Security

LinkedIn's AutoFill Plugin Could Leak user Data, Secret Fix Failed (techcrunch.com) 25

TechCrunch reports of a flaw in LinkedIn's AutoFill plugin that could have allowed hackers to steal your full name, phone number, email address, location (ZIP code), company, and job title. "Malicious sites have been able to invisibly render the plugin on their entire page so if users who are logged into LinkedIn click anywhere, they'd effectively be hitting a hidden 'AutoFill with LinkedIn' button and giving up their data." From the report: Researcher Jack Cable discovered the issue on April 9th, 2018 and immediately disclosed it to LinkedIn. The company issued a fix on April 10th but didn't inform the public of the issue. Cable quickly informed LinkedIn that its fix, which restricted the use of its AutoFill feature to whitelisted sites who pay LinkedIn to host their ads, still left it open to abuse. If any of those sites have cross-site scripting vulnerabilities, which Cable confirmed some do, hackers can still run AutoFill on their sites by installing an iframe to the vulnerable whitelisted site. He got no response from LinkedIn over the last 9 days so Cable reached out to TechCrunch. A LinkedIn spokesperson issued this statement to TechCrunch: "We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we've seen no signs of abuse, we're constantly working to ensure our members' data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them. For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile."
Chrome

Millions of Chrome Users Have Installed Malware Posing as Ad Blockers (vice.com) 42

Kaleigh Rogers, writing for Motherboard: Andrey Meshkov, the cofounder of ad-blocker AdGuard, recently got curious about the number of knock-off ad blocking extensions available for Google's popular browser Chrome. These extensions were deliberately styled to look like legitimate, well-known ad blockers, but Meshkov wondered why they existed at all, so he downloaded one and took a look at the code. "Basically I downloaded it and checked what requests the extension was making," Meshkov told me over the phone. "Some strange requests caught my attention."

Meshkov discovered that the AdRemover extension for Chrome -- which had over 10 million users -- had code hidden inside an image that was loaded from the remote command server, giving the extension creator the ability to change its functions without updating. This alone is against Google's policy, and after Meshkov wrote about a few examples on AdGuard's blog, many of which had millions of downloads, Chrome removed the extensions from the store. I reached out to Google, and a spokesperson confirmed that these extensions had been removed.

Government

FDA Wants Medical Devices To Have Mandatory Built-In Update Mechanisms (bleepingcomputer.com) 96

Catalin Cimpanu, writing for BleepingComputer: The US Food & Drug Administration plans to ask Congress for more funding and regulatory powers to improve its approach towards medical device safety, including on the cybersecurity front. An FDA document released this week reveals several of the FDA's plans, including the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.

In addition, the FDA also plans to force device makers to create a document called "Software Bill of Materials" that will be provided for each medical device and will include software-related details for each product. Hospitals, healthcare units, contractors, or users will be able to consult the medical device's bill of materials and determine how it functions, what software is needed for what feature, and what technologies are used in each device.

Facebook

'Login With Facebook' Data Hijacked By JavaScript Trackers (techcrunch.com) 91

An anonymous reader quotes a report from TechCrunch: Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data. The abusive scripts were found on 434 of the top 1 million websites including freelancer site Fiverr.com, camera seller B&H Photo And Video, and cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.
Microsoft

Microsoft Ports Edge Anti-Phishing Technology To Google Chrome (bleepingcomputer.com) 75

An anonymous reader writes: Microsoft has released a Chrome extension named "Windows Defender Browser Protection" that ports Windows Defender's -- and inherently Edge's -- anti-phishing technology to Google Chrome. The extension works by showing bright red-colored pages whenever users are tricked into accessing malicious links. The warnings are eerily similar to the ones that Chrome natively shows via the Safe Browsing API, but are powered by Microsoft's database of malicious links —also known as the SmartScreen API.

Chrome users should be genuinely happy that they can now use both APIs for detecting phishing and malware-hosting URLs. The SmartScreen API isn't as known as Google's more famous Safe Browsing API, but works in the same way, and possibly even better. An NSS Labs benchmark revealed that Edge (with its SmartScreen API) caught 99 percent of all phishing URLs thrown at it during a test last year, while Chrome only detected 87 percent of the malicious links users accessed.

Security

Data Firm Leaks 48 Million User Profiles it Scraped From Facebook, LinkedIn, Others (zdnet.com) 56

Zack Whittaker, reporting for ZDNet: A little-known data firm was able to build 48 million personal profiles, combining data from sites and social networks like Facebook, LinkedIn, Twitter, and Zillow, among others -- without the users' knowledge or consent. Localblox, a Bellevue, Wash.-based firm, says it "automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks." Since its founding in 2010, the company has focused its collection on publicly accessible data sources, like social networks Facebook, Twitter, and LinkedIn, and real estate site Zillow to name a few, to produce profiles.

But earlier this year, the company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents. The bucket, labeled "lbdumps," contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together.

The Internet

Russia Admits To Blocking Millions of IP Addresses (sfgate.com) 73

It turns out, the Russian government, in its quest to block Telegram, accidentally shut down several other services as well. From a report: The chief of the Russian communications watchdog acknowledged Wednesday that millions of unrelated IP addresses have been frozen in a so-far futile attempt to block a popular messaging app. Telegram, the messaging app that was ordered to be blocked last week, was still available to users in Russia despite authorities' frantic attempts to hit it by blocking other services. The row erupted after Telegram, which was developed by Russian entrepreneur Pavel Durov, refused to hand its encryption keys to the intelligence agencies. The Russian government insists it needs them to pre-empt extremist attacks but Telegram dismissed the request as a breach of privacy. Alexander Zharov, chief of the Federal Communications Agency, said in an interview with the Izvestia daily published Wednesday that Russia is blocking 18 networks that are used by Amazon and Google and which host sites that they believe Telegram is using to circumvent the ban.
China

