed.

Here's a question to the contrary: Of all the tech companies you know well and follow -- small, medium, or large -- which are the ones that you respect the most, and why? Which are the companies that still -- or newly -- create great tech in a landscape dotted with profiteers? Also, what are your personal criteria for judging whether a tech company is "good," "neutral," or "bad?"
Security

Equifax Releases Credit Locking App That Doesn't Work (arstechnica.com) 40

An anonymous reader quotes a report from Ars Technica: On Wednesday, the beleaguered credit reporting agency Equifax launched a new service to protect people from the risks of identity theft that the company vastly magnified with a breach of over 145 million people's credit records last year. The service, called Lock & Alert, is fronted by a mobile application and a Web application. It is intended to allow individuals to control access to their credit report on demand. "Lock & Alert allows You to lock and unlock your EIS credit report ('Equifax credit report')," the service's terms of service agreement states. "Locking or unlocking your Equifax credit report usually takes less than a minute." Except when it doesn't.

As Tara Siegel Bernard and Ron Lieber of the New York Times reported, the new service -- which is different from a "freeze" in some ways that are not clear from a legal and regulatory standpoint -- has not been working for some (and possibly all) mobile app users. The idea of the "lock" is that it can be undone in an instant with a swipe of the screen, without incurring a charge to freeze or unfreeze the report or having to provide a PIN number. But attempts by Siegel Bernard to lock her husband's credit report resulted in application timeouts.

Microsoft

Windows Defender Will Soon Start Removing Applications With Coercive Messaging: Cleaners and Optimizers Put on Notice (cso.com.au) 112

Microsoft is stepping up its efforts to protect Windows users from programs that use fear to convince people to buy or upgrade products. From a report: The Redmond company is taking aim at all software that uses scary messaging to convince people to upgrade to a paid product that purportedly fixes a problem detected by a free version. Specifically it is targeting registry cleaners and optimizers, which Microsoft previously didn't endorse but also didn't blacklist as unwanted programs or malware. That's changing on March 1. "We find this practice problematic because it can pressure customers into making unnecessary purchase decisions," said Barak Shein, a member of the Windows Defender security research team. From March 1 Microsoft's Windows Defender and other security products will "classify programs that display coercive messages as unwanted software, which will be detected and removed," Shein said.
Privacy

Messaging App Telegram Pulled From Apple's App Store Due To 'Inappropriate Content' (theverge.com) 86

An anonymous reader shares a report: Apple has removed Telegram's official app from its iOS App Store. The app disappeared yesterday, shortly after Telegram launched a rewritten Telegram X app for Android. Telegram X is currently in testing on iOS, and it was also removed from the App Store. "We were alerted by Apple that inappropriate content was made available to our users and both apps were taken off the App Store," says Telegram CEO Pavel Durov. "Once we have protections in place we expect the apps to be back on the App Store."
Twitter

Twitter Notifies 1.4 Million Users of Interaction With Russian Accounts (recode.net) 178

An anonymous reader quotes a report from Recode: At least 1.4 million people on Twitter engaged with content created by Russian trolls during the 2016 presidential election, the company revealed on Wednesday. That's more than double the amount that Twitter initially identified -- and perhaps still just a fraction of the full universe of users who may have witnessed Kremlin propaganda over that period. In announcing the new data in a blog post, Twitter also said it had notified all 1.4 million affected users that they saw election disinformation. That fulfilled a pledge that the company previously made to members of Congress who are investigating Russia's tactics on social media. Notified users included those that followed one of the roughly 3,000 accounts belonging to the Internet Research Agency, the troll army tied to the Russian government, as well as users who retweeted, replied, liked or mentioned those IRA accounts in their tweets. But Twitter did not alert users who merely saw Russian troll tweets in their feeds but did not interact with the content. Nor did it reach out to users who saw tweets from the roughly 50,000 Russian bots that tweeted election-related content around November 2016.
Businesses

Big Backing For 'Universal Stylus' Campaign (bbc.com) 87

Google has backed an effort to standardise touch-screen styluses so they can be used on many devices. From a report: The Universal Stylus Initiative (USI) was launched, in 2015, to encourage companies to produce styluses that work on rivals' products. Dell, Intel, Lenovo, LG and graphics tablet-maker Wacom have all backed the project. However, Apple, Microsoft and Samsung have not. One expert suggested the big brands would keep their proprietary pens. Styluses designed to work with modern touch-screen devices and graphics tablets usually contain sensors to detect pressure, movement and orientation of the pen.
Chrome

