Phishing Attack Scores Credentials For More Than 50,000 Snapchat Users ( 11

An anonymous reader quotes an exclusive report from The Verge: In late July, Snap's director of engineering emailed the company's team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company's users: a publicly available list, embedded in a phishing website named, that listed 55,851 Snapchat accounts, along with their usernames and passwords. The attack appeared to be connected to a previous incident that the company believed to have been coordinated from the Dominican Republic, according to emails obtained by The Verge. Not all of the account credentials were valid, and Snap had reset the majority of the accounts following the initial attack. But for some period of time, thousands of Snapchat account credentials were available on a public website. According to a person familiar with the matter, the attack relied on a link sent to users through a compromised account that, when clicked, opened a website designed to mimic the Snapchat login screen.

A Hacker Has Wiped a Spyware Company's Servers -- Again ( 64

Last year, a vigilante hacker broke into the servers of a company that sells spyware to everyday consumers and wiped their servers, deleting photos captured from monitored devices. A year later, the hacker has done it again. Motherboard: Thursday, the hacker said he started wiping some cloud servers that belong to Retina-X Studios, a Florida-based company that sells spyware products targeted at parents and employers, but that are also used by people to spy on their partners without their consent. Retina-X was one of two companies that were breached last year in a series of hacks that exposed the fact that many otherwise ordinary people surreptitiously install spyware on their partners' and children's phones in order to spy on them. This software has been called "stalkerware" by some.

Google Exposes How Malicious Sites Can Exploit Microsoft Edge ( 51

Google's Project Zero team has published details of an unfixed bypass for an important exploit-mitigation technique in Edge. From a report: The mitigation, Arbitrary Code Guard (ACG), arrived in the Windows 10 Creators Update to help thwart web attacks that attempt to load malicious code into memory. The defense ensures that only properly signed code can be mapped into memory. However, as Microsoft explains, Just-in-Time (JIT) compilers used in modern web browsers create a problem for ACG. JIT compilers transform JavaScript into native code, some of which is unsigned and runs in a content process.

To ensure JIT compilers work with ACG enabled, Microsoft put Edge's JIT compiling in a separate process that runs in its own isolated sandbox. Microsoft said this move was "a non-trivial engineering task." "The JIT process is responsible for compiling JavaScript to native code and mapping it into the requesting content process. In this way, the content process itself is never allowed to directly map or modify its own JIT code pages," Microsoft says. Google's Project Zero found an issue is created by the way the JIT process writes executable data into the content process.


Two Years After FBI vs Apple, Encryption Debate Remains ( 175

It's been two years since the FBI and Apple got into a giant fight over encryption following the San Bernardino shooting, when the government had the shooter's iPhone, but not the password needed to unlock it, so it asked Apple to create a way inside. What's most surprising is how little has changed since then. From a report: The encryption debate remains unsettled, with tech companies largely opposed and some law enforcement agencies still making the case to have a backdoor. The case for strong encryption: Those partial to the tech companies' arguments will note that cyberattacks and hacking incidents have become even more common, with encryption serving as a valuable way to protect individuals' personal information. The case for backdoors: Criminals are doing bad stuff and when devices are strongly encrypted they can do it in what amounts to the perfect dark alley, completely hidden from public view.

Pro-Gun Russian Bots Flood Twitter After Parkland Shooting ( 705

An anonymous reader quotes a report from Wired: In the wake of Wednesday's Parkland, Florida school shooting, which resulted in 17 deaths, troll and bot-tracking sites reported an immediate uptick in related tweets from political propaganda bots and Russia-linked Twitter accounts. Hamilton 68, a website created by Alliance for Securing Democracy, tracks Twitter activity from accounts it has identified as linked to Russian influence campaigns. On RoBhat Labs', a website created by two Berkeley students to track 1500 political propaganda bots, all of the top two-word phrases used in the last 24 hours -- excluding President Trump's name -- are related to the tragedy: School shooting, gun control, high school, Florida school. The top hashtags from the last 24 hours include Parkland, guncontrol, and guncontrolnow.

While RoBhat Labs tracks general political bots, Hamilton 68 focuses specifically on those linked to the Russian government. According to the group's data, the top link shared by Russia-linked accounts in the last 48 hours is a 2014 Politifact article that looks critically at a statistic cited by pro-gun control group Everytown for Gun Safety. Twitter accounts tracked by the group have used the old link to try to debunk today's stats about the frequency of school shootings. Another top link shared by the network covers the "deranged" Instagram account of the shooter, showing images of him holding guns and knives, wearing army hats, and a screenshot of a Google search of the phrase "Allahu Akbar." Characterizing shooters as deranged lone wolves with potential terrorist connections is a popular strategy of pro-gun groups because of the implication that new gun laws could not have prevented their actions. Meanwhile, some accounts with large bot followings are already spreading misinformation about the shooter's ties to far-left group Antifa, even though the Associated Press reported that he was a member of a local white nationalist group. The Twitter account Education4Libs, which RoBhat Labs shows is one among the top accounts tweeted at by bots, is among the prominent disseminators of that idea.

United Kingdom

UK Blames Russia For Cyber Attack, Says Won't Tolerate Disruption ( 143

Britain blamed Russia on Thursday for a cyber-attack last year, publicly pointing the finger at Moscow for spreading a virus which disrupted companies across Europe including UK-based Reckitt Benckiser. From a report: Russia denied the accusation, saying it was part of "Russophobic" campaign it said was being waged by some Western countries. The so-called NotPetya attack in June started in Ukraine where it crippled government and business computers before spreading around the world, halting operations at ports, factories and offices. Britain's foreign ministry said the attack originated from the Russian military. "The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity," the ministry said in a statement. "The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt," it said.

