
Submission + - Mastercard Replaces PINs With Fingerprint Sensor on New Cards

Trailrunner7 writes: Mastercard is rolling out a new payment card that includes a fingerprint sensor built right onto the card, a feature that is meant to eliminate the need for a PIN during in-person transactions.

The new card also has a chip embedded in it and it can be used at all of the existing chip-and-PIN terminals. During a transaction, the user would insert the card into the terminal and hold his thumb on the embedded biometric sensor while the terminal reads the chip. Rather than entering a PIN, the user’s print serves as a second factor of authentication. The user’s print is stored on the card and it is compared against the one used during each transaction.

Mastercard already has tested the new card in a pair of trials in South Africa, one with a large supermarket chain and another with a bank. The company plans wider trials this year and is aiming for a full rollout by the end of 2017.

Submission + - Facebook Launches Beta of New Account Recovery System

Trailrunner7 writes: Facebook has opened a beta program for its new Delegated Account Recovery system, which is designed to replace traditional email or SMS-based recovery processes.

The Facebook system allows users to connect their Facebook accounts with other services and use that trusted link to recover access to one of the accounts. The company has published an SDK and documentation on the system, which it has been testing for several months with GitHub. Now the program is entering a closed beta with the promise of a public release in the coming months. Delegated Account Recovery is meant to eliminate the use of insecure channels such as email or SMS to verify a user’s ownership of a given account.

“It’s an open protocol. Trust who you want. We’re really excited that GitHub is making the first connection with us,” Brad Hill, a security engineer at Facebook, said. “We really don’t want this to be a Facebook-only service, so that we can have that network effect protecting you. The best way for us to address that is to share it.”

Submission + - Inside the Tech Support Scam Ecosystem

Trailrunner7 writes: A team of three doctoral students, looking for insights into the inner workings of tech support scams, spent eight months collecting data on and studying the tactics and infrastructure of the scammers, using a purpose-built tool. What they uncovered is a complex, technically sophisticated ecosystem supported by malvertising and victimizing people around the world.

The study is the first analysis of its kind on tech support scams, and it’s the work of three PhD candidates at Stony Brook University. The team built a custom tool called RoboVic that performed a “systematic analysis of technical support scam pages: identified their techniques, abused infrastructure, and campaigns”. The tool includes a man-in-the-middle proxy that catalogs requests and responses and also will click on pop-up ads, which are key to many tech-support scams.

In their study, the researchers found that the source for many of these scams was “malvertisements”, advertisements on legitimate websites, particularly using ad-based URL shorteners, that advertised for malicious scams. This gives the scammers an opportunity to strike on what would seem like a relatively safe page. Although victims of these scams can be anywhere, the researchers found that 85.4 percent of the IP addresses in these scams were located across different regions of India, with 9.7 percent located in the United States and 4.9 percent in Costa Rica. Scammers typically asked users for an average of $291, with prices ranging from $70 to $1,000.

Submission + - FBI Disrupts Notorious Kelihos Botnet

Trailrunner7 writes: The Justice Department has disrupted the Kelihos botnet, one of the more prolific and long-running spam and malware networks, by sinkholing the botnet’s command-and-control servers after the arrest of a Russian man officials allege is Kelihos’s operator.

The botnet has been operating since at least 2010 and has infected hundreds of thousands of computers around the world, mainly in the service of a massive spam operation. Kelihos has been responsible for a large slice of the spam clogging the Internet for many years, and officials at the Justice Department on Monday filed a civil complaint against Peter Yuryevich Levashov, who was arrested last weekend in Spain. The complaint accuses Levashov of running Kelihos and using infected computers as part of his spam business.

Submission + - Senate Bill Seeks to Reinstate Broadband Privacy Rule

Trailrunner7 writes: Now that President Trump has signed into law legislation that eliminates an FCC rule that prevented broadband providers from selling users’ private information, some members of Congress have introduced a new bill that would restore the rule.

Sen. Ed Markey (D-Mass.) has drafted the bill and introduced it in the Senate in the hopes of reversing the effects of the law that Trump signed last week. That law, which drew criticism and opposition from a diverse set of privacy advocates, technologists, consumer groups, and legislators, gives broadband providers such as Comcast and Verizon the ability to sell users’ browsing histories and other personal information without customers’ consent.

The FCC last year had passed a rule that prevented broadband providers from selling that kind of customer information without clear consent, but opponents said the rule placed unfair restrictions on some companies. Markey’s bill seeks to put the FCC rule back in place.

