DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×
Security

WikiLeaks' New Dump Shows How The CIA Allegedly Hacked Macs and iPhones Almost a Decade Ago (vice.com) 10

WikiLeaks said on Thursday morning it will release new documents it claims are from the Central Intelligence Agency which show the CIA had the capability to bug iPhones and Macs even if their operating systems have been deleted and replaced. From a report on Motherboard: "These documents explain the techniques used by CIA to gain 'persistenc'' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware," WikiLeaks stated in a press release. EFI and UEFI is the core firmware for Macs, the Mac equivalent to the Bios for PCs. By targeting the UEFI, hackers can compromise Macs and the infection persists even after the operating system is re-installed. The documents are mostly from last decade, except a couple that are dated 2012 and 2013. While the documents are somewhat dated at this point, they show how the CIA was perhaps ahead of the curve in finding new ways to hacking and compromising Macs, according to Pedro Vilaca, a security researcher who's been studying Apple computers for years. Judging from the documents, Vilaca told Motherboard in an online chat, it "looks like CIA were very early adopters of attacks on EFI."
Bug

LastPass Bugs Allow Malicious Websites To Steal Passwords (bleepingcomputer.com) 102

Earlier this month, a Slashdot reader asked fellow Slashdotters what they recommended regarding the use of password managers. In their post, they voiced their uncertainty with password managers as they have been hacked in the past, citing an incident in early 2016 where LastPass was hacked due to a bug that allowed users to extract passwords stored in the autofill feature. Flash forward to present time and we now have news that three separate bugs "would have allowed a third-party to extract passwords from users visiting a malicious website." An anonymous Slashdot reader writes via BleepingComputer: LastPass patched three bugs that affected the Chrome and Firefox browser extensions, which if exploited, would have allowed a third-party to extract passwords from users visiting a malicious website. All bugs were reported by Google security researcher Tavis Ormandy, and all allowed the theft of user credentials, one bug affecting the LastPass Chrome extension, while two impacted the LastPass Firefox extension [1, 2]. The exploitation vector was malicious JavaScript code that could be very well hidden in any online website, owned by the attacker or via a compromised legitimate site.
DRM

W3C Erects DRM As Web Standard (theregister.co.uk) 180

The World Wide Web Consortium (W3C) has formally put forward highly controversial digital rights management as a new web standard. "Dubbed Encrypted Media Extensions (EME), this anti-piracy mechanism was crafted by engineers from Google, Microsoft, and Netflix, and has been in development for some time," reports The Register. "The DRM is supposed to thwart copyright infringement by stopping people from ripping video and other content from encrypted high-quality streams." From the report: The latest draft was published last week and formally put forward as a proposed standard soon after. Under W3C rules, a decision over whether to officially adopt EME will depend on a poll of its members. That survey was sent out yesterday and member organizations, who pay an annual fee that varies from $2,250 for the smallest non-profits to $77,000 for larger corporations, will have until April 19 to register their opinions. If EME gets the consortium's rubber stamp of approval, it will lock down the standard for web browsers and video streamers to implement and roll out. The proposed standard is expected to succeed, especially after web founder and W3C director Sir Tim Berners-Lee personally endorsed the measure, arguing that the standard simply reflects modern realities and would allow for greater interoperability and improve online privacy. But EME still faces considerable opposition. One of its most persistent vocal opponents, Cory Doctorow of the Electronic Frontier Foundation, argues that EME "would give corporations the new right to sue people who engaged in legal activity." He is referring to the most recent controversy where the W3C has tried to strike a balance between legitimate security researchers investigating vulnerabilities in digital rights management software, and hackers trying to circumvent content protection. The W3C notes that the EME specification includes sections on security and privacy, but concedes "the lack of consensus to protect security researchers remains an issue." Its proposed solution remains "establishing best practices for responsible vulnerability disclosure." It also notes that issues of accessibility were ruled to be outside the scope of the EME, although there is an entire webpage dedicated to those issues and finding solutions to them.
Microsoft

Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable (tomshardware.com) 140

At the Pwn2Own 2017 hacking event, Microsoft's Edge browser proved itself to be the least secure browser at the event, after it was hacked no less than five times. Google's Chrome browser, on the other hand, remained unhackable during the contest. Tom's Hardware reports: On the first day, Team Ether (Tencent Security) was the first to hack Edge through an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well. The team got an $80,000 prize for this exploit. On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor. Two other teams withdrew their entries against Edge. However, Team Lance (Tencent Security) successfully exploited Microsoft's browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well. The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from "360 Security." The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000. The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000. At last year's Pwn2Own 2016, Edge proved to be more secure than Internet Explorer and Safari, but it still ended up getting hacked twice. Chrome was only partially hacked once, notes Tom's Hardware.
Google

Burglars Can Easily Make Google Nest Security Cameras Stop Recording (helpnetsecurity.com) 69

Orome1 quotes a report from Help Net Security: Google Nest's Dropcam, Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor security cameras can be easily disabled by an attacker that's in their Bluetooth range. The vulnerabilities are present in the latest firmware version running on the devices (v5.2.1). They were discovered by researcher Jason Doyle last fall, and their existence responsibly disclosed to Google, but have still not been patched. The first two flaws can be triggered and lead to a buffer overflow condition if the attacker sends to the camera a too-long Wi-Fi SSID parameter or a long encrypted password parameter, respectively. Triggering one of these flaws will make the devices crash and reboot. The third flaw is a bit more serious, as it allows the attacker to force the camera to temporarily disconnect from the wireless network to which it is connected by supplying it a new SSID to connect to. If that particular SSID does not exist, the camera drops its attempt to associate with it and return to the original Wi-Fi network, but the whole process can last from 60 to 90 seconds, during which the camera won't be recording. Nest has apparently already prepared a patch but hasn't pushed it out yet. (It should be rolling out "in the coming days.")
Twitter

Twitter Suspended Hundreds of Thousands of Accounts Amid 'Violent Extremism' (fortune.com) 198

Twitter said on Tuesday it had suspended more than half a million accounts since the middle of 2015 as the company steps up efforts to tackle "violent extremism" on its microblogging platform. From a report: The company shut down a total of 376,890 accounts in the last six months of 2016, Twitter said in its latest transparency report.
Security

New Technology Combines Lip Motion and Passwords For User Authentication (bleepingcomputer.com) 54

An anonymous reader writes: "Scientists from the Hong Kong Baptist University (HKBU) have developed a new user authentication system that relies on reading lip motions while the user speaks a password out loud," reports BleepingComputer. Called "lip password" the system combines the best parts of classic password-based systems with the good parts of biometrics. The system relies on the uniqueness of someone's lips, such as shape, texture, and lip motions, but also allows someone to change the lip motion (password), in case the system ever gets compromised. Other biometric solutions, such as fingerprints, iris scans, and facial features, become eternally useless once compromised.
IBM

IBM Unveils Blockchain As a Service Based On Open Source Hyperledger Fabric Technology (techcrunch.com) 42

IBM has unveiled its "Blockchain as a Service," which is based on the open source Hyperledger Fabric, version 1.0 from The Linux Foundation. "IBM Blockchain is a public cloud service that customers can use to build secure blockchain networks," TechCrunch reports, noting that it's "the first ready-for-primetime implementation built using that technology." From the report: Although the blockchain piece is based on the open source Hyperledger Fabric project of which IBM is a participating member, it has added a set of security services to make it more palatable for enterprise customers, while offering it as a cloud service helps simplify a complex set of technologies, making it more accessible than trying to do this alone in a private datacenter. The Hyperledger Fabric project was born around the end of 2015 to facilitate this, and includes other industry heavyweights such as State Street Bank, Accenture, Fujitsu, Intel and others as members. While the work these companies have done to safeguard blockchain networks, including setting up a network, inviting members and offering encrypted credentials, was done under the guise of building extra safe networks, IBM believes it can make them even safer by offering an additional set of security services inside the IBM cloud. While Jerry Cuomo, VP of blockchain technology at IBM, acknowledges that he can't guarantee that IBM's blockchain service is unbreachable, he says the company has taken some serious safeguards to protect it. This includes isolating the ledger from the general cloud computing environment, building a security container for the ledger to prevent unauthorized access, and offering tamper-responsive hardware, which can actually shut itself down if it detects someone trying to hack a ledger. What's more, IBM claims their blockchain product is built in a highly auditable way to track all of the activity that happens within a network, giving administrators an audit trail in the event something did go awry.
Bitcoin

