Encryption

Why You Shouldn't Use Texts For Two-Factor Authentication (theverge.com) 86

An anonymous reader quotes a report from The Verge: A demonstration video posted by Positive Technologies (and first reported by Forbes) shows how easy it is to hack into a bitcoin wallet by intercepting text messages in transit. The group targeted a Coinbase account protected by two-factor authentication, which was registered to a Gmail account also protected by two-factor. By exploiting known flaws in the cell network, the group was able to intercept all text messages sent to the number for a set period of time. That was enough to reset the password to the Gmail account and then take control of the Coinbase wallet. All the group needed was the name, surname and phone number of the targeted Bitcoin user. These were security researchers rather than criminals, so they didn't actually steal anyone's bitcoin, although that would have been an easy step to take. At a glance, this looks like a Coinbase vulnerability, but the real weakness is in the cellular system itself. Positive Technologies was able to hijack the text messages using its own research tool, which exploits weaknesses in the cellular network to intercept text messages in transit. Known as the SS7 network, that network is shared by every telecom to manage calls and texts between phone numbers. There are a number of known SS7 vulnerabilities, and while access to the SS7 network is theoretically restricted to telecom companies, hijacking services are frequently available on criminal marketplaces. The report notes of several ways you can protect yourself from this sort of attack: "On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you've got a more secure app-based method established. Google, for instance, will let you manage two-factor and account recovery here and here; just set up Authenticator or a recovery code, then go to the SMS option for each and click 'Remove Phone.'"
AI

AI Just Made Guessing Your Password a Whole Lot Easier (sciencemag.org) 119

sciencehabit shares a report from Science Magazine: The Equifax breach is reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you're probably toast in less than an hour. Now, there's more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles.

Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A "generator" attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a "discriminator" tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they'd be at cracking them. On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

Security

Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed (bloomberg.com) 86

Bloomberg is reporting that Equifax, the credit reporting company that recently reported a cybersecurity incident impacting roughly 143 million U.S. consumers, learned about a breach of its computer systems in March -- almost five months before the date it has publicly disclosed. The company said the March breach was unrelated to the recent hack involving millions of U.S. consumers, but one of the people familiar with the situation said the breaches involve the same intruders. From the report: Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said. Equifax's hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. The revelation of a March breach will complicate the company's efforts to explain a series of unusual stock sales by Equifax executives. If it's shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading. The U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe.

In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company's outside counsel, Atlanta-based law firm King & Spalding, first engaged Mandiant at about that time. While it's not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May. Equifax has yet to disclose that March breach to the public.

Businesses

Slashdot Asks: Which IT Hiring Trends Are Hot, and Which Ones Are Going Cold? 175

snydeq writes: Recruiting and retaining tech talent remains IT's biggest challenge today, writes Paul Heltzel, in an article on what trends are heating up and what's cooling off when it comes to IT staffing. "One thing hasn't changed this year: Recruiting top talent is still difficult for most firms, and demand greatly outstrips supply," writes Heltzel. "That's influencing many of the areas we looked at, including compensation and retention. Whether you're looking to expand your team or job searching yourself, read on to see which IT hiring practices are trending and which ones are falling out of favor." What are you seeing companies favoring in the hiring market these days?
Microsoft

Microsoft Confirms Outlook Issues (bbc.com) 41

Microsoft has confirmed that some users of its email service Outlook are unable to send email or access their accounts. From a report: Hundreds from around Europe have commented on the website Downdetector that they have been affected by the problem -- many since Monday morning. One common issue seems to be that sent emails remain in the drafts folder and are not being delivered to recipients. On its website, Microsoft says the service dropped "unexpectedly" and it is working on a fix. Not all account holders are affected. "Intermittent connectivity is affecting customers in some European countries, which we are working to resolve as soon as possible," said a Microsoft representative.
IOS

Apple Officially Bans Scammy Antivirus Apps From iOS App Store (theverge.com) 51

Fake "virus scanning" apps have plagued the iOS App Store for a while, and Apple seems to finally be banning them once and for all in updated developer guidelines it published last week. From a report: The updated developer guidelines, compiled by Paul Hudson over at Hacking With Swift, now includes a ban on apps that claim to "including content or services that it does not actually offer" -- something that includes any iOS virus scanning apps, seeing as it wasn't possible to scan for viruses on iOS with third party apps, since iOS's sandboxing prevents applications from directly interacting with each other or the core of the iOS operating system.
Security

Avast's CCleaner Free Windows Application Infected With Malware (bleepingcomputer.com) 152

