Security

Fireball Browser Hijack Impact Revised After Microsoft Analysis (eweek.com) 8

Sean Michael Kerner, writing for eWeek: A browser hijacking operation initially reported to have 250 million victims by security firm Check Point isn't quite that large, according to a new analysis by Microsoft. On June 1, security firm Check Point reported that a browser hijacking operation called "Fireball" had already claimed 250 million victims. According to a Microsoft analysis published June 22, Check Point's estimate of the number of victims was "overblown" and the attack is not nearly as widespread as initially reported. The Fireball attack is a browser hijacking that is potentially able to download malware onto victims' systems, as well as manipulate pageviews and redirect search requests. Check Point's initial analysis claimed that Fireball was being bundled as part of free software downloads to unsuspecting users. "Indeed, we have been working with Microsoft on their analysis, feeding them with some additional data," Maya Horowitz, group manager of threat intelligence at Check Point, said in a statement sent to eWEEK. "We tried to reassess the number of infections, and from recent data we know for sure that numbers are at least 40 million, but could be much more."
Firefox

Chrome and Firefox Headless Modes May Spur New Adware & Clickfraud Tactics (bleepingcomputer.com) 66

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.
Microsoft

Microsoft Admits Disabling Anti-Virus Software For Windows 10 Users (bbc.com) 195

An anonymous reader quotes a report from the BBC: Microsoft has admitted that it does temporarily disable anti-virus software on Windows PCs, following an competition complaint to the European Commission by a security company. In early June, Kaspersky Lab filed the complaint against Microsoft. The security company claims the software giant is abusing its market dominance by steering users to its own anti-virus software. Microsoft says it implemented defenses to keep Windows 10 users secure. In an extensive blog post that does not directly address Kaspersky or its claims, Microsoft says it bundles the Windows Defender Antivirus with Windows 10 to ensure that every single device is protected from viruses and malware. To combat the 300,000 new malware samples being created and spread every day, Microsoft says that it works together with external anti-virus partners. The technology giant estimates that about 95% of Windows 10 PCs were using anti-virus software that was already compatible with the latest Windows 10 Creators Update. For the applications that were not compatible, Microsoft built a feature that lets users update their PCs and then reinstall a new version of the anti-virus software. "To do this, we first temporarily disabled some parts of the AV software when the update began. We did this work in partnership with the AV partner to specify which versions of their software are compatible and where to direct customers after updating," writes Rob Lefferts, a partner director of the Windows and Devices group in enterprise and security at Microsoft.
Software

NSA Opens GitHub Account, Lists 32 Projects Developed By the Agency (thehackernews.com) 61

An anonymous reader quotes a report from The Hacker News: The National Security Agency (NSA) -- the United States intelligence agency which is known for its secrecy and working in the dark -- has finally joined GitHub and launched an official GitHub page. GitHub is an online service designed for sharing code amongst programmers and open source community, and so far, the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program (TTP), while some of these are "coming soon." "The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace," the agency wrote on the program's page. "OSS invites the cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community's enhancements to the technology." Many of the projects the agency listed are years old that have been available on the Internet for some time. For example, SELinux (Security-Enhanced Linux) has been part of the Linux kernel for years.
Network

Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer? 221

Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?
Security

Facial Recognition Is Coming To US Airports (theverge.com) 142

Facial recognition systems will be coming to U.S. airports in the very near future. "Customs and Border Protection first started testing facial recognition systems at Dulles Airport in 2015, then expanded the tests to New York's JFK Airport last year," reports The Verge. "Now, a new project is poised to bring those same systems to every international airport in America." From the report: Called Biometric Exit, the project would use facial matching systems to identify every visa holder as they leave the country. Passengers would have their photos taken immediately before boarding, to be matched with the passport-style photos provided with the visa application. If there's no match in the system, it could be evidence that the visitor entered the country illegally. The system is currently being tested on a single flight from Atlanta to Tokyo, but after being expedited by the Trump administration, it's expected to expand to more airports this summer, eventually rolling out to every international flight and border crossing in the U.S. U.S. Customs and Border Protection's Larry Panetta, who took over the airport portion of the project in February, explained the advantages of facial recognition at the Border Security Expo last week. "Facial recognition is the path forward we're working on," Panetta said at the conference. "We currently have everyone's photo, so we don't need to do any sort of enrollment. We have access to the Department of State records so we have photos of U.S. Citizens, we have visa photos, we have photos of people when they cross into the U.S. and their biometrics are captured into [DHS biometric database] IDENT."
Privacy