Huawei To Back Off US Market Amid Rising Tensions (nytimes.com) 91

Huawei is reportedly going to give up on selling its products and services in the United States (Warning: source may be paywalled; alternative source) due to Washington's accusations that the company has ties to the Chinese government. The change in tactics comes a week after the company laid off five American employees, including its biggest American lobbyist. The New York Times reports: Huawei's tactics are changing as its business prospects in the United States have darkened considerably. On Tuesday, the Federal Communications Commission voted to proceed with a new rule that could effectively kill off what little business the company has in the United States. Although the proposed rule does not mention Huawei by name, it would block federally subsidized telecommunications carriers from using suppliers deemed to pose a risk to American national security. Huawei's latest moves suggest that it has accepted that its political battles in the United States are not ones it is likely to win. "Some things cannot change their course according to our wishes," Eric Xu, Huawei's deputy chairman, said at the company's annual meeting with analysts on Tuesday. "With some things, when you let them go, you actually feel more at ease."
Security

Windows 10 Update Will Support More Password-Free Logins (engadget.com) 66

An anonymous reader writes: It's not just web browsers that are moving beyond passwords. Microsoft has revealed that Windows 10's next update will support the new FIDO 2.0 standard, promising password-free logins on any Windows 10 device managed by your company or office. You could previously use Windows Hello to avoid typing in a password, of course, but this promises to be more extensive -- you could use a USB security key to sign into your Azure Active Directory.
Microsoft

Microsoft Delays Windows 10 Spring Creators Update Because of 'Higher Percentage of BSODs' (bleepingcomputer.com) 108

Microsoft has admitted that it had to postpone the release of Spring Creators Update, the upcoming major update to its Windows 10 desktop operating system due to technical issues. BleepingComputer notes: More precisely, Microsoft says it encountered a higher percentage of Blue Screen of Death (BSOD) errors on PCs, the company's Insiders Program managers said in a blog post yesterday. Microsoft says that instead of shipping the Springs Creators Update faulty as it was, and then delivering an update later to fix the issues, it decided to hold off on deploying the defective build altogether. The OS maker says it will create and test a new Windows 10 build that also includes the BSOD fixes, and ship that one instead of Windows 10 Insider Preview Build 17134, the build that was initially scheduled to be launched as the Spring Creators Update on April 10, last week.
Businesses

Cybersecurity Tech Accord: More Than 30 Tech Firms Pledge Not to Assist Governments in Cyberattacks (cybertechaccord.org) 67

Over 30 major technology companies, led by Microsoft and Facebook, on Tuesday announced what they are calling the Cybersecurity Tech Accord, a set of principles that include a declaration that they will not help any government -- including that of the United States -- mount cyberattacks against "innocent civilians and enterprises from anywhere."

The companies that are participating in the initiative are: ABB, Arm, Avast, Bitdefender, BT, CA Technologies, Cisco, Cloudflare, DataStax, Dell, DocuSign, Facebook, Fastly, FireEye, F-Secure, GitHub, Guardtime, HP Inc., HPE, Intuit, Juniper Networks, LinkedIn, Microsoft, Nielsen, Nokia, Oracle, RSA, SAP, Stripe, Symantec, Telefonica, Tenable, Trend Micro, and VMware.

The announcement comes at the backdrop of a growing momentum in political and industry circles to create a sort of Digital Geneva Convention that commits the entire tech industry and governments to supporting a free and secure internet. The effort comes after attacks such as WannaCry and NotPetya hobbled businesses around the world last year, and just a day after the U.S. and U.K. issued an unprecedented joint alert citing the threat of cyberattacks from Russian state-sponsored actors. The Pentagon has said Russian "trolling" activity increased 2,000 percent after missile strikes in Syria.

Interestingly, Amazon, Apple, Google, and Twitter are not participating in the program, though the Tech Accord says it "remains open to consideration of new private sector signatories, large or small and regardless of sector."
Wireless Networking

Planet Fitness Evacuated After WiFi Network Named 'Remote Detonator' Causes Scare (windsorstar.com) 168

An anonymous reader quotes a report from Windsor Star: A Michigan gym patron looking for a Wi-Fi connection found one named "remote detonator," prompting an evacuation and precautionary search of the facility by a bomb-sniffing dog. The Saginaw News reports nothing was found in the search Sunday at Planet Fitness in Saginaw Township, about 85 miles (140 kilometers) northwest of Detroit. Saginaw Township police Chief Donald Pussehl says the patron brought the Wi-Fi connection's name to the attention of a manager, who evacuated the building and called police. The gym was closed for about three hours as police responded. Pussehl says there's "no crime or threat," so no charges are expected. He notes people often have odd names for WiFi connections. Planet Fitness says the manager was following company procedure for when there's suspicion about a safety issue.
Communications

France is Building Its Own Encrypted Messaging Service To Ease Fears That Foreign Entities Could Spy on Private Conversations (reuters.com) 87

The French government is building its own encrypted messenger service to ease fears that foreign entities could spy on private conversations between top officials, the digital ministry said on Monday. From a report: None of the world's major encrypted messaging apps, including Facebook's WhatsApp and Telegram -- a favorite of President Emmanuel Macron -- are based in France, raising the risk of data breaches at servers outside the country.

About 20 officials and top civil servants are testing the new app which a state-employed developer has designed, a ministry spokeswoman said, with the aim that its use will become mandatory for the whole government by the summer. "We need to find a way to have an encrypted messaging service that is not encrypted by the United States or Russia," the spokeswoman said. "You start thinking about the potential breaches that could happen, as we saw with Facebook, so we should take the lead."

