Microsoft

Microsoft Explains How it Decides Whether a Vulnerability Will Be Patched Swiftly or Left For a Version Update (zdnet.com)

Microsoft has published a new draft document clarifying which security bugs will get a rapid fix and which it will let stew for a later release. From a report: The document outlines the criteria the Microsoft Security Response Center uses to decide whether a reported vulnerability gets fixed swiftly, usually in a Patch Tuesday security update, or left for a later version update. Microsoft said in a blogpost the document is intended to offer researchers "better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them." The criteria revolve around two key questions: "Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?"; and, "Does the severity of the vulnerability meet the bar for servicing?" If the answer to both questions is 'yes', the bug will be patched in a security update, but if the answer to both is 'no', the vulnerability will be considered for the next version or release of the affected product or feature.
United Kingdom

UK Watchdog Issues $334K Fine For Yahoo's 2014 Data Breach (theregister.co.uk)

An anonymous reader quotes a report from The Register: Yahoo's U.K. limb has finally been handed a $334,300 (250,000 GBP) fine for the 2014 cyber attack that exposed data of half a million Brit users. Today, the Information Commissioner's Office issued Yahoo U.K. Services Ltd a $334,300 (250,000 GBP) fine following an investigation that focused on the 515,121 U.K. accounts that the London-based branch of the firm had responsibility for. The ICO said "systemic failures" had put user data at risk as the U.K. arm of Yahoo did not take appropriate technical and organizational measures to prevent a data breach of this size.

In particular, the watchdog said there should have been proper monitoring systems in place to protect the credentials of Yahoo employees who could access customer's data, and to ensure that instructions to transfer very large quantities of personal data from Yahoo's servers would be flagged for investigation. It also noted that, as a data controller, Yahoo U.K. services Ltd had a responsibility to ensure its processors -- in this case Yahoo, whose U.S. servers held the data on U.K. users -- complied with data protection standards.

Security

5% of All Monero Currently In Circulation Has Been Mined Using Malware (bleepingcomputer.com)

An anonymous reader writes: According to a report released yesterday, criminal groups have mined an approximate total of 798,613.33 Monero coins (XMR) using malware on infected devices. That's over $108 million in US currency, just from coin-mining operations alone. This sum also represents around 5% of all the Monero currently in circulation -- 15,962,350 XMR. Furthermore, during the past year, infected devices were responsible for 19,503,823.54 hashes/second, which is roughly 2% of the entire hashing power of the Monero network. "The total hashrate of roughly 19MH/s would result in approximately $30,443 per day based on today's current exchange rates and network difficulty," researchers said. "Similarly, the top three hash-rates will mine approximately $2,737, $2,022 and $1,596 per day, respectively."
EU

Internet Luminaries Urge EU To Kill Off Automated Copyright Filter Proposal (theregister.co.uk)

A large group of Internet pioneers have sent an open letter to the European Union urging it to scrap a proposal to introduce automated upload filters, arguing that it could damage the internet as we know it. The Register: The European Parliament's Legal Affairs (Juri) Committee will vote on the proposal contained in Article 13 of the Copyright in the Digital Single Market Directive next week. The proposal would see all companies that "store and provide to the public access to large amounts of works" obliged to "prevent the availability... of works... identified by rightholders." Despite the inclusion of language that says such measures need to be "appropriate and proportionate," it has caused many to worry that the law will lead to a requirement for all platforms to introduce automated content filtering, and shift liability for any copyrighted material that appears online from the user that posts it to the platform itself.

"By inverting this liability model and essentially making platforms directly responsible for ensuring the legality of content in the first instance, the business models and investments of platforms large and small will be impacted," warns the letter [PDF] signed by "Father of the Internet" Vint Cerf and world wide web inventor Tim Berners-Lee, as well as a host of other internet luminaries including Wikipedia's Jimmy Wales, security expert Bruce Schneier and net neutrality namer Tim Wu.

Chrome

Google Disables Inline Installation For Chrome Extensions (venturebeat.com)

An anonymous reader writes: Google today announced that Chrome will no longer support inline installation of extensions. New extensions lose inline installation starting today, existing extensions will lose the ability in three months, and in early December the inline install API will be removed from the browser with the release of Chrome 71. Critics have pointed out such moves make the Chrome Web Store a walled garden, while Google insists pushing users to the store ultimately protects them.
Bug

Bugs Allowed Hackers To Make Malware Look Like Apple Software (vice.com)

