Government

US Senators Propose Bug Bounties For Hacking Homeland Security (cnn.com) 15

An anonymous reader quotes CNN: U.S. senators want people to hack the Department of Homeland Security. On Thursday, Senators Maggie Hassan, a Democrat and Republican Rob Portman introduced the Hack DHS Act to establish a federal bug bounty program in the DHS... It would be modeled off the Department of Defense efforts, including Hack the Pentagon, the first program of its kind in the federal government. Launched a year ago, Hack the Pentagon paved the way for more recent bug bounty events including Hack the Army and Hack the Air Force...

The Hack the DHS Act establishes a framework for bug bounties, including establishing "mission-critical" systems that aren't allowed to be hacked, and making sure researchers who find bugs in DHS don't get prosecuted under the Computer Fraud and Abuse Act. "It's better to find vulnerabilities through someone you have engaged with and vetted," said Jeff Greene, the director of government affairs and policy at security firm Symantec. "In an era of constrained budgets, it's a cost-effective way of identifying vulnerabilities"... If passed, it would be among the first non-military bug bounty programs in the public sector.

The Media

Walt Mossberg's Last Column Calls For Privacy and Security Laws (recode.net) 49

70-year-old Walt Mossberg wrote his last weekly column Thursday, looking back on how "we've all had a hell of a ride for the last few decades" and revisiting his famous 1991 pronouncement that "Personal computers are just too hard to use, and it isn't your fault." Not only were the interfaces confusing, but most tech products demanded frequent tweaking and fixing of a type that required more technical skill than most people had, or cared to acquire. The whole field was new, and engineers weren't designing products for normal people who had other talents and interests. But, over time, the products have gotten more reliable and easier to use, and the users more sophisticated... So, now, I'd say: "Personal technology is usually pretty easy to use, and, if it's not, it's not your fault." The devices we've come to rely on, like PCs and phones, aren't new anymore. They're refined, built with regular users in mind, and they get better each year. Anything really new is still too close to the engineers to be simple or reliable.
He argues we're now in a strange lull before entering an unrecognizable world where major new breakthroughs in areas like A.I., robotics, smart homes, and augmented reality lead to "ambient computing", where technology itself fades into the background. And he uses his final weekly column to warn that "if we are really going to turn over our homes, our cars, our health and more to private tech companies, on a scale never imagined, we need much, much stronger standards for security and privacy than now exist. Especially in the U.S., it's time to stop dancing around the privacy and security issues and pass real, binding laws."
United States

Leaked 'Standing Rock' Documents Reveal Invasive Counterterrorism Measures (theintercept.com) 128

An anonymous reader writes: "A shadowy international mercenary and security firm known as TigerSwan targeted the movement opposed to the Dakota Access Pipeline with military-style counterterrorism measures," reports The Intercept, decrying "the fusion of public and private intelligence operations." Saying the private firm started as a war-on-terror contractor for the U.S. military and State Department, the site details "sweeping and invasive" surveillance of protesters, citing over 100 documents leaked by one of the firm's contractors.

The documents show TigerSwan even havested information about the protesters from social media, and "provide extensive evidence of aerial surveillance and radio eavesdropping, as well as infiltration of camps and activist circles... The leaked materials not only highlight TigerSwan's militaristic approach to protecting its client's interests but also the company's profit-driven imperative to portray the nonviolent water protector movement as unpredictable and menacing enough to justify the continued need for extraordinary security measures... Internal TigerSwan communications describe the movement as 'an ideologically driven insurgency with a strong religious component' and compare the anti-pipeline water protectors to jihadist fighters."

The Intercept reports that recently "the company's role has expanded to include the surveillance of activist networks marginally related to the pipeline, with TigerSwan agents monitoring 'anti-Trump' protests from Chicago to Washington, D.C., as well as warning its client of growing dissent around other pipelines across the country." They also report that TigerSwan "has operated without a license in North Dakota for the entirety of the pipeline security operation."
Android

Malicious Apps Brought Ad-Clicking 'Judy' Malware To Millions Of Android Phones (fortune.com) 30