Encryption

Russia Begins Blocking Telegram Messenger (reuters.com) 59

Russia's state telecommunications regulator said on Monday it had begun blocking access to Telegram messenger after the company refused to comply with an order to give Russian state security access to its users' secret messages (encryption keys). From a report: The watchdog, Roskomnadzor, said in a statement on its website that it had sent telecoms operators a notification about blocking access to Telegram inside Russia. The service, set up by a Russian entrepreneur, has more than 200 million global users and is ranked as the world's ninth most popular mobile messaging app.
Security

Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com) 246

From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."

Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.

Intel

Intel SPI Flash Flaw Lets Attackers Alter or Delete BIOS/UEFI Firmware (bleepingcomputer.com) 46

Catalin Cimpanu, writing for BleepingComputer: Intel has addressed a vulnerability in the configuration of several CPU series that allow an attacker to alter the behavior of the chip's SPI Flash memory -- a mandatory component used during the boot-up process [1, 2, 3]. According to Lenovo, who recently deployed the Intel fixes, "the configuration of the system firmware device (SPI flash) could allow an attacker to block BIOS/UEFI updates, or to selectively erase or corrupt portions of the firmware." Lenovo engineers say "this would most likely result in a visible malfunction, but could in rare circumstances result in arbitrary code execution."
Encryption

Former FBI Director James Comey Reveals How Apple and Google's Encryption Efforts Drove Him 'Crazy' (fastcompany.com) 351

An anonymous reader shares a report: In his explosive new book, A Higher Loyalty, fired FBI director James Comey denounces President Trump as "untethered to the truth" and likens him to a "mob boss," but he also touches on other topics during his decades-long career in law enforcement -- including his strong objection to the tech industry's encryption efforts. When Apple and Google announced in 2014 that they would be moving their mobile devices to default encryption, by emphasizing that making them immune to judicial orders was good for society, "it drove me crazy," he writes. He goes on to lament the lack of "true listening" between tech and law enforcement, saying that "the leaders of the tech companies don't see the darkness the FBI sees," such as terrorism and organized crime.

He writes, "I found it appalling that the tech types couldn't see this. I would frequently joke with the FBI 'Going Dark' team assigned to seek solutions, 'Of course the Silicon Valley types don't see the darkness -- they live where it's sunny all the time and everybody is rich and smart." But Comey understood it was an unbelievably difficult issue and that public safety had to be balanced with privacy concerns.

Encryption

Lawmakers Call FBI's 'Going Dark' Narrative 'Highly Questionable' After Motherboard Shows Cops Can Easily Hack iPhones (vice.com) 69

Joseph Cox, reporting for Motherboard: This week, Motherboard showed that law enforcement agencies across the country, including a part of the State Department, have bought GrayKey, a relatively cheap technology that can unlock fully up-to-date iPhones. That revelation, cryptographers and technologists said, undermined the FBI's renewed push for backdoors in consumer encryption products. Citing Motherboard's work, on Friday US lawmakers sent a letter to FBI Director Christopher Wray, doubting the FBI's narrative around 'going dark', where law enforcement officials say they are increasingly unable to obtain evidence related to crimes due to encryption. Politico was first to report the letter. "According to your testimony and public statements, the FBI encountered 7,800 devices last year that it could not access due to encryption," the letter, signed by 5 Democrat and 5 Republican n House lawmakers, reads. "However, in light of the availability of unlocking tools developed by third-parties and the OIG report's findings that the Bureau was uninterested in seeking available third-party options, these statistics appear highly questionable," it adds, referring to a recent report from the Justice Department's Office of the Inspector General. That report found the FBI barely explored its technical options for accessing the San Bernardino iPhone before trying to compel Apple to unlock the device. The lawmaker's letter points to Motherboard's report that the State Department spent around $15,000 on a GrayKey.
Businesses

Survey Finds 'Agile' Competency Is Rare In Organizations (sdtimes.com) 270

An anonymous reader writes: The 12th annual "State of Agile" report has just been released by CollabNet VersionOne, which calls it "the largest and longest-running Agile survey in the world." After surveying more than 1,400 software professionals in various roles and industries over the last four months of 2017, "Only 12% percent responded that their organizations have a high level of competency with agile practices across the organization, and only 4% report that agile practices are enabling greater adaptability to market conditions... The three most significant challenges to agile adoption and scaling are reported as organizational culture at odds with agile values (53%), general organizational resistance to change (46%), and Inadequate management support and sponsorship (42%)...

"The encouraging news is that 59% recognize that they are still maturing, indicating that they do not intend to plateau where they are." And agile adoption does appear to be growing. "25% of the respondents say that all or almost all of their teams are agile, whereas only 8% reported that in 2016."

The researchers also note "the recognized necessity of accelerating the speed of delivery of high-quality software, and the emphasis on customer satisfaction," with 71% of the survey respondents reporting that a DevOps initiative is underway or planned for the next 12 months.
Security

PUBG Ransomware Decrypts Your Files If You Play PlayerUnknown's Battlegrounds (bleepingcomputer.com) 51

An anonymous reader quotes Bleeping Computer: In what could only be a joke, a new ransomware has been discovered called "PUBG Ransomware" that will decrypt your files if you play the game called PlayerUnknown's Battlegrounds... When the PUBG Ransomware is launched it will encrypt a user's files and folders on the user's desktop and append the .PUBG extension to them. When it has finished encrypting the files, it will display a screen giving you two methods that you can use to decrypt the encrypted files.
Users can unlock it either by entering a secret unlock code displayed on the screen -- or by playing PlayerUnknown's Battlegrounds. The ransomware checks to see if you played PlayerUnknown's Battlegrounds by monitoring the running processes for one named "TslGame"... Once a user plays the game and the process is detected, the ransomware will automatically decrypt the victim's files. This ransomware is not too advanced as it only looks for the process name and does not check for other information to confirm that the game is actually being played. That means you can simply run any executable called TslGame.exe and it will decrypt the files.
Security

The Long, Slow Demise of Credit Card Signatures Starts Today (cnet.com) 114

Last year, all four major U.S. payment providers -- Mastercard, Visa, American Express and Discover -- announced plans to remove the requirement that merchants collect signatures for card transactions. Those plans officially go into effect today, or Saturday in the case of Visa. CNET reports: [D]on't despair if you actually like writing your signature at retail stores, because their ultimate demise will likely take a while. The change is only optional, with merchants, not customers, given the new power to decide whether to get rid of signatures. So, if asked to sign, please don't insist to your next cashier that you no longer need to -- it won't work. Also, plenty of retailers will likely want to keep signatures, particularly if their workers are paid based on a lot of tips, or they sell pricey items. Still, the change marks a clear awareness from payment providers that the signature doesn't really work as a strong protector against fraud.

