Security

Flush Times For Hackers in Booming Cyber Security Job Market (reuters.com) 14

The surge in far-flung and destructive cyber attacks is not good for national security, but for an increasing number of hackers and researchers, it is great for job security. From a report: The new reality is on display in Las Vegas this week at the annual Black Hat and Def Con security conferences, which now have a booming side business in recruiting. "Hosting big parties has enabled us to meet more talent in the community, helping fill key positions and also retain great people," said Jen Ellis, a vice president with cybersecurity firm Rapid7 Inc, which filled the hip Hakkasan nightclub on Wednesday at one of the week's most popular parties. Twenty or even 10 years ago, career options for technology tinkerers were mostly limited to security firms, handfuls of jobs inside mainstream companies, and in government agencies. But as tech has taken over the world, the opportunities in the security field have exploded.
Government

Intelligence Chairman Accuses Obama Aids of Hundreds of Unmasking Requests (thehill.com) 180

mi writes: When American spies capture our communications with foreigners, the identities of Americans on the other side of the conversation are generally protected -- if not by bona-fide laws, then certainly by rules and regulations. A transcript of the conversation should have their name replaced with labels like "U.S. person 1". The citizen involved can only be "unmasked" with a good reason. In 2011, Obama relaxed these rules, making it much simpler even for officials without any intelligence role to obtain the identities. Predictably, certain top officials of the Obama Administration abused their access to get this information: "The [House Intelligence] committee has learned that one official, whose position had no apparent intelligence related function, made hundreds of unmasking requests during the final year of the Obama administration," [Intelligence Chairman Devin] Nunes wrote. "Of those requests, only one offered a justification that was not boilerplate."
Power

Researchers Discover Critical Security Flaws Found In Nuke Plant Radiation Monitors (securityweek.com) 39

wiredmikey writes from a report via Security Week: Researchers have discovered multiple unpatched vulnerabilities in radiation monitoring devices that could be leveraged by attackers to reduce personnel safety, delay detection of radiation leaks, or help international smuggling of radioactive material. Ruben Santamarta, a security consultant at Seattle-based IOActive, at the Black Hat conference on Wednesday, saying that radiation monitors supplied by Ludlum, Mirion and Digi contain multiple vulnerabilities. There are many kinds of radiation monitors used in many different environments. IOActive concentrated its research on portal monitors, used at airports and seaports; and area monitors, used at Nuclear Power Plants (NPPs). However, little effort was required for the portal monitors: "the initial analysis revealed a complete lack of security in these devices, so further testing wasn't necessary to identify significant vulnerabilities," Santamarta explained in his report (PDF). In the Ludlum Model 53 personnel portal, IOActive found a backdoor password, which could be used to bypass authentication and take control of the device, preventing the triggering of proper alarms.
Bitcoin

US Indicts Suspected Russian 'Mastermind' of $4 Billion Bitcoin Laundering Scheme (reuters.com) 92

schwit1 shares a report from Reuters: A U.S. jury indicted a Russian man on Wednesday as the operator of a digital currency exchange he allegedly used to launder more than $4 billion for people involved in crimes ranging from computer hacking to drug trafficking. Alexander Vinnik was arrested in a small beachside village in northern Greece on Tuesday, according to local authorities, following an investigation led by the U.S. Justice Department along with several other federal agencies and task forces. U.S. officials described Vinnik in a Justice Department statement as the operator of BTC-e, an exchange used to trade the digital currency bitcoin since 2011. They alleged Vinnik and his firm "received" more than $4 billion in bitcoin and did substantial business in the United States without following appropriate protocols to protect against money laundering and other crimes. U.S. authorities also linked him to the failure of Mt. Gox, a Japan-based bitcoin exchange that collapsed in 2014 after being hacked. Vinnik "obtained" funds from the hack of Mt. Gox and laundered them through BTC-e and Tradehill, another San Francisco-based exchange he owned, they said in the statement.
Bitcoin

SEC Rules That ICO Tokens Are Securities (vice.com) 96

schwit1 shares a report from Business Insider: On Tuesday, the Securities and Exchange Commission (SEC) said that "ICOs" (Initial Coin Offerings) can sometimes be considered securities -- and as such are subject to strict laws and regulations. For the uninitiated, ICOs are a fancy new way of fundraising enabled by digital currencies like Ethereum -- participants invest money and receive digital "tokens" in return. Thus far, it has been largely unregulated, with some ICO crowdfunding events raising hundreds of millions of dollars -- leading some observers to argue that it is a massive bubble. But the SEC's warning means that this free-for-all may not last forever.