Ask Slashdot: How Does One Freely Use Bitcoin In the Land of the Free? 268

New submitter devrtm writes: It appears that Bitcoin, a currency designed with anonymity in mind, can be effectively used almost anywhere in the world, except in a few countries where it is regulated, and in one country where you can only use it if you give up your privacy. That country is the United States. I have accumulated quite a few BTC from the currency's early days where block rewards were still at $50. There was a period of time where one could get a nearly anonymous debit card, or use BTC online with merchants. Nowadays, non-U.S. payment providers no longer issue debit cards to the U.S. residents and the U.S.-based merchants accepting BTC are nearly extinct. The only way to use BTC in the U.S. is to convert it to USD. Unfortunately, that conversion requires giving up your personal information to a U.S.-based BTC payment processor, and there are rumors that signing up for those services raises red flags with certain three letter acronym organizations. I have nothing to hide, but I do value my privacy. Can one freely and anonymously live off of their Bitcoin wallet in the U.S.? I am afraid the answer is no. Does anyone have an experience that proves me wrong? Please share.
Security

Royal Jordanian Airlines Bans Use of Electronics After US Voices Security 'Concerns' (theverge.com) 107

An anonymous reader quotes a report from The Verge: Royal Jordanian airlines banned the use of electronics on flights servicing the U.S. after government officials here expressed concerns. Details are scant, but CNN is reporting that other carriers based on the Middle East and Africa may be affected as well. The news broke when Royal Jordanian, a state-owned airline that operates around 500 flights a week, posted this cryptic notice on its Twitter feed. The ban, which includes laptops, tablets, and video games, but does not include smartphones or medical devices, is effective for Royal Jordanian flights servicing New York, Chicago, Detroit, and Montreal. A spokesperson for Royal Jordanian was not immediately available for clarification. Meanwhile, CNN is reporting that Royal Jordanian may not be the only carrier affected by these new security provisions. Jon Ostrower, the network's aviation editor, just tweeted that as many as 12 airlines based in the Middle East and Africa could be impacted. A Saudi executive also tweeted that "directives by U.S. authorities" could affect passengers traveling from 13 countries, with the new measure set to go into effect over the next 96 hours.
Communications

Hundreds of Cisco Switches Vulnerable To Flaw Found in WikiLeaks Files (zdnet.com) 76

Zack Whittaker, writing for ZDNet: Cisco is warning that the software used in hundreds of its products are vulnerable to a "critical"-rated security flaw, which can be easily and remotely exploited with a simple command. The vulnerability can allow an attacker to remotely gain access and take over an affected device. More than 300 switches are affected by the vulnerability, Cisco said in an advisory. According to the advisory, the bug is found in the cluster management protocol code in Cisco's IOS and IOS XE software, which the company installs on the routers and switches it sells. An attacker can exploit the vulnerability by sending a malformed protocol-specific Telnet command while establishing a connection to the affected device, because of a flaw in how the protocol fails to properly process some commands. Cisco said that there are "no workarounds" to address the vulnerability, but it said that disabling Telnet would "eliminate" some risks.
Encryption

