Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Submission + - Two Backdoors Found in Sony IP Cameras

Trailrunner7 writes: A long list of IP-enabled security cameras made by Sony contain backdoors in their firmware that can allow an attacker to run arbitrary code remotely on the devices and potentially opening them up for use in a botnet.

The cameras affected by the vulnerabilities are surveillance cameras, mainly used in enterprises and retail settings and there are dozens of models that contain the vulnerable firmware. Researchers at SEC Consult discovered the backdoors and found that an attacker could use one of them to enable hidden Telnet and SSH services on the cameras and then use the other backdoor to gain root privileges.

“After enabling Telnet/SSH, another backdoor allows an attacker to gain access to a Linux shell with root privileges! The vulnerabilities are exploitable in the default configuration over the network. Exploitation over the Internet is possible, if the web interface of the device is exposed," the researchers said.

Submission + - New Google Trusted Contacts Service Shares User Location in Real Time

Trailrunner7 writes: Google has spent a lot of time and money on security over the last few years, developing new technologies and systems to protect users’ devices. One of the newer technologies the company has come up with is designed to provide security for users themselves rather than their laptops or phones.

On Monday Google launched a new app for Android called Trusted Contacts that allows users to share their locations and some limited other information with a set of close friends and family members. The system is a two-way road, so a user can actively share her location with her Trusted Contacts, and stop sharing it at her discretion. But, when a problem or potential emergency comes up, one of those contacts can request to get that user’s location to see where she is at any moment. The app is designed to give users a way to reassure contacts that they’re safe, or request help if there’s something wrong.

Submission + - FBI, Europol Dismantle Avalanche Cybercrime Crew

Trailrunner7 writes: A large group of law enforcement officials, security researchers, registrars, and others have dismantled a huge malware, phishing, and cybercrime network known as Avalanche, taking down more than 800,000 domains in the process.

The operation, which was a collaborative effort by Europol, the FBI, German police, and security groups, resulted in five arrests and the seizure of 39 servers in various countries. Officials say the Avalanche crew and its infrastructure was distributed around the world and estimated that damages from the group’s activities were in the hundreds of millions of Euros. The group conducted spam, phishing, and malware attacks using a wide variety of malware strains and tactics.

Investigators began looking at the Avalanche infrastructure in 2012 after a widespread ransomware attack that was attributed to the group. Many victims also were infected with banker malware that stole banking credentials and other private data. Like many cybercrime crews, Avalanche used money mules to cash out their profits and layers of personnel to handle specific tasks in an effort to avoid detection. The group also employed technical methods to attempts to confuse law enforcement and security researchers.

Submission + - ESPN Loses Another 555,000 Subscribers Per Nielsen (outkickthecoverage.com)

An anonymous reader writes: Last month ESPN lost 621,000 subscribers according to Nielsen media estimates, which was the worst month in the company's history. This month things weren't much better — ESPN lost another 555,000 subscribers according to Nielsen media estimates, meaning that the worst month in the history of ESPN has now been followed up by the second worst month in ESPN history. ESPN has now lost a jawdropping 1.176 million subscribers in the past two months.

Putting that into perspective, that means nearly 20,000 people a day are leaving ESPN for each of the past two months. If that annual average subscriber loss continued, ESPN would lose over seven million subscribers in the next 12 months. And at an absolute minimum, these 1.176 million lost subscribers in the past two months will lead to a yearly loss in revenue of over $100 million. According to Nielsen ESPN now has 88.4 million cable and satellite subscribers, a precipitous decline from well over 100 million subscribers just a few years ago.

Submission + - Matt Taibbi: 'Washington Post' 'Blacklist' Story Is Shameful and Disgusting (rollingstone.com)

MyFirstNameIsPaul writes: From the article:

Most high school papers wouldn't touch sources like these. But in November 2016, both the president-elect of the United States and the Washington Post are equally at ease with this sort of sourcing.

Even worse, the Post apparently never contacted any of the outlets on the "list" before they ran their story. Yves Smith at Naked Capitalism says she was never contacted. Chris Hedges of Truthdig, who was part of a group that won the Pulitzer Prize for The New York Times once upon a time, said the same. "We were named," he tells me. "I was not contacted."

Hedges says the Post piece was an "updated form of Red-Baiting."

"This attack signals an open war on the independent press," he says. "Those who do not spew the official line will be increasingly demonized in corporate echo chambers such as the Post or CNN as useful idiots or fifth columnists."


Submission + - More Than 1 Million Android Devices Rooted by Gooligan Malware

Trailrunner7 writes: A new version of an existing piece of malware has emerged in some third-party Android app stores and researchers say it has infected more than a million devices around the world, giving the attackers full access to victims’ Google accounts in the process.

The malware campaign is known as Gooligan, and it’s a variant of older malware called Ghost Push that has been found in many malicious apps. Researchers at Check Point recently discovered several dozen apps, mainly in third-party app stores, that contain the malware, which is designed to download and install other apps and generate income for the attackers through click fraud. The malware uses phantom clicks on ads to generate revenue for the attackers through pay-per-install schemes, but that’s not the main concern for victims.

