
Submission Summary: 2 pending, 944 declined, 390 accepted (1336 total, 29.19% accepted)


Submission: FBI, Europol Dismantle Avalanche Cybercrime Crew

Trailrunner7 writes: A large group of law enforcement officials, security researchers, registrars, and others have dismantled a huge malware, phishing, and cybercrime network known as Avalanche, taking down more than 800,000 domains in the process.

The operation, which was a collaborative effort by Europol, the FBI, German police, and security groups, resulted in five arrests and the seizure of 39 servers in various countries. Officials say the Avalanche crew and its infrastructure were distributed around the world and estimated that damages from the group’s activities were in the hundreds of millions of Euros. The group conducted spam, phishing, and malware attacks using a wide variety of malware strains and tactics.

Investigators began looking at the Avalanche infrastructure in 2012 after a widespread ransomware attack that was attributed to the group. Many victims also were infected with banker malware that stole banking credentials and other private data. Like many cybercrime crews, Avalanche used money mules to cash out their profits and layers of personnel to handle specific tasks in an effort to avoid detection. The group also employed technical methods to attempt to confuse law enforcement and security researchers.

Submission: More Than 1 Million Android Devices Rooted by Gooligan Malware

Trailrunner7 writes: A new version of an existing piece of malware has emerged in some third-party Android app stores and researchers say it has infected more than a million devices around the world, giving the attackers full access to victims’ Google accounts in the process.

The malware campaign is known as Gooligan, and it’s a variant of older malware called Ghost Push that has been found in many malicious apps. Researchers at Check Point recently discovered several dozen apps, mainly in third-party app stores, that contain the malware, which is designed to download and install other apps and generate income for the attackers through click fraud. The malware uses phantom clicks on ads to generate revenue for the attackers through pay-per-install schemes, but that’s not the main concern for victims.

The Gooligan malware also employs exploits that take advantage of several known vulnerabilities in older versions of Android, including KitKat and Lollipop, to install a rootkit that is capable of stealing users’ Google credentials. Although the malware has full remote access to infected devices, it doesn’t appear to be stealing user data, but rather is content to go the click-fraud route. Most users are being infected through the installation of apps that appear to be legitimate but contain the Gooligan code, a familiar infection routine for mobile devices.

Submission: Cerber Ransomware Using Tor Network to Hide

Trailrunner7 writes: Ransomware authors have adopted a number of new tactics recently to help avoid detection and stop takedown attempts, and the latest move by the gang behind the Cerber malware is the use of both Google redirection and the Tor network as evasion and obfuscation mechanisms.

Researchers from Cisco’s Talos group have come across a new version of the Cerber ransomware that uses these techniques, combined with pretty rudimentary email messages to trick victims into clicking on links that lead to the malicious files. Typically, sophisticated ransomware crews will use well-crafted emails with malicious attachments that contain the ransomware. But this Cerber campaign isn’t using any attachments in its spam emails and instead is relying on trickery to entice users into following the links, which are obfuscated and lead to sites on the Tor anonymity network.
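The post describes two layers of indirection, an open redirect followed by a Tor-hosted landing page. The checker below is an added example, not Talos's or the submitter's code. It assumes the redirect is a Google "/url?q=<target>" style link (an assumption; the post only says "Google redirection") and treats .onion names and ".onion." tor2web-style gateway hostnames as Tor destinations. The sample messages are constructed.

```python
"""Flag e-mail links that bounce through a Google-style redirect to a Tor host.

Added example, not code from the Cerber campaign write-up. Assumes the
redirect takes the form https://www.google.com/url?q=<target> (assumption)
and that Tor-side hosts are .onion names or .onion.<gateway> tor2web names.
"""
import re
from urllib.parse import urlparse, parse_qs, unquote

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_redirect(url, max_hops=5):
    """Peel Google-style redirect parameters (q or url) with no network I/O.

    Stops when the link is not a google.com /url redirect or after max_hops.
    """
    for _ in range(max_hops):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        is_google = host == "google.com" or host.endswith(".google.com")
        if not (is_google and parsed.path == "/url"):
            return url
        params = parse_qs(parsed.query)
        target = (params.get("q") or params.get("url") or [None])[0]
        if not target:
            return url
        url = unquote(target)  # parse_qs already decodes; harmless second pass
    return url


def is_tor_destination(url):
    """True for .onion hosts and for .onion.<gateway> tor2web-style hosts."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(".onion") or ".onion." in host


def suspicious_links(message):
    """Return (original_link, final_destination) pairs that land on Tor."""
    hits = []
    for link in URL_RE.findall(message):
        final = unwrap_redirect(link)
        if is_tor_destination(final):
            hits.append((link, final))
    return hits


# Constructed sample messages; the hostnames are invented for illustration.
SAMPLE_MESSAGES = [
    "Hi, your invoice is ready: https://www.google.com/url?q=http%3A%2F%2Fexample2vkuxsd.onion.to%2Finvoice.zip&sa=D",
    "Please review https://www.google.com/url?q=https%3A%2F%2Fwww.example.com%2Freport.pdf",
    "Direct link: http://abcdefghijklmnop.onion/payload",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for link, final in suspicious_links(msg):
            print("TOR DESTINATION:", link, "->", final)
```

The point of unwrapping rather than blocking google.com links outright is that the redirect host is benign; the decision has to be made on where the link ends up.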

Submission: How Your Headphones Can Record Your Conversations Remotely

Trailrunner7 writes: As if attackers didn’t have enough methods for observing users’ actions, researchers have now developed a technique that allows them to use speakers or headphones plugged in to a PC as microphones to record victims’ discussions.

The attack involves a technique called re-tasking in which the researchers changed the functionality of the audio jacks on a target computer. So, whereas an input jack would normally be used by a microphone and the output jack would be used by the speakers, the researchers remapped the jacks so that the speakers can record sound when plugged into an output jack. The technique, developed by a team at Ben Gurion University of the Negev in Israel, involves the use of custom malware on the machine, but the researchers showed in their work that the attacks can succeed in recording audio from across a room.

The attack that the researchers developed allows them to record audio surreptitiously and then transmit it to another machine several meters away. The technique can be used without the user’s interaction.

“It’s pretty difficult to defend against such an attack, but it’s possible that anti-virus will detect such a microphone retasking and will block it. Chip manufacturers can redesign the internal commands that can be sent to the controller and regulate it in a better way,” Mordechai Guri, one of the paper's authors, said.

Submission: Adobe VoCo, Google WaveNet Raise Voice Security Concerns

Trailrunner7 writes: As voice has continued to emerge as one of the key interfaces for new devices and apps, including vehicles, bank accounts, and home automation systems, concerns about the security of these systems have evolved, as well. Now, as both Google and Adobe have demonstrated systems that can insert and replace words in recorded speech or mimic human speech, those concerns are becoming more concrete.

Adobe has revealed a project known as VoCo that it has compared to a Photoshop for voice recordings. The app can take a small piece of a person’s recorded voice and give the user the ability to rearrange or insert words or short phrases into the recording. The user types whatever text he wants into the app and the software can then add it to the recording wherever the user specifies.

Google also has been working on a synthetic speech system, known as WaveNet, which models raw audio waveforms to produce speech that sounds more human. Many existing text-to-speech systems rely on a database of recorded words to produce sentences. Google’s model doesn’t have that limitation.

Submission: Lawmakers Try to Delay Expansion of Government Hacking

Trailrunner7 writes: As the deadline approaches for Congress to act on a proposed change that would give federal law enforcement agencies expanded power to hack remote computers, a group of senators has introduced a bill to delay the rule change until next summer.

The proposed change to Rule 41 of the Federal Rules of Criminal Procedure would allow law enforcement officials to get a single warrant from essentially any judge where things related to a given crime have occurred to remotely search computers that might be involved in the crime. The modification also would allow officers to remotely search computers of victims of computer crimes.

Privacy advocates and some legislators say that the change would constitute a huge expansion of government hacking powers, while Department of Justice officials and supporters of the change say it’s simply a procedural change. The United States Supreme Court approved the change in April and it is scheduled to go into effect on Dec. 1. Congress has the ability to enact legislation to prevent the change, but so far has not.

On Thursday, a group of five senators introduced a bill that would keep Rule 41 as-is for now and delay the change until July 1, 2017. The idea is to give Congress time to consider the consequences of the proposed change. Sen. Ron Wyden (D-Ore.), one of the sponsors of the new bill, has expressed concern about the change to the rule for months.

Submission: Carbanak Gang Calling Hotels to Convince Victims to Install Malware

Trailrunner7 writes: The Carbanak gang, one of the more successful and prolific cybercrime groups at work today, is using a new tactic to get its malware onto target networks: calls to customer service representatives at hotels that convince victims to open malicious attachments.

The technique is a simple one but has proven to be quite effective. Rather than spamming out huge volumes of email with rigged attachments, the attackers are calling selected hotels and telling the customer service reps that they’re having trouble using the online reservation system. They then ask if they can email over a document with their travel details. The attacker will stay on the phone with the victim until he opens the attachment, which is a Word document loaded with a malicious VBS script, according to researchers at Trustwave, who have investigated several incidents involving this technique recently.

This attack represents an interesting mixture of social engineering tactics and traditional spear phishing methods. Even highly targeted phishing campaigns typically involve several different waves of emails. But this technique allows the attacker to choose his target individually and receive immediate confirmation that the attack succeeded. The malware that’s involved in the attack is powerful and has a long list of capabilities. Once installed, it connects to a remote server and downloads a second stage tool that’s disguised as an Adobe file. It installs a persistence mechanism and might download even more tools.

Submission: Schneier: We Need a New Agency for IoT Security

Trailrunner7 writes: The recent DDoS attacks by the Mirai botnet against various targets, including DNS provider Dyn, have drawn the attention of congressional leaders, who say there may be a need for regulation of IoT device security in order to address the problem of vulnerable embedded devices.

In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security and several lawmakers said that they were reluctant to get the government involved in regulating this problem, but it may be inevitable. The problem, of course, is that many of the embedded devices that make up the IoT aren’t manufactured in the United States, so regulation would have no effect on their security.

Another piece of the puzzle is the fact that there’s no one federal agency or independent organization that oversees security standards for IoT devices. There are embedded computers in cars, appliances, medical devices, and hundreds of other kinds of devices. That cuts across many different industries and regulatory fields, a problem that the federal government is not set up to handle.

“I actually think we need a new agency. We can’t have different rules if a computer makes calls, or a computer has wheels, or is in your body,” said cryptographer Bruce Schneier, another witness during the hearing. “The government is getting involved here regardless, because the stakes are too high. The choice isn’t between government involvement and no government involvement. It’s between good government involvement and stupid government involvement. I’m not a regulatory fan but this is a world of dangerous things.”

Submission: PoisonTap: The Tiny Internet-Hijacking, Cookie-Stealing, Backdoor-on-a-Board

Trailrunner7 writes: A renowned hardware hacker has released a cheap USB device that, when plugged in to any computer–even password-protected or locked ones–can hijack all of the Internet traffic from the PC, steal web cookies, and install a persistent backdoor that survives after the device is removed.

Known as PoisonTap, the device is the work of Samy Kamkar, a security researcher and hardware hacker who built the tool on a cheap Raspberry Pi Zero board. He’s released the code for PoisonTap, which could be a key tool in the arsenal of any security researcher or hacker. The device sounds simple, but there’s a whole lot going on in the background.

The device tells the infected machine that the PoisonTap local network contains all of the IPv4 space, so all Internet requests go through the device. The device performs a similar trick in order to siphon off web cookies from HTTP requests. When a browser running on the infected machine makes an HTTP request, the device will perform DNS spoofing so that the request goes to the PoisonTap web server rather than the intended one. The device has the ability to grab cookies from any of the Alexa top one million sites, Kamkar said.
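The "local network contains all of IPv4" trick works because the host's routing table picks the most specific matching route, so routes narrower than the default route win even when they arrive over a brand-new USB interface. The checker below is an added example, not Samy Kamkar's PoisonTap code. It models the hijack as two /1 routes on the USB interface (one way to beat a /0 default route by prefix length; this is my modelling choice, not a detail taken from the post) and flags any interface whose non-default routes together cover the whole IPv4 space. The routing table it parses is constructed, in the style of `ip -4 route` output.

```python
"""Spot an interface whose routes quietly claim the entire IPv4 Internet.

Added example, not PoisonTap's own code. Parses constructed 'ip -4 route'
style lines and reports interfaces whose non-default routes collapse to
0.0.0.0/0, which is what a PoisonTap-style DHCP/route push looks like from
the victim's side. Also shows the longest-prefix match that makes it work.
"""
import ipaddress

# Constructed sample: wlan0 is the legitimate uplink, usb0 is the hostile gadget.
SAMPLE_ROUTE_TABLE = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
0.0.0.0/1 via 1.0.0.1 dev usb0
128.0.0.0/1 via 1.0.0.1 dev usb0
1.0.0.0/24 dev usb0 proto kernel scope link src 1.0.0.2
"""


def parse_routes(text):
    """Parse 'ip -4 route' style lines into (network, interface) pairs."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = fields[0]
        if dest == "default":
            dest = "0.0.0.0/0"
        if "/" not in dest:
            dest += "/32"  # host route
        dev = fields[fields.index("dev") + 1] if "dev" in fields else "?"
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def covered_address_count(networks):
    """Number of distinct IPv4 addresses covered by a collection of networks."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(networks))


def hijacking_interfaces(routes):
    """Interfaces whose non-default routes cover all 2**32 IPv4 addresses.

    The default route is ignored on purpose: every uplink has one, and it is
    the routes *more specific* than it that do the hijacking.
    """
    by_dev = {}
    for net, dev in routes:
        if net.prefixlen > 0:
            by_dev.setdefault(dev, []).append(net)
    return sorted(dev for dev, nets in by_dev.items()
                  if covered_address_count(nets) == 2 ** 32)


def route_for(dest, routes):
    """Longest-prefix match: which interface actually carries traffic to dest."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTE_TABLE)
    print("interfaces claiming all of IPv4:", hijacking_interfaces(routes))
    print("8.8.8.8 leaves via", route_for("8.8.8.8", routes))
```

Run it against the output of `ip -4 route` on a Linux host (adapting the parser for other platforms) and any interface listed by `hijacking_interfaces` deserves a hard look, because a legitimate uplink only ever needs the default route to reach the Internet.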

Submission: EPIC Sues FBI Over Biometric Database

Trailrunner7 writes: A major privacy group has filed a lawsuit against the FBI to force the bureau to release all relevant documents about its plan to share a huge amount of biometric information with the Department of Defense.

The lawsuit filed by EPIC (Electronic Privacy Information Center) concerns the FBI’s Next Generation Identification system, which comprises fingerprint, iris scan, and facial recognition data, and the bureau has been using it for several years.

EPIC’s lawsuit asks that the FBI be forced to release records about the plan to share NGI data with the Department of Defense under the Freedom of Information Act. EPIC filed a FOIA request about the plan last year and though the FBI said it has located 35 pages of records that are responsive to the request, it hasn’t released any of those records.

Submission: An Interview With An Actual Expert on Voting Machine Security

Trailrunner7 writes: The news has been full of headlines for weeks about election fraud, voting machine hacking, and all kinds of other scary sounding stuff. Much of the coverage has been hyperbolic to say the least, so we decided to get some clear-headed, rational thoughts on the topic from Avi Rubin. Avi is a professor at Johns Hopkins University and did some of the pioneering work on voting machine security in the early 2000s. We talked with Avi about the problems with electronic voting machines, the potential for tampering with them, whether the machines can be attacked remotely, and what other avenues attackers might have to disrupt the election.

Submission: More Than 50% of All Pages in Chrome are Loaded Over HTTPS Now

Trailrunner7 writes: After years of encouraging site owners to transition to HTTPS by default, Google officials say that the effort has begun to pay off. The company’s data now shows that more than half of all pages loaded by Chrome on desktop platforms are served over HTTPS.

Google has been among the louder advocates for the increased use of encryption across the web in the last few years. The company has made significant changes to its own infrastructure, encrypting the links between its data centers, and also has made HTTPS the default connection option on many of its main services, including Gmail and search. And Google also has been encouraging owners of sites of all shapes and sizes to move to secure connections to protect their users from eavesdropping and data theft.

That effort has begun to bear fruit in a big way. New data released by Google shows that at the end of October, 68 percent of pages loaded by the Chrome browser on Chrome OS machines were over HTTPS. That’s a significant increase in just the last 10 months. At the end of 2015, just 50 percent of pages loaded by Chrome on Chrome OS were HTTPS. The numbers for the other desktop operating systems are on the rise as well, with macOS at 60 percent, Linux at 54 percent, and Windows at 53 percent.

Submission: Microsoft, Google, and the Myth of User Safety

Trailrunner7 writes: There was a time in the not-so-distant past when nasty public fights between Microsoft and various researchers over when and how to disclose vulnerabilities were just about a weekly occurrence. That time thankfully has passed, but, as the current disagreement between Google and Microsoft over Google’s disclosure of a Windows zero day makes clear, everyone isn’t sitting around the campfire holding hands either.

The facts of the current case are fairly straightforward, and there’s really only one bit that’s in dispute: whether a large swath of the Windows user base was at risk of attack. Last month, researchers from Google’s Threat Analysis team discovered new flaws in Windows and Adobe Flash. The team found that both bugs were being used in targeted attacks–spear-phishing attempts via email with rigged attachments–and informed both vendors about the vulnerabilities. The Flash bug is the more serious of the two, as it is remotely exploitable, while the Windows flaw is a local privilege-escalation weakness.

Adobe patched the Flash bug quickly and warned customers that it was being used in attacks already. Meanwhile, Microsoft decided not to rush out an emergency patch for the Windows vulnerability, probably because it isn’t dangerous enough to warrant the commitment of time and resources that requires. Google’s team waited 10 days after informing Microsoft and then disclosed some details of the flaw, saying that it was doing so because of the existence of active attacks.

There are some valid reasons to disclose unpatched vulnerabilities, but doing so to protect a tiny percentage of users against a phishing attack while potentially putting a much larger number at higher risk shouldn’t be one of them.

Submission: IoTSeeker Finds Smart Devices With Dumb Credentials

Trailrunner7 writes: With the Mirai botnet still wreaking havoc, and other IoT botnets appearing, security researchers are looking for ways to discover the insecure devices that are being targeted by attackers before they can be compromised. One such effort is a new scanner that will check networks for devices that are using default credentials, which often are exploited by attackers.

The IoTSeeker tool from Rapid7 is designed to comb through users’ networks and identify common IoT devices with default usernames and passwords enabled. Those are the devices upon which botnets such as Mirai feed, especially those with telnet exposed on default ports. Mirai searches for devices with telnet enabled and using default credentials and then compromises them and begins scanning again.
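The check such a scanner performs is mechanical: connect to the telnet port, answer the login and password prompts from a list of factory defaults, and decide from the reply whether a shell came back. The code below is an added example, not Rapid7's IoTSeeker or Mirai's code. So that it runs offline it also starts a small fake telnet daemon on localhost (constructed, modelled on a busybox-style "login:"/"Password:" dialogue) that accepts exactly one pair. The credential list is a constructed illustration, not a reproduction of any real botnet dictionary, and the "# prompt means success" rule is a heuristic.

```python
"""Test a telnet service against a short list of factory-default credentials.

Added example, not IoTSeeker's code. The fake device at the bottom exists
only so the example can run without touching a real network.
"""
import socket
import threading

# Constructed sample of vendor defaults; a real scanner ships a far longer list.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("root", "root"),
                       ("root", "12345"), ("admin", "1234")]


def _recv_until(sock, marker, timeout=2.0):
    """Read until marker (lower-case bytes) appears, EOF, or timeout."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while marker not in buf.lower():
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf.decode("latin-1")


def try_login(host, port, user, password):
    """Drive one telnet login; True if a shell prompt comes back."""
    with socket.create_connection((host, port), timeout=3) as s:
        _recv_until(s, b"login:")
        s.sendall(user.encode() + b"\r\n")
        _recv_until(s, b"password:")
        s.sendall(password.encode() + b"\r\n")
        reply = _recv_until(s, b"#")
        # Heuristic: busybox-style shells answer with "# "; failures say "incorrect".
        return "#" in reply and "incorrect" not in reply.lower()


def find_default_credentials(host, port, candidates=DEFAULT_CREDENTIALS):
    """Return the first (user, password) the service accepts, else None."""
    for user, password in candidates:
        if try_login(host, port, user, password):
            return (user, password)
    return None


def start_fake_telnet(accepts=("root", "12345"), port=0):
    """Constructed stand-in for a weak IoT device; returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"\r\nlogin: ")
                user = conn.recv(256).strip().decode(errors="replace")
                conn.sendall(b"Password: ")
                pw = conn.recv(256).strip().decode(errors="replace")
                if (user, pw) == tuple(accepts):
                    conn.sendall(b"\r\nBusyBox built-in shell (ash)\r\n# ")
                else:
                    conn.sendall(b"\r\nLogin incorrect\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_telnet()
    found = find_default_credentials("127.0.0.1", port)
    print("default credentials accepted:" if found else "no defaults accepted", found)
```

Only point this at devices you own or are authorised to test; the fake daemon is there precisely so the example needs no target.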

Submission: FCC Enacts Major New Online Privacy Rule

Trailrunner7 writes: The FCC has voted to enact a new rule that will force broadband companies to get consent from customers before they sell information about those customers’ online movements, history, and other actions.

The new rule will require broadband companies to have customers opt in to the sale or sharing of their online histories as part of marketing or ad deals. It includes restrictions on the way that providers can share users’ location data and other information and also ensures that they will have to tell consumers exactly what data they collect and what they do with it. The changes do not apply to how broadband providers can use customer information in their own marketing, though.

The new regulations also require that broadband providers have “common-sense” data breach notifications and reasonable security practices.

The vote by the FCC makes distinctions between broadband providers and phone carriers and other service providers. Before the vote, providers and others had urged the FCC to align its rules with existing ones from the FTC on usage of customer data for marketing.