Submission + - New Details Connect Moonlight Maze Attacks on US Government to Modern Campaigns

Trailrunner7 writes: Researchers investigating modern cyber espionage operations have found a direct link between the Moonlight Maze attacks that hit a number of United States military and government agencies in the 1990s and operations that are still ongoing today. The connections, through code samples, logs, and other data, show that some of the same tools and infrastructure used 20 years ago are still in use by advanced attackers right now.

The Moonlight Maze attacks were among the first major cyber espionage campaigns to gain public attention, and security researchers often point to the attacks as the beginning of the modern advanced threat era. The attacks went on for years and included highly complex techniques and the exfiltration of a huge amount of data. Researchers at Kaspersky Lab, working with counterparts from King’s College London, recently discovered that a backdoor used by the Moonlight Maze attackers in 1998 also has been used by the Turla APT attack group, possibly as recently as this year. The new details come from a months-long analysis of data and logs from a server that was compromised during the Moonlight Maze attacks and preserved by a systems administrator since then.

The original Moonlight Maze attackers mainly used Unix and had a large set of tools at their disposal. They were targeting Solaris systems for the most part and had a custom backdoor that they used often. One of the systems that they compromised was a server known as HRtest, which administrator David Hedges has kept. Hedges allowed Kaspersky’s researchers and Rid access to the server, including access logs, the attackers’ own logs, and an extensive toolset used by the attackers, including 43 separate binaries.

Submission + - Those IRS Scam Calls May Soon Disappear

Trailrunner7 writes: The FCC has moved one step closer to implementing a system that would prevent robocalls that spoof the caller ID of numbers that don’t initiate outbound calls, a move that could significantly reduce the volume of scam calls reaching businesses and consumers.

The commission on Thursday issued a notice that seeks public comment on the concept of a Do Not Originate list, which would establish a set of phone numbers that never are used to initiate calls. This would help prevent fraudsters from spoofing the caller IDs of numbers owned by organizations such as the IRS, FBI, banks, and charities, a tactic that they use regularly to make their phone fraud schemes seem more plausible. The policy would allow carriers to block calls from numbers on the DNO list, something that they’re not allowed to do under FCC rules right now.

The proposal is an outgrowth of work done by the Robocall Strike Force, a group that the FCC and a number of carriers established last year in an effort to find answers to the robocall problem. The group has come up with a number of ideas, but the one that has the best potential to have an immediate effect is the DNO list. A trial of the DNO list concept last fall produced a 90 percent decrease in the number of IRS scam calls. Now, the commission is looking to allow carriers to implement this system on a permanent basis.

Submission + - Android Trojan Spreads Through Fake Cell Towers

Trailrunner7 writes: Attackers in China are using rogue cell base stations to spread versions of an Android banking Trojan that steals user credentials and has the ability to bypass two-factor authentication.

The malware, known as the Swearing Trojan for some impolite language found in the Chinese code, has been in circulation for several months and uses a number of different methods to spread, including traditional phishing emails and SMS messages. The most sophisticated method, though, is the use of the fake base transceiver stations, which the attackers employ to send SMS messages to victims. The texts appear to come from a Chinese telecom operator and contain a link that will infect the user’s device with the malware.

Submission + - Half of Android Devices Didn't Get Security Patches in 2016

Trailrunner7 writes: Google has made several changes to the Android security ecosystem recently, including providing monthly updates and working with manufacturers to get those patches in the hands of users more quickly. But despite those efforts, about 50 percent of Android devices didn’t install a single security update in 2016.

One of the issues with Android security over the years has been the way that patches are delivered to users. Google distributes updates directly to the Nexus and Pixel devices it sells, but carriers and other manufacturers are responsible for getting updates to their own customers. Some handset makers, including LG and Samsung, follow Google’s lead and send monthly updates to some of their devices on the day they’re released. But many others either deliver them much later or not at all.

In its annual report on Android security, Google said that while the monthly update schedule has helped, it hasn’t fixed the problem entirely.

Submission + - NSA: We Disclose 90% of the Flaws We Find

Trailrunner7 writes: In the wake of the release of thousands of documents describing CIA hacking tools and techniques earlier this month, there has been a renewed discussion in the security and government communities about whether government agencies should disclose any vulnerabilities they discover. While raw numbers on vulnerability discovery are hard to come by, the NSA, which does much of the country’s offensive security operations, discloses more than nine of every 10 flaws it finds, the agency’s deputy director said.

NSA has both defensive and offensive roles in cybersecurity and does its own vulnerability research and exploit development. Some of the flaws NSA finds are kept private and used for intelligence-gathering purposes in targeted exploitation operations. But many others are disclosed to the affected vendors as soon as possible, said Richard Ledgett, deputy director of NSA.

