Security

Phishing Attack Scores Credentials For More Than 50,000 Snapchat Users (theverge.com) 11

An anonymous reader quotes an exclusive report from The Verge: In late July, Snap's director of engineering emailed the company's team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company's users: a publicly available list, embedded in a phishing website named klkviral.org, that listed 55,851 Snapchat accounts, along with their usernames and passwords. The attack appeared to be connected to a previous incident that the company believed to have been coordinated from the Dominican Republic, according to emails obtained by The Verge. Not all of the account credentials were valid, and Snap had reset the majority of the accounts following the initial attack. But for some period of time, thousands of Snapchat account credentials were available on a public website. According to a person familiar with the matter, the attack relied on a link sent to users through a compromised account that, when clicked, opened a website designed to mimic the Snapchat login screen.
Security

A Hacker Has Wiped a Spyware Company's Servers -- Again (vice.com) 62

Last year, a vigilante hacker broke into the servers of a company that sells spyware to everyday consumers and wiped their servers, deleting photos captured from monitored devices. A year later, the hacker has done it again. Motherboard: Thursday, the hacker said he started wiping some cloud servers that belong to Retina-X Studios, a Florida-based company that sells spyware products targeted at parents and employers, but that are also used by people to spy on their partners without their consent. Retina-X was one of two companies that were breached last year in a series of hacks that exposed the fact that many otherwise ordinary people surreptitiously install spyware on their partners' and children's phones in order to spy on them. This software has been called "stalkerware" by some.
Intel

Intel Hit With More Than 30 Lawsuits Over Security Flaws (reuters.com) 94

Intel said on Friday shareholders and customers had filed 32 class action lawsuits against the company in connection with recently-disclosed security flaws in its microchips. From a report: Most of the lawsuits -- 30 -- are customer class action cases that claim that users were harmed by Intel's "actions and/or omissions" related to the flaws, which could allow hackers to steal data from computers. Intel said in a regulatory filing it was not able to estimate the potential losses that may arise out of the lawsuits. Security researchers at the start of January publicized two flaws, dubbed Spectre and Meltdown, that affected nearly every modern computing device containing chips from Intel, Advanced Micro Devices and ARM.
Security

Google Exposes How Malicious Sites Can Exploit Microsoft Edge (zdnet.com) 50

Google's Project Zero team has published details of an unfixed bypass for an important exploit-mitigation technique in Edge. From a report: The mitigation, Arbitrary Code Guard (ACG), arrived in the Windows 10 Creators Update to help thwart web attacks that attempt to load malicious code into memory. The defense ensures that only properly signed code can be mapped into memory. However, as Microsoft explains, Just-in-Time (JIT) compilers used in modern web browsers create a problem for ACG. JIT compilers transform JavaScript into native code, some of which is unsigned and runs in a content process.

To ensure JIT compilers work with ACG enabled, Microsoft put Edge's JIT compiling in a separate process that runs in its own isolated sandbox. Microsoft said this move was "a non-trivial engineering task." "The JIT process is responsible for compiling JavaScript to native code and mapping it into the requesting content process. In this way, the content process itself is never allowed to directly map or modify its own JIT code pages," Microsoft says. Google's Project Zero found an issue is created by the way the JIT process writes executable data into the content process.

Twitter

Pro-Gun Russian Bots Flood Twitter After Parkland Shooting (wired.com) 677

An anonymous reader quotes a report from Wired: In the wake of Wednesday's Parkland, Florida school shooting, which resulted in 17 deaths, troll and bot-tracking sites reported an immediate uptick in related tweets from political propaganda bots and Russia-linked Twitter accounts. Hamilton 68, a website created by Alliance for Securing Democracy, tracks Twitter activity from accounts it has identified as linked to Russian influence campaigns. On RoBhat Labs' Botcheck.me, a website created by two Berkeley students to track 1500 political propaganda bots, all of the top two-word phrases used in the last 24 hours -- excluding President Trump's name -- are related to the tragedy: School shooting, gun control, high school, Florida school. The top hashtags from the last 24 hours include Parkland, guncontrol, and guncontrolnow.

While RoBhat Labs tracks general political bots, Hamilton 68 focuses specifically on those linked to the Russian government. According to the group's data, the top link shared by Russia-linked accounts in the last 48 hours is a 2014 Politifact article that looks critically at a statistic cited by pro-gun control group Everytown for Gun Safety. Twitter accounts tracked by the group have used the old link to try to debunk today's stats about the frequency of school shootings. Another top link shared by the network covers the "deranged" Instagram account of the shooter, showing images of him holding guns and knives, wearing army hats, and a screenshot of a Google search of the phrase "Allahu Akbar." Characterizing shooters as deranged lone wolves with potential terrorist connections is a popular strategy of pro-gun groups because of the implication that new gun laws could not have prevented their actions. Meanwhile, some accounts with large bot followings are already spreading misinformation about the shooter's ties to far-left group Antifa, even though the Associated Press reported that he was a member of a local white nationalist group. The Twitter account Education4Libs, which RoBhat Labs shows is one among the top accounts tweeted at by bots, is among the prominent disseminators of that idea.

