
Submission + - 68 Million Hashed Dropbox Passwords Dumped Online

Trailrunner7 writes: The scope of a compromise of Dropbox four years ago that the company initially said only involved customer email addresses being stolen has now expanded, with more than 68 million user passwords dumped online.

The cache comprises passwords that are hashed with either SHA-1 or bcrypt and none of them are in plaintext. When Dropbox first disclosed the breach in 2012, company officials said that the attackers had taken users’ email addresses and some users were receiving spam on those accounts. The compromise was the result of a Dropbox employee reusing an internal password.

Submission + - L0phtCrack 7 Shows Windows Passwords Only Getting Weaker

Trailrunner7 writes: Time waits for no man, and neither does L0phtCrack. Nearly 20 years after the first version of the password auditing and cracking tool was released, L0phtCrack 7, released Tuesday, shows that Windows passwords are even easier to crack now than they were in 1997.

L0phtCrack was the first password auditing tool released for Windows and its availability had a concrete effect on the way that Microsoft handled passwords. After its release, Microsoft abandoned the hash algorithm it had been using, known as LANMAN, and changed to NTLM instead. When L0phtCrack hit the streets in 1997, it could crack an eight-character Windows password in about 24 hours on a typical commodity PC available at the time.

Hardware advances and improvements in the cracking engine have made a huge dent in the time needed to recover that same eight-character alphanumeric password now.

“Things haven’t improved due to backwards compatibility. Windows AD is relied on by so many systems now. Microsoft slowly deprecated the older LANMAN hash between 1997 Windows NT and Vista. Now it is completely gone but the current MD4 hash is actually weaker today than LANMAN was back when we were inspired to create L0phtCrack,” Chris Wysopal, one of the founders of the L0pht, said.

Submission + - Google Login Bug Allows Credential Theft

Trailrunner7 writes: Attackers can add an arbitrary page to the end of a Google login flow that can steal users’ credentials or, alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process.

A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don’t consider it a security issue. The bug results from the fact that the Google login page will take a specific, weak GET parameter.

Using this bug, an attacker could add an extra step to the end of the login flow that could steal a user’s credentials. For example, the page could mimic an incorrect password dialog and ask the user to re-enter the password. Woods said an attacker also could send an arbitrary file to the target’s browser any time the login form is submitted.

In an email interview, Woods said exploiting the bug is a simple matter.

“Attacker would not need to intercept traffic to exploit – they only need to get the user to click a link that they have crafted to exploit the bug in the continue parameter,” Woods said.

Google told Woods they don't consider this a security issue.

Submission + - Apple Fixes Three Zero Days Used in Government Targeted Attack

Trailrunner7 writes: Apple has patched three critical vulnerabilities in iOS that were identified when an attacker targeted a human rights activist in the UAE with an exploit chain that used the bugs to attempt to remotely jailbreak and infect his iPhone.

The vulnerabilities include two kernel flaws and one in WebKit and Apple released iOS 9.3.5 to fix them. The attack that set off the investigation into the vulnerabilities targeted Ahmed Mansoor, an activist living in the UAE. Earlier this month, he received a text message that included a link to what was supposedly new information on human rights abuses. Suspicious, Mansoor forwarded the link to researchers at the University of Toronto’s Citizen Lab, who recognized what they were looking at.

“On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based ‘cyber war’ company that sells Pegasus, a government-exclusive “lawful intercept” spyware product,” Citizen Lab said in a new report on the attack and iOS flaws.

Submission + - New SWEET32 Crypto Attacks Speed Up Deprecation of 3DES, Blowfish

msm1267 writes: New attacks revealed today against 64-bit block ciphers push cryptographic ciphers such as Triple-DES (3DES) and Blowfish closer to extinction.

The attacks, known as SWEET32, allow for the recovery of authentication cookies from HTTPS traffic protected by 3DES, and BasicAUTH credentials from OpenVPN traffic protected by default by Blowfish.

In response, OpenSSL is expected tomorrow to remove 3DES from its default build in 1.1.0, and lower its designation from High to Medium in 1.0.2 and 1.0.1. OpenVPN, meanwhile, is expected to release a new version this week as well with a warning about Blowfish and new configuration advice protecting against the SWEET32 attacks.

