The Internet

Cloudflare Wants To Kill the CAPTCHA (zdnet.com) 105

An anonymous reader quotes a report from ZDNet: Cloudflare is testing out the possibility of security keys replacing one of the most irritating aspects of web browsing: the CAPTCHA. CAPTCHAs are used to catch out bots that are trawling websites and are often implemented to prevent online services from being abused. "CAPTCHAs are effectively businesses putting friction in front of their users, and as anyone who has managed a high-performing online business will tell you, it's not something you want to do unless you have no choice," Cloudflare says.

To highlight the amount of time lost to these tests, Cloudflare said that based on calculations of an average of 32 seconds to complete a CAPTCHA, one test being performed every 10 days, and 4.6 billion internet users worldwide, roughly "500 human years [are] wasted every single day -- just for us to prove our humanity." On Thursday, Cloudflare research engineer Thibault Meunier said in a blog post that the company was "launching an experiment to end this madness" and get rid of CAPTCHAs completely. The means to do so? Using security keys as a way to prove we are human.

According to Meunier, Cloudflare is going to start with trusted security keys -- such as the YubiKey range, HyperFIDO keys, and Thetis FIDO U2F keys -- and use these physical authentication devices as a "cryptographic attestation of personhood." This is how it works: A user is challenged on a website, the user clicks a button along the lines of "I am human," and is then prompted to use a security device to prove themselves. A hardware security key is then plugged into their PC or tapped on a mobile device to provide a signature -- using wireless NFC in the latter example -- and a cryptographic attestation is then sent to the challenging website. Cloudflare says the test takes no more than three clicks and an average of five seconds -- potentially a vast improvement on the CAPTCHA's average of 32 seconds.
You can access cloudflarechallenge.com to try out the system.
Security

A Toshiba Business Unit Says It Has Been Attacked By Hacking Group DarkSide (cnbc.com) 9

A division of Toshiba said in a statement on Friday that its European business has been hit by a cyberattack by cyber criminal group DarkSide, which is the same group that the U.S. FBI blamed for the Colonial Pipeline attack. According to a Toshiba spokesperson, the attack occurred the evening of May 4. CNBC reports: The Toshiba unit, which sells self-checkout technology and point-of-sale systems to retailers, told CNBC that it has not paid a ransom. "They required money, but we didn't contact them and didn't pay any money," a spokesperson said. Toshiba Tec said that a "minimal" amount of work data was stolen in a ransomware attack. No leaks of the data have been detected so far and protective measures were put in place after the cyber-attack, the company said. Further reading: Darkside Ransomware Gang Says It Lost Control of Its Servers, Money a Day After Biden Threat
Security

'Scheme Flooding' Technique May Be Used To Deanonymize You (theregister.com) 46

sandbagger shares a report from The Register: FingerprintJS, maker of a browser-fingerprinting library for fraud prevention, on Thursday said it has identified a more dubious fingerprinting technique capable of generating a consistent identifier across different desktop browsers, including the Tor Browser. Konstantin Darutkin, senior software engineer at FingerprintJS, said in a blog post that the company has dubbed the privacy vulnerability "scheme flooding." The name refers to abusing custom URL schemes, which make web links like "skype://" or "slack://" prompt the browser to open the associated application. "The scheme flooding vulnerability allows an attacker to determine which applications you have installed," explains Darutkin. "In order to generate a 32-bit cross-browser device identifier, a website can test a list of 32 popular applications and check if each is installed or not."

Visiting the schemeflood.com site using a desktop (not mobile) browser and clicking on the demo will generate a flood of custom URL scheme requests using a pre-populated list of likely apps. A browser user would typically see a pop-up permission modal window that says something like, "Open Slack.app? A website wants to open this application. [Cancel] [Open Slack.app]." But in this case, the demo script just cancels if the app is present or reads the error as confirmation of the app's absence. It then displays the icon of the requested app if found, and moves on to its next query. The script uses each app result as a bit to calculate the identifier. The fact that the identifier remains consistent across different browsers means that cross-browser tracking is possible, which violates privacy expectations.