Communications

119,000 Passports, Photo IDs of FedEx Customers Found On Unsecured Amazon Server (gizmodo.com) 34

FedEx left scanned passports, drivers licenses, and other documentation belonging to thousands of its customers exposed on a publicly accessible Amazon S3 server, reports Gizmodo. "The scanned IDs originated from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries. The IDs were attached to forms that included several pieces of personal information, including names, home addresses, phone numbers, and zip codes." From the report: The server, discovered by researchers at the Kromtech Security Center, was secured as of Tuesday. According to Kromtech, the server belonged to Bongo International LLC, a company that aided customers in performing shipping calculations and currency conversations, among other services. Bongo was purchased by FedEx in 2014 and renamed FedEx Cross-Border International a little over a year later. The service was discontinued in April 2017. According to Kromtech, more than 119,000 scanned documents were discovered on the server. As the documents were dated within the 2009-2012 range, its unclear if FedEx was aware of the server's existence when it purchased Bongo in 2014, the company said.
United Kingdom

UK Blames Russia For Cyber Attack, Says Won't Tolerate Disruption (reuters.com) 142

Britain blamed Russia on Thursday for a cyber-attack last year, publicly pointing the finger at Moscow for spreading a virus which disrupted companies across Europe including UK-based Reckitt Benckiser. From a report: Russia denied the accusation, saying it was part of "Russophobic" campaign it said was being waged by some Western countries. The so-called NotPetya attack in June started in Ukraine where it crippled government and business computers before spreading around the world, halting operations at ports, factories and offices. Britain's foreign ministry said the attack originated from the Russian military. "The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity," the ministry said in a statement. "The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt," it said.
Facebook

Facebook Is Spamming Users Via Their 2FA Phone Numbers (mashable.com) 119

According to Mashable, Facebook account holder Gabriel Lewis tweeted that Facebook texted "spam" to the phone number he submitted for the purposes of 2-factor authentication. Lewis insists that he did not have mobile notifications turned on, and when he replied "stop" and "DO NOT TEXT ME," he says those messages showed up on his Facebook wall. From the report: Lewis explained his version of the story to Mashable via Twitter direct message. "[Recently] I decided to sign up for 2FA on all of my accounts including FaceBook, shortly afterwards they started sending me notifications from the same phone number. I never signed up for it and I don't even have the FB app on my phone." Lewis further explained that he can go "for months" without signing into Facebook, which suggests the possibility that Mark Zuckerberg's creation was feeling a little neglected and trying to get him back. According to Lewis, he signed up for 2FA on Dec. 17 and the alleged spamming began on Jan. 5. Importantly, Lewis isn't the only person who claims this happened to him. One Facebook user says he accidentally told "friends and family to go [to] hell" when he "replied to the spam."
Government

Kaspersky Lab Sues Over Second Federal Ban (axios.com) 97

Cybersecurity firm Kaspersky Lab has filed a lawsuit targeting the second of two federal bans on its wares. The latest suit goes after language in a defense law explicitly blocking the purchase of Kaspersky products. An earlier suit targets a Homeland Security directive doing the same. From a report: The bigger picture: With the White House reluctant to institute additional sanctions on Russia, White House Cyber Czar Rob Joyce pointed to Kaspersky as an example of the Trump administration taking Russia seriously. While Kaspersky isn't alleged to be involved in the election hacks of 2016, it's hard not to see the actions against the firm in the context of deteriorated relations with Moscow, as part of a growing spat between the two countries.
Bitcoin

Kaspersky Says Telegram Flaw Used For Cryptocurrency Mining (bloomberg.com) 42

According to Kaspersky Lab, hackers have been exploiting a vulnerability in Telegram's desktop client to mine cryptocurrencies such as Monero and ZCash. "Kaspersky said on its website that users were tricked into downloading malicious software onto their computers that used their processing power to mine currency, or serve as a backdoor for attackers to remotely control a machine," reports Bloomberg. From the report: While analyzing the servers of malicious actors, Kaspersky researchers also found archives containing a cache of Telegram data that had been stolen from victims. The Russian security firm said it "reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in messenger's products."
Privacy

Seattle To Remove Controversial City Spying Network After Public Backlash (seattletimes.com) 83

schwit1 shares a report from Activist Post: Following years of resistance from citizens, the city of Seattle has decided to completely remove controversial surveillance equipment -- at a cost of $150,000. In November 2013, Seattle residents pushed back against the installation of several mesh network nodes attached to utility poles around the downtown area. The American Civil Liberties Union of Washington and privacy advocates were immediately concerned about the ability of the nodes to gather user information via the Wi-Fi connection. The Seattle Times reports on the latest developments: "Seattle's wireless mesh network, a node of controversy about police surveillance and the role of federal funding in city policing, is coming down. Megan Erb, spokeswoman for Seattle Information Technology, said the city has budgeted $150,000 for contractor Prime Electric and city employees to remove dozens of surveillance cameras and 158 'wireless access points' -- little, off-white boxes with antennae mounted on utility poles around the city."

