Chrome

Google Chrome To Remove 'Secure' Indicator From HTTPS Pages in September (bleepingcomputer.com) 101

Google announced Thursday it plans to drop the "Secure" indicator from the Chrome URL address bar -- starting with Chrome v68, set for release in July -- and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report: The move is scheduled to take effect with the release of Chrome 69, scheduled for September, this year. Emily Schechter, Product Manager for Chrome Security, said the company is now comfortable making this move as a large chunk of Chrome's traffic is now via HTTPS. Since most traffic is HTTPS anyway, it's not necessary to draw the user's attention to the "Secure" indicator anymore.
United States

Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US (vice.com) 68

Securus, the company which tracks nearly any phone across the US for cops with minimal oversight, has been hacked, Motherboard reported Wednesday. From the report: The hacker has provided some of the stolen data to Motherboard, including usernames and poorly secured passwords for thousands of Securus' law enforcement customers. Although it's not clear how many of these customers are using Securus's phone geolocation service, the news still signals the incredibly lax security of a company that is granting law enforcement exceptional power to surveill individuals. "Location aggregators are -- from the point of view of adversarial intelligence agencies -- one of the juiciest hacking targets imaginable," Thomas Rid, a professor of strategic studies at Johns Hopkins University, told Motherboard in an online chat.
Robotics

Researchers Create First Flying Wireless Robotic Insect (newatlas.com) 64

An anonymous reader quotes a report from New Atlas: You might remember RoboBee, an insect-sized robot that flies by flapping its wings. Unfortunately, though, it has to be hard-wired to a power source. Well, one of RoboBee's creators has now helped develop RoboFly, which flies without a tether. Slightly heavier than a toothpick, RoboFly was designed by a team at the University of Washington -- one member of that team, assistant professor Sawyer Fuller, was also part of the Harvard University team that first created RoboBee. That flying robot receives its power via a wire attached to an external power source, as an onboard battery would simply be too heavy to allow the tiny craft to fly. Instead of a wire or a battery, RoboFly is powered by a laser. That laser shines on a photovoltaic cell, which is mounted on top of the robot. On its own, that cell converts the laser light to just seven volts of electricity, so a built-in circuit boosts that to the 240 volts needed to flap the wings. That circuit also contains a microcontroller, which tells the robot when and how to flap its wings -- on RoboBee, that sort of "thinking" is handled via a tether-linked external controller. The robot can be seen in action here.
The Almighty Buck

Ecuador Spent $5 Million Protecting and Spying On Julian Assange, Says Report (theverge.com) 165

Citing reports from The Guardian and Focus Ecuador, The Verge reports that Ecuador's intelligence program spent at least $5 million "on an elaborate security and surveillance network around WikiLeaks founder Julian Assange." The intelligence program was known as "Operator Hotel," which began as "Operation Guest" when Assange took refuge in Ecuador's UK embassy in 2012. From the report: Operation Hotel has allegedly covered expenses like installing CCTV cameras and hiring a security team to "secretly film and monitor all activity in the embassy," including Assange's daily activities, moods, and interactions with staff and visitors. The Guardian estimates Ecuadorian intelligence agency Senain has spent at least $5 million on Assange-related operations, based on documents they reviewed. The report details attempts to improve Assange's public image and potentially smuggle him out of the embassy if he was threatened. But it also writes that relations between Assange and Ecuador have badly deteriorated over the past several years. In 2014, Assange allegedly breached the embassy's network security, reading confidential diplomatic material and setting up his own secret communications network.
Facebook

Justice Department, FBI Are Investigating Cambridge Analytica (cbsnews.com) 139

An anonymous reader quotes a report from CBS News: The Justice Department and FBI are investigating Cambridge Analytica, the now-shuttered political data firm that was once used by the Trump campaign and came under scrutiny for harvesting data of millions of users, The New York Times reported on Tuesday. The Times, citing a U.S. official and people familiar with the inquiry, reported federal investigators have looked to question former employees and banks connected to the firm.

The Times reports prosecutors have informed potential witnesses there is an open investigation into the firm, whose profiles of voters were intended to help with elections. One source tells CBS News correspondent Paula Reid prosecutors are investigating the firm for possible financial crimes. A company that has that much regulatory scrutiny is almost guaranteed to have federal prosecutors interested, Reid was told. Christopher Wylie, a former Cambridge Analytica employee who spoke out about the data sharing practices, told the Times federal investigators had contacted him. The American official told the Times investigators have also contacted Facebook as a part of the probe.

