
Submission + - LastPass Patches Remote Compromise Flaw

Trailrunner7 writes: LastPass has patched a remote compromise vulnerability disclosed this week by a Google researcher, a bug that could be used to gain full access to Firefox users’ LastPass data.

The vulnerability lies in the LastPass extension for Mozilla Firefox, and researcher Tavis Ormandy of Google, who discovered the bug, found that it could be used for a complete remote compromise of users. Ormandy disclosed the flaw to the maker of the popular password manager earlier this week, and the company has released a new version of the extension to fix the bug.

Submission + - AT&T to Head Up Anti-Robocall Strike Force

Trailrunner7 writes: Spurred by a directive from the FCC last week, AT&T will head up a new anti-robocall task force that will work to develop tools and technology to help users and carriers block robocalls.

The chairman of the FCC sent a letter to all of the major wireless and wireline carriers last week instructing them to start providing customers with tools to block robocalls. The letter tells carriers to work on free tools and to get them to customers as soon as possible.

In response, AT&T has said that it will step up and lead a new coalition that will work “to accelerate the development and adoption of new tools and solutions to abate the proliferation of robocalls”. AT&T Chairman and CEO Randall Stephenson will chair the new Robocall Strike Force, the company said Monday.

Submission + - NIST Will Ban SMS for Two-Factor Authentication

Trailrunner7 writes: The move toward two-factor authentication and two-step verification for high-value services has been a positive one for user security, but many of those services use SMS as the channel for the second step in the authentication process, a method that the United States government is preparing to recommend against using.

The National Institute of Standards and Technology has published draft guidance that recommends against companies and government agencies using SMS as the channel for out-of-band verification. Many services that have deployed 2FA or 2SV as part of the authentication process use SMS to deliver short codes that users then enter into an app or site. However, text messaging isn’t considered a secure channel and NIST is now saying that the use of SMS as a channel for out-of-band verification won’t be permitted in future versions of its Digital Authentication Guideline.

Submission + - FCC Pressures Phone Carriers to Block Robocalls

Trailrunner7 writes: The FCC is putting new pressure on both wireless carriers and traditional phone companies to give customers technology to block unwanted robocalls.

FCC Chairman Tom Wheeler has told the carriers that they need to give their customers the option to block robocalls, which have become the largest source of complaints that the commission receives. The FCC is responsible for enforcing regulations about robocalls and texts, and Wheeler said he has sent letters to the heads of all of the major carriers instructing them to begin offering blocking services to customers for free.

Robocalls have been a major annoyance to consumers and businesses for a long time, but they’re also now part of the fraud ecosystem. The groups that conduct phone fraud scams often use robocalls as part of their schemes, and allowing people to block unwanted robocalls could go a long way toward making those scams much less successful.

Submission + - Apple Patches Stagefright-Like Bug in iOS

Trailrunner7 writes: Apple has fixed a series of high-risk vulnerabilities in iOS, including three that could lead to remote code execution, with the release of iOS 9.3.3.

One of those code-execution vulnerabilities lies in the way that iOS handles TIFF files in various applications. Researchers at Cisco’s TALOS team, who discovered the flaw, said that the vulnerability has a lot of potential for exploitation.

“This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images. This means that an attacker could deliver a payload that successfully exploits this vulnerability using a wide range of potential attack vectors including iMessages, malicious web pages, MMS messages, or other malicious file attachments opened by any application that makes use of the Apple Image I/O API for rendering these types of files,” Cisco TALOS said in a blog post.

Submission + - ASN.1 Flaw Threatens Mobile Networks

Trailrunner7 writes: Researchers have identified a serious flaw that could allow an attacker to compromise a number of different devices and networks, including telecommunications networks and mobile phones, as well as a number of other embedded devices.

The vulnerability is in a specific compiler that’s used for software in several programming languages in a number of industries, including aviation, telecom, defense, and networking. The compiler, sold by Objective Systems, is for the ASN.1 standard, and one of the code libraries in the compiler contains a heap overflow vulnerability that could allow a high-level attacker to execute arbitrary code remotely on vulnerable systems. Discovered by researcher Lucas Molas, the vulnerability could affect products from a wide range of vendors who use the compiler. Right now, only products from Qualcomm are known to be affected.

Iván Arce, who leads the research team at Programa STIC of Fundación Sadosky in Argentina, of which Molas is a member, said that any exploitation of the vulnerability would need to be specific to a given target.

“In practice, aka the real world, an exploit would be highly dependent and custom-built for the actual target. Target here should be understood as a specific device brand, model and vulnerable software version. I use ‘software’ as a generic term that includes embedded software, firmware, baseband, etc.,” Arce said by email.

Submission + - Researcher Finds Way to Steal Cash from Google, Facebook Through the Phone

Trailrunner7 writes: A security researcher has discovered a method that would have enabled fraudsters to steal thousands of dollars from Facebook, Microsoft, and Google by linking premium-rate numbers to various accounts as part of the two-step verification process.

Arne Swinnen discovered the issue several months ago after looking at the way that several of these companies’ services set up their two-step verification procedures. Facebook uses two-step verification for some of its services, including Instagram, and Google and Microsoft also employ it for some of their user accounts. Swinnen realized that the companies made a mistake in not checking to see whether the numbers that users supply as contact points are legitimate.

“They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This allowed a dedicated attacker to steal thousands of EUR/USD/GBP,” Swinnen said.

Submission + - Facebook Testing End-to-End Encryption on Messenger

Trailrunner7 writes: Facebook is planning to begin a test of end-to-end encryption for its Messenger service, which could eventually bring encrypted conversations to the company’s more than 1.5 billion users.