The researchers behind SWEET32 said this is a practical attack because collisions begin after a relatively short amount of data is introduced. By luring a victim to a malicious site, the attacker can inject JavaScript into the browser that forces the victim to connect over and over to a site they're authenticated to. The attacker can then collect enough of that traffic--from a connection that is kept alive for a long period of time--to recover the session cookie.

Submission + - Snowden's Long Shadow Darkens NSA Reputation

Trailrunner7 writes: The massive data dump by the Shadow Brokers has become a kind of fun house mirror for the security industry. People come at it with all of their suppositions, biases, and baggage, and walk away with a distorted view of what’s actually there and what it means.

There are nearly as many opinions on what the apparent theft and release of a big pile of NSA tools, binaries, and exploits says about the agency and its methods as there are files in the dump itself. Most of them have their merits, and nearly all of them have focused on the NSA’s practice of finding, hoarding, and using vulnerabilities for offensive intelligence gathering purposes. Whether that’s a moral practice can and has been debated ad nauseam in the security community, and not just for the last couple of weeks. For decades.

But that’s the wrong line of thinking, at least in this case. One thing it has illuminated, though, is that perhaps the NSA isn’t as good at keeping its secrets as the agency’s officials would like us to believe. A big part of being an organization that is tasked with keeping secrets is not only being able to defend them, but convincing people–both allies and adversaries–that you can defend them. For decades, most Americans didn’t even know the NSA existed, let alone what it did or how. That changed gradually as journalists put the pieces together, and the agency became known as the repository and defender of the country’s most valuable secrets.

That image was shattered the day that Edward Snowden walked out the door with a still-unknown amount of the NSA’s most closely guarded information on methods and capabilities. Apart from the damage that Snowden’s actions did to ongoing intelligence operations, it also let Americans and, more importantly, the world at large, know that the NSA could be gotten. That’s where the true long-term effects from his decision may be felt, and we’re beginning to see them even now.

Whoever stole the information in the Shadow Brokers cache–be it an insider or an outside attacker–did so with the knowledge that someone had done the same thing before. And now the NSA, once seen as inscrutable and possibly invincible, has gotten got not once, but twice.

Submission + - SPAM: Critical Flaw in GPG, Present since 1998, Fixed

Trailrunner7 writes: Researchers have uncovered a critical vulnerability in GnuPG and Libgcrypt that has been around since 1998 and allows an attacker to predict output from the software’s random number generator under some conditions.

The vulnerability was discovered by a team from Karlsruhe Institute of Technology in Germany, and the people behind the GnuPG Project, who maintain both applications, say that users should install the fixed version of the software as soon as possible. The bug affects every version of both GnuPG and Libgcrypt.

“An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions,” the advisory from the GnuPG Project says.

Submission + - DataSploit, the Social Engineering Automation Framework

Trailrunner7 writes: Social engineering is a broad term applied to an ill-defined list of activities, and many of the techniques that criminals and white hats both use are developed ad hoc. But a new tool called DataSploit aims to pull together many of the reconnaissance activities into one framework that will gather large amounts of data on a target in a single place.

The tool is meant to help researchers and penetration testers gather intelligence on a given person or company, using things such as email addresses, domains, phone numbers, and other identifiers as the starting point. DataSploit automates the process of pulling together this information, which typically is a laborious manual task.

Submission + - Researchers: Strong Connection Between Shadow Brokers Dump and Equation Group

Trailrunner7 writes: The researchers who originally uncovered the Equation Group, a hacking team strongly believed to be tied to the NSA, say that the trove of offensive tools, exploits, and files apparently stolen from that group and dumped online this week has a “strong connection” to the Equation Group’s known toolsets.

Kaspersky’s researchers had a look at the tools dumped by Shadow Brokers, too, and found some very strong evidence that they came from the Equation Group’s arsenal. The Equation Group team uses a specific, unique implementation of the RC5 and RC6 ciphers, which is found in the Shadow Brokers dump.

“Comparing the older, known Equation RC6 code and the code used in most of the binaries from the new leak we observe that they are functionally identical and share rare specific traits in their implementation,” Kaspersky researchers said.