"Going forward, according to the SEC, companies that are issuing tokens as part of an ICO (if they are considered securities) need to register with the commission," reports Motherboard. "This will force companies to comply with regulations that ask them to reveal their financial position and the identities of their management. The SEC also concluded that online exchanges where tokens are bought and traded may have to register as security exchanges."

schwit1 adds a quote from Benito Mussolini: "All within the state, nothing outside the state, nothing against the state."

Crime

Feds Crack Trump Protesters' Phones To Charge Them With Felony Rioting (thedailybeast.com) 442

An anonymous reader quotes a report from The Daily Beast: Officials seized Trump protesters' cell phones, cracked their passwords, and are now attempting to use the contents to convict them of conspiracy to riot at the presidential inauguration. Prosecutors have indicted over 200 people on felony riot charges for protests in Washington, D.C. on January 20 that broke windows and damaged vehicles. Some defendants face up to 75 years in prison, despite little evidence against them. But a new court filing reveals that investigators have been able to crack into at least eight defendants' locked cell phones. Now prosecutors want to use the internet history, communications, and pictures they extracted from the phones as evidence against the defendants in court. [A] July 21 court document shows that investigators were successful in opening the locked phones. The July 21 filing moved to enter evidence from eight seized phones, six of which were "encrypted" and two of which were not encrypted. A Department of Justice representative confirmed that "encrypted" meant additional privacy settings beyond a lock screen. For the six encrypted phones, investigators were able to compile "a short data report which identifies the phone number associated with the cell phone and limited other information about the phone itself," the filing says. But investigators appear to have bypassed the lock on the two remaining phones to access the entirety of their contents.
Government

Travelers' Electronics At US Airports To Get Enhanced Screening, TSA Says (arstechnica.com) 149

An anonymous reader quotes a report from Ars Technica: Aviation security officials will begin enhanced screening measures of passengers' electronics at US airports, the Transportation Security Administration announced Wednesday. Travelers must remove electronics larger than a mobile phone from their carry-on bags and "place them in a bin with nothing on top or below, similar to how laptops have been screened for years. This simple step helps TSA officers obtain a clearer X-ray image," the TSA announced amid growing fears that electronic devices can pose as homemade bombs. The TSA was quick to point out that the revised security measures do not apply to passengers enrolled in the TSA Precheck program.

"Whether you're flying to, from, or within the United States, TSA is committed to raising the baseline for aviation security by strengthening the overall security of our commercial aviation network to keep flying as a safe option for everyone," TSA Acting Administrator Huban A. Gowadia said. "It is critical for TSA to constantly enhance and adjust security screening procedures to stay ahead of evolving threats and keep passengers safe. By separating personal electronic items such as laptops, tablets, e-readers and handheld game consoles for screening, TSA officers can more closely focus on resolving alarms and stopping terror threats."

Microsoft

Microsoft Launches Windows Bug Bounty Program With Rewards Ranging From $500 To $250,000 (venturebeat.com) 33

Microsoft on Wednesday announced the Windows Bounty Program. Rewards start at a minimum of $500 and can go up to as high as $250,000. From a report: To be clear, Microsoft already offers many bug bounty programs. This is also not the first to target Windows features -- the company has launched many Windows-specific bounties for those starting in 2012. The Windows Bounty Program, however, encompasses Windows 10 and even the Windows Insider Preview, the company's program for testing Windows 10 preview builds. Furthermore, it also has specific focus areas: Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge.
Security

Some Low-Cost Android Phones Come at a Price -- Your Privacy (cnet.com) 86

Cheap phones are coming at the price of your privacy, security analysts discovered. From a report: At $60, the BLU R1 HD is the top-selling phone on Amazon. Last November, researchers caught it secretly sending private data to China. Shanghai Adups Technology, the group behind the spying software on the BLU R1 HD, called it a mistake. But analysts at Kryptowire found the software provider is still making the same "mistake" on other phones. At the Black Hat security conference in Las Vegas on Wednesday, researchers from Kryptowire, a security firm, revealed that Adups' software is still sending a device's data to the company's server in Shanghai without alerting people. But now, it's being more secretive about it. "They replaced them with nicer versions," Ryan Johnson, a research engineer and co-founder at Kryptowire, said. "I have captured the network traffic of them using the Command and Control channel when they did it." An Adups spokeswoman said that it had resolved the issues in 2016 and that the issues "are not existing anymore." Kryptowire said it has observed the company sending data without telling users on at least three different phones.
Businesses