Reader Tinfoil writes: Cisco Talos announces that malware cleaning app, CCleaner, has been infected with malware for the past month. Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to a report published by Cisco Talos a few minutes ago. Cisco Talos believes that a threat actor might have compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan. The company said more 2.27 million had downloaded the compromised version of CCleaner.
Privacy

Illinois Tests A Blockchain-Based Birth Registry/ID System (illinoisblockchain.tech) 142

An anonymous reader quotes Government Technology: The state of Illinois, which has six blockchain pilots underway, will partner with Utah-based Evernym for a birth registry pilot meant to individualize and secure identities... The endeavor, one of six distinct blockchain explorations Illinois began last summer with a working group, is expected to utilize the Sovrin Foundation's publicly available distributed identity ledger and expand upon accomplishments of the W3C Verifiable Claims Task Force, the state said... Recognizing that identity -- and, now, digital identity -- begin at birth, the state will explore using these technologies to create "a secure 'self-sovereign' identity for Illinois citizens during the birth registration process," it said in the announcement.
More from the Illinois Blockchain Initiative site: Self-sovereign identity refers to a digital identity that remains entirely under the individual's control. A self-sovereign identity can be efficiently and securely validated by entities who require it, free from reliance on a centralized repository. Jennifer O'Rourke, Blockchain Business Liaison for the Illinois Blockchain Initiative commented, "To structurally address the many issues surrounding digital identity, we felt it was important to develop a framework that examines identity from its inception at child birth... Identity is not only foundational to nearly every government service, but is the basis for trust and legitimacy in the public sector."

In the proposed framework, government agencies will verify birth registration information and then cryptographically sign identity attributes such as legal name, date of birth, sex or blood type, creating what are called "verifiable claims" or attributes. Permission to view or share each of these government-verified claims is stored on the tamper-proof distributed ledger protocol in the form of a decentralized identifier... This minimizes the need for entities to establish, maintain and rely upon their own proprietary databases of identity information.

Evernym's "Chief Trust Officer" sees the program as "a major contribution to the larger effort of solving the online identity problem."
Windows

'Bashware' Attacks Exploit Windows 10's Subsystem for Linux (betanews.com) 79

Mark Wilson quote BetaNews: While many people welcomed the arrival of Windows Subsystem for Linux (WSL) in Windows 10, it has been found to be a potential security issue. A new technique known as a Bashware has been discovered by security researchers that makes it possible for malware to use the Linux shell to bypass security software.

While administrator access is needed to execute a Bashware attack, this is fairly easily obtained, and the technique can be used to disguise malicious operations from antivirus software and other security tools. Researchers from Check Point Research point out that the danger stems from the fact that "existing security solutions are still not adapted to monitor processes of Linux executables running on Windows."

Government

NSA Launches 'Codebreaker Challenge' For Students: Stopping an Infrastructure Attack (ltsnet.net) 53

Slashdot reader eatvegetables writes: The U.S. National Security Agency launched Codebreaker Challenge 2017 Friday night (Sept 15) at 9 p.m. EST. It started off as a reverse-engineering challenge a few years ago but has grown in scope to include network analysis, reverse-engineering, and vulnerability discovery/exploitation.

This year's challenge story centers around hackers attacking critical "supervisory control and data acquisition" (SCADA) infrastructure. Your mission, should you choose to accept it, is to figure out how the SCADA network is being attacked, find the attack vector(s), and stop the bad guy(s)/gal(s)/other(s).

Codebreaker-Challenge is unusual for capture-the-flag(ish) contests due to the scope/number of challenges and how long the contest runs (now until end of year). Also (this year, at least), the challenge is built around a less than well-known networking protocol, MQTT. It's open to anyone with a school.edu email address. A site leader-board shows which school/University has the most l33t students. Carnegie Mellon and Georgia Institute of Tech are at the top of the leader-board as of Saturday morning.

Last year, 3,300 students (from 481 schools) participated, with 15 completing all six tasks. One Carnegie Mellon student finished in less than 18 hours.

A resources page offers "information on reverse engineering," and the NSA says the first 50 students who complete all the tasks ths year will receive a "small token" of appreciation from the agency.
Security

Security.txt Standard Proposed, Similar To Robots.txt (bleepingcomputer.com) 84

An anonymous reader writes: Ed Foudil, a web developer and security researcher, has submitted a draft to the IETF — Internet Engineering Task Force — seeking the standardization of security.txt, a file that webmasters can host on their domain root and describe the site's security policies. The file is akin to robots.txt, a standard used by websites to communicate and define policies for web and search engine crawlers...

