DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×
Security

Antivirus Webroot Deletes Windows Files, Causes Serious Problems For Users (pcworld.com) 54

Users of Webroot's endpoint security product, consumers and businesses alike, had a nasty surprise Monday when the program started flagging Windows files as malicious. From a report: The reports quickly popped up on Twitter and continued on the Webroot community forum -- 14 pages and counting. The company came up with a manual fix to address the issue, but many users still had problems recovering their affected systems. The problem is what's known in the antivirus industry as a "false positive" -- a case where a clean file is flagged as malicious and is blocked or deleted. False positive incidents can range in impact from merely annoying -- for example, when a program cannot run anymore -- to crippling, where the OS itself is affected and no longer boots. The Webroot incident falls somewhere in the middle because it affected legitimate Windows files and sent them to quarantine. This is somewhat unusual because antivirus firms typically build whitelists of OS files specifically to prevent false positive detections.
Botnet

BrickerBot, the Permanent Denial-of-Service Botnet, Is Back With a Vengeance (arstechnica.com) 90

An anonymous reader quotes a report from Ars Technica: BrickerBot, the botnet that permanently incapacitates poorly secured Internet of Things devices before they can be conscripted into Internet-crippling denial-of-service armies, is back with a new squadron of foot soldiers armed with a meaner arsenal of weapons. Pascal Geenens, the researcher who first documented what he calls the permanent denial-of-service botnet, has dubbed the fiercest new instance BrickerBot.3. It appeared out of nowhere on April 20, exactly one month after BrickerBot.1 first surfaced. Not only did BrickerBot.3 mount a much quicker number of attacks -- with 1,295 attacks coming in just 15 hours -- it used a modified attack script that added several commands designed to more completely shock and awe its targets. BrickerBot.1, by comparison, fired 1,895 volleys during the four days it was active, and the still-active BrickerBot.2 has spit out close to 12 attacks per day. Shortly after BrickerBot.3 began attacking, Geenens discovered BrickerBot.4. Together, the two newly discovered instances have attempted to attack devices in the research honeypot close to 1,400 times in less than 24 hours. Like BrickerBot.1, the newcomer botnets are made up of IoT devices running an outdated version of the Dropbear SSH server with public, geographically dispersed IP addresses. Those two characteristics lead Geenens to suspect the attacking devices are poorly secured IoT devices themselves that someone has compromised and used to permanently take out similarly unsecured devices. Geenens, of security firm Radware, has more details here.
Operating Systems

NSA's DoublePulsar Kernel Exploit a 'Bloodbath' (threatpost.com) 166

msm1267 quotes a report from Threatpost: A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power to the Conficker bug, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for years to come. MS17-010 was released in March and it closes a number of holes in Windows SMB Server exploited by the NSA. Exploits such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance that are part of the Fuzzbunch exploit platform all drop DoublePulsar onto compromised hosts. DoublePulsar is a sophisticated memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish. "This is a full ring0 payload that gives you full control over the system and you can do what you want to it," said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his analysis last Friday. "This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it's still found in a lot of places," Dillon said. "I find it everywhere. This is the most critical Windows patch since that vulnerability." Dan Tentler, founder and CEO of Phobos Group, said internet-net wide scans he's running have found about 3.1 percent of vulnerable machines are already infected (between 62,000 and 65,000 so far), and that percentage is likely to go up as scans continue. "This is easily describable as a bloodbath," Tentler said.
Security

Wall Street IT Engineer Hacks Employer To See If He'll Be Fired (bleepingcomputer.com) 192

An anonymous reader writes: A Wall Street engineer was arrested for planting credentials-logging malware on his company's servers. According to an FBI affidavit, the engineer used these credentials to log into fellow employees' accounts. The engineer claims he did so only because he heard rumors of an acquisition and wanted to make sure he wouldn't be let go. In reality, the employee did look at archived email inboxes, but he also stole encryption keys needed to access the protected source code of his employer's trading platform and trading algorithms.

Using his access to the company's Unix network (which he gained after a promotion last year), the employee then rerouted traffic through backup servers in order to avoid the company's traffic monitoring solution and steal the company's source code. The employee was caught after he kept intruding and disconnecting another employee's RDP session. The employee understood someone hacked his account and logged the attacker's unique identifier. Showing his total lack of understanding for how technology, logging and legal investigations work, the employee admitted via email to a fellow employee that he installed malware on the servers and hacked other employees.

