FCC Chairman Tom Wheeler has told the carriers that they need to give their customers the option to block robocalls, which have become the largest source of complaints that the commission receives. The FCC is responsible for enforcing regulations about robocalls and texts, and Wheeler said he has sent letters to the heads of all of the major carriers instructing them to begin offering blocking services to customers for free.
Robocalls have been a major annoyance to consumers and businesses for a long time, but they’re also now part of the fraud ecosystem. The groups that conduct phone fraud scams often use robocalls as part of their schemes, and allowing people to block unwanted robocalls could go a long way toward making those scams much less successful.
“This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images. This means that an attacker could deliver a payload that successfully exploits this vulnerability using a wide range of potential attack vectors including iMessages, malicious web pages, MMS messages, or other malicious file attachments opened by any application that makes use of the Apple Image I/O API for rendering these types of files,” Cisco TALOS said in a blog post.
Trailrunner7 writes: Researchers have identified a serious flaw that could allow an attacker to compromise a number of different devices and networks, including telecommunications networks and mobile phones, as well as a number of other embedded devices.
The vulnerability is in a specific compiler that’s used for software in several programming languages in a number of industries, including aviation, telecom, defense, and networking. The compiler, sold by Objective Systems, is for the ASN.1 standard, and one of the code libraries in the compiler contains a heap overflow vulnerability that could allow a high-level attacker to execute arbitrary code remotely on vulnerable systems. Discovered by researcher Lucas Molas, the vulnerability could affect products from a wide range of vendors who use the compiler. Right now, only products from Qualcomm are known to be affected.
Iván Arce, who leads the research team at Programa STIC of Fundación Sadosky in Argentina, of which Molas is a member, said that any exploitation of the vulnerability would need to be specific to a given target.
“In practice, aka the real world, an exploit would be highly dependent and custom-built for the actual target. Target here should be understood as a specific device brand, model and vulnerable software version. I use ‘software’ as a generic term that includes embedded software, firmware, baseband, etc.,” Arce said by email.
Arne Swinnen discovered the issue several months ago after looking at the way that several of these companies’ services set up their two-step verification procedures. Facebook uses two-step verification for some of its services, including Instagram, and Google and Microsoft also employ it for some of their user accounts. Swinnen realized that the companies made a mistake in not checking to see whether the numbers that users supply as contact points are legitimate.
“They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This allowed a dedicated attacker to steal thousands of EUR/USD/GBP,” Swinnen said.
The test is due to begin today, and will involve a small fraction of the Facebook user base at the beginning. Facebook Messenger is the company’s text messaging app, and it has nearly a billion active users. The company is now testing an option called “secret conversations” for Messenger, which will enable the end-to-end encryption capability.
However, the encryption option is not turned on by default. Users will have to opt-in to the encrypted mode, something that makes the Messenger security different from that of secure messaging apps such as Signal.
Trailrunner7 writes: Much of the way that ransomware behaves is virtually identical to how normal malware acts: infecting machines, looking for data, reporting back to C&C servers. The key difference is its encryption behavior, and understanding how all of that works is key to discovering how to break the chain. So researchers at NCC Group have developed a ransomware simulator that can reproduce the behavior of ransomware on a system to allow defenders to see what kind of damage could happen in a real-world infection.
In its basic form, the simulator will go through a system and enumerate the files on the local system, as well as on any removable and network storage devices. But there is also a second mode for the tool, emulation mode, which will go several steps further in simulating a ransomware attack. In that mode, which the user needs to enable manually, the tool will masquerade as a real piece of ransomware, stealing files and encrypting them.
Trailrunner7 writes: Researchers have discovered a new backdoor for Mac OS X that gives attackers essentially complete control over an infected machine. The malware is disguised as a common file converter utility and uses Tor for some communication functions.
Known as Eleanor, the backdoor has a wide range of functionality, including the ability for the attacker to remotely control the infected machine, steal data, take pictures from the machine’s camera, and take many other actions. The infection routine starts when the user downloads and runs the malicious app, called EasyDoc Converter, which looks like a drag-and-drop conversion utility. Once on a new machine, the app executes a script that serves as an installer for the rest of the malware’s functionality, including a Tor component, a Web service agent, and a Pastebin agent.
The pressure is coming from Rep. Ted Lieu (D-Calif.) and follows comments from officials at the Department of Health and Human Services about the department’s plan to issue guidance to health care organizations about ransomware attacks. The Office for Civil Rights section of HHS, which has responsibility for health information privacy, will provide guidance on how to handle ransomware attacks, and Lieu is eager to ensure that the guidance specifically addresses how ransomware attacks relate to data breach regulations.
