Security

Two College Students Nearly Grabbed Donald Trump's Tax Returns Online (inquirer.com) 247

"This was a Wayne's World scene gone awry..." says an attorney for 23-year-old Andrew Harris. "They were Wayne and Garth in a blue Pacer with a dumb idea and a mixed run of luck," he told the Philadelphia Inquirer: Harris previously had filed an application for federal student aid, and noticed that the government form would redirect to the IRS and import his own tax returns automatically. Harris and his fellow classmate Justin Hiemstra wondered: What would happen if they posed as one of Trump's offspring? Could they use an application for aid to land the returns and scoop the nation's biggest newspapers? Tiffany Trump had graduated in May 2016 from the University of Pennsylvania and had announced she was going to graduate school at Georgetown University. It could work.

Six days before the 2016 election, Harris and Hiemstra went to Haverford College's computer lab and logged in using another student's credentials. They accessed a Free Application for Student Aid (FAFSA). When they attempted to register under the name of Trump's child, they were stunned to discover an application under that name already existed. Using Google, they successfully guessed most of the answers to a series of challenge questions to reset the password. Stymied four times on one of the security questions, they gave up.

What they didn't realize was that the Department of Education was monitoring all traffic on the FAFSA site. The failed attempt sent up a red flag. The IRS dispatched federal investigators to Haverford shortly after.

Last month Pulitzer Prize-winning tax journalist David Cay Johnston told the paper "It's surprising they didn't catch them until four tries." They also reported that while Harris was expelled from the college, 22-year-old Hiemstra was allowed to graduate, and both men have pleaded guilty to accessing a computer without authorization and attempting to access a computer without authorization to obtain government information.

When sentenced in December, they'll face a maximum of two years in prison, two years of supervised release, and a $200,000 fine.
Google

Google Expands Bug Bounty Programme To All Apps With Over 100M Installs (venturebeat.com) 2

Long-time Slashdot reader AmiMoJo quotes VentureBeat: Google, which has already paid security researchers over $15 million since launching its bug bounty program in 2010, today increased the scope of its Google Play Security Reward Program (GPSRP). Security researchers will now be rewarded for finding bugs across all apps in Google Play with 100 million or more installs. At the same time, the company launched the Developer Data Protection Reward Program (DDPRP) in collaboration with [bug bounty platform] HackerOne. That program is for data abuses in Android apps, OAuth projects, and Chrome extensions....

Google also uses this vulnerability data to create automated checks that scan all Google Play apps for similar vulnerabilities. Affected app developers are notified via the Play Console. The App Security Improvement (ASI) program provides them with information on the vulnerability and how to fix it. In February, Google revealed that ASI has helped over 300,000 developers fix over 1,000,000 apps on Google Play.

The article also notes that Android apps and Chrome extensions found to be abusing data "will be removed from Google Play and the Chrome Web Store."
Security

Hong Kong Protesters Using Mesh Messaging App China Can't Block: Usage Up 3685% (forbes.com) 57

An anonymous reader quotes Forbes: How do you communicate when the government censors the internet? With a peer-to-peer mesh broadcasting network that doesn't use the internet.

That's exactly what Hong Kong pro-democracy protesters are doing now, thanks to San Francisco startup Bridgefy's Bluetooth-based messaging app. The protesters can communicate with each other — and the public — using no persistent managed network...

While you can chat privately with contacts, you can also broadcast to anyone within range, even if they are not a contact.

That's clearly an ideal scenario for protesters who are trying to reach people but cannot use traditional SMS texting, email, or the undisputed uber-app of China: WeChat. All of them are monitored by the state.

Wednesday another article in Forbes confirmed with Bridgefy that their app uses end-to-end RSA encryption -- though an associate professor at the Johns Hopkins Information Security Institute warns in the same article about the possibility of the Chinese government demanding that telecom providers hand over a list of all users running the app and where they're located.