Businesses

Uber Tried To Hide Its Secret IPhone Fingerprinting From Apple (cnbc.com) 113

theodp quotes today's New York Times profile of Uber CEO Travis Kalanick: For months, Mr. Kalanick had pulled a fast one on Apple by directing his employees to help camouflage the ride-hailing app from Apple's engineers. The reason? So Apple would not find out that Uber had secretly been tracking iPhones even after its app had been deleted from the devices, violating Apple's privacy guidelines.
Uber told TechCrunch this afternoon that it still uses a form of this device fingerprinting, saying they need a way to identify those devices which committed fraud in the past -- especially in China, where Uber drivers used stolen iPhones to request dozens of rides from themselves to increase their pay rate. It's been modified to comply with Apple's rules, and "We absolutely do not track individual users or their location if they've deleted the app..." an Uber spokesperson said. "Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users."

The article offers a longer biography of Kalanick, who dropped out of UCLA in 1998 to start a peer-to-peer music-sharing service named Scour. (The service eventually declared bankruptcy after being sued for $250 billion for alleged copyright infringement.) Desperately trying to save his next company, Kalanick "took the tax dollars from employee paychecks -- which are supposed to be withheld and sent to the Internal Revenue Service," according to the Times, "and reinvested the money into the start-up, even as friends and advisers warned him the action was potentially illegal." The money eventually reached the IRS as he "staved off bankruptcy for a second time by raising another round of funding." But the article ultimately argues that Kalanick's drive to win in life "has led to a pattern of risk-taking that has put his ride-hailing company on the brink of implosion."
Security

Companies Are Paying Millions For White Hat Hacking (nypost.com) 55

White hat hackers "are in very high demand," says PwC's director of cyber investigation and breach response, in a New York Post article titled "Companies are paying millions to get hacked -- on purpose." An anonymous reader quotes their report: HackerOne, a San Francisco-based "vulnerability coordination and bug bounty platform," reports that it has some 800 corporate customers who paid out more than $15 million in bonuses to white-hat hackers since its founding in 2012. Most of that bounty was paid in the past two years, as companies have become more aware of their cyber vulnerabilities. Clients that have used the platform include General Motors, Uber, Twitter, Starbucks and even the US Department of Defense.
Google paid $3 million last year through its own bounty program, according to HackerOne's CEO Marten Micko, who touts his company's "turn-key" solution -- a platform which now offers the services of 100,000 ethical (and vetted) hackers. "With a diverse group, all types of vulnerabilities can be found," Micko told TechRepublic. "This is a corollary to the 'given enough eyeballs' wisdom... they find them faster than other solutions, the hunting is ongoing and not happening at just one time, and the cost is a tenth of what it would be with other methods." And one of the platform's white hat hackers has already earned over $600,000 in just two years.
Programming

Flawed Online Tutorials Led To Vulnerabilities In Software (helpnetsecurity.com) 93

An anonymous reader quotes Help Net Security: Researchers from several German universities have checked the PHP codebases of over 64,000 projects on GitHub, and found 117 vulnerabilities that they believe have been introduced through the use of code from popular but insufficiently reviewed tutorials. The researchers identified popular tutorials by inputting search terms such as "mysql tutorial", "php search form", "javascript echo user input", etc. into Google Search. The first five results for each query were then manually reviewed and evaluated for SQLi and XSS vulnerabilities by following the Open Web Application Security Project's Guidelines. This resulted in the discovery of 9 tutorials containing vulnerable code (6 with SQLi, 3 with XSS).
The researchers then checked for the code in GitHub repositories, and concluded that "there is a substantial, if not causal, link between insecure tutorials and web application vulnerabilities." Their paper is titled "Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery."
Government

CIA, FBI Launch Manhunt For WikiLeaks Source (cbsnews.com) 198

An anonymous reader quotes CBS: CBS News has learned that a manhunt is underway for a traitor inside the Central Intelligence Agency. The CIA and FBI are conducting a joint investigation into one of the worst security breaches in CIA history, which exposed thousands of top-secret documents that described CIA tools used to penetrate smartphones, smart televisions and computer systems. Sources familiar with the investigation say it is looking for an insider -- either a CIA employee or contractor -- who had physical access to the material... Much of the material was classified and stored in a highly secure section of the intelligence agency, but sources say hundreds of people would have had access to the material. Investigators are going through those names.
Homeland security expert Michael Greenberger told one CBS station that "My best guest is that when this is all said and done we're going to find out that this was done by a contractor, not by an employee of the CIA."
Microsoft

Microsoft Will Block Desktop 'Office' Apps From 'Office 365' Services In 2020 (techradar.com) 216

An anonymous reader writes: Microsoft is still encouraging businesses to rent their Office software, according to TechRadar. "In a bid to further persuade users of the standalone versions of Office to shift over to a cloud subscription (Office 365), Microsoft has announced that those who made a one-off purchase of an Office product will no longer get access to the business flavours of OneDrive and Skype come the end of the decade." PC World explains that in reality this affects very few users. "If you've been saving all of your Excel spreadsheets into your OneDrive for Business cloud, you'll need to download and move them over to a personal subscription -- or pony up for Office 365, as Microsoft really wants you to do."