Trailrunner7 writes: The Senate last week voted against an expansion of FBI surveillance powers, a vote that was seen as a temporary barrier at best. Now, a key member of the Senate intelligence committee has placed a hold on the bill that includes that provision, saying the measure “would dramatically and unnecessarily expand government surveillance authorities”.
Sen. Ron Wyden (D-Ore.) said on Monday on the Senate floor that he objects to the portion of the Intelligence Authorization Bill that would allow the FBI to use National Security Letters to obtain electronic communications transactional records, a broad term that can include email and Web browsing records. Right now, NSLs are used to gain access to phone and financial records, including phone metadata information. The language that’s in the intelligence budget bill would give the FBI the authority to use NSLs for a much broader group of records.
chicksdaddy writes: The Security Ledger notes (https://securityledger.com/2016/06/report-feds-mull-bug-bounty-contest-for-medical-devices/) that the U.S. Department of Health and Human Services is considering a bug bounty program for medical devices and healthcare technology, modeled after the Department of Defense's recently launched Hack the Pentagon program. (https://yro.slashdot.org/story/16/03/31/2013254/hack-the-pentagon-bug-bounty-program-opens-for-registration)
The Chief Privacy Officer at the Department of Health and Human Services (HHS) has made public statements that suggest HHS is considering a similar program.
Speaking at the Collaboration of Health IT Policy and Standards Committees meeting on June 23, Lucia Savage, chief privacy officer at HHS’s Office of the National Coordinator for Health Information Technology, said that the practice could show promise at HHS if it was scaled up to meet health care needs, Federal Times reported on June 23rd. (http://www.federaltimes.com/story/government/it/health/2016/06/23/ethical-hacking-dod-draws-interest-hhs/86301606/)
“This is a struggle for devices as well,” she said. “You can’t hack something in the field, because what if the hacker disrupts the operation of the device. Similarly, health data and EHRs, we may not want to have the hacker accessing your live data because that might cause other problems relative to your obligation to keep that data confidential.”
“Given that space and given the need to improve cybersecurity, is there something that ONC can do to improve that rate at which ethical hacking occurs in health care?” Savage wondered.
On June 17, U.S. Secretary of Defense Ash Carter announced preliminary results from the program, which invited some 1,400 vulnerability hunters to try their luck on DOD systems. In all, the DOD paid bounties for 138 vulnerabilities submitted by 250 researchers. In all, the DOD paid out $150,000 in bounties, with about half going to the hackers.
Trailrunner7 writes: There appears to be no end in sight to the ransomware epidemic. New stats released by security researchers at Kaspersky Lab show that the number of users who came across crypto ransomware in the last year increased by more than 500 percent over the previous year.
Data compiled by Kaspersky researchers from the company’s cloud network shows that from April 2015 to March 2016, the volume of crypto ransomware encountered by users leapt from 131,111 to 718,536. That’s a massive increase, especially considering the fact that ransomware is a somewhat mature threat. It didn’t just burst onto the scene a couple of years ago. Kaspersky’s researchers said the spike in crypto ransomware can be attributed to a small group of variants.
The change under consideration is for Rule 41 of the Federal Rules of Criminal Procedure, which concerns the limits of government search and seizure. The rule has specific language about the circumstances under which a judge can issue a warrant for a search. The change that is under consideration right now would amend the circumstances under which judges can issue warrants for remote searches of electronic devices, enabling law enforcement agencies to obtain a warrant for many devices in multiple jurisdictions.
“The changes to Rule 41 give federal magistrate judges across the United States new authority to issue warrants for hacking and surveillance in cases where a computer’s location is unknown. This would invite law enforcement to seek warrants authorizing them to hack thousands of computers at once—which it is hard to imagine would not be in direct violation of the Fourth Amendment,” the letter from the EFF, Google, and PayPal, says.
The new feature is currently in the Nightly build of Firefox 50, and it gives users the ability to open separate tabs in multiple different contexts. Containers are an attempt to address one of the more difficult problems in online identity: sectioning off different aspects of a user’s online activities. Many people use the same computer and browser for work and personal activities, and keeping those identities and information separate is notoriously difficult.
ttyler writes: Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. I've made it my mission to open up this system and make free, open replacements, before it's too late.