Transportation

British Airways Cancels Over 100 Flights After Computer Systems Fail (cnn.com) 51

British Airways canceled more than 100 flights Wednesday after the airline's computer systems crashed. From a report: The cancellations hit thousands of travelers using London's Heathrow and Gatwick airports. Another 300 flights faced delays of up to an hour, according to the airline's website. British Airways, which is owned by International Airlines Group (ICAGY), said its check-in and flight start systems suffered a partial crash, and that it was using "backup manual systems to keep our flights operating." A spokesperson for the airline said it would allow customers on canceled flights to rebook for between August 8 and August 13. British Airways did not say what caused the computer outage.
Microsoft

Microsoft's MSDN Magazine is Ending Its Run After More Than Three Decades (onmsft.com) 70

After more than three decades of publishing editorial content and providing technical guidance to the Microsoft developer community, MSDN Magazine will publish its last issue in November. From a report: Microsoft Developer Network (MSDN) was launched in 1992 to manage the relationship of the company with the developer ecosystem. MSDN Magazine originally started as two separate magazines -- Microsoft Systems Journal (MSJ) and Microsoft Internet Developer (MIND) -- which consolidated into MSDN Magazine in March 2000. The monthly magazine is available as a print magazine in the United States and online in several languages. While the March 2000 issue was entirely devoted to Windows, the MSDN Magazine has gone through its evolution over the years as Microsoft products and services expanded exponentially.
Privacy

High-Security Locks For Government and Banks Hacked By Researcher (reuters.com) 46

pgmrdlm shares a report from Reuters: Hackers could crack open high-security electronic locks by monitoring their power, allowing thieves to steal cash in automated teller machines, narcotics in pharmacies and government secrets, according to research to be presented Friday at the annual Def Con hacking conference in Las Vegas. Mike Davis, a researcher with security firm IOActive, discovered the vulnerability last year and alerted government officials and Swiss company DormaKaba Holding, the distributor of multiple brands of locks at issue. In an interview with Reuters, Davis said he used an oscilloscope worth about $5,000 to detect small changes in the power consumption, through what is known as a side-channel attack. The method worked best in older models.

The locks include their own power supply so they function even when an external source of electricity is cut off. Most versions do not consume extra or randomized power to hide what they are doing. That leaves them open to attack if a thief can get physically close enough and has the right tools, Davis said. "I can download that analog signal and parse through the power trace to get ones and zeroes," Davis said. "I know what the lock is doing internally." Inside ATMs, the company's locks typically protect the cash in the more secure, lower compartment. An upper compartment includes the interface with customers and directs the lower compartment to send up money. The upper compartment often has less physical security, and breaking into it might provide access to the lower vault's vulnerable lock. A bigger concern is that another series of DormaKaba locks are used on military bases, U.S. presidential jet Air Force One and elsewhere in the government.

Microsoft

Windows Defender Achieves 'Best Antivirus' Status (pcmag.com) 101

An anonymous reader quotes a report from PC Magazine: As Softpedia reports, the independent IT security institute AV-TEST spent May and June continuously evaluating 20 home user security products using their default settings to see which offered the best protection. Only four of those products achieved a top score, and one of them was Windows Defender. The other three are F-Secure SAFE 17, Kaspersky Internet Security 19.0, and Norton Security 22.17. The big difference between these and Windows Defender is the fact Microsoft includes Windows Defender for free with Windows 10, where as the others require a paid subscription to continue being fully-functional. "Of the other products evaluated, Webroot SecureAnywhere 9.0 came last," adds PC Magazine. "Those just missing out on the top score while still earning an AV-TEST 'Top Product' award include Avast Free AntiVirus 19.5, AVG Internet Security 19.5, Bitdefender Internet Security 23.0, Trend Micro Internet Security 15.0, and VIPRE AdvancedSecurity 11.0."
Chrome

Google Expands its Advanced Protection Program To Chrome (venturebeat.com) 30

Google is expanding its Advanced Protection Program to its Chrome browser. From a report: If you're an Advanced Protection Program user and you have sync turned on in Chrome, you will now automatically receive stronger protections against risky downloads. Google didn't go into much detail regarding the protections, likely not to publicly give away how they work. But the company did say that when users attempt to download "certain risky files," Chrome will now show additional warnings, or in some cases even block the downloads outright. The warnings are, however, only available in Chrome for Windows, Mac, and Linux. Google is not rolling out the Advanced Protection Program to Chrome for Android and iOS.
Operating Systems