Google Chrome To Feature Built-In Image Lazy Loading (bleepingcomputer.com) 131

An anonymous reader writes: Future versions of Google Chrome will feature built-in support for lazy loading, a mechanism to defer the loading of images and iframes if they are not visible on the user's screen at load time. This system will first ship with Chrome for Android and Google doesn't rule out adding it to desktop versions if tests go as planned. The feature is called Blink LazyLoad, and as the name hints, it will implement the principle of "lazy loading" inside Chrome itself.

Google engineers reported page load speed improvements varying from 18% to 35%, depending on the underlying network. Other browser makers have been notified of the Chrome team's plan, but none have provided input on whether they plan to implement a similar feature. Compared to most JS-based lazy loading scripts that only target images, Google's implementation will also target iframes.

Businesses

Apple: We Would Never Degrade the iPhone Experience To Get Users To Buy New Phones 282

Apple today responded to reports that the Justice Department and Securities and Exchange Commission are probing its decision to throttle older iPhones, confirming that the U.S government has asked questions. From a report: Apple said it would never intentionally "degrade the user experience to drive customer upgrades." Apple acknowledged in December that it was secretly slowing the speeds of iPhones in an effort to help preserve aging batteries. In response to consumer backlash, the company dropped the price of battery replacements for the iPhone 6, iPhone 6s and iPhone 6s Plus from $79 to $29.
Android

Google Play Removed 700,000 Bad Apps In 2017, 70 Percent More Than In 2016 (venturebeat.com) 38

Today, Google announced that it removed more than 700,000 apps that violated Google Play's policies, or 70 percent more apps than the year before. "Google does not share total Google Play app numbers anymore, so we have to rely on third-party estimates to put this 70 percent figure into perspective," reports VentureBeat. "Statista pegs the total number of apps on Google Play at 2.6 million in December 2016 and 3.5 million in December 2017, a 35 percent growth. How many of those were bad apps, however, is anyone's guess." From the report: All we know is that the number of bad apps removed grew faster than the total number of apps in the store, which makes sense if you take into account the next statistic Google revealed today: 99 percent of apps with abusive content were identified and rejected before anyone could install them in 2017. This was possible, Google says, thanks to its implementation of machine learning models and techniques to detect abusive app content and behaviors such as impersonation, inappropriate content, or malware. The company claims that the odds of getting malware are 10x lower via Google Play than if you install apps from outside sources.
Bug

Apple is Postponing Release of New Features To iOS This Year To Focus on Reliability and Performance: Report (axios.com) 106

For a change, Apple plans to not push new features to iOS devices this year so that it could focus on reliability and quality of the software instead, Axios reported on Tuesday. From the report: Apple has been criticized of late, both for security issues and for a number of quality issues, as well as for how it handles battery issues on older devices. Software head Craig Federighi announced the revised plan to employees at a meeting earlier this month, shortly before he and some top lieutenants headed to a company offsite. Pushed into 2019 are a number of features including a refresh of the home screen and in-car user interfaces, improvements to core apps like mail and updates to the picture-taking, photo editing and sharing experiences.
Government

Pentagon Reviews GPS Policies After Fitness Trackers Reveal Locations (npr.org) 83

An anonymous reader quotes a report from NPR: Locations and activity of U.S. military bases; jogging and patrol routes of American soldiers -- experts say those details are among the GPS data shared by the exercise tracking company Strava, whose Heat Map reflects more than a billion exercise activities globally. The Pentagon says it's looking at adding new training and policies to address security concerns. "Recent data releases emphasize the need for situational awareness when members of the military share personal information," Pentagon spokesman Major Adrian J.T. Rankine-Galloway of the U.S. Marine Corps said in a statement about the implications of the Strava data that has made international headlines. Strava -- which includes an option for keeping users' workout data private -- published the updated Heat Map late last year. The California-based company calls itself "the social network for athletes," saying that its mobile apps and website connect millions of people every day. Using data from fitness trackers such as the Fitbit, Strava's map shows millions of users' runs, walks, and bike trips from 2015 to September of 2017 -- and in some countries, the activities of military and aid personnel are seen in stark contrast, as their outposts shine brightly among the comparative darkness of their surroundings.
China