Crime

Suspect Identified In CIA 'Vault 7' Leak (nytimes.com) 106

An anonymous reader quotes a report from The New York Times: In weekly online posts last year, WikiLeaks released a stolen archive of secret documents about the Central Intelligence Agency's hacking operations, including software exploits designed to take over iPhones and turn smart television sets into surveillance devices. It was the largest loss of classified documents in the agency's history and a huge embarrassment for C.I.A. officials. Now, The New York Times has learned the identity of the prime suspect in the breach (Warning: source may be paywalled; alternative source): a 29-year-old former C.I.A. software engineer who had designed malware used to break into the computers of terrorism suspects and other targets.

F.B.I. agents searched the Manhattan apartment of the suspect, Joshua A. Schulte, one week after WikiLeaks released the first of the C.I.A. documents in March last year, and then stopped him from flying to Mexico on vacation, taking his passport, according to court records and family members. The search warrant application said Mr. Schulte was suspected of "distribution of national defense information," and agents told the court they had retrieved "N.S.A. and C.I.A. paperwork" in addition to a computer, tablet, phone and other electronics. But instead of charging Mr. Schulte in the breach, referred to as the Vault 7 leak, prosecutors charged him last August with possessing child pornography, saying agents had found the material on a server he created as a business in 2009 while he was a student at the University of Texas.

Security

Smarter People Don't Have Better Passwords, Study Finds (bleepingcomputer.com) 109

An anonymous reader shares a report: A study carried out at a college in the Philippines shows that students with better grades use bad passwords in the same proportion as students with bad ones. The study's focused around a new rule added to the National Institute of Standards and Technology (NIST) guideline for choosing secure passwords -- added in its 2017 edition. The NIST recommendation was that websites check if a user's supplied password was compromised before by verifying if the password is also listed in previous public breaches. If the password is included in previous breaches, the website is to consider the password insecure because all of these exposed passwords have most likely been added to even the most basic password-guessing brute-forcing tools.
United States

Homeland Security Unveils New Cyber Security Strategy Amid Threats (reuters.com) 75

The U.S. Department of Homeland Security on Tuesday unveiled a new national strategy for addressing the growing number of cyber security risks as it works to assess them and reduce vulnerabilities. From a report: "The cyber threat landscape is shifting in real-time, and we have reached a historic turning point," DHS chief Kirstjen Nielsen said in a statement. "It is clear that our cyber adversaries can now threaten the very fabric of our republic itself." The announcement comes amid concerns about the security of the 2018 U.S. midterm congressional elections and numerous high-profile hacking of U.S. companies.
Security

Kaspersky Lab Moving Core Infrastructure To Switzerland (securityweek.com) 78

wiredmikey writes: As part of its Global Transparency Initiative, Russia-based Kaspersky Lab today announced that it will adjust its infrastructure to move a number of "core processes" from Russia to Switzerland. The security firm has faced challenges after several governments have banned Kaspersky software over security concerns, despite no hard evidence that Kaspersky has ever colluded with the Russian government. As an extension to its transparency initiative, announced in October 2017, the firm is now going further by making plans for its processes and source code to be independently supervised by a qualified third-party. To this end, it is supporting the creation of a new, non-profit "Transparency Center" able to assume this responsibility not just for itself, but for other partners and members who wish to join. Noticeably, Kaspersky Lab does not link the move specifically to the effects of the U.S. ban, but sees wider issues of global trust emerging.
Encryption

Encrypted Email Has a Major, Divisive Flaw (wired.com) 116

An anonymous reader quotes a report from Wired: The ubiquitous email encryption schemes PGP and S/MIME are vulnerable to attack, according to a group of German and Belgian researchers who posted their findings on Monday. The weakness could allow a hacker to expose plaintext versions of encrypted messages -- a nightmare scenario for users who rely on encrypted email to protect their privacy, security, and safety. The weakness, dubbed eFail, emerges when an attacker who has already managed to intercept your encrypted emails manipulates how the message will process its HTML elements, like images and multimedia styling. When the recipient gets the altered message and their email client -- like Outlook or Apple Mail -- decrypts it, the email program will also load the external multimedia components through the maliciously altered channel, allowing the attacker to grab the plaintext of the message.