Security

Darkside Ransomware Gang Says It Lost Control of Its Servers, Money a Day After Biden Threat (therecord.media) 139

A day after US President Joe Biden said the US plans to disrupt the hackers behind the Colonial Pipeline cyberattack, the operator of the Darkside ransomware said the group lost control of its web servers and some of the funds it made from ransom payments. From a report: "A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. CDN servers," said Darksupp, the operator of the Darkside ransomware, in a post spotted by Recorded Future threat intelligence analyst Dmitry Smilyanets. "Now these servers are unavailable via SSH, and the hosting panels are blocked," said the Darkside operator while also complaining that the web hosting provider refused to cooperate. In addition, the Darkside operator also reported that cryptocurrency funds were also withdrawn from the gang's payment server, which was hosting ransom payments made by victims. The funds, which the Darkside gang was supposed to split between itself and its affiliates (the threat actors who breach networks and deploy the ransomware), were transferred to an unknown wallet, Darksupp said. This sudden development comes after US authorities announced their intention to go after the gang.
Piracy

FBI Has Gained Access To Sci-Hub Founder's Apple Account, Email Claims (torrentfreak.com) 36

Sci-Hub founder Alexandra Elbakyan reports that she has received a worrying email, ostensibly from Apple, revealing that law enforcement has demanded and gained access to her account data. The email indicates an FBI investigation although the precise nature of any inquiry remains unclear. From a report: In a message posted to her personal Twitter account, which is not currently subject to a suspension, Elbakyan draws attention to an email she received to one of her accounts operated by Google. "At first I thought it was spam and was about to delete the email, but it turned out to be about FBI requesting my data from Apple," she writes. As the email reveals, the apparent request to access the data from Elbakyan's account dates back more than two years but due to its nature, Apple has only just been able to reveal its existence to the Sci-Hub founder. What this is about, however, remains unclear but perhaps the more pressing question is whether it is a genuine email from Apple.
Security

'Significant' Ransomware Attack Forces Ireland's Health Service To Shut Down IT Systems (therecord.media) 53

Catalin Cimpanu, reporting for The Record: Ireland's national health service, the Health Service Executive (HSE), temporarily shut down its IT systems today after suffering a ransomware attack overnight. The organization, which is in the midst of its COVID-19 vaccination program, said the attack did not impact its ability to provide urgent medical care but that some routine checks and services might be delayed or canceled. The HSE described the ransomware incident as "significant" and "human-operated," a term used to describe high-end sophisticated ransomware groups which orchestrate targeted attacks against carefully selected big organizations. In a morning radio show with public broadcaster RTE, HSE Chief Executive Paul Reid said the agency's IT teams are currently investigating the incident to find out its breadth. In a different radio show, Reid identified the ransomware gang behind the attack as Conti, a ransomware gang that started operating in the summer of 2020.
United States

Big Tech Enters Fray To Save Jobs for Spouses of Foreign Workers (bloomberg.com) 88

Big Tech is wading into a legal fight over visas in an attempt to preserve jobs of spouses of its foreign employees who are working in the U.S. From a report: Amazon.com, Apple, Google, Microsoft and more than 20 other companies and organizations, including the U.S. Chamber of Commerce, on Friday urged a federal court in Washington to reject a lawsuit seeking to eliminate work authorization for more than 90,000 H-4 visa holders. Eliminating H-4 visas "would not only siphon off U.S. gross domestic product, but gift that productivity -- and the innovation that comes with it -- to other nations, harming America's global economic competitiveness into the future," the companies and organizations said in a so-called friend-of-court brief.

Under the Obama-era "H-4 Rule," the U.S. Department of Homeland Security in 2015 issued visas to spouses, more than 90% of whom are women, of more than 580,000 highly skilled workers who live in the U.S. on H-1B visas, according to the companies' filing. H-4 visas are critical to couples' decisions to come to the U.S., buy homes and raise children, they argue. The Trump administration attempted to dismantle the rule, but never introduced regulation to do so.