The change is being handled a little differently by each payment provider. For instance, Mastercard, Discover and American Express said they'll let retailers make every kind of card payment optional for a signature, regardless of whether you've got a new chip card or you still swipe. Visa, meanwhile, isn't changing its requirements for payments using a swipe card, but it did relax its policy for chip card and contactless payments like Apple Pay. Visa noted that over 75 percent of face-to-face transactions using its cards in North America already don't require a signature, thanks to lower-value transactions.

Google

Google is Testing Self-Destructing Emails in New Gmail (techcrunch.com) 172

The upcoming update to Gmail might include a feature which would allow users to send emails that expire after a user-defined period of time. From a report: Working on an email service is hard as you have to be compatible with all sorts of email providers and email clients. But it doesn't seem to be stopping Google as the company is now evolving beyond the simple POP3/IMAP/SMTP protocols. Based on those screenshots, expiring emails work pretty much like expiring emails in ProtonMail. After some time, the email becomes unreadable. In the compose screen, there's a tiny lock icon called "confidential mode." It says that the recipient won't be able to forward email content, copy and paste, download or print the email.
Chrome

Google Chrome To Boost User Privacy by Improving Cookies Handling Procedure (bleepingcomputer.com) 37

Catalin Cimpanu, writing for BleepingComputer: Google engineers plan to improve user privacy and security by putting a short lifespan on cookies delivered via HTTP connections. Google hopes that the move will force website developers and advertisers to send cookies via HTTPS, which "provides significant confidentiality protections against [pervasive monitoring] attacks."

Sending cookies via plaintext HTTP is considered both a user privacy and security risk, as these cookies could be intercepted and even modified by an attacker. Banning the sending of cookies via HTTP is not yet an option, so Chrome engineers hope that by limiting a cookie's lifespan, they would prevent huge troves of user data from gathering inside cookies, or advertisers using the same cookie to track users across different sites.

Iphone

Cops Around the Country Can Now Unlock iPhones, Records Show (vice.com) 98

Law enforcement agencies across the country have purchased GrayKey, a relatively cheap tool for bypassing the encryption on iPhones, while the FBI pushes again for encryption backdoors, Motherboard reported on Thursday. From the report: FBI Director Christopher Wray recently said that law enforcement agencies are "increasingly unable to access" evidence stored on encrypted devices. Wray is not telling the whole truth. Police forces and federal agencies around the country have bought relatively cheap tools to unlock up-to-date iPhones and bypass their encryption, according to a Motherboard investigation based on several caches of internal agency documents, online records, and conversations with law enforcement officials. Many of the documents were obtained by Motherboard using public records requests.

The news highlights the going dark debate, in which law enforcement officials say they cannot access evidence against criminals. But easy access to iPhone hacking tools also hamstrings the FBI's argument for introducing backdoors into consumer devices so authorities can more readily access their contents.

Security

Uber's 2016 Breach Affected More Than 20 Million US Users (bloomberg.com) 6

An anonymous reader quotes a report from Bloomberg: A data breach in 2016 exposed the names, phone numbers and email addresses of more than 20 million people who use Uber's service in the U.S., authorities said on Thursday, as they chastised the ride-hailing company for not revealing the lapse earlier. The Federal Trade Commission said Uber failed to disclose the leak last year as the agency investigated and sanctioned the company for a similar data breach that happened in 2014. "After misleading consumers about its privacy and security practices, Uber compounded its misconduct," said Maureen Ohlhausen, the acting FTC chairman. She announced an expansion of last year's settlement with the company and said the new agreement was "designed to ensure that Uber does not engage in similar misconduct in the future."

In the 2016 breach, intruders in a data-storage service run by Amazon.com Inc. obtained unencrypted consumer personal information relating to U.S. riders and drivers, including 25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver's license numbers, the FTC said in a complaint. Under the revised settlement, Uber could be subject to civil penalties if it fails to notify the FTC of future incidents, and it must submit audits of its data security, the agency said.

Network

Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks (bleepingcomputer.com) 22

Catalin Cimpanu, reporting for BleepingComputer: Cyber-espionage groups -- also referred to as advanced persistent threats (APTs) -- are using hacked routers more and more during their attacks, according to researchers at Kaspersky Lab. "It's not necessarily something new. Not something that just exploded," said Costin Raiu, director of Global Research and Analysis Team (GReAT) at Kaspersky Lab, in a webinar today. "We've seen a bunch of router attack throughout the years. A very good example is SYNful Knock, a malicious implant for Cisco [routers] that was discovered by FireEye but also threat actors such as Regin and CloudAtlas. Both APTs have been known to have and own proprietary router implants." But the number of APTs leveraging routers for attacks has gone steadily up in the past year, and the tactic has become quite widespread in 2018. For example, the Slingshot APT (believed to be a US Army JSOC operation targeting ISIS militants) has used hacked MikroTik routers to infect victims with malware.
Android

Some Android Device Makers Are Lying About Security Patch Updates (phonedog.com) 116

