Hackers Are So Fed Up With Twitter Bots They're Hunting Them Down Themselves ( 16

An anonymous reader writes: Even if Twitter hasn't invested much in anti-bot software, some of its most technically proficient users have. They're writing and refining code that can use Twitter's public application programming interface, or API, as well as Google and other online interfaces, to ferret out fake accounts and bad actors. The effort, at least among the researchers I spoke with, has begun with hunting bots designed to promote pornographic material -- a type of fake account that is particularly easy to spot -- but the plan is to eventually broaden the hunt to other types of bots. The bot-hunting programming and research has been a strictly volunteer, part-time endeavor, but the efforts have collectively identified tens of thousands of fake accounts, underlining just how much low-hanging fruit remains for Twitter to prune.

Among the part-time bot-hunters is French security researcher and freelance Android developer Baptiste Robert, who in February of this year noticed that Twitter accounts with profile photos of scantily clad women were liking his tweets or following him on Twitter. Aside from the sexually suggestive images, the bots had similarities. Not only did these Twitter accounts typically include profile photos of adult actresses, but they also had similar bios, followed similar accounts, liked more tweets than they retweeted, had fewer than 1,000 followers, and directed readers to click the link in their bios.


When China Hoards Its Hackers Everyone Loses ( 78

An anonymous reader shares a report: For over a decade Pwn2Own -- happening this week -- has brought together security talent from across the globe in a friendly hacking competition that is a cornerstone of research and advancement on par with Black Hat and Def Con. China's hackers routinely win, sweeping the board -- notably, the Tencent and Keen teams. Pwn2Own is good-natured, and all in the name of researchers finding big bugs, nabbing great bounties and drawing attention to security holes and zero-days that need to be fixed. But this year, according to Pwn2Own manager Brian Gorenc, China is no longer allowing its researchers to compete. Prior to the start of Pwn2Own this week, Gorenc told press "There have been regulatory changes in some countries that no longer allow participation in global exploit contests, such as Pwn2Own and Capture the Flag competitions."

One thing's for certain: yearly champions Tencent's Keen Labs and Qihoo 360's 360Vulcan team are nowhere to be found and Trend Micro, the conference organizer, has confirmed to Engadget that there are no Chinese competitors in this year's competition. [...] It's a worrying development in the direction of isolationism and away from the benefits of competition in the spirit of improving security for all. It comes at a time when relations between the US and China strain under the weight of Huawei security concerns, which are not at all new, but are certainly coming to a head as American companies sever business ties with the firm.


Firefox Master Password System Has Been Poorly Secured for the Past 9 Years, Researcher Says ( 64

Catalin Cimpanu, writing for BleepingComputer: For at past nine years, Mozilla has been using an insufficiently strong encryption mechanism for the "master password" feature. Both Firefox and Thunderbird allow users to set up a "master password" through their settings panel. This master password plays the role of an encryption key that is used to encrypt each password string the user saves in his browser or email client. Experts have lauded the feature because up until that point browsers would store passwords locally in cleartext, leaving them vulnerable to malware or attackers with physical access to a victim's computer. But Wladimir Palant, the author of the AdBlock Plus extension, says the encryption scheme used by the master password feature is weak and can be easily brute-forced. "I looked into the source code," Palant says, "I eventually found the sftkdb_passwordToKey() function that converts a [website] password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password."

Are Google and Facebook Surveilling Their Own Employees? ( 103

The Guardian just ran an article titled " 'They'll squash you like a bug': how Silicon Valley keeps a lid on leakers," which begins with the story of an employee confronted by Facebook's secretive "rat-catching" team: They had records of a screenshot he'd taken, links he had clicked or hovered over, and they strongly indicated they had accessed chats between him and the journalist, dating back to before he joined the company. "It's horrifying how much they know," he told the Guardian, on the condition of anonymity... "You get on their bad side and all of a sudden you are face to face with Mark Zuckerberg's secret police"... One European Facebook content moderator signed a contract, seen by the Guardian, which granted the company the right to monitor and record his social media activities, including his personal Facebook account, as well as emails, phone calls and internet use. He also agreed to random personal searches of his belongings including bags, briefcases and car while on company premises. Refusal to allow such searches would be treated as gross misconduct...

Some employees switch their phones off or hide them out of fear that their location is being tracked. One current Facebook employee who recently spoke to Wired asked the reporter to turn off his phone so the company would have a harder time tracking if it had been near the phones of anyone from Facebook. Two security researchers confirmed that this would be technically simple for Facebook to do if both people had the Facebook app on their phone and location services switched on. Even if location services aren't switched on, Facebook can infer someone's location from wifi access points.