The Gooligan malware also employs exploits that take advantage of several known vulnerabilities in older versions of Android, including Kit Kat and Lollipop to install a rootlet that is capable of stealing users’ Google credentials.Although the malware has full remote access to infected devices, it doesn’t appear to be stealing user data, but rather is content to go the click-fraud route. Most users are being infected through the installation of apps that appear to be legitimate but contain the Gooligan code, a familiar infection routine for mobile devices.

Submission + - Cerber Ransomware Using Tor Network to Hide

Trailrunner7 writes: Ransomware authors have adopted a number of new tactics recently to help avoid detection and stop takedown attempts, and the latest move by the gang behind the Cerber malware is the use of both Google redirection and the Tor network as evasion and obfuscation mechanisms.

Researchers from Cisco’s Talos group have come across a new version of the Cerber ransomware that uses these techniques, combined with pretty rudimentary email messages to trick victims into clicking on links that lead to the malicious files. Typically, sophisticated ransomware crews will use well-crafted emails with malicious attachments that contain the ransomware. But this Cerber campaign isn’t using any attachments in its spam emails and instead is relying on trickery to entice users into following the links, which are obfuscated and lead to sites on the Tor anonymity network.

Submission + - How Your Headphones Can Record Your Conversations Remotely 1

Trailrunner7 writes: As if attackers didn’t have enough methods for observing users’ actions, researchers have now developed a technique that allows them to use speakers or headphones plugged in to a PC as microphones to record victims’ discussions.

The attack involves a technique called re-tasking in which the researchers changed the functionality of the audio jacks on a target computer. So, whereas an input jack would normally be used by a microphone and the output jack would be used by the speakers, the researchers remapped the jacks so that the speakers can record sound when plugged into an output jack. The technique, developed by a team at Ben Gurion University of the Negev in Israel, involves the use of custom malware on the machine, but the researchers showed in their work that the attacks can succeed in recording audio from across a room.

The attack that the researchers developed allows them to record audio surreptitiously and then transmit it to another machine several meters away. The technique can be used without the user’s interaction.

“It’s pretty difficult to defend against such an attack, but it’s possible that anti-virus will detect such a microphone retasking and will block it. Chip manufacturers can redesign the internal commands that can be sent to the controller and regulate it in a better way,” Mordechai Guri, one of the paper's authors, said.

Submission + - The IRS Just Declared War on Bitcoin Privacy (fee.org)

SonicSpike writes: The Internal Revenue Service has filed a “John Doe” summons seeking to require U.S. Bitcoin exchange Coinbase to turn over records about every transaction of every user from 2013 to 2015.

That demand is shocking in sweep, and it includes: “complete user profile, history of changes to user profile from account inception, complete user preferences, complete user security settings and history (including confirmed devices and account activity), complete user payment methods, and any other information related to the funding sources for the account/wallet/vault, regardless of date.” And every single transaction.

The demand is not limited to owners of large amounts of Bitcoin or to those who have transacted in large amounts. Everything about everyone.

Equally shocking is the weak foundation for making this demand. In a declaration submitted to the court, an IRS agent recounts having learned of tax evasion on the part of one Bitcoin user and two companies. On this basis, he and the IRS claim “a reasonable basis for believing” that all U.S. Coinbase users “may fail or may have failed to comply” with the internal revenue laws.

The IRS’s effort to strip away the privacy of all Coinbase users is more broad than the government’s effort in recent cases dealing with cell site location information. In the CSLI cases, the government has sought data about particular suspects, using a standard below the probable cause standard required by the Fourth Amendment (“specific and articulable facts showing that there are reasonable grounds to believe”).

Submission + - Adobe VoCo, Google WaveNet Raise Voice Security Concerns

Trailrunner7 writes: As voice has continued to emerge as one of the key interfaces for new devices and apps, including vehicles, bank accounts, and home automation systems, concerns about the security of these systems have evolved, as well. Now, as both Google and Adobe have demonstrated systems that can insert and replace words in recorded speech or mimic human speech those concerns are becoming more concrete.

Adobe has revealed a project known as VoCo that has that it has compared to a Photoshop for voice recordings. The app can take a small piece of a person’s recorded voice and give the user the ability to rearrange or insert words or short phrases into the recording. The user types whatever text he wants into the app and the software can then add them into the recording wherever the user specifies.

Google also has been working on a synthetic speech system, known as WaveNet, which models raw audio waveforms to produce speech that sounds more human. Many existing text-to-speech systems rely on a database of recorded words to produce sentences. Google’s model doesn’t have that limitation.

Submission + - Lawmakers Try to Delay Expansion of Government Hacking

Trailrunner7 writes: As the deadline for Congress to act on a proposed change that would give federal law enforcement agencies expanded power to hack remote computers, a group of senators has introduced a bill to delay the rule change until next summer.