Forbes also notes that "police could sign up to Bridgefy and, at the very least, cause confusion by flooding the network with fake broadcasts" -- or even use the app to spread privacy-compromising malware. "But if they're willing to accept the risk, Bridgefy could remain a useful tool for communicating and organizing in extreme situations."
Wikipedia

Parts of Wikipedia Went Offline After 'Malicious' DDoS Attack (www.rte.ie) 47

An anonymous reader quotes the website of Ireland's national public service broadcasting: Popular online reference website Wikipedia went down in several countries after the website was targeted by what it described as a "malicious attack". The server of the Wikimedia Foundation, which hosts the site, suffered a "massive" Distributed Denial of Service (DDoS) attack, the organisation's German account said in a tweet last night.

In a separate statement the Wikimedia Foundation said that the attack on the encyclopedia - one of the world's most popular websites - was "ongoing" and teams were working to restore access... Wikimedia condemned the breach of its server, saying it threatened "everyone's fundamental rights to freely access and share information."

Bug

Exploit For Wormable BlueKeep Windows Bug Released Into the Wild (arstechnica.com) 24

An anonymous reader quotes a report from Ars Technica: For months, security practitioners have worried about the public release of attack code exploiting BlueKeep, the critical vulnerability in older versions of Microsoft Windows that's "wormable," meaning it can spread from computer to computer the way the WannaCry worm did two years ago. On Friday, that dreaded day arrived when the Metasploit framework -- an open source tool used by white hat and black hat hackers alike -- released just such an exploit into the wild. The module, which was published as a work in progress on Github, doesn't yet have the polish and reliability of the EternalBlue exploit that was developed by the NSA and later used in WannaCry. For instance, if the people using the new module specify the wrong version of Windows they want to attack, they'll likely wind up with a blue-screen crash. Getting the exploit to work on server machines also requires a change to default settings in the form of a registry modification that turns on audio sharing.

The latest flaw, which is indexed as CVE-2019-0708 but is better known by the name BlueKeep, resides in earlier versions of the Remote Desktop Services, which help provide a graphical interface for connecting to Windows computers over the Internet. It affects Windows 2003 and XP, Vista 7, Server 2008 R2, and Server 2008. When Microsoft patched the vulnerability in May, it warned that computers that failed to install the fix could suffer a similar fate if reliable attack code ever becomes available. The reason: like the flaw that EternalBlue exploited, BlueKeep allowed for self-replicating attacks. Like a falling line of dominoes, a single exploit could spread from vulnerable machine to vulnerable machine with no interaction required of end users.
"The release of this exploit is a big deal because it will put a reliable exploit in the hands of both security professionals and malicious actors," Ryan Hanson, principal research consultant at Atredis Partners and a developer who helped work on the release, told Ars. "I'm hoping the exploit will be primarily used by offensive teams to demonstrate the importance of security patches, but we will likely see criminal groups modifying it to deliver ransomware as well."
Google

Apple Disputes Google's Claims of a Devastating iPhone Hack (vice.com) 22

In a rare move, Apple has released a statement to comment on the attacks on iPhone users revealed by Google last week. From a report: Last week, Google dropped a bombshell in the form of a long, detailed analysis of five chains of iOS vulnerabilities discovered by its security teams. Google didn't say who was behind the attacks, nor who was targeted, but described the attack as "indiscriminate," and potentially hitting "thousands" of people. Apple disagrees. Friday, Apple published a brief press release that disputes some relatively minor details that Google released about the attacks. Namely, that the attacks lasted for a shorter amount of time and that they were less widespread than Google reported.

"First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones 'en masse' as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community." Apple wrote. "Google's post, issued six months after iOS patches were released, creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised. This was never the case. Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not 'two years' as Google implies," the statement continued.

Intel

Intel Is Suddenly Very Concerned With 'Real-World' Benchmarking (extremetech.com) 72

Dputiger writes: Intel is concerned that many of the benchmarks used in CPU reviews today are not properly capturing overall performance. In the process of raising these concerns, however, the company is drawing a false dichotomy between real-world and synthetic benchmarks that doesn't really exist. Whether a test is synthetic or not is ultimately less important than whether it accurately measures performance and produces results that can be generalized to a larger suite of applications.
Privacy

Why Phones That Secretly Listen To Us Are a Myth (bbc.com) 219

A mobile security company has carried out a research investigation to address the popular conspiracy theory that tech giants are listening to conversations. From a report: The internet is awash with posts and videos on social media where people claim to have proof that the likes of Facebook and Google are spying on users in order to serve hyper-targeted adverts. Videos have gone viral in recent months showing people talking about products and then ads for those exact items appear online. Now, cyber security-specialists at Wandera have emulated the online experiments and found no evidence that phones or apps were secretly listening. Researchers put two phones -- one Samsung Android phone and one Apple iPhone -- into a "audio room". For 30 minutes they played the sound of cat and dog food adverts on loop. They also put two identical phones in a silent room.