Facebook Is Spamming Users Via Their 2FA Phone Numbers ( 119

According to Mashable, Facebook account holder Gabriel Lewis tweeted that Facebook texted "spam" to the phone number he submitted for the purposes of 2-factor authentication. Lewis insists that he did not have mobile notifications turned on, and when he replied "stop" and "DO NOT TEXT ME," he says those messages showed up on his Facebook wall. From the report: Lewis explained his version of the story to Mashable via Twitter direct message. "[Recently] I decided to sign up for 2FA on all of my accounts including FaceBook, shortly afterwards they started sending me notifications from the same phone number. I never signed up for it and I don't even have the FB app on my phone." Lewis further explained that he can go "for months" without signing into Facebook, which suggests the possibility that Mark Zuckerberg's creation was feeling a little neglected and trying to get him back. According to Lewis, he signed up for 2FA on Dec. 17 and the alleged spamming began on Jan. 5. Importantly, Lewis isn't the only person who claims this happened to him. One Facebook user says he accidentally told "friends and family to go [to] hell" when he "replied to the spam."

Google's Chrome Ad Blocking Arrives Tomorrow ( 211

Google is enabling its built-in ad blocker for Chrome tomorrow (February 15th). From a report: Chrome's ad filtering is designed to weed out some of the web's most annoying ads, and push website owners to stop using them. Google is not planning to wipe out all ads from Chrome, just ones that are considered bad using standards from the Coalition for Better Ads. Full page ads, ads with autoplaying sound and video, and flashing ads will be targeted by Chrome's ad filtering, which will hopefully result in less of these annoying ads on the web. Google is revealing today exactly what ads will be blocked, and how the company notifies site owners before a block is put in place. On desktop, Google is planning to block pop-up ads, large sticky ads, auto-play video ads with sound, and ads that appear on a site with a countdown blocking you before the content loads. Google is being more aggressive about its mobile ad blocking, filtering out pop-up ads, ads that are displayed before content loads (with or without a countdown), auto-play video ads with sound, large sticky ads, flashing animated ads, fullscreen scroll over ads, and ads that are particularly dense.

Kaspersky Says Telegram Flaw Used For Cryptocurrency Mining ( 42

According to Kaspersky Lab, hackers have been exploiting a vulnerability in Telegram's desktop client to mine cryptocurrencies such as Monero and ZCash. "Kaspersky said on its website that users were tricked into downloading malicious software onto their computers that used their processing power to mine currency, or serve as a backdoor for attackers to remotely control a machine," reports Bloomberg. From the report: While analyzing the servers of malicious actors, Kaspersky researchers also found archives containing a cache of Telegram data that had been stolen from victims. The Russian security firm said it "reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in messenger's products."

Many ID-Protection Services Fail Basic Security ( 47

Paul Wagenseil, writing for Tom's Guide: For a monthly fee, identity-protection services promise to do whatever they can to make sure your private personal information doesn't fall into the hands of criminals. Yet many of these services -- including LifeLock, IDShield and Credit Sesame -- put personal information at risk, because they don't let customers use two-factor authentication (2FA). This simple security precaution is offered by many online services. Without 2FA, anyone who has your email address and password -- which might be obtained from a data breach or a phishing email -- could log in to the account for your identity-protection service and, depending on how the service protects them, possibly steal your bank-account, credit-card and Social Security numbers.

Facebook is Pushing Its Data-tracking Onavo VPN Within Its Main Mobile App ( 40

TechCrunch reports: Onavo Protect, the VPN client from the data-security app maker acquired by Facebook back in 2013, has now popped up in the Facebook app itself, under the banner "Protect" in the navigation menu. Clicking through on "Protect" will redirect Facebook users to the "Onavo Protect -- VPN Security" app's listing on the App Store. We're currently seeing this option on iOS only, which may indicate it's more of a test than a full rollout here in the U.S. Marketing Onavo within Facebook itself could lead to a boost in users for the VPN app, which promises to warn users of malicious websites and keep information secure as you browse. But Facebook didn't buy Onavo for its security protections. Instead, Onavo's VPN allow Facebook to monitor user activity across apps, giving Facebook a big advantage in terms of spotting new trends across the larger mobile ecosystem. For example, Facebook gets an early heads up about apps that are becoming breakout hits; it can tell which are seeing slowing user growth; it sees which apps' new features appear to be resonating with their users, and much more. Further reading: Do Not, I Repeat, Do Not Download Onavo, Facebook's Vampiric VPN Service (Gizmodo).

Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite ( 151

ZDNet reports of a security flaw in Skype's updater process that "can allow an attacker to gain system-level privileges to a vulnerable computer." If the bug is exploited, it "can escalate a local unprivileged user to the full 'system' level rights -- granting them access to every corner of the operating system." What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client. From the report: Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs. Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking. The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.

Consumers Prefer Security Over Convenience For the First Time Ever, IBM Security Report Finds ( 50

A new study by IBM Security surveying 4,000 adults from a few different regions of the world found that consumers are now ranking security over convenience. For the first time ever, business users and consumers are now preferring security over convenience. From a report: TechRepublic spoke with executive security advisor at IBM Security Limor Kessem to discuss this new trend. "We always talk about the ease of use, and not impacting user experience, etc, but it turns out that when it comes to their financial accounts...people actually would go the extra mile and will use extra security," Kessem said. Whether it's using two factor authentication, an SMS message on top of their password, or any other additional step for extra protection, people still want to use it. Some 74% of respondents said that they would use extra security when it comes to those accounts, she said.