An anonymous reader quotes Fortune: The security firm Checkpoint on Thursday uncovered dozens of Android applications that infected users' devices with malicious ad-click software. In at least one case, an app bearing the malware was available through the Google Play app store for more than a year. While the actual extent of the malicious code's spread is unknown, Checkpoint says it may have reached as many as 36.5 million users, making it potentially the most widely-spread malware yet found on Google Play... The nefarious nature of the programs went unnoticed in large part, according to Checkpoint, because its malware payload was downloaded from a non-Google server after the programs were installed. The code would then use the infected phone to click on Google ads, generating fraudulent revenue for the attacker.
Networking

New Privacy Vulnerability In IOT Devices: Traffic Rate Metadata (helpnetsecurity.com) 18

Orome1 quotes Help Net Security: Even though many IoT devices for smart homes encrypt their traffic, a passive network observer -- e.g. an ISP, or a neighborhood WiFi eavesdropper -- can infer consumer behavior and sensitive details about users from IoT device-associated traffic rate metadata. A group of researchers from the Computer Science Department of Princeton University have proven this fact by setting up smart home laboratory with a passive network tap, and examining the traffic rates of four IoT smart home devices: a Sense sleep monitor, a Nest Cam Indoor security camera, a WeMo smart outlet, and an Amazon Echo smart speaker... "Once an adversary identifies packet streams for a particular device, one or more of the streams are likely to encode device state. Simply plotting send/receive rates of the streams revealed potentially private user interactions for each device we tested," the researchers noted. [PDF]
In addition, the article notes, "Separating recorded network traffic into packet streams and associating each stream with an IoT device is not that hard."
Microsoft

Security Analyst Concludes Windows 10 Enterprise 'Tracks Too Much' (xato.net) 253

A viral Twitter rant about Windows 10 Enterprise supposedly ignoring users' privacy settings has since been clarified. "I made mistakes on my original testing and therefore saw more connections than I should have," writes IT security analyst Mark Burnett, "including some to Google ads." But his qualified results -- quoted below -- are still critical of Microsoft:
  • You can cut back even more using the Windows Restricted Traffic Limited Functionality Baseline but break many things.
  • Settings can be set wrong if you aren't paying attention. Also, settings are not consistent and can be confusing to beginners.
  • You are opted-in to just about everything by default and have to set hundreds of settings to opt out, even on an Enterprise Windows system. Sometimes multiple settings for the same feature. Most Microsoft documentation discourages opting out and warns of a less optimal experience... But you can't completely opt-out. Windows still tracks too much.
  • Home and Professional users are much worse off due to limitations of some settings and lack of an IT staff... I'm not saying ditch Windows. I'm saying let's fix this. If we can't fix it, then we ditch Windows.

Data Storage

SSD Drives Vulnerable To Rowhammer-Like Attacks That Corrupt User Data (bleepingcomputer.com) 89

An anonymous reader writes: NAND flash memory chips, the building blocks of solid-state drives (SSDs), include what could be called "programming vulnerabilities" that can be exploited to alter stored data or shorten the SSD's lifespan. According to research published earlier this year, the programming logic powering of MLC NAND flash memory chips (the tech used for the latest generation of SSDs), is vulnerable to at least two types of attacks.

The first is called "program interference," and takes place when an attacker manages to write data with a certain pattern to a target's SSD. Writing this data repeatedly and at high speeds causes errors in the SSD, which then corrupts data stored on nearby cells. This attack is similar to the infamous Rowhammer attack on RAM chips.

The second attack is called "read disturb" and in this scenario, an attacker's exploit code causes the SSD to perform a large number of read operations in a very short time, which causes a phenomenon of "read disturb errors," that alters the SSD ability to read data from nearby cells, even long after the attack stops.

Bug

Wormable Code-Execution Bug Lurked In Samba For 7 Years (arstechnica.com) 79

Long-time Slashdot reader williamyf was the first to share news of "a wormable bug [that] has remained undetected for seven years in Samba verions 3.5.0 onwards." Ars Technica reports: Researchers with security firm Rapid7...said they detected 110,000 devices exposed on the internet that appeared to run vulnerable versions of Samba. 92,500 of them appeared to run unsupported versions of Samba for which no patch was available... Those who are unable to patch immediately can work around the vulnerability by adding the line nt pipe support = no to their Samba configuration file and restart the network's SMB daemon. The change will prevent clients from fully accessing some network computers and may disable some expected functions for connected Windows machines.
The U.S. Department of Homeland Security's CERT group issued an anouncement urging sys-admins to update their systems, though SC Magazine cites a security researcher arguing this attack surface is much smaller than that of the Wannacry ransomware, partly because Samba is just "not as common as Windows architectures." But the original submission also points out that while the patch came in fast, "the 'Many eyes' took seven years to 'make the bug shallow'."
Republicans

