Security

NYC Has Hired Hackers To Hit Back at Stalkerware (technologyreview.com) 28

Abusers leverage high-tech tools in the oldest of crimes, stalking their victims through tools like Facebook Messenger and Apple Maps. They spy on their targets through stalkerware apps and Amazon Alexas. But hackers are now teaming up with victim advocates to catch up. From a report: In a pilot study the New York City government has been running since 2018, technologists work in collaboration with the Mayor's Office to End Domestic and Gender-Based Violence to offer practical computer security and privacy services to survivors of intimate partner violence. The program, which involves a team of academics from Cornell Tech and New York University, has already seen early success and is growing, Cornell Tech's Sam Havron said on Wednesday at the USENIX Security Symposium in Santa Clara, California. There are hundreds of apps sold on the market today that stalkers use to track a victim's location, secretly record voice audio, steal text messages, or engage in other illegal surveillance. Since November 2018, the New York-based technologists have met with 44 clients and have discovered that 23 of them may have been targeted by spyware, account compromise, or exploitable misconfigurations. Over half the victim cases have connections to digital abuse, according to a newly published paper, "Clinical Computer Security for Victims of Intimate Partner Violence."
Microsoft

Microsoft Surface Pro 6 and Surface Book 2 Are Throttle Locking To 'Pentium 2 Speeds' of 400 MHz, Users Say (zdnet.com) 84

intensivevocoder writes: Owners of Microsoft's Surface Pro 6 and Surface Book 2 systems are finding themselves stuck at Pentium 2 speeds, as numerous user complaints indicate that the ultra-portables are throttling the processor down to 400 MHz, a state that -- in some instances -- persists across reboots. While similar issues with Surface devices have occurred in the past, reports of issues have increased in frequency following a firmware update for the Surface Pro 6.

The throttle-lock appears to be caused by an Intel CPU flag called BD PROCHOT (bi-directional processor hot), which can be set by any peripheral, telling the processor to throttle down in order to decrease system temperature -- a useful flag in cases where the CPU is operating within thermal limits, but other components tied to the CPU are running too hot, because of the demands placed on other components by processes on the CPU.

Security

The Fashion Line Designed To Trick Surveillance Cameras (theguardian.com) 95

Freshly Exhumed shares a report from The Guardian: Automatic license plate readers, which use networked surveillance cameras and simple image recognition to track the movements of cars around a city, may have met their match, in the form of a T-shirt. Or a dress. Or a hoodie. The anti-surveillance garments were revealed at the DefCon cybersecurity conference in Las Vegas on Saturday by the hacker and fashion designer Kate Rose, who presented the inaugural collection of her Adversarial Fashion line.

To human eyes, Rose's fourth amendment T-shirt contains the words of the fourth amendment to the U.S. constitution in bold yellow letters. The amendment, which protects Americans from "unreasonable searches and seizures," has been an important defense against many forms of government surveillance: in 2012, for instance, the U.S. supreme court ruled that it prevented police departments from hiding GPS trackers on cars without a warrant. But to an automatic license plate reader (ALPR) system, the shirt is a collection of license plates, and they will get added to the license plate reader's database just like any others it sees. The intention is to make deploying that sort of surveillance less effective, more expensive, and harder to use without human oversight, in order to slow down the transition to what Rose calls "visual personally identifying data collection."
"It's a highly invasive mass surveillance system that invades every part of our lives, collecting thousands of plates a minute. But if it's able to be fooled by fabric, then maybe we shouldn't have a system that hangs things of great importance on it," she said.
Security

Researchers Found World-Readable Database Used To Secure Buildings Around the Globe (arstechnica.com) 9

