Stats

Do Personality Tests Give Companies Too Much Power? (thewalrus.ca) 155

One 2016 human resources study found that 48% of American businesses -- and 57% of U.K. businesses -- used personality questionnaires for hiring decisions, a new article reports. They add that the personality test industry may now be bringing in up to $4 billion a year.

But "By relying on these tests, employers can ask questions that would be inappropriate -- or at best bizarre -- in a traditional interview." For example, in 2017 the crafts store Michael's was asking job-seekers whether they strongly agreed with these statements:

- "I am always happy."
- "When I look at the world around me, I have little hope for mankind."
- "Over the course of the day, I can experience many mood changes."
- "When I am in a bad mood, it affects my work."

An anonymous reader quotes an investigative report from The Walrus: Bad hires can be costly for companies, and the tests are now used to screen everyone from minimum-wage employees to consultants and top-level executives. But there is the risk that people saddled with the wrong scores will be screened out en masse without a chance to prove themselves. As part of an attempt to build a perfect capitalist meritocracy, algorithms are effectively monitoring the workforce to decide which traits are deemed desirable -- and who gets left behind...

[S]ome critics say personality tests give companies too much power. Elizabeth D. De Armond, a professor of legal research and writing at Chicago-Kent College of Law, likens personality tests to an "MRI scan of the soul" and suggests banning them, except in cases where a business can convincingly argue that hiring for a certain personality is essential (police officers must be able to handle highly stressful situations, for example). The tests seek "to observe not just what an employee does, but how that employee thinks -- processes that pertain not just to the employee's presence on the job, but the employee's being at all times," De Armond wrote in 2012.

Merve Emre, who recently published a history of the Myers-Briggs Indicator, argues that "All of these tests are registering the interests of power, and capitalist power specifically. Just because that power is being routed through and sanitized by a scientific proof doesn't mean it's not power."

The article also includes comments from an executive at the company that created the personality test for Michael's who argues that the tests eliminate human biases from hiring based solely on an in-person interview.

Their test even check for people who answered too quickly or answered "strongly agree" too often, according to the article -- and if they did, flag their responses with an "authenticity alert."
Bug

New Spectre-like CPU Vulnerability Bypasses Existing Defenses (csoonline.com) 57

itwbennett writes: Researchers from security firm Bitdefender discovered and reported a year ago a new CPU vulnerability that 'abuses a system instruction called SWAPGS and can bypass mitigations put in place for previous speculative execution vulnerabilities like Spectre,' writes Lucian Constantin for CSO.

There are three attack scenarios involving SWAPGS, the most serious of which 'can allow attackers to leak the contents of arbitrary kernel memory addresses. This is similar to the impact of the Spectre vulnerability.' Microsoft released mitigations for the vulnerability in July's Patch Tuesday, although details were withheld until August 6 when Bitdefender released its whitepaper and Microsoft published a security advisory.

Unix

Can Swap Space Solve System Performance Issues? (utoronto.ca) 201

Earlier this week on the Linux kernel mailing list, Artem S. Tashkinov described a low-memory scenario where "the system will stall hard. You will barely be able to move the mouse pointer. Your disk LED will be flashing incessantly..."

"I'm afraid I have bad news for the people snickering at Linux here," wrote Chris Siebenmann, a sys-admin at the University of Toronto's CS lab. "If you're running without swap space, you can probably get any Unix to behave this way under memory pressure..." In the old days, this usually was not very much of an issue because system RAM was generally large compared to the size of programs and thus the amount of file-backed pages that were likely to be in memory. That's no longer the case today; modern large programs such as Firefox and its shared libraries can have significant amounts of file-backed code and data pages (in addition to their often large use of dynamically allocated memory, ie anonymous pages).
A production engineer (now on Facebook's Web Foundation team) wrote about experiencing similar issues years ago when another company had disabled swapping when they replaced or reinstalled machines -- leading to lots of pages from hosts that had to be dealt with. This week they wrote: I stand by my original position: have some swap. Not a lot. Just a little. Linux boxes just plain act weirdly without it. This is not permission to beat your machine silly in terms of memory allocation, either... If you allocate all of the RAM on the machine, you have screwed the kernel out of buffer cache it sorely needs. Back off.