China Denies Report it Hacked African Union Headquarters (reuters.com) 37

China and the African Union dismissed on Monday a report in French newspaper Le Monde that Beijing had bugged the regional bloc's headquarters in the Ethiopian capital. From a report: An article published Friday in Le Monde, quoting anonymous AU sources, reported that data from computers in the Chinese-built building had been transferred nightly to Chinese servers for five years. After the massive hack was discovered a year ago, the building's IT system including servers was changed, according to Le Monde. During a sweep for bugs after the discovery, microphones hidden in desks and the walls were also detected and removed, the newspaper reported. The $200 million headquarters was fully funded and built by China and opened to great fanfare in 2012. It was seen as a symbol of Beijing's thrust for influence in Africa, and access to the continent's natural resources.
Privacy

Lenovo's Fingerprint Scanner Can Be Bypassed via a Hardcoded Password (bleepingcomputer.com) 67

Lenovo has issued an update to address a vulnerability in the fingerprint scanner app that it ships with ThinkPad, ThinkCentre, and ThinkStation models running Windows 8.1 or older versions of Windows. From a report: Fingerprint Manager Pro is an application developed by Lenovo that allows users to log into Windows machines and online websites by scanning one of their fingerprints using the fingerprint scanner embedded in selected Lenovo products. "A vulnerability has been identified in Lenovo Fingerprint Manager Pro," said Lenovo in a security advisory published last week. "Sensitive data stored by Lenovo Fingerprint Manager Pro, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in," the company said.
Security

First 'Jackpotting' Attacks Hit US ATMs (krebsonsecurity.com) 101

Brian Krebs, reporting for Krebs on Security: ATM "jackpotting" -- a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand -- has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics -- often a combination of both -- to control the operations of the ATM. On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as "logical attacks," hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they'd heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.

Intel

Intel Told Chinese Firms of Meltdown Flaws Before the US Government (engadget.com) 134

According to The Wall Street Journal, Intel initially told a handful of customers about the Meltdown and Spectre vulnerabilities, including Chinese tech companies like Alibaba and Lenovo, before the U.S. government. As a result, the Chinese government could have theoretically exploited the holes to intercept data before patches were available. Engadget reports: An Intel spokesman wouldn't detail who the company had informed, but said that the company couldn't notify everyone (including U.S. officials) in time because Meltdown and Spectre had been revealed early. Lenovo said the information was protected by a non-disclosure agreement. Alibaba has suggested that any accusations of sharing info with the Chinese government were "speculative and baseless," but this doesn't rule out officials intercepting details without Alibaba's knowledge. There's no immediate evidence to suggest that China has taken advantage of the flaws, but that's not the point -- it's that the U.S. government could have helped coordinate disclosures to ensure that enough companies had fixes in place.
Intel

Microsoft Issues Windows Out-of-Band Update That Disables Spectre Mitigations (bleepingcomputer.com) 90

An anonymous reader quotes BleepingComputer: On Saturday, Microsoft issued an emergency out-of-band Windows update that disables patches for the Spectre Variant 2 bug (CVE-2017-5715). The update -- KB4078130 -- targets Windows 7 (SP1), Windows 8.1, all versions of Windows 10, and all supported Windows Server distributions. Microsoft shipped mitigations for the Meltdown and Spectre bugs on January 3. The company said it decided to disable mitigations for the Spectre Variant 2 bug after Intel publicly admitted that the microcode updates it developed for this bug caused "higher than expected reboots and other unpredictable system behavior" that led to "data loss or corruption."

HP, Dell, and Red Hat took previous steps during the past week.

"We are also offering a new option -- available for advanced users on impacted devices -- to manually disable and enable the mitigation against Spectre Variant 2 (CVE 2017-5715) independently via registry setting changes..." Microsoft writes.

"We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device."
Bug

Malwarebytes Released Two Bad Web Protection Updates (csoonline.com) 70

Malwarebytes had a bad day Saturday, pushing out an update "that gobbled up memory and CPU resources and turned off web protection," reports CSO. The company's forums lit up with complaints that the software was hogging 90 percent or more of memory and CPU resources. One thread about RAM usage is currently 37 pages long. Aware of the problem, Malwarebytes tweeted that "all hands" were on deck to resolve the issue. Unfortunately, even though a new update package was pushed out in about an hour, it did not fix the problem. Even after rebooting their computers, some users reported that their systems locked up as soon as the Malwarebytes Service process started, as it ate large amounts of RAM.
"Two bad updates later, Malwarebytes released a fix," CSO reports, noting the company's blog post with steps to resolve the issue.