The proposed change to Rule 41 of the Federal Rules of Criminal Procedure would allow law enforcement officials to get a single warrant from essentially any judge where things related to a given crime have occurred to remotely search computers that might be involved in the crime. The modification also would allow officers to remotely search computers of victims of computer crimes.

Privacy advocates and some legislators say that the change would constitute a huge a expansion of government hacking powers, while Department of Justice officials and supporters of the change say it’s simply a procedural change. The United States Supreme Court approved the change in April and it is scheduled to go into effect on Dec. 1. Congress has the ability to enact legislation to prevent the change, but so far has not.

On Thursday, a group of five senators introduced a bill that would keep Rule 41 as-is for now and delay the change until July 1, 2017. The idea is to give Congress time to consider the consequences of the proposed change. Sen. Ron Wyden (D-Ore.), one of the sponsors of the new bill, has expressed concern about the change to the rule for months.

Submission + - Facebook fake-news writer: "Donald Trump is in the White House because of me" (washingtonpost.com) 1

JoeyRox writes: "Paul Horner, the 38-year-old impresario of a Facebook fake-news empire, has made his living off viral news hoaxes for several years. He has twice convinced the Internet that he’s British graffiti artist Banksy; he also published the very viral, very fake news of a Yelp vs. “South Park” lawsuit last year. But in recent months, Horner has found the fake-news ecosystem growing more crowded, more political and vastly more influential: In March, Donald Trump’s son Eric and his then-campaign manager, Corey Lewandowski, even tweeted links to one of Horner’s faux-articles. His stories have also appeared as news on Google."

Submission + - Carbanak Gang Calling Hotels to Convince Victims to Install Malware

Trailrunner7 writes: The Carbanak gang, one of the more successful and prolific cybercrime groups at work today, is using a new tactic to get its malware onto target networks: calls to customer service representatives at hotels that convince victims to open malicious attachments.

The technique is a simple one but has proven to be quite effective. Rather than spamming out huge volumes of email with rigged attachments, the attackers are calling selected hotels and telling the customer service reps that they’re having trouble using the online reservation system. They then ask if they can email over a document with their travel details. The attacker will stay on the phone with the victim until he opens the attachment, which is a Word document loaded with a malicious VBS script, according to researchers at Trustwave, who have investigated several incidents involving this technique recently.

This attack represents an interesting mixture of social engineering tactics and traditional spear phishing methods. Even highly targeted phishing campaigns typically involve several different waves of emails. But this technique allows the attacker to choose his target individually and receive immediate confirmation that the attack succeeded. The malware that’s involved in the attack is powerful and has a long list of capabilities. Once installed, it connects to a remote server and downloads a second stage tool that’s disguised as an Adobe file. It installs a persistence mechanism and might download even more tools.

Submission + - Schneier: We Need a New Agency for IoT Security

Trailrunner7 writes: The recent DDoS attacks by the Mirai botnet against various targets, including DNS provider Dyn, have drawn the attention of congressional leaders, who say there may be a need for regulation of IoT device security in order to address the problem of vulnerable embedded devices.

In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security and several lawmakers said that they were reluctant to get the government involved in regulating this problem, but it may be inevitable. The problem, of course, is that many of the embedded devices that make up the IoT aren’t manufactured in the United States, so regulation would have no effect on their security.

Another piece of the puzzle is the fact that there’s no one federal agency or independent organization that oversees security standards for IoT devices. There are embedded computers in cars, appliances, medical devices, and hundreds of other kinds of devices. That cuts across many different industries and regulatory fields, a problem that the federal government is not set up to handle.

“I actually think we need a new agency. We can’t have different rules if a computer makes calls, or a computer has wheels, or is in your body,” said cryptographer Bruce Schneier, another witness during the hearing. “The government is getting involved here regardless, because the stakes are too high. The choice isn’t between government involvement and no government involvement. It’s between good government involvement and stupid government involvement. I’m not a regulatory fan but this is a world of dangerous things.”

Submission + - PoisonTap: The Tiny Internet-Hijacking, Cookie-Stealing, Backdoor-on-a-Board

Trailrunner7 writes: A renowned hardware hacker has released a cheap USB device that, when plugged in to any computer–even password-protected or locked ones–can hijack all of the Internet traffic from the PC, steal web cookies, and install a persistent backdoor that survives after device is removed.

Known as PoisonTap, the device is the work of Samy Kamkar, a security researcher and hardware hacker who built the tool on a cheap Raspberry Pi Zero board. He’s released the code for PoisonTap, which could be a key tool in the arsenal of any security researcher or hacker. The device sounds simple, but there’s a whole lot going on in the background.

The device tells the infected machine that the PoisonTap local network contains all of the IPv4 space, so all Internet requests go through the device. The device performs a similar trick in order to siphon off web cookies from HTTP requests. When a browser running on the infected machine makes an HTTP request, the device will perform DNS spoofing so that the request goes to the PoisonTap web server rather than the intended one. The device has the ability to grab cookies from any of the Alexa top one million sites, Kamkar said.

Slashdot Top Deals

It is difficult to soar with the eagles when you work with turkeys.

Working...