Put another way, disk I/O that isn't brutally slow costs memory. Network I/O costs memory. All kinds of stuff costs memory. It's not JUST the RSS of your process. Other stuff you do needs space to operate. If you try to fill a 2 GB box with 2 GB of data, something's going to have a bad day! You have to leave room for the actual system to run or it's going to grind to a stop.

Government

Lawmakers, Intelligence Officials Welcomed To This Year's Def Con Conference (cnn.com) 31

"Multiple members of congress, dozens of congressional staffers and members of the intelligence community are gathering in Las Vegas this weekend to rub shoulders with hackers at Def Con," reports CNN: Washington's embrace of the hacking community comes amid heightened awareness of the threat of cyber attacks in the wake of the 2016 US presidential election and lawmakers realizing they need to get to grips with technology, Phil Stupak, one of the organizers of Def Con's A.I. Village told CNN Business before the conference began... Hackers here are also demonstrating potential vulnerabilities in voting machines used by Americans. The convention's election village includes a room full of voting equipment where hackers can let loose...

It will likely be the largest presence the government has had since before 2013, when, in the wake of NSA analyst Edward Snowden's leaks, Def Con founder Jeff Moss formally requested "the feds call a 'time-out' and not attend Def Con this year." But that has since smoothed over. "I think the record presence of both representative and administration reflect the reality that technology and security are built into our society," Moss told CNN Business.

"We are trying to break down the barriers between the people in tech who know what they're doing and the people in Congress who know how to take that knowledge to make laws," said Stupak, who is also a fellow at Cyber Policy Initiative at the University of Chicago.

Speaking at Def Con this year was the top cybersecurity official for America's Department of Homeland Security, who stressed the importance of backup paper ballots, as well as "auditability."

Also attending Def Con is Senator Ron Wyden, who emphasized another important election safeguard to CNN: that no voting equipment should be connected to the internet.
Government

Does Tech-Industry Job Growth Actually Lower Wages For Some Workers? (citylab.com) 78

"A new study finds clear evidence that low-skilled workers fail to benefit from high-tech growth and development," writes a senior editor at The Atlantic (and co-founder of CityLab).

The UK-based study was co-authored by two researchers, one from the London School of Economics and the other from the Resolution Foundation in London. CityLab summarizes its results: High-tech growth leads to better jobs and higher wages for more skilled workers. But it leads to lower wages for less-skilled workers. These effects are compounded by housing costs, with less-skilled workers being even worse off when housing costs are taken into account. Indeed, the researchers see "a negative and statistically significant effect from high-tech on wages for workers in the bottom third of educational attainment."

This effect is even larger when local housing costs are included, which stands in sharp contrast to the situation for higher-skill workers: Their effective wages rise when controlling for housing costs. The reason for this unevenness boils down to the fact that high-skilled tech workers are mobile and paid at rates that factor in higher housing costs, whereas less-skilled workers are more or less trapped; people competing for low-wage jobs mostly lack the resources to move to other places.

The article concludes that spurring growth in tech-industry jobs "offers no panacea for low-wage jobs: If anything, it makes a bad and highly unequal situation even worse."
Cloud

Hundreds of Exposed Amazon Cloud Backups Found Leaking Sensitive Data (techcrunch.com) 16

An anonymous reader quotes a report from TechCrunch: New research just presented at the Def Con security conference reveals how companies, startups and governments are inadvertently leaking their own files from the cloud. You may have heard of exposed S3 buckets -- those Amazon-hosted storage servers packed with customer data but often misconfigured and inadvertently set to "public" for anyone to access. But you may not have heard about exposed EBS snapshots, which poses as much, if not a greater, risk. These elastic block storage (EBS) snapshots are the "keys to the kingdom," said Ben Morris, a senior security analyst at cybersecurity firm Bishop Fox, in a call with TechCrunch ahead of his Def Con talk. EBS snapshots store all the data for cloud applications. "They have the secret keys to your applications and they have database access to your customers' information," he said.