Privacy

Pentagon Surveilling Americans Without a Warrant, Senator Reveals (vice.com) 43

An anonymous reader quotes a report from Motherboard: The Pentagon is carrying out warrantless surveillance of Americans, according to a new letter written by Senator Ron Wyden and obtained by Motherboard. Senator Wyden's office asked the Department of Defense (DoD), which includes various military and intelligence agencies such as the National Security Agency (NSA) and the Defense Intelligence Agency (DIA), for detailed information about its data purchasing practices after Motherboard revealed special forces were buying location data. The responses also touched on military or intelligence use of internet browsing and other types of data, and prompted Wyden to demand more answers specifically about warrantless spying on American citizens.

Some of the answers the DoD provided were given in a form that means Wyden's office cannot legally publish specifics on the surveillance; one answer in particular was classified. In the letter Wyden is pushing the DoD to release the information to the public. A Wyden aide told Motherboard that the Senator is unable to make the information public at this time, but believes it would meaningfully inform the debate around how the DoD is interpreting the law and its purchases of data. "I write to urge you to release to the public information about the Department of Defense's (DoD) warrantless surveillance of Americans," the letter, addressed to Secretary of Defense Lloyd J. Austin III, reads. Wyden and his staff with appropriate security clearances are able to review classified responses, a Wyden aide told Motherboard. Wyden's office declined to provide Motherboard with specifics about the classified answer. But a Wyden aide said that the question related to the DoD buying internet metadata.

"Are any DoD components buying and using without a court order internet metadata, including 'netflow' and Domain Name System (DNS) records," the question read, and asked whether those records were about "domestic internet communications (where the sender and recipient are both U.S. IP addresses)" and "internet communications where one side of the communication is a U.S. IP address and the other side is located abroad." Netflow data creates a picture of traffic flow and volume across a network. DNS records relate to when a user looks up a particular domain, and a system then converts that text into the specific IP address for a computer to understand; essentially a form of internet browsing history. Wyden's new letter to Austin urging the DoD to release that answer and others says "Information should only be classified if its unauthorized disclosure would cause damage to national security. The information provided by DoD in response to my questions does not meet that bar."

Piracy

Disney Patents Blockchain-Based Movie Distribution System To Stop Pirates (torrentfreak.com) 95

A few days ago, Disney added a new anti-piracy patent to its arsenal: a blockchain-based distribution system that aims to make it harder for pirates to intercept films being distributed to movie theaters. TorrentFreak reports: The patent in question, titled "Blockchain configuration for secure content delivery," focuses on the distribution of content to movie theaters. This is a vulnerable process where pirates with the right connections can make copies during or after delivery. There are already several security mechanisms in place to prevent leaks from happening. Theaters have to adhere to strict rules, for example, and movies are all watermarked. Nevertheless, Disney believes that this isn't sufficient to stop pirates. "[S]uch security mechanisms are often reactive rather than preventative. For example, watermarking configurations insert a watermark into content to track piracy after the piracy has already occurred. As a result, current configurations do not adequately prevent piracy," the company explains.

Disney argues that by implementing a secure blockchain-based system, the distribution process can be more tightly controlled. Among other things, it will make it impossible for a movie to be played before it arrives at the intended location. "In contrast with previous configurations, the blockchain configuration verifies that the content is received at the intended destination prior to allowing playback of the content at that destination," the patent reads.

The system can also be configured with other anti-piracy features. For example, it can track the number of times a movie is played to prevent bad actors from showing it more often than they should. "Further, the blockchain configuration has an automated auditing mechanism that tracks playback of the content at the destination to ensure that the quantity of playbacks is accurately recorded. Therefore, piracy by the intended recipient, in the form of a greater quantity of actual playbacks than reported playbacks, is prevented.' While Disney regularly refers to movie theaters and projectors, it specifically states that the patent also applies to other 'playback environments.' For example, when Disney content is sent to other streaming providers, which will need the proper credentials to play the content. There are several possible practical implementations but whether Disney has concrete plans to use these in the real world is unknown.