The nodes were purchased by the Seattle Police Department via a $3.6 million grant from the Department of Homeland Security. The Seattle Police Department argued the network would be helpful for protecting the port and for first-responder communication during emergencies. As the Times notes, "the mesh network, according to the ACLU, news reports and anti-surveillance activists from Seattle Privacy Coalition, had the potential to track and log every wireless device that moved through its system: people attending protests, people getting cups of coffee, people going to a hotel in the middle of the workday." However, by November 2013, SPD spokesman Sean Whitcomb announced, "The wireless mesh network will be deactivated until city council approves a draft (privacy) policy and until there's an opportunity for vigorous public debate." The privacy policy for the network was never developed and, instead, the city has now opted to remove the devices at a cost of $150,000. The Times notes that, "crews are tearing its hardware down and repurposing the usable parts for other city agencies, including Seattle Department of Transportation traffic cameras."

Security

Many ID-Protection Services Fail Basic Security (tomsguide.com) 47

Paul Wagenseil, writing for Tom's Guide: For a monthly fee, identity-protection services promise to do whatever they can to make sure your private personal information doesn't fall into the hands of criminals. Yet many of these services -- including LifeLock, IDShield and Credit Sesame -- put personal information at risk, because they don't let customers use two-factor authentication (2FA). This simple security precaution is offered by many online services. Without 2FA, anyone who has your email address and password -- which might be obtained from a data breach or a phishing email -- could log in to the account for your identity-protection service and, depending on how the service protects them, possibly steal your bank-account, credit-card and Social Security numbers.
Facebook

Facebook is Pushing Its Data-tracking Onavo VPN Within Its Main Mobile App (techcrunch.com) 40

TechCrunch reports: Onavo Protect, the VPN client from the data-security app maker acquired by Facebook back in 2013, has now popped up in the Facebook app itself, under the banner "Protect" in the navigation menu. Clicking through on "Protect" will redirect Facebook users to the "Onavo Protect -- VPN Security" app's listing on the App Store. We're currently seeing this option on iOS only, which may indicate it's more of a test than a full rollout here in the U.S. Marketing Onavo within Facebook itself could lead to a boost in users for the VPN app, which promises to warn users of malicious websites and keep information secure as you browse. But Facebook didn't buy Onavo for its security protections. Instead, Onavo's VPN allow Facebook to monitor user activity across apps, giving Facebook a big advantage in terms of spotting new trends across the larger mobile ecosystem. For example, Facebook gets an early heads up about apps that are becoming breakout hits; it can tell which are seeing slowing user growth; it sees which apps' new features appear to be resonating with their users, and much more. Further reading: Do Not, I Repeat, Do Not Download Onavo, Facebook's Vampiric VPN Service (Gizmodo).
Businesses

'Troll' Loses Cloudflare Lawsuit, Has Weaponized Patent Invalidated (arstechnica.com) 48

A federal judge in San Francisco has unequivocally ruled against a non-practicing entity that had sued Cloudflare for patent infringement. From a report: The judicial order effectively ends the case that Blackbird -- which Cloudflare had dubbed a "patent troll" -- had brought against the well-known security firm and content delivery network. "Abstract ideas are not patentable," US District Judge Vincent Chhabria wrote in a Monday order. The case revolved around US Patent No. 6,453,335, which describes providing a "third party data channel" online. When the case was filed in May 2017, the invention claims it can incorporate third-party data into an existing Internet connection "in a convenient and flexible way."
China

US Senators Voice Concern Over Chinese Access To Intellectual Property (reuters.com) 115

Leaders of the U.S. Senate Intelligence Committee said on Tuesday they were concerned about what they described as China's efforts to gain access to sensitive U.S. technologies and intellectual property through Chinese companies with government ties. From a report: Senator Richard Burr, the committee's Republican chairman, cited concerns about the spread of foreign technologies in the United States, which he called "counterintelligence and information security risks that come prepackaged with the goods and services of certain overseas vendors. The focus of my concern today is China, and specifically Chinese telecoms (companies) like Huawei and ZTE that are widely understood to have extraordinary ties to the Chinese government," Burr said. Senator Mark Warner, the committee's Democratic vice chairman, said he had similar concerns. "I'm worried about the close relationship between the Chinese government and Chinese technology firms, particularly in the area of commercialization of our surveillance technology and efforts to shape telecommunications equipment markets," Warner said.

Slashdot Top Deals