Researchers said they have found a publicly accessible database containing almost 28 million records -- including plain-text passwords, face photos, and personal information -- that was used to secure buildings around the world. Ars Technica reports: Researchers from vpnMentor reported on Wednesday that the database was used by the Web-based Biostar 2 security system sold by South Korea-based Suprema. Biostar uses facial recognition and fingerprint scans to identify people authorized to enter warehouses, municipal buildings, businesses, and banks. vpnMentor said the system has more than 1.5 million installations in a wide range of countries including the U.S., the UK, Indonesia, India, and Sri Lanka. According to vpnMentor, the 23-gigabyte database contained more than 27.8 million records used by Biostar to secure customer facilities. The data included usernames, passwords and user IDs in plaintext, building access logs, employee records including start dates, personal details, mobile device data, and face images. The researchers said the data also included more than 1 million records containing actual fingerprint scans, but the report provided no data to support the claim.

"The vpnMentor researchers said they discovered the exposed database on August 5 and privately reported the finding two days later," reports Ars Technica. "The data wasn't secured until Tuesday, six days later."
Security

Credit Karma Glitch Exposed Users To Other People's Accounts (techcrunch.com) 9

Users of credit monitoring site Credit Karma have took to Reddit and Twitter to complain that they were served other people's account information when they logged in. TechCrunch has confirmed several screenshots that show other people's accounts, including details about their credit card accounts and their current balance.

When contacted, a Credit Karma spokesperson said these users "experienced a technical malfunction that has now been fixed," and that there's "no evidence of a data breach." The company didn't say for how long customers were experiencing issues. TechCrunch reports: One user told TechCrunch that after they were served another person's full credit report, they messaged the user on LinkedIn "to let him know his data was compromised." Another user told us this: "The reports are split into two sections: Credit Factors -- things like number of accounts, inquiries, utilization; and Credit Reports -- personal information like name, address, etc.. The Credit Reports section was my own information, but the Credit Factors section definitely wasn't. It listed four credit card accounts (I have more like 20 on my report), a missed payment (I'm 100% on time with payments), a Honda auto loan (never had one with Honda), student loan financing (mine are paid off and too old to appear on my report), and cards with an issuer that I have no relationship with (Discover)."

Another user who was affected said they could read another person's Credit Factors -- including derogatory credit marks -- but that the Credit Report tab with that user's personal information, like names and addresses, was blank. One user said that the login page was pulled offline for a brief period. "We'll be right back," the login page read instead.

AI

AI Researchers Launch SuperGLUE, a Rigorous Benchmark For Language Understanding (venturebeat.com) 8

Facebook AI Research, together with Google's DeepMind, University of Washington, and New York University, today introduced SuperGLUE, a series of benchmark tasks to measure the performance of modern, high performance language-understanding AI. From a report: SuperGLUE was made on the premise that deep learning models for conversational AI have "hit a ceiling" and need greater challenges. It uses Google's BERT as a model performance baseline. Considered state of the art in many regards in 2018, BERT's performance has been surpassed by a number of models this year such as Microsoft's MT-DNN, Google's XLNet, and Facebook's RoBERTa, all of which were are based in part on BERT and achieve performance above a human baseline average. SuperGLUE is preceded by the General Language Understanding Evaluation (GLUE) benchmark for language understanding in April 2018 by researchers from NYU, University of Washington, and DeepMind. SuperGLUE is designed to be more complicated than GLUE tasks, and to encourage the building of models capable of grasping more complex or nuanced language.
Security

Cray Is Building a Supercomputer To Manage the US' Nuclear Stockpile (engadget.com) 65

An anonymous reader quotes a report from Engadget: The U.S. Department of Energy (DOE) and National Nuclear Security Administration (NNSA) have announced they've signed a contract with Cray Computing for the NNSA's first exascale supercomputer, "El Capitan." El Capitan's job will be to will perform essential functions for the Stockpile Stewardship Program, which supports U.S. national security missions in ensuring the safety, security and effectiveness of the nation's nuclear stockpile in the absence of underground testing. Developed as part of the second phase of the Collaboration of Oak Ridge, Argonne and Livermore (CORAL-2) procurement, the computer will be used to make critical assessments necessary for addressing evolving threats to national security and other issues such as non-proliferation and nuclear counterterrorism.