The eFail attack requires hackers to have a high level of access in the first place that, in itself, is difficult to achieve. They need to already be able to intercept encrypted messages, before they begin waylaying messages to alter them. PGP is a classic end-to-end encryption scheme that has been a go-to for secure consumer email since the late 1990s because of the free, open-source standard known as OpenPGP. But the whole point of doing the extra work to keep data encrypted from the time it leaves the sender to the time it displays for the receiver is to reduce the risk of access attacks -- even if someone can tap into your encrypted messages, the data will still be unreadable. eFail is an example of these secondary protections failing.

Facebook

Researchers Reportedly Exposed Facebook Quiz Data On 3 Million Users (newscientist.com) 19

According to a report from New Scientist, researchers exposed quiz data on over three million Facebook users via an insecure website. The data includes answers to intimate questionnaires, and was held by academics from the University of Cambridge's Psychometrics Centre. While the breach isn't as severe as the Cambridge Analytica leak, it is distantly connected as the project previously involved Alexandr Kogan, the researcher at the center of the scandal. From the report: Facebook suspended myPersonality from its platform on April 7 saying the app may have violated its policies due to the language used in the app and on its website to describe how data is shared. More than 6 million people completed the tests on the myPersonality app and nearly half agreed to share data from their Facebook profiles with the project. All of this data was then scooped up and the names removed before it was put on a website to share with other researchers. The terms allow the myPersonality team to use and distribute the data "in an anonymous manner such that the information cannot be traced back to the individual user."

However, for those who were not entitled to access the data set because they didn't have a permanent academic contract, for example, there was an easy workaround. For the last four years, a working username and password has been available online that could be found from a single web search. Anyone who wanted access to the data set could have found the key to download it in less than a minute.

AMD

AMD Integrates Ryzen PRO and Radeon Vega Graphics In Next-Gen APUs (zdnet.com) 76

The three biggest PC OEMs -- Dell, HP, and Lenovo -- are now offering AMD Ryzen PRO mobile and desktop accelerated processing units (APUs) with built-in Radeon Vega graphics in a variety of commercial systems. There are a total of seven new APUs -- three for the mobile space and four for the desktop. As AMD notes in its press release, the first desktops to ship with these latest chips include: the HP Elitedesk G4 and 285 Desktop, the Lenovo ThinkCentre M715, and the Dell Optiplex 5055. ZDNet's Adrian Kingsley-Hughes writes about what makes Ryzen PRO so appealing: Ryzen PRO has been built from the ground up to focus on three pillars -- power, security and reliability. Built-in security means integrated GuardMI technology, an AES 128-bit encryption engine, Windows 10 Enterprise Security support, and support for fTPM/TPM 2.0 Trusted Platform Module. One of the features of Ryzen PRO that AMD hopes will appeal to commercial users is the enterprise-grade reliability that the chips come backed with, everything from 18-moths of planned software availability, 24-months processor availability, a commercial-grade QA process, 36-moth warranty, and enterprise-class manageability.

There are no worries on the performance front either, with the Ryzen PRO with Vega Graphics being the world's fastest processor currently available for ultrathin commercial notebooks, with the AMD Ryzen 7 PRO 2700U offering up to 22 percent more productivity performance than Intel's 8th-generation Core i7-8550U in testing carried out by AMD. AMD has also designed the Ryzen PRO processors to be energy-efficient, enabling up to 16 hours of battery life in devices, or 10.5 hours of video playback. The Ryzen PRO with Vega Graphics desktop processors are also no slouches, opening up a significant performance gap when compared to Intel Core i5 8400 and Core i3 8100 parts.
AMD also announced that it is sampling its second-generation Threadripper 2900X, 2920X and 2950X products. "For Threadripper Gen2 you can expect a refresh of the current line-up; an 8-core Threadripper 2900X, a 12-core Threadripper 2920X and of course a 16-core Threadripper 2950X," reports Guru3D.com. "AMD will apply the same Zen+ tweaks to the processors; including memory latency optimizations and higher clock speeds."