California May Restore Broadband Privacy Rules Killed By Congress and Trump (arstechnica.com) 84

An anonymous reader quotes a report from Ars Technica: A proposed law in California would require Internet service providers to obtain customers' permission before they use, share, or sell the customers' Web browsing history. The California Broadband Internet Privacy Act, a bill introduced by Assembly member Ed Chau (D-Monterey Park) on Monday, is very similar to an Obama-era privacy rule that was scheduled to take effect across the US until President Trump and the Republican-controlled Congress eliminated it. If Chau's bill becomes law, ISPs in California would have to get subscribers' opt-in consent before using browsing history and other sensitive information in order to serve personalized advertisements. Consumers would have the right to revoke their consent at any time. The opt-in requirement in Chau's bill would apply to "Web browsing history, application usage history, content of communications, and origin and destination Internet Protocol (IP) addresses of all traffic." The requirement would also apply to geolocation data, IP addresses, financial and health information, information pertaining to minors, names and billing information, Social Security numbers, demographic information, and personal details such as physical addresses, e-mail addresses, and phone numbers.
Security

How Hollywood Got Hacked: Studio at Center of Netflix Leak Breaks Silence (variety.com) 78

Earlier this year, hackers obtained and leaked the episodes of TV show Orange Is the New Black. In a candid interview, Larson Studios' chief engineer David Dondorf explained how the audio post-production business allowed the hacker group to gain access to the Netflix original content. Dandorf says the company hired private data security experts to find how it was breached. The investigation found that the hacker group had been searching the internet for PCs running older versions of Windows and stumbled across an old computer at Larson Studios still running Windows 7. From the report: Larson's employees just didn't know all that much about it. Having a computer running an ancient version of Windows on the network was clearly a terrible lack of oversight, as was not properly separating internal servers from the internet. "A lot of what went on was ignorance," admitted Rick Larson. "We are a small company. Did we even know what the content security departments were at our clients? Absolutely not. I couldn't have told you who to call. I can now." It's a fascinating story about how the hacker group first made contact and tried to threaten Larson Studios' president and his wife, and how they responded. Worth a read.
Security

Honda Shuts Down Factory After Finding NSA-derived Wcry In Its Networks (arstechnica.com) 62

A Honda factory near Tokyo was shuttered for over 24 hours this week after its computers became infected with WannaCry, the same ransomware virus responsible for crippling systems in dozens of countries last month, the car manufacturer said Wednesday. From a report: The automaker shut down its Sayama plant northwest of Tokyo on Monday after finding that WCry had affected networks across Japan, North America, Europe, China, and other regions, Reuters reported Wednesday. Discovery of the infection came on Sunday, more than five weeks after the onset of the NSA-derived ransomware worm, which struck an estimated 727,000 computers in 90 countries. [...] Honda officials didn't explain why engineers found WCry in their networks 37 days after the kill switch was activated. One possibility is that engineers had mistakenly blocked access to the kill-switch domain. That would have caused the WCry exploit to proceed as normal, as it did in the 12 or so hours before the domain was registered. Another possibility is that the WCry traces in Honda's networks were old and dormant, and the shutdown of the Sayama plant was only a precautionary measure. In any event, the discovery strongly suggests that as of Monday, computers inside the Honda network had yet to install a highly critical patch that Microsoft released in March.
Privacy

If It Uses Electricity, It Will Connect To the Internet: F-Secure's CRO (theregister.co.uk) 287