El Capitan will have a peak performance of more than 1.5 exaflops -- which is 1.5 quintillion calculations per second. It'll run applications 50 times faster than Lawrence Livermore National Laboratory's (LLNL) Sequoia system and 10 times faster than its Sierra system, which is currently the world's second most powerful super computer. It'll be four times more energy efficient than Sierra, too. The $600 million El Capitan is expected to go into production by late 2023.
"NNSA is modernizing the Nuclear Security Enterprise to face 21st century threats," said Lisa E Gordon-Hagerty, DOE undersecretary for nuclear security and NNSA administrator. "El Capitan will allow us to be more responsive, innovative and forward-thinking when it comes to maintaining a nuclear deterrent that is second-to-none in a rapidly-evolving threat environment."
Iphone

Researcher Makes Legit-Looking iPhone Lightning Cables That Will Hijack Your Computer (vice.com) 42

A researcher known as MG has modified Lightning cables with extra components to let him remotely connect to the computers that the cables are connected to. "It looks like a legitimate cable and works just like one. Not even your computer will notice a difference. Until I, as an attacker, wirelessly take control of the cable," MG said. Motherboard reports: One idea is to take this malicious tool, dubbed O.MG Cable, and swap it for a target's legitimate one. MG suggested you may even give the malicious version as a gift to the target -- the cables even come with some of the correct little pieces of packaging holding them together. MG typed in the IP address of the fake cable on his own phone's browser, and was presented with a list of options, such as opening a terminal on my Mac. From here, a hacker can run all sorts of tools on the victim's computer.

The cable comes with various payloads, or scripts and commands that an attacker can run on the victim's machine. A hacker can also remotely "kill" the USB implant, hopefully hiding some evidence of its use or existence. MG made the cables by hand, painstakingly modifying real Apple cables to include the implant. "In the end, I was able to create 100 percent of the implant in my kitchen and then integrate it into a cable. And these prototypes at Def con were mostly done the same way," he said. MG did point to other researchers who worked on the implant and graphical user interface. He is selling the cables for $200 each.

Microsoft

Vulnerability in Microsoft CTF Protocol Goes Back To Windows XP (zdnet.com) 64

CTF, a little-known Microsoft protocol used by all Windows operating system versions since Windows XP, is insecure and can be exploited with ease. From a report: According to Tavis Ormandy, a security researcher with Google's Project Zero elite security team and the one who discovered the buggy protocol, hackers or malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole. Currently, there are no patches for these bugs, and a quick fix isn't expected, as the vulnerabilities are deeply ingrained in the protocol and its design.

What CTF stands is currently unknown. Even Ormandy, a well-known security researcher, wasn't able to find what it means in all of Microsoft documentation. What Ormandy found out was that CTF is part of of the Windows Text Services Framework (TSF), the system that manages the text shown inside Windows and Windows applications. When users start an app, Windows also starts a CTF client for that app. The CTF client receives instructions from a CTF server about the OS system language and the keyboard input methods.
It is unclear how Microsoft will patch the CTF problem.
Biotech

Tesla Owner Implants RFID Chip From Her Model 3's Keycard Into Her Arm (theverge.com) 135

A Tesla driver figured out a way to implant the RFID tag from her Model 3's keycard into her forearm. Now, all she needs to do to unlock and turn on her car is to hold her forearm near the console -- no physical key fob or smartphone required. The Verge reports: Amie DD is a software engineer and self-described "maker of things." In a video, she explained that she had implanted an RFID tag in her arm years ago, which she had used to open her home's front door and to send a smartphone's browser to her personal website. When she preordered her Model 3, she realized that she could probably do something similar with the keycard. She didn't have any luck transferring the software to her existing chip, so she decided to extract the card's chip and implant that into her arm. To do that, she dissolved the card using acetone, and had it encased in a biopolymer. From there, she went to a body-modification studio to have the chip (about the size of a Lego mini-figure) implanted into her forearm. In another video (warning, there's some blood), she shows off the implantation. She also documented her process on Hackaday. She told The Verge that the chip does work, but the range from her arm to the console "isn't the greatest." It's only about an inch, but she's hoping that it'll improve as the swelling of her arm goes down.
Privacy

