Privacy

A Photo Accidentally Revealed a Password For Hawaii's Emergency Agency (qz.com) 124

An anonymous reader quotes a report from Quartz: In the aftermath of an erroneous missile warning that terrified Hawaiians on Saturday (Jan. 13), the state's emergency management agency has come under increased scrutiny, from the poor design of the software that enables alerts to a particularly slapdash security measure by one of its employees. Old photos from the Associated Press inside the agency's office appear to show an unspecified password on a yellow Post-It note, stuck to a computer monitor. The image, which shows operations manger Jeffrey Wong standing in front of the computer, was taken in July and appeared in articles published at the time about the agency's preparedness in the face of a nuclear threat. The agency verified that the password is indeed real but wouldn't go into specifics on what program the password was supposed to be used for.
Mozilla

Mozilla Restricts All New Firefox Features To HTTPS Only (bleepingcomputer.com) 212

An anonymous reader shares a report: In a groundbreaking statement earlier this week, Mozilla announced that all web-based features that will ship with Firefox in the future must be served on over a secure HTTPS connection (a "secure context"). "Effective immediately, all new features that are web-exposed are to be restricted to secure contexts," said Anne van Kesteren, a Mozilla engineer and author of several open web standards. This means that if Firefox will add support for a new standard/feature starting tomorrow, if that standard/feature carries out communications between the browser and an external server, those communications must be carried out via HTTPS or the standard/feature will not work in Firefox. The decision does not affect already existing standards/features, but Mozilla hopes all Firefox features "will be considered on a case-by-case basis," and will slowly move to secure contexts (HTTPS) exclusively in the future.
Nintendo

Hackers Seem Close To Publicly Unlocking the Nintendo Switch (arstechnica.com) 86

Ars Technica reports that "hackers have been finding partial vulnerabilities in early versions of the [Nintendo] Switch firmware throughout 2017." They have discovered a Webkit flaw that allows for basic "user level" access to some portions of the underlying system and a service-level initialization flaw that gives hackers slightly more control over the Switch OS. "But the potential for running arbitary homebrew code on the Switch really started looking promising late last month, with a talk at the 34th Chaos Communication Congress (34C3) in Leipzig Germany," reports Ars. "In that talk, hackers Plutoo, Derrek, and Naehrwert outlined an intricate method for gaining kernel-level access and nearly full control of the Switch hardware." From the report: The full 45-minute talk is worth a watch for the technically inclined, it describes using the basic exploits discussed above as a wedge to dig deep into how the Switch works at the most basic level. At one point, the hackers sniff data coming through the Switch's memory bus to figure out the timing for an important security check. At another, they solder an FPGA onto the Switch's ARM chip and bit-bang their way to decoding the secret key that unlocks all of the Switch's encrypted system binaries. The team of Switch hackers even got an unexpected assist in its hacking efforts from chipmaker Nvidia. The "custom chip" inside the Switch is apparently so similar to an off-the-shelf Nvidia Tegra X1 that a $700 Jetson TX1 development kit let the hackers get significant insight into the Switch's innards. More than that, amid the thousand of pages of Nvidia's public documentation for the X1 is a section on how to "bypass the SMMU" (the System Memory Management Unit), which gave the hackers a viable method to copy and write a modified kernel to the Switch's system RAM. As Plutoo put it in the talk, "Nvidia backdoored themselves."
Security

Many Enterprise Mobile Devices Will Never Be Patched Against Meltdown, Spectre (betanews.com) 102

Mark Wilson shares a report from BetaNews: The Meltdown and Spectre bugs have been in the headlines for a couple of weeks now, but it seems the patches are not being installed on handsets. Analysis of more than 100,000 enterprise mobile devices shows that just a tiny percentage of them have been protected against the vulnerabilities -- and some simply may never be protected. Security firm Bridgeway found that just 4 percent of corporate phones and tablets in the UK have been patched against Spectre and Meltdown. Perhaps more worryingly, however, its research also found that nearly a quarter of enterprise mobile devices will never receive a patch because of their age. Organizations are advised to check for the availability of patches for their devices, and to install them as soon as possible. Older devices that will never be patched -- older than Marshmallow, for example -- should be replaced to ensure security, says Bridgeway.
Security

Researchers Uncover Android Malware With Never-Before-Seen Spying Capabilities (arstechnica.com) 102