The Insane Amount of Backward Compatibility in Google Maps ( 73

Huan Truong, a software developer, writes in a blog post: There is always an unlikely app that consistently works on all of my devices, regardless of their OS and how old they are: Google Maps. Google Maps still works today on Android 1.0, the earliest version available (Maps actually still works with some of the beta versions before that). I believe Maps was only a prototype app in Android 1.0. If I recall correctly, Google didn't have any official real device to run Android 1.0. That was back all the way in 2007. But then, you say, Android is Google's OS for Pete's sake. How about iOS? Google Maps for iOS, version 1.0, released late 2012, still works just fine. That was the first version of Google Maps ever released as a standalone app after Apple ditched Google's map solution on iOS. But wait... there is more. There is native iOS Maps on iOS 6, which was released in early 2012, and it still works. But that's only 6 years ago. Let's go hardcore. How about Google Maps on Java phones (the dumb bricks that run Java "midlets" or whatever the ancient Greeks call it)? It works too. [...] The Palm OS didn't even have screenshot functionality. But lo and behold, Google Maps worked.

Why Paper Jams Persist ( 122

A trivial problem reveals the limits of technology. Fascinating story from The New Yorker: Unsurprisingly, the engineers who specialize in paper jams see them differently. Engineers tend to work in narrow subspecialties, but solving a jam requires knowledge of physics, chemistry, mechanical engineering, computer programming, and interface design. "It's the ultimate challenge," Ruiz said.

"I wouldn't characterize it as annoying," Vicki Warner, who leads a team of printer engineers at Xerox, said of discovering a new kind of paper jam. "I would characterize it as almost exciting." When she graduated from the Rochester Institute of Technology, in 2006, her friends took jobs in trendy fields, such as automotive design. During her interview at Xerox, however, another engineer showed her the inside of a printing press. All Xerox printers look basically the same: a million-dollar printing press is like an office copier, but twenty-four feet long and eight feet high. Warner watched as the heavy, pale-gray double doors swung open to reveal a steampunk wonderland of gears, wheels, conveyor belts, and circuit boards. As in an office copier, green plastic handles offer access to the "paper path" -- the winding route, from "feeder" to "stacker," along which sheets of paper are shocked and soaked, curled and decurled, vacuumed and superheated. "Printers are essentially paper torture chambers," Warner said, smiling behind her glasses. "I thought, This is the coolest thing I've ever seen."


Games Organizers at Pyeongchang Winter Olympics Confirm Cyber Attack, Won't Reveal Source ( 73

Pyeongchang Winter Olympics organizers confirmed on Sunday that the Games had fallen victim to a cyber attack during Friday's opening ceremony, but they refused to reveal the source. From a report: The Games' systems, including the internet and television services, were affected by the hack two days ago but organizers said it had not compromised any critical part of their operations. "Maintaining secure operations is our purpose," said International Olympic Committee (IOC) spokesman Mark Adams. "We are not going to comment on the issue. It is one we are dealing with. We are making sure our systems are secure and they are secure."

Hackers Hijack Government Websites To Mine Crypto-Cash ( 48

BBC reports: The Information Commissioner's Office (ICO) took down its website after a warning that hackers were taking control of visitors' computers to mine cryptocurrency. Security researcher Scott Helme said more than 4,000 websites, including many government ones, were affected. He said the affected code had now been disabled and visitors were no longer at risk. The ICO said: "We are aware of the issue and are working to resolve it." Mr Helme said he was alerted by a friend who had received a malware warning when he visited the ICO website. He traced the problem to a website plug-in called Browsealoud, used to help blind and partially sighted people access the web. The cryptocurrency involved was Monero -- a rival to Bitcoin that is designed to make transactions in it "untraceable" back to the senders and recipients involved. The plug-in had been tampered with to add a program, Coinhive, which "mines" for Monero by running processor-intensive calculations on visitors' computers. The Register: A list of 4,200-plus affected websites can be found here: they include The City University of New York (, Uncle Sam's court information portal (, Lund University (, the UK's Student Loans Company (, privacy watchdog The Information Commissioner's Office ( and the Financial Ombudsman Service (, plus a shedload of other and sites, UK NHS services, and other organizations across the globe.

Sandboxed Mac Apps Can Record Screen Any Time Without You Knowing ( 59

Catalin Cimpanu, writing for BleepingComputer: Malicious app developers can secretly abuse a macOS API function to take screenshots of the user's screen and then use OCR (Optical Character Recognition) to programmatically read the text found in the image. The function is CGWindowListCreateImage, often utilized by Mac apps that take screenshots or live stream a user's desktop. According to Fastlane Tools founder Felix Krause, any Mac app, sandboxed or not, can access this function and secretly take screenshots of the user's screen. Krause argues that miscreants can abuse this privacy loophole and utilize CGWindowListCreateImage to take screenshots of the screen without the user's permission.

Should GitHub Allow Username Reuse? ( 84

Jesse Donat argues via Donut Studios why GitHub should never allow usernames to be valid again once they are deleted. He provides an example of a user who deleted his GitHub account and personal domain with a popular tool used for embedding data files into Go binaries. "While this is within his rights to do, this broke a dependency many people had within their projects," Donat writes. "To fix this, some users of the project recreated the account and the repository based on a fork of the project." Donat goes on to write: Allowing username reuse completely breaks any trust that what I pull is what it claims to be. What if this user had been malicious? It may have taken a while before someone actually noticed this wasn't the original user and the code was doing something more than it claimed to.