An anonymous reader shares a report: Security patches for smartphones are extremely important because many people store personal data on their devices. Lots of Android phones out there get regularly security patches, but according to a new report, some of them are lying about the patches that they've actually gotten. According to a study by Security Research Labs, some Android phones are missing patches that they claim to have. Wired explains that SRL tested 1,200 phones from more than a dozen phone makers for every Android security patch released in 2017. The devices tested include ones from Google, Samsung, Motorola, LG, HTC, Xiaomi, OnePlus, Nokia, TCL, and ZTE. The study found that outside of Google and its Pixel phones, well-known phone makers had devices that were missing patches that they claimed to have. "We found several vendors that didn't install a single patch but changed the patch date forward by several months," says SRL founder Karsten Nohl.
Encryption

Researchers Devise a Way To Generate Provably Random Numbers Using Quantum Mechanics (newatlas.com) 139

No random number generator you've ever used is truly, provably random. Until now, that is. Researchers have used an experiment developed to test quantum mechanics to generate demonstrably random numbers, which could come in handy for encryption. From a report: The method uses photons to generate a string of random ones and zeros, and leans on the laws of physics to prove that these strings are truly random, rather than merely posing as random. The researchers say their work could improve digital security and cryptography. The challenge for existing random number generators is not only creating truly random numbers, but proving that those numbers are random. "It's hard to guarantee that a given classical source is really unpredictable," says Peter Bierhorst, a mathematician at the National Institute of Standards and Technology (NIST), where this research took place. "Our quantum source and protocol is like a fail-safe. We're sure that no one can predict our numbers." For example, random number algorithms often rely on a source of data which may ultimately prove predictable, such as atmospheric noise. And however complex the algorithm, it's still applying consistent rules. Despite these potential imperfections, these methods are relied on in the day-to-day encryption of data. This team's method, however, makes use of the properties of quantum mechanics, or what Einstein described as "spooky action at a distance." Further reading: Wired, LiveScience, and CNET.
Security

You Think Discovering a Computer Virus Is Hard? Try Naming One (wsj.com) 49

Like astronomers who discover new stars, security experts who first identify computer bugs, viruses, worms, ransomware and other coding catastrophes often get to name their finds. Such discoveries now number in the thousands each year, so crafting a standout moniker can be a serious challenge. From a report: Two years ago, German security firm SerNet GmbH figured a punchy name for their bug discovery would give the company a publicity jolt. They called it Badlock, designed a fractured-lock logo and set up a website. The marketing push backfired when some security experts decided Badlock wasn't that bad. Cynical hackers called it Sadlock. "We would not do this again," says SerNet Chief Executive Johannes Loxen of the branding blitz, which he says was overkill because a relatively small number of people were affected by Badlock. Hackers are no fans of marketing. They brand things in their own way. Puns and historic references are the name of the game. "They see it as a kind of grass-roots initiative," says Gabriella Coleman, an anthropologist who teaches courses on hacker culture at McGill University in Montreal.

Some venerable names that have stood the test of time: The Love Bug, for the worm that attacked millions of Windows personal computers in 2000, and Y2K, a turn-of-the-century programming scare that didn't live up to its hype. Many names tend more toward geekspeak. The title of hacker magazine 2600 is a tip of the hat to 2600 hertz, the frequency old-school hackers reproduced to trick AT&T phone lines into giving them free calls. Computer worm Conficker is an amalgam of "configure" and a German expletive. Code Red is named after the Mountain Dew drink researchers guzzled while investigating the worm.

Security

Data Exfiltrators Send Info Over PCs' Power Supply Cables (theregister.co.uk) 131

From a report on The Register: If you want your computer to be really secure, disconnect its power cable. So says Mordechai Guri and his team of side-channel sleuths at the Ben-Gurion University of the Negev. The crew have penned a paper titled PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines that explains how attackers could install malware that regulates CPU utilisation and creates fluctuations in the current flow that could modulate and encode data. The variations would be "propagated through the power lines" to the outside world.

Depending on the attacker's approach, data could be exfiltrated at between 10 and 1,000 bits-per-second. The higher speed would work if attackers can get at the cable connected to the computer's power supply. The slower speed works if attackers can only access a building's electrical services panel. The PowerHammer malware spikes the CPU utilisation by choosing cores that aren't currently in use by user operations (to make it less noticeable). Guri and his pals use frequency shift keying to encode data onto the line.

Google

Google's Phone App Is Getting the Power To Send Spam Calls Straight To Voicemail (9to5google.com) 85

According to 9to5Google, Google's dialer app for Pixel, Nexus, and Android One devices is being upgraded with the ability to send spam calls straight to voicemail. "In 2016, the app began alerting users to potential spam callers by flashing the incoming call screen bright red, with another 'Suspected spam caller' alert just underneath the phone number," reports 9to5Google. The new spam filtering feature goes a step further. From the report: [U]sers will not receive a missed call or voicemail notification, though filtered calls will appear in call history and any voicemails left will still show up in that respective tab. This feature is rolling out worldwide over the next few weeks, but those who join the new beta will have initial access to it. Like its other programs, Google notes that the test allows you to use experimental features before they're released. Google warns that features will still be in-development, might be unstable, and have "a few problems." Meanwhile, users will have the ability to submit in-app feedback throughout the process. Head to the Google Play listing for the Phone app and scroll down to "Become a tester" in order to join.
AMD

AMD Releases Spectre v2 Microcode Updates for CPUs Going Back To 2011 (bleepingcomputer.com) 54

Catalin Cimpanu, writing for BleepingComputer: AMD has released CPU microcode updates for processors affected by the Spectre variant 2 (CVE-2017-5715) vulnerability. The company has forwarded these microcode updates to PC and motherboard makers to include them in BIOS updates. Updates are available for products released as far as 2011, for the first processors of the Bulldozer line. Microsoft has released KB4093112, an update that also includes special OS-level patches for AMD users in regards to the Spectre v2 vulnerability. Similar OS-level updates have been released for Linux users earlier this year. Yesterday's microcode patches announcement is AMD keeping a promise it made to users in January, after the discovery of the Meltdown and Spectre (v1 and v2) vulnerabilities.
Microsoft