The test is due to begin today, and will involve a small fraction of the Facebook user base at the beginning. Facebook Messenger is the company’s text messaging app, and it has nearly a billion active users. The company is now testing an option called “secret conversations” for Messenger, which will enable the end-to-end encryption capability.

However, the encryption option is not turned on by default. Users will have to opt-in to the encrypted mode, something that makes the Messenger security different from that of secure messaging apps such as Signal.

Submission + - Ransomware Simulator Shows Glimpse of Damage Infection Can Do

Trailrunner7 writes: Much of the way that ransomware behaves is virtually identical to how normal malware acts: it infects machines, looks for data, and reports back to C&C servers. The key difference is its encryption behavior, and understanding how all of that works is key to discovering how to break the chain. So researchers at NCC Group have developed a ransomware simulator that can reproduce the behavior of ransomware on a system to allow defenders to see what kind of damage could happen in a real-world infection.

In its basic form, the simulator will go through a system and enumerate the files on the local system, as well as on any removable and network storage devices. But there is also a second mode for the tool, emulation mode, which will go several steps further in simulating a ransomware attack. In that mode, which the user needs to enable manually, the tool will masquerade as a real piece of ransomware, stealing files and encrypting them.

Submission + - New OS X Backdoor Emerges With Tor C&C

Trailrunner7 writes: Researchers have discovered a new backdoor for Mac OS X that gives attackers essentially complete control over an infected machine. The malware is disguised as a common file converter utility and uses Tor for some communication functions.

Known as Eleanor, the backdoor has a wide range of functionality, including the ability for the attacker to remotely control the infected machine, steal data, take pictures from the machine’s camera, and take many other actions. The infection routine starts when the user downloads and runs the malicious app, called EasyDoc Converter, which looks like a drag-and-drop conversion utility. Once on a new machine, the app executes a script that serves as an installer for the rest of the malware’s functionality, including a Tor component, a Web service agent, and a Pastebin agent.

Submission + - Congress Wants Ransomware Attacks to Trigger Breach Notifications

Trailrunner7 writes: A powerful California congressman is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients.

The pressure is coming from Rep. Ted Lieu (D-Calif.) and follows comments from officials at the Department of Health and Human Services about the department’s plan to issue guidance to health care organizations about ransomware attacks. The Office for Civil Rights section of HHS, which has responsibility for health information privacy, will provide guidance on how to handle ransomware attacks, and Lieu is eager to ensure that the guidance specifically addresses how ransomware attacks relate to data breach regulations.

Submission + - Sen. Wyden Halts Bill to Expand FBI Surveillance Powers

Trailrunner7 writes: The Senate last week voted against an expansion of FBI surveillance powers, a vote that was seen as a temporary barrier at best. Now, a key member of the Senate intelligence committee has placed a hold on the bill that includes that provision, saying the measure “would dramatically and unnecessarily expand government surveillance authorities”.

Sen. Ron Wyden (D-Ore.) said on Monday on the Senate floor that he objects to the portion of the Intelligence Authorization Bill that would allow the FBI to use National Security Letters to obtain electronic communications transactional records, a broad term that can include email and Web browsing records. Right now, NSLs are used to gain access to phone and financial records, including phone metadata information. The language that’s in the intelligence budget bill would give the FBI the authority to use NSLs for a much broader group of records.

Submission + - Feds Contemplate Bounty Program for Medical Devices (securityledger.com)

chicksdaddy writes: The Security Ledger notes (https://securityledger.com/2016/06/report-feds-mull-bug-bounty-contest-for-medical-devices/) that the U.S. Department of Health and Human Services is considering a bug bounty program for medical devices and healthcare technology, modeled after the Department of Defense's recently launched Hack the Pentagon program. (https://yro.slashdot.org/story/16/03/31/2013254/hack-the-pentagon-bug-bounty-program-opens-for-registration)

The Chief Privacy Officer at the Department of Health and Human Services (HHS) has made public statements that suggest HHS is considering a similar program.

Speaking at the Collaboration of Health IT Policy and Standards Committees meeting on June 23, Lucia Savage, chief privacy officer at HHS’s Office of the National Coordinator for Health Information Technology, said that the practice could show promise at HHS if it was scaled up to meet health care needs, Federal Times reported on June 23rd. (http://www.federaltimes.com/story/government/it/health/2016/06/23/ethical-hacking-dod-draws-interest-hhs/86301606/)

“This is a struggle for devices as well,” she said. “You can’t hack something in the field, because what if the hacker disrupts the operation of the device. Similarly, health data and EHRs, we may not want to have the hacker accessing your live data because that might cause other problems relative to your obligation to keep that data confidential.”

“Given that space and given the need to improve cybersecurity, is there something that ONC can do to improve that rate at which ethical hacking occurs in health care?” Savage wondered.

On June 17, U.S. Secretary of Defense Ash Carter announced preliminary results from the program, which invited some 1,400 vulnerability hunters to try their luck on DOD systems. In all, the DOD paid bounties for 138 vulnerabilities submitted by 250 researchers, paying out $150,000 in bounties, with about half going to the hackers.

Submission + - Crypto Ransomware Attacks Jump 500% in Last Year

Trailrunner7 writes: There appears to be no end in sight to the ransomware epidemic. New stats released by security researchers at Kaspersky Lab show that the number of users who came across crypto ransomware in the last year increased by more than 500 percent over the previous year.

Data compiled by Kaspersky researchers from the company’s cloud network shows that from April 2015 to March 2016, the volume of crypto ransomware encountered by users leapt from 131,111 to 718,536. That’s a massive increase, especially considering the fact that ransomware is a somewhat mature threat. It didn’t just burst onto the scene a couple of years ago. Kaspersky’s researchers said the spike in crypto ransomware can be attributed to a small group of variants.