While Go's "go get" functionality is no doubt naive and just pulls the head of a repository, this is not exclusively Go's problem as this affects any package manager that runs on tags. Simply tag malicious changes beyond the current release and it would be deployed to many users likely with little actual review.


Hackers In Equifax Breach Accessed More Personal Information Than Previously Disclosed ( 58

An anonymous reader quotes a report from The Wall Street Journal (Warning: source may be paywalled; alternative source): Equifax said, in a document submitted to the Senate Banking Committee and reviewed by The Wall Street Journal, that cyberthieves accessed records across numerous tables in its systems that included such data as tax identification numbers, email addresses and drivers' license information beyond the license numbers it originally disclosed. The revelations come some five months after Equifax announced it had been breached and personal information belonging to 145.5 million consumers had been compromised, including names, Social Security numbers, dates of birth and addresses. It's unclear how many of the 145.5 million people are affected by the additional data including tax ID numbers, which are often assigned to people who don't have Social Security numbers. Hackers also accessed email addresses for some consumers, according to the document and an Equifax spokeswoman, who said "an insignificant number" of email addresses were affected. She added that email addresses aren't considered sensitive personal information because they are commonly searchable in public domains.

As for tax ID numbers, the Equifax spokeswoman said they "were generally housed in the same field" as Social Security numbers. She added that individuals without a Social Security number could use their tax ID number to see if they were affected by the hack. Equifax also said, in response to questions from The Wall Street Journal, that some additional drivers' license information had been accessed. The company publicly disclosed in its Sept. 7 breach announcement that drivers' license numbers were accessed; the document submitted to the banking committee also includes drivers' license issue dates and states.


Turkey Rolls Out Domestic Rival To WhatsApp, Raising Surveillance Concerns ( 36

Turkey has launched a domestic messaging app to rival Facebook's popular WhatsApp Messenger service, raising concerns among government critics that Ankara (capital of Turkey) could use the new platform to tighten surveillance and bolster an 18-month-old crackdown. From a report: The app, called PttMessenger after Turkey's Post and Telegraph General Directorate (PTT), was introduced in a limited roll-out to state institutions and some private companies this week. It is expected to be publicly available in six months. PttMessenger will provide a "system safer than WhatsApp," government spokesman Bekir Bozdag told a news conference. "Since no data is stored with the host, it will be impossible to access these data. A system safer than WhatsApp has been developed." Critics cast doubt on the suggestion PttMessenger data could not be retrieved, fearing it will give authorities greater ability to monitor dissent, pointing to the widespread crackdown that was launched after a failed military coup in July 2016.

32 Senators Want To Know If US Regulators Halted Equifax Probe ( 93

An anonymous reader quotes a report from Engadget: Earlier this week, a Reuters report suggested that the Consumer Financial Protection Bureau (CFPB) had halted its investigation into last year's massive Equifax data breach. Reuters sources said that even basic steps expected in such a probe hadn't been taken and efforts had stalled since Mick Mulvaney took over as head of the CFPB late last year. Now, 31 Democratic senators and one Independent have written a letter to Mulvaney asking if that is indeed the case and if so, why.

In their letter, the senators expressed their concern over these reports and reiterated the duty the CFPB has to not only investigate the breach but to bring action against Equifax if deemed necessary. "Consumer reporting agencies and the data they collect play a central role in consumers' access to credit and the fair and competitive pricing of that credit," they wrote. "Therefore, the CFPB has a duty to supervise consumer reporting agencies, investigate how this breach has or will harm consumers and bring enforcement actions as necessary."


Google Chrome Pushes For User Protection With 'Not secure' Label ( 85

In an effort to force websites to better protect their users, the Chrome web browser will label all sites not encrypted traffic as "Not secure" in the web address bar, Google announced Thursday. From a report: Encrypted traffic allows users to access data on a website without allowing potential eavesdroppers to see anything the users visit. HTTPS also prevents meddlers from changing information in transit. During normal web browsing, Google currently displays a "Not secure" warning in the next to a site's URL if it forgoes HTTPS encryption and a user enters data. Now the browser will label all sites without HTTPS encryption this way.

Apple Says the Leaked iPhone Source Code is Outdated ( 80

Apple has responded to security concerns surrounding leaked iPhone source code, pointing out that any potential vulnerabilities would be outdated. From a report: "Old source code from three years ago appears to have been leaked," Apple said in a statement, "but by design the security of our products doesn't depend on the secrecy of our source code. There are many layers of hardware and software protections built in to our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections." The iBoot source code for iOS 9, a core part of what keeps your iPhones and iPads secure when they turn on, was leaked on GitHub, Motherboard first reported. The source code leak was considered a major security issue for Apple, as hackers could dig through it and search for any vulnerabilities in iBoot. Apple had used a DMCA notice to get the Github page hosting the leaked code taken down, but multiple copies of the code have already spread online.

Intel Replaces its Buggy Fix for Skylake PCs ( 57

Intel has released new microcode to address the stability and reboot issues on systems after installing its initial mitigations for Variant 2 of the Meltdown and Spectre attacks. From a report: The stability issues caused by Intel's microcode updates resulted in Lenovo, HP, and Dell halting their deployment of BIOS updates last month as Intel worked to resolve the problems. Intel initially said unexpected reboots were only seen on Broadwell and Haswell chips, but later admitted newer Skylake architecture chips were also affected. Microsoft also said it had also seen Intel's updates cause data loss or corruption in some cases.