Ask Slashdot: How Would You Implement Site-Wide File Encryption? 151

Recently-leaked CIA documents prove that encryption works, according to the Associated Press. But how should sys-admins implement site-wide file encryption? Very-long-time Slashdot reader Pig Hogger writes: If you decide to implement server-level encryption across all your servers, how do you manage the necessary keys/passwords/passphrases to insure that you have both maximum uptime (you can access your data if you need to reboot your servers), yet that the keys cannot be compromised... What are established practices to address this issue?
Keep in mind that you can't change your password once the server's been seized, bringing up the issue of how many people know that password. Or is there a better solution? Share you suggestions and experiences in the comments. How would you implement site-wide file encryption?
Google

Google Glass Enters The Manufacturing Sector (npr.org) 61

NPR recently profiled one of the 100 factory workers now using Google Glass at the agricultural equipment manufacturer AGCO. An anonymous reader quotes their report: Google Glass tells her what to do should she forget, for example, which part goes where. "I don't have to leave my area to go look at the computer every time I need to look up something," she says. With Google Glass, she scans the serial number on the part she's working on. This brings up manuals, photos or videos she may need. She can tap the side of headset or say "OK Glass" and use voice commands to leave notes for the next shift worker...

Peggy Gullick, business process improvement director with AGCO, says the addition of Google Glass has been "a total game changer." Quality checks are now 20 percent faster, she says, and it's also helpful for on-the-job training of new employees... Tiffany Tsai, who writes about technology, says it's one of a growing number of companies -- including General Electric and Boeing -- testing it out... Companies working in the health care, entertainment and energy industries are listed as some of the Google Glass certified partners.

AGCO plans to have 200 workers using Google Glass by the end of this year.
AI

Researchers Build An AI That's Better At Reading Lips Than Humans (bbc.com) 62

An anonymous reader quotes the BBC: Scientists at Oxford say they've invented an artificial intelligence system that can lip-read better than humans. The system, which has been trained on thousands of hours of BBC News programs, has been developed in collaboration with Google's DeepMind AI division. "Watch, Attend and Spell", as the system has been called, can now watch silent speech and get about 50% of the words correct. That may not sound too impressive - but when the researchers supplied the same clips to professional lip-readers, they got only 12% of words right...
The system now recognizes 17,500 words, and one of the researchers says, "As it keeps watching TV, it will learn."
Security

Windows 10 UAC Bypass Uses Backup and Restore Utility (bleepingcomputer.com) 58

An anonymous reader writes: "A new User Access Control (UAC) bypass technique relies on altering Windows registry app paths and using the Backup and Restore utility to load malicious code without any security warning," reports BleepingComputer. The technique works when an attacker launches the Backup and Restore utility, which loads its control panel settings page. Because the utility doesn't known where this settings page is located, it queries the Windows Registry. The problem is that low-privileged users can modify Windows Registry values and point to malware. Because the Backup and Restore utility is a trusted application, UAC prompts are suppressed. This technique only works in Windows 10 (not earlier OS versions) and was tested with Windows 10 build 15031. A proof-of-concept script is available on GitHub. The same researcher had previously found two other UAC bypass techniques, one that abuses the Windows Event Viewer, and one that relies on the Windows 10 Disk Cleanup utility
Crime

Judge Grants Search Warrant For Everyone Who Searched a Crime Victim's Name On Google (startribune.com) 101

Hennepin County District Judge Gary Larson has issued a search warrant to Edina, Minnesota police to collect information on people who searched for variations of a crime victim's name on Google from Dec. 1 through Jan. 7. Google would be required to provide Edina police with basic contact information for people targeted by the warrant, as well as Social Security numbers, account and payment information, and IP and MAC addresses. StarTribune reports: Information on the warrant first emerged through a blog post by public records researcher Tony Webster. Edina police declined to comment Thursday on the warrant, saying it is part of an ongoing investigation. Detective David Lindman outlined the case in his application for the search warrant: In early January, two account holders with SPIRE Credit Union reported to police that $28,500 had been stolen from a line of credit associated with one of their accounts, according to court documents. Edina investigators learned that the suspect or suspects provided the credit union with the account holder's name, date of birth and Social Security number. In addition, the suspect faxed a forged U.S. passport with a photo of someone who looked like the account holder but wasn't. Investigators ran an image search of the account holder's name on Google and found the photo used on the forged passport. Other search engines did not turn up the photo. According to the warrant application, Lindman said he had reason to believe the suspect used Google to find a picture of the person they believed to be the account holder. Larson signed off on the search warrant on Feb. 1. According to court documents, Lindman served it about 20 minutes later.
Google