Linux Performs Poorly In Low RAM / Memory Pressure Situations On The Desktop (phoronix.com) 569

It's been a gripe for many running Linux on low RAM systems especially is that when the Linux desktop is under memory pressure the performance can be quite brutal with the system barely being responsive. The discussion over that behavior has been reignited this week. From a report: Developer Artem S Tashkinov took to the kernel mailing list over the weekend to express his frustration with the kernel's inability to handle low memory pressure in a graceful manner. If booting a system with just 4GB of RAM available, disabling SWAP to accelerate the impact/behavior, and launching a web browser and opening new web pages / tabs can in a matter of minutes bring the system down to its knees.

Artem elaborated on the kernel mailing list, "Once you hit a situation when opening a new tab requires more RAM than is currently available, the system will stall hard. You will barely be able to move the mouse pointer. Your disk LED will be flashing incessantly (I'm not entirely sure why). You will not be able to run new applications or close currently running ones. This little crisis may continue for minutes or even longer. I think that's not how the system should behave in this situation. I believe something must be done about that to avoid this stall."

AT&T

AT&T Employees Took Bribes To Plant Malware on the Company's Network (zdnet.com) 74

AT&T employees took bribes to unlock millions of smartphones, and to install malware and unauthorized hardware on the company's network, the Department of Justice said yesterday. From a report: These details come from a DOJ case opened against Muhammad Fahd, a 34-year-old man from Pakistan, and his co-conspirator, Ghulam Jiwani, believed to be deceased. The DOJ charged the two with paying more than $1 million in bribes to several AT&T employees at the company's Mobility Customer Care call center in Bothell, Washington. The bribery scheme lasted from at least April 2012 until September 2017. Initially, the two Pakistani men bribed AT&T employees to unlock expensive iPhones so they could be used outside AT&T's network. The two recruited AT&T employees by approaching them in private via telephone or Facebook messages. Employees who agreed, received lists of IMEI phone codes which they had to unlock for sums of money. Employees would then receive bribes in their bank accounts, in shell companies they created, or as cash, from the two Pakistani men.
Privacy

Democratic Senate Campaign Group Exposed 6.2 Million Americans' Emails (techcrunch.com) 105

A political campaign group working to elect Democratic senators left a spreadsheet containing the email addresses of 6.2 million Americans' on an exposed server. From a report: Data breach researchers at security firm UpGuard found the data in late July, and traced the storage bucket back to a former staffer at the Democratic Senatorial Campaign Committee, an organization that seeks grassroots donations and contributions to help elect Democratic candidates to the U.S. Senate. Following the discovery, UpGuard researchers reached out to the DSCC and the storage bucket was secured within a few hours. The researchers published shared their findings exclusively with TechCrunch and published their findings. The spreadsheet was titled "EmailExcludeClinton.csv" and was found in a similarly named unprotected Amazon S3 bucket without a password. The file was uploaded in 2010 -- a year after former Democratic senator and presidential candidate Hillary Clinton, whom the data is believed to be named after, became secretary of state. UpGuard said the data may be of people "who had opted out or should otherwise be excludedâ from the committee's marketing.
Security

Microsoft Catches Russian State Hackers Using IoT Devices To Breach Networks (arstechnica.com) 99

An anonymous reader quotes a report from Ars Technica: Hackers working for the Russian government have been using printers, video decoders, and other so-called Internet-of-things devices as a beachhead to penetrate targeted computer networks, Microsoft officials warned on Monday. "These devices became points of ingress from which the actor established a presence on the network and continued looking for further access," officials with the Microsoft Threat Intelligence Center wrote in a post. "Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data."