Attackers Drain CPU Power From Water Utility Plant In Cryptojacking Attack ( 76

darthcamaro writes: Apparently YouTube isn't the only site that is draining CPU power with unauthorized cryptocurrency miners. A water utility provider in Europe is literally being drained of its CPU power via an cryptojacking attack that was undetected for three weeks. eWeek reports: "At this point, Radiflow's (the security firm that discovered the cryptocurrency mining malware) investigation indicates that the cryptocurrency mining malware was likely downloaded from a malicious advertising site. As such, the theory that Radiflow CTO Yehonatan Kfir has is that an operator at the water utility was able to open a web browser and clicked on an advertising link that led the mining code being installed on the system. The actual system that first got infected is what is known as a Human Machine Interface (HMI) to the SCADA network and it was running the Microsoft Windows XP operating system. Radiflow's CEO, Ilan Barda, noted that many SCADA environments still have Windows XP systems deployed as operators tend to be very slow to update their operating systems." Radiflow doesn't know how much Monero (XMR) cryptocurrency was mined by the malware, but a recent report from Cisco's Talos research group revealed that some of the top un-authorized cryptocurrency campaigns generate over a million dollars per year. The average system would generate nearly $200,000 per year.

Police In China Are Scanning Travelers With Facial Recognition Glasses ( 87

Baron_Yam shares a report from Engadget: Police in China are now sporting glasses equipped with facial recognition devices and they're using them to scan train riders and plane passengers for individuals who may be trying to avoid law enforcement or are using fake IDs. So far, police have caught seven people connected to major criminal cases and 26 who were using false IDs while traveling, according to People's Daily. The Wall Street Journal reports that Beijing-based LLVision Technology Co. developed the devices. The company produces wearable video cameras as well and while it sells those to anyone, it's vetting buyers for its facial recognition devices. And, for now, it isn't selling them to consumers. LLVision says that in tests, the system was able to pick out individuals from a database of 10,000 people and it could do so in 100 milliseconds. However, CEO Wu Fei told the Wall Street Journal that in the real world, accuracy would probably drop due to "environmental noise." Additionally, aside from being portable, another difference between these devices and typical facial recognition systems is that the database used for comparing images is contained in a hand-held device rather than the cloud."

Samsung and Roku Smart TVs Vulnerable To Hacking, Consumer Reports Finds ( 102

An anonymous reader quotes a report from Consumer Reports: Consumer Reports has found that millions of smart TVs can be controlled by hackers exploiting easy-to-find security flaws. The problems affect Samsung televisions, along with models made by TCL and other brands that use the Roku TV smart-TV platform, as well as streaming devices such as the Roku Ultra. We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn't understand what was happening. This could be done over the web, from thousands of miles away. (These vulnerabilities would not allow a hacker to spy on the user or steal information.) The findings were part of a broad privacy and security evaluation, led by Consumer Reports, of smart TVs from top brands that also included LG, Sony, and Vizio. The testing also found that all these TVs raised privacy concerns by collecting very detailed information on their users. Consumers can limit the data collection. But they have to give up a lot of the TVs' functionality -- and know the right buttons to click and settings to look for.

Key iPhone Source Code Gets Posted On GitHub ( 188

Jason Koebler shares a report from Motherboard: An anonymous person posted what experts say is the source code for a core component of the iPhone's operating system on GitHub, which could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve. The code is for "iBoot," which is the part of iOS that is responsible for ensuring a trusted boot of the operating system. It's the program that loads iOS, the very first process that runs when you turn on your iPhone. The code says it's for iOS 9, an older version of the operating system, but portions of it are likely to still be used in iOS 11. Bugs in the boot process are the most valuable ones if reported to Apple through its bounty program, which values them at a max payment of $200,000. "This is the biggest leak in history," Jonathan Levin, the author of a series of books on iOS and Mac OSX internals, told Motherboard in an online chat. "It's a huge deal." Levin, along with a second security researcher familiar with iOS, says the code appears to be the real iBoot code because it aligns with the code he reverse engineered himself.
United States

36 Indicted in Global Cybercrime Ring That Stole $530M ( 40

U.S. prosecutors say 36 people have been indicted in connection with an international cybercrime ring that bought and sold stolen credit card information, leading to losses of more than $530 million. From a report: The Justice Department says Wednesday that the so-called Infraud Organization dealt in the large-scale acquisition and sale of stolen identities, credit card information and malware. Deputy Assistant Attorney General David Rybicki says it was "truly the premier one-stop shop for cybercriminals worldwide." He says the organization used an online forum on the dark web to sell financial and personal information. Investigators believe the organization's nearly 11,000 members targeted more than 4.3 million credit cards and bank accounts.

'Humans Not Invited' Is a CAPTCHA Test That Welcomes Bots, Filters Out Humans ( 82

While most CAPTCHA tests we come across on the Web are usually meant to keep robots out, one website is welcoming them in. From a report: The conceit of Humans Not Invited is essentially a reverse CAPTCHA. Visitors to the site are greeted with a vision test not unlike the ones you've done before, but instead it's filled with seemingly indistinguishable blue and gray blurry boxes. When I tried, prompted to "select all squares with selfie sticks." Most humans, like me, will fail to decipher the hidden selfie sticks and will be shown a message that says "YOU'RE A HUMAN. YOU'RE NOT INVITED." To the human eye these boxes appear indistinguishable, a specially programmed bot can spot out the correct image simply by identifying a handful of pixels, according to the project's creator, Damjanski, (his real name is Danjan Pita).

