Security

Australia Concludes China Was Behind Hack on Parliament, Political Parties (reuters.com) 53

Australian intelligence determined China was responsible for a cyber-attack on its national parliament and three largest political parties before the general election in May, Reuters reports. From the report: Australia's cyber intelligence agency -- the Australian Signals Directorate (ASD) -- concluded in March that China's Ministry of State Security was responsible for the attack, the five people with direct knowledge of the findings of the investigation told Reuters. The report, which also included input from the Department of Foreign Affairs, recommended keeping the findings secret in order to avoid disrupting trade relations with Beijing, two of the people said. The Australian government has not disclosed who it believes was behind the attack or any details of the report.
Privacy

Database Leaks Data on Most of Ecuador's Citizens, Including 6.7 Million Children (zdnet.com) 11

The personal records of most of Ecuador's population, including children, has been left exposed online due to a misconfigured database, ZDNet reported Monday. From the report: The database, an Elasticsearch searver, was discovered two weeks ago by vpnMentor security researchers Noam Rotem and Ran Locar, who shared their findings exclusively with ZDNet. Together, we worked to analyze the leaking data, verify its authenticity, and contact the server owner. The leaky server is one of the, if not the biggest, data breaches in Ecuador's history, a small South American country with a population of 16.6 million citizens. The Elasticsearch server contained a total of approximately 20.8 million user records, a number larger than the country's total population count. The bigger number comes from duplicate records or older entries, containing the data of deceased persons.
Security

LastPass Bug Leaks Credentials From Previous Site (zdnet.com) 62

Password manager LastPass has released an update last week to fix a security bug that exposes credentials entered on a previously visited site. From a report: The bug was discovered last month by Tavis Ormandy, a security researcher with Project Zero, Google's elite security and bug-hunting team. LastPass, believed to be the most popular password manager app today, fixed the reported issue in version 4.33.0, released last week, on September 12. If users have not enabled an auto-update mechanism for their LastPass browser extensions or mobile apps, they're advised to perform a manual update as soon as possible. This is because yesterday, Ormandy published details about the security flaw he found. The security researcher's bug report walks an attacker through the steps necessary to reproduce the bug.
Privacy

Ask Slashdot: Can A Lack of Privacy Be Weaponized? 77

Slashdot reader dryriver asks a scary what-if question about the detailed digital profiles of our online and offline lives that are being created by "hundreds of privately owned, profit-driven companies operating with no meaningful oversight." Digital profiles are just a collection of 1s and 0s and are wide open to digital tampering or digital distortion. You could easily be made to appear to have done just about anything from visiting questionnable websites on the dark web, to buying things that you never actually bought or would have an interest in buying, to being in places in the physical world at given dates and times that you would never actually visit in real life. In other words, your digital profile(s) may make you appear to be a completely different person, doing completely different things, from who you objectively are in actuality.

For now, these digital profiles mostly sit in data centers around the world, and try to serve ads to you. But what happens if someday your digital profile is weaponized against you?

What happens in a situation where you need to prove that you are a morally upright, law-abiding person, and your digital profile(s) are accessed, and claim that you are anything but a moral, law-abiding person? What happens if these digital profiles are someday routinely examined by courts of law to determine whether you are a person of good character or not?

What happens if one of your digital profiles is purposely leaked into the public realm someday, and your "digital mirror image" did all sorts of crappy things that you, in real life, would never do?
IOS

IOS 13 Lock Screen Lets Anyone See Your Address Book (theregister.co.uk) 45

Slashdot reader dryriver writes: A security researcher discovered that if you get your hands on someone else's iThing running iOS 13, and place a phone call to it, you can choose to respond with a TXT message, and get to see the contents of the address book on the iThing without actually getting past the lock screen...

