Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Crime

Geek Avenges Stolen Laptop By Remotely Accessing Thief's Facebook Account (hothardware.com) 37

An anonymous reader quotes Hot Hardware: Stu Gale, who just so happens to be a computer security expert, had the misfortune of having his laptop stolen from his car overnight. However, Gale did have remote software installed on the device which allowed him to track whenever it came online. So, he was quite delighted to see that a notification popped up on one of his other machines alerting him that his stolen laptop was active. Gale took the opportunity to remote into the laptop, only to find that the not-too-bright thief was using his laptop to login to her Facebook account.

The thief eventually left her Facebook account open and left the room, after which Gale had the opportunity to snoop through her profile and obtain all of her private information. "I went through and got her phone numbers, friends list and pictures..." Given that Gale was able to see her phone numbers listed on Facebook, he sent text messages to all of those numbers saying that he was going to report her to the police. He also posted her info to a number of Facebook groups, which spooked the thief enough to not only delete her Facebook account, but also her listed phone numbers.

In 2008 Slashdot ran a similar story, where it took several weeks of remote monitoring before a laptop thief revealed his identity. (The victim complained that "It was kind of frustrating because he was mostly using it to watch porn.") But in this case, Gale just remotely left a note on the laptop -- and called one of the thief's friends -- and eventually turned over all the information to the police, who believe an arrest will follow.

Gale seems less confident, and tells one Calgary newspaper "I'm realistic. I'm not going to see that computer again. But at least I got some comic relief."
Firefox

The SHA-1 End Times Have Arrived (threatpost.com) 27

"Deadlines imposed by browser makers deprecating support for the weakened SHA-1 hashing algorithm have arrived," writes Slashdot reader msm1267. "And while many websites and organizations have progressed in their migrations toward SHA-2 and other safer hashing algorithms, pain points and potential headaches still remain." Threatpost reports: Starting on Jan. 24, Mozilla's Firefox browser will be the first major browser to display a warning to its users who run into a site that doesn't support TLS certificates signed by the SHA-2 hashing algorithm... "SHA-1 deprecation in the context of the browser has been an unmitigated success. But it's just the tip of the SHA-2 migration iceberg. Most people are not seeing the whole problem," said Kevin Bocek, VP of security strategy and threat intelligence for Venafi. "SHA-1 isn't just a problem to solve by February, there are thousands more private certificates that will also need migrating"...

Experts warn the move to SHA-2 comes with a wide range of side effects; from unsupported applications, new hardware headaches tied to misconfigured equipment and cases of crippled credit card processing gear unable to communicate with backend servers. They say the entire process has been confusing and unwieldy to businesses dependent on a growing number of digital certificates used for not only their websites, but data centers, cloud services, and mobile apps... According to Venafi's research team, 35 percent of the IPv4 websites it analyzed in November are still using insecure SHA-1 certificates. However, when researchers scanned Alexa's top 1 million most popular websites for SHA-2 compliance it found only 536 sites were not compliant.
The article describes how major tech companies are handling the move to SHA-2 compliance -- including Apple, Google, Microsoft, Facebook, Salesforce and Cloudflare
Security

Pwn2Own 2017 Offers Big Bounties For Linux, Browser, and Apache Exploits (eweek.com) 33

Now that TrendMicro owns TippingPoint, there'll be "more targets and more prize money" according to eWeek, and something special for Pwn2Own's 10th anniversary in March. Slashdot reader darthcamaro writes: For the first time in its ten-year history, the annual Pwn2Own hacking competition is taking direct aim at Linux. Pwn2Own in the past has typically focused mostly on web browsers, running on Windows and macOS. There is a $15,000 reward for security researchers that are able to get a local user kernel exploit on Ubuntu 16.10. The bigger prize though is a massive $200,000 award for exploiting Apache Web Server running on Ubuntu.
"We are nine weeks away," TrendMicro posted Wednesday, pointing out that they're giving out over $1 million in bounties, including the following:
  • $100,000 for escaping a virtualization hypervisor
  • $80,000 for a Microsoft Edge or Google Chrome exploit
  • $50,000 for an exploit of Adobe Reader, Microsoft Word, Excel or PowerPoint
  • $50,000 for an Apple Safari exploit
  • $30,000 for a Firefox exploit
  • $30,000, $20,000 and $15,000 for privilege-escalating kernel vulnerabilities on Windows, macOS and Linux (respectively)
  • $200,000 for an Apache Web Server exploit