New submitter evolutionary writes: According to F-Secure's Chief Research Officer "IoT is unavoidable. If it uses electricity, it will become a computer. If it uses electricity, it will be online. In future, you will only buy IoT appliances, whether you like it or not, whether you know it or not." F-Secure's new product to help mitigate data leakage, "Sense", is a IoT Firewall, combining a traditional firewall with a cloud service and uses concepts including behaviour-based blocking and device reputation to figure out whether you have insecure devices.
Electronic Frontier Foundation

EFF Launches New AI Progress Measurement Project (eff.org) 48

Reader Peter Eckersley writes: There's a lot of real progress happening in the field of machine learning and artificial intelligence, and also a lot of hype. These technologies already have serious policy implications, and may have more in the future. But what's the ratio of hype to real progress? At EFF, we decided to find out.

Today we are launching a pilot project to measure the progress of AI research. It breaks the field into a taxonomy of subproblems like game playing, reading comprehension, computer vision, and asking neural networks to write computer programs, and tracks progress on metrics across these fields. We're hoping to get feedback and contributions from the machine learning community, with the aim of using this data to improve the conversations around the social implications, transparency, safety, and security of AI.

Bitcoin

South Korean Web Hosting Provider Pays $1 Million In Ransomware Demand (bleepingcomputer.com) 97

An anonymous reader writes: Nayana, a web hosting provider based in South Korea, announced it is in the process of paying a three-tier ransom demand of nearly $1 million worth of Bitcoin, following a ransomware infection that encrypted data on customer' servers. The ransomware infection appears has taken place on June 10, but Nayana admitted to the incident two days later, in a statement on its website.

Attackers asked for an initial ransom payment of 550 Bitcoin, which was worth nearly $1.62 million at the time of the request. After two days of negotiations, Nayana staff said they managed to reduce the ransom demand to 397.6 Bitcoin, or nearly $1 million. In a subsequent announcement, Nayana officials stated that they negotiated with the attackers to pay the ransom demand in three installments, due to the company's inability to produce such a large amount of cash in a short period of time.

On Saturday, June 17, the company said it already paid two of the three payment tranches. In subsequent announcements, Nayana updated clients on the server decryption process, saying the entire operation would take up to ten days due to the vast amount of encrypted data. The company said 153 Linux servers were affected, servers which stored the information of more than 3,400 customers.

Security

Cisco Subdomain Private Key Found in Embedded Executable (google.com) 53

Earlier this month, a developer accidentally discovered the private key of a Cisco subdomain. An anonymous reader shares the post: Last weekend, in an attempt to get Sky's NOW TV video player (for Mac) to work on my machine, I noticed that one of the Cisco executables contains a private key that is associated with the public key in a trusted certificate for a cisco.com sub domain. This certificate is used in a local WebSocket server, presumably to allow secure Sky/NOW TV origins to communicate with the video player on the users' local machines. I read the Baseline Requirements document (version 1.4.5, section 4.9.1.1), but I wasn't entirely sure whether this is considered a key compromise. I asked Hanno Bock on Twitter, and he advised me to post the matter to this mailing list. The executable containing the private key is named 'CiscoVideoGuardMonitor', and is shipped as part of the NOW TV video player. In case you are interested, the installer can be found here (SHA-256: 56feeef4c3d141562900f9f0339b120d4db07ae2777cc73a31e3b830022241e6). I would recommend to run this installer in a virtual machine, because it drops files all over the place, and installs a few launch items (agents/daemons). The executable 'CiscoVideoGuardMonitor' can be found at '$HOME/Library/Cisco/VideoGuardPlayer/VideoGuardMonitor/ VideoGuardMonitor.bundle/Contents/MacOS/CiscoVideoGuardMonitor'. Certificate details: Serial number: 66170CE2EC8B7D88B4E2EB732E738FE3A67CF672, DNS names: drmlocal.cisco.com, Issued by: HydrantID SSL ICA G2. The issuer HydrantID has since communicated with the certificate holder Cisco, and the certificate has been revoked.
Businesses