Microsoft researchers discovered the attacks in April, when a voice-over-IP phone, an office printer, and a video decoder in multiple customer locations were communicating with servers belonging to "Strontium," a Russian government hacking group better known as Fancy Bear or APT28. In two cases, the passwords for the devices were the easily guessable default ones they shipped with. In the third instance, the device was running an old firmware version with a known vulnerability. While Microsoft officials concluded that Strontium was behind the attacks, they said they weren't able to determine what the group's ultimate objectives were.
Microsoft says they have notified the makers of the targeted IoT devices so they can add new protections. "Monday's report also provided IP addresses and scripts organizations can use to detect if they have also been targeted or infected," adds Ars Technica. "Beyond that, Monday's report reminded people that, despite Strontium's above-average hacking abilities, an IoT device is often all it needs to gain access to a targeted network."
E3

E3 Accidentally Doxxed Over 2,000 Journalists, YouTubers, and Streamers (buzzfeednews.com) 45

The Entertainment Software Association, which runs the E3 video game expo, accidentally made phone numbers, emails, names, and addresses of over 2,000 attendees public on their website. "A copy of the list was archived on several popular message boards for trolls, and includes the home addresses of many reporters," reports BuzzFeed News. From the report: The leaked list was discovered by journalist and YouTube creator Sophia Narwitz. Narwitz made a video about the database, titled "The Entertainment Software Association just doxxed over 2000 journalists and content creators," last week. Narwitz told BuzzFeed News that some members of the media criticized her following her video, accusing her of drawing attention to the list. Making Narwitz's role in this more complicated is her history with the pro-GamerGate subreddit, r/KotakuInAction. She's currently arguing publicly with members of the gaming site Kotaku. Based on screenshots Narwitz tweeted, however, she did attempt to notify ESA about the leak before making her video about it. "I think this whole event shows a stunning level of incompetence on the ESA's part. The file wasn't password protected, it was just in the open for anyone to download with a single click," she said. Harassment against those included on the list appears to have already begun. "ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public," the ESA wrote in a statement provided to Kotaku. "Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again."
Google

'There is No Evil Like reCAPTCHA (v3)' (thestoic.me) 259

An anonymous reader shares a post: Like many things that starts out as a mere annoyance, though eventually growing into somewhat of an affliction. One particularly dark and insidious thing has more than reared its ugly head in recent years, and now far more accurately described as an epidemic disease. I'm talking about the filth that is reCAPTCHA. Yes that seemingly harmless question of "Are you a human?" Truly I wish all this called for were sarcastic puns of 'The Matrix' variety but the matter is far more serious. Google describes reCAPTCHA as: "[reCAPTCHA] is a free security service that protects your websites from spam and abuse." However, this couldn't be further from the truth, as reCAPTCHA is actually something that causes abuse. In fact, I would go so far as to say that being subjected to constant reCAPTCHAs is actually an act of human torture and disregard for a person's human right of mental comfort. The author goes on to make several points.
Microsoft

Microsoft Launches Azure Security Lab, Doubles Top Bug Bounty To $40,000 (venturebeat.com) 7

At Black Hat 2019 today, Microsoft announced the Azure Security Lab, a sandbox-like environment for security researchers to test its cloud security. The company also doubled the top Azure bug bounty to $40,000. From a report: Bug bounty programs are a great complement to existing internal security programs. They help motivate individuals and groups of hackers to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Microsoft shared today that it has issued $4.4 million in bounty rewards over the past 12 months. The Azure Security Lab takes the idea to the next level. It's essentially a set of dedicated cloud hosts isolated from Azure customers so security researchers can test attacks against cloud scenarios. The isolation means researchers can not only research vulnerabilities in Azure, they can attempt to exploit them.
Security

UK-based Mobile-Only Bank Monzo Admits To Storing Payment Card PINs in Internal Logs (zdnet.com) 33

Monzo, a mobile-only bank operating in the UK, admitted today to storing payment card PINs inside internal logs. From a report: The company is now notifying all impacted customers and urging users to change card PINs the next time they use a cash machine. Monzo described the issue as a "bug" that occurred when Monzo customers used two specific features of their Monzo mobile apps -- namely the feature that reminds users of their card number and the feature for canceling standing orders. When Monzo customers used one of these two features, they'd be asked to enter their account PIN, for authorization purposes, but unbeknowst to them, the PIN would also be logged inside Monzo's internal logs. Monzo said these logs were encrypted and that only a few employees had access to the data stored inside. The company said it discovered the bug on Friday, August 2, and spent all weekend removing PIN numbers from its internal logs.
Wireless Networking