Hackers Have Targeted Both the Trump Organization And Democrat Election Data (arstechnica.com) 220

An anonymous reader writes: Two recent news stories give new prominence to politically-motivated data breaches. Friday the Wall Street Journal reported that last year Guccifer 2.0 sent 2.5 gigabytes of Democratic Congressional Campaign Committee election data to a Republican operative in Florida, including their critical voter turnout projections. At the same time ABC News is reporting that the FBI is investigating "an attempted overseas cyberattack against the Trump Organization," adding that such an attack would make his network a high priority for government monitoring.

"In the course of its investigation," they add, "the FBI could get access to the Trump Organization's computer network, meaning FBI agents could possibly find records connected to other investigations." A senior FBI official (now retired) concedes to ABC that "There could be stuff in there that they [the Trump organization] do not want to become part of a separate criminal investigation."

It seems like everyone's talking about the privacy of their communications. Tonight the Washington Post writes that Trump's son-in-law/senior advisor Jared Kushner "discussed the possibility of setting up a secret and secure communications channel between Trump's transition team and the Kremlin, using Russian diplomatic facilities in an apparent move to shield their pre-inauguration discussions from monitoring, according to U.S. officials briefed on intelligence reports." And Friday Hillary Clinton was even quoted as saying, "I would have won had I not been subjected to the unprecedented attacks by Comey and the Russians..."
Encryption

10 Years Later: FileZilla Adds Support For Master Password That Encrypts Your Logins (bleepingcomputer.com) 79

An anonymous reader writes: "Following years of criticism and user requests, the FileZilla FTP client is finally adding support for a master password that will act as a key for storing FTP login credentials in an encrypted format," reports BleepingComputer. "This feature is scheduled to arrive in FileZilla 3.26.0, but you can use it now if you download the 3.26.0 (unstable) release candidate from here." By encrypting its saved FTP logins, FileZilla will finally thwart malware that scrapes the sitemanager.xml file and steals FTP credentials, which were previously stolen in plain text. The move is extremely surprising, at least for the FileZilla user base. Users have been requesting this feature for a decade, since 2007, and they have asked it many and many times since then. All their requests have fallen on deaf ears and met with refusal from FileZilla maintainer, Tim Kosse. In November 2016, a user frustrated with Koose's stance forked the FileZilla FTP client and added support for a master password via a spin-off app called FileZilla Secure.
Bug

Two Different Studies Find Thousands of Bugs In Pacemakers, Insulin Pumps and Other Medical Devices 48

Two studies are warning of thousands of vulnerabilities found in pacemakers, insulin pumps and other medical devices. "One study solely on pacemakers found more than 8,000 known vulnerabilities in code inside the cardiac devices," reports BBC. "The other study of the broader device market found only 17% of manufacturers had taken steps to secure gadgets." From the report: The report on pacemakers looked at a range of implantable devices from four manufacturers as well as the "ecosystem" of other equipment used to monitor and manage them. Researcher Billy Rios and Dr Jonathan Butts from security company Whitescope said their study showed the "serious challenges" pacemaker manufacturers faced in trying to keep devices patched and free from bugs that attackers could exploit. They found that few of the manufacturers encrypted or otherwise protected data on a device or when it was being transferred to monitoring systems. Also, none was protected with the most basic login name and password systems or checked that devices they were connecting to were authentic. Often, wrote Mr Rios, the small size and low computing power of internal devices made it hard to apply security standards that helped keep other devices safe. In a longer paper, the pair said device makers had work to do more to "protect against potential system compromises that may have implications to patient care." The separate study that quizzed manufacturers, hospitals and health organizations about the equipment they used when treating patients found that 80% said devices were hard to secure. Bugs in code, lack of knowledge about how to write secure code and time pressures made many devices vulnerable to attack, suggested the study.
Security

Chipotle Says 'Most' of Its Restaurants Were Infected With Credit Card Stealing Malware (theverge.com) 115