Microsoft Removes Antivirus Registry Key Check for All Windows Versions (bleepingcomputer.com) 49

Microsoft has decided to remove a mandatory "registry key requirement" it introduced in the aftermath of the Meltdown and Spectre vulnerability disclosure. BleepingComputer: Microsoft used this registry key to prevent Windows updates from being installed on computers running antivirus software incompatible with the Meltdown and Spectre patches. Antivirus vendors were supposed to create this registry key on users' computers to signal that they've updated their product and will not interfere with Microsoft's patches. This was a big issue because incompatible antivirus products would crash and BSOD Windows systems. [...] The OS maker removed the registry key check for Windows 10 computers last month, in March, and has announced yesterday that the key is no longer necessary for other Windows operating system versions -- 7, 8, 8.1, Server 2008, and Windows Server 2012.
Businesses

FTC Warns Manufacturers That 'Warranty Void If Removed' Stickers Break the Law (vice.com) 143

schwit1 writes: The Federal Trade Commission put six companies on notice today, telling them in a warning letter that their warranty practices violate federal law. If you buy a car with a warranty, take it a repair shop to fix it, then have to return the car to the manufacturer, the car company isn't legally allowed to deny the return because you took your car to another shop. The same is true of any consumer device that costs more than $15, though many manufacturers want you to think otherwise.

Companies such as Sony and Microsoft pepper the edges of their game consoles with warning labels telling customers that breaking the seal voids the warranty. That's illegal. Thanks to the 1975 Magnuson-Moss Warranty Act, no manufacturer is allowed to put repair restrictions on a device it offers a warranty on. Dozens of companies do it anyway, and the FTC has put them on notice. Apple, meanwhile, routinely tells customers not to use third party repair companies, and aftermarket parts regularly break iPhones due to software updates.

United States

Emergency Alert Systems Used Across the US Can Be Easily Hijacked (helpnetsecurity.com) 44

A vulnerability affecting emergency alert systems supplied by ATI Systems, one of the leading suppliers of warning sirens in the USA, could be exploited remotely via radio frequencies to activate all the sirens and trigger false alarms. From a report: "We first found the vulnerability in San Francisco, and confirmed it in two other US locations including Sedgwick County, Wichita, Kansas," Balint Seeber, Director of Threat Research at Bastille, told Help Net Security. "Although we have not visited other locations to confirm the presence of the vulnerability, ATI Systems has customers in the US and overseas from the military, local government, educational and energy sectors.

"ATI features customers on its website around the US including One World Trade Center, WestPoint Military Academy and Entergy Nuclear Indian Point which are all in New York State, UMASS Amherst in Massachusetts, Eastern Arizona College, University of South Carolina and Eglin Air Force Base in Florida, amongst others." The vulnerability stems from the fact that the radio protocol used to control the sirens is not secure: activation commands are sent "in the clear," i.e. no encryption is used.

Mozilla

Firefox Follows Chrome and Blocks the Loading of Most FTP Resources (bleepingcomputer.com) 89

Mozilla says it will follow in the steps of Google Chrome and start blocking the loading of FTP subresources inside HTTP and HTTPS pages. From a report: By FTP subresources, we refer to files loaded via the FTP protocol inside img, script, or iframe tags that have a src="ftp://". FTP links placed inside normal angle bracket links or typed directly in the browser's address bar will continue to work. The reasoning is that FTP is an insecure protocol that doesn't support modern encryption techniques and will inherently break many other built-in browser security and privacy features, such as HSTS, CSP, XSA, or others. Furthermore, many malware distribution campaigns often rely on compromising FTP servers and redirecting or downloading malware on users' computers via FTP subresources. Mozilla engineers say FTP subresource blocking will ship with Firefox 61, currently scheduled for release on June 26.
Facebook

Some Facebook Employees Are Quitting or Asking To Switch Departments Over Ethical Concerns (businessinsider.com) 208

Some dissatisfied Facebook engineers are reportedly attempting to switch divisions to work on Instagram or WhatsApp, rather than continue work on the platform responsible for the Cambridge Analytica scandal, according to a recent report from the New York Times. An anonymous reader writes: Many believe Facebook should have done more to handle the data responsibly, and the events that followed increased scrutiny against Facebook, reportedly taking a toll on employees working on the platform. Since the news came out, CEO Mark Zuckerberg and COO Sheryl Sandberg have spoken to the media on a few occasions, but it was days before the company commented on the scandal, which it now estimates around 87 million total users affected. Then, a leaked memo from Facebook executive Andrew Bosworth written in 2016 revealed a "growth at all costs" mentality that put Facebook in a position to be held responsible for the situation it's found itself in. As it became evident that Facebook's core product might be to blame, engineers working on it reportedly found it increasingly difficult to stand by what it built.
Security

Linux: Beep Command Can Be Used to Probe for the Presence of Sensitive Files (bleepingcomputer.com) 109

Catalin Cimpanu, writing for BleepingComputer: A vulnerability in the "beep" package that comes pre-installed with Debian and Ubuntu distros allows an attacker to probe for the presence of files on a computer, even those owned by root users, which are supposed to be secret and inaccessible. The vulnerability, tracked as CVE-2018-0492, has been fixed in recent versions of Debian and Ubuntu (Debian-based OS). At its core, the bug is a race condition in the beep utility that allows the OS to emit a "beep" sound whenever it is deemed necessary. Security researchers have discovered a race condition in the beep package that allows an attacker to elevate his code to root-level access.
Chrome

Biometric and App Logins Will Soon Be Pushed Across the Web (vice.com) 161

Soon, it will be much easier to log into more websites using a hardware key plugged into your laptop, a dedicated app, or even the fingerprint scanner on your phone. Motherboard: On Tuesday, a spread of organizations and businesses, including top browser vendors such as Microsoft and Google, announced a new standards milestone that will streamline the process for web developers to add extra login methods to their sites, potentially keeping consumers' accounts and data more secure. "For users, this will be a natural transition. People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them -- and more convenient," Brett McDowell, executive director at the FIDO Alliance, one of the organizations involved in setting up the standard, told Motherboard in an email.

