US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software

An anonymous reader quotes a report from ZDNet: U.S. border officials have failed to cryptographically verify the passports of visitors to the U.S. for more than a decade -- because the government didn't have the proper software. The revelation comes from a letter by Sens. Ron Wyden (D-OR) and Claire McCaskill (D-MO), who wrote to U.S. Customs and Border Protection (CBP) acting commissioner Kevin K. McAleenan to demand answers. E-passports have an electronic chip containing cryptographic information and machine-readable text, making it easy to verify a passport's authenticity and integrity. That cryptographic information makes it almost impossible to forge a passport, and it helps to protect against identity theft. Introduced in 2007, all newly issued passports are now e-passports. Citizens of the 38 countries on the visa waiver list must have an e-passport in order to be admitted to the U.S. But according to the senators' letter, sent Thursday, border staff "lacks the technical capabilities to verify e-passport chips." Although border staff have deployed e-passport readers at most ports of entry, "CBP does not have the software necessary to authenticate the information stored on the e-passport chips." "Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged," the letter stated. Wyden and McCaskill said in the letter that Customs and Border Protection has "been aware of this security lapse since at least 2010."

The Los Angeles Times Website Is Unintentionally Serving a Cryptocurrency Mining Script

troublemaker_23 shares a report from iTWire: The Los Angeles Times website is serving a cryptocurrency mining script which appears to have been placed there by malicious attackers, according to a well-known security expert. British infosec researcher Kevin Beaumont, who has warned that Amazon AWS servers could be held to ransom due to lax security, tweeted that the newspaper's site was serving a script created by Coinhive. The Coinhive script mines for the monero cryptocurrency. The S3 bucket used by the LA Times is apparently world-writable and an ethical hacker appears to have left a warning in the repository, warning of possible misuse and asking the owner to secure the bucket.

Botched npm Update Crashes Linux Systems, Forces Users to Reinstall

Catalin Cimpanu, reporting for BleepingComputer: A bug in npm (Node Package Manager), the most widely used JavaScript package manager, will change ownership of crucial Linux system folders, such as /etc, /usr, /boot. Changing ownership of these files either crashes the system or various local apps, or prevents the system from booting, according to reports from users who installed npm v5.7.0 -- the buggy npm update. Users who installed this update -- mostly developers and software engineers -- will likely have to reinstall their system from scratch or restore from a previous system image.

100-Page Report Warns of the Many Dangers of AI

dmoberhaus writes: Last year, 26 top AI researchers from around the globe convened in Oxford to discuss the biggest threats posed by artificial intelligence. The result of this two-day conference was published today as a 100-page report. The report details three main areas where AI poses a threat: political, physical systems, and cybersecurity. It discusses the specifics of these threats, which range from political strife caused by fake AI-generated videos to catastrophic failure of smart homes and autonomous vehicles, as well as intentional threats, such as autonomous weapons. Although the researchers offer only general guidance for how to deal with these threats, they do offer a path forward for policymakers.

Intel Has a New Spectre and Meltdown Firmware Patch For You To Try Out

Mark Wilson writes: The Spectre/Meltdown debacle continues to rumble on, and now the chip manufacturer has announced the availability of a new 'microcode solution' to the vulnerability. The updated firmware applies to 6th, 7th and 8th Generation Intel Core devices, and the release sees the company crossing its fingers and hoping that everything works out this time.

This is Intel's second attempt at patching the vulnerability, and this time around both the company and its customers will be praying that the fix for Skylake, Kaby Lake and Coffee Lake chips actually does the job.


uTorrent Client Affected by Some Pretty Severe Security Flaws

A Google security researcher has found multiple security flaws affecting the uTorrent web and desktop clients that allow an attacker to infect a victim with malware or collect data on the user's past downloads, reports BleepingComputer. From the report: The vulnerabilities have been discovered by Google Project Zero security researcher Tavis Ormandy, and they impact uTorrent Web, a new web-based version of the uTorrent BitTorrent client, and uTorrent Classic, the old uTorrent client that most people know. Ormandy says that both uTorrent clients are exposing an RPC server -- on port 10000 (uTorrent Classic) and 19575 (uTorrent Web). The expert says that attackers can hide commands inside web pages that interact with this open RPC server. The attacker only needs to trick a user with a vulnerable uTorrent client into accessing a malicious web page. Furthermore, the uTorrent clients are also vulnerable to DNS rebinding -- a vulnerability that allows the attacker to legitimize his requests to the RPC server.

Lawsuits Threaten Infosec Research -- Just When We Need it Most

This year, two security reporters and one researcher will fight for their professional lives in court. Steve Ragan, senior staff writer at tech news site CSO, and Dan Goodin, security editor at Ars Technica, were last year named defendants in two separate lawsuits. The cases are different, but they have a common theme: they are being sued by the companies covered in articles they wrote. From a report: Although lawsuits targeting reporters, particularly on the security beat, are rare, legal threats are an occupational hazard that reporters are all too aware of -- from companies threatening to call an editor to demand a correction -- or else -- to a full-blown lawsuit. But the inevitable aftermath is a "chilling effect." White-hat hackers and security researchers hesitate to report vulnerabilities and weaknesses to technology firms for fear of facing legal retribution. With nation state attackers targeting elections and critical national security infrastructure on a near-daily basis, security research is needed more than ever.

Hackers Hijacked Tesla's Amazon Cloud Account To Mine Cryptocurrency

An unidentified hacker or hackers broke into a Tesla-owned Amazon cloud account and used it to "mine" cryptocurrency, security researchers said. The breach also exposed proprietary data for the electric carmaker. From a report: The researchers, who worked for RedLock, a 3-year-old cybersecurity startup, said they discovered the intrusion last month while trying to determine which organization left credentials for an Amazon Web Services (AWS) account open to the public Internet. The owner of the account turned out to be Tesla, they said. "We weren't the first to get to it," Varun Badhwar, CEO and cofounder of RedLock, told Fortune on a call. "Clearly, someone else had launched instances that were already mining cryptocurrency in this particular Tesla environment." The incident is the latest in a string of so-called cryptojacking attacks, which involve thieves hijacking unsuspecting victims' computers to generate virtual currencies like Bitcoin. The schemes have seen a resurgence in popularity as cryptocurrency prices have soared over the past year. In a statement, Tesla said, "We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way."

Apple Updates All of Its Operating Systems To Fix App-crashing Bug

It took a few days, but Apple already has a fix out for a bug that caused crashes on each of its platforms. From a report: The company pushed new versions of iOS, macOS and watchOS to fix the issue, which was caused when someone pasted in or received a single Indian-language character in select communications apps -- most notably in iMessages, Safari and the App Store. Using a specific character in the Telugu language native to India was enough to crash a variety of chat apps, including iMessage, WhatsApp, Twitter, Facebook Messenger, Gmail and Outlook, though Telegram and Skype were seemingly immune.

Flight Sim Company Embeds Malware To Steal Pirates' Passwords

TorrentFreak: Flight sim company FlightSimLabs has found itself in trouble after installing malware onto users' machines as an anti-piracy measure. Code embedded in its A320-X module contained a mechanism for detecting 'pirate' serial numbers distributed on The Pirate Bay, which then triggered a process through which the company stole usernames and passwords from users' web browsers.

The Courts

Man, Seeking New Copy of Windows 7 After Forced Windows 10 Upgrade, Sues Microsoft

Catalin Cimpanu, writing for BleepingComputer: An Albuquerque man has sued Microsoft and its CEO -- Satya Nadella -- seeking a fresh copy of Windows 7 or $600 million in damages. According to a civil complaint filed last week on February 14, Frank K. Dickman Jr. of Albuquerque, New Mexico, is suing Microsoft because of a botched forced Windows 10 upgrade. "I own a ASUS 54L laptop computer which has an OEM license for Windows Version 7," Dickman's claim reads. "The computer was upgraded to Windows Version 10 and became non-functional immediately. The upgrade deleted the cached, or backup, version of Windows 7." Dickman says that the laptop's original OEM vendor is "untrustworthy," hence, he cannot obtain a legitimate copy of Windows 7 to downgrade his laptop.

Contractors Pose Cyber Risk To Government Agencies

Ian Barker, writing for BetaNews: While US government agencies are continuing to improve their security performance over time, the contractors they employ are failing to meet the same standards, according to a new report. The study by security rankings specialist BitSight sampled over 1,200 federal contractors and finds that the security rating for federal agencies was 15 or more points higher than the mean of any contractor sector. It finds that more than eight percent of healthcare and wellness contractors have disclosed a data breach since January 2016. Aerospace and defense firms have the next highest breach disclosure rate, at 5.6 percent. While government has made a concerted effort to fight botnets in recent months, botnet infections are still prevalent among the government contractor base, particularly for healthcare and manufacturing contractors. The study also shows many contractors are not following best practices for network encryption and email security.

US's Greatest Vulnerability is Ignoring the Cyber Threats From Our Adversaries, Foreign Policy Expert Says

America's greatest vulnerability is its continued inability to acknowledge the extent of its adversaries' capabilities when it comes to cyber threats, says Ian Bremmer, founder and president of leading political risk firm Eurasia Group. From a report: Speaking to CNBC from the Munich Security Conference on Saturday, the prominent American political scientist emphasized that there should be much more government-level concern and urgency over cyber risk. The adversarial states in question are what U.S. intelligence agencies call the "big four": Russia, China, North Korea, and Iran. "We're vulnerable because we continue to underestimate the capabilities in those countries. WannaCry, from North Korea -- no one in the U.S. cybersecurity services believed the North Koreans could actually do that," Bremmer described, naming the ransomware virus that crippled more than 200,000 computer systems across 150 countries in May of 2017.

Borge Brende, president of the World Economic Forum, weighed in, stressing the economic cost of cyber crimes. "It is very hard to attribute cyberattacks to different actors or countries, but the cost is just unbelievable. Annually more than a thousand billion U.S. dollars are lost for companies or countries due to these attacks and our economy is more and more based on internet and data."


Facebook Admits SMS Notifications Sent Using Two-Factor Number Was Caused by Bug

Facebook has clarified the situation around SMS notifications sent using the company's two-factor authentication (2FA) system, admitting that the messages were indeed caused by a bug. From a report: In a blog post penned by Facebook Chief Security Officer Alex Stamos, the company says the error led it to "send non-security-related SMS notifications to these phone numbers." Facebook uses the automated number 362-65, or "FBOOK," as its two-factor authentication number, which is a secure way of confirming a user's identity by sending a numeric code to a secondary device like a mobile phone. That same number ended up sending users Facebook notifications without their consent. When users would attempt to get the SMS notifications to stop, the replies were posted to their own Facebook profiles as status updates.

Phishing Attack Scores Credentials For More Than 50,000 Snapchat Users

An anonymous reader quotes an exclusive report from The Verge: In late July, Snap's director of engineering emailed the company's team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company's users: a publicly available list, embedded in a phishing website named, that listed 55,851 Snapchat accounts, along with their usernames and passwords. The attack appeared to be connected to a previous incident that the company believed to have been coordinated from the Dominican Republic, according to emails obtained by The Verge. Not all of the account credentials were valid, and Snap had reset the majority of the accounts following the initial attack. But for some period of time, thousands of Snapchat account credentials were available on a public website. According to a person familiar with the matter, the attack relied on a link sent to users through a compromised account that, when clicked, opened a website designed to mimic the Snapchat login screen.

A Hacker Has Wiped a Spyware Company's Servers -- Again

Last year, a vigilante hacker broke into the servers of a company that sells spyware to everyday consumers and wiped their servers, deleting photos captured from monitored devices. A year later, the hacker has done it again. Motherboard: Thursday, the hacker said he started wiping some cloud servers that belong to Retina-X Studios, a Florida-based company that sells spyware products targeted at parents and employers, but that are also used by people to spy on their partners without their consent. Retina-X was one of two companies that were breached last year in a series of hacks that exposed the fact that many otherwise ordinary people surreptitiously install spyware on their partners' and children's phones in order to spy on them. This software has been called "stalkerware" by some.

Google Exposes How Malicious Sites Can Exploit Microsoft Edge

Google's Project Zero team has published details of an unfixed bypass for an important exploit-mitigation technique in Edge. From a report: The mitigation, Arbitrary Code Guard (ACG), arrived in the Windows 10 Creators Update to help thwart web attacks that attempt to load malicious code into memory. The defense ensures that only properly signed code can be mapped into memory. However, as Microsoft explains, Just-in-Time (JIT) compilers used in modern web browsers create a problem for ACG. JIT compilers transform JavaScript into native code, some of which is unsigned and runs in a content process.

To ensure JIT compilers work with ACG enabled, Microsoft put Edge's JIT compiling in a separate process that runs in its own isolated sandbox. Microsoft said this move was "a non-trivial engineering task." "The JIT process is responsible for compiling JavaScript to native code and mapping it into the requesting content process. In this way, the content process itself is never allowed to directly map or modify its own JIT code pages," Microsoft says. Google's Project Zero found that an issue is created by the way the JIT process writes executable data into the content process.


Two Years After FBI vs Apple, Encryption Debate Remains

It's been two years since the FBI and Apple got into a giant fight over encryption following the San Bernardino shooting, when the government had the shooter's iPhone, but not the password needed to unlock it, so it asked Apple to create a way inside. What's most surprising is how little has changed since then. From a report: The encryption debate remains unsettled, with tech companies largely opposed and some law enforcement agencies still making the case to have a backdoor. The case for strong encryption: Those partial to the tech companies' arguments will note that cyberattacks and hacking incidents have become even more common, with encryption serving as a valuable way to protect individuals' personal information. The case for backdoors: Criminals are doing bad stuff and when devices are strongly encrypted they can do it in what amounts to the perfect dark alley, completely hidden from public view.

Pro-Gun Russian Bots Flood Twitter After Parkland Shooting

An anonymous reader quotes a report from Wired: In the wake of Wednesday's Parkland, Florida school shooting, which resulted in 17 deaths, troll and bot-tracking sites reported an immediate uptick in related tweets from political propaganda bots and Russia-linked Twitter accounts. Hamilton 68, a website created by Alliance for Securing Democracy, tracks Twitter activity from accounts it has identified as linked to Russian influence campaigns. On RoBhat Labs' website, created by two Berkeley students to track 1,500 political propaganda bots, all of the top two-word phrases used in the last 24 hours -- excluding President Trump's name -- are related to the tragedy: school shooting, gun control, high school, Florida school. The top hashtags from the last 24 hours include Parkland, guncontrol, and guncontrolnow.

While RoBhat Labs tracks general political bots, Hamilton 68 focuses specifically on those linked to the Russian government. According to the group's data, the top link shared by Russia-linked accounts in the last 48 hours is a 2014 Politifact article that looks critically at a statistic cited by pro-gun control group Everytown for Gun Safety. Twitter accounts tracked by the group have used the old link to try to debunk today's stats about the frequency of school shootings. Another top link shared by the network covers the "deranged" Instagram account of the shooter, showing images of him holding guns and knives, wearing army hats, and a screenshot of a Google search of the phrase "Allahu Akbar." Characterizing shooters as deranged lone wolves with potential terrorist connections is a popular strategy of pro-gun groups because of the implication that new gun laws could not have prevented their actions. Meanwhile, some accounts with large bot followings are already spreading misinformation about the shooter's ties to far-left group Antifa, even though the Associated Press reported that he was a member of a local white nationalist group. The Twitter account Education4Libs, which RoBhat Labs shows is one among the top accounts tweeted at by bots, is among the prominent disseminators of that idea.

United Kingdom

UK Blames Russia For Cyber Attack, Says Won't Tolerate Disruption

Britain blamed Russia on Thursday for a cyber-attack last year, publicly pointing the finger at Moscow for spreading a virus which disrupted companies across Europe including UK-based Reckitt Benckiser. From a report: Russia denied the accusation, saying it was part of a "Russophobic" campaign it said was being waged by some Western countries. The so-called NotPetya attack in June started in Ukraine, where it crippled government and business computers before spreading around the world, halting operations at ports, factories and offices. Britain's foreign ministry said the attack originated from the Russian military. "The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity," the ministry said in a statement. "The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt," it said.

Facebook Is Spamming Users Via Their 2FA Phone Numbers

According to Mashable, Facebook account holder Gabriel Lewis tweeted that Facebook texted "spam" to the phone number he submitted for the purposes of 2-factor authentication. Lewis insists that he did not have mobile notifications turned on, and when he replied "stop" and "DO NOT TEXT ME," he says those messages showed up on his Facebook wall. From the report: Lewis explained his version of the story to Mashable via Twitter direct message. "[Recently] I decided to sign up for 2FA on all of my accounts including FaceBook, shortly afterwards they started sending me notifications from the same phone number. I never signed up for it and I don't even have the FB app on my phone." Lewis further explained that he can go "for months" without signing into Facebook, which suggests the possibility that Mark Zuckerberg's creation was feeling a little neglected and trying to get him back. According to Lewis, he signed up for 2FA on Dec. 17 and the alleged spamming began on Jan. 5. Importantly, Lewis isn't the only person who claims this happened to him. One Facebook user says he accidentally told "friends and family to go [to] hell" when he "replied to the spam."

Google's Chrome Ad Blocking Arrives Tomorrow

Google is enabling its built-in ad blocker for Chrome tomorrow (February 15th). From a report: Chrome's ad filtering is designed to weed out some of the web's most annoying ads, and push website owners to stop using them. Google is not planning to wipe out all ads from Chrome, just ones that are considered bad using standards from the Coalition for Better Ads. Full page ads, ads with autoplaying sound and video, and flashing ads will be targeted by Chrome's ad filtering, which will hopefully result in fewer of these annoying ads on the web. Google is revealing today exactly what ads will be blocked, and how the company notifies site owners before a block is put in place. On desktop, Google is planning to block pop-up ads, large sticky ads, auto-play video ads with sound, and ads that appear on a site with a countdown blocking you before the content loads. Google is being more aggressive about its mobile ad blocking, filtering out pop-up ads, ads that are displayed before content loads (with or without a countdown), auto-play video ads with sound, large sticky ads, flashing animated ads, fullscreen scroll-over ads, and ads that are particularly dense.

Kaspersky Says Telegram Flaw Used For Cryptocurrency Mining

According to Kaspersky Lab, hackers have been exploiting a vulnerability in Telegram's desktop client to mine cryptocurrencies such as Monero and ZCash. "Kaspersky said on its website that users were tricked into downloading malicious software onto their computers that used their processing power to mine currency, or serve as a backdoor for attackers to remotely control a machine," reports Bloomberg. From the report: While analyzing the servers of malicious actors, Kaspersky researchers also found archives containing a cache of Telegram data that had been stolen from victims. The Russian security firm said it "reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in messenger's products."

Many ID-Protection Services Fail Basic Security

Paul Wagenseil, writing for Tom's Guide: For a monthly fee, identity-protection services promise to do whatever they can to make sure your private personal information doesn't fall into the hands of criminals. Yet many of these services -- including LifeLock, IDShield and Credit Sesame -- put personal information at risk, because they don't let customers use two-factor authentication (2FA). This simple security precaution is offered by many online services. Without 2FA, anyone who has your email address and password -- which might be obtained from a data breach or a phishing email -- could log in to the account for your identity-protection service and, depending on how the service protects them, possibly steal your bank-account, credit-card and Social Security numbers.

Facebook is Pushing Its Data-tracking Onavo VPN Within Its Main Mobile App

TechCrunch reports: Onavo Protect, the VPN client from the data-security app maker acquired by Facebook back in 2013, has now popped up in the Facebook app itself, under the banner "Protect" in the navigation menu. Clicking through on "Protect" will redirect Facebook users to the "Onavo Protect -- VPN Security" app's listing on the App Store. We're currently seeing this option on iOS only, which may indicate it's more of a test than a full rollout here in the U.S. Marketing Onavo within Facebook itself could lead to a boost in users for the VPN app, which promises to warn users of malicious websites and keep information secure as you browse. But Facebook didn't buy Onavo for its security protections. Instead, Onavo's VPN allows Facebook to monitor user activity across apps, giving Facebook a big advantage in terms of spotting new trends across the larger mobile ecosystem. For example, Facebook gets an early heads up about apps that are becoming breakout hits; it can tell which are seeing slowing user growth; it sees which apps' new features appear to be resonating with their users, and much more. Further reading: Do Not, I Repeat, Do Not Download Onavo, Facebook's Vampiric VPN Service (Gizmodo).

Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite

ZDNet reports on a security flaw in Skype's updater process that "can allow an attacker to gain system-level privileges to a vulnerable computer." If the bug is exploited, it "can escalate a local unprivileged user to the full 'system' level rights -- granting them access to every corner of the operating system." What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources into building an altogether new client. From the report: Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into loading malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs. Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking. The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.

Consumers Prefer Security Over Convenience For the First Time Ever, IBM Security Report Finds

A new study by IBM Security surveying 4,000 adults from a few different regions of the world found that consumers are now ranking security over convenience. For the first time ever, business users and consumers are now preferring security over convenience. From a report: TechRepublic spoke with Limor Kessem, executive security advisor at IBM Security, to discuss this new trend. "We always talk about the ease of use, and not impacting user experience, etc, but it turns out that when it comes to their financial accounts...people actually would go the extra mile and will use extra security," Kessem said. Whether it's using two-factor authentication, an SMS message on top of their password, or any other additional step for extra protection, people still want to use it. Some 74% of respondents said that they would use extra security when it comes to those accounts, she said.

The Insane Amount of Backward Compatibility in Google Maps

Huan Truong, a software developer, writes in a blog post: There is always an unlikely app that consistently works on all of my devices, regardless of their OS and how old they are: Google Maps. Google Maps still works today on Android 1.0, the earliest version available (Maps actually still works with some of the beta versions before that). I believe Maps was only a prototype app in Android 1.0. If I recall correctly, Google didn't have any official real device to run Android 1.0. That was back all the way in 2007. But then, you say, Android is Google's OS for Pete's sake. How about iOS? Google Maps for iOS, version 1.0, released late 2012, still works just fine. That was the first version of Google Maps ever released as a standalone app after Apple ditched Google's map solution on iOS. But wait... there is more. There is native iOS Maps on iOS 6, which was released in early 2012, and it still works. But that's only 6 years ago. Let's go hardcore. How about Google Maps on Java phones (the dumb bricks that run Java "midlets" or whatever the ancient Greeks call it)? It works too. [...] The Palm OS didn't even have screenshot functionality. But lo and behold, Google Maps worked.

Why Paper Jams Persist

A trivial problem reveals the limits of technology. Fascinating story from The New Yorker: Unsurprisingly, the engineers who specialize in paper jams see them differently. Engineers tend to work in narrow subspecialties, but solving a jam requires knowledge of physics, chemistry, mechanical engineering, computer programming, and interface design. "It's the ultimate challenge," Ruiz said.

"I wouldn't characterize it as annoying," Vicki Warner, who leads a team of printer engineers at Xerox, said of discovering a new kind of paper jam. "I would characterize it as almost exciting." When she graduated from the Rochester Institute of Technology, in 2006, her friends took jobs in trendy fields, such as automotive design. During her interview at Xerox, however, another engineer showed her the inside of a printing press. All Xerox printers look basically the same: a million-dollar printing press is like an office copier, but twenty-four feet long and eight feet high. Warner watched as the heavy, pale-gray double doors swung open to reveal a steampunk wonderland of gears, wheels, conveyor belts, and circuit boards. As in an office copier, green plastic handles offer access to the "paper path" -- the winding route, from "feeder" to "stacker," along which sheets of paper are shocked and soaked, curled and decurled, vacuumed and superheated. "Printers are essentially paper torture chambers," Warner said, smiling behind her glasses. "I thought, This is the coolest thing I've ever seen."


Games Organizers at Pyeongchang Winter Olympics Confirm Cyber Attack, Won't Reveal Source

Pyeongchang Winter Olympics organizers confirmed on Sunday that the Games had fallen victim to a cyber attack during Friday's opening ceremony, but they refused to reveal the source. From a report: The Games' systems, including the internet and television services, were affected by the hack two days ago but organizers said it had not compromised any critical part of their operations. "Maintaining secure operations is our purpose," said International Olympic Committee (IOC) spokesman Mark Adams. "We are not going to comment on the issue. It is one we are dealing with. We are making sure our systems are secure and they are secure."

Hackers Hijack Government Websites To Mine Crypto-Cash

BBC reports: The Information Commissioner's Office (ICO) took down its website after a warning that hackers were taking control of visitors' computers to mine cryptocurrency. Security researcher Scott Helme said more than 4,000 websites, including many government ones, were affected. He said the affected code had now been disabled and visitors were no longer at risk. The ICO said: "We are aware of the issue and are working to resolve it." Mr Helme said he was alerted by a friend who had received a malware warning when he visited the ICO website. He traced the problem to a website plug-in called Browsealoud, used to help blind and partially sighted people access the web. The cryptocurrency involved was Monero -- a rival to Bitcoin that is designed to make transactions in it "untraceable" back to the senders and recipients involved. The plug-in had been tampered with to add a program, Coinhive, which "mines" for Monero by running processor-intensive calculations on visitors' computers. The Register: A list of 4,200-plus affected websites can be found here: they include The City University of New York, Uncle Sam's court information portal, Lund University, the UK's Student Loans Company, privacy watchdog The Information Commissioner's Office and the Financial Ombudsman Service, plus a shedload of other sites, UK NHS services, and other organizations across the globe.
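The tampered plug-in above is a third-party script that thousands of sites loaded verbatim. The standard browser-side defence is Subresource Integrity: the site records a hash of the exact script bytes it reviewed, and the browser refuses any copy that no longer matches. The following is an added example, not code from the article, the BBC, the ICO or Browsealoud; the script contents and the CDN URL are constructed stand-ins.

```python
"""Subresource Integrity (SRI) for a third-party script.

Added example, not code from the article, the BBC, the ICO or Browsealoud:
a site pins the exact bytes of a script it loads from a third party, so a
copy altered at the third party is refused by the browser before it runs.
"""
import base64
import hashlib

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed stand-in for a third-party accessibility script (not real Browsealoud code).
ORIGINAL_JS = b"(function(){window.readAloud=function(t){console.log('reading',t);};})();\n"
# Constructed stand-in for a tampered copy: the same script with one appended statement.
TAMPERED_JS = ORIGINAL_JS + b"/* appended at the third party */ window.__extra = 1;\n"


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an integrity value such as 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"SRI does not allow {algo!r}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """The tag a site should emit for a reviewed third-party script: the
    integrity attribute plus crossorigin, which cross-origin SRI checks require."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def integrity_matches(body: bytes, integrity: str) -> bool:
    """The comparison a browser makes before executing the script: the fetched
    body must match at least one of the space-separated hashes listed.
    Tokens with an unsupported algorithm are skipped; unlike the browser spec,
    an integrity value with no usable token is refused here rather than loaded."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in SRI_ALGORITHMS and sri_hash(body, algo) == token:
            return True
    return False


if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_JS)
    print(script_tag("https://cdn.example.invalid/plugin.js", ORIGINAL_JS))
    print("original loads:", integrity_matches(ORIGINAL_JS, pinned))   # True
    print("tampered loads:", integrity_matches(TAMPERED_JS, pinned))   # False
```

The pinned hash must be regenerated, after review, every time the third party ships a new version; that friction is the point.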

Sandboxed Mac Apps Can Record Screen Any Time Without You Knowing

Catalin Cimpanu, writing for BleepingComputer: Malicious app developers can secretly abuse a macOS API function to take screenshots of the user's screen and then use OCR (Optical Character Recognition) to programmatically read the text found in the image. The function is CGWindowListCreateImage, often utilized by Mac apps that take screenshots or live stream a user's desktop. According to Fastlane Tools founder Felix Krause, any Mac app, sandboxed or not, can access this function and secretly take screenshots of the user's screen. Krause argues that miscreants can abuse this privacy loophole and utilize CGWindowListCreateImage to take screenshots of the screen without the user's permission.

Should GitHub Allow Username Reuse?

Jesse Donat argues via Donut Studios why GitHub should never allow usernames to be valid again once they are deleted. He provides the example of a user who hosted a popular tool for embedding data files into Go binaries and then deleted both his GitHub account and his personal domain. "While this is within his rights to do, this broke a dependency many people had within their projects," Donat writes. "To fix this, some users of the project recreated the account and the repository based on a fork of the project." Donat goes on to write: Allowing username reuse completely breaks any trust that what I pull is what it claims to be. What if this user had been malicious? It may have taken a while before someone actually noticed this wasn't the original user and the code was doing something more than it claimed to.

While Go's "go get" functionality is no doubt naive and just pulls the head of a repository, this is not exclusively Go's problem as this affects any package manager that runs on tags. Simply tag malicious changes beyond the current release and it would be deployed to many users likely with little actual review.
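The failure Donat describes is that the fetch trusts a name (account/repository/tag) that someone else can come to own. The following added example, not code from Donat's post, from Go's toolchain or from the project involved, contrasts that name-based fetch with one that also checks a hash of the fetched content recorded while the original owner still existed; the import path, file names and file contents are constructed.

```python
"""Pinning a dependency by content hash instead of trusting its name.

Added example, not code from the article, from Go's toolchain or from the
project discussed: a fetch that trusts only the account/repository name
accepts whatever a recreated account serves under that name, while a fetch
that also checks a recorded content hash refuses it.
"""
import hashlib
from typing import Dict

FileTree = Dict[str, bytes]  # relative path -> file contents


def tree_digest(tree: FileTree) -> str:
    """Deterministic digest of a source tree: paths sorted, each path and its
    content length-prefixed so that 'a'+'bc' and 'ab'+'c' cannot collide."""
    h = hashlib.sha256()
    for path in sorted(tree):
        data = tree[path]
        h.update(f"{len(path)}:".encode() + path.encode())
        h.update(f"{len(data)}:".encode() + data)
    return "sha256:" + h.hexdigest()


def fetch_by_name(registry: Dict[str, FileTree], import_path: str) -> FileTree:
    """The naive behaviour described above: take whatever currently sits at
    this import path, with no way to tell a recreated account from the original."""
    if import_path not in registry:
        raise LookupError(f"no repository at {import_path}")
    return registry[import_path]


def fetch_pinned(registry: Dict[str, FileTree], import_path: str,
                 lockfile: Dict[str, str]) -> FileTree:
    """Fetch by name, then refuse the result unless its digest matches the lockfile."""
    tree = fetch_by_name(registry, import_path)
    expected = lockfile[import_path]
    actual = tree_digest(tree)
    if actual != expected:
        raise RuntimeError(f"{import_path}: content does not match pinned digest "
                           f"(expected {expected[:23]}..., got {actual[:23]}...)")
    return tree


# Constructed scenario; the import path, file names and contents are invented.
IMPORT_PATH = "github.com/original-owner/embedtool"
ORIGINAL_TREE: FileTree = {
    "embed.go": b"package embedtool\n\nfunc Embed(b []byte) []byte { return b }\n",
}
# The same name after the account was deleted and recreated by someone else:
# this copy carries one extra file, which a name-based fetch never notices.
RECREATED_TREE: FileTree = {
    "embed.go": ORIGINAL_TREE["embed.go"],
    "extra.go": b"package embedtool\n\n// file added by whoever recreated the account\n",
}
# What a lockfile would have recorded while the original owner still existed.
LOCKFILE = {IMPORT_PATH: tree_digest(ORIGINAL_TREE)}


def accepted_by_name(tree: FileTree) -> bool:
    return fetch_by_name({IMPORT_PATH: tree}, IMPORT_PATH) is tree


def accepted_by_pin(tree: FileTree) -> bool:
    try:
        fetch_pinned({IMPORT_PATH: tree}, IMPORT_PATH, LOCKFILE)
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    print("recreated account, by name:", accepted_by_name(RECREATED_TREE))  # True
    print("recreated account, pinned: ", accepted_by_pin(RECREATED_TREE))   # False
```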


Hackers In Equifax Breach Accessed More Personal Information Than Previously Disclosed

An anonymous reader quotes a report from The Wall Street Journal (Warning: source may be paywalled; alternative source): Equifax said, in a document submitted to the Senate Banking Committee and reviewed by The Wall Street Journal, that cyberthieves accessed records across numerous tables in its systems that included such data as tax identification numbers, email addresses and drivers' license information beyond the license numbers it originally disclosed. The revelations come some five months after Equifax announced it had been breached and personal information belonging to 145.5 million consumers had been compromised, including names, Social Security numbers, dates of birth and addresses. It's unclear how many of the 145.5 million people are affected by the additional data including tax ID numbers, which are often assigned to people who don't have Social Security numbers. Hackers also accessed email addresses for some consumers, according to the document and an Equifax spokeswoman, who said "an insignificant number" of email addresses were affected. She added that email addresses aren't considered sensitive personal information because they are commonly searchable in public domains.

As for tax ID numbers, the Equifax spokeswoman said they "were generally housed in the same field" as Social Security numbers. She added that individuals without a Social Security number could use their tax ID number to see if they were affected by the hack. Equifax also said, in response to questions from The Wall Street Journal, that some additional drivers' license information had been accessed. The company publicly disclosed in its Sept. 7 breach announcement that drivers' license numbers were accessed; the document submitted to the banking committee also includes drivers' license issue dates and states.


Turkey Rolls Out Domestic Rival To WhatsApp, Raising Surveillance Concerns

Turkey has launched a domestic messaging app to rival Facebook's popular WhatsApp Messenger service, raising concerns among government critics that Ankara (capital of Turkey) could use the new platform to tighten surveillance and bolster an 18-month-old crackdown. From a report: The app, called PttMessenger after Turkey's Post and Telegraph General Directorate (PTT), was introduced in a limited roll-out to state institutions and some private companies this week. It is expected to be publicly available in six months. PttMessenger will provide a "system safer than WhatsApp," government spokesman Bekir Bozdag told a news conference. "Since no data is stored with the host, it will be impossible to access these data. A system safer than WhatsApp has been developed." Critics cast doubt on the suggestion PttMessenger data could not be retrieved, fearing it will give authorities greater ability to monitor dissent, pointing to the widespread crackdown that was launched after a failed military coup in July 2016.

32 Senators Want To Know If US Regulators Halted Equifax Probe

An anonymous reader quotes a report from Engadget: Earlier this week, a Reuters report suggested that the Consumer Financial Protection Bureau (CFPB) had halted its investigation into last year's massive Equifax data breach. Reuters sources said that even basic steps expected in such a probe hadn't been taken and efforts had stalled since Mick Mulvaney took over as head of the CFPB late last year. Now, 31 Democratic senators and one Independent have written a letter to Mulvaney asking if that is indeed the case and if so, why.

In their letter, the senators expressed their concern over these reports and reiterated the duty the CFPB has to not only investigate the breach but to bring action against Equifax if deemed necessary. "Consumer reporting agencies and the data they collect play a central role in consumers' access to credit and the fair and competitive pricing of that credit," they wrote. "Therefore, the CFPB has a duty to supervise consumer reporting agencies, investigate how this breach has or will harm consumers and bring enforcement actions as necessary."


Google Chrome Pushes For User Protection With 'Not secure' Label

In an effort to force websites to better protect their users, the Chrome web browser will label all sites that do not encrypt traffic as "Not secure" in the web address bar, Google announced Thursday. From a report: Encrypted traffic allows users to access data on a website without allowing potential eavesdroppers to see anything the users visit. HTTPS also prevents meddlers from changing information in transit. During normal web browsing, Google currently displays a "Not secure" warning next to a site's URL only if the site forgoes HTTPS encryption and a user enters data. Now the browser will label all sites without HTTPS encryption this way.

Apple Says the Leaked iPhone Source Code is Outdated

Apple has responded to security concerns surrounding leaked iPhone source code, pointing out that any potential vulnerabilities would be outdated. From a report: "Old source code from three years ago appears to have been leaked," Apple said in a statement, "but by design the security of our products doesn't depend on the secrecy of our source code. There are many layers of hardware and software protections built in to our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections." The iBoot source code for iOS 9, a core part of what keeps your iPhones and iPads secure when they turn on, was leaked on GitHub, Motherboard first reported. The source code leak was considered a major security issue for Apple, as hackers could dig through it and search for any vulnerabilities in iBoot. Apple had used a DMCA notice to get the GitHub page hosting the leaked code taken down, but multiple copies of the code have already spread online.

Intel Replaces its Buggy Fix for Skylake PCs

Intel has released new microcode to address the stability and reboot issues seen on systems after installing its initial mitigations for Variant 2 of the Meltdown and Spectre attacks. From a report: The stability issues caused by Intel's microcode updates resulted in Lenovo, HP, and Dell halting their deployment of BIOS updates last month as Intel worked to resolve the problems. Intel initially said unexpected reboots were only seen on Broadwell and Haswell chips, but later admitted newer Skylake architecture chips were also affected. Microsoft also said it had seen Intel's updates cause data loss or corruption in some cases.

Attackers Drain CPU Power From Water Utility Plant In Cryptojacking Attack

darthcamaro writes: Apparently YouTube isn't the only site that is draining CPU power with unauthorized cryptocurrency miners. A water utility provider in Europe is literally being drained of its CPU power via a cryptojacking attack that was undetected for three weeks. eWeek reports: "At this point, Radiflow's (the security firm that discovered the cryptocurrency mining malware) investigation indicates that the cryptocurrency mining malware was likely downloaded from a malicious advertising site. As such, the theory that Radiflow CTO Yehonatan Kfir has is that an operator at the water utility was able to open a web browser and clicked on an advertising link that led to the mining code being installed on the system. The actual system that first got infected is what is known as a Human Machine Interface (HMI) to the SCADA network and it was running the Microsoft Windows XP operating system. Radiflow's CEO, Ilan Barda, noted that many SCADA environments still have Windows XP systems deployed as operators tend to be very slow to update their operating systems." Radiflow doesn't know how much Monero (XMR) cryptocurrency was mined by the malware, but a recent report from Cisco's Talos research group revealed that some of the top unauthorized cryptocurrency campaigns generate over a million dollars per year. The average system would generate nearly $200,000 per year.

Police In China Are Scanning Travelers With Facial Recognition Glasses

Baron_Yam shares a report from Engadget: Police in China are now sporting glasses equipped with facial recognition devices and they're using them to scan train riders and plane passengers for individuals who may be trying to avoid law enforcement or are using fake IDs. So far, police have caught seven people connected to major criminal cases and 26 who were using false IDs while traveling, according to People's Daily. The Wall Street Journal reports that Beijing-based LLVision Technology Co. developed the devices. The company produces wearable video cameras as well and while it sells those to anyone, it's vetting buyers for its facial recognition devices. And, for now, it isn't selling them to consumers. LLVision says that in tests, the system was able to pick out individuals from a database of 10,000 people and it could do so in 100 milliseconds. However, CEO Wu Fei told the Wall Street Journal that in the real world, accuracy would probably drop due to "environmental noise." Additionally, aside from being portable, another difference between these devices and typical facial recognition systems is that the database used for comparing images is contained in a hand-held device rather than the cloud.

Samsung and Roku Smart TVs Vulnerable To Hacking, Consumer Reports Finds

An anonymous reader quotes a report from Consumer Reports: Consumer Reports has found that millions of smart TVs can be controlled by hackers exploiting easy-to-find security flaws. The problems affect Samsung televisions, along with models made by TCL and other brands that use the Roku TV smart-TV platform, as well as streaming devices such as the Roku Ultra. We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn't understand what was happening. This could be done over the web, from thousands of miles away. (These vulnerabilities would not allow a hacker to spy on the user or steal information.) The findings were part of a broad privacy and security evaluation, led by Consumer Reports, of smart TVs from top brands that also included LG, Sony, and Vizio. The testing also found that all these TVs raised privacy concerns by collecting very detailed information on their users. Consumers can limit the data collection. But they have to give up a lot of the TVs' functionality -- and know the right buttons to click and settings to look for.

Key iPhone Source Code Gets Posted On GitHub

Jason Koebler shares a report from Motherboard: An anonymous person posted what experts say is the source code for a core component of the iPhone's operating system on GitHub, which could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve. The code is for "iBoot," which is the part of iOS that is responsible for ensuring a trusted boot of the operating system. It's the program that loads iOS, the very first process that runs when you turn on your iPhone. The code says it's for iOS 9, an older version of the operating system, but portions of it are likely to still be used in iOS 11. Bugs in the boot process are the most valuable ones if reported to Apple through its bounty program, which values them at a max payment of $200,000. "This is the biggest leak in history," Jonathan Levin, the author of a series of books on iOS and Mac OS X internals, told Motherboard in an online chat. "It's a huge deal." Levin, along with a second security researcher familiar with iOS, says the code appears to be the real iBoot code because it aligns with the code he reverse engineered himself.

36 Indicted in Global Cybercrime Ring That Stole $530M

U.S. prosecutors say 36 people have been indicted in connection with an international cybercrime ring that bought and sold stolen credit card information, leading to losses of more than $530 million. From a report: The Justice Department says Wednesday that the so-called Infraud Organization dealt in the large-scale acquisition and sale of stolen identities, credit card information and malware. Deputy Assistant Attorney General David Rybicki says it was "truly the premier one-stop shop for cybercriminals worldwide." He says the organization used an online forum on the dark web to sell financial and personal information. Investigators believe the organization's nearly 11,000 members targeted more than 4.3 million credit cards and bank accounts.

'Humans Not Invited' Is a CAPTCHA Test That Welcomes Bots, Filters Out Humans

While most CAPTCHA tests we come across on the Web are meant to keep robots out, one website is welcoming them in. From a report: The conceit of Humans Not Invited is essentially a reverse CAPTCHA. Visitors to the site are greeted with a vision test not unlike the ones you've done before, but instead it's filled with seemingly indistinguishable blue and gray blurry boxes. When I tried, I was prompted to "select all squares with selfie sticks." Most humans, like me, will fail to decipher the hidden selfie sticks and will be shown a message that says "YOU'RE A HUMAN. YOU'RE NOT INVITED." While to the human eye these boxes appear indistinguishable, a specially programmed bot can spot the correct image simply by identifying a handful of pixels, according to the project's creator, Damjanski (his real name is Danjan Pita).

Meet the Tiny Startup That Sells IPhone and Android Zero Days To Governments

An anonymous reader writes: The story of Azimuth Security, a tiny startup in Australia, provides a rare peek inside the secretive industry that helps government hackers get around encryption. Azimuth is part of an opaque, little-known corner of the intelligence world made up of hackers who develop and sell expensive exploits to break into popular technologies like iOS, Chrome, Android and Tor.

Scammers Use Download Bombs To Freeze Chrome Browsers on Shady Sites

An anonymous reader shares a report: The operators of some tech support scam websites have found a new trick to block visitors on their shady sites and scare non-technical users into paying for unneeded software or servicing fees. The trick relies on using JavaScript code loaded on these malicious pages to initiate thousands of file download operations that quickly take up the user's memory resources, freezing Chrome on the scammer's site. The trick is meant to drive panicked users into calling one of the tech support phone numbers shown on the screen. According to Jerome Segura -- Malwarebytes' leading expert in tech support scam operations, malvertising, and exploit kits -- this new trick utilizes the JavaScript Blob method and the window.navigator.msSaveOrOpenBlob function to achieve the "download bomb" that freezes Chrome.

A Flaw In Hotspot Shield Can Expose VPN Users, Locations

An anonymous reader quotes a report from ZDNet: A security researcher has found a way to identify users of Hotspot Shield, a popular free virtual private network service that promises its users anonymity and privacy. Hotspot Shield, developed by AnchorFree, has an estimated 500 million users around the world relying on its privacy service. By bouncing a user's internet and browsing traffic through its own encrypted pipes, the service makes it harder for others to identify individual users and eavesdrop on their browsing habits. But an information disclosure bug in the privacy service results in a leak of user data, such as which country the user is located in, and the user's Wi-Fi network name, if connected. That information leak can be used to narrow down users and their location by correlating the Wi-Fi network name with public and readily available data.

Apple Is Seeing 'Strong Demand' For Replacement iPhone Batteries

In a letter addressed to U.S. lawmakers, Apple said earlier this month that it was seeing "strong demand" for replacement iPhone batteries. The company added that it may offer rebates for consumers who paid full price for new batteries. From a report: Apple confirmed in December that software to deal with aging batteries in iPhone 6, iPhone 6s and iPhone SE models could slow down performance. The company apologized and lowered the price of battery replacements for affected models from $79 to $29. In the letter released Tuesday, amid nagging allegations that it slowed down phones with older batteries as a way to push people into buying new phones, the company said it was considering issuing rebates to consumers who paid full price for replacement batteries.
