Android

Some Low-Cost Android Phones Shipped With Malware Built In (techcrunch.com) 40

More than 100 different low-cost Android models from manufacturers such as ZTE, Archos, and myPhone ship with malware pre-installed, researchers at Avast Threat Labs reported on Thursday. Users in more than 90 countries, including the U.S., are affected by this, the researchers said. From a report: The malware, called called Cosiloon, overlays advertisements over the operating system in order to promote apps or even trick users into downloading apps. The app consists of a dropper and a payload. "The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under 'settings.' We have seen the dropper with two different names, 'CrashService' and 'ImeMess,'" wrote Avast.

The dropper then connects with a website to grab the payloads that the hackers wish to install on the phone. "The XML manifest contains information about what to download, which services to start and contains a whitelist programmed to potentially exclude specific countries and devices from infection. However, we've never seen the country whitelist used, and just a few devices were whitelisted in early versions. Currently, no countries or devices are whitelisted. The entire Cosiloon URL is hardcoded in the APK."

Bug

T-Mobile Bug Let Anyone See Any Customer's Account Details (zdnet.com) 32

An anonymous reader writes: A bug in T-Mobile's website let anyone access the personal account details of any customer with just their cell phone number, ZDNet reported Thursday. The flaw, since fixed, could have been exploited by anyone who knew where to look -- a little-known T-Mobile subdomain that staff use as a customer care portal to access the company's internal tools. The subdomain -- promotool.t-mobile.com, which can be easily found on search engines -- contained a hidden API that would return T-Mobile customer data simply by adding the customer's cell phone number to the end of the web address.

Although the API is understood to be used by T-Mobile staff to look up account details, it wasn't protected with a password and could be easily used by anyone. The returned data included a customer's full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers' account information, such as if a bill is past-due or if the customer had their service suspended.

Bitcoin

About $1.2 Billion in Cryptocurrency Stolen Since 2017 (reuters.com) 46

Criminals have stolen about $1.2 billion in cryptocurrencies since the beginning of 2017, as bitcoin's popularity and the emergence of more than 1,500 digital tokens have put the spotlight on the unregulated sector, according to estimates from the Anti-Phishing Working Group released on Thursday. From a report: The estimates were part of the non-profit group's research on cryptocurrency and include reported and unreported theft. "One problem that we're seeing in addition to the criminal activity like drug trafficking and money laundering using cryptocurrencies is the theft of these tokens by bad guys," Dave Jevans, chief executive officer of cryptocurrency security firm CipherTrace, told Reuters in an interview.
Privacy

Woman Says Alexa Device Recorded Her Private Conversation and Sent It To Random Contact; Amazon Confirms the Incident (kiro7.com) 224

Gary Horcher, reporting for KIRO7: A Portland family contacted Amazon to investigate after they say a private conversation in their home was recorded by Amazon's Alexa -- the voice-controlled smart speaker -- and that the recorded audio was sent to the phone of a random person in Seattle, who was in the family's contact list. "My husband and I would joke and say I'd bet these devices are listening to what we're saying," said Danielle, who did not want us to use her last name. Every room in her family home was wired with the Amazon devices to control her home's heat, lights and security system. But Danielle said two weeks ago their love for Alexa changed with an alarming phone call. "The person on the other line said, 'unplug your Alexa devices right now,'" she said. '"You're being hacked.'" That person was one of her husband's employees, calling from Seattle. "We unplugged all of them and he proceeded to tell us that he had received audio files of recordings from inside our house," she said. "At first, my husband was, like, 'no you didn't!' And the (recipient of the message) said 'You sat there talking about hardwood floors.' And we said, 'oh gosh, you really did hear us.'" Danielle listened to the conversation when it was sent back to her, and she couldn't believe someone 176 miles away heard it too. In a statement, an Amazon spokesperson said, "Amazon takes privacy very seriously. We investigated what happened and determined this was an extremely rare occurrence. We are taking steps to avoid this from happening in the future."

Further reading: Amazon Admits Its AI Alexa is Creepily Laughing at People.
Botnet

FBI Seizes Control of Russian Botnet (thedailybeast.com) 169

The Daily Beast reports that the FBI has seized control of a key server in the Kremlin's global botnet of 500,000 hacked routers. "The move positions the bureau to build a comprehensive list of victims of the attack, and short-circuits Moscow's ability to reinfect its targets," writes Kevin Poulsen. From the report: The FBI counter-operation goes after "VPN Filter," a piece of sophisticated malware linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election. On Wednesday security researchers at Cisco and Symantec separately provided new details on the malware, which has turned up in 54 countries including the United States.