Power

Are Squirrels A Bigger Threat To Our Critical Infrastructure? (bbc.com) 128

"The real threat to global critical infrastructure is not enemy states or organizations but squirrels, according to one security expert." Long-time Slashdot reader randomErr quotes the BBC. Cris Thomas has been tracking power cuts caused by animals since 2013... His Cyber Squirrel 1 project was set up to counteract what he called the "ludicrousness of cyber-war claims by people at high levels in government and industry", he told the audience at the Shmoocon security conference in Washington. Squirrels topped the list with 879 "attacks", followed by birds with 434 attacks and then snakes at 83 attacks.
Those three animals -- along with rats -- have caused 1,700 different power cuts affecting nearly 5,000,000 people .
Google

Google Pressured 90,000 Android Developers Over Insecure Apps (pcworld.com) 46

An anonymous reader quotes PCWorld: Over the past two years, Google has pressured developers to patch security issues in more than 275,000 Android apps hosted on its official app store. In many cases this was done under the threat of blocking future updates to the insecure apps...

In the early days of the App Security Improvement program, developers only received notifications, but were under no pressure to do anything. That changed in 2015 when Google expanded the types of issues it scanned for and also started enforcing deadlines for fixing many of them... Google added checks for six new vulnerabilities in 2015, all of them with a patching deadline, and 17 in 2016, 12 of which had a time limit for fixes. These issues ranged from security flaws in third-party libraries, development frameworks and advertising SDKs to insecure implementations of Android Java classes and interfaces.

100,000 applications had been patched by April of 2016, but that number tripled over the next nine months, with 90,000 developers fixing flaws in over 275,000 apps.
Microsoft

Microsoft To Lay Off 700 Employees Next Week, Report Says (geekwire.com) 153

According to a report by Business Insider (Warning: may be paywalled), Microsoft will cut about 700 jobs in conjunction with its quarterly earnings release next week. GeekWire reports: The latest layoffs are part of the company's previously announced plan to cut about 2,850 roles globally during its current fiscal year, according to the Business Insider report. The company declined to comment this afternoon, but we understand the report to be accurate, based on our own sources. Next week's cuts will be spread across a variety of job functions inside the company. The company's previous job cuts have come in areas including its smartphone business and global sales team. Microsoft announced its largest cuts in July 2014, eliminating 18,000 jobs, or 14 percent of the company at the time.
Encryption

Lavabit Is Relaunching (theintercept.com) 51

The encrypted email service once used by whistleblower Edward Snowden is relaunching today. Ladar Levison, the founder of the encrypted email service Lavabit, announced on Friday that he's relaunching the service with a new architecture that fixes the SSL problem and includes other privacy-enhancing features as well, such as one that obscures the metadata on emails to prevent government agencies like the NSA and FBI from being able to find out with whom Lavabit users communicate. In addition, he's also announcing plans to roll out end-to-end encryption later this year. The Intercept provides some backstory in its report: In 2013, [Levison] took the defiant step of shutting down the company's service rather than comply with a federal law enforcement request that could compromise its customers' communications. The FBI had sought access to the email account of one of Lavabit's most prominent users -- Edward Snowden. Levison had custody of his service's SSL encryption key that could help the government obtain Snowden's password. And though the feds insisted they were only after Snowden's account, the key would have helped them obtain the credentials for other users as well. Lavabit had 410,000 user accounts at the time. Rather than undermine the trust and privacy of his users, Levison ended the company's email service entirely, preventing the feds from getting access to emails stored on his servers. But the company's users lost access to their accounts as well. Levison, who became a hero of the privacy community for his tough stance, has spent the last three years trying to ensure he'll never have to help the feds break into customer accounts again. "The SSL key was our biggest threat," he says.
Security