Security

Hackers Used Fake GPU Overclocking Software To Push Malware (vice.com) 11

Computer hardware maker MSI is warning gamers not to visit a website that's impersonating the brand and its graphics card overclocking software, Afterburner, to push malware. From a report: On Thursday, MSI published a press release warning of "a malicious software being disguised as the official MSI Afterburner." "The malicious software is being unlawfully hosted on a suspicious website impersonating MSI's official website with the domain name https:// afterburner - msi [ . ] space," the company wrote. "MSI has no relation with this website or the aforementioned domain. [...] This webpage is hosting software which may contain a virus, trojan, keylogger, or other type of malicious program that has been disguised to look like MSI Afterburner," the company added. "DO NOT DOWNLOAD ANY SOFTWARE FROM THIS WEBSITE."
Security

Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom (bloomberg.com) 139

Colonial Pipeline paid nearly $5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country's largest fuel pipeline, Bloomberg reported Thursday, citing two people familiar with the transaction. From the report: The company paid the hefty ransom in untraceable cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company's efforts said.
Security

Hacker Group Behind Colonial Pipeline Attack Claims It Has Three New Victims (cnbc.com) 56

PolygamousRanchKid shares a report from CNBC: The hacker group DarkSide claimed on Wednesday to have attacked three more companies, despite the global outcry over its attack on Colonial Pipeline this week, which has caused shortages of gasoline and panic buying on the East Coast of the U.S. Over the past 24 hours, the group posted the names of three new companies on its site on the dark web, called DarkSide Leaks. The information posted to the site includes summaries of what the hackers appear to have stolen but do not appear to contain raw data. DarkSide is a criminal gang, and its claims should be treated as potentially misleading.

The posting indicates that the hacker collective is not backing down in the face of an FBI investigation and denunciations of the attack from the Biden administration. It also signals that the group intends to carry out more ransom attacks on companies, even after it posted a cryptic message earlier this week indicating regret about the impact of the Colonial Pipeline hack and pledging to introduce "moderation" to "avoid social consequences in the future." One of the companies is based in the United States, one is in Brazil and the third is in Scotland. None of them appear to engage in critical infrastructure. Each company appears to be small enough that a crippling hack would otherwise fly under the radar if the hackers hadn't received worldwide notoriety by crippling gasoline supplies in the United States.
In a separate report from The Associated Press, the East Coast pipeline company was found to have "atrocious" information management practices and "a patchwork of poorly connected and secured systems," according to an outside audit from three years ago. Slashdot reader wiredmikey shares an excerpt from the report: "We found glaring deficiencies and big problems," said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. "I mean an eighth-grader could have hacked into that system." Colonial said it initiated the restart of pipeline operations on Wednesday afternoon and that it would take several days for supply delivery to return to normal.
Government

Bill To Ban TikTok On US Government Devices Passes Committee (reuters.com) 45

The Senate Homeland Security and Governmental Affairs Committee unanimously passed a bill that would ban U.S. federal workers from downloading the popular app TikTok onto U.S. government devices, Senator Josh Hawley, a bill sponsor, said in a press statement on Wednesday. Reuters reports: The U.S. Senate unanimously approved a similar measure in August 2020. Representative Ken Buck has introduced a similar bill in the House. The app, which is popular with teens eager to show off dance moves, has come under fire in the United States because of concerns over its Chinese owner, ByteDance. TikTok has sought to distance itself from Beijing with mixed success. Hawley called the company "an immediate security threat." "This should not be a partisan issue and I'm glad to see my colleagues in the Senate act together to address Beijing's covert data collection campaign," Hawley said in a statement after the vote.
Businesses

Colonial Announces Pipeline Restart After Being Shut Down For Five Days Due To Cyberattack (nbcnews.com) 46