The security researcher who found the flaw was not financially rewarded or acknowledged by Apple, but rather given the cold shoulder.
The security researcher says all he'd wanted was a $1 Apple Store card to keep as a trophy, according to The Register: The procedure, demonstrated below in a video, involves receiving a call and opting to respond with a text message, and then changing the "to" field of the message, which can be accomplished via voice-over. The "to" field pulls up the owner's contacts list, thus giving an unauthorized miscreant the ability to crawl through the address book without ever needing to actually unlock the phone.
They also report that while the insecure-lock-screen iOS 13 will be officially released on September 19, a fixed version, iOS 13.1, "is due to land on September 30."
Crime

Released from Prison, Spammer Who Stole 17.5 Million Passwords Apologizes and Reforms (zdnet.com) 19

An anonymous reader quotes ZDNet: Kyle Milliken, a 29-year-old Arkansas man, was released last week from a federal work camp. He served 17 months for hacking into the servers of several companies and stealing their user databases. Some of the victims included Disqus, from where he stole 17.5 million user records, Kickstarter, from where he took 5.2 million records, and Imgur, with 1.7 million records. For years, Milliken and his partners operated by using the credentials stolen from other companies to break into more lucrative accounts on other services.

If users had reused their passwords, Milliken would access their email inboxes, Facebook, Twitter, or Myspace accounts, and post spam promoting various products and services. From 2010 to 2014, Milliken and his colleagues operated a successful spam campaign using this simple scheme, making more than $1.4 million in profits, and living the high life. Authorities eventually caught up with the hacker. He was arrested in 2014, and collaborated with authorities for the next years, until last year, when it leaked that he was collaborating with authorities and was blackballed on the cybercrime underground....

In an interview with ZDNet last week, Milliken said he's planning to go back to school and then start a career in cyber-security... [H]e publicly apologized to the Kickstarter CEO on Twitter. "I've had a lot of time to reflect and see things from a different perspective," Milliken told ZDNet. "When you're hacking or have an objective to dump a database, you don't think about who's on the other end. There's a lot of talented people, a ton of work, and even more money that goes into creating a company... there's a bit of remorse for putting these people through cyber hell."

He also has a message for internet uesrs: stop reusing your passwords. And he also suggests enabling two-factor authentication.

"I honestly think that the big three email providers (Microsoft, Yahoo, Google) added this feature because of me."
Crime

Two Penetration Testers Arrested For Attempted Burglary (arstechnica.com) 63

Somewhere along the North Raccoon River in Adel, Iowa -- population 3,682 -- two men were arrested for trying to break into the county courthouse.

And then things got weird, the Des Moines Register reports: The men, outfitted with numerous burglary tools, told authorities they were on contract to test out the courthouse alarm system's viability and to gauge law enforcement's response time, an alleged contract that Dallas County officials said they had no knowledge of, according to a criminal complaint.

Authorities later found out the state court administration did, in fact, hire the men to attempt "unauthorized access" to court records "through various means" in order to check for potential security vulnerabilities of Iowa's electronic court records, according to Iowa Judicial Branch officials. But, the state court administration "did not intend, or anticipate, those efforts to include the forced entry into a building," a Wednesday news release from the Iowa Judicial Branch read.

Evidently, the courthouse's security system did its job. The alarm system was triggered by the two men whom law enforcement found walking around the courthouse's third floor at about 12:30 a.m. Wednesday, court records show. Justin Wynn, of Naples, Florida, and Gary Demercurio, 43, of Seattle, Washington, were both charged with third-degree burglary and possession of burglary tools. Their bond has been set at $50,000.

"Our employees work diligently to ensure our engagements are conducted with utmost integrity and in alignment with the objectives of our client," their employer, the cybersecurity company Coalfire, told the Inquirer.