Microsoft is claiming that when customers connect to Office 365 services using a legacy version of Office, "they're not enjoying all that the service has to offer. The IT security and reliability benefits and end user experiences in the apps is limited to the features shipped at a point in time. To ensure that customers are getting the most out of their Office 365 subscription, we are updating our system requirements." And in another blog post, they're almost daring people to switch to Linux. "Providing over three years advance notice for this change to Office 365 system requirements for client connectivity gives you time to review your long-term desktop strategy, budget and plan for any change to your environment."

In a follow-up comment, Microsoft's Alistair Speirs explained that "There is still an option to get monthly desktop updates, but we are changing the 3x a year update channel to be 2x a year to align closer to Windows 10 update model. We are trying to strike the right balance between agile, ship-when-ready updates and enterprise needs of predictability, reliability and advanced notice to validate and prepare."
Government

WikiLeaks Releases New CIA Secret: Tapping Microphones On Some Samsung TVs (fossbytes.com) 100

FossBytes reports: The whistleblower website Wikileaks has published another set of hacking tools belonging to the American intelligence agency CIA. The latest revelation includes a user guide for CIA's "Weeping Angel" tool... derived from another tool called "Extending" which belongs to UK's intelligence agency MI5/BTSS, according to Wikileaks. Extending takes control of Samsung F Series Smart TV. The highly detailed user guide describes it as an implant "designed to record audio from the built-in microphone and egress or store the data."

According to the user guide, the malware can be deployed on a TV via a USB stick after configuring it on a Linux system. It is possible to transfer the recorded audio files through the USB stick or by setting up a WiFi hotspot near the TV. Also, a Live Liston Tool, running on a Windows OS, can be used to listen to audio exfiltration in real-time. Wikileaks mentioned that the two agencies, CIA and MI5/BTSS made collaborative efforts to create Weeping Angel during their Joint Development Workshops.

Botnet

Developer of BrickerBot Malware Claims He Destroyed Over Two Million Devices (bleepingcomputer.com) 88

An anonymous reader writes: In an interview today, the author of BrickerBot, a malware that bricks IoT and networking devices, claimed he destroyed over 2 million devices, but he never intended to do so in the first place. His intentions were to fight the rising number of IoT botnets that were used to launch DDoS attacks last year, such as Gafgyt and Mirai. He says he created BrickerBot with 84 routines that try to secure devices so they can't be taken over by Mirai and other malware. Nevertheless, he realized that some devices are so badly designed that he could never protect them. He says that for these, he created a "Plan B," which meant deleting the device's storage, effectively bricking the device. His identity was revealed after a reporter received an anonymous tip about a HackForum users claiming he was destroying IoT devices since last November, just after BrickerBot appeared. When contacted, BrickerBot's author revealed that the malware is a personal project which he calls "Internet Chemotherapy" and he's "the doctor" who will kill all the cancerous unsecured IoT devices.
Crime

DOJ: Russian 'Superhacker' Gets 27 Years In Prison (thedailybeast.com) 50

According to the Justice Department, a 32-year-old Russian "superhacker" has been sentenced to 27 years in prison for stealing and selling millions of credit-card numbers, causing more than $169 million worth of damages to business and financial institutions. The Daily Beast reports: Roman Valeryevich Seleznev, 32, aka Track2, son of a prominent Russian lawmaker, was convicted last year on 38 counts of computer intrusion and credit-card fraud. "This investigation, conviction and sentence demonstrates that the United States will bring the full force of the American justice system upon cybercriminals like Seleznev who victimize U.S. citizens and companies from afar," said Acting Assistant Attorney General Kenneth Blanco said in a statement. "And we will not tolerate the existence of safe havens for these crimes -- we will identify cybercriminals from the dark corners of the Internet and bring them to justice."
Security

Teenage Hackers Motivated By Morality Not Money, Study Finds (theguardian.com) 74