Kaspersky Launches Its Free Antivirus Software Worldwide (engadget.com) 141

Kaspersky has finally launched its free antivirus software after a year-and-a-half of testing it in select regions. From a report: While the software was only available in Russia, Ukraine, Belarus, China and in Nordic countries during its trial run, Kaspersky is releasing it worldwide. The free antivirus doesn't have VPN, Parental Controls and Online Payment Protection its paid counterpart offers, but it has all the essential features you need to protect your PC. It can scan files and emails, protect your PC while you use the web and quarantine malware that infects your system. The company says the software isn't riddled with advertisements like other free antivirus offerings. Instead of trying to make ad money off your patronage, Kaspersky will use the data you contribute to improve machine learning across its products. The free antivirus will be available in the US, Canada and most Asia-Pacific countries over the next couple of days, if it isn't yet. After this initial release, the company will roll it out in other regions from September to November.
Education

US Defense Budget May Help Fund 'Hacking For Defense' Classes At Universities (ieee.org) 34

According to an instructor at Stanford, eight universities in addition to Stanford will offer a Hacking for Defense class this year: Boise State, Columbia, Georgetown, James Madison, the University of California at San Diego, the University of Pittsburgh, the University of Southern California, and the University of Southern Mississippi. IEEE Spectrum reports: The class has spun out Hacking for Diplomacy, Hacking for Energy, and other targeted classes that use the same methodology. The snowballing effort is now poised to get a big push. This month, the U.S. House of Representatives passed an amendment originated by Rep. Dan Lipinski (D-Ill.) to support development of curriculum, best practices, and recruitment materials for the program to the tune of $15 million (a drop in the $700 billion defense budget but a big deal for a university program). In arguing for the amendment, Lipinski said, "Rapid, low-cost technological innovation is what makes Silicon Valley revolutionary, but the DOD hasn't historically had the mechanisms in place to harness this American advantage. Hacking for Defense creates ways for talented scientists and engineers to work alongside veterans, military leaders, and business mentors to innovate solutions that make America safer."
China

China Forces Muslim Minority To Install Spyware On Their Phones (bleepingcomputer.com) 375

An anonymous reader quotes a report from Bleeping Computer: Chinese authorities in the province of Xinjiang are forcing locals of the Uyghur Muslim minority to install an app on their phones that will allow the government to scan their device for "terrorist propaganda," local media reports. In reality, the app creates MD5 hashes for the user's files and matches them against a database of known terrorist content. The app also makes copies of the user's Weibo and WeChat databases and uploads it to a government server, along with the user's IMEI, IMSI, and WiFi login information. The app is called Jingwang (Citizen Safety) and was developed by police forces from Urumqi, Xinjiang's capital. Authorities launched the app in April, and also included the ability to report suspicious activity to the police. At the start of July, Xinjiang officials started sending WeChat messages in Uyghur and Chinese to locals, asking them to install the app or face detainment of up to 10 days. Police have also stopped people on the street to check if they installed the app. Several were detained for refusing to install it. Locals are now sharing the locations of checkpoints online, so others can avoid getting arrested.
Medicine

Global Network of Labs Will Test Security of Medical Devices (securityledger.com) 49

chicksdaddy shares a report from The Security Ledger: Amid increasing concerns about cyber threats to healthcare environments, a global network of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms, The Security Ledger reports. The "World Health Information Security Testing Labs (or "WHISTL") will adopt a model akin to the Underwriters Laboratory, which started out testing electrical devices, and focus on issues related to cyber security and privacy, helping medical device makers "address the public health challenges" created by connected health devices and complex, connected healthcare environments, according to a statement by The Medical Device Innovation, Safety and Security Consortium. "MDISS WHISTL facilities will dramatically improve access to medical device security know-how while protecting patient privacy and the intellectual property of our various stakeholders," said Dr. Nordenberg, MD, Executive Director of MDISS.