Meet the Tiny Startup That Sells IPhone and Android Zero Days To Governments ( 51

An anonymous reader writes: The story of Azimuth Security, a tiny startup in Australia, provides a rare peek inside the secretive industry that helps government hackers get around encryption. Azimuth is part of an opaque, little known corner of the intelligence world made of hackers who develop and sell expensive exploits to break into popular technologies like iOS, Chrome, Android and Tor.

Scammers Use Download Bombs To Freeze Chrome Browsers on Shady Sites ( 72

An anonymous reader shares a report: The operators of some tech support scam websites have found a new trick to block visitors on their shady sites and scare non-technical users into paying for unneeded software or servicing fees. The trick relies on using JavaScript code loaded on these malicious pages to initiate thousands of file download operations that quickly take up the user's memory resources, freezing Chrome on the scammer's site. The trick is meant to drive panicked users into calling one of the tech support phone numbers shown on the screen. According to Jerome Segura -- Malwarebytes leading expert in tech support scam operations, malvertising, and exploit kits -- this new trick utilizes the JavaScript Blob method and the window.navigator.msSaveOrOpenBlob function to achieve the "download bomb" that freezes Chrome.

A Flaw In Hotspot Shield Can Expose VPN Users, Locations ( 25

An anonymous reader quotes a report from ZDNet: A security researcher has found a way to identify users of Hotspot Shield, a popular free virtual private network service that promises its users anonymity and privacy. Hotspot Shield, developed by AnchorFree, has an estimated 500 million users around the world relying on its privacy service. By bouncing a user's internet and browsing traffic through its own encrypted pipes, the service makes it harder for others to identify individual users and eavesdrop on their browsing habits. But an information disclosure bug in the privacy service results in a leak of user data, such as which country the user is located, and the user's Wi-Fi network name, if connected. That information leak can be used to narrow down users and their location by correlating Wi-Fi network name with public and readily available data.

Apple Is Seeing 'Strong Demand' For Replacement iPhone Batteries ( 83

In a letter addressed to the U.S. lawmakers, Apple said earlier this month that it was seeing "strong demand" for replacement iPhone batteries. The company added that it may offer rebates for consumers who paid full price for new batteries. From a report: Apple confirmed in December that software to deal with aging batteries in iPhone 6, iPhone 6s and iPhone SE models could slow down performance. The company apologized and lowered the price of battery replacements for affected models from $79 to $29. In the letter released Tuesday, amid nagging allegations that it slowed down phones with older batteries as a way to push people into buying new phones, the company said it was considering issuing rebates to consumers who paid full price for replacement batteries.

A Bug in Browser Extension Grammarly, Now Patched, Could Have Allowed an Attacker To Read Everything Users Wrote Online ( 57

Copyediting app Grammarly included a gaping security hole that left users of its browser extension open to more embarrassment than just misspelled words. From a report: The Grammarly browser extension for Chrome and Firefox contained a "high severity bug" that was leaking authentication tokens, according to a bug report by Tavis Ormandy, a security researcher with Google's Project Zero. This meant that any website a Grammarly user visited could access the user's "documents, history, logs, and all other data," according to Ormandy. Grammarly provides automated copyediting for virtually anything you type into a browser that has the extension enabled, from blogs to tweets to emails to your attorney. In other words, there is an unfathomable number of scenarios in which this kind of major vulnerability could result in disastrous real-world consequences. Grammarly has approximately 22 million users, according to Ormandy, and the company told Gizmodo in an email that it "has no evidence that any user information was compromised" by the security hole. "We're continuing to monitor actively for any unusual activity," a Grammarly spokesperson said.

Apple is Sending Some Developers Ad Spend and Install Details For Other People's Apps ( 14

An issue at Apple appears to be resulting in app developers getting emails of ad spend and install summaries for apps belonging to other developers. From a report: The issue -- which appears specific right now to developers using Search Ads Basic, pay-per-install ads that appear as promoted apps when people search on the App Store -- was raised on Twitter by a number of those affected, including prominent developer Steve Troughton-Smith, who posted a screenshot of an email that summarized January's ad spend and install data another developer's two apps. Several others replied noting the same issue, listing more developers and random apps.

Man Sues T-Mobile For Allegedly Failing To Stop Hackers From Stealing His Cryptocurrency ( 133

Over the weekend, a lawsuit was filed against T-Mobile claiming that the company's lack of security allowed hackers to enter his wireless account last fall and steal cryptocoins worth thousands of dollars. "Carlos Tapang of Washington state accuses T-Mobile of having 'improperly allowed wrongdoers to access' his wireless account on November 7th last year," reports The Verge. "The hackers then cancelled his number and transferred it to an AT&T account under their control. 'T-Mobile was unable to contain this security breach until the next day,' when it finally got the number back from AT&T, Tapang alleges in the suit, first spotted by Law360." From the report: After gaining control of his phone number, the hackers were able to change the password on one of Tapang's cryptocurrency accounts and steal 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins, Tapang claims. The hackers then exchanged the coins for 2.875 Bitcoin and transferred it out of his account, the suit states. On November 7th, the price of Bitcoin was $7,118.80, so had the hackers cashed out then, they would have netted a profit of $20,466.55. Tapang goes on to say, "After the incident, BTC price reached more than $17,000.00 per coin," but given the volatility of bitcoin prices, the hackers may not have benefited from the soar.