"What they use today to 'unlock' will soon allow them to 'login' to all their favorite websites and a growing number of native apps that already includes Bank of America, PayPal, eBay and Aetna," he added. Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site. The login standard, called Web Authentication (WebAuthn), will let potentially any website or online service use apps, security keys, or biometrics as a login method instead of a password, or use those alternative approaches as a second method of verification. The key here is making it easy and open for developers to use, and for it to work across all different brands of browsers. The functionality is already available in Mozilla's Firefox, and will be rolled out to Microsoft's Edge and Google Chrome in the new few months. Opera has committed to supporting WebAuthn as well.

Youtube

YouTube Hack: Several High-Profile Videos Mysteriously Disappear From Platform, Some Defaced 158

Several high-profile music videos on YouTube were mysteriously deleted early Tuesday, in what appears like the result of a security compromise. Some of the videos that have been pulled from Google's video platform include Luis Fonsi and Daddy Yankee's "Despacito" -- which is also the most popular video on the platform. Users reported Tuesday that the thumbnail of the video was replaced by a masked gang holding guns, who identify themselves as "Prosox and Kuroi'sh." Several songs from DJ Snake, Drake, Katy Perry, Selena Gomez, Shakira, and Taylor Swift have also been either deleted or altered with. On Twitter, a person who claims to be one of the hackers, said, "@YouTube Its just for fun i just use script "youtube-change-title-video" and i write "hacked" don t judge me i love youtube." Google has yet to acknowledge the incident. Further reading: BBC.
Security

Don't Give Away Historic Details About Yourself (krebsonsecurity.com) 158

Brian Krebs: Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as "What was your first job," or "What was your first car?" The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to "secret questions" that can be used to unlock access to a host of your online identities and accounts. I'm willing to bet that a good percentage of regular readers here would never respond -- honestly or otherwise -- to such questionnaires (except perhaps to chide others for responding). But I thought it was worth mentioning because certain social networks -- particularly Facebook -- seem positively overrun with these data-harvesting schemes. What's more, I'm constantly asking friends and family members to stop participating in these quizzes and to stop urging their contacts to do the same.

On the surface, these simple questions may be little more than an attempt at online engagement by otherwise well-meaning companies and individuals. Nevertheless, your answers to these questions may live in perpetuity online, giving identity thieves and scammers ample ammunition to start gaining backdoor access to your various online accounts.

Facebook

Steve Wozniak Drops Facebook: 'The Profits Are All Based On the User's Info' (arstechnica.com) 246

Apple cofounder Steve Wozniak has formally deactivated his Facebook account. In an email interview with USA Today, Wozniak wrote that he was no longer satisfied with Facebook, knowing that it makes money off of user data. "The profits are all based on the user's info, but the users get none of the profits back," he wrote. "Apple makes its money off of good products, not off of you. As they say, with Facebook, you are the product." Ars Technica reports: His Sunday announcement to his Facebook followers came just ahead of Facebook CEO Mark Zuckerberg's scheduled testimony before Congress on Tuesday. The CEO is also reportedly set to meet with members of Congress privately on Monday. Wozniak wrote that Facebook had "brought me more negatives than positives." Still, when Wozniak tried to change some of his privacy settings in the aftermath of Cambridge Analytica, he said he was "surprised" to find out how many categories for ads he had to remove. "I did not feel that this is what people want done to them," added Wozniak. "Ads and spam are bad things these days and there are no controls over them. Or transparency."
The Internet

A Broken Undersea Cable Knocked Mauritania Offline For Two Days, Affected Another Five Nations (fortune.com) 36

The West African nation of Mauritania lost all internet access for 48 hours due to an undersea cable break, according to infrastructure analysts. From a report: The break, which took place a couple weeks ago, provides a reminder of how much internet users rely on the cables that connect their countries. According to Dyn, the Oracle-owned internet performance firm, the African Coast to Europe (ACE) cable was cut near Noukachott in Mauritania on March 30. It's not clear what caused the break, but six countries entirely rely on that one cable for their connectivity, and all -- Sierra Leone, Mauritania, Liberia, Guinea-Bissau, Guinea and the Gambia -- saw a big impact. The impact in Mauritania was the worst, with its two-day outage, while Sierra Leone also had big problems. The latter country also had a big outage on April 1, but that may well have been down to government action -- African governments are notorious for interfering with citizens' internet access, particularly around election time or during periods of unrest.
Privacy

'Big Brother' In India Requires Fingerprint Scans For Food, Phones, Finances (nytimes.com) 132

The New York Times reports of the Indian government's intent to build an identification system of unprecedented scope. The country is reportedly "scanning the fingerprints, eyes and faces of its 1.3 billion residents (alternative source) and connecting the data to everything from welfare benefits to mobile phones." Here's an excerpt from the report: Civil libertarians are horrified, viewing the program, called Aadhaar, as Orwell's Big Brother brought to life. To the government, it's more like "big brother," a term of endearment used by many Indians to address a stranger when asking for help. For other countries, the technology could provide a model for how to track their residents. And for India's top court, the ID system presents unique legal issues that will define what the constitutional right to privacy means in the digital age. The government has made registration mandatory for hundreds of public services and many private ones, from taking school exams to opening bank accounts.

Technology has given governments around the world new tools to monitor their citizens. In China, the government is rolling out ways to use facial recognition and big data to track people, aiming to inject itself further into everyday life. Many countries, including Britain, deploy closed-circuit cameras to monitor their populations. But India's program is in a league of its own, both in the mass collection of biometric data and in the attempt to link it to everything -- traffic tickets, bank accounts, pensions, even meals for undernourished schoolchildren.