Top Security Researchers Ask The Guardian To Retract Its WhatsApp Backdoor Report (technosociology.org) 69

Earlier this month The Guardian reported what it called a "backdoor" in WhatsApp, a Facebook-owned instant messaging app. Some security researchers were quick to call out The Guardian for what they concluded was irresponsible journalism and misleading story. Now, a group of over three dozen security researchers including Matthew Green and Bruce Schneier (as well as some from companies such as Google, Mozilla, Cloudflare, and EFF) have signed a long editorial post, pointing out where The Guardian's report fell short, and also asking the publication to retract the story. From the story: The WhatsApp behavior described is not a backdoor, but a defensible user-interface trade-off. A debate on this trade-off is fine, but calling this a "loophole" or a "backdoor" is not productive or accurate. The threat is remote, quite limited in scope, applicability (requiring a server or phone number compromise) and stealthiness (users who have the setting enabled still see a warning; "even if after the fact). The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users. This limits this method. Telling people to switch away from WhatsApp is very concretely endangering people. Signal is not an option for many people. These concerns are concrete, and my alarm is from observing what's actually been happening since the publication of this story and years of experience in these areas. You never should have reported on such a crucial issue without interviewing a wide range of experts. The vaccine metaphor is apt: you effectively ran a "vaccines can kill you" story without interviewing doctors, and your defense seems to be, "but vaccines do kill people [through extremely rare side effects]."
China

Viral Chinese Selfie App Meitu, Valued at Over $5 Billion, Phones Home With Personal Data (theregister.co.uk) 79

The Meitu selfie horrorshow app going viral through Western audiences is a privacy nightmare, researchers say. The app, which has been featured on several popular outlets including the NYTimes, USA Today, and NYMag, harvests information about the devices on which it runs, includes invasive advertising tracking features and is just badly coded. From a report: But worst of all, the free app appears to be phoning some to share personal data with its makers. Meitu, a Chinese production, includes in its code up to three checks to determine if an iPhone handset is jailbroken, according to respected forensics man Jonathan Zdziarski, a function to grab mobile provider information, and various analytics capabilities. Zdziarski says the app also appears to build a unique device profile based in part on a handset's MAC address. "Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it," Zdziarski says. Unique phone IMEI numbers are shipped to dozens of Chinese servers, malware researcher FourOctets found. The app, which was valued at over $5 billion last year due its popularity, seeks access to device and app history; accurate location; phone status; USB, photos, and files storage read and write; camera; Wifi connections; device ID & call information; full network access, run at startup, and prevent device from sleeping on Android phones.
Android

Trump Trades in Android Phone For Secret Service-Approved Device (cnet.com) 199

Who's got two thumbs and a Secret Service-approved phone to tweet from? On arriving in Washington on Thursday ahead of his inauguration, Donald Trump has handed in his Android device in exchange for an unidentified locked-down phone, according to Associated Press. From a report: The phone comes with a new number that is known only to a limited number of people. This marks a big change for Trump, who's frequently on the line with friends, business contacts, reporters, foreign leaders and politicians. Barack Obama was the first president to use a mobile device approved by security agencies because of hacking concerns. Initially he had a heavily modified BlackBerry and later switched to another phone that had most features totally disabled. He was not known to use it for making or receiving calls, but it was one of few devices that had access to the @POTUS Twitter account.
Security

ProtonMail Adds Tor Onion Site To Fight Risk Of State Censorship (techcrunch.com) 26