An anonymous reader shares a report: For years, hackers could hide malware alongside legitimate Apple code and sneak it past several popular third-party security products for Mac computers, according to new research. This is not a flaw in MacOS but an issue in how third-party security tools implemented Apple's APIs. A researcher from security firm Okta found that several security products for Mac -- including Little Snitch, xFence, and Facebook's OSquery -- could be tricked into believing malware was Apple code, and let it past their defenses. "I can take malicious code and make it look like it's signed by Apple," Josh Pitts, the security researcher at Okta who discovered these bugs, told Motherboard. In a blog post published Tuesday, Pitts explained that the issue lies with how the third-party security tools implemented Apple's code-signing APIs when dealing with Mac's executable files known as Universal or Fat files.
Facebook

Facebook Offers Nearly 500 Pages of Answers To Congress' Questions From Zuckerberg's Testimony (washingtonpost.com)

An anonymous reader quotes a report from The Washington Post: Facebook pledged to continue refining its privacy practices and investigating its entanglement with Cambridge Analytica in nearly 500 pages of new information supplied to Congress and published Monday (Warning: source may be paywalled; alternative source) -- though the social giant sidestepped some of lawmakers' most critical queries. Much as it did during the hearing, Facebook told lawmakers on the Senate Judiciary Committee and the Senate Commerce Committee that it is reviewing all apps available on its platform that had access to large queries of data, a process that already has resulted in 200 suspensions.

Facebook did acknowledge that its consultants embedded in 2016 presidential campaigns, including President Trump's team, "did not identify any issues involving the improper use of Facebook data in the course of their interactions with Cambridge Analytica." In another exchange, Facebook said it had provided "technical support and best practices guidance to advertisers, including Cambridge Analytica, on using Facebook's advertising tools." Facebook also pointed to new tools meant to address its privacy practices, including a feature called Clear History, which "will enable people to see the websites and apps that send us information when they use them, delete this information from their accounts, and turn off our ability to store it associated with their accounts going forward," the company said.
The social network did continue to sidestep many of the lawmakers' questions and concerns. The Washington Post provides a couple of examples: "Delaware Sen. Christopher A. Coons (Del.), for example, probed whether Facebook had ever learned of any application developer 'transferring or selling user data without user consent' and in violation of Facebook's policies. In response, Facebook only committed in writing that it would 'investigate all apps that it had access to large amounts of data.'"

Facebook also didn't address Democratic Sen. Patrick J. Leahy's concerns. He asked Facebook to detail if the Obama campaign in 2012 had violated "any of Facebook's policies, and thereby get banned from the platform." Facebook said: "Both the Obama and Romney campaigns had access to the same tools, and no campaign received any special treatment from Facebook."

You can view the nearly 500 pages of new information here.
United States

US Sanctions Russians Over Military, Intelligence Hacking (reuters.com)

The U.S. Treasury imposed sanctions on three Russian individuals and five companies on Monday, saying they had worked with Moscow's military and intelligence services on ways to conduct cyber attacks against the United States and its allies. From a report: "The United States is engaged in an ongoing effort to counter malicious actors working at the behest of the Russian Federation and its military and intelligence units to increase Russia's offensive cyber capabilities," Treasury Secretary Steven Mnuchin said in a statement. "The entities designated today have directly contributed to improving Russia's cyber and underwater capabilities through their work with the FSB and therefore jeopardize the safety and security of the United States and our allies," Mnuchin said, using an acronym for Russia's Federal Security Service.
Security

Hackers Stole Over $20 Million From Misconfigured Ethereum Clients (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: A group of hackers has stolen over $20 million worth of Ethereum from Ethereum-based apps and mining rigs, Chinese cyber-security firm Qihoo 360 Netlab reported today. The cause of these thefts is Ethereum software applications that have been configured to expose an RPC [Remote Procedure Call] interface on port 8545. The purpose of this interface is to provide access to a programmatic API that an approved third-party service or app can query to interact with, or retrieve data from, the original Ethereum-based service -- such as a miner or wallet application that users or companies have set up for mining or managing funds. Because of its role, this RPC interface grants access to some pretty sensitive functions, allowing a third-party app the ability to retrieve private keys, move funds, or retrieve the owner's personal details.
Microsoft

Microsoft To Stop Offering Support For Windows 7, Windows 8.1, Old Surface Devices in Forums (betanews.com)

An anonymous reader shares a report: Microsoft has announced that starting next month it will no longer be participating in the technical support forums for Windows 7, 8.1, 8.1 RT and numerous other products. On the software front, the company says that it will also no longer provide support for Microsoft Security Essentials, Internet Explorer 10, Office 2010 and 2013 as of July. It is not just software that is affected. Microsoft is also stopping support for Surface Pro, Surface Pro 2, Surface RT, Surface 2, Microsoft Band and Zune. Some forums will be locked, preventing users from helping each other as well.
Microsoft

How Microsoft's Windows Red Team Keeps PCs Safe (wired.com)

Wired has a story on Windows' red team, which consists of a group of hackers (one of whom jailbroke Nintendo handhelds in a former life, another has more than one zero-day exploit to his name, and a third signed on just prior to the devastating Shadow Brokers leak), who are tasked with finding holes in the world's most used desktop operating system. From the story: The Windows red team didn't exist four years ago. That's around the time that David Weston, who currently leads the crew as principal security group manager for Windows, made his pitch for Microsoft to rethink how it handled the security of its marquee product. "Most of our hardening of the Windows operating system in previous generations was: Wait for a big attack to happen, or wait for someone to tell us about a new technique, and then spend some time trying to fix that," Weston says. "Obviously that's not ideal when the stakes are very high."