IT

Ask Slashdot: Are Companies Under-Investing in IT? 325

Long-time Slashdot reader johnpagenola writes: In the middle 1970's I had to choose between focusing on programming or accounting. I chose accounting because organizations were willing to pay for good accounting but not for good IT.

Forty years later the situation does not appear to have changed. Target, Equifax, ransomware, etc. show pathetically bad IT design and operation. Why does this pattern of underinvestment in and under-appreciation of IT continue?

Long-time Slashdot reader dheltzel argues that the problem is actually bad hiring practices, which over time leads to lower-quality employees. But it seems like Slashdot's readership should have their own perspective on the current state of the modern workplace.

So share your own thoughts and experiences in the comments. Are companies under-investing in IT?
Security

'Vigilante Hackers' Strike Routers In Russia and Iran, Reports Motherboard (vice.com) 121

An anonymous reader quotes Motherboard: On Friday, a group of hackers targeted computer infrastructure in Russia and Iran, impacting internet service providers, data centres, and in turn some websites. "We were tired of attacks from government-backed hackers on the United States and other countries," someone in control of an email address left in the note told Motherboard Saturday... "We simply wanted to send a message...." In addition to disabling the equipment, the hackers left a note on affected machines, according to screenshots and photographs shared on social media: "Don't mess with our elections," along with an image of an American flag...

In a blog post Friday, cybersecurity firm Kaspersky said the attack was exploiting a vulnerability in a piece of software called Cisco Smart Install Client. Using computer search engine Shodan, Talos (which is part of Cisco) said in its own blog post on Thursday it found 168,000 systems potentially exposed by the software. Talos also wrote it observed hackers exploiting the vulnerability to target critical infrastructure, and that some of the attacks are believed to be from nation-state actors...

Reuters reported that Iran's IT Minister Mohammad Javad Azari-Jahromi said the attack mainly impacted Europe, India, and the U.S.... The hackers said they did scan many countries for the vulnerable systems, including the U.K., U.S., and Canada, but only "attacked" Russia and Iran, perhaps referring to the post of an American flag and their message. They claimed to have fixed the Cisco issue on exposed devices in the US and UK "to prevent further attacks... As a result of our efforts, there are almost no vulnerable devices left in many major countries," they claimed in an email.

Their image of the American flag was a black-and-white drawing done with ASCII art.
Open Source

Torvalds Opposes Tying UEFI Secure Boot to Kernel Lockdown Mode (phoronix.com) 69

An anonymous reader quotes Phoronix: The kernel lockdown feature further restricts access to the kernel by user-space with what can be accessed or modified... Pairing that with UEFI SecureBoot unconditionally is meeting some resistance by Linus Torvalds. The goal of kernel lockdown, which Linus Torvalds doesn't have a problem with at all, comes down to "prevent both direct and indirect access to a running kernel image, attempting to protect against unauthorised modification of the kernel image and to prevent access to security and cryptographic data located in kernel memory, whilst still permitting driver modules to be loaded." But what has the Linux kernel creator upset with are developers trying to pair this unconditionally with UEFI SecureBoot. Linus describes Secure Boot as being "pushed in your face by people with an agenda." But his real problem is that Secure Boot would then imply Kernel Lockdown mode... "Tying these things magically together IS A BAD IDEA."
Security

T-Mobile Stores Part of Customers' Passwords In Plaintext, Says It Has 'Amazingly Good' Security (vice.com) 71

T-Mobile Austria admitted on Twitter that it stores at least part of their customer's passwords in plaintext. What this means is that "if anyone breaches T-Mobile (it's only a matter of time), they could likely guess or brute-force every user's password," reports Motherboard. "If the passwords were fully encrypted or hashed, it wouldn't be that easy. But having a portion of the credential in plaintext reduces the difficulty of decoding the hashed part and obtaining the whole password." From the report: "Based on what we know about how people choose their passwords," Per Thorsheim, the founder of the first-ever conference dedicated to passwords, told me via Twitter direct message, "knowing the first 4 characters of your password can make it DEAD EASY for an attacker to figure out the rest." T-Mobile doesn't see that as a problem because it has "amazingly good security." On Thursday, a T-Mobile Austria customer support employee made that stunning revelation in an incredibly nonchalant tweet. Twitter user Claudia Pellegrino was quick to point out that storing passwords in plaintext is wrong, but another T-Mobile customer rep didn't see it that way. "I really do not get why this is a problem. You have so many passwords for every app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear," the rep wrote back.
Security

Best Buy Warns of Data Breach (usatoday.com) 25

Best Buy, along with Delta Air Lines and Sears, says that [24]7.ai, a company that provides the technology backing its chat services, was hacked between September 27 and October 12, potentially jeopardizing the personal payment details of "a number of Best Buy customers." The electronics company said in a statement that "as best we can tell, only a small fraction of our overall online customer population could have been caught up in this... incident whether or not they used the chat function." They will reach out to customers who were impacted.
Communications

Russia Files Lawsuit To Block Telegram Messaging App (reuters.com) 70

Russia's state communications watchdog, Roskomnadzor, has filed a lawsuit to block Telegram in the country because the instant messaging company has refused to hand over the encryption keys that would allow Russian authorities to read messages sent using the service. From a report: Ranked as the world's ninth most popular mobile messaging app, Telegram is widely used in countries across the former Soviet Union and Middle East. Active users of the app reached 200 million in March. As part of its services, Telegram allows users to communicate via encrypted messages which cannot be read by third parties, including government authorities. But Russia's FSB Federal Security service has said it needs access to some messages for its work, including guarding against terrorist attacks. Telegram has refused to comply with its demands, citing respect for user privacy.

Slashdot Top Deals