Leaked Recording: Inside Apple's Global War On Leakers (theoutline.com) 81

Reader citadrianne writes: A recording of an internal briefing at Apple earlier this month obtained by The Outline sheds new light on how far the most valuable company in the world will go to prevent leaks about new products. The briefing, titled 'Stopping Leakers -- Keeping Confidential at Apple,' was led by Director of Global Security David Rice, Director of Worldwide Investigations Lee Freedman, and Jenny Hubbert, who works on the Global Security communications and training team. According to the hour-long presentation, Apple's Global Security team employs an undisclosed number of investigators around the world to prevent information from reaching competitors, counterfeiters, and the press, as well as hunt down the source when leaks do occur. Some of these investigators have previously worked at U.S. intelligence agencies like the National Security Administration (NSA), law enforcement agencies like the FBI and the U.S. Secret Service, and in the U.S. military. Top-notch reporting from The Outline, consider reading the full report. During the briefing, a company executive said they have been able to find two employees who leaked information to media.
Encryption

Equipment Already In Space Can Be Adapted For Extremely Secure Data Encryption (helpnetsecurity.com) 20

Orome1 quotes a report from Help Net Security: In a new study, researchers from the Max Planck Institute in Erlangen, demonstrate ground-based measurements of quantum states sent by a laser aboard a satellite 38,000 kilometers above Earth. This is the first time that quantum states have been measured so carefully from so far away. A satellite-based quantum-based encryption network would provide an extremely secure way to encrypt data sent over long distances. Developing such a system in just five years is an extremely fast timeline since most satellites require around 10 years of development. For the experiments, the researchers worked closely with satellite telecommunications company Tesat-Spacecom GmbH and the German Space Administration. The German Space Administration previously contracted with Tesat-Spacecom on behalf of the German Ministry of Economics and Energy to develop an optical communications technology for satellites. This technology is now being used commercially in space by laser communication terminals onboard Copernicus -- the European Union's Earth Observation Program -- and by SpaceDataHighway, the European data relay satellite system. It turned out that this satellite optical communications technology works much like the quantum key distribution method developed at the Max Planck Institute. Thus, the researchers decided to see if it was possible to measure quantum states encoded in a laser beam sent from one of the satellites already in space. In 2015 and the beginning of 2016, the team made these measurements from a ground-based station at the Teide Observatory in Tenerife, Spain. They created quantum states in a range where the satellite normally does not operate and were able to make quantum-limited measurements from the ground. The findings have been published in the journal Optica.
Government

198 Million Americans Hit By 'Largest Ever' Voter Records Leak (zdnet.com) 119

Political data gathered on more than 198 million US citizens was exposed this month after a marketing firm contracted by the Republican National Committee stored internal documents on a publicly accessible Amazon server, reports say. From a ZDNet article: It's believed to be the largest ever known exposure of voter information to date. The various databases containing 198 million records on American voters from all political parties were found stored on an open Amazon S3 storage server owned by a Republican data analytics firm, Deep Root Analytics. UpGuard cyber risk analyst Chris Vickery, who found the exposed server, verified the data. Through his responsible disclosure, the server was secured late last week, and prior to publication. This leak shines a spotlight on the Republicans' multi-million dollar effort to better target potential voters by utilizing big data. The move largely a response to the successes of the Barack Obama campaign in 2008, thought to have been the first data-driven campaign. Further reading: Republican Data-Mining Firm Exposed Personal Information for Virtually Every American Voter - The Intercept; The RNC Files: Inside the Largest US Voter Data Leak - Upguard; Data on 198M voters exposed by GOP contractor Data On 198M Voters Exposed By GOP Contractor - The Hill.
The Almighty Buck

Is Coinbase Closing Accounts For Paying Ransoms With Bitcoins? (coindesk.com) 200

Even as some comparnies are stockpiling bitcoins so they can quickly pay ransom demands, security firms that try paying those ransoms may face losing their accounts on Coinbase. Slashdot reader Mosquito Bites quotes a report from CoinDesk: Less than a year ago, Vinny Troia, CEO and principal security consultant of Night Lion Security and a certified white hat hacker, was sent a compliance form by US bitcoin exchange Coinbase, where he had an account. Coinbase wanted to know how Troia was using bitcoin and his account. "I told them I run a security firm. I pay for ransoms and buy documents on the dark web when clients request it," Troia told CoinDesk. The ransoms Troia helps his clients pay are those stemming from ransomware attacks, which have surged in number over the past few years. Many, like the well-publicized WannaCry attack, are asking for bitcoin.