Morris built a tool using Amazon's own internal search feature to query and scrape publicly exposed EBS snapshots, then attach it, make a copy and list the contents of the volume on his system. It took him two months to build up a database of exposed data and just a few hundred dollars spent on Amazon cloud resources. Once he validates each snapshot, he deletes the data. Morris found dozens of snapshots exposed publicly in one region alone, he said, including application keys, critical user or administrative credentials, source code and more. He found several major companies, including healthcare providers and tech companies. He also found VPN configurations, which he said could allow him to tunnel into a corporate network. Morris said he did not use any credentials or sensitive data, as it would be unlawful.

Security

NSA's Free Malware Research Tool Gains Traction, 6 Months On (axios.com) 18

In March the National Security Agency released an internal malware research tool for free to the public, a first for the secretive agency. Six months later, by most indications, the release is an even bigger event than the NSA thought. From a report: Some aspects of researching malware have long required expensive software. The release of Ghidra, the NSA tool, has profoundly changed the field, opening it up to students, part-timers and hobbyists who otherwise couldn't afford to participate. It's been a good six months for Ghidra. The software has been downloaded more than 500,000 times from GitHub. "We had a bet on how many downloads it would be," Brian Knighton, senior researcher at the NSA, told Axios. "We were off by quite a factor."

Ghidra also netted the NSA two nominations for "Pwnie" awards at the typically NSA-adverse DEF CON hacker conference this week. The NSA was also pleasantly surprised with the number of outside developers modifying code and creating new features for the now open-source program. The toolkit is popular enough that the NSA now offers touring classes on Ghidra for colleges and universities.

Privacy

Researchers Bypass Apple FaceID Using Biometrics 'Achilles Heel' (threatpost.com) 53

Vulnerabilities have been uncovered in the authentication process of biometrics technology that could allow bad actors to bypass various facial recognition applications -- including Apple's FaceID. But there is a catch. Doing so requires the victim to be out cold. From a report: Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim's FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair glasses and placing them on the victim's face the researchers demonstrated how they could bypass Apple's FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up.

To launch the attack, researchers with Tencent tapped into a feature behind biometrics called "liveness" detection, which is part of the biometric authentication process that sifts through "real" versus "fake" features on people. It works by detecting background noise, response distortion or focus blur. One such biometrics tool that utilizes liveness detection is FaceID, which is designed and utilized by Apple for the iPhone and iPad Pro. "With the leakage of biometric data and the enhancement of AI fraud ability, liveness detection has become the Achilles' heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture," researchers said during the Black Hat USA 2019 session.

Communications

Robocall Blocking Apps Caught Sending Your Private Data Without Permission (techcrunch.com) 37

Robocall-blocking apps promise to rid your life of spoofed and spam phone calls. But are they as trustworthy as they claim to be? From a report: One security researcher said many of these apps can violate your privacy as soon as they are opened. Dan Hastings, a senior security consultant cybersecurity firm NCC Group, analyzed some of the most popular robocall-blocking apps -- including TrapCall, Truecaller, and Hiya -- and found egregious privacy violations. [...] Many of these apps, said Hastings, send user or device data to third-party data analytics companies -- often to monetize your information -- without your explicit consent, instead burying the details in their privacy policies. One app, TrapCall, sent users' phone numbers to a third-party analytics firm, AppsFlyer, without telling users -- either in the app nor in the privacy policy. He also found Truecaller and Hiya uploaded device data -- device type, model and software version, among other things -- before a user could accept their privacy policies.
Iphone

Apple Confirms $1 Million Reward For Anyone Who Can Hack An iPhone (forbes.com) 65