The security specialists kept apps open for Facebook, Instagram, Chrome, SnapChat, YouTube, and Amazon with full permissions granted to each platform. They then looked for ads related to pet food on each platform and webpage they subsequently visited. They also analyzed the battery usage and data consumption on the phones during the test phase. They repeated the experiment at the same time for three days, and noted no relevant pet food adverts on the "audio room" phones and no significant spike in data or battery usage.

Businesses

Israeli Spyware Firm NSO Group is Wildly Profitable Despite Concerns Over Misuse of its Technology, Leaked Financials Show (businessinsider.com) 8

An anonymous reader shares a report: The secretive Israeli spyware company NSO Group gained notoriety following allegations that its hacking tool Pegasus was used by governments like Saudi Arabia and Mexico to track dissidents and journalists. A few months later, the company was acquired for $1 billion by its cofounders Shalev Hulio and Omri Lavie alongside the private equity firm Novalpina Capital. To get that deal done, the founders raised money through a debt offering led by Credit Suisse and Jefferies. The banks reportedly struggled to sell the debt due to ethical concerns, but in the end it found buyers in mutual funds including BlackRock and Principal Financial Group, as well as collateralized loan obligation (CLO) management firms Ellington Management Group and Saratoga Investment Corp. Why would so many financial institutions align themselves with a company with a contentious reputation? NSO Group is high growth, and it's wildly profitable, according to a person who saw the debt offering circulated by the company earlier this year who shared its contents with Business Insider. And it did that all with just 60 customers.
Iphone

Apple Plans Return of Touch ID and New Cheap iPhone (bloomberg.com) 25

Apple is reportedly developing in-display fingerprint technology for as early as its 2020 iPhones, according to Bloomberg. "The technology is in testing both inside Apple and among the company's overseas suppliers, though the timeline for its release may slip to the 2021 iPhone refresh, said the people, who asked not to be identified discussing private work." From the report: Apple introduced fingerprint scanning on iPhones in 2013, following its acquisition of AuthenTec Inc., a pioneer in the field. Integrated into the iPhone's home button, the Touch ID system was used for unlocking the device, approving payments and authorizing app downloads -- and it gave Apple a technological edge with its speed and reliability. Touch ID was replaced with face-scanning sensors in 2017 with the iPhone X launch. Branded as Face ID, the new face authentication again put Apple ahead of the competition with a more robust and secure implementation than rivals. The upcoming fingerprint reader would be embedded in the screen, letting a user scan their fingerprint on a large portion of the display, and it would work in tandem with the existing Face ID system, the people familiar with Apple's plans said. The report also mentions Apple is working on its first low-cost iPhone since the iPhone SE: That could come out as early as the first half of 2020, the people said. The device would look similar to the iPhone 8 and include a 4.7-inch screen. The iPhone 8 currently sells for $599, while Apple sold the iPhone SE for $399 when that device launched in 2016. The new low-cost phone is expected to have Touch ID built into the home button, not the screen. Nikkei reported plans for a cheaper iPhone earlier this week.
Security

Twitter Disables SMS-to-Tweet Feature After Its CEO Got Hacked Last Week (zdnet.com) 20

Twitter is disabling the ability to send tweets via SMS messages after an incident last week when the company's CEO Twitter account got hacked via this feature. From a report: The social network said the move is only temporary, but did not provide a timeline for the feature's reactivation. Twitter blamed the whole issue on mobile networks and "vulnerabilities that need to be addressed by mobile carriers."
Privacy

600,000 GPS Trackers Left Exposed Online With a Default Password of '123456' (zdnet.com) 52