Earlier this year, Chipotle announced that the their payment processing system was hacked. Today, the company has released more information about the hack, identifying the malware that was responsible and releasing a new tool to help customers check whether the restaurant they visited was involved. The company did not say how many restaurants were affected, but it did tell The Verge that "most" locations nationwide may have been involved. The Verge reports: "The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device," Chipotle said in a statement. "There is no indication that other customer information was affected." We browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well. (The list of identified restaurants can be found here, which includes locations in Kansas, Missouri, Colorado, and Ohio.) Chipotle noted that not all locations have been identified, but it's a starting guide to check whether your visit lines up with the breached period.
Government

Major US Tech Firms Press Congress For Internet Surveillance Reforms (reuters.com) 38

Dustin Volz, reporting for Reuters: Facebook, Amazon and more than two dozen other U.S. technology companies pressed Congress on Friday to make changes to a broad internet surveillance law, saying they were necessary to improve privacy protections and increase government transparency. The request marks the first significant public effort by Silicon Valley to wade into what is expected to be a contentious debate later the year over the Foreign Intelligence Surveillance Act, parts of which will expire on Dec. 31 unless Congress reauthorizes them. Of particular concern to the technology industry and privacy advocates is Section 702, which allows U.S. intelligence agencies to vacuum up vast amounts of communications from foreigners but also incidentally collects some data belonging to Americans that can be searched by analysts without a warrant.
Security

More Than Half of Streaming Users In US Are Sharing Their Passwords, Says Report (streamingobserver.com) 69

A new study conducted by Fluent shows a majority of Americans are sharing passwords to their streaming video services. While millennials lead the pack, non-millennials are doing the same. Streaming Observer reports: Nearly 3 out of every 4 (72% exactly) Americans who have cable also have access to at least one streaming service and 8% of cable subscribers plan to eliminate their service in the next year. But that doesn't necessarily mean they're paying for their streaming service. New numbers from a study conducted by Fluent show that the majority of Americans are sharing passwords to their streaming video services. Well over half of millennials (aged 18-34) -- 60% -- are either using someone someone else's password or giving their password to someone else. And just under half -- 48% -- of non-millennials are doing the same. The study also revealed that the main factor in what drives consumers to sign up for streaming video services is price, with 34% of Americans saying that low cost was the primary factor. That number jumps to 38% among millennials. When you take in to account that some streaming TV services start with prices as low as $20, it makes sense that price is the biggest issue. Convenience was the next biggest factor, coming in at just below 25%.
Government

Proposed Active-Defense Bill Would Allow Destruction of Data, Use of Beacon Tech (onthewire.io) 68

Trailrunner7 quotes a report from On the Wire: A bill that would allow victims of cybercrime to use active defense techniques to stop attacks and identify attackers has been amended to require victims to notify the FBI of their actions and also add an exemption to allow victims to destroy their data once they locate it on an attacker's machine. The Active Cyber Defense Certainty Act, drafted by Rep. Tom Graves (R-Ga.) in March, is designed to enable people who have been targets of cybercrime to employ certain specific techniques to trace the attack and identify the attacker. The bill defines active cyber defense as "any measure -- (I) undertaken by, or at the direction of, a victim"; and "(II) consisting of accessing without authorization the computer of the attacker to the victim" own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim's own network." After releasing an initial draft of the bill in March, Rep. Tom Graves held a public event in Georgia to collect feedback on the legislation. Based on that event and other feedback, Graves made several changes to the bill, including the addition of the notification of law enforcement and an exception in the Computer Fraud and Abuse Act for victims who use so-called beaconing technology to identify an attacker. "The provisions of this section shall not apply with respect to the use of attributional technology in regard to a defender who uses a program, code, or command for attributional purposes that beacons or returns locational or attributional data in response to a cyber intrusion in order to identify the source of the intrusion," the bill says.
Privacy

83 Percent Of Security Staff Waste Time Fixing Other IT Problems (betanews.com) 205

An anonymous reader shares a report: A new survey of security professionals reveals that 83 percent say colleagues in other departments turn to them to fix personal computer problems. The study by security management company FireMon shows a further 80 percent say this is taking up more than an hour of their working week, which in a year could equate to more than $88,000. For organizations, eight percent of professionals surveyed helping colleagues out five hours a week or more could be costing over $400,000. Organizations are potentially paying qualified security professionals salaries upwards of $100,000 a year and seeing up to 12.5 percent of that investment being spent on non-security related activities.
Security