Apple says it will offer up to $1 million for hackers who can find vulnerabilities in iPhones and Macs. "That's up from $200,000, and in the fall the program will be open to all researchers," reports Forbes. "Previously only those on the company's invite-only bug bounty program were eligible to receive rewards." From the report: As Forbes reported on Monday, Apple is also launching a Mac bug bounty, which was confirmed Thursday, but it's also extending it to watchOS and its Apple TV operating system. The announcements came in Las Vegas at the Black Hat conference, where Apple's head of security engineering Ivan Krstic gave a talk on iOS and macOS security. Forbes also revealed on Monday that Apple was to give bug bounty participants "developer devices" -- iPhones that let hackers dive further into iOS. They can, for instance, pause the processor to look at what's happening with data in memory. Krstic confirmed the iOS Security Research Device program would be by application only. It will arrive next year.

The full $1 million will go to researchers who can find a hack of the kernel -- the core of iOS -- with zero clicks required by the iPhone owner. Another $500,000 will be given to those who can find a "network attack requiring no user interaction." There's also a 50% bonus for hackers who can find weaknesses in software before it's released. Apple is increasing those rewards in the face of an increasingly profitable private market where hackers sell the same information to governments for vast sums.

Government

Critical US Election Systems Have Been Left Exposed Online (vice.com) 128

Jason Koebler shares a report from Motherboard: For years, U.S. election officials and voting machine vendors have insisted that critical election systems are never connected to the internet and therefore can't be hacked. But a group of election security experts have found what they believe to be nearly three dozen backend election systems in 10 states connected to the internet over the last year, including some in critical swing states. These include systems in nine Wisconsin counties, in four Michigan counties, and in seven Florida counties -- all states that are perennial battlegrounds in presidential elections. Some of the systems have been online for a year and possibly longer. Some of them disappeared from the internet after the researchers notified an information-sharing group for election officials last year. But at least 19 of the systems, including one in Florida's Miami-Dade County, were still connected to the internet this week, the researchers told Motherboard. "We ... discovered that at least some jurisdictions were not aware that their systems were online," said Kevin Skoglund, an independent security consultant who conducted the research with nine others, all of them long-time security professionals and academics with expertise in election security. "In some cases, [the vendor was] in charge [of installing the systems] and there was no oversight. Election officials were publicly saying that their systems were never connected to the internet because they didn't know differently."
Microsoft

Microsoft Removes Office 2019 From Its Home Use Program Benefits (zdnet.com) 119

Microsoft has quietly made a change to its Home Use Program (HUP) for its Software Assurance business customers. From a report: As some had expected when the company began revamping the HUP benefit earlier this year, Microsoft is dropping the ability to buy the non-subscription version of Office for a steeply discounted price. Microsoft instead is offering HUP customers the ability to buy Office 365 Home or Personal at a discount for home use. In an updated Frequently Asked Questions (FAQ) document about the program, Microsoft now notes: "Microsoft is updating the Home Use Program to offer discounts on the latest and most up to date products such as Office 365, which is always up to date with premium versions of Office apps across all your devices. Office Professional Plus 2019 and Office Home and Business 2019 are no longer available as Home Use Program offers."
The Internet

Kazakhstan Halts Introduction of Internet Surveillance System 36

Kazakhstan has halted the implementation of an internet surveillance system criticized by lawyers as illegal, with the government describing its initial rollout as a test. From a report: Mobile phone operators in the oil-rich Central Asian nation's capital, Nur-Sultan, had asked customers to install an encryption certificate on their devices or risk losing internet access. State security officials said its goal was to protect Kazakh users from "hacker attacks, online fraud and other kinds of cyber threats." The certificate allowed users' traffic to be intercepted by the government, circumventing encryption used by email and messaging applications. Several Kazakh lawyers said this week they had sued the country's three mobile operators, arguing that restricting internet access to those who refused to install the certificate would be illegal. But late on Tuesday, Kazakhstan's State Security Committee said in a statement that the certificate rollout was simply a test which has now been completed. Users can remove the certificate and use internet as usual, it said.
Security

WordPress Team Working on Daring Plan To Forcibly Update Old Websites (zdnet.com) 112

The developers behind the WordPress open-source content management system (CMS) are working on a plan to forcibly auto-update older versions of the CMS to more recent releases. From a report: The goal of this plan is to improve the security of the WordPress ecosystem, and the internet as a whole, since WordPress installations account for more than 34% of all internet websites. Officially supported versions include only the last six WordPress major releases, which currently are all the versions between v4.7 and v5.2. The plan is to slowly auto-update old WordPress sites, starting with v3.7, to the current minimum supported version, which is the v4.7 release.