AMD has something for the datacenter enthusiasts out there too. Epyc, AMD's x86 server processor line based on the company's Zen microarchitecture, has a new promo video, claiming more performance, more security features, and more value than Intel Xeon. The company plans to market Epyc in an aggressive head-to-head format similar to how T-Mobile campaigns against Verizon and AT&T. Given Intel Xeon's 99% market share, they sort of have to...
Security

Attention PGP Users: New Vulnerabilities Require You To Take Action Now (eff.org) 129

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. From a report: EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages. The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific).

In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication. Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.
Further reading: People Are Freaking Out That PGP Is 'Broken' -- But You Shouldn't Be Using It Anyway (Motherboard).
Security

California High Schooler Changes Grades After Phishing Teachers, Gets 14 Felonies for His Efforts (gizmodo.com) 343

Police in Concord, California arrested a teenager earlier this week and charged him 14 felony counts after discovering the high schooler launched a phishing campaign directed at teachers in order to steal their passwords and change grades. From a report: The 16-year-old student, whose name was not released because he's a minor, was arrested Wednesday following an investigation launched by local law enforcement, with assistance from a Contra Costa County task force and the US Secret Service, KTVU reported. Reports of the hack first started to trickle into police two weeks ago, when teachers in the Mount Diablo Unified School District started receiving suspicious emails in their inbox. As it turns out, they were part of a phishing attempt launched by the student. The email messages contained a link that sent the recipients to a fake website constructed by the student to look like the school's portal. If a teacher clicked on the link, they were directed to the site that would prompt them to enter their username and password. The site would record any information entered, allowing the student to hijack the teacher's account.
Security

Card Breach Announced at Chili's Restaurant Chain (bleepingcomputer.com) 88

Catalin Cimpanu, reporting for BleepingComputer: Malware has harvested payment card details from some Chili's restaurants, Brinker International, the company behind the restaurant chain announced on Friday. Brinker says it detected the malware on Friday, May 11, the same day it made the announcement. The company said it is still investigating the incident together with law enforcement and third-party forensic experts. Based on the current details it was able to gather, the company said the malware appears to have infected some of its payment systems from where it gathered credit or debit card numbers and cardholder names.
Portables (Apple)

Class Action Suit Filed Against Apple Over the Keyboards in MacBook Pro and MacBook Laptops (theoutline.com) 217

On Friday, Apple was hit with a class action lawsuit over the butterfly-switch keyboards, found on the current generation MacBook Pro and MacBook lineups, that have plagued its customers since they were released in 2015. The suit, filed in the Northern District Court of California, alleges that Apple "promoted and sold laptops it knew were defective in that they contain a keyboard that is substantially certain to fail prematurely," The Outline reports, and that selling these computers not only directly to its customers but also to third party retailers constitutes a violation of good faith. From the report: The Outline was the first outlet to substantially cover the magnitude of the issue, writing that Apple Geniuses responsible for diagnosing and repairing these Apple computers would benevolently attribute dead keys and double-spacing spacebars to a "piece of dust" stuck under the keyboard. Under Apple's warranty, Geniuses might offer to replace the entire top case of the computer, a process that takes about a week. Out of warranty, it costs about $700 to replace this part on a MacBook Pro. Apple has declined repeatedly to comment on the issue, but directs sufferers to a support page that instructs users how to tilt the computer at an angle, blow canned air under the malfunctioning keys, light candles arranged in the shape of a pentagram, and recite an incantation to Gaia in hopes of fixing their machines. Earlier this month, users kickstarted a petition on Change.org that calls on Apple to recall MacBook Pro units released since late 2016 over the defective keyboard. The petition has garnered about 20,000 signatures. Widely respected iOS developer and Apple commentator Marco Arment tweeted on the news, "We can't know for sure that Apple knew the 2016 keyboards were defective and sold them anyway. But it's hard to see how they couldn't have known. They were released 18 months earlier in the 12" MacBook, and those had the same problems with high failure rates from the start."
Security

Malware Found In the Ubuntu Snap Store (linuxuprising.com) 90

An anonymous reader quotes a report from Linux Uprising: Oh, snap! Just because some packages are available to install directly from the Ubuntu Software Center doesn't make them safe. This is proved by a recent discovery of malware in some snap packages from the Ubuntu Snaps Store.