[...] Together, the red teamers spend their days attacking Windows. Every year, they develop a zero-day exploit to test their defensive blue-team counterparts. And when emergencies like Spectre or EternalBlue happen, they're among the first to get the call. Again, red teams aren't novel; companies that can afford them -- and that are aware they could be targeted -- tend to use them. If anything, it may come as a surprise that Microsoft hadn't sicced one on Windows until so recently. Microsoft as a company already had several other red teams in place by the time Weston built one for Windows, though those focused more on operational issues like unpatched machines. "Windows is still the central repository of malware and exploits. Practically, there's so much business done around the world on Windows. The attacker mentality is to get the biggest return on investment in what you develop in terms of code and exploits," says Aaron Lint, who regularly works with red teams in his role as chief scientist at application protection provider Arxan. "Windows is the obvious target."

United Kingdom

Digital IDs Needed To End 'Mob Rule' Online, Says UK's Security Minister (independent.co.uk)

Digital IDs should be brought in to end online anonymity that permits "mob rule" and lawlessness online, the security minister of the United Kingdom has said. From a report: Ben Wallace said authentication used by banks could also be employed by internet firms to crack down on bullying and grooming, as he warned that people had to make a choice between "the wild west or a civilised society" online. He also took aim at the "phoniness" of Silicon Valley billionaires, and called for companies such as WhatsApp to contribute to society over the negative costs of their technology, such as end-to-end encryption. It comes after Theresa May took another step against tech giants, saying they would be ordered to clamp down on vile attacks against women on their platforms. The prime minister will target firms such as Facebook and Twitter as she makes the pitch at the G7 summit this weekend, where she will urge social media firms to treat violent misogyny with the same urgency as they do terror threats. Mr Wallace told The Times: "A lot of the bullying on social media and the grooming is because those people know you cannot identify them. It is mob rule on the internet. You shouldn't be able to hide behind anonymity."
Security

Hackers Crashed a Bank's Computers While Attempting a SWIFT Hack (bleepingcomputer.com)

An anonymous reader writes: Hackers have used disk-wiping malware to sabotage hundreds of computers at a bank in Chile to distract staff while they were attempting to steal money via the bank's SWIFT money transfer system. The attempted hack took place at the end of May, when the hackers wiped the HDD MBR of over 9,000 computers and over 500 servers. Fortunately, the hackers failed to steal the money (an estimated $11 million) from the bank. This is the same hacker group that failed last month when it tried to steal over $110 million from a Mexican bank. Further reading: Ripple and SWIFT slug it out over cross-border payments.
Android

BlackBerry Key2 is the 'Most Secure Android Smartphone', Company Claims (betanews.com)

The Key2 smartphone, which BlackBerry unveiled earlier this week, is the "most secure Android smartphone," the Canadian company claims. Brian Fagioli, writing for BetaNews: While BlackBerry no longer makes smartphones, it does license its name to a company called TCL which makes Android devices that carry the branding -- and sometimes, a physical keyboard. It isn't just slapping the BlackBerry name on a random low-quality Android phone, however. Actually, these TCL devices have been fairly well received thanks to an adherence to traditional BlackBerry designs. Today, TCL unveils its latest such smartphone, called "KEY2," and it looks quite nice. In fact, the company says it is "the most secure Android smartphone."
Businesses

The World Isn't Prepared for Retirement (bloomberg.com)

An anonymous reader writes: Most online quizzes are relatively mindless, promising to reveal which vegetable, sandwich or rock band best represents your personality. That was not the case for a short online test given to 16,000 people in 15 countries this year. It revealed just how unprepared a good chunk of the world is for retirement. The three-question test, given as part of the Aegon Retirement Readiness Survey 2018, measured how well people understand basic financial concepts. Many of the participants failed the quiz, with big potential consequences for their future security.

Beyond the sobering lack of financial literacy, there were some rather curious data in Aegon's annual survey, published on Tuesday. For example, some 20 percent of workers surveyed in China envisioned spending retirement with a robot companion. But before we get to that, take a look at this question -- which only 45 percent of people around the world got right: Q. Do you think the following statement is true or false? "Buying a single company stock usually provides a safer return than a stock mutual fund."