Colonial Pipeline, operator of the largest U.S. fuel pipeline, said Wednesday it is restarting operations after being shut down for five days due to a cyberattack. NBC News reports: The company shut down its entire operation Friday after its financial computer networks were infected by a Russia-tied hacker gang known as DarkSide, fearing that the hackers could spread to its industrial operations as well. The shutdown led to widespread gasoline shortages and caused temporary price spikes. "Colonial Pipeline initiated the restart of pipeline operations today at approximately 5 p.m. ET," the company said in a statement on its website. "Following this restart, it will take several days for the product delivery supply chain to return to normal."
Security

328 Weaknesses Found By WA Auditor-General In 50 Local Government Systems (zdnet.com) 17

An anonymous reader quotes a report from ZDNet: The Auditor-General of Western Australia on Wednesday tabled a report into the computer systems used at 50 local government entities, revealing 328 control weaknesses across the group. It was Auditor-General Caroline Spencer's intention to list the entities, but given the nature of her findings, all case studies included in Local Government General Computer Controls [PDF] omit entity and system names.

The report states that none of the 11 entities that the Auditor-General performed capability maturity assessments on met minimum targets. For the remaining 39, general computer controls audits were conducted. The audit probed information security, business continuity, management of IT risks, IT operations, change control, and physical security. Of the 328 control weaknesses, 33 rated as significant and 236 as moderate. Like last year, nearly half of all issues were about information security. The capability assessment results, meanwhile, showed that none of the 11 audited entities met the auditor's expectations across the six control categories, with 79% of the audit results below the minimum benchmark. [...] The report provided six recommendations, one for each of the security types audited. These included implementing appropriate frameworks and management structures, identifying IT risks, and patching.

Security

Colonial Pipeline Sought Cyber Chief Months Before Criminal Hack (bloomberg.com) 71

The company targeted in the biggest pipeline hack in history began searching for a cyber-security chief two months ago. From a report: Colonial Pipeline sought someone with a master's degree in computer science to develop and maintain "an incident response plan and processes to address potential threats," according to the company's website. The ad also was posted on LinkedIn and job-seeking sites. A criminal hack paralyzed North America's biggest fuel pipeline late last week choking off almost half of the gasoline and diesel burned on the U.S. East Coast. Gas stations across several states have run dry amid panic buying and soaring retail prices. "The cybersecurity position was not created as a result of the recent ransomware attack," the company said in an email.
Security

FBI Warns of Cybercriminals Abusing Search Ads To Promote Phishing Sites (therecord.media) 11

The Federal Bureau of Investigation says that cybercrime gangs are using search results and search engine ads to lure victims to phishing sites for financial institutions in order to collect their login credentials. From a report: "The schemes resulted in illicit ACH transfers amounting to hundreds of thousands of dollars in financial losses," the FBI said in a private industry notification (PIN) sent to the US private sector on Tuesday. The PIN alert, which The Record cannot share due to TLP sharing restrictions, describes a particular phishing campaign mimicking the brand of an unnamed US-based financial institution. "The cyber actors conducted two versions of the scheme," the FBI said. In the first version, the threat actor used search engine ads, while in the second version, they relied on the phishing site appearing in organic search results on its own.
Wireless Networking

Tech Industry Quietly Patches FragAttacks Wi-Fi Flaws That Leak Data, Weaken Security (theregister.com) 37

An anonymous reader quotes a report from The Register: A dozen Wi-Fi design and implementation flaws make it possible for miscreants to steal transmitted data and bypass firewalls to attack devices on home networks, according to security researcher Mathy Vanhoef. On Tuesday, Vanhoef, a postdoctoral researcher in computer security at New York University Abu Dhabi, released a paper titled, "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation" [PDF]. Scheduled to be presented later this year at the Usenix Security conference, the paper describes a set of wireless networking vulnerabilities, including three Wi-Fi design flaws and nine implementation flaws. Vanhoef, who in 2017 along with co-author Frank Piessens identified key reinstallation attacks (KRACKs) on the WPA2 protocol (used to secure Wi-Fi communication), has dubbed his latest research project FragAttacks, which stands for fragmentation and aggregation attacks.