Ring Told People To Snitch On Their Neighbors In Exchange For Free Stuff (vice.com) 49

popcornfan679 shares a report from Motherboard: Ring, Amazon's home security company, has encouraged people to form their own "Digital Neighborhood Watch" groups that report crime in exchange for free or discounted Ring products, according to an internal company slide presentation obtained by Motherboard. The slide presentation -- which is titled "Digital Neighborhood Watch" and was created in 2017, according to Ring -- tells people that if they set up these groups, report all suspicious activity to police, and post endorsements of Ring products on social media, then they can get discount codes for Ring products and unspecified Ring "swag." A Ring spokesperson said the program described in the slide presentation was rolled out in 2017, before Ring was acquired by Amazon. They said it was discontinued that same year.

"This particular idea was not rolled out widely and was discontinued in 2017," Ring said. "We will continue to invent, iterate, and innovate on behalf of our neighbors while aligning with our three pillars of customer privacy, security, and user control." "Some of these ideas become official programs, and many others never make it past the testing phase," Ring continued, adding that the company "is always exploring new ideas and initiatives."
Privacy

Almost Half of Employees Have Access To More Data Than They Need (betanews.com) 53

A new study of over 700 full-time US employees reveals that that 48 percent of employees have access to more company data than they need to perform their jobs, while 12 percent of employees say they have access to all company data. From a report: The survey by business app marketplace GetApp also asked employees what classifications of data protection are in place at their company. No more than a third of businesses were found to use any one individual data classification. The lowest in use are Proprietary (15 percent) and Highly Confidential (18 percent). The most commonly used are Confidential -- 33 percent of businesses use this classification, Internal -- 30 percent, Public -- 29 percent and Restricted/Sensitive -- 25 percent.
Security

Epic Hit With Class-Action Suit Over Hacked Fortnite Accounts (polygon.com) 12

Epic Games is being sued over security breaches that allowed hackers to access the personal information of Epic Games accounts. From a report: The class-action lawsuit, filed by Franklin D. Azar & Associates in U.S. District Court in North Carolina, alleges Epic's "failure to maintain adequate security measures and notify users of the security breach in a timely manner." The lawsuit states that "there are more than 100 class members." In January, Epic acknowledged that a bug in Fortnite may have exposed personal information for millions of user accounts.
Transportation

Getting Cool Vanity License Plate 'NULL' Is Not Really a Cool Idea, Infosec Researcher Discovers (mashable.com) 106

Choosing NULL as your license plate might seem like a funny idea. But as an infosec researcher discovered recently, the cool-looking NULL vanity plate comes with its own consequences. Researcher Droogie, that's his handle, who presented at this year's DEF CON in Las Vegas, said he has been on the receiving end of thousands of dollars worth of tickets that aren't his. From a report: Droogie registered a vanity California license plate consisting solely of the word "NULL" -- which in programming is a term for no specific value -- for fun. And, he admitted to laughs, on the off chance it would confuse automatic license plate readers and the DMV's ticketing system. "I was like, 'I'm the shit,'" he joked to the crowd. "'I'm gonna be invisible.' Instead, I got all the tickets." Things didn't go south immediately. As Droogie explained, he's a cautious driver and didn't get any tickets for the first year he owned the vanity plate. Then he went to reregister his tags online, and, when prompted to input his license plate, broke the DMV webpage. It seemed the DMV site didn't recognize the plate "NULL" as an actual input.