Newly Discovered Vulnerability Raises Fears Of Another WannaCry (reuters.com) 107

A newly found flaw in widely used networking software leaves tens of thousands of computers potentially vulnerable to an attack similar to that caused by WannaCry, which infected more than 300,000 computers worldwide, cybersecurity researchers said on Thursday. From a Reuters report: The U.S. Department of Homeland Security on Wednesday announced the vulnerability, which could be exploited to take control of an affected computer, and urged users and administrators to apply a patch. Rebekah Brown of Rapid7, a cybersecurity company, told Reuters that there were no signs yet of attackers exploiting the vulnerability in the 12 hours since its discovery was announced. But she said it had taken researchers only 15 minutes to develop malware that made use of the hole. "This one seems to be very, very easy to exploit," she said. Rapid7 said it had found more than 100,000 computers running vulnerable versions of the software, Samba, free networking software developed for Linux and Unix computers.
Government

US Intelligence Community Has Lost Credibility Due To Leaks (bloomberg.com) 338

Two anonymous readers and Mi share an article: U.K. police investigating the Manchester terror attack say they have stopped sharing information with the U.S. after a series of leaks that have so angered the British government that Prime Minister Therese May wants to discuss them with President Donald Trump during a North Atlantic Treaty Organization meeting in Brussels. What can Trump tell her, though? The leaks drive him nuts, too. Since the beginning of this century, the U.S. intelligence services and their clients have acted as if they wanted the world to know they couldn't guarantee the confidentiality of any information that falls into their hands. At this point, the culture of leaks is not just a menace to intelligence-sharing allies. It's a threat to the intelligence community's credibility. [...] If this history has taught the U.S. intelligence community anything, it's that leaking classified information isn't particularly dangerous and those who do it largely enjoy impunity. Manning spent seven years in prison (though she'd been sentenced to 35), but Snowden, Assange, Petraeus, the unknown Chinese mole, the people who stole the hacking tools and the army of recent anonymous leakers, many of whom probably still work for U.S. intelligence agencies, have escaped any kind of meaningful punishment. President Donald Trump has just now announced that the administration would "get to the bottom" of leaks. In a statement, he said: "The alleged leaks coming out of government agencies are deeply troubling. These leaks have been going on for a long time and my Administration will get to the bottom of this. The leaks of sensitive information pose a grave threat to our national security. I am asking the Department of Justice and other relevant agencies to launch a complete review of this matter, and if appropriate, the culprit should be prosecuted to the fullest extent of the law. There is no relationship we cherish more than the Special Relationship between the United States and the United Kingdom.
The Internet

Manchester Attack Could Lead To Internet Crackdown (independent.co.uk) 381

New submitter boundary writes: The UK government looks to be about to put the most egregious parts of the Investigative Powers Act into force "soon after the election" (which is in a couple of weeks) in the wake of the recent bombing in Manchester. "Technical Capability Orders" require tech companies to break their own security. I wonder who'll comply? The Independent reports: "Government will ask parliament to allow the use of those powers if Theresa May is re-elected, senior ministers told The Sun. 'We will do this as soon as we can after the election, as long as we get back in,' The Sun said it was told by a government minister. 'The level of threat clearly proves there is no more time to waste now. The social media companies have been laughing in our faces for too long.'"
Databases

Vermont DMV Caught Using Illegal Facial Recognition Program (vocativ.com) 109

schwit1 quotes a report from Vocativ: The Vermont Department of Motor Vehicles has been caught using facial recognition software -- despite a state law preventing it. Documents obtained by the American Civil Liberties Union of Vermont describe such a program, which uses software to compare the DMV's database of names and driver's license photos with information with state and federal law enforcement. Vermont state law, however, specifically states that "The Department of Motor Vehicles shall not implement any procedures or processes that involve the use of biometric identifiers." The program, the ACLU says, invites state and federal agencies to submit photographs of persons of interest to the Vermont DMV, which it compares against its database of some 2.6 million Vermonters and shares potential matches. Since 2012, the agency has run at least 126 such searches on behalf of local police, the State Department, FBI, and Immigrations and Customs Enforcement.

Slashdot Top Deals