The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang's account prior to the incident, but didn't actually implement it. Tapang also states that hackers are able to call T-Mobile's customer support multiple times to gain access to customer accounts, until they're able to get an agent on the line that would grant them access without requiring further identity verification. The complaint also lists several anonymous internet users who have posted about similar security breaches to their own T-Mobile accounts.

United Kingdom

Lauri Love Ruling 'Sets Precedent' For Trying Hacking Suspects in UK ( 222

A high court ruling blocking extradition to the US of Lauri Love, a student accused of breaking into US government websites, has been welcomed by lawyers and human rights groups as a precedent for trying hacking suspects in the UK in future. From a report: The decision delivered by the lord chief justice, Lord Burnett of Maldon, is highly critical of the conditions Love would have endured in US jails, warning of the risk of suicide. Lawyers for the 33-year-old, who lives in Suffolk, had argued that Love should be tried in Britain for allegedly hacking into US government websites and that he would be at risk of killing himself if sent to the US. There was cheering and applause in court on Monday when Burnett announced his decision. He asked supporters to be quiet, saying: "This is a court, not a theatre." In his judgment, Burnett said: "It would not be oppressive to prosecute Mr Love in England for the offences alleged against him. Far from it. Much of Mr Love's argument was based on the contention that this is indeed where he should be prosecuted

NSA Exploits Ported To Work on All Windows Versions Released Since Windows 2000 ( 95

Catalin Cimpanu, reporting for BleepingComputer: A security researcher has ported three leaked NSA exploits to work on all Windows versions released in the past 18 years, starting with Windows 2000. The three exploits are EternalChampion, EternalRomance, and EternalSynergy; all three leaked last April by a hacking group known as The Shadow Brokers who claimed to have stolen the code from the NSA. Several exploits and hacking tools were released in the April 2017 Shadow Brokers dump, the most famous being EternalBlue, the exploit used in the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks.
Open Source

LKRG: A Loadable Linux Kernel Module for Runtime Integrity Checking ( 36

An anonymous reader quotes BleepingComputer: Members of the open source community are working on a new security-focused project for the Linux kernel. Named Linux Kernel Runtime Guard (LKRG), this is a loadable kernel module that will perform runtime integrity checking of the Linux kernel. Its purpose is to detect exploitation attempts for known security vulnerabilities against the Linux kernel and attempt to block attacks. LKRG will also detect privilege escalation for running processes, and kill the running process before the exploit code runs.

Since the project is in such early development, current versions of LKRG will only report kernel integrity violations via kernel messages, but a full exploit mitigation system will be deployed as the system matures... While LKRG will remain an open source project, LKRG maintainers also have plans for an LKRG Pro version that will include distro-specific LKRG builds and support for the detection of specific exploits, such as container escapes. The team plans to use the funds from LKRG Pro to fund the rest of the project.

The first public version of LKRG -- LKRG v0.0 -- is now live and available for download on this page. A wiki is also available here, and a Patreon page for supporting the project has also been set up. LKRG kernel modules are currently available for main Linux distros such as RHEL7, OpenVZ 7, Virtuozzo 7, and Ubuntu 16.04 to latest mainlines.


Malware Exploiting Spectre, Meltdown CPU Flaws Emerges ( 84

wiredmikey quotes SecurityWeek: Researchers have discovered more than 130 malware samples designed to exploit the recently disclosed Spectre and Meltdown CPU vulnerabilities. While a majority of the samples appear to be in the testing phase, we could soon start seeing attacks... On Wednesday, antivirus testing firm AV-TEST told SecurityWeek that it has obtained 139 samples from various sources, including researchers, testers and antivirus companies... Fortinet, which also analyzed many of the samples, confirmed that a majority of them were based on available proof of concept code. Andreas Marx, CEO of AV-TEST, believes different groups are working on the PoC exploits to determine if they can be used for some purpose. "Most likely, malicious purposes at some point," he said.

Camera Makers Resist Encryption, Despite Warnings From Photographers ( 291

An anonymous reader shares an article from the security editor of ZDNet: A year after photojournalists and filmmakers sent a critical letter to camera makers for failing to add a basic security feature to protect their work from searches and hacking, little progress has been made. The letter, sent in late 2016, called on camera makers to build encryption into their cameras after photojournalists said they face "a variety of threats..." Even when they're out in the field, collecting footage and documenting evidence, reporters have long argued that without encryption, police, the military, and border agents in countries where they work can examine and search their devices. "The consequences can be dire," the letter added.

Although iPhones and Android phones, computers, and instant messengers all come with encryption, camera makers have fallen behind. Not only does encryption protect reported work from prying eyes, it also protects sources -- many of whom put their lives at risk to expose corruption or wrongdoing... The lack of encryption means high-end camera makers are forcing their customers to choose between putting their sources at risk, or relying on encrypted, but less-capable devices, like iPhones. We asked the same camera manufacturers if they plan to add encryption to their cameras -- and if not, why. The short answer: don't expect much any time soon.


What Are Today's Most Difficult IT Hires? ( 281

Slashdot reader snydeq shared an article from CIO: The IT talent gap is driving up demand for skilled IT pros, but for certain roles and skillsets, finding -- and signing -- the right candidate can feel a bit like trying to capture a unicorn... AI and data science jobs are at the top of the list, in part because they're relatively young technologies, and they're being introduced in all sorts of companies going through their digital transformation. At the same time, there are some surprises... The experts we talked with name-checked a laundry list of desirable skills and needed experience with emerging areas like cognitive computing, machine learning, data analytics, IoT and blockchain. But the true unicorns are candidates who can not only deepen their bench of tech skills but keep an eye on the bottom line.
The article also cites high demand for data privacy experts, penetration testers with a scientific mind-set, and adaptable developers (including DevOps engineers), as well as experts in robotics and cryptology. But everyone's experiencing the job market differently, so the original submission ends with a question for Slashdot readers.