An anonymous reader quotes a report from Ars Technica: According to a report published Tuesday by antivirus provider Kaspersky Lab, "Skygofree" is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares. With 48 different commands in its latest version, the malware has undergone continuous development since its creation in late 2014. It relies on five separate exploits to gain privileged root access that allows it to bypass key Android security measures. Skygofree is capable of taking pictures, capturing video, and seizing call records, text messages, gelocation data, calendar events, and business-related information stored in device memory. Skygofree also includes the ability to automatically record conversations and noise when an infected device enters a location specified by the person operating the malware. Another never-before-seen feature is the ability to steal WhatsApp messages by abusing the Android Accessibility Service that's designed to help users who have disabilities or who may temporarily be unable to fully interact with a device. A third new feature: the ability to connect infected devices to Wi-Fi networks controlled by attackers. Skygofree also includes other advanced features, including a reverse shell that gives malware operators better remote control of infected devices. The malware also comes with a variety of Windows components that provide among other things a reverse shell, a keylogger, and a mechanism for recording Skype conversations.
Bug

Now Meltdown Patches Are Making Industrial Control Systems Lurch (theregister.co.uk) 98

Patches for the Meltdown vulnerability are causing stability issues in industrial control systems. From a report: SCADA vendor Wonderware admitted that Redmond's Meltdown patch made its Historian product wobble. "Microsoft update KB4056896 (or parallel patches for other Operating System) causes instability for Wonderware Historian and the inability to access DA/OI Servers through the SMC," an advisory on Wonderware's support site explains. Rockwell Automation revealed that the same patch had caused issues with Studio 5000, FactoryTalk View SE, and RSLinx Classic (a widely used product in the manufacturing sector). "In fairness [this] may be RPC [Remote Procedure Call] change related," said cybersecurity vulnerability manager Kevin Beaumont.
AT&T

US Lawmakers Urge AT&T To Cut Commercial Ties With Huawei and Oppose China Mobile Citing National Security Concerns (reuters.com) 60

U.S. lawmakers are urging AT&T, the No. 2 wireless carrier, to cut commercial ties to Chinese phone maker Huawei Technologies and oppose plans by telecom operator China Mobile to enter the U.S. market because of national security concerns, two congressional aides told Reuters. From the report: The warning comes after the administration of U.S. President Donald Trump took a harder line on policies initiated by his predecessor Barack Obama on issues ranging from Beijing's role in restraining North Korea to Chinese efforts to acquire U.S. strategic industries. Earlier this month, AT&T was forced to scrap a plan to offer its customers Huawei handsets after some members of Congress lobbied against the idea with federal regulators, sources told Reuters. The U.S. government has also blocked a string of Chinese acquisitions over national security concerns, including Ant Financial's proposed purchase of U.S. money transfer company MoneyGram International.
Software

'Very High Level of Confidence' Russia Used Kaspersky Software For Devastating NSA Leaks (yahoo.com) 231

bricko shares a report from Yahoo Finance: Three months after U.S. officials asserted that Russian intelligence used popular antivirus company Kaspersky to steal U.S. classified information, there are indications that the alleged espionage is related to a public campaign of highly damaging NSA leaks by a mysterious group called the Shadow Brokers. In August 2016, the Shadow Brokers began leaking classified NSA exploit code that amounted to hacking manuals. In October 2017, U.S. officials told major U.S. newspapers that Russian intelligence leveraged software sold by Kaspersky to exfiltrate classified documents from certain computers. (Kaspersky software, like all antivirus software, requires access to everything stored on a computer so that it can scan for malicious software.) And last week the Wall Street Journal reported that U.S. investigators "now believe that those manuals [leaked by Shadow Brokers] may have been obtained using Kaspersky to scan computers on which they were stored." Members of the computer security industry agree with that suspicion. "I think there's a very high level of confidence that the Shadow Brokers dump was directly related to Kaspersky ... and it's very much attributable," David Kennedy, CEO of TrustedSec, told Yahoo Finance. "Unfortunately, we can only hear that from the intelligence side about how they got that information to see if it's legitimate."
The Almighty Buck

OnePlus Customers Report Credit Card Fraud After Buying From the Company's Website (androidpolice.com) 60

If you purchased a OnePlus smartphone recently from the official OnePlus website, you might want to check your transactions to make sure there aren't any you don't recognize. "A poll was posted on the OnePlus forum on Thursday asking users if they had noticed fraudulent charges on their credit cards since purchasing items on the OnePlus site," reports Android Police. "More than 70 respondents confirmed that they had been affected, with the majority saying they had bought from the site within the past 2 months." From the report: A number of FAQs and answers follow, in which OnePlus confirms that only customers who made credit card payments are affected, not those who used PayPal. Apparently, card info isn't stored on the site but is instead sent directly to a "PCI-DSS-compliant payment processing partner" over an encrypted connection. [...] OnePlus goes on to say that intercepting information should be extremely difficult as the site is HTTPS encrypted, but that it is nevertheless carrying out a complete audit. In the meantime, affected customers are advised to contact their credit card companies immediately to get the payments canceled/reversed (called a chargeback). OnePlus will continue to investigate alongside its third-party service providers, and promises to update with its findings as soon as possible.