“Our historic numbers are around 90 percent, or a little better than 90 percent toward disclosure,” Ledgett said during a roundtable discussion on cybersecurity issues Tuesday hosted by the Aspen Institute.

Submission + - Critical Cisco Flaw Found Buried in Vault 7 Documents

Trailrunner7 writes: Hundreds of models of Cisco switches are vulnerable to a remote-code execution bug in the company’s IOS software that can be exploited with a simple Telnet command. The vulnerability was uncovered by company researchers in the CIA hacking tool dump known as Vault 7.

The bug is a critical one and an attacker who is able to exploit it would be able to get complete control of a target device. The flaw lies in the Cluster Management Protocol (CMP) that’s used in IOS, and Cisco said it’s caused by the incorrect processing of CMP-specific Telnet options, as well as accepting and processing these commands from any Telnet connection.

“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device,” the Cisco advisory says.

Submission + - US-CERT Says SSL Interception Boxes Weaken TLS Security

Trailrunner7 writes: The Department of Homeland Security’s US-CERT group has issued an advisory warning enterprises that many security appliances that perform HTTPS inspection through a man-in-the-middle position don’t correctly verify certificate chains before forwarding traffic, weakening the security benefits of TLS in the process.

The advisory comes after a recent paper by security researchers from Google, Mozilla, Cloudflare, University of Michigan, and elsewhere looked at traffic interception appliances and their effect on secure connections. The researchers built a set of heuristics to enable servers to detect HTTPS interception, and found that interception boxes “drastically reduce connection security.”

Submission + - Congressmen Push DHS For Answers on SS7 Security

Trailrunner7 writes: A year after flaws in SS7, one of the underlying protocols in the cell network, came to the public’s attention, two powerful members of Congress are asking the secretary of Homeland Security how DHS has addressed the threat and whether the department has sufficient resources to detect and defeat SS7-related attacks.

The flaws in SS7, a protocol that’s designed to connect various telecom carriers, can enable anyone with access to the system to carry out discreet surveillance against a victim, knowing only the target’s phone number. Many people at each of the carriers have access to the system, and security researchers have been warning about the problem for years. Last year, researchers demonstrated an attack on the phone of Rep. Ted Lieu (D-Calif.) using this technique, prompting Lieu to call on congressional leaders to address the issue.

Now, a year later, Lieu and Sen. Ron Wyden (D-Ore.) have sent a letter to John F. Kelly, secretary of Homeland Security, to detail what the department has done to address the SS7 problem and whether the federal government understands how this vulnerability could be used for surveillance.

“We are deeply concerned that the security of America’s telecommunications infrastructure is not getting the attention it deserves. Although there have been a few news stories about this topic, we suspect that most Americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones. We are also concerned that the government has not adequately considered the counterintelligence threat posed by SS7-enabled surveillance,” the letter says.

Submission + - Google Roots Out Chamois Ad Fraud Botnet From Play Store

Trailrunner7 writes: Fraudsters and cybercriminals continue to target mobile app stores with garbage apps disguised as benign ones, and Google has just identified a large family of potentially harmful apps in the Play marketplace and banned the apps and some people who were trying to take advantage of the company’s ad system to make money on the apps.

Google has identified the family of PHAs as Chamois and said that it caught them through the use of traffic analysis, which determined that the apps were trying to evade the company’s security systems. The goal behind the apps appears to have been ad fraud, and the developers employed a few different techniques to get around Google’s detection and prevention systems.

“We analyzed malicious apps based on Chamois, and found that they employed several methods to avoid detection and tried to trick users into clicking ads by displaying deceptive graphics. This sometimes resulted in downloading of other apps that commit SMS fraud. So we blocked the Chamois app family using Verify Apps and also kicked out bad actors who were trying to game our ad systems,” Bernhard Grill, Megan Ruthven, and Xin Zhao, security software engineers at Google, said.

Submission + - Confide App Full of Security Holes, Researchers Find

Trailrunner7 writes: Researchers at IOActive have uncovered a number of serious security flaws in the Confide secure messaging app, some of which could allow an attacker to hijack a user’s session or impersonate a target user.

Confide is one of the group of encrypted chat apps that have emerged in the last few years and promises end-to-end encryption and self-destructing messages. But the team at IOActive discovered a group of vulnerabilities in the app that make users susceptible to a range of attacks that could result in account compromises, message disclosure, and other problems. The vulnerabilities are across a number of different areas in the app, but one of the main issues is the way Confide handles SSL certificates.

“The application’s notification system did not require a valid SSL server certificate to communicate, which would leak session information to actors performing a man-in-the-middle attack,” the IOActive bulletin says.