VPN Filter uses known vulnerabilities to infect home office routers made by Linksys, MikroTik, NETGEAR, and TP-Link. Once in place, the malware reports back to a command-and-control infrastructure that can install purpose-built plug-ins, according to the researchers. One plug-in lets the hackers eavesdrop on the victim's Internet traffic to steal website credentials; another targets a protocol used in industrial control networks, such as those in the electric grid. A third lets the attacker cripple any or all of the infected devices at will.

Security

Personal Records of Nearly 1 Million South Africans Leaked Online (iafrikan.com) 22

Tefo Mohapi, reporting for iAfrikan: Barely a year after South Africa's largest data leak was revealed in 2017, the country has suffered yet another data leak as 934,000 personal records of South Africans have been leaked publicly online. The data includes, among others, national identity numbers (ID numbers), e-mail addresses, full names, as well as plain text passwords to what appears to be a traffic fines related online system. Working together with Troy Hunt, an Australian Security consultant and founder of haveibeenpwned, along with an anonymous source that has been communicating with iAfrikan and Hunt, we've managed to establish that the data was backed up or posted publicly by one of the companies responsible for traffic fines online payments in South Africa. "I have a new leak which might be worthwhile, the database leak contains 1 million records of personal information of South African citizens. Including Identity numbers, cell phone numbers, email addresses, and passwords. I am aware of the website this was leaked from," said our source upon initial contact.
Government

US Government Can't Get Controversial Kaspersky Lab Software Off Its Networks (thedailybeast.com) 119

The law says American agencies must eliminate the use of Kaspersky Lab software by October. But U.S. officials say that's impossible as the security suite is embedded too deep in our infrastructure, The Daily Beast reported Wednesday. From a report: Multiple divisions of the U.S. government are confronting the reality that code written by the Moscow-based security company is embedded deep within American infrastructure, in routers, firewalls, and other hardware -- and nobody is certain how to get rid of it. "It's messy, and it's going to take way longer than a year," said one U.S. official. "Congress didn't give anyone money to replace these devices, and the budget had no wiggle-room to begin with."

At issue is a provision of the National Defense Authorization Act (NDAA) enacted last December that requires the government to fully purge itself of "any hardware, software, or services developed or provided, in whole or in part," by Kaspersky Lab. The law was a dramatic expansion of an earlier DHS directive that only outlawed "Kaspersky-branded" products. Both measures came after months of saber rattling by the U.S., which has grown increasingly anxious about Kaspersky's presence in federal networks in the wake of Russia's 2016 election interference campaign.

Security

Backdoor Account Found in D-Link DIR-620 Routers (bleepingcomputer.com) 113

Catalin Cimpanu, writing for BleepingComputer: Security researchers have found a backdoor account in the firmware of D-Link DIR-620 routers that allows hackers to take over any device reachable via the Internet. Discovered by Kaspersky Lab researchers, this backdoor grants an attacker access to the device's web panel, and there's no way in which device owners can disable this secret account. The only way to protect devices from getting hacked is to avoid having the router expose its admin panel on the WAN interface, and hence, reachable from anywhere on the Internet.
Security

Cyber Firms Warn on Suspected Russian Plan To Attack Ukraine (reuters.com) 70

Jim Finkle, reporting for Reuters: Cisco Systems on Wednesday warned that hackers have infected at least 500,000 routers and storage devices in dozens of countries with highly sophisticated malicious software, possibly in preparation for another massive cyber attack on Ukraine. Cisco's Talos cyber intelligence unit said it has high confidence that the Russian government is behind the campaign, dubbed VPNFilter, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow. Cisco said the malware could be used for espionage, to interfere with internet communications or launch destructive attacks on Ukraine, which has previously blamed Russia for massive hacks that took out parts of its energy grid and shuttered factories. Head of Ukraine's cyber police said on Wednesday that the agency is aware of new large malware campaign, and that it is working to protect Ukraine against possible new cyber threat.
Encryption

FBI Repeatedly Overstated Encryption Threat Figures To Congress, Public (techcrunch.com) 152

mi shares a report from The Washington Post (Warning: source may be paywalled; alternative source): The FBI has repeatedly provided grossly inflated statistics to Congress and the public about the extent of problems posed by encrypted cellphones, claiming investigators were locked out of nearly 7,800 devices connected to crimes last year when the correct number was much smaller, probably between 1,000 and 2,000.