Long-time Slashdot reader marquis111 shares a link to an apology from Malwarebytes CEO Marcin Kleczynski, who says that he'll be "personally available" to discuss the problem on both the forums and at his personal email address.
Government

Dutch Intelligence Agents Watched Russia Hack the DNC (volkskrant.nl) 358

Long-time Slashdot readers Agilulf, Sara Chan, and wiredmikey -- plus an anonymous reader -- all submitted the same story. Agilulf writes: Dutch hackers from AIVD (their intelligence agency) infiltrated Russian hackers, had access to their CCTV system, and followed them for more than a year, watched their attack on the DNC, provided the proof to the U.S. intelligence community that Russia was behind those hacks and the stolen emails, and were disappointed with the response from the U.S.
The Dutch agents also watched Russian agents breach a non-classified network at the U.S. State Department in 2014, where the Russians then sent a phishing email to the White House, successfully stole login credentials, and then accessed email from embassies and diplomats.

"Three American intelligence services state with 'high confidence' that the Kremlin was behind the attack on the Democratic Party," according to the article, which adds that that certainty "is derived from the AIVD hackers having had access to the office-like space in the center of Moscow for years."
Networking

Is It Time For Zero-Trust Corporate Networks? (csoonline.com) 150

An anonymous reader quotes CSO: "The strategy around Zero Trust boils down to don't trust anyone. We're talking about, 'Let's cut off all access until the network knows who you are. Don't allow access to IP addresses, machines, etc. until you know who that user is and whether they're authorized,'" says Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Mass... The Zero Trust model of information security basically kicks to the curb the old castle-and-moat mentality that had organizations focused on defending their perimeters while assuming everything already inside didn't pose a threat and therefore was cleared for access. Security and technology experts say the castle-and-moat approach isn't working. They point to the fact that some of the most egregious data breaches happened because hackers, once they gained access inside corporate firewalls, were able to move through internal systems without much resistance...

Experts say that today's enterprise IT departments require a new way of thinking because, for the most part, the castle itself no longer exists in isolation as it once did. Companies don't have corporate data centers serving a contained network of systems but instead today typically have some applications on-premises and some in the cloud with users -- employees, partners, customers -- accessing applications from a range of devices from multiple locations and even potentially from around the globe... The Zero Trust approach relies on various existing technologies and governance processes to accomplish its mission of securing the enterprise IT environment. It calls for enterprises to leverage micro-segmentation and granular perimeter enforcement based on users, their locations and other data to determine whether to trust a user, machine or application seeking access to a particular part of the enterprise... Zero Trust draws on technologies such as multifactor authentication, Identity and Access Management (IAM), orchestration, analytics, encryption, scoring and file system permissions. Zero Trust also calls for governance policies such as giving users the least amount of access they need to accomplish a specific task.

"Most organizational IT experts have been trained, unfortunately, to implicitly trust their environments," says the chief product officer at an IAM/PIM solutions supplier.

"Everybody has been [taught] to think that the firewall is keeping the bad guys out. People need to adjust their mindset and understand that the bad actors are already in their environment."
Android

OnePlus Is Again Sending User Data To a Chinese Company Without User Consent (bgr.com) 152

In October 2017, a researcher caught OnePlus silently collecting all sorts of data from its users. Now, a new report says that there's still a OnePlus app that can grab data from the phone and send it to servers in China without a user's knowledge or express consent. BGR reports: The French security researcher hiding behind the name Elliot Alderson on Twitter detailed OnePlus's data collection practices back in October, and he has now discovered a strange file in the OnePlus clipboard app. A Badword.txt file contains various keywords, including "Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, Private Message, shipping, Address, email," and others. The file is then duplicated in a zip file called pattern alongside six other .txt files. All these files are apparently used "in an obfuscated package which seems to be an #Android library from teddymobile." Now, TeddyMobile is a Chinese company that works with plenty of smartphone makers from China. The company seems to be able to recognize words and numbers in text messages. And OnePlus is apparently sending your phone's IMEI number to a TeddyMobile server, too. It looks like the TeddyMobile package might be able to grab all sorts of data from a phone. Even bank numbers are apparently recognized. OnePlus has yet to issue a statement on the matter.
Crime

