Chrome

Google Disables Inline Installation For Chrome Extensions (venturebeat.com) 100

An anonymous reader writes: Google today announced that Chrome will no longer support inline installation of extensions. New extensions lose inline installation starting today, existing extensions will lose the ability in three months, and in early December the inline install API will be removed from the browser with the release of Chrome 71. Critics have pointed out such moves make the Chrome Web Store a walled garden, while Google insists pushing users to the store ultimately protects them.
Bug

Bugs Allowed Hackers To Make Malware Look Like Apple Software (vice.com) 72

An anonymous reader shares a report: For years, hackers could hide malware alongside legitimate Apple code and sneak it past several popular third-party security products for Mac computers, according to new research. This is not a flaw in MacOS but an issue in how third-party security tools implemented Apple's APIs. A researcher from security firm Okta found that several security products for Mac -- including Little Snitch, xFence, and Facebook's OSquery -- could be tricked into believing malware was Apple code, and let it past their defenses. "I can take malicious code and make it look like it's signed by Apple," Josh Pitts, the security researcher at Okta who discovered these bugs, told Motherboard. In a blog post published Tuesday, Pitts explained that the issue lies with how the third-party security tools implemented Apple's code-signing APIs when dealing with Mac's executable files known as Universal or Fat files.
Facebook

Facebook Offers Nearly 500 Pages of Answers To Congress' Questions From Zuckerberg's Testimony (washingtonpost.com) 62

An anonymous reader quotes a report from The Washington Post: Facebook pledged to continue refining its privacy practices and investigating its entanglement with Cambridge Analytica in nearly 500 pages of new information supplied to Congress and published Monday (Warning: source may be paywalled; alternative source) -- though the social giant sidestepped some of lawmakers' most critical queries. Much as it did during the hearing, Facebook told lawmakers on the Senate Judiciary Committee and the Senate Commerce Committee that it is reviewing all apps available on its platform that had access to large queries of data, a process that already has resulted in 200 suspensions.

Facebook did acknowledge that its consultants embedded in 2016 presidential campaigns, including President Trump's team, "did not identify any issues involving the improper use of Facebook data in the course of their interactions with Cambridge Analytica." In another exchange, Facebook said it had provided "technical support and best practices guidance to advertisers, including Cambridge Analytica, on using Facebook's advertising tools." Facebook also pointed to new tools meant to address its privacy practices, including a feature called Clear History, which "will enable people to see the websites and apps that send us information when they use them, delete this information from their accounts, and turn off our ability to store it associated with their accounts going forward," the company said.
The social network did continue to sidestep many of the lawmakers' questions and concerns. The Washington Post provides a couple of examples: "Delaware Sen. Christopher A. Coons (Del.), for example, probed whether Facebook had ever learned of any application developer 'transferring or selling user data without user consent' and in violation of Facebook's policies. In response, Facebook only committed in writing that it would 'investigate all apps that it had access to large amounts of data.'"

Facebook also didn't address Democratic Sen. Patrick J. Leahy's concerns. He asked Facebook to detail if the Obama campaign in 2012 had violated "any of Facebook's policies, and thereby get banned from the platform." Facebook said: "Both the Obama and Romney campaigns had access to the same tools, and no campaign received any special treatment from Facebook."

You can view the nearly 500 pages of new information here.
Math

Canada's 'Random' Immigration Lottery Uses Microsoft Excel, Which Isn't Actually Random (gizmodo.com) 224

An anonymous reader writes: Last year, Canada introduced a new lottery system used to extend permanent-resident status to the parents and grandparents of Canadian citizens. The process was designed to randomly select applicants in order to make the process fairer than the old first-come, first-served system. There's just one problem: the software used to run the lottery isn't actually random. The Globe and Mail reported the Immigration, Refugees and Citizenship Canada (IRCC) uses Microsoft Excel to run the immigration lottery to select 10,000 people for permanent resident status from a field of about 100,000 applications received each year. Experts warned that the random number generating function in Excel isn't actually random and may put some applicants at a disadvantage.

First, it's best to understand just how the lottery system works. An Access to Information request filed by The Globe and Mail shows that IRCC inputs the application number for every person entering the lottery into Excel, then assigns a random number to each using a variation of the program's RAND command. They then sort the list from smallest to largest based on the random number assigned and take the first 10,000 applications with the lowest numbers. The system puts a lot of faith in Excel's random function, which it might not deserve. According to Université de Montréal computer science professor Pierre L'Ecuyer, Excel is "very bad" at generating random numbers because it relies on an old generator that is out of date. He also warned that Excel doesn't pass statistical tests and is less random than it appears, which means some people in the lottery may actually have a lower chance of being selected than others.
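As an added illustration (not code from The Globe and Mail, Gizmodo or IRCC), the sort-by-random-key procedure described above in Python: an OS-backed CSPRNG stands in for RAND(), and a toy short-period generator (an assumption for demonstration, not Excel's actual algorithm) shows how a weak key source combined with a stable sort can leave some applicants with no chance at all.

```python
import random
import secrets
from collections import Counter

# Constructed sample pool: these application numbers are hypothetical, not IRCC data.
APPLICATIONS = [f"APP-{n:05d}" for n in range(1, 101)]
WINNERS = 10


class ShortCycleRNG:
    """Toy generator with a tiny period, standing in for a weak RAND().
    This is NOT Excel's algorithm; it only illustrates what a poor
    generator does to a sort-based draw."""

    def __init__(self, period=7):
        self.values = [(i + 1) / (period + 1) for i in range(period)]
        self.pos = 0

    def random(self):
        value = self.values[self.pos % len(self.values)]
        self.pos += 1
        return value


def lottery_draw(applications, winners, rng=None):
    """The procedure from the story: give every application a random key,
    sort ascending by key, keep the first `winners` rows.
    Defaults to secrets.SystemRandom(), an OS-backed CSPRNG."""
    if winners > len(applications):
        raise ValueError("cannot select more winners than applications")
    rng = rng or secrets.SystemRandom()
    keyed = [(rng.random(), app) for app in applications]
    keyed.sort(key=lambda pair: pair[0])  # stable sort: ties keep input order
    return [app for _, app in keyed[:winners]]


def selection_counts(applications, winners, trials, rng_factory):
    """Repeat the draw `trials` times and count how often each application wins.
    `rng_factory` returns the generator to use for each trial."""
    counts = Counter()
    for _ in range(trials):
        counts.update(lottery_draw(applications, winners, rng_factory()))
    return counts


def max_relative_deviation(counts, applications, winners, trials):
    """Largest relative gap between an application's observed win count and
    the count a uniform draw would give it (trials * winners / pool size).
    Near 0 means every applicant had about the same chance; 1.0 means
    someone never won (or won far more than expected)."""
    expected = trials * winners / len(applications)
    return max(abs(counts.get(app, 0) - expected) / expected for app in applications)


if __name__ == "__main__":
    trials = 2000
    fair = selection_counts(APPLICATIONS, WINNERS, trials, secrets.SystemRandom)
    # A fresh ShortCycleRNG each trial reproduces the same key pattern every time,
    # so the same ten applicants win every draw and the rest never do.
    weak = selection_counts(APPLICATIONS, WINNERS, trials, ShortCycleRNG)
    print("CSPRNG max deviation:", max_relative_deviation(fair, APPLICATIONS, WINNERS, trials))
    print("short-cycle max deviation:", max_relative_deviation(weak, APPLICATIONS, WINNERS, trials))
```

Running the same frequency check over many draws from the real spreadsheet is one way an auditor could test whether a lottery is actually uniform.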

United States

US Sanctions Russians Over Military, Intelligence Hacking (reuters.com) 159

The U.S. Treasury imposed sanctions on three Russian individuals and five companies on Monday, saying they had worked with Moscow's military and intelligence services on ways to conduct cyber attacks against the United States and its allies. From a report: "The United States is engaged in an ongoing effort to counter malicious actors working at the behest of the Russian Federation and its military and intelligence units to increase Russia's offensive cyber capabilities," Treasury Secretary Steven Mnuchin said in a statement. "The entities designated today have directly contributed to improving Russia's cyber and underwater capabilities through their work with the FSB and therefore jeopardize the safety and security of the United States and our allies," Mnuchin said, using an acronym for Russia's Federal Security Service.
IT

It's 2018 and USB Type-C Is Still a Mess (androidauthority.com) 330

An anonymous reader shares a column: USB Type-C was billed as the solution for all our future cable needs, unifying power and data delivery with display and audio connectivity, and ushering in an age of the one-size-fits-all cable. Unfortunately for those already invested in the USB Type-C ecosystem, which is anyone who has bought a flagship phone in the past couple of years, the standard has probably failed to live up to the promises. Even the seemingly most basic function of USB Type-C -- powering devices -- has become a mess of compatibility issues, conflicting proprietary standards, and a general lack of consumer information to guide purchasing decisions. The problem is that the features supported by different devices aren't clear, yet the defining principle of the USB Type-C standard makes consumers think everything should just work.

The charging example clearly demonstrates a very common frustration with the standard as it currently stands. Moving phones between different chargers, even of the same current and voltage ratings, often won't produce the same charging speeds. Furthermore, picking a third party USB Type-C cable to replace the typically too short included cable can result in losing fast charging capabilities.

Security

Hackers Stole Over $20 Million From Misconfigured Ethereum Clients (bleepingcomputer.com) 65

Catalin Cimpanu, writing for BleepingComputer: A group of hackers has stolen over $20 million worth of Ethereum from Ethereum-based apps and mining rigs, Chinese cyber-security firm Qihoo 360 Netlab reported today. The cause of these thefts is Ethereum software applications that have been configured to expose an RPC [Remote Procedure Call] interface on port 8545. The purpose of this interface is to provide access to a programmatic API that an approved third-party service or app can query and interact or retrieve data from the original Ethereum-based service -- such as a miner or wallet application that users or companies have set up for mining or managing funds. Because of its role, this RPC interface grants access to some pretty sensitive functions, allowing a third-party app the ability to retrieve private keys, move funds, or retrieve the owner's personal details.
Microsoft

Microsoft To Stop Offering Support For Windows 7, Windows 8.1, Old Surface Devices in Forums (betanews.com) 156

An anonymous reader shares a report: Microsoft has announced that starting next month it will no longer be participating in the technical support forums for Windows 7, 8.1, 8.1 RT and numerous other products. On the software front, the company says that it will also no longer provide support for Microsoft Security Essentials, Internet Explorer 10, Office 2010 and 2013 as of July. It is not just software that is affected. Microsoft is also stopping support for Surface Pro, Surface Pro 2, Surface RT, Surface 2, Microsoft Band and Zune. Some forums will be locked, preventing users from helping each other as well.
Microsoft

How Microsoft's Windows Red Team Keeps PCs Safe (wired.com) 83

Wired has a story on Windows' red team, which consists of a group of hackers (one of whom jailbroke Nintendo handhelds in a former life, another has more than one zero-day exploit to his name, and a third signed on just prior to the devastating Shadow Brokers leak), who are tasked with finding holes in the world's most used desktop operating system. From the story: The Windows red team didn't exist four years ago. That's around the time that David Weston, who currently leads the crew as principal security group manager for Windows, made his pitch for Microsoft to rethink how it handled the security of its marquee product. "Most of our hardening of the Windows operating system in previous generations was: Wait for a big attack to happen, or wait for someone to tell us about a new technique, and then spend some time trying to fix that," Weston says. "Obviously that's not ideal when the stakes are very high."

[...] Together, the red teamers spend their days attacking Windows. Every year, they develop a zero-day exploit to test their defensive blue-team counterparts. And when emergencies like Spectre or EternalBlue happen, they're among the first to get the call. Again, red teams aren't novel; companies that can afford them -- and that are aware they could be targeted -- tend to use them. If anything, it may come as a surprise that Microsoft hadn't sicced one on Windows until so recently. Microsoft as a company already had several other red teams in place by the time Weston built one for Windows, though those focused more on operational issues like unpatched machines. "Windows is still the central repository of malware and exploits. Practically, there's so much business done around the world on Windows. The attacker mentality is to get the biggest return on investment in what you develop in terms of code and exploits," says Aaron Lint, who regularly works with red teams in his role as chief scientist at application protection provider Arxan. "Windows is the obvious target."

United Kingdom

Digital IDs Needed To End 'Mob Rule' Online, Says UK's Security Minister (independent.co.uk) 510

Digital IDs should be brought in to end online anonymity that permits "mob rule" and lawlessness online, the security minister of the United Kingdom has said. From a report: Ben Wallace said authentication used by banks could also be employed by internet firms to crack down on bullying and grooming, as he warned that people had to make a choice between "the wild west or a civilised society" online. He also took aim at the "phoniness" of Silicon Valley billionaires, and called for companies such as WhatsApp to contribute to society over the negative costs of their technology, such as end-to-end encryption. It comes after Theresa May took another step against tech giants, saying they would be ordered to clamp down on vile attacks against women on their platforms. The prime minister will target firms such as Facebook and Twitter as she makes the pitch at the G7 summit this weekend, where she will urge social media firms to treat violent misogyny with the same urgency as they do terror threats. Mr Wallace told The Times: "A lot of the bullying on social media and the grooming is because those people know you cannot identify them. It is mob rule on the internet. You shouldn't be able to hide behind anonymity."
Security

Hackers Crashed a Bank's Computers While Attempting a SWIFT Hack (bleepingcomputer.com) 53

An anonymous reader writes: Hackers have used disk-wiping malware to sabotage hundreds of computers at a bank in Chile to distract staff while they were attempting to steal money via the bank's SWIFT money transferring system. The attempted hack took place at the end of May when hackers wiped the HDD MBR of over 9,000 computers and over 500 servers. Fortunately the hackers failed to steal money from the bank (an estimated $11 million). This is the same hacker group that failed last month when they tried to steal over $110 million from a Mexican bank. Further reading: Ripple and SWIFT slug it out over cross-border payments.
Android

BlackBerry Key2 is the 'Most Secure Android Smartphone', Company Claims (betanews.com) 53

The Key2 smartphone, which BlackBerry unveiled earlier this week, is the "most secure Android smartphone," the Canadian company claims. Brian Fagioli, writing for BetaNews: While BlackBerry no longer makes smartphones, it does license its name to a company called TCL which makes Android devices that carry the branding -- and sometimes, a physical keyboard. It isn't just slapping the BlackBerry name on a random low-quality Android phone, however. Actually, these TCL devices have been fairly well received thanks to an adherence to traditional BlackBerry designs. Today, TCL unveils its latest such smartphone, called "KEY2," and it looks quite nice. In fact, the company says it is "the most secure Android smartphone."
Programming

Should Developers Abandon Agile? (ronjeffries.com) 438

An anonymous reader quotes InfoQ: Ron Jeffries, author, speaker, one of the creators of Extreme Programming (XP), and a signatory of the Agile Manifesto back in 2001, shared a post on his blog in which he advocates that developers should abandon "Agile". The post further elaborated that developers should stay away from the "Faux Agile" or "Dark Agile" forms, and instead get closer to the values and principles of the Manifesto. The terms "Faux Agile" and "Dark Agile" are used by the author to give emphasis to the variety of the so-called "Agile" approaches that have contributed, according to him, to make the life of the developers worse rather than better, which is the antithesis of one of the initial ideas of the Agile Manifesto...
Jeffries writes that "When 'Agile' ideas are applied poorly, they often lead to more interference with developers, less time to do the work, higher pressure, and demands to 'go faster'. This is bad for the developers, and, ultimately, bad for the enterprise as well, because doing 'Agile' poorly will result, more often than not, in far more defects and much slower progress than could be attained. Often, good developers leave such organizations, resulting in a less effective enterprise than prior to installing 'Agile'...

"it breaks my heart to see the ideas we wrote about in the Agile Manifesto used to make developers' lives worse, instead of better. It also saddens me that the enterprise isn't getting what it could out of the deal, but my main concern is for the people doing the work..." He argues developers should instead just focus on good general software development practices -- like regularly producing fully-tested software and consciously avoiding "crufty" complex designs.

But what do Slashdot's readers think? Should developers abandon Agile?
Security

WiFi Phishing Attacks Discovered Around Atlanta City Hall (helpnetsecurity.com) 16

As Atlanta continues to fully recover from March's ransomware attack, new evidence discovered today by Coronet reveals hundreds of active Wi-Fi phishing attacks currently ongoing both inside of and in close proximity to Atlanta City Hall. From a report: The research also found attacks currently underway in Georgia's State Capitol Building, which is just a few blocks away. In total, Coronet identified 678 active threats within a 5-mile radius of Atlanta's City Hall. Specifically, Coronet has validated that an undetermined number of attackers are currently deploying advanced phishing techniques, including but not limited to Evil Twins, Captive Portals and ARP poisoning, in what is likely their attempt to gain unauthorized access to user credentials to cloud services that the government relies on for daily business operations and continuity.
United States

China Hacked a Navy Contractor and Secured a Trove of Highly Sensitive Data on Submarine Warfare (washingtonpost.com) 112

Ellen Nakashima and Paul Sonne, reporting for The Washington Post: Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to undersea warfare -- including secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020, according to American officials. The breaches occurred in January and February, the officials said, speaking on the condition of anonymity to discuss an ongoing investigation. The hackers targeted a contractor who works for the Naval Undersea Warfare Center, a military organization headquartered in Newport, R.I., that conducts research and development for submarines and underwater weaponry. The officials did not identify the contractor. Taken were 614 gigabytes of material relating to a closely held project known as Sea Dragon, as well as signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit's electronic warfare library. The Washington Post agreed to withhold certain details about the compromised missile project at the request of the Navy, which argued that their release could harm national security.
Security

Cisco Removes Backdoor Account, Fourth Incident in the Last Four Months (bleepingcomputer.com) 51

For the fourth time this year, Cisco has removed hardcoded credentials that were left inside one of its products, which an attacker could have exploited to gain access to devices and inherently to customer networks. From a report: This time around, the hardcoded password was found in Cisco's Wide Area Application Services (WAAS), which is a software package that runs on Cisco hardware that can optimize WAN traffic management. This backdoor mechanism (CVE-2018-0329) was in the form of a hardcoded, read-only SNMP community string in the configuration file of the SNMP daemon. SNMP stands for Simple Network Management Protocol, an Internet protocol for collecting data about and from remote devices. The community string was there so SNMP servers knowing the string's value could connect to the remote Cisco device and gather statistics and system information about it.
Security

Severe Firmware Vulnerabilities Found In Popular Supermicro Server Products (bleepingcomputer.com) 45

An anonymous reader quotes a report from Bleeping Computer: Security researchers have uncovered vulnerabilities affecting the firmware of the very popular Supermicro enterprise-line server products. These vulnerabilities affect both older and newer models of Supermicro products, but the vendor is working on addressing the issues. These vulnerabilities do not put the safety of Supermicro products at direct risk, as they can only be exploited via malicious software/code (aka malware) already running on a system. Nevertheless, exploiting these vulnerabilities allows the malware to obtain an almost permanent foothold on infected systems by gaining the ability to survive server OS reinstalls by hiding in the hardware's firmware. Technical details are available in an Eclypsium blog post, while a list of affected servers is available here.
Privacy

Ticketfly Says 27 Million Accounts Compromised During 'Malicious' Attack (billboard.com) 11

Earlier this month, we reported on a "cyber incident" that compromised the systems of Ticketfly, a large ticket distribution service. We have now learned that roughly 27 million user accounts were compromised during the attack. The information includes names, addresses, email addresses and phone numbers; thankfully, no credit/debit card info or passwords were stolen. Billboard reports: Ticketfly's website is fully back online a week after being targeted by what it describes as a "malicious cyber attack," though its mobile app for iOS remains offline "as we continue to prioritize bringing up the most critical parts of the platform first." Following the hack, the company rolled out a network of temporary venue and promoter websites so that events, including Riot Fest and Celebrate Brooklyn, could continue selling tickets. The "vast majority" of the temporary sites are now live, the firm said. All passwords for both ticket buyers and venue/promoter clients were reset following the hack, though they found no evidence that they were accessed. "It is possible, however, that hashed values of password credentials could have been accessed," the site warned. "Hashing is a way of scrambling a piece of data, making it generally incomprehensible."
Facebook

Facebook Alerts 14M To Privacy Bug That Changed Status Composer To Public (techcrunch.com) 36

Facebook has landed itself in yet another self-inflicted privacy debacle. As many as 14 million Facebook users who thought they were posting items that only their friends or smaller groups could see may have been posting that content to the entire world, the company said Thursday. From a report: Facebook's Chief Privacy Officer Erin Egan wrote to TechCrunch in a statement: "We recently found a bug that automatically suggested posting publicly when some people were creating their Facebook posts. We have fixed this issue and starting today we are letting everyone affected know and asking them to review any posts they made during that time. To be clear, this bug did not impact anything people had posted before -- and they could still choose their audience just as they always have. We'd like to apologize for this mistake." The bug was active from May 18th to May 27th, with Facebook able to start rolling out a fix on May 22nd. It happened because Facebook was building a 'featured items' option on your profile that highlights photos and other content.
United Kingdom

UK Bank TSB Admits 1,300 Accounts Hit By Fraud Amid IT Meltdown (bbc.com) 28

An anonymous reader shares a BBC report: Life savings have been stolen from TSB accounts by fraudsters "exploiting" the bank's IT problems, with 1,300 people losing money. On occasions, people were waiting on the phone for up to nine hours to report cases, the bank's boss Paul Pester has told MPs. He said that 70 times the normal level of fraud attacks were seen last month. The introduction of a new IT system in April left customers struggling to make transactions and see their balances. The bank said it would compensate customers in full for any fraud they suffered. The evidence came after the financial regulator confirmed that it was investigating TSB and criticised Mr Pester for an "optimistic view" of services after the meltdown.