The WordPress team said it plans to monitor this tiered forced auto-update process for errors and site breakage. If there's something massively wrong, then auto-update can be stopped altogether. If only a few individual sites break, than those site will be rolled back to their previous versions and the owner will be notified via email.

Security

Skype, Slack, Other Electron-Based Apps Can Be Easily Backdoored (arstechnica.com) 82

An anonymous reader quotes a report from Ars Technica: The Electron development platform is a key part of many applications, thanks to its cross-platform capabilities. Based on JavaScript and Node.js, Electron has been used to create client applications for Internet communications tools (including Skype, WhatsApp, and Slack) and even Microsoft's Visual Studio Code development tool. But Electron can also pose a significant security risk because of how easily Electron-based applications can be modified without triggering warnings. At the BSides LV security conference on Tuesday, Pavel Tsakalidis demonstrated a tool he created called BEEMKA, a Python-based tool that allows someone to unpack Electron ASAR archive files and inject new code into Electron's JavaScript libraries and built-in Chrome browser extensions. The vulnerability is not part of the applications themselves but of the underlying Electron framework -- and that vulnerability allows malicious activities to be hidden within processes that appear to be benign. Tsakalidis said that he had contacted Electron about the vulnerability but that he had gotten no response -- and the vulnerability remains.

While making these changes required administrator access on Linux and MacOS, it only requires local access on Windows. Those modifications can create new event-based "features" that can access the file system, activate a Web cam, and exfiltrate information from systems using the functionality of trusted applications -- including user credentials and sensitive data. In his demonstration, Tsakalidis showed a backdoored version of Microsoft Visual Studio Code that sent the contents of every code tab opened to a remote website. The problem lies in the fact that Electron ASAR files themselves are not encrypted or signed, allowing them to be modified without changing the signature of the affected applications. A request from developers to be able to encrypt ASAR files was closed by the Electron team without action.

Advertising

Twitter Fesses Up To More Adtech Leaks (techcrunch.com) 18

Twitter has disclosed more bugs related to how it uses personal data for ad targeting that means it may have shared users data with advertising partners even when a user had expressly told it not to. TechCrunch reports: Back in May the social network disclosed a bug that in certain conditions resulted in an account's location data being shared with a Twitter ad partner, during real-time bidding (RTB) auctions. In a blog post on its Help Center about the latest "issues" Twitter says it "recently" found, it admits to finding two problems with users' ad settings choices that mean they "may not have worked as intended." It claims both problems were fixed on August 5. Though it does not specify when it realized it was processing user data without their consent.

The first bug relates to tracking ad conversions. This meant that if a Twitter user clicked or viewed an ad for a mobile application on the platform and subsequently interacted with the mobile app Twitter says it "may have shared certain data (e.g., country code; if you engaged with the ad and when; information about the ad, etc)" with its ad measurement and advertising partners -- regardless of whether the user had agreed their personal data could be shared in this way. It suggests this leak of data has been happening since May 2018 -- which is also the day when Europe's updated privacy framework, GDPR, came into force. Twitter specifies that it does not share users' names, Twitter handles, email or phone number with ad partners. However it does share a user's mobile device identifier, which GDPR treats as personal data as it acts as a unique identifier. The second issue Twitter discloses in the blog post also relates to tracking users' wider web browsing to serve them targeted ads. Here Twitter admits that, since September 2018, it may have served targeted ads that used inferences made about the user's interests based on tracking their wider use of the Internet -- even when the user had not given permission to be tracked.