When they contacted county sheriff Chad Leonard, he would only say that "It's a strange case. We're still investigating this thing."
Security

Giant Entercom Radio Network Gets Ransomwared (bleepingcomputer.com) 14

Newer Guy writes: Entercom Communications, one of the USA's largest radio broadcasting companies, has been hit with a ransomware-like incident. It apparently came in from a computer in the programming department and has taken out the company's email system and servers. All their radio stations across the country have been affected. The ransomware people demanded half a million dollars to restore things; Entercom refused to pay.
Communications

T-Mobile Has a Secret Setting To Protect Your Account From Hackers That it Refuses To Talk About (vice.com) 34

T-Mobile has a feature that gives its customers more protection from hackers trying to steal their phone number, but you probably don't know it exists because the company doesn't advertise it publicly and won't even talk about it. From a report: It's called "NOPORT" and, in theory, it makes it a bit harder for criminals to hijack phone numbers with an attack known as "SIM swapping," a type of social engineering that is increasingly being used to steal people's phone numbers. SIM swapping attackers usually trick wireless providers into giving them control of a target's phone number by impersonating the victim with a company's customer support representatives -- usually on a phone call. T-Mobile's NOPORT feature makes this harder by requiring customers to physically come to a store and present a photo ID in order to request their number to be ported out to a different carrier or a new SIM card.

In theory, this should make it impossible for someone to do a SIM swap (also known as SIM hijacking or port-out scam) over the phone. But it's unclear whether all T-Mobile customers can have NOPORT or how effective it really is. T-Mobile doesn't even inform customers that it exists. I learned about it from a tipster, and then confirmed that it is indeed real. I was able to activate the feature on my own T-Mobile account by calling customer service and asking for it to be put on the account, but the company has declined to answer specific questions about the feature.

Security

New Simjacker Attack Exploited In the Wild To Track Users For At Least Two Years (zdnet.com) 15

Security researchers have disclosed today a major SMS-based attack method being abused in the real world by a surveillance vendor to track and monitor individuals. An anonymous reader shares a report: "We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals," security researchers from AdaptiveMobile Security said in a report. "We believe this vulnerability has been exploited for at least the last 2 years by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance."

The attack, named Simjacker, works by attackers sending SMS messages to victims' phones. The SMS messages contain STK instructions that are run by a victim's SIM card to gather location data and the IMEI code, which is then sent through an SMS message to a logging system. Researchers said they've seen Simjacker being abused to track hundreds of victims for two years, yet it is unclear if the victims are criminals tracked by law enforcement, or dissidents tracked by oppressive regimes. Over one billion smartphone users use SIM cards deemed vulnerable to this attack.

The Courts

Court Rules That 'Scraping' Public Website Data Isn't Hacking (vice.com) 25

Scraping public data from a website doesn't constitute "hacking," according to a new court ruling that could dramatically limit abuse of the United States' primary hacking law. From a report: The ruling comes after a lengthy battle between data analytics firm HiQ Labs and Microsoft owned LinkedIn, which have been at each other's throats for several years over HiQ Labs' practice of scraping the business social networking website's public-facing data, then selling it (fused with other datasets) to a laundry list of employers. In the ruling by The Ninth Circuit Court of Appeals, the court shot down LinkedIn's claim that access to this public data violated the Computer Fraud and Abuse Act (CFAA). In its declaration, the court ruled that to violate the CFAA, somebody would need to actually "circumvent [a] computer's generally applicable rules regarding access permissions, such as username and password requirements," meaning it's not really hacking if you're not bypassing some kind of meaningful authorization system.
Chrome

Google To Run DNS-over-HTTPS (DoH) Experiment in Chrome (zdnet.com) 104

Google has announced plans to test the new DNS-over-HTTPS (DoH) protocol inside Google Chrome starting with v78, scheduled for release in late October this year. From a report: The DNS-over-HTTPS protocol works by sending DNS requests to special DoH-compatible DNS resolvers. The benefit comes from the fact that DNS requests are sent via port 443, as encrypted HTTPS traffic, rather than cleartext, via port 53. This hides DoH requests in the unending stream of HTTPS traffic that moves across the web at any moment of the day and prevents third-party observers from tracking users' browsing histories by recording and looking at their unencrypted DNS data. The news that Google is looking into testing DoH in Chrome comes just as Mozilla announced plans over the weekend to gradually enable DoH by default for a small subset of users in the US later this month.
Intel

Weakness In Intel Chips Lets Researchers Steal Encrypted SSH Keystrokes 78

An anonymous reader quotes a report from Ars Technica: In late 2011, Intel introduced a performance enhancement to its line of server processors that allowed network cards and other peripherals to connect directly to a CPU's last-level cache, rather than following the standard (and significantly longer) path through the server's main memory. By avoiding system memory, Intel's DDIO -- short for Data-Direct I/O -- increased input/output bandwidth and reduced latency and power consumption.