That was the first sign that something was amiss. The next sign was, well, a little more serious: After receiving a legitimate parking ticket, thousands of dollars in random tickets starting arriving in the mail at his house, addressed to him. It seemed that a privately operated citation processing center had a database of outstanding tickets, and, for some reason -- possibly due to incomplete data on their end -- many of those tickets were assigned to the license plate "NULL." In other words, the processing center was likely trying to tell its systems it didn't know the plates of the offending cars. Instead, with Droogie's vanity plate now in play, it pegged all those outstanding tickets on him. Specifically, over $12,000 worth of outstanding tickets.
Long story short, Droogie went on the painstaking process to explain the situation to the DMV and the LAPD, both of whom advised him to change his plate. At any rate, the DMV reached out to the private vendor and sorted the issue.
Businesses

Unroll.me Settles FTC Allegations That It Deceived Consumers About How it Accesses and Uses Emails (ftc.gov) 2

Unroll.me, a firm that helps people manage their email list subscriptions but also sells users' data for profit, has settled with the FTC after allegations of deceiving consumers, the agency said. In a press release, the agency wrote: In a complaint, the FTC alleges that Unrollme , falsely told consumers that it would not "touch" their personal emails, when in fact it was sharing the users' email receipts (e-receipts) with its parent company, Slice Technologies. E-receipts are emails sent to consumers following a completed transaction and can include, among other things, the user's name, billing and shipping addresses, and information about products or services purchased by the consumer. Slice uses anonymous purchase information from Unrollme users' e-receipts in the market research analytics products it sells. Unrollme helps users unsubscribe from unwanted subscription emails and consolidates wanted email subscriptions into one daily email called the Rollup. The service requires users to provide Unrollme with access to their email accounts.
Businesses

Samsung is Spamming Galaxy Phones With Multiple Note10 Ads (androidpolice.com) 72

An anonymous reader shares a report: In case you were living under a rock this past week, it was hard to miss Samsung's big reveal for the Galaxy Note10. It was all over social media, news sites, televisions, and... notification trays. That's right, Samsung is once again spamming Galaxy phones with advertisements, this time for the Note10. This time around, push notifications advertising the Note10 are being sent out by at least three pre-installed applications -- Samsung Pay, Bixby, and the Samsung Push Service. Bixby wants you to ask it about the Note10, Samsung Pay is offering points when you look at the phone's product page, and Samsung Push Service just gives you a banner ad with no indication of where it came from. I received the Bixby ad on my international Galaxy S10e, but I haven't personally seen the others. To make matters even worse, Samsung has blocked disabling these alerts by holding down on them, at least for the Bixby app (again, I can't verify the other types of alerts). To disable the Bixby notifications, you have to open Bixby, tap the menu icon at the top-right, select Settings, and set 'Marketing notifications' to off.
Bug

Researchers Find More Than 40 Vulnerable Windows Device Drivers (eclypsium.com) 16

Artem S. Tashkinov writes: Researchers from security company Eclypsium have discovered that more than forty drivers from at least twenty different vendors -- including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei -- include critical vulnerabilities allowing an escalation of privileges to full system level access.

Considering how widespread these drivers are, and the fact that they are digitally signed by Microsoft, they allow an attacker to more successfully penetrate target systems and networks, as well as remain hidden. Also while some of these drivers "are designed to update firmware, the driver is providing not only the necessary privileges, but also the mechanism to make changes" which means the attacker can gain a permanent foothold. Eclypsium has already notified Microsoft about the issues and at least NVIDIA has already released fixed drivers.

Bug

Remember Autorun.inf Malware In Windows? Turns Out KDE Offers Something Similar (zdnet.com) 85

Long-time Slashdot reader Artem S. Tashkinov writes: A security researcher has published proof-of-concept (PoC) code for a vulnerability in the KDE software framework. A fix is not available at the time of writing. The bug was discovered by Dominik "zer0pwn" Penner and impacts the KDE Frameworks package 5.60.0 and below. The KDE Frameworks software library is at the base of the KDE desktop environment v4 and v5 (Plasma), currently included with a large number of Linux distributions.