For example, if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue. According to the current security.txt IETF draft, website owners would be able to create security.txt files that look like this:

#This is a comment
Contact: security@example.com
Contact: +1-201-555-0123
Contact: https://example.com/security
Encryption: https://example.com/pgp-key.tx...
Acknowledgement: https://example.com/acknowledg...
Disclosure: Full

Bug

Equifax CSO 'Retires'. Known Bug Was Left Unpatched For Nearly Five Months (marketwatch.com) 192

phalse phace quotes MarketWatch: Following on the heels of a story that revealed that Equifax hired a music major with no education related to technology or security as its Chief Security Officer, Equifax announced on Friday afternoon that Chief Security Officer Susan Mauldin has quit the company along with Chief Information Officer David Webb.

Chief Information Officer David Webb and Chief Security Officer Susan Mauldin retired immediately, Equifax said in a news release that did not mention either of those executives by name. Mark Rohrwasser, who had been leading Equifax's international information-technology operations since 2016, will replace Webb and Russ Ayres, a member of Equifax's IT operation, will replace Mauldin.

The company revealed Thursday that the attackers exploited Apache Struts bug CVE-2017-5638 -- "identified and disclosed by U.S. CERT in early March 2017" -- and that they believed the unauthorized access happened from May 13 through July 30, 2017.

Thus, MarketWatch reports, Equifax "admitted that the security hole that attackers used was known in March, about two months before the company believes the breach began." And even then, Equifax didn't notice (and remove the affected web applications) until July 30.
The Military

Mystery of Sonic Weapon Attacks At US Embassy In Cuba Deepens (theguardian.com) 214

An anonymous reader quotes a report from The Guardian: The blaring, grinding noise jolted the American diplomat from his bed in a Havana hotel. He moved just a few feet, and there was silence. He climbed back into bed. Inexplicably, the agonizing sound hit him again. It was as if he'd walked through some invisible wall cutting straight through his room. Soon came the hearing loss, and the speech problems, symptoms both similar and altogether different from others among at least 21 U.S. victims in an astonishing international mystery still unfolding in Cuba. The top U.S. diplomat has called them "health attacks." New details learned by the Associated Press indicate at least some of the incidents were confined to specific rooms or even parts of rooms with laser-like specificity, baffling U.S. officials who say the facts and the physics don't add up.

Suspicion initially focused on a sonic weapon, and on the Cubans. Yet the diagnosis of mild brain injury, considered unlikely to result from sound, has confounded the FBI, the state department and U.S. intelligence agencies involved in the investigation. Some victims now have problems concentrating or recalling specific words, several officials said, the latest signs of more serious damage than the U.S. government initially realized. The United States first acknowledged the attacks in August -- nine months after symptoms were first reported.

Privacy

Credit Karma To Launch Free ID Monitoring Following Equifax Hack (reuters.com) 24

Credit Karma is launching a new free service that will alert customers if their identity data has been compromised in hacks, the San Francisco-based fintech company said on Friday in the wake of massive breach at credit monitoring agency Equifax. From a report: The new ID monitoring service is being tested and will be available in October, the company said on Friday. Similar to services offered by Symantec-owned LifeLock, CreditKarma will keep track of data breaches and tell customers if they are one of the victims. Customers can then check to use the company's credit monitoring services and flag suspicious activities. The company said it was accelerating the launch of the new service in response to the large data breach at Equifax, where thieves may have stolen personal information of 143 million Americans.
Security

Warning: 'MetalKettle' Repository For Kodi Becomes Vulnerable After GitHub Takeover (betanews.com) 28

BrianFagioli shares a report from BetaNews: Unfortunately, there can apparently be security issues with repositories when they shut down. For example, when the metalkettle repo ended, the developer deleted its entry on GitHub. This in itself is not a cause for concern, but unfortunately, GitHub's allowance of project names to be recycled is. You see, someone re-registered the metalkettle name, making it possible for nefarious people to potentially serve up malware to Kodi users. The warning came from the metalkettle developer over on Twitter. He warns that devices with the repository installed could be in danger from a security standpoint. If a user was to search that repo, and the new owner of the GitHub name was to share malware, the user could assume it is safe and install it. We do not know 100 percent if the person that re-registered the metalkettle name on GitHub is planning anything evil, but it is better to be safe than sorry. If you still have the repository installed, you should remove it immediately. Not to mention, if you know someone using Kodi, such as a friend or family member, you should warn them too.
Security