ProtonMail now has a home on the dark web. The encrypted email provider announced Thursday it will allow its users to access the site through the Tor anonymity service. From a report: Swiss-based PGP end-to-end encrypted email provider, ProtonMail, now has an onion address, allowing users to access its service via a direct connection to the Tor anonymizing network -- in what it describes as an active measure aimed at defending against state-sponsored censorship. The startup, which has amassed more than two million users for its e2e encrypted email service so far, launching out of beta just over a year ago, says it's worried about an increased risk of state-level blocking of pro-privacy tools -- pointing to recent moves such as encryption messaging app Signal being blocked in Egypt, and the UK passing expansive surveillance legislation that mandates tracking of web activity and can also require companies to eschew e2e encryption and backdoor products. The service also saw a bump in sign ups after the election of Donald Trump as US president, last fall -- with web users apparently seeking a non-US based secure email provider in light of the incoming commander-in-chief's expansive digital surveillance powers.
Botnet

Krebs Pinpoints the Likely Author of the Mirai Botnet (engadget.com) 98

The Mirai botnet caused serious trouble last fall, first hijacking numerous IoT devices to make a historically massive Distributed Denial-Of-Service (DDoS) attack on KrebsOnSecurity's site in September before taking down a big chunk of the internet a month later. But who's responsible for making the malware? From a report on Engadget: After his site went dark, security researcher Brian Krebs went on a mission to identify its creator, and he thinks he has the answer: Several sources and corroborating evidence point to Paras Jha, a Rutgers University student and owner of DDoS protection provider Protraf Solutions. About a week after attacking the security site, the individual who supposedly launched the attack, going by the username Anna Senpai, released the source code for the Mirai botnet, which spurred other copycat assaults. But it also gave Krebs the first clue in their long road to uncover Anna Senpai's real-life identity -- an investigation so exhaustive, the Krebs made a glossary of cross-referenced names and terms along with an incomplete relational map.
Government

Julian Assange Will Not Hand Himself In Because Chelsea Manning's Release Won't Happen Immediately, Lawyer Says (independent.co.uk) 552

President Obama commuted Chelsea Manning's prison sentence yesterday, reducing her time required to serve behind bars from 35 years to just over seven years. Prior to the commutation, WikiLeaks' Julian Assange pledged to surrender himself to U.S. authorities if Manning was pardoned. Roughly 24 hours have passed since the news broke and it appears that Assange will not hand himself in to the Department of Justice. The Independent reports: Mr Assange's lawyers initially seemed to suggest that promise would be carried through -- telling reporters that he stood by his earlier comments -- but it appears now that Mr Assange will stay inside the embassy. The commitment to accept extradition to the U.S. was based on Ms Manning being released immediately, Mr Assange's lawyer told The Hill. Ms Manning won't actually be released until May -- to allow for a standard 120-day transition period, which gives people time to prepare and find somewhere to live, an official told The New York Times for its original report about Ms Manning's clemency. "Mr. Assange welcomes the announcement that Ms. Manning's sentence will be reduced and she will be released in May, but this is well short of what he sought," Barry Pollack, Assange's U.S.-based attorney, told the site. "Mr. Assange had called for Chelsea Manning to receive clemency and be released immediately."
Desktops (Apple)