The article cites a 2012 report that Microsoft read a French blogger's Hotmail account to identify a former employee who had leaked trade secrets. And it also reports that tech companies hire external agencies to surveil their employees. "One such firm, Pinkerton, counts Google and Facebook among its clients." Though Facebook and Google both deny this, "Among other services, Pinkerton offers to send investigators to coffee shops or restaurants near a company's campus to eavesdrop on employees' conversations...

Al Gidari, consulting director of privacy at the Stanford Center for Internet and Society, says that these tools "are common, widespread, intrusive and legal."

1 in 3 Michigan Workers Tested Opened A Password-Phishing Email ( 111

An anonymous reader quotes the AP: Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password. The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer network, including that not all workers are required to participate in cybersecurity awareness training... Auditors made 14 findings, including five that are "material" -- the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network. "Unauthorized devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.

Apple's Newest iPhone X Ad Captures an Embarrassing iOS 11 Bug ( 79

Tom Warren, writing for The Verge: If you blink during Apple's latest iPhone ad, you might miss a weird little animation bug. It's right at the end of a slickly produced commercial, where the text from an iMessage escapes the animated bubble it's supposed to stay inside. It's a minor issue and easy to brush off, but the fact it's captured in such a high profile ad just further highlights Apple's many bugs in iOS 11. 9to5Mac writer Benjamin Mayo spotted the bug in Apple's latest ad, and he's clearly surprised "that this was signed off for the commercial," especially as he highlighted it months ago and has filed a bug report with Apple.

Hacker Adrian Lamo Dies At 37 ( 133

Adrian Lamo, a well-known hacker known for his involvement in passing information on whistleblower Chelsea Manning and hacking into systems at The New York Times, Microsoft, and Yahoo in the early-2000s, has died at 37. ZDNet reports: His father, Mario, posted a brief tribute to his son in a Facebook group on Friday. "With great sadness and a broken heart I have to let know all of Adrian's friends and acquittances that he is dead. A bright mind and compassionate soul is gone, he was my beloved son," he wrote. The coroner for Sedgwick County, where Lamo lived, confirmed his death, but provided no further details. Circumstances surrounding Lamo's death are not immediately known. A neighbor who found his body said he had been dead for some time.

Yet Again, Google Tricked Into Serving Scam Amazon Ads ( 49

Zack Whittaker, reporting for ZDNet: For hours on Thursday, the top Google search result for "Amazon" was pointed to a scam site. The bad ad appeared at the very top of the search result for anyone searching for the internet retail giant -- even above the legitimate search result for Anyone who clicked on the ad was sent to a page that tried to trick the user into calling a number for fear that their computer was infected with malware -- and not sent to as they would have hoped.

The page presents itself as an official Apple or Windows support page, depending on the type of computer you're visiting the page from. An analysis of the webpage's code showed that anyone trying to dismiss the popup box on the page would likely trigger the browser expanding to full-screen, giving the appearance of ransomware. A one-off event would be forgivable. But this isn't the first time this has happened. It's at least the second time in two years that Google has served up a malicious ad under Amazon's name.


Android Is Now as Safe as the Competition, Google Says ( 113

In an interview with CNET, David Kleidermacher, Google's head of security for Android, Google Play and Chrome OS, said Android is now as safe as the competition. From the interview: That's a big claim, considering that Android's main competitor is Apple's iPhone. This bold idea permeates the annual Android Security Report that Google released Thursday. "Android security made a significant leap forward in 2017 and many of our protections now lead the industry," the report says on page one. Echoing the report, Kleidermacher told CNET that Android flaws have become harder for researchers to find and that the software now protects users from malicious software so well the problems that used to leave users exposed to bad actors aren't such a big problem anymore.

Microsoft Launches Bounty Program For Speculative Execution Side Channel Vulnerabilities ( 21

An anonymous reader shares a report: Microsoft has launched a bug bounty program that will reward anyone who finds the next Meltdown or Spectre vulnerability. Known as speculative execution side channel vulnerabilities, Microsoft is willing to reward anyone who reports bugs that could cause problems like earlier in the year. The rewards on offer range from $5,000 up to $250,000 depending on the severity of the vulnerability, and the bounty program runs until the end of 2018. Microsoft says that it will operate under the principles of coordinated vulnerability disclosure.