Over a period of seven months, FBI Director Christopher A. Wray cited the inflated figure as the most compelling evidence for the need to address what the FBI calls "Going Dark" -- the spread of encrypted software that can block investigators' access to digital data even with a court order. "The FBI's initial assessment is that programming errors resulted in significant over-counting of mobile devices reported,'' the FBI said in a statement Tuesday. The bureau said the problem stemmed from the use of three distinct databases that led to repeated counting of phones. Tests of the methodology conducted in April 2016 failed to detect the flaw, according to people familiar with the work.

Open Source

The Percentage of Open Source Code in Proprietary Apps is Rising (helpnetsecurity.com) 60

Zeljka Zorz, writing for Help Net Security: The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown. Compiled after examining the findings from the anonymized data of over 1,100 commercial codebases audited in 2017 by the Black Duck On-Demand audit services group, the report revealed two interesting findings:

96 percent of the scanned applications contain open source components, with an average 257 components per application. The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting that a large number of applications now contain much more open source than proprietary code.

Security

90% of Financial Institutions Targeted By Ransomware in the Last Year (betanews.com) 19

An anonymous reader shares a report: A new report from cloud security specialist Carbon Black, based on responses from CISOs at 40 major financial institutions -- including six of the top 10 global banks -- seeks to better understand the attack landscape. Among the findings are that 90 percent of financial institutions report being the subject of a ransomware attack in 2017. In addition one in 10 respondents report encountering destructive attacks unrelated to ransomware, such as application attacks and fileless malware. These potentially enable cybercriminals to move freely and laterally within an organization's network and often go completely overlooked until it's too late.
Microsoft

Microsoft To Block Flash In Office 365 Starting January 2019 (bleepingcomputer.com) 40

An anonymous reader writes: Microsoft plans to soon block Flash, Shockwave, and Silverlight content from activating in Office 365, it said. The block, however, will only be applicable in Office 365 subscription clients -- and not in Office 2016, Office 2013, or Office 2010 distributions, the company added. The change is set to come into effect starting January 2019. This is a full-on block, and not just Microsoft disabling problematic controls with the option to click on a button and view its content, BleepingComputer reports. The block means that Office 365 will prevent Flash, Shockwave, or Silverlight content from playing inside Office documents altogether.

Microsoft cited various reasons for taking this decision. It said that malware authors have abused this mechanism for exploit campaigns, but also that Office users rarely used these features. In addition, Microsoft said it was also taking this decision after Adobe announced Flash's end-of-life for 2020.

United States

Trump Ignores 'Inconvenient' Security Rules To Keep Tweeting On His iPhone, Says Report (politico.com) 523

According to Politico, "President Donald Trump uses a White House cellphone that isn't equipped with sophisticated security features designed to shield his communications." The decision is "a departure from the practice of his predecessors that potentially exposes him to hacking or surveillance." From the report: The president uses at least two iPhones, according to one of the officials. The phones -- one capable only of making calls, the other equipped only with the Twitter app and preloaded with a handful of news sites -- are issued by White House Information Technology and the White House Communications Agency, an office staffed by military personnel that oversees White House telecommunications. While aides have urged the president to swap out the Twitter phone on a monthly basis, Trump has resisted their entreaties, telling them it was "too inconvenient," the same administration official said. The president has gone as long as five months without having the phone checked by security experts. It is unclear how often Trump's call-capable phones, which are essentially used as burner phones, are swapped out.
Bug

Comcast Website Bug Leaks Xfinity Customer Data (zdnet.com) 43

An anonymous reader quotes a report from ZDNet: A bug in Comcast's website used to activate Xfinity routers can return sensitive information on the company's customers. The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password. Two security researchers, Karan Saini and Ryan Stevenson, discovered the bug. Only a customer account ID and that customer's house or apartment number is needed -- even though the web form asks for a full address.

ZDNet obtained permission from two Xfinity customers to check their information. We were able to obtain their full address and zip code -- which both customers confirmed. The site returned the Wi-Fi name and password -- in plaintext -- used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router -- and the site didn't return the Wi-Fi network name or password.

Security

Google and Microsoft Disclose New CPU Flaw, and the Fix Can Slow Machines Down (theverge.com) 83

An anonymous reader quotes a report from The Verge: Microsoft and Google are jointly disclosing a new CPU security vulnerability that's similar to the Meltdown and Spectre flaws that were revealed earlier this year. Labelled Speculative Store Bypass (variant 4), the latest vulnerability is a similar exploit to Spectre and exploits speculative execution that modern CPUs use. Browsers like Safari, Edge, and Chrome were all patched for Meltdown earlier this year, and Intel says "these mitigations are also applicable to variant 4 and available for consumers to use today." However, unlike Meltdown (and more similar to Spectre) this new vulnerability will also include firmware updates for CPUs that could affect performance. Intel has already delivered microcode updates for Speculative Store Bypass in beta form to OEMs, and the company expects them to be more broadly available in the coming weeks. The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won't see negative performance impacts.