Now, researchers are warning that, in certain scenarios, attackers can abuse DDIO to obtain keystrokes and possibly other types of sensitive data that flow through the memory of vulnerable servers. The most serious form of attack can take place in data centers and cloud environments that have both DDIO and remote direct memory access enabled to allow servers to exchange data. A server leased by a malicious hacker could abuse the vulnerability to attack other customers. To prove their point, the researchers devised an attack that allows a server to steal keystrokes typed into the protected SSH (or secure shell session) established between another server and an application server.
"The researchers have named their attack NetCAT, short for Network Cache ATtack," the report adds. "Their research is prompting an advisory for Intel that effectively recommends turning off either DDIO or RDMA in untrusted networks."

"The researchers say future attacks may be able to steal other types of data, possibly even when RDMA isn't enabled. They are also advising hardware makers do a better job of securing microarchitectural enhancements before putting them into billions of real-world servers." The researchers published their paper about NetCAT on Tuesday.
IT

Myths About USB Type-C (electronicdesign.com) 89

Julie Stultz, Technical Marketing Manager at ON Semiconductor, writes for ElectronicDesign: 1. USB Type-C and PD are complicated: With a universal connector that can plug into a power host (source) or device (sink), it seems like the negotiation of which device is powering which can be overwhelming for product designers and consumers. However, products can have more -- or less -- complexity based on the product designer's needs. For Type-C only devices, a single IC can be used to control all of the connection handshakes. For more complex features, the Power Delivery protocol (PD) can be implemented. There's a strict set of guidelines that must be followed to be USB-C PD compliant. Products receive approval from the USB-IF governing committee before they're certified. Utilizing firmware from certified IC vendors can simplify design the solution.
2. USB Type-C and PD is expensive: To detect, attach, and negotiate communication, it would seem that the transition from USB 2.0 to USB-C would become expensive. For basic USB-C functionality, a basic state-machine controller can be used. Controllers are available on the market for 3. All Type-C ports have identical functionality: Despite a common connector, the actual feature set of a USB-C port can vary significantly. Ports on travel adapters only charge devices. Ports on wearable devices typically only receive charge. Ports on dual-role devices such as laptops can still see variation in port features. Power levels for standard Type-C ports are limited to 15 W while ports that implement PD can negotiate power up to 100 W. In addition, some ports are capable of data communication up to USB SS Gen 2 speeds of 10 Gb/s. Other features may include DisplayPort or Thunderbolt support.
The article debunks eight more myths.
Security

We Need To Prepare for the Future of War, NSA Official Says (nytimes.com) 57

Glenn S. Gerstell, the general counsel of the National Security Agency, writing at The New York Times: The threats of cyberattack and hypersonic missiles are two examples of easily foreseeable challenges to our national security posed by rapidly developing technology. It is by no means certain that we will be able to cope with those two threats, let alone the even more complicated and unknown challenges presented by the general onrush of technology -- the digital revolution or so-called Fourth Industrial Revolution -- that will be our future for the next few decades.

The digital revolution has urgent and profound implications for our federal national security agencies. It is almost impossible to overstate the challenges. If anything, we run the risk of thinking too conventionally about the future. The short period of time our nation has to prepare for the effects of this revolution is already upon us, and it could not come at a more perilous and complicated time for the National Security Agency, Central Intelligence Agency, National Geospatial-Intelligence Agency, Defense Intelligence Agency, Federal Bureau of Investigation and the other components of the intelligence community.