Malwarebytes Discovers 'First Mac Malware of 2017' (securityweek.com) 60

wiredmikey writes: Security researchers have a uncovered a Mac OS based espionage malware they have named "Quimitchin." The malware is what they consider to be "the first Mac malware of 2017," which appears to be a classic espionage tool. While it has some old code and appears to have existed undetected for some time, it works. It was discovered when an IT admin noticed unusual traffic coming from a particular Mac, and has been seen infecting Macs at biomedical facilities. From SecurityWeek.com: "Quimitchin comprises just two files: a .plist file that simply keeps the .client running at all times, and the .client file containing the payload. The latter is a 'minified and obfuscated' perl script that is more novel in design. It combines three components, Thomas Reed, director of Mac offerings at Malwarebytes and author of the blog post told SecurityWeek: 'a Mac binary, another perl script and a Java class tacked on at the end in the __DATA__ section of the main perl script. The script extracts these, writes them to /tmp/ and executes them.' Its primary purpose seems to be screen captures and webcam access, making it a classic espionage tool. Somewhat surprisingly the code uses antique system calls. 'These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days,' he wrote in the blog post. 'In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.' The script also contains Linux shell commands. Running the malware on a Linux machine, Malwarebytes 'found that -- with the exception of the Mach-O binary -- everything ran just fine.' It is possible that there is a specific Linux variant of the malware in existence -- but the researchers have not been able to find one. It did find two Windows executable files, courtesy of VirusTotal, that communicated with the same CC server. One of them even used the same libjpeg library, which hasn't been updated since 1998, as that used by Quimitchin."
Education

College Fires IT Admin, Loses Access To Google Email, Successfully Sues IT Admin For $250K (theregister.co.uk) 271

An anonymous reader quotes a report from The Register: Shortly after the American College of Education (ACE) in Indiana fired IT administrator Triano Williams in April, 2016, it found that it no longer had any employees with admin access to the Google email service used by the school. In a lawsuit [PDF] filed against Williams in July, 2016, the school alleges that it asked Williams to return his work laptop, which was supposed to have the password saved. But when Williams did so in May that year, the complaint says, the computer was returned wiped, with a new operating system, and damaged to the point it could no longer be used. ACE claimed that its students could not access their Google-hosted ACE email accounts or their online coursework. The school appealed to Google, but Google at the time refused to help because the ACE administrator account had been linked to William's personal email address. "By setting up the administrator account under a non-ACE work email address, Mr Williams violated ACE's standard protocol with respect to administrator accounts," the school's complaint states. "ACE was unaware that Mr Williams' administrator account was not linked to his work address until after his employment ended." According to the school's court filing, Williams, through his attorney, said he would help the school reinstate its Google administrator account, provided the school paid $200,000 to settle his dispute over the termination of his employment. That amount is less than half the estimated $500,000 in harm the school says it has suffered due to its inability to access its Google account, according to a letter from William's attorney in Illinois, Calvita J Frederick. Frederick's letter claims that another employee set up the Google account and made Williams an administrator, but not the controlling administrator. It says the school locked itself out of the admin account through too many failed password attempts. Williams, in a counter-suit [PDF] filed last month, claims his termination followed from a pattern of unlawful discrimination by the school in the wake of a change in management. Pointing to the complaint she filed with the court in Illinois, Frederick said Williams wrote a letter [PDF] to a supervisor complaining about the poor race relations at the school and, as a result of that letter, he was told he had to relocate to Indianapolis.
Crime

Ukraine's Power Outage Was a Cyber Attack, Says Power Supplier (reuters.com) 59

A power blackout in Ukraine's capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers and establish the source of the breach, utility Ukrenergo told Reuters on Wednesday. From the report: When the lights went out in northern Kiev on Dec. 17-18, power supplier Ukrenergo suspected a cyber attack and hired investigators to help it determine the cause following a series of breaches across Ukraine. Preliminary findings indicate that workstations and Supervisory Control and Data Acquisition (SCADA) systems, linked to the 330 kilowatt sub-station "North", were influenced by external sources outside normal parameters, Ukrenergo said in comments emailed to Reuters. "The analysis of the impact of symptoms on the initial data of these systems indicates a premeditated and multi-level invasion," Ukrenergo said.
Crime

Dutch Developer Added Backdoor To Websites He Built, Phished Over 20,000 Users (bleepingcomputer.com) 122