Equifax Says Almost 400,000 Britons Hit In Data Breach (bbc.co.uk) 45

MalachiK shares a report from the BBC: Data about British people "may potentially have been accessed" during the data breach at the U.S. credit rating firm Equifax. The UK arm of the organization said files containing information on "fewer than 400,000" UK consumers was accessed in the breach. In a statement, the UK office of Equifax said an internal investigation had shown that data on UK consumers was accessed during the hack. It said data on Britons was being held in the U.S. due to a "process failure" which meant that a limited amount of information was stored in North America between 2011 and 2016. The information held included names, dates of birth, email addresses and telephone numbers. No addresses, passwords or financial data was involved.
Windows

HP Users Complain About 10-Minute Login Lag During 'Win 10 Update' (theregister.co.uk) 105

A number of HP device owners are complaining of seeing black screens for around five to 10 minutes after entering their Windows login information. From a report: They appear to be pointing the finger of blame at Windows 10 updates released September 12 for x64-based systems. One, a quality update called KB4038788, offered a whopping 27 bullet points for general quality improvements and patches, such as an "issue that sometimes causes Windows File Explorer to stop responding and causes the system to stop working." Another, KB4038806, was a "critical" patch for Adobe Flash Player that allowed remote code execution.
Security

Equifax CEO Hired a Music Major as the Company's Chief Security Officer 428

Susan Mauldin, the person in charge of the Equifax's data security, has a bachelor's degree and a master of fine arts degree in music composition from the University of Georgia, according to her LinkedIn profile. Mauldin's LinkedIn profile lists no education related to technology or security. If that wasn't enough, news outlet MarketWatch reported on Friday that Susan Mauldin's LinkedIn page was made private and her last name was replaced with "M", in a move that appears to keep her education background secret.

Earlier this month Equifax, which is one of the three major consumer credit reporting agencies, said that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver's license numbers. On Friday, the UK arm of the organisation said files containing information on "fewer than 400,000" UK consumers was accessed in the breach.

UPDATE (9/16/2017): CSO Susan Mauldin has abruptly 'retired' from Equifax.
Advertising

First Ever Malvertising Campaign Uses JavaScript To Mine Cryptocurrencies In Your Browser (bleepingcomputer.com) 70

An anonymous reader writes from a report via Bleeping Computer: Malware authors are using JavaScript code delivered via malvertising campaigns to mine different cryptocurrencies inside people's browsers (mostly Monero), without their knowledge. The way crooks pulled this off was by using an online advertising company that allows them to deploy ads with custom JavaScript code. The JavaScript code is a modified version of MineCrunch (also known as Web Miner), a script released in 2014 that can mine cryptocurrencies using JavaScript code executed inside the browser. Cryptocurrency mining operations are notoriously resource-intensive and tend to slow down a user's computer. To avoid raising suspicion, crooks delivered malicious ads mainly on video streaming and browser-based gaming sites (currently mostly Ukrainian and Russian sites). Both types of sites use lots of resources, and users wouldn't get suspicious when their computer slowed down while accessing the site. Furthermore, users tend to linger more on browser games and video streaming services, allowing the mining script to do its job and generate profits for the crooks.
Security

ISPs Claim a Privacy Law Would Weaken Online Security, Increase Pop-Ups (arstechnica.com) 86

An anonymous reader quotes a report from Ars Technica: The country's biggest Internet service providers and advertising industry lobby groups are fighting to stop a proposed California law that would protect the privacy of broadband customers. AT&T, Comcast, Charter, Frontier, Sprint, Verizon, and some broadband lobby groups urged California state senators to vote against the proposed law in a letter Tuesday. The bill would require Internet service providers to obtain customers' permission before they use, share, or sell the customers' Web browsing and application usage histories. California lawmakers could vote on the bill Friday of this week, essentially replicating federal rules that were blocked by the Republican-controlled Congress and President Trump before they could be implemented. The text and status of the California bill, AB 375, are available here.

The letter claims that the bill would "lead to recurring pop-ops to consumers that would be desensitizing and give opportunities to hackers" and "prevent Internet providers from using information they have long relied upon to prevent cybersecurity attacks and improve their service." The Electronic Frontier Foundation picked apart these claims in a post yesterday. The proposed law won't prevent ISPs from taking security measures because the bill "explicitly says that Internet providers can use customer's personal information (including things like IP addresses and traffic records) 'to protect the rights or property of the BIAS [Broadband Internet Access Service] provider, or to protect users of the BIAS and other BIAS providers from fraudulent, abusive, or unlawful use of the service,'" EFF Senior Staff Technologist Jeremy Gillula wrote.

Slashdot Top Deals