According to Avast security researchers, over 600,000 GPS trackers manufactured by a Chinese company are using the same default password of "123456. "They say that hackers can abuse this password to hijack users' accounts, from where they can spy on conversations near the GPS tracker, spoof the tracker's real location, or get the tracker's attached SIM card phone number for tracking via GSM channels," reports BleepingComputer. From the report: Avast researchers said they found these issues in T8 Mini, a GPS tracker manufactured by Shenzhen i365-Tech, a Chinese IoT device maker. However, as their research advanced, Avast said the issues also impacted over 30 other models of GPS trackers, all manufactured by the same vendor, and some even sold as white-label products, bearing the logos of other companies. All models shared the same backend infrastructure, which consisted of a cloud server to which GPS trackers reported, a web panel where customers logged in via their browsers to check the tracker's location, and a similar mobile app, which also connected to the same cloud server. But all this infrastructure was full of holes.

While Avast detailed several issues in its report, the biggest was the fact that all user accounts (either from the mobile app or web panel) relied on a user ID and a password that were easy to guess. The user IDs were based on the GPS tracker's IMEI (International Mobile Equipment Identity) code and was sequential, while the password was the same for all devices -- 123456. This means that a hacker can launch automated attacks against Shenzhen i365-Tech's cloud server by going through all user ID's one by one, and using the same 123456 password, and take over users' accounts. While users can change the default after they log into their account for the first time, Avast said that during a scan of over four million user IDs, it found that more than 600,000 accounts were still using the default password.

Android

Trusted Face Smart Unlock Method Has Been Removed From Android Devices (androidpolice.com) 11

The not-so-widely-used trusted face smart unlock feature has officially been removed from Android, news blog Android Police reported this week. From the report: Trusted face was added in 2014 and has been accessible to users on all Android devices until recently. Now, it's completely gone from stock and OEM devices, running Android 10 or below. The feature was accessible under Settings -> Security -> Smart Lock -> Trusted face. It didn't use any biometric data for security, instead just relying on your face to unlock your device. A photo could easily fool it. The writing was on the wall for its removal: It was broken on Android Q Beta 6 and we know Google has been working on a more secure face authentication method. But it's not only Android 10 that no longer has the Trusted face option. We've verified that the option is gone from the OnePlus 6T, Samsung Galaxy S9 and S10, Nokia 3.2, all of which are running Android Pie stable.
IOS

Apple Change Causes Scramble Among Private Messaging App Makers (theinformation.com) 40

A change Apple is making to improve privacy in an upcoming version of its iPhone operating system has alarmed an unlikely group of software makers: developers of privacy-focused encrypted messaging apps. The Information (paywalled): They warn the change, which is already available in public test versions of iOS 13, could end up undermining the privacy goals that prompted it in the first place. The Information previously reported that the technical change Apple is making to its next operating systems, iOS 13, has sparked concern at Facebook, which believes it will have to make significant modifications to encrypted messaging apps like Facebook Messenger and WhatsApp to comply. But a much wider group of developers of encrypted messaging apps -- including Signal, Wickr, Threema and Wire -- is scrambling to overhaul their software so that key privacy features continue to work. Apple told The Information on Wednesday in a statement that it is working with the developers to resolve their concerns. "We've heard feedback on the API changes introduced in iOS 13 to further protect user privacy and are working closely with iOS developers to help them implement their feature requests," an Apple spokesperson said.
Communications

China Hacked Asian Telcos To Spy on Uighur Travelers (reuters.com) 22

Hackers working for the Chinese government have broken into telecoms networks to track Uighur travelers in Central and Southeast Asia, Reuters reported, citing two intelligence officials and two security consultants who investigated the attacks. From a report: The hacks are part of a wider cyber-espionage campaign targeting "high-value individuals" such as diplomats and foreign military personnel, the sources said. But China has also prioritized tracking the movements of ethnic Uighurs, a minority mostly Muslim group considered a security threat by Beijing. China is facing growing international criticism over its treatment of Uighurs in Xinjiang. Members of the group have been subject to mass detentions in what China calls "vocational training" centers and widespread state surveillance. Beijing's alleged cyberspace attacks against Uighurs show how it is able to pursue those policies beyond its physical borders.
Facebook

A Huge Database of Facebook Users' Phone Numbers Found Online (techcrunch.com) 36