"If enabled, we've observed a performance impact of approximately 2-8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client 1 and server 2 test systems," explains Leslie Culbertson, Intel's security chief. As a result, end users (and particularly system administrators) will have to pick between security or optimal performance. The choice, like previous variants of Spectre, will come down to individual systems and servers, and the fact that this new variant appears to be less of a risk than the CPU flaws that were discovered earlier this year.

Privacy

'TeenSafe' Phone Monitoring App Leaked Thousands of User Passwords (zdnet.com) 44

An anonymous reader quotes a report from ZDNet: At least one server used by an app for parents to monitor their teenagers' phone activity has leaked tens of thousands of accounts of both parents and children. The mobile app, TeenSafe, bills itself as a "secure" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed. But the Los Angeles, Calif.-based company left its servers, hosted on Amazon's cloud, unprotected and accessible by anyone without a password.

"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," said a TeenSafe spokesperson told ZDNet on Sunday. The database stores the parent's email address associated with their associated child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.

Businesses

Chinese 'Accelerators' In Silicon Valley Aim To Bring Startups Home (reuters.com) 74

An anonymous reader quotes a report from Reuters: Beijing's unslakeable thirst for the latest technology has spurred a proliferation of "accelerators" in Silicon Valley that aim to identify promising startups and bring them to China. The surge in the number of China-focused accelerators -- which support, mentor and invest in early-stage startups -- is part of a larger wave of Chinese investment in Silicon Valley. At least 11 such programs have been created in the San Francisco Bay Area since 2013, according to the tech-sector data firm Crunchbase. Some work directly with Chinese governments, which provide funding. Reuters interviews with the incubators showed that many were focused on bringing U.S. startups to China. For U.S. government officials wary of China's growing high-tech clout, the accelerator boom reaffirms fears that U.S. technological know-how is being transferred to China through investments, joint ventures or licensing agreements. "Our intellectual property is the future of our economy and our security," Senator Mark Warner, the Democratic vice-chairman of the U.S. Senate Intelligence Committee, said in a statement to Reuters about Chinese accelerators. "China's government has clearly prioritized acquiring as much of that intellectual property as possible. Their ongoing efforts, legal or illegal, pose a risk that we have to look at very seriously."
The Almighty Buck

First Government Office in the US To Accept Bitcoin As Payment (orlandosentinel.com) 42

Long-time Slashdot reader SonicSpike quotes the Orlando Sentinel: If cash, check or credit card seems too old-fashioned, Seminole County, Florida Tax Collector Joel Greenberg said this week his office will begin accepting bitcoin as payment for new IDs, license plates and property taxes starting next month. Greenberg said accepting bitcoin and bitcoin cash as a payment method will promote transparency and accuracy in payment.

"There's no risk to the taxpayer," said Greenberg, who has often raised eyebrows since his 2016 election by moves including encouraging certain employees with concealed-weapons permits to carry a firearm openly as a security measure. "Blockchain technology is the future of the whole financial industry."

A spokesperson for a neighboring county's tax collector said they had no plans to follow the move. "Frankly, I think the currency is so volatile that I donâ(TM)t think it makes sense."

And an official at a nearby county said bitcoin payments were "not on our to-do list", adding that no one in the county had requested the ability to pay their taxes in bitcoin.
Encryption

IBM Warns Quantum Computing Will Break Encryption (zdnet.com) 197

Long-time Slashdot reader CrtxReavr shares a report from ZDNet: Quantum computers will be able to instantly break the encryption of sensitive data protected by today's strongest security, warns the head of IBM Research. This could happen in a little more than five years because of advances in quantum computer technologies. "Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now," said Arvind Krishna, director of IBM Research... Quantum computers can solve some types of problems near-instantaneously compared with billions of years of processing using conventional computers... Advances in novel materials and in low-temperature physics have led to many breakthroughs in the quantum computing field in recent years, and large commercial quantum computer systems will soon be viable and available within five years...

In addition to solving tough computing problems, quantum computers could save huge amounts of energy, as server farms proliferate and applications such as bitcoin grow in their compute needs. Each computation takes just a few watts, yet it could take several server farms to accomplish if it were run on conventional systems.

The original submission raises another possibility. "What I wonder is, if encryption can be 'instantly broken,' does this also mean that remaining crypto-coins can be instantly discovered?"

Slashdot Top Deals