Teenage hackers are motivated by idealism and impressing their mates rather than money, according to a study by the National Crime Agency. From a report: The law enforcement organisation interviewed teenagers and children as young as 12 who had been arrested or cautioned for computer-based crimes. It found that those interviewed, who had an average age of 17, were unlikely to be involved in theft, fraud or harassment. Instead they saw hacking as a "moral crusade", said Paul Hoare, senior manager at the NCA's cybercrime unit, who led the research. Others were motivated by a desire to tackle technical problems and prove themselves to friends, the report found. Speaking to BBC Radio 4's Today programme, Hoare said: "They don't understand the implications on business, government websites and individuals."
Crime

US Prepares Charges To Seek Arrest of WikiLeaks' Julian Assange (cnn.com) 369

An anonymous reader quotes a report from CNN: U.S. authorities have prepared charges to seek the arrest of WikiLeaks founder Julian Assange, U.S. officials familiar with the matter tell CNN. The Justice Department investigation of Assange and WikiLeaks dates to at least 2010, when the site first gained wide attention for posting thousands of files stolen by the former U.S. Army intelligence analyst now known as Chelsea Manning. Prosecutors have struggled with whether the First Amendment precluded the prosecution of Assange, but now believe they have found a way to move forward. During President Barack Obama's administration, Attorney General Eric Holder and officials at the Justice Department determined it would be difficult to bring charges against Assange because WikiLeaks wasn't alone in publishing documents stolen by Manning. Several newspapers, including The New York Times, did as well. The investigation continued, but any possible charges were put on hold, according to U.S. officials involved in the process then.
The U.S. view of WikiLeaks and Assange began to change after investigators found what they believe was proof that WikiLeaks played an active role in helping Edward Snowden, a former NSA analyst, disclose a massive cache of classified documents.
Attorney General Jeff Sessions said at a news conference Thursday that Assange's arrest is a "priority." "We are going to step up our effort and already are stepping up our efforts on all leaks," he said. "This is a matter that's gone beyond anything I'm aware of. We have professionals that have been in the security business of the United States for many years that are shocked by the number of leaks and some of them are quite serious. So yes, it is a priority. We've already begun to step up our efforts and whenever a case can be made, we will seek to put some people in jail." Meanwhile, Assange's lawyer said they have "had no communication with the Department of Justice."
Security

Ambient Light Sensors Can Be Used To Steal Browser Data (bleepingcomputer.com) 37

An anonymous reader writes: "Over the past decade, ambient light sensors have become quite common in smartphones, tablets, and laptops, where they are used to detect the level of surrounding light and automatically adjust a screen's intensity to optimize battery consumption... and other stuff," reports Bleeping Computer. "The sensors have become so prevalent, that the World Wide Web Consortium (W3C) has developed a special API that allows websites (through a browser) to interact with a device's ambient light sensors. Browsers such as Chrome and Firefox have already shipped versions of this API with their products." According to two privacy and security experts, Lukasz Olejnik and Artur Janc, malicious web pages can launch attacks using this new API and collect data on users, such as URLs they visited in the past and extract QR codes displayed on the screen. This is possible because the light coming from the screen is picked up by these sensors. Mitigating such attacks is quite easy, as it only requires browser makers and the W3C to adjust the default frequency at which the sensors report their readings. Furthermore, the researcher also recommends that browser makers quantize the result by limiting the precision of the sensor output to only a few values in a preset range. The two researchers filed bug reports with both Chrome and Firefox in the hopes their recommendations will be followed.
Security

Mastercard is Building Fingerprint Scanners Directly Into Its Cards (fastcompany.com) 85

Mastercard said on Thursday it's beginning trials of its "next-generation biometric card" in South Africa. In addition to the standard chip and pin, the new cards have a built-in fingerprint reader that the user can use to authenticate every purchase. From a report: Impressively, the new card is no thicker or larger than your current credit and debit cards.
Government

President Trump Misses 90-Day Deadline To Appoint a Cybersecurity Team After Alleged Russian Hacking (politico.com) 338

From a report: President-elect Donald Trump was very clear: "I will appoint a team to give me a plan within 90 days of taking office," he said in January, after getting a U.S. intelligence assessment of Russian interference in last year's elections and promising to address cybersecurity. Thursday, Trump hits his 90-day mark. There is no team, there is no plan, and there is no clear answer from the White House on who would even be working on what. It's the latest deadline Trump's set and missed -- from the press conference he said his wife would hold last fall to answer questions about her original immigration process to the plan to defeat ISIS that he'd said would come within his first 30 days in office. Since his inauguration, Trump's issued a few tweets and promises to get to the bottom of Russian hacking -- and accusations of surveillance of Americans, himself included, by the Obama administration.
China