The possible answers? True, false, do not know and refuse to answer. Sixteen percent of people got it wrong. "Do not know" was chosen by 38 percent. In the U.S., 46 percent of workers got it right. Good for you, America -- though Germany beat you handily. (The answer, in case you were wondering, is false.) It was an inflation question that had the highest percentage of wrong answers, however. More than 20 percent of workers didn't grasp how higher inflation hurts their buying power. Given that declining health was the most-cited retirement worry, at 49 percent, and health care is an area (in the U.S., especially) with high cost inflation, well, that makes the subject something older folks should have down cold.

Security

WiFi Phishing Attacks Discovered Around Atlanta City Hall (helpnetsecurity.com)

As Atlanta continues to fully recover from March's ransomware attack, new evidence discovered today by Coronet reveals hundreds of active Wi-Fi phishing attacks currently ongoing both inside of and in close proximity to Atlanta City Hall. From a report: The research also found attacks currently underway in Georgia's State Capitol Building, which is just a few blocks away. In total, Coronet identified 678 active threats within a 5-mile radius of Atlanta's City Hall. Specifically, Coronet has validated that an undetermined number of attackers are currently deploying advanced phishing techniques, including but not limited to Evil Twins, Captive Portals and ARP poisoning, in what is likely their attempt to gain unauthorized access to user credentials to cloud services that the government relies on for daily business operations and continuity.
United States

China Hacked a Navy Contractor and Secured a Trove of Highly Sensitive Data on Submarine Warfare (washingtonpost.com)

Ellen Nakashima and Paul Sonne, reporting for The Washington Post: Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to undersea warfare -- including secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020, according to American officials. The breaches occurred in January and February, the officials said, speaking on the condition of anonymity to discuss an ongoing investigation. The hackers targeted a contractor who works for the Naval Undersea Warfare Center, a military organization headquartered in Newport, R.I., that conducts research and development for submarines and underwater weaponry. The officials did not identify the contractor. Taken were 614 gigabytes of material relating to a closely held project known as Sea Dragon, as well as signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit's electronic warfare library. The Washington Post agreed to withhold certain details about the compromised missile project at the request of the Navy, which argued that their release could harm national security.
Security

Cisco Removes Backdoor Account, Fourth Incident in the Last Four Months (bleepingcomputer.com)

For the fourth time this year, Cisco has removed hardcoded credentials that were left inside one of its products, which an attacker could have exploited to gain access to devices and inherently to customer networks. From a report: This time around, the hardcoded password was found in Cisco's Wide Area Application Services (WAAS), which is a software package that runs on Cisco hardware that can optimize WAN traffic management. This backdoor mechanism (CVE-2018-0329) was in the form of a hardcoded, read-only SNMP community string in the configuration file of the SNMP daemon. SNMP stands for Simple Network Management Protocol, an Internet protocol for collecting data about and from remote devices. The community string was there so SNMP servers knowing the string's value could connect to the remote Cisco device and gather statistics and system information about it.
Security

Severe Firmware Vulnerabilities Found In Popular Supermicro Server Products (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: Security researchers have uncovered vulnerabilities affecting the firmware of the very popular Supermicro enterprise-line server products. These vulnerabilities affect both older and newer models of Supermicro products, but the vendor is working on addressing the issues. These vulnerabilities do not put the safety of Supermicro products at direct risk, as they can only be exploited via malicious software/code (aka malware) already running on a system. Nevertheless, exploiting these vulnerabilities allows the malware to obtain an almost permanent foothold on infected systems by gaining the ability to survive server OS reinstalls by hiding in the hardware's firmware. Technical details are available in an Eclypsium blog post, while a list of affected servers is available here.
Privacy

Ticketfly Says 27 Million Accounts Compromised During 'Malicious' Attack (billboard.com)

Earlier this month, we reported on a "cyber incident" that compromised the systems of Ticketfly, a large ticket distribution service. We have now learned that roughly 27 million user accounts were compromised during the attack. The information includes names, addresses, email addresses and phone numbers; thankfully, no credit/debit card info or passwords were stolen. Billboard reports: Ticketfly's website is fully back online a week after being targeted by what it describes as a "malicious cyber attack," though its mobile app for iOS remains offline "as we continue to prioritize bringing up the most critical parts of the platform first." Following the hack, the company rolled out a network of temporary venue and promoter websites so that events, including Riot Fest and Celebrate Brooklyn, could continue selling tickets. The "vast majority" of the temporary sites are now live, the firm said. All passwords for both ticket buyers and venue/promoter clients were reset following the hack, though they found no evidence that they were accessed. "It is possible, however, that hashed values of password credentials could have been accessed," the site warned. "Hashing is a way of scrambling a piece of data, making it generally incomprehensible."