According to infosec firm Fidus, there is actually a brief window in which data could be intercepted. Between entering your card details into the form and hitting 'submit,' the details are apparently hosted on-site, which could give attackers all the time they need to steal those precious digits and head off on a spending spree. Fidus also notes that the company doesn't appear to be PCI-compliant, but that directly contradicts OnePlus' own statement. We'll have to wait until more details emerge before we pass judgment.
Here's OnePlus' official statement on the matter: "At OnePlus, we take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. This FAQ document will be updated to address questions raised."
Network

Lenovo Discovers and Removes Backdoor In Networking Switches (bleepingcomputer.com) 42

An anonymous reader writes: Lenovo engineers have discovered a backdoor in the firmware of RackSwitch and BladeCenter networking switches. The company released firmware updates last week. The Chinese company said it found the backdoor after an internal security audit of firmware for products added to its portfolio following the acquisitions of other companies. Lenovo says the backdoor affects only RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System).

The backdoor was added to ENOS in 2004 when ENOS was maintained by Nortel's Blade Server Switch Business Unit (BSSBU). Lenovo claims Nortel appears to have authorized the addition of the backdoor "at the request of a BSSBU OEM customer." In a security advisory regarding this issue, Lenovo refers to the backdoor under the name of "HP backdoor." The backdoor code appears to have remained in the firmware even after Nortel spun BSSBU off in 2006 as BLADE Network Technologies (BNT). The backdoor also remained in the code even after IBM acquired BNT in 2010. Lenovo bought IBM's BNT portfolio in 2014.

Privacy

India To Add Facial Authentication For Its Aadhaar Card Security (reuters.com) 20

India will build facial recognition into its national identity card in addition to fingerprints after a series of breaches in the world's biggest biometric identification programme, the government said on Monday. From a report: A local newspaper reported this month that access to the "Aadhaar" database which has identity details of more than 1 billion citizens was being sold for just $8 on social media. The Unique Identification Authority of India (UIDAI), which issues the identity cards, said it would add face recognition software as an additional layer of security from July. Card holders will be required to match their photographs with that stored in the data base for authentication in addition to fingerprints and iris scans, the agency said in a statement.
The Almighty Buck

Hackers Hijack DNS For Lumens Cryptocurrency Site 'BlackWallet', Steal $400,000 (bleepingcomputer.com) 91

An anonymous reader quotes BleepingComputer: Unknown hackers (or hacker) have hijacked the DNS server for BlackWallet.co, a web-based wallet application for the Stellar Lumen cryptocurrency (XLM), and have stolen over $400,000 from users' accounts. The attack happened late Saturday afternoon (UTC timezone), January 13, when the attackers hijacked the DNS entry of the BlackWallet.co domain and redirected it to their own server. "The DNS hijack of Blackwallet injected code," said Kevin Beaumont, a security researcher who analyzed the code before the BlackWallet team regained access over their domain and took down the site. "If you had over 20 Lumens it pushes them to a different wallet," Beaumont added...

According to Bleeping Computer's calculations, as of writing, the attacker collected 669,920 Lumens, which is about $400,192 at the current XML/USD exchange rate. The BlackWallet team and other XLM owners have tried to warn users via alerts on Reddit, Twitter, GitHub, the Stellar Community and GalacticTalk forums, but to no avail, as users continued to log into the rogue BlackWallet.co domain, enter their credentials, and then see funds mysteriously vanish from their wallets.

Virtualization

VMware Bug Allowed Root Access (arstechnica.com) 32

c4231 quotes Ars Technica: While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell's EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools -- EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection -- could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server's file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.
Music

Japan's Latest Sensation is a Cryptocurrency Pop Group (engadget.com) 57

An anonymous reader quotes Engadget: If you're starting a pop group in Japan, where giant rosters and virtual superstars are par for the course, how do you stand out? By tying yourself to something trendy -- and in 2018, that means cryptocurrency. Meet Kasotsuka Shojo (Virtual Currency Girls), a J-pop group where each of the eight girls represents one of the larger digital monetary formats. Yes, you're supposed to cheer for bitcoin or swoon over ethereum (what, no litecoin?). The group played its first concert on January 12th, and naturally you had to pay in cryptocurrency to be one of the few members of the general public to get in. The group's first single, "The Moon and Virtual Currencies and Me," warns listeners about the perils of fraud and extols the virtues of good online security.
"It isn't clear how French maid outfits symbolize cryptocurrency or blockchain technology," notes Quartz, "but they're popular costumes in Japan's anime and cosplay circles."
The Military

Russian Military Base Attacked By Drones (bellingcat.com) 183

A Russian military base in Syria was recently attacked -- 20 miles from the frontline. The only video of the attack is from a Facebook group for a nearby town, which identifies the noises as an "anti-aircraft response to a remote-controlled aircraft," while the Russian Ministry of Defence claims at least 13 drones were involved in the attack, displaying pictures of drones with a wingspan around 13 feet (four meters).