The labs will be one of the only independent, open and non-profit network of labs specifically designed for the needs of medical field, including medical device designers, hospital IT, and clinical engineering professionals. Experts will assess the security of medical devices using standards and specifications designed by testing organizations like Underwriters Labs. Evaluations will include application security testing like "fuzzing," static code analysis and penetration testing of devices. Any vulnerabilities found will be reported directly to manufacturers in accordance with best practices, and publicly disclosed to the international medical device vulnerability database (MDVIPER) which is maintained by MDISS and the National Health Information Sharing and Analysis Center (NH-ISAC). The group says it plans for 10 new device testing labs by the end of the year including in the U.S. in states like New York to Indiana, Tennessee and California and outside North America in the UK, Israel, Finland, and Singapore. The WHISTL facilities will work with Underwriters Labs as well as AAMI, the Association for the Advancement of Medical Instrumentation. Specifically, MDISS labs will base its work on the UL Cybersecurity Assurance Program specifications (UL CAP) and follow testing standards developed by both groups including the UL 2900 and AAMI 80001 standards.

Security

Fourth Ethereum Platform Hacked This Month: Hacker Steals $8.4 Million From Veritaseum Platform (bleepingcomputer.com) 99

An anonymous reader writes: "Veritaseum has confirmed today that a hacker stole $8.4 million from the platform's ICO on Sunday, July 23," reports Bleeping Computer. "This is the second ICO hack in the last week and the fourth hack of an Ethereum platform this month. An ICO (Initial Coin Offering) is similar to a classic IPO (Initial Public Offering), but instead of stocks in a company, buyers get tokens in an online platform. Users can keep tokens until the issuing company decides to buy them back, or they can sell the tokens to other users for Ethereum. Veritaseum was holding its ICO over the weekend, allowing users to buy VERI tokens for a product the company was preparing to launch in the realm of financial services." The hacker breached its systems, stole VERI tokens and immediately dumped them on the market due to the high-demand. The hacker made $8.4 million from the token sale, which he immediately started to launder. In a post-mortem announcement, Middleton posted online today, the Veritaseum CEO said "the amount stolen was miniscule (less than 00.07%) although the dollar amount was quite material." The CEO also suspects that "at least one corporate partner that may have dropped the ball and [might] be liable." Previous Ethereum services hacks include Parity, CoinDash, and Classic Ether Wallet.
Books

United Airlines Claims TSA Banned Comic Books In Checked Luggage For Comic-Con, TSA Denies It (boardingarea.com) 107

schwit1 shares a report: San Diego Comic-Con has become so much more than just a comic book convention. But comic books remain the heart and soul of Comic-Con. In addition to attendees being there to buy comic books, vendors flock to Comic-Con to sell their comic books as well. That's why participants in Comic-Con were shocked to find a notice waiting for them at the San Diego airport after Comic-Con: "COMIC-CON ATTENDEES: REMOVE ALL BOOKS FROM CHECKED BAGS." On Twitter, United Airlines confirmed the ban: "The restriction on checking comic books applies to all airlines operating out of San Diego this weekend and is set by the TSA. ^MD" Consumerist reached out to TSA and were told by a spokeswoman that the warnings about not allowing comic books -- or any kind of book -- in checked bags were simply not true. There is "no restriction on anything related to putting comics or any type of books" in baggage, and TSA never put out any guidance to that effect, she said. "In fact, they are allowed in both checked and carry-on baggage," the spokeswoman told Consumerist, adding that there were no delays in the processing of checked bags out of San Diego yesterday.
Biotech

Wisconsin Company Will Let Employees Use Microchip Implants To Buy Snacks, Open Doors (theverge.com) 112

A Wisconsin company called Three Square Market will soon offer employees implantable chips to open doors, buy snacks, log in to computers, and use office equipment like copy machines. The chips use near field communication (NFC) technology and will be implanted between the thumb and forefinger of participating employees. According to The Verge, around 50 people are supposedly getting the optional implants. From the report: NFC chips are already used in a couple of workplaces in Europe; The Los Angeles Times reported on startup workspace Epicenter's chip program earlier this year. In the US, installing them is also a form of simple biohacking. They're essentially an extension of the chips you'd find in contactless smart cards or microchipped pets: passive devices that store very small amounts of information. A Swedish rail company also lets people use implants as a substitute for fare cards. 32M CEO Todd Westby is clearly trying to head off misunderstandings and paranoia by saying that they contain "no GPS tracking at all" -- because again, it's comparable to an office keycard here.
Privacy