Privacy

A Boeing Code Leak Exposes Security Flaws Deep In a 787's Guts (wired.com) 177

An anonymous reader quotes a report from Wired: Late one night last September, security researcher Ruben Santamarta sat in his home office in Madrid and partook in some creative googling, searching for technical documents related to his years-long obsession: the cybersecurity of airplanes. He was surprised to discover a fully unprotected server on Boeing's network, seemingly full of code designed to run on the company's giant 737 and 787 passenger jets, left publicly accessible and open to anyone who found it. So he downloaded everything he could see. Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one of the 787 Dreamliner's components, deep in the plane's multi-tiered network. He suggests that for a hacker, exploiting those bugs could represent one step in a multistage attack that starts in the plane's in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors.

At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System. The CIS/MS is responsible for applications like maintenance systems and the so-called electronic flight bag, a collection of navigation documents and manuals used by pilots. Santamarta says he found a slew of memory corruption vulnerabilities in that CIS/MS, and he claims that a hacker could use those flaws as a foothold inside a restricted part of a plane's network. An attacker could potentially pivot, Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane's safety-critical systems, including its engine, brakes, and sensors. Boeing maintains that other security barriers in the 787's network architecture would make that progression impossible.
Boeing said in a statement that it had investigated IOActive's claims and concluded that they don't represent any real threat of a cyberattack. "IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," the company's statement reads. "IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible presentation."

Boeing says the company put an actual Boeing 787 in "flight mode" to test and try to exploit the vulnerabilities. They found that they couldn't carry out a successful attack.
Security

With Warshipping, Hackers Ship Their Exploits Directly To Their Target's Mail Room (techcrunch.com) 79

Why break into a company's network when you can just walk right in-- literally? From a report: Gone could be the days of having to find a zero-day vulnerability in a target's website, or having to scramble for breached usernames and passwords to break through a company's login pages. And certainly there will be no need to park outside a building and brute-force the Wi-Fi network password. Just drop your exploit in the mail and let your friendly postal worker deliver it to your target's door. This newly named technique -- dubbed "warshipping" -- is not a new concept. Just think of the traditional Trojan horse rolling into the city of Troy, or when hackers drove up to TJX stores and stole customer data by breaking into the store's Wi-Fi network.

But security researchers at IBM's X-Force Red say it's a novel and effective way for an attacker to gain an initial foothold on a target's network. "It uses disposable, low cost and low power computers to remotely perform close-proximity attacks, regardless of the cyber criminal's location," wrote Charles Henderson, who heads up the IBM offensive operations unit.

Security

North Korea Took $2 Billion in Cyberattacks To Fund Weapons Program (reuters.com) 116

An anonymous reader shares a report: North Korea has generated an estimated $2 billion for its weapons of mass destruction programs using "widespread and increasingly sophisticated" cyberattacks to steal from banks and cryptocurrency exchanges, according to a confidential U.N. report seen by Reuters on Monday. Pyongyang also "continued to enhance its nuclear and missile programmes although it did not conduct a nuclear test or ICBM (Intercontinental Ballistic Missile) launch," said the report to the U.N. Security Council North Korea sanctions committee by independent experts monitoring compliance over the past six months.

The experts said North Korea "used cyberspace to launch increasingly sophisticated attacks to steal funds from financial institutions and cryptocurrency exchanges to generate income." They also used cyberspace to launder the stolen money, the report said.

Transportation

British Airways Cancels Over 100 Flights After Computer Systems Fail (cnn.com) 51

British Airways canceled more than 100 flights Wednesday after the airline's computer systems crashed. From a report: The cancellations hit thousands of travelers using London's Heathrow and Gatwick airports. Another 300 flights faced delays of up to an hour, according to the airline's website. British Airways, which is owned by International Airlines Group (ICAGY), said its check-in and flight start systems suffered a partial crash, and that it was using "backup manual systems to keep our flights operating." A spokesperson for the airline said it would allow customers on canceled flights to rebook for between August 8 and August 13. British Airways did not say what caused the computer outage.

Slashdot Top Deals