Long-time Slashdot reader 0x2A shares a report from a former British Army officer who calls drones "the poor man's Air Force," who writes that the attack shows "a strategic grasp of the use of drones, as well as a high level of planning." The lack of cameras on the drones suggest that they are likely pre-loaded with a flight plan and then flown autonomously to their target, where they dropped their payload en masse on a given GPS coordinate... The lack of any kind of claim, or even rumours from the rebels, indicates that whoever is producing these drone and launching these attacks has a high level of discipline and an understanding of operational and personal security...

Although some regard the threat from commerical off-the-shelf and improvised drones as negligible, they have the power to inflict losses at both a tactical and strategic level... Although the plastic sheeting, tape and simple design may belie the illusion of sophistication, it seems that the use of drones, whether military, commerical off-the-shelf or improvised, is taking another step to becoming the future of conflict.

The article notes there's already been four weaponized drone attacks in Syria over the last two weeks, which according to CNBC may be part of a growing trend. "Experts said swarm-like attacks using weaponized drones is a growing threat and likely to only get worse. They also said the possibility exists of terrorists using these drones in urban areas against civilians."
Businesses

Following Other Credit Cards, Visa Will Also Stop Requiring Signatures (siliconbeat.com) 170

An anonymous reader quotes SiliconBeat: Visa, the largest U.S. credit card issuer, became the last of the major credit card companies to announce its plan to make signatures optional... Visa joined American Express, Discover, and Mastercard in the phase-out. Mastercard was the first one to announce the move in October, and American Express and Discover followed suit in December... However, this change does not apply to every credit card in circulation; older credit cards without EMV chips will still require signatures for authentication... Since 2011, Visa has deployed more than 460 million EMV chip cards and EMV chip-enabled readers at more than 2.5 million locations.
"Businesses that accepted EMV cards reported a 66 percent decline in fraud in the first two years of EMV deployment," the article notes -- suggesting a future where fewer shoppers are signing their receipts.

"In Canada, Australia and most of Europe, credit cards have long abandoned the signature for the EMV chip and a PIN to authenticate the transaction, like one does with a debit card."
EU

Is Finland's Universal Basic Income Trial Too Good To Be True? (theguardian.com) 534

It was one year ago that Finland began giving money to 2,000 unemployed people -- roughly $652 a month (€560 or £475). But have we learned anything about universal basic incomes? An anonymous reader quotes the Guardian: Amid this unprecedented media attention, the experts who devised the scheme are concerned it is being misrepresented. "It's not really what people are portraying it as," said Markus Kanerva, an applied social and behavioural sciences specialist working in the prime minister's office in Helsinki. "A full-scale universal income trial would need to study different target groups, not just the unemployed. It would have to test different basic income levels, look at local factors. This is really about seeing how a basic unconditional income affects the employment of unemployed people."

While UBI tends often to be associated with progressive politics, Finland's trial was launched -- at a cost of around €20m (£17.7m or $24.3 million) -- by a centre-right, austerity-focused government interested primarily in spending less on social security and bringing down Finland's stubborn 8%-plus unemployment rate. It has a very clear purpose: to see whether an unconditional income might incentivise people to take up paid work. Authorities believe it will shed light on whether unemployed Finns, as experts believe, are put off taking up a job by the fear that a higher marginal tax rate may leave them worse off. Many are also deterred by having to reapply for benefits after every casual or short-term contract... According to Kanerva, the core data the government is seeking -- on whether, and how, the job take-up of the 2,000 unemployed people in the trial differs from a 175,000-strong control group -- will be "robust, and usable in future economic modelling" when it is published in 2019.