Submission + - New Wave Of Targeted Attacks Focus On Industrial Organizations

An anonymous reader writes: Kaspersky Lab researchers discovered a new wave of targeted attacks against the industrial and engineering sectors in 30 countries around the world. Dubbed Operation Ghoul, these cybercriminals use spear-phishing emails and malware based on a commercial spyware kit to hunt for valuable business-related data stored in their victims’ networks. Operation Ghoul is only one among several other campaigns that are supposedly controlled by the same group. The group is still active, and in total more than 130 organizations from 30 countries, including Spain, Pakistan, United Arab Emirates, India, Egypt, United Kingdom, Germany, Saudi Arabia and other countries, were successfully attacked by this group.

Submission + - Serious Flaws in iMessage Crypto Allow for Message Decryption

Trailrunner7 writes: New research from a team at Johns Hopkins University shows that there are serious problems with the way Apple implemented encryption on its iMessage system, leaving it open to retrospective decryption attacks that can reveal the contents of all of a victim’s past iMessage texts.

The iMessage system, like much of what Apple does, is opaque and its inner workings have not been made available to outsiders. One of the key things that is known about the system is that messages are encrypted from end to end and Apple has said that it does not have the ability to decrypt users’ messages. The researchers at JHU, led by Matthew Green, a professor of computer science at the school, reverse engineered the iMessage protocol and discovered that Apple made some mistakes in its encryption implementation that could allow an attacker who has access to encrypted messages to decrypt them.

Submission + - Cache Attacks on Android Devices Can Steal Crypto Keys, Virtually Any Data

Trailrunner7 writes: Researchers from an Austrian university have developed techniques that allow them to perform cache attacks on non-rooted Android phones that can monitor the keystrokes, screen taps, and even observe code execution inside the ARM processor’s TrustZone secure execution environment.

The attacks the team developed are complex and rely on a number of individual building blocks. The techniques are similar to some used against Intel x86 processor-based systems, but the team from Graz University of Technology in Austria shows that they can be used on ARM-based systems, such as Android phones, as well.

“Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude. Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen,” the researchers wrote.

Submission + - Widespread Linux Flaw Allows TCP Session Hijacking, Data Injection

Trailrunner7 writes: The TCP implementation in all Linux systems built since 2012 has a serious flaw that can allow an attacker to terminate or inject data into a session between any two vulnerable machines on the Internet. The bug could also be used to end encrypted connections or downgrade the privacy of connections run through Tor or other anonymity networks.

The vulnerability was introduced in Linux 3.6 and an attacker does not need to be in a man-in-the-middle position in order to exploit it. The researchers at the University of California Riverside who discovered the flaw say that it results from an attacker’s ability to infer the TCP sequence numbers for the packets flowing between two hosts.

Submission + - How InMobi Abused iOS and Android APIs to Track Mobile Users

Trailrunner7 writes: As Apple and Google add better privacy protections to their mobile platforms, advertising firms have had to get more and more creative with how they display ads to users and track them as they move around the physical world as well as the Internet.

One of the companies that has been at the center of this is InMobi, a major mobile ad company, that offers products to clients that allow them to geo-target users and show them targeted ads. The FTC in June reached a settlement with InMobi over the company’s practices, charging that the company tracked consumers, specifically children, without their consent. InMobi said that it obtains consent from users before geotracking them, but the FTC found that wasn’t true, and the commission has now detailed exactly how the tracking worked.

According to the FTC’s investigation, InMobi was able to circumvent privacy protections on both iOS and Android that prevent apps from using APIs to track users without their permission. The company did this by constructing its own geocoded database.

Submission + - Apple Launches iOS Bug Bounty

Trailrunner7 writes: Vulnerabilities in iPhone hardware and software are among the more valuable bugs there are, especially those that give an attacker full access to the device. Apple knows this as well as anyone, and today the company announced that it is starting an invitation-only bug bounty program that will pay up to $200,000 for the most critical iPhone bugs.

The announcement was a long time coming, as many of the larger security, software, and hardware companies have had bounty programs for years. Microsoft, Google, Facebook, and many others have well-established reward programs for researchers, but Apple had been resistant to the idea. On Thursday at the Black Hat conference here, Ivan Krstic, the head of Apple’s security engineering and architecture team, said the program would begin in September and would initially be by invitation only.