Hundreds of millions of phone numbers linked to Facebook accounts have been found online. TechCrunch: The exposed server contained over 419 million records over several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam. But because the server wasn't protected with a password, anyone could find and access the database. Each record contained a user's unique Facebook ID and the phone number listed on the account. A user's Facebook ID is typically a long, unique and public number associated with their account, which can be easily used to discern an account's username. But phone numbers have not been public in more than a year since Facebook restricted access to users' phone numbers. TechCrunch verified a number of records in the database by matching a known Facebook user's phone number against their listed Facebook ID. We also checked other records by matching phone numbers against Facebook's own password reset feature, which can be used to partially reveal a user's phone number linked to their account.
Security

Fraudsters Deepfake CEO's Voice To Trick Manager Into Transferring $243,000 (thenextweb.com) 39

An anonymous reader quotes a report from The Next Web: In March, criminals sought the help of commercially available voice-generating AI software to impersonate the boss of a German parent company that owns a UK-based energy firm. They then tricked the latter's chief executive into urgently wiring said funds to a Hungarian supplier in an hour, with guarantees that the transfer would be reimbursed immediately. The company CEO, hearing the familiar slight German accent and voice patterns of his boss, is said to have suspected nothing, the report said.

But not only was the money not reimbursed, the fraudsters posed as the German CEO to ask for another urgent money transfer. This time, however, the British CEO refused to make the payment. As it turns out, the funds the CEO transferred to Hungary were eventually moved to Mexico and other locations. Authorities are yet to determine the culprits behind the cybercrime operation. The firm was insured by Euler Hermes Group, which covered the entire cost of the payment. The names of the company and the parties involved were not disclosed.
According to The Wall Street Journal, which first reported the news, the voice fraud cost the company $243,000.
Security

Over 47,000 Supermicro Servers Are Exposing BMC Ports on the Internet (zdnet.com) 57

Catalin Cimpanu, writing for ZDNet: More than 47,000 workstations and servers, possibly more, running on Supermicro motherboards are currently open to attacks because administrators have left an internal component exposed on the internet. These systems are vulnerable to a new set of vulnerabilities named USBAnywhere that affect the baseboard management controller (BMC) firmware of Supermicro motherboards. Patches are available to fix the USBAnywhere vulnerabilities, but Supermicro and security experts recommend restricting access to BMC management interfaces from the internet, as a precaution and industry best practice.
Google

Android Exploits Are Now Worth More Than iOS Exploits for the First Time (zdnet.com) 26

Zerodium, a company which claims it buys and then resells software exploits to government and law enforcement agencies, has updated its price list today, and Android exploits are worth more than iOS exploits for the first time ever. From a report: According to the company, starting today, a zero-click (no user interaction) exploit chain for Android can get hackers and security researchers up to $2.5 million in rewards. A similar exploit chain impacting iOS is worth only $2 million. Zerodium's new price for Android exploits is almost twelve times more when compared to the maximum of $200,000 the company was willing to offer a year ago, and even 100 times more than Zerodium was paying for some of the lower-impact Android exploits. Zerodium has timed its announcement with Google's official release for Android 10, scheduled for later today. Further reading: Exploit Sellers Say There are More iPhone Hacks on the Market Than They've Ever Seen.
IT

USB-IF To Continue Confusing Name Scheme With USB4 Gen 3x2 (techrepublic.com) 79

intensivevocoder writes: USB4 will be formally published at the USB Developer Days Seattle on September 17, and the USB Implementers Forum (USB-IF) is expected to continue the widely maligned naming scheme for USB speeds introduced in February for USB 3.2, an engineer familiar with the USB-IF's plans told TechRepublic. As a quick recap, USB 3.1 Gen 2, increased the lane speed to 10 Gbps. A second 10 Gbps lane was added in the USB 3.2 standard, which the USB-IF calls "USB 3.2 Gen 2x2." USB4 (which is not written as "USB 4.0") will reach speeds of 40 Gbps, doubling the speeds again. USB4 was first previewed in March, when the USB Promoter Group announced that USB4 would be based on Intel's Thunderbolt 3 specification, though specific details are expected later this month.

Slashdot Top Deals