Gearing up to deal with those new adversaries, which do not necessarily present merely conventional military threats, is itself a daunting challenge and one that must be undertaken immediately and for at least the next decade or two. But that is precisely when we must put in place a new foundation for dealing with the even more profound and enduring implications of the digital revolution. That revolution will sweep through all aspects of our society so powerfully that our only chance of effectively grappling with its consequences will lie in taking bold steps in the relatively near term. In short, our attention must turn to a far more complex set of threats of multiple dimensions enabled by the digital revolution. While the potential consequences are less catastrophic than nuclear war, they are nonetheless deeply threatening in a range of ways we will have trouble countering.

Security

Loophole That Lets People Share Your Private Instagram Pics and Stories Isn't a 'Hack' -- but Still, Heads Up (gizmodo.com) 99

An anonymous reader shares a report: Here's another reminder to be wary of what you share online: BuzzFeed News noticed on Monday that the way Instagram and its owner Facebook serve up media content allows for anyone who has access to a private photo or video to root around in the HTML code and copy-paste a direct link to it.

BuzzFeed wrote: "The hack -- which works on Instagram stories as well -- requires only a rudimentary understanding of HTML and a browser. It can be done in a handful of clicks. A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL. This public URL can then be shared with people who are not logged in to Instagram or do not follow that private user. According to tests performed by BuzzFeed's Tech + News Working Group, JPEGs and MP4s from private feeds and stories can be viewed, downloaded, and shared publicly this way.
...
Because all of this data is being hosted by Facebook's own content delivery network, the work-around also applies to private Facebook content. Here's an example of such a link to a private Instagram image, per the Verge: https://scontent-lax3-1.cdninstagram.com/vp/0907741760b14f49ebbb7d45f1e4871e/5E092026/t51.2885-15/e35/s1080x1080/67509661_124712232143789_4496164141880255274_n.jpg?_nc_ht=scontent-lax3-1.cdninstagram.com "


BuzzFeed is calling this a "hack," but what's really happening is Internet 101. When an authorized user loads a piece of content on Instagram in a browser, it's trivial to look in the HTML and find a direct URL to where the image or video is sitting on a server. This is not exactly uncommon for the content delivery networks (CDNs) that serve as the backbones of big websites; the simplest and least computationally expensive method of restricting unauthorized users from accessing the image or video in question is to make its URL very, very long.

Security

Thousands of Servers Infected With New Lilocked (Lilu) Ransomware (zdnet.com) 71

Longtime Slashdot reader Merovech shares a report from ZDNet: Thousands of web servers have been infected and had their files encrypted by a new strain of ransomware named Lilocked (or Lilu). Infections have been happening since mid-July, and have intensified in the past two weeks, ZDNet has learned. Based on current evidence, the Lilocked ransomware appears to target Linux-based systems only. The way the Lilocked gang breaches servers and encrypts their content is currently unknown. A thread on a Russian-speaking forum puts forward the theory that crooks might be targeting systems running outdated Exim (email) software. It also mentions that the ransomware managed to get root access to servers by unknown means.

Lilocked doesn't encrypt system files, but only a small subset of file extensions, such as HTML, SHTML, JS, CSS, PHP, INI, and various image file formats. This means infected servers continue to run normally. According to French security researcher Benkow, Lilocked has encrypted more than 6,700 servers, many of which have been indexed and cached in Google search results. However, the number of victims is suspected to be much much higher. Not all Linux systems run web servers, and there are many other infected systems that haven't been indexed in Google search results.
Why it should scare you:
- affects Linux servers
- so far the vector of infection / vulnerability is unknown
- you can craft a Google search to watch it spread!

Google

On Apple's Response To Google's Project Zero 54

Last week, Apple published a statement in which it disputed Google's Project Zero team's findings about the worst iOS attack in history. Alex Stamos, adjunct professor at Stanford University's Center for International Security and Cooperation and former CSO at Facebook, writes on Twitter: Apple's response to the worst known iOS attack in history should be graded somewhere between "disappointing" and "disgusting". First off, disputing Google's correct use of "indiscriminate" when describing a watering hole attack smacks of "it's ok, it didn't hit white people." The use of multiple exploits against an oppressed minority in an authoritarian state makes the likely outcomes *worse* than the Huffington Post example a former Apple engineer posited. It is possible that this data contributed to real people being "reeducated" or even executed. Even if we accept Apple's framing that exploiting Uyghurs isn't as big a deal as Google makes it out to be, they have no idea whether these exploits were used by the PRC in more targeted situations. Dismissing such a possibility out of hand is extremely risky.