Although the experiment may be impacted by all the hype it's generating, according to the Guardian. "One participant who hoped to start his own business with the help of the unconditional monthly payment complained that, after speaking to 140 TV crews and reporters from as far afield as Japan and Korea, he has simply not been able to find the time."
Government

Will Facial Recognition in China Lead To Total Surveillance? (washingtonpost.com) 122

schwit1 shares a new Washington Post article about China's police and security state -- including the facial recognition cameras allow access to apartment buildings. "If I am carrying shopping bags in both hands, I just have to look ahead and the door swings open," one 40-year-old woman tells the Post. "And my 5-year-old daughter can just look up at the camera and get in. It's good for kids because they often lose their keys." But for the police, the cameras that replaced the residents' old entry cards serve quite a different purpose. Now they can see who's coming and going, and by combining artificial intelligence with a huge national bank of photos, the system in this pilot project should enable police to identify what one police report, shared with The Washington Post, called the "bad guys" who once might have slipped by... Banks, airports, hotels and even public toilets are all trying to verify people's identities by analyzing their faces. But the police and security state have been the most enthusiastic about embracing this new technology.

The pilot in Chongqing forms one tiny part of an ambitious plan, known as "Xue Liang," which can be translated as "Sharp Eyes." The intent is to connect the security cameras that already scan roads, shopping malls and transport hubs with private cameras on compounds and buildings, and integrate them into one nationwide surveillance and data-sharing platform... At the back end, these efforts merge with a vast database of information on every citizen, a "Police Cloud" that aims to scoop up such data as criminal and medical records, travel bookings, online purchase and even social media comments -- and link it to everyone's identity card and face.

Programming

Erroneous 'Spam' Flag Affected 102 npm Packages (npmjs.org) 84

There was some trouble last weekend at the world's largest package repository. An anonymous reader quotes the official npm blog: On Saturday, January 6, 2018, we incorrectly removed the user floatdrop and blocked the discovery and download of all 102 of their packages on the public npm Registry. Some of those packages were highly depended on, such as require-from-string, and removal disrupted many users' installations... Within 60 seconds, it became clear that floatdrop was not a spammer -- and that their packages were in heavy use in the npm ecosystem. The staffer notified colleagues and we re-activated the user and began restoring the packages to circulation immediately. Most of the packages were restored quickly, because the restoration was a matter of unsetting the deleted tombstones in our database, while also restoring package data tarballs and package metadata documents. However, during the time between discovery and restoration, other npm users published a number of new packages that used the names of deleted packages. We locked this down once we discovered it, but cleaning up the overpublished packages and inspecting their contents took additional time...

In cases where the npm staff accepts a user's request to delete a package, we publish a replacement package by the same name -- a security placeholder. This both alerts those who had depended on it that the original package is no longer available and prevents others from publishing new code using that package name. At the time of Saturday's incident, however, we did not have a policy to publish placeholders for packages that were deleted if they were spam. This made it possible for other users to publish new versions of eleven of the removed packages. After a thorough examination of the replacement packages' contents, we have confirmed that none was malicious or harmful. Ten were exact replacements of the code that had just been removed, while the eleventh contained strings of text from the Bible -- and its publisher immediately contacted npm to advise us of its publication.

They're now implementing a 24-hour cooldown on republication of any deleted package names -- and are also updating their review process. "As a general rule, the npm Registry is and ought to be immutable, just like other package registries such as RubyGems and crates.io... However, there are legitimate cases for removing a package once it has been published. In a typical week, most of the npm support team's work is devoted to handling user requests for package deletion, which is more common than you might expect. Many people publish test packages then ask to have them deprecated or deleted. There also is a steady flow of requests to remove packages that contain contain private code that users have published inadvertently or inappropriately."
Security

Adult Themed VR Game Leaks Data On Thousands (securityledger.com) 41

chicksdaddy writes from The Security Ledger: Somebody deserves a spanking after personal information on thousands of users of an adult virtual reality game were exposed to security researchers in the UK by a balky application. Researchers at the firm Digital Interruption on Tuesday warned that an adult-themed virtual reality application, SinVR, exposes the names, email and other personal information via an insecure desktop application -- a potentially embarrassing security lapse. The company decided to go public with the information after being frustrated in multiple efforts to responsibly disclose the vulnerability to parent company inVR, Inc., Digital Interruption researcher and founder Jahmel Harris told The Security Ledger. Jahmel estimated that more than 19,000 records were leaked by the application, but did not have an exact count.

SinVR is a sex-themed virtual reality game that allows players to navigate in various adult-themed environments and interact with virtual characters in common pornographic themes including BDSM, cosplay, naughty teacher, and so on. The company discovered the data after reverse-engineering the SinVR desktop application and noticing a function named "downloadallcustomers." That function called a web service that returned thousands of SinVR customer records including email addresses, user names, computer PC names and so on. Passwords and credit card details were not part of the data dump, Harris said.

Slashdot Top Deals