Google's Allo App Can Reveal To Your Friends What You've Searched (recode.net) 61

Google's new messaging app Allo can reveal your search history and other personal information when you include the Google Assistant bot in chats, according to a report. From the article: My friend directed Assistant to identify itself. Instead of offering a name or a pithy retort, it responded with a link from Harry Potter fan website Pottermore. The link led to an extract from "Harry Potter and the Order of the Phoenix," the fifth book in J.K. Rowling's Harry Potter series. But the response was not merely a nonsequitur. It was a result related to previous searches my friend said he had done a few days earlier. [...] When I asked "What is my job?" in my conversation with my friend, Assistant responded by sharing a Google Maps image showing the address at which I used to work -- the address of a co-working space, not the publicly listed address of my previous employer. Google had the address on file because I had included it in my personal Google Maps settings. It did not ask my permission to share that.
Google

Judge Rejects Google Deal Over Email Scanning (fortune.com) 48

A federal judge in San Francisco slammed a legal settlement that proposed to pay $2.2 million to lawyers, but nothing to consumers who had the contents of their email scanned by Google without their knowledge or permission. From a report: In a 6-page order, Judge Lucy Koh told Google and class action attorneys the proposed settlement was insufficient, in part because it failed to clearly tell consumers what the search giant had done. "This notice is difficult to understand and does not clearly disclose the fact that Google intercepts, scans and analyzes the content of emails sent by non-Gmail users to Gmail users for the purpose of creating user profiles of the Gmail users to create targeted advertising for the Gmail users," Koh wrote.
Privacy

Buying a Samsung TV Online Could Jeopardize Your Data (cnet.com) 30

An anonymous reader shares a CNET report: If you buy a product from Samsung's online store, your name, address, order information and other data may be accessible to anyone who cares to look. Matt Metzger, a self-described "application security engineer" who said he has worked in shipping-industry compliance, wrote Wednesday on Medium about an accidental discovery. Metzger said he ordered a TV from the Samsung online store and was sent a URL to track his delivery. When he followed the URL, he discovered that his tracking number was the same one used for someone else's previous delivery and that he could see sensitive information, such as the person's name and items ordered, without any security measures getting in the way. Metzger also discovered that more information was attached in a TIFF file to his own order after the delivery was completed. The file included his full name, address and signature.Samsung told CNET it is aware of the issue and is looking into it.
China

NSA, DOE Say China's Supercomputing Advances Put US At Risk (computerworld.com) 129

dcblogs quotes a report from Computerworld: Advanced computing experts at the National Security Agency and the Department of Energy are warning that China is "extremely likely" to take leadership in supercomputing as early as 2020, unless the U.S. acts quickly to increase spending. China's supercomputing advances are not only putting national security at risk, but also U.S. leadership in high-tech manufacturing. If China succeeds, it may "undermine profitable parts of the U.S. economy," according to a report titled U.S. Leadership in High Performance Computing by HPC technical experts at the NSA, the DOE, the National Science Foundation and other agencies. The report stems from a workshop held in September that was attended by 60 people, many scientists, 40 of whom work in government, with the balance representing industry and academia. "Meeting participants, especially those from industry, noted that it can be easy for Americans to draw the wrong conclusions about what HPC investments by China mean -- without considering China's motivations," the report states. "These participants stressed that their personal interactions with Chinese researchers and at supercomputing centers showed a mindset where computing is first and foremost a strategic capability for improving the country; for pulling a billion people out of poverty; for supporting companies that are looking to build better products, or bridges, or rail networks; for transitioning away from a role as a low-cost manufacturer for the world; for enabling the economy to move from 'Made in China' to 'Made by China.'"

Slashdot Top Deals