The vulnerability occurs because of the way the KDesktopFile class (part of KDE Frameworks) handles .desktop or .directory files. It was discovered that malicious .desktop and .directory files could be created that could be used to run malicious code on a user's computer. When a user opens the KDE file viewer to access the directory where these files are stored, the malicious code contained within the .desktop or .directory files executes without user interaction — such as running the file.

Zero user interaction is required to trigger code execution — all you have to do is to browse a directory with a malicious file using any of KDE file system browsing applications like Dolphin.

When ZDNet contacted KDE for a comment Tuesday, their spokesperson provided this response.

"We would appreciate if people would contact security@kde.org before releasing an exploit into the public, rather than the other way around, so that we can decide on a timeline together."
Stats

Do Personality Tests Give Companies Too Much Power? (thewalrus.ca) 155

One 2016 human resources study found that 48% of American businesses -- and 57% of U.K. businesses -- used personality questionnaires for hiring decisions, a new article reports. They add that the personality test industry may now be bringing in up to $4 billion a year.

But "By relying on these tests, employers can ask questions that would be inappropriate -- or at best bizarre -- in a traditional interview." For example, in 2017 the crafts store Michael's was asking job-seekers whether they strongly agreed with these statements:

- "I am always happy."
- "When I look at the world around me, I have little hope for mankind."
- "Over the course of the day, I can experience many mood changes."
- "When I am in a bad mood, it affects my work."

An anonymous reader quotes an investigative report from The Walrus: Bad hires can be costly for companies, and the tests are now used to screen everyone from minimum-wage employees to consultants and top-level executives. But there is the risk that people saddled with the wrong scores will be screened out en masse without a chance to prove themselves. As part of an attempt to build a perfect capitalist meritocracy, algorithms are effectively monitoring the workforce to decide which traits are deemed desirable -- and who gets left behind...

[S]ome critics say personality tests give companies too much power. Elizabeth D. De Armond, a professor of legal research and writing at Chicago-Kent College of Law, likens personality tests to an "MRI scan of the soul" and suggests banning them, except in cases where a business can convincingly argue that hiring for a certain personality is essential (police officers must be able to handle highly stressful situations, for example). The tests seek "to observe not just what an employee does, but how that employee thinks -- processes that pertain not just to the employee's presence on the job, but the employee's being at all times," De Armond wrote in 2012.

Merve Emre, who recently published a history of the Myers-Briggs Indicator, argues that "All of these tests are registering the interests of power, and capitalist power specifically. Just because that power is being routed through and sanitized by a scientific proof doesn't mean it's not power."

The article also includes comments from an executive at the company that created the personality test for Michael's who argues that the tests eliminate human biases from hiring based solely on an in-person interview.

Their test even check for people who answered too quickly or answered "strongly agree" too often, according to the article -- and if they did, flag their responses with an "authenticity alert."
Bug

New Spectre-like CPU Vulnerability Bypasses Existing Defenses (csoonline.com) 57

itwbennett writes: Researchers from security firm Bitdefender discovered and reported a year ago a new CPU vulnerability that 'abuses a system instruction called SWAPGS and can bypass mitigations put in place for previous speculative execution vulnerabilities like Spectre,' writes Lucian Constantin for CSO.

There are three attack scenarios involving SWAPGS, the most serious of which 'can allow attackers to leak the contents of arbitrary kernel memory addresses. This is similar to the impact of the Spectre vulnerability.' Microsoft released mitigations for the vulnerability in July's Patch Tuesday, although details were withheld until August 6 when Bitdefender released its whitepaper and Microsoft published a security advisory.

Slashdot Top Deals