Crooks Created 28 Fake Ad Agencies To Disguise Massive Malvertising Campaign (bleepingcomputer.com) 36

An anonymous reader quotes a report from Bleeping Computer: A group of cyber-criminals created 28 fake ad agencies and bought over 1 billion ad views in 2017, which they used to deliver malicious ads that redirected unsuspecting users to tech support scams or sneaky pages peddling malware-laden software updates or software installers. The entire operation -- codenamed Zirconium -- appears to have started in February 2017, when the group started creating the fake ad agencies which later bought ad views from larger ad platforms. These fake ad agencies each had individual websites and even LinkedIn profiles for their fake CEOs. Their sole purpose was to interface with larger advertising platforms, appearing as legitimate businesses. Ad security company Confiant, which discovered this entire operation, says ads bought by this group reached 62% of ad-monetized websites on a weekly basis. All in all, Confiant believes that about 2.5 million users who've encountered Zirconium's malicious ads were redirected to a malicious site, with 95% of the victims being based in the U.S.
Databases

ICE Is About To Start Tracking License Plates Across the US 167

Presto Vivace shares a report from The Verge: The Immigration and Customs Enforcement (ICE) agency has officially gained agency-wide access to a nationwide license plate recognition database, according to a contract finalized earlier this month. The system gives the agency access to billions of license plate records and new powers of real-time location tracking, raising significant concerns from civil libertarians. The source of the data is not named in the contract, but an ICE representative said the data came from Vigilant Solutions, the leading network for license plate recognition data. While it collects few photos itself, Vigilant Solutions has amassed a database of more than 2 billion license plate photos by ingesting data from partners like vehicle repossession agencies and other private groups. ICE agents would be able to query that database in two ways. A historical search would turn up every place a given license plate has been spotted in the last five years, a detailed record of the target's movements. That data could be used to find a given subject's residence or even identify associates if a given car is regularly spotted in a specific parking lot. Presto Vivace adds, "This will not end well."
Government

Washington Bill Makes It Illegal To Sell Gadgets Without Replaceable Batteries (vice.com) 384

Jason Koebler writes: A bill that would make it easier to fix your electronics is rapidly hurtling through the Washington state legislature. The bill's ascent is fueled by Apple's iPhone-throttling controversy, which has placed a renewed focus on the fact that our electronics have become increasingly difficult to repair.

Starting in 2019, the bill would ban the sale of electronics that are designed "in such a way as to prevent reasonable diagnostic or repair functions by an independent repair provider. Preventing reasonable diagnostic or repair functions includes permanently affixing a battery in a manner that makes it difficult or impossible to remove."

Intel

Intel Plans To Release Chips That Have Built-in Meltdown and Spectre Protections Later This Year (businessinsider.com) 154

Intel plans to release chips that have built-in protections against the Spectre and Meltdown attacks later this year, company CEO Brian Krzanich said during the company's quarterly earnings call this week. From a report: The company has "assigned some of our very best minds" to work on addressing the vulnerability that's exploited by those attacks, Krzanich said on a conference call following Intel's quarterly earnings announcement. That will result in "silicon-based" changes to the company's future chips, he said. "We've been working around the clock" to address the vulnerability and attacks, Krzanich said. But, he added, "we're acutely aware we have more to do."
Security

Researchers Warn of Physics-Based Attacks On Sensors (securityledger.com) 85

chicksdaddy shares a report from The Security Ledger: Billions of sensors that are already deployed lack protections against attacks that manipulate the physical properties of devices to cause sensors and embedded devices to malfunction, researchers working in the U.S. and China have warned. In an article in Communications of the ACM, researchers Kevin Fu of the University of Michigan and Wenyuan Xu of Zhejiang University warn that analog signals such as sound or electromagnetic waves can be used as part of "transduction attacks" to spoof data by exploiting the physics of sensors. Researchers say a "return to classic engineering approaches" is needed to cope with physics-based attacks on sensors and other embedded devices, including a focus on system-wide (versus component-specific) testing and the use of new manufacturing techniques to thwart certain types of transduction attacks.