An anonymous reader quotes a report from BleepingComputer: A Dutch developer illegally accessed the accounts of over 20,000 users after he allegedly collected their login information via backdoors installed on websites he built. According to an official statement, Dutch police officials are now in the process of notifying these victims about the crook's actions. The hacker, yet to be named by Dutch authorities, was arrested on July 11, 2016, at a hotel in Zwolle, the Netherlands, and police proceeded to raid two houses the crook owned, in Leeuwarden and Sneek. According to Dutch police, the 35-years-old suspect was hired to build e-commerce sites for various companies. After doing his job, the developer also left backdoors in those websites, which he used to install various scripts that allowed him to collect information on the site's users. Police say that it's impossible to determine the full breadth of his hacking campaign, but evidence found on his laptop revealed he gained access to over 20,000 email accounts. Authorities say the hacker used his access to these accounts to read people's private email conversations, access their social media profiles, sign-up for gambling sites with the victim's credentials, and access online shopping sites to make purchases for himself using the victim's funds.
The Almighty Buck

Blockchain Technology Could Save Banks $12 Billion a Year (silicon.co.uk) 109

Mickeycaskill quotes a report from Silicon.co.uk: Accenture research has found Blockchain technology has the potential to reduce infrastructure costs by an average of 30 percent for eight of the world's ten biggest banks. That equates to annual cost savings of $8-12 billion. The findings of the "Banking on Blockchain: A Value Analysis for Investment Banks" report are based on an analysis of granular cost data from the eight banks to identify exactly where value could be achieved. A vast amount of cost for today's investment banks comes from complex data reconciliation and confirmation processes with their clients and counterparts, as banks maintain independent databases of transactions and customer information. However, Blockchain would enable banks to move to a shared, distributed database that spans multiple organizations. It has become increasingly obvious in recent months that blockchain will be key to the future of the banking industry, with the majority of banks expected to adopt the technology within the next three years.
Government

President Obama Commutes Chelsea Manning's Sentence (theverge.com) 794

The New York Times is reporting that President Obama has commuted Chelsea Manning's sentence. What this translates to is a reduced sentence for Manning, from 35 years to just over seven years. Since Manning has already served a majority of those years, she is due to be released from federal custody on May 17th. The Verge reports: While serving as an intelligence analyst in Iraq, Manning leaked more than 700,000 documents to Wikileaks, including video of a 2007 airstrike in Baghdad that killed two Reuters employees. In 2013, Manning was sentenced to 35 years in prison for her role in the leak and has been held at the U.S. Disciplinary Barracks at Fort Leavenworth for the past three years. Julian Assange, who has long been sought by U.S. and EU authorities for extradition on Swedish rape charges, had previously pledged to surrender himself to U.S. authorities if Manning was pardoned. Born Bradley Manning, Chelsea announced her gender transition the day after the verdict was handed down. "I am Chelsea Manning. I am a female," she said in a statement. "Given the way that I feel, and have felt since childhood, I want to begin hormone therapy as soon as possible." Obtaining the resulting medical treatments was extremely difficult for Manning, and was the subject of significant and sustained activism. After a lawsuit, Manning was approved for hormone therapy in 2015. In September 2016, she launched a hunger strike, demanding access to gender reassignment surgery; the military complied five days later.
Microsoft

Microsoft: Windows 7 Does Not Meet the Demands of Modern Technology; Recommends Windows 10 (neowin.net) 502

In a blog post, Microsoft says that continued usage of Windows 7 increases maintenance and operating costs for businesses. Furthermore, time is needlessly wasted on combating malware attacks that could have been avoided by upgrading to Windows 10. A report on Neowin adds: Microsoft also says that many hardware manufacturers do not provide drivers for Windows 7 any longer, and many developers and companies refrain from releasing programs on the outdated operating system. Markus Nitschke, Head of Windows at Microsoft Germany, had the following to say about Windows 7: "Today, it [Windows 7] does not meet the requirements of modern technology, nor the high security requirements of IT departments. As early as in Windows XP, we saw that companies should take early steps to avoid future risks or costs. With Windows 10, we offer our customers the highest level of security and functionality at the cutting edge.

Slashdot Top Deals