The dozen vulnerabilities affect all Wi-Fi security protocols since the wireless networking technology debuted in 1997, from WEP up through WPA3. [...] In total, 75 devices -- network card and operating system combinations (Windows, Linux, Android, macOS, and iOS) -- were tested and all were affected by one or more of the attacks. NetBSD and OpenBSD were not affected because they don't support the reception of A-MSDUs (aggregate MAC service data units). [...]

Patches for many affected devices and software have already been deployed, thanks to a nine-month-long coordinated responsible disclosure overseen by the Wi-Fi Alliance and the Industry Consortium for Advancement of Security on the Internet (ICASI). Linux patches have been applied and the kernel mailing list note mentions that Intel has addressed the flaws in a recent firmware update without mentioning it. Microsoft released its patches on March 9, 2021 when disclosure was delayed, though Redmond had already committed to publication. Vanhoef advises checking with the vendor(s) of Wi-Fi devices about whether the FragAttacks have been addressed. "[F]or some devices the impact is minor, while for others it's disastrous," he said.

NASA

NASA's OSIRIS-REx Spacecraft Heads For Earth With Asteroid Sample (nasa.gov) 24

Obipale shares a press release from NASA: After nearly five years in space, NASA's Origins, Spectral Interpretation, Resource Identification, Security, Regolith Explorer (OSIRIS-REx) spacecraft is on its way back to Earth with an abundance of rocks and dust from the near-Earth asteroid Bennu. On Monday, May 10, at 4:23 p.m. EDT the spacecraft fired its main engines full throttle for seven minutes -- its most significant maneuver since it arrived at Bennu in 2018. This burn thrust the spacecraft away from the asteroid at 600 miles per hour (nearly 1,000 kilometers per hour), setting it on a 2.5-year cruise towards Earth. After releasing the sample capsule, OSIRIS-REx will have completed its primary mission. It will fire its engines to fly by Earth safely, putting it on a trajectory to circle the sun inside of Venus' orbit. After orbiting the Sun twice, the OSIRIS-REx spacecraft is due to reach Earth Sept. 24, 2023. Upon return, the capsule containing pieces of Bennu will separate from the rest of the spacecraft and enter Earth's atmosphere. The capsule will parachute to the Utah Test and Training Range in Utah's West Desert, where scientists will be waiting to retrieve it.

"OSIRIS-REx's many accomplishments demonstrated the daring and innovative way in which exploration unfolds in real time," said Thomas Zurbuchen, associate administrator for science at NASA Headquarters. "The team rose to the challenge, and now we have a primordial piece of our solar system headed back to Earth where many generations of researchers can unlock its secrets." To realize the mission's multi-year plan, a dozen navigation engineers made calculations and wrote computer code to instruct the spacecraft when and how to push itself away from Bennu. After departing from Bennu, getting the sample to Earth safely is the team's next critical goal. This includes planning future maneuvers to keep the spacecraft on course throughout its journey.

Security

East Coast Facing Gas Shortage Due To Ransomware Attack 157

New submitter TheCowSaysMoo writes: Gas stations from Florida to Virginia began running dry and prices at the pump jumped on Tuesday as the shutdown of the biggest U.S. fuel pipeline by hackers extended into a fifth day and sparked panic buying by motorists. About 7.5% of gas stations in Virginia and 5% in North Carolina had no fuel on Tuesday as demand jumped 20%, tracking firm GasBuddy said. Prices rose to their highest in more than six years, and Georgia suspended sales tax on gas until Saturday to ease the strain on consumers. North Carolina declared an emergency. Colonial Pipeline has forecast that it will not substantially restore operations of the 5,500-mile pipeline network that supplies nearly half of the East Coast's fuel until the end of the week. The company preventively shut the pipeline on Friday after hackers locked its computers and demanded ransom, underscoring the vulnerability of U.S. energy infrastructure to cyberattack.