"What hires are you having the most difficulty making these days?"

Surface Pro 4 Owners Are Putting Their Tablets in Freezers To Fix Screen Flickering Issues ( 87

Hundreds of Surface Pro 4 owners have been complaining about screen flickering issues on their tablets, and many are putting it in freezers to "fix" it. From a report: A thread over at Microsoft's support forums shows that the problems have been occurring for more than a year, and most devices affected are out of warranty. Dubbed "Flickergate," a website to report the issues claims at least 1,600 Surface Pro 4 owners have experienced the screen flickering problems. The flickering appears to be a hardware issue, which occurs after the device heats up during use. Some owners have even started freezing their tablets to stop the screen flickering temporarily. "I get about half an hour's use out of it after ten minutes in the freezer," says one owner. Another user posted a video showing how the flickering stops as soon as the Surface Pro 4 is placed in a freezer.

Firefox 59 Will Stop Websites Snooping on Where You've Just Been ( 121

Firefox 59 will reduce how much information websites pass on about visitors in an attempt to improve privacy for users of its private browsing mode. From a report: When you click a link in your browser to navigate to a new site, the site you go on to visit receives the address of the site you came from, via the so-called "referrer value." While this helps websites understand where visitors are coming from, it can also leak data about the individual browsing, because it tells the site the exact page you were looking at when you clicked the link, said Mozilla. Browsers also send a referrer value when requesting other details like ads, or other social media snippets integrated in a modern website, which means these embedded content features also know exactly what page you're visiting.

New Zero-Day Vulnerability Found In Adobe Flash Player ( 87

GBHackers On Cyber Security and an anonymous Slashdot reader have shared a story about a new zero-day vulnerability found in Adobe's Flash Player. Bleeping Computer reports: South Korean authorities have issued a warning regarding a brand new Flash zero-day deployed in the wild. According to a security alert issued by the South Korean Computer Emergency Response Team (KR-CERT), the zero-day affects Flash Player installs and earlier. Flash is the current Flash version number.

"An attacker can persuade users to open Microsoft Office documents, web pages, spam e-mails, etc. that contain Flash files that distribute the malicious [Flash] code," KR-CERT said. The malicious code is believed to be a Flash SWF file embedded in MS Word documents. Simon Choi, a security researcher with Hauri Inc., a South Korean security firm, says the zero-day has been made and deployed by North Korean threat actors and used since mid-November 2017. Choi says attackers are trying to infect South Koreans researching North Korea.
Adobe said it plans to patch this zero-day on Monday, February 5.

How DIY Rebels Are Working To Replace Tech Giants ( 115

mspohr shares an excerpt from an "interesting article about groups working to make a safer internet": Balkan and Kalbag form one small part of a fragmented rebellion whose prime movers tend to be located a long way from Silicon Valley. These people often talk in withering terms about Big Tech titans such as Mark Zuckerberg, and pay glowing tribute to Edward Snowden. Their politics vary, but they all have a deep dislike of large concentrations of power and a belief in the kind of egalitarian, pluralistic ideas they say the internet initially embodied. What they are doing could be seen as the online world's equivalent of punk rock: a scattered revolt against an industry that many now think has grown greedy, intrusive and arrogant -- as well as governments whose surveillance programs have fueled the same anxieties. As concerns grow about an online realm dominated by a few huge corporations, everyone involved shares one common goal: a comprehensively decentralized internet. Balkan energetically travels the world, delivering TED-esque talks with such titles as "Free is a Lie" and "Avoiding Digital Feudalism."

[David Irvine, computer engineer and founder of MaidSafe, has devised an alternative to the "modern internet" he calls the Safe network]: the acronym stands for "Safe Access for Everyone." In this model, rather than being stored on distant servers, people's data -- files, documents, social-media interactions -- will be broken into fragments, encrypted and scattered around other people's computers and smartphones, meaning that hacking and data theft will become impossible. Thanks to a system of self-authentication in which a Safe user's encrypted information would only be put back together and unlocked on their own devices, there will be no centrally held passwords. No one will leave data trails, so there will be nothing for big online companies to harvest. The financial lubricant, Irvine says, will be a cryptocurrency called Safecoin: users will pay to store data on the network, and also be rewarded for storing other people's (encrypted) information on their devices. Software developers, meanwhile, will be rewarded with Safecoin according to the popularity of their apps. There is a community of around 7,000 interested people already working on services that will work on the Safe network, including alternatives to platforms such as Facebook and YouTube.


Ask Slashdot: Which Tech Company Do You Respect Most? 311

dryriver writes: On Slashdot, we often discuss the missteps and non consumer-friendly behavior of various tech companies. This company forced people into a subscription payment model. That tech company doesn't respect people's privacy. Yet another tech company failed to fix a dangerous exploit quickly, protect people's cloud data properly, or innovate and improve where innovation and improvement was badly needed.

Here's a question to the contrary: Of all the tech companies you know well and follow -- small, medium, or large -- which are the ones that you respect the most, and why? Which are the companies that still -- or newly -- create great tech in a landscape dotted with profiteers? Also, what is your personal criteria for judging whether a tech company is "good," "neutral," or "bad?"

Slashdot Top Deals