The 600+ Companies PayPal Shares Your Data With ( 48

AmiMoJo shares a report from Schneier on Security: One of the effects of GDPR -- the new EU General Data Protection Regulation -- is that we're all going to be learning a lot more about who collects our data and what they do with it. Consider PayPal, that just released a list of over 600 companies they share customer data with. Here's a good visualization of that data. Is 600 companies unusual? Is it more than average? Less? We'll soon know.

Planting GMOs Kills So Many Bugs That It Helps Non-GMO Crops ( 281

An anonymous reader quotes a report from Ars Technica: One of the great purported boons of GMOs is that they allow farmers to use fewer pesticides, some of which are known to be harmful to humans or other species. Bt corn, cotton, and soybeans have been engineered to express insect-killing proteins from the bacterium Bacillus thuringiensis, and they have indeed been successful at controlling the crops' respective pests. They even protect the non-Bt versions of the same crop that must be planted in adjacent fields to help limit the evolution of Bt resistance. But new work shows that Bt corn also controls pests in other types of crops planted nearby, specifically vegetables. In doing so, it cuts down on the use of pesticides on these crops, as well.

Entomologists and ecologists compared crop damage and insecticide use in four agricultural mid-Atlantic states: New Jersey, Delaware, Maryland, and Virginia. Their data came from the years before Bt corn was widespread (1976-1996) and continued after it was adopted (1996-2016). They also looked at the levels of the pests themselves: two different species of moths, commonly known as the European corn borer and corn earworm. They were named as scourges of corn, but their larvae eat a number of different crops, including peppers and green beans. After Bt corn was planted in 1996, the number of moths captured for analysis every night in vegetable fields dropped by 75 percent. The drop was a function of the percentage of Bt corn planted in the area and occurred even though moth populations usually go up with temperature. So the Bt corn more than counteracted the effect of the rising temperatures we've experienced over the quarter century covered by the study.


Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report ( 115

Earlier this week, CTS Labs, a Tel Aviv-based cybersecurity startup claimed it has discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Linus Torvalds, Linux's creator doesn't buy it. ZDNet reports: Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah." Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?" CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway. Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me."

These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.

United States

US Says Russia Hacked Energy Grid, Punishes 19 for Meddling ( 220

Associated Press: Pushing back harder on Russia, the Trump administration accused Moscow on Thursday of a concerted hacking operation targeting the U.S. energy grid, aviation systems and other infrastructure, and also imposed sanctions on Russians for alleged interference in the 2016 election. It was the strongest action to date against Russia by the administration, which has long been accused of being too soft on the Kremlin, and the first punishments for election meddling since President Donald Trump took office. The sanctions list included the 13 Russians indicted last month by special counsel Robert Mueller, whose Russia investigation the president has repeatedly sought to discredit. U.S. national security officials said the FBI, Department of Homeland Security and intelligence agencies had determined that Russian intelligence and others were behind a broad range of cyberattacks beginning a year ago that have infiltrated the energy, nuclear, commercial, water, aviation and manufacturing sectors. Further reading: Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors (US-Cert); U.S. blames Russia for cyber attacks on energy grid, other sectors (Reuters); U.S. says Russian hackers targeted American energy grid (Politico); Trump administration finally announces Russia sanctions over election meddling (CNN); U.S. sanctions on Russia cite 2016 election interference -- but remain largely symbolic (USA Today); U.S. Sanctions Russians Charged by Mueller for Election Meddling (Bloomberg); and Trump Administration Sanctions Russians for Election Meddling and Cyberattacks (The New York Times).

Encrypted Email Service ProtonMail is Being Blocked in Turkey ( 35

ProtonMail: We have confirmed that Internet service providers in Turkey have been blocking ProtonMail this week. Our support team first became aware of connectivity problems for Turkish ProtonMail users starting on Tuesday. After further investigation, we determined that was unreachable for both Vodafone Turkey mobile and fixed line users. Since then, we have also received some sporadic reports from users of other Turkish ISPs. At one point, the issue was prevalent in every single major city in Turkey. After investigating the issue along with members of the ProtonMail community in Turkey, we have confirmed this is a government-ordered block rather than a technical glitch. Internet censorship in Turkey tends to be fluid so the situation is constantly evolving. Sometimes ProtonMail is accessible, and sometimes it is unreachable. For the first time ever though, we have confirmed that ProtonMail was subject to a block, and could face further issues in the future. In the post, ProtonMail has also outlined ways to bypass the block.

Slashdot Top Deals