And the documents? Troia said, "We do breach investigations a lot of times. If a fraudster is saying they're selling my client's stolen documents, the only way to make sure they have what they say they have is to buy those documents." According to Troia, Coinbase "did not like that at all." Coinbase then asked the IT expert whether he had a letter from the Department of Justice giving him permission to do those things. No, Troia said. Upon further research, Troia has not found that any such permission exists. But, "I have my clients authorizing me to do this," he said. Coinbase sent Troia back an email explaining that those actions were against the exchange's rules and shut down his account... "My entire family is blocked from Coinbase," he said.

Businesses

How Can Businesses Close 'The Cybersecurity Gap'? (venturebeat.com) 179

Companies can't find enough qualified security personnel, and fixing it requires "a fundamental shift in how businesses recruit, hire, and keep security talent," according to a VentureBeat article by an Intermedia security executive: The trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues -- what we need are people who can protect businesses environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing. Second, certain companies may not know what to look for in a professional. Third, when skilled professionals are hired, they can often be overworked to the point where they don't have the time to keep up with the latest developments in the field -- and even in their own security tools... The fundamental problem facing the skills gap, however, is that there aren't enough people coming into the field to begin with. Here, companies need to do two things: step-up their advocacy when it comes to promoting cybersecurity careers, and look internally for employees who have the skills and desire to take on a security position but need the training and support to succeed...

Finally, businesses need to recognize that security threats today go well beyond just one department. Every employee should be responsible for knowing what to look for in an attack, how to report a suspected threat, and how they can simply disengage from content and files they deem suspicious. Basic security training needs to become a part of the onboarding process for any employee -- especially for those in the C-Suite, where a greater number of spear-phishing attacks occur.

The article also cites a study which found "about a quarter of all cybersecurity positions are left unfilled for about six months."
EU

European Parliament Committee Endorses End-To-End Encryption (tomshardware.com) 119

The civil liberties committee of the European Parliament has released a draft proposal "in direct contrast to the increasingly loud voices around the world to introduce regulations or weaken encryption," according to an anonymous Slashdot reader. Tom's Hardware reports: The draft recommends a regulation that will enforce end-to-end encryption on all communications to protect European Union citizens' fundamental privacy rights. The committee also recommended a ban on backdoors. Article 7 of the E.U.'s Charter of Fundamental Rights says that E.U. citizens have a right to personal privacy, as well as privacy in their family life and at home. According to the EP committee, the privacy of communications between individuals is also an important dimension of this right...

We've lately seen some EU member states push for increased surveillance and even backdoors in encrypted communications, so there seems to be some conflict here between what the European Parliament institutional bodies may want and what some member states do. However, if this proposal for the new Regulation on Privacy and Electronic Communications passes, it should significantly increase the privacy of E.U. citizens' communications, and it won't be so easy to roll back the changes to add backdoors in the future.

Security researcher Lukasz Olejnik says "the fact that policy is seriously considering these kind of aspects is unprecedented."
Privacy

Ask Slashdot: How Do You Prepare For The Theft Of Your PC? 262

A security-conscious Slashdot reader has theft insurance -- but worries whether it covers PC theft. And besides the hassles of recreating every customization after restoring from backups, there's also the issue of keeping personal data private. I currently keep important information on a hidden, encrypted partition so an ordinary thief won't get much off of it, but that is about the extent of my preparation... What would you do? Some sort of beacon to let you know where your stuff is? Remote wipe? Online backup?
There's a couple of issues here -- including privacy, data recovery, deterrence, compensation -- each leading to different ways to answer the question: what can you actually do to prepare for the possibility? So use the comments to share your own experiences. How have you prepared for the theft of your PC?

Slashdot Top Deals