China To Question Apple About Live-Streaming Apps On App Store That Violate Internet Regulations (theguardian.com) 31

Three Chinese government agencies are planning to tell Apple to "tighten up checks" on live-streaming software offered on its app store, which can be used to violate internet regulation in the country. "Law enforcement officers had already met with Apple representatives over live-streaming services, [state news agency Xinhua reported], but did not provide details of the meetings," reports The Guardian. From the report: The inquiry appears to be focused on third-party apps available for download through Apple's online marketplace. The company did not respond to requests for comment. China operates the world's largest internet censorship regime, blocking a host of foreign websites including Google, Facebook, Twitter and Instagram, but the authorities have struggled to control an explosion in popularity of live-streaming video apps. As part of the inquiry into live-streaming, three Chinese websites -- toutiao.com, huoshanzhibo.com and huajiao.com -- were already found to have violated internet regulations, and had broadcast content that violated Chinese law, including providing "pornographic content," the Xinhua report said. Pornography is banned in China. The three sites were told to increase oversight of live-broadcasting services, user registration and "the handling of tips-offs." Two of the websites, huoshanzhibo.com and huajiao.com, were under formal investigation and may have their cases transferred to the police for criminal prosecutions, the Xinhua report said. Casting a wide net, the regulations state that apps cannot "engage in activities prohibited by laws and regulations such as endangering national security, disrupting social order and violating the legitimate rights and interests of others."
Communications

Microsoft's Skype Is Most Used Messaging Service For Cyber Criminals, Study Finds (securityledger.com) 57

chicksdaddy quotes a report from The Security Ledger: Cyber criminals lurk in the dark recesses of the internet, striking at random and then disappearing into the virtual ether. But when they want to talk shop with their colleagues, they turn to Redmond, Washington-based Microsoft and its Skype communications tools, according to an analysis by the firm Flashpoint. Mentions of different platforms were used as a proxy for gauging interest in and use of these messaging services. Flashpoint analysts looked, especially, for invitations to continue conversation outside of cyber criminal marketplaces, like references to ICQ accounts or other platforms. The survey results show that, out of a population of around 80 instant messenger platforms and protocols, a short list of just five platforms accounts for between 80% and 90% of all mentions within the cyber underground. Of those, Microsoft's Skype was the chat king. It ranked among the top five platforms across all language groups. That, despite the platform's lack of end-to-end encryption or forward secrecy features and evidence, courtesy of NSA hacker Edward Snowden, that U.S. spies may have snooped on Skype video calls in recent years, The Security Ledger reports. The conclusion: while security is a priority amongst thieves, it isn't the sole concern that cyber criminals and their associates have. In fact, sophisticated hacking communities like those in Russia to continue to rely on legacy platforms like ICQ when provably more secure alternatives exist. The reason? Business. "These cyber criminals have a lot of different options that they're juggling and a lot of factors that weigh on their options," said Leroy Terrelonge III, the Director of Middle East and Africa Research at Flashpoint. "We might suspect that cyber criminals use the most secure means of communication all the time, that's not what our research showed."
Security

User-Made Patch Lets Owners of Next-Gen CPUs Install Updates On Windows 7 & 8.1 (bleepingcomputer.com) 218

An anonymous reader quotes a report from BleepingComputer: GitHub user Zeffy has created a patch that removes a limitation that Microsoft imposed on users of 7th generation processors, a limit that prevents users from receiving Windows updates if they still use Windows 7 and 8.1. This limitation was delivered through Windows Update KB4012218 (March 2017 Patch Tuesday) and has made many owners of Intel Kaby Lake and AMD Bristol Ridge CPUs very angry last week, as they weren't able to install any Windows updates. Microsoft's move was controversial, but the company did its due diligence, and warned customers of its intention since January 2016, giving users enough time to update to Windows 10, move to a new OS, or downgrade their CPU, if they needed to remain on Windows 7 or 8.1 for various reasons. When the April 2017 Patch Tuesday came around last week, GitHub user Zeffy finally had the chance to test four batch scripts he created in March, after the release of KB4012218. His scripts worked as intended by patching Windows DLL files, skipping the CPU version check, and delivering updates to Windows 7 and 8.1 computers running 7th generation CPUs.

Slashdot Top Deals