Second, the word "China" is conspicuously absent, once again demonstrating the value the PRC gets from their leverage over the world's most valuable public company. To be fair, Google's post also didn't mention China. Their employees likely leaked attribution on background. Third, the pivot to Apple's arrogant marketing is not only tone-deaf but really rings hollow to the security community when Google did all the heavy lifting here. I'm guessing we won't hear Tim talk about how they are going to do better on stage next week. Dear Apple employees: I have worked for companies that took too long to publicly address their responsibilities. This is not a path you want to take. Apple does some incredible security work, but this kind of legal/comms driven response can undermine that work. Demand better.
Michael Tsai raises further questions about the way Apple framed its statement: "A blog," rather than "a blog post"? I love how Apple is subtly trying to discredit Project Zero by implying that it's a mere blog. And let's be sure everyone knows it's affiliated with Google, the privacy bad guys, even though it's a responsible, technically focused group. Apple says: "First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones 'en masse' as described."
Project Zero literally referred to "a small collection of hacked websites" that received "receive thousands of visitors per week." And it does seem like a particular subpopulation was targeted "en masse." The sites in question were on the public Internet; it wasn't links being sent to target particular individuals. Apple is blaming the messenger for things it didn't even say.

Apple adds: "The attack affected fewer than a dozen websites that focus on content related to the Uighur community."
Oh, I get it. Most people would consider "fewer than a dozen" to be "a small collection." But in Apple-speak, there were "a small number" of corrupt App Store binaries causing crashes, and "a small number" of MacBook Pro users experiencing butterfly keyboard problems, not to be confused with the "very small number" of iPhones that unexpectedly shut down. So, yeah, I can see why Apple wants people to know that this "small collection" doesn't mean "millions." Although there are apparently 10 million Uigurs in China. Apple adds: "Google's post, issued six months after iOS patches were released[...] It's great that Project Zero reported this in a responsible way, because now we can downplay it as old news.
Windows

New Windows 10 Update Bugs Include Orange Screenshots (mspoweruser.com) 96

An anonymous reader quotes MS Poweruser: Microsoft's latest Cumulative Update KB4512941 for Windows 10 May 2019 Update(1903) may be Microsoft's buggiest yet, with the update already known for being plagued with high CPU usage bugs* and crippled search.

Now reports of a new bug are filtering in, with users reporting that their screenshots all have an orange tint, no matter which method or app they use to take them.

The issue appears to be related to older video drivers, as updating drivers (or uninstalling KB4512941) appears to fix this problem.

* Microsoft has told Forbes that the spike in CPU usage "only occurs on devices that have disabled searching the web using Windows Desktop Search" -- and that they're planning to release a fix for this update-related bug in mid-September.
Google

Chrome OS Bug Started Mistakenly Sending 'Final Update' Notifications (9to5google.com) 21

An anonymous reader quotes 9to5Google: Like it or not, Chromebooks do have something of an expiration date when you purchase them, namely that one day they'll stop receiving updates. Thankfully, that date is typically over five years after the Chromebook's original release. For some, however, Chrome OS has been wrongly indicating this week that their Chromebook has received its "final update" many years too early.

Just like the Chrome browser on desktop and Android, Chrome OS has four different update "channels" -- Stable, Beta, Dev, and Canary. Each one of these after Stable trades a level of stability for more rapid updates, with Canary receiving highly unstable updates almost every day. People who are bold enough to put their Chromebook on Dev or Canary have been facing an interesting new issue for the past few days. Upon restarting their device, Chrome OS immediately displays a notification warning that "this is the last automatic software and security update for this Chromebook." Of course, if you're seeing this message this week, there's a decent chance that this is not actually the case.

Instead, these final update warnings are caused by a bug in the most recent versions of Chrome OS.

Slashdot Top Deals