"This is about uncovering the physics of cyber security and how some of the physical properties of systems have been abstracted to the point that we don't have a good way to describe the security of the system," Dr Fu told The Security Ledger in a conversation last week. That is particularly true of sensor-driven systems, like those that will populate the Internet of Things. Cyberattacks typically target vulnerabilities in software such as buffer overflows or cross-site scripting. But transduction attacks target the physics of the hardware that underlies that software, including the circuit boards that discrete components are deployed on, or the materials that make up the components themselves. Although the attacks target vulnerabilities in the hardware, the consequences often arise in software systems, such as the improper functioning or denial of service to a sensor or actuator, the researchers said. Hardware and software have what might be considered a "social contract" that analog information captured by sensors will be rendered faithfully as it is transformed into binary data that software can interpret and act on. But materials used to create sensors can be influenced by other phenomena -- such as sound waves. Through the targeted use of such signals, the behavior of the sensor can be interfered with and even manipulated. "The problem starts with the mechanics or physics of the material and bubbles up into the operating system," Fu told The Security Ledger.

Government

Tech Firms Let Russia Probe Software Widely Used by US Government (reuters.com) 115

Major global technology providers SAP, Symantec, and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, Reuters reported on Thursday. From the report: The practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies, U.S. lawmakers and security experts said. It involves more companies and a broader swath of the government than previously reported. In order to sell in the Russian market, the tech companies let a Russian defense agency scour the inner workings, or source code, of some of their products. Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers. But those same products protect some of the most sensitive areas of the U.S. government, including the Pentagon, NASA, the State Department, the FBI and the intelligence community, against hacking by sophisticated cyber adversaries like Russia.
United Kingdom

Admiral Charges Hotmail Users More For Car Insurance (thetimes.co.uk) 345

One of Britain's biggest car insurers has admitted increasing premiums for drivers who apply using a Hotmail account. From a report: Motorists seeking cover from Admiral could be charged $45 extra if they use certain email addresses. The insurer said some domain names were "associated with more accidents" than others, raising applicants' risk profile. Figures from the Association of British Insurers to be published today show that the cost of car insurance has increased by more than a quarter over the past three years. Admiral said that hundreds of factors were used by underwriters in setting car insurance, with riskier motorists paying more. Issues included the age of a driver and their postcode.
Encryption

Senator Asks FBI Director To Justify His 'Ill-Informed' Policy Proposal For Encryption (gizmodo.com) 372

In a speech earlier this month, FBI Director Christopher Wray said the inability of law enforcement authorities to access data from electronic devices due to powerful encryption is an "urgent public safety issue." He proposed that Silicon Valley companies should add a backdoor to their encryption so that they could both "provide data security and permit lawful access with a court order." One person is not amused by Wray's proposal. Senator Ron Wyden criticized Wray on Thursday for not consulting him before going public with the proposal for encryption. Wyden said today, via Gizmodo: Your stated position parrots the same debunked arguments espoused by your predecessors, all of whom ignored the widespread and vocal consensus of cryptographers. For years, these experts have repeatedly stated that what you are asking for is not, in fact, possible. Building secure software is extremely difficult, and vulnerabilities are often introduced inadvertently in the design process. Eliminating these vulnerabilities is a mammoth task, and experts are unified in their opinion that introducing deliberate vulnerabilities would likely create catastrophic unintended consequences that could debilitate software functionality and security entirely.

[...] I would like to learn more about how you arrived at and justify this ill-informed policy proposal. Please provide me with a list of the cryptographers with whom you've personally discussed this topic since our July 2017 meeting and specifically identify those experts who advised you that companies can feasibly design government access features into their products without weakening cybersecurity. Please provide this information by February 23, 2018.

Programming

Tim Cook: Coding Languages Were 'Too Geeky' For Students Until We Invented Swift (thestar.com) 335

theodp writes: Speaking to a class of Grade 7 students taking coding lessons at the Apple Store in Eaton Centre, the Toronto Star reports that Apple CEO Tim Cook told the kids that most students would shun programming because coding languages were 'too geeky' until Apple introduced Swift. "Swift came out of the fundamental recognition that coding languages were too geeky. Most students would look at them and say, 'that's not for me,'" Cook said as the preteens participated in an Apple-designed 'Everyone Can Code' workshop. "That's not our view. Our view is that coding is a horizontal skill like your native languages or mathematics, so we wanted to design a programming language that is as easy to learn as our products are to use."