At least two of the snap packages, 2048buntu and hextris, uploaded to the Ubuntu Snaps Store by user Nicolas Tomb, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, "pending further investigations." The report comes from a bug which mentions that the 2048buntu snap package (and other packages by Nicolas Tomb) contains a hidden cryptocurrency miner inside.

Security

One Year After WannaCry, EternalBlue Exploit Is Bigger Than Ever (bleepingcomputer.com) 62

An anonymous reader quotes a report from Bleeping Computer: Exactly one year after the biggest cyber-security incident in history, the exploit at the heart of the WannaCry attack is now more popular than ever, according to telemetry data gathered by Slovak antivirus vendor ESET. Named EternalBlue, the exploit was supposedly developed by the cyber division of the U.S. National Security Agency. EternalBlue was part of a large cache of tools that a hacker group known as The Shadow Brokers stole from NSA servers in 2016 and then leaked online from August 2016 to April 2017. Many suspect the NSA might have notified Microsoft of what the Shadow Brokers stole, because in March 2017, a month before EternalBlue was released, Microsoft released MS17-010, a security bulletin containing patches for the many SMB-targeting exploits included in the Shadow Broker leak.

Even if EternalBlue is not being used anymore to help ransomware become a virulent nightmare on a global level (only on a network level), most regular users don't know that it's still one of today's biggest threats. This threat doesn't only come from malware authors continuing to weaponize it for a diverse set of operations. Malware authors wouldn't ever bother with an inefficient exploit. ExploitBlue continues to be a threat because of the vulnerable machines still available online. According to Nate Warfield of the Microsoft Security Response Center, there are still plenty of vulnerable Windows systems exposing their SMB service available online.

Security

Hacker Shuts Down Copenhagen's Public City Bikes System (bleepingcomputer.com) 72

An anonymous reader writes: "An unidentified hacker has breached Bycyklen -- Copenhagen's city bikes network -- and deleted the organization's entire database, disabling the public's access to bicycles over the weekend," reports Bleeping Computer. "The hack took place on the night between Friday, May 4, and Saturday, May 5, the organization said on its website. Bycyklen described the hack as "rather primitive," alluding it may have been carried out "by a person with a great deal of knowledge of its IT infrastructure." Almost 2,000 bikes were affected, and the company's employees have been working for days, searching for bikes docked across the city and installing a manual update to restore functionality. The company is holding a "treasure hunt," asking users to hunt down and identify non-functional bikes.
Cellphones

US Appeals Court Rules Border Agents Need Suspicion To Search Cellphones (reason.com) 116

On Thursday, a federal appeals court ruled that U.S. border agents need some sort of reason to believe a traveler has committed a crime before searching their cellphone. Slashdot reader Wrath0fb0b shares an analysis via Reason, written by Fourth Amendment scholar Orin Kerr: Traditionally, searches at the border don't require any suspicion on the theory that the government has a strong sovereign interest in regulating what enters and exits the country. But there is caselaw indicating that some border searches are so invasive that they do require some kind of suspicion. In the new case, Kolsuz (PDF), the Fourth Circuit agrees with the Ninth Circuit that at least some suspicion is required for a forensic search of a cell phone seized at the border. This is important for three reasons. First, the Fourth Circuit requires suspicion for forensic searches of cell phones seized at the border. Second, it clarifies significantly the forensic/manual distinction, which has always been pretty uncertain to me. Third, it leaves open that some suspicion may be required for manual searches, too.

But wait, that's not all. In fact, I don't think it's the most important part of the opinion. The most important part of the opinion comes in a different section, where the Fourth Circuit adds what seems to be a new and important limit on the border search exception: a case-by-case nexus requirement to the government interests that justify the border search exception. Maybe I'm misreading this passage, but it strikes me as doing something quite new and significant. It scrutinizes the border search that occurred to see if the government's cause for searching in this particular case satisfied "a 'nexus' requirement" of showing sufficient connection between the search and "the rationale for the border search exception," requiring a link between the "predicate for the search and the rationale for the border exception." In other words, the Fourth Circuit appears to be requiring the government to identify the border-search-related interest justifying that particular search in order to rely on the border search exception.
"The analysis is interesting throughout, and it would be a fairly large limitation on digital searches conducted at the border, both in requiring some articulable suspicion for digital searches and in the requirement to justify the relationship between the search and the border inspection," writes Wrath0fb0b.

Slashdot Top Deals