Sweden Accidentally Leaks Personal Details of Nearly All Citizens (thehackernews.com) 241

An anonymous reader quotes a report from The Hacker News: Swedish media is reporting of a massive data breach in the Swedish Transport Agency (Transportstyrelsen) after the agency mishandled an outsourcing deal with IBM, which led to the leak of the private data about every vehicle in the country, including those used by both police and military. The data breach exposed the names, photos and home addresses of millions of Swedish citizen, including fighter pilots of Swedish air force, members of the military's most secretive units, police suspects, people under the witness relocation program, the weight capacity of all roads and bridges, and much more. The incident is believed to be one of the worst government information security disasters ever.

In 2015, the Swedish Transport Agency hand over IBM an IT maintenance contract to manage its databases and networks. However, the Swedish Transport Agency uploaded IBM's entire database onto cloud servers, which covered details on every vehicle in the country, including police and military registrations, and individuals on witness protection programs. The transport agency then emailed the entire database in messages to marketers that subscribe to it. And what's terrible is that the messages were sent in clear text. When the error was discovered, the transport agency merely thought of sending a new list in another email, asking the subscribers to delete the old list themselves.

Security

Mysterious Mac Malware Has Infected Hundreds of Victims For Years (vice.com) 125

An anonymous reader shares a report: A mysterious piece of malware has been infecting hundreds of Mac computers for years -- and no one noticed until a few months ago. The malware is called "FruitFly," and one of its variants, "FruitFly 2" has infected at least 400 victims over the years. FruitFly 2 is intriguing and mysterious: its goals, who's behind it, and how it infects victims, are all unknown. Earlier this year, an ex-NSA hacker started looking into a piece of malware he described to me as "unique" and "intriguing." It was a slightly different strain of a malware discovered on four computers earlier this year by security firm Malwarebytes, known as "FruitFly." This first strain had researchers scratching their heads. On the surface, the malware seemed "simplistic." It was programmed mainly to surreptitiously monitor victims through their webcams, capture their screens, and log keystrokes. But, strangely, it went undetected since at least 2015. There was no indication of who could be behind it, and it contained "ancient" functions and "rudimentary" remote control capabilities, Malwarebytes's Thomas Reed wrote at the time.
United States

US Agency Revokes All State Discounts For Kaspersky Products (thebaltimorepost.com) 92

The U.S. General Services Administration has removed Kapersky Lab from its list of approved vendors for federal systems, which also eliminates the discounts it previously offered to state governments. Long-time Slashdot reader Rick Zeman writes: "The agency's statement suggested a vulnerability exists in Kaspersky that could give the Russian government backdoor access to the systems it protects, though they offered no explanation or evidence of it," reports the Washington Post. Kaspersky, of course, denies this, offering their source code up for U.S. Government review... "Three current and former defense contractors told The Post that they knew of no specific warnings circulated about Kaspersky in recent years, but it has become an unwritten rule at the Pentagon not to include Kaspersky as a potential vendor on new projects."
"The lack of information from the GSA underscores a disconnect between local officials and the federal government about cybersecurity," the Post reports, adding that "the GSA's move on July 11 has left state and local governments to speculate about the risks of sticking with the company or abandoning taxpayer-funded contracts, sometimes at great cost."

The Post also quotes a cybersecurity expert at a prominent think tank -- the Center for Strategic and International Studies -- who believes that "it's difficult, if not impossible" for a company like Kaspersky to be headquartered in Moscow "if you don't cooperate with the government and the intelligence services."
EU

Company Gets 45,000 Bad Facebook Reviews After Teenaged Hacker's Unjust Arrest (bleepingcomputer.com) 293

An anonymous reader quotes BleepingComputer: Over 45,000 users have left one-star reviews on a company's Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug. The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ, Budapest's public transportation authority. The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price. Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

The teenager -- who didn't want his name revealed -- reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems... BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure." Since then, other security flaws in BKK's system have surfaced on Twitter. As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner.

Slashdot Top Deals