New Vulnerabilities Found In WPA3 WiFi Standard (zdnet.com) 58

Slashdot reader Artem S. Tashkinov writes: Mathy Vanhoef and Eyal Ronen have recently disclosed two new additional bugs impacting WPA3. The security researched duo found the new bugs in the security recommendations the WiFi Alliance created for equipment vendors in order to mitigate the initial Dragonblood attacks [found by the same two security researchers]. "Just like the original Dragonblood vulnerabilities from April, these two new ones allow attackers to leak information from WPA3 cryptographic operations and brute-force a WiFi network's password," reports ZDNet.
More from ZDNet: "[The] Wi-Fi standard is now being updated with proper defenses, which might lead to WPA3.1," Vanhoef said. "Although this update is not backwards-compatible with current deployments of WPA3, it does prevent most of our attacks," the researchers said.

But besides just disclosing the two new Dragonblood vulnerabilities, the two researchers also took the chance to criticize the WiFi Alliance again for its closed standards development process that doesn't allow for the open-source community to contribute and prevent big vulnerabilities from making it into the standard in the first place.

"This demonstrates that implementing Dragonfly and WPA3 without side-channel leaks is surprisingly hard," the researchers said. "It also, once again, shows that privately creating security recommendations and standards is at best irresponsible and at worst inept."

While these type of feedback might be ignored when coming from other researchers, it means more when it comes from Vanhoef. The Belgian researchers is the one who discovered the KRACK attack that broke the WPA2 WiFi authentication standard and forced the WiFi Alliance to develop the WPA3 standard, which it launched in June 2018.
Security

Voter Records For 80% of Chile's Population Left Exposed Online (zdnet.com) 44

An anonymous reader writes: "The voter information of more than 14.3 million Chileans, which accounts to nearly 80% of the country's entire population, was left exposed and leaking on the internet inside an Elasticsearch database," reports ZDNet. "The database contained names, home addresses, gender, age, and tax ID numbers (RUT, or Rol Único Tributario) for 14,308,151 individuals...including many high-profile Chilean officials."

A spokesperson for the Chile Electoral Service said the data appears to have been scraped without authorization from its website, from a section that allows users to update their voting data. Chile now joins countries as the US, Mexico, Turkey, and the Philippines, whose voter information was gathered in bulk and then published online in one big pile, easy to access for any crooks.

Facebook

Did WhatsApp Backdoor Rumor Come From 'Unanswered Questions ' and 'Leap of Faith' For Closed-Source Encryption Products? (forbes.com) 105

On Friday technologist Bruce Schneier wrote that after reviewing responses from WhatsApp, he's concluded that reports of a pre-encryption backdoor are a false alarm. He also says he got an equally strong confirmation from WhatsApp's Privacy Policy Manager Nate Cardozo, who Facebook hired last December from the EFF. "He basically leveraged his historical reputation to assure me that WhatsApp, and Facebook in general, would never do something like this."

Schneier has also added the words "This story is wrong" to his original blog post. "The only source for that post was a Forbes essay by Kalev Leetaru, which links to a previous Forbes essay by him, which links to a video presentation from a Facebook developers conference." But that Forbes contributor has also responded, saying that he'd first asked Facebook three times about when they'd deploy the backdoor in WhatsApp -- and never received a response.

Asked again on July 25th the company's plans for "moderating end to end encrypted conversations such as WhatsApp by using on device algorithms," a company spokesperson did not dispute the statement, instead pointing to Zuckerberg's blog post calling for precisely such filtering in its end-to-end encrypted products including WhatsApp [apparently this blog post], but declined to comment when asked for more detail about precisely when such an integration might happen... [T]here are myriad unanswered questions, with the company declining to answer any of the questions posed to it regarding why it is investing in building a technology that appears to serve little purpose outside filtering end-to-end encrypted communications and which so precisely matches Zuckerberg's call. Moreover, beyond its F8 presentation, given Zuckerberg's call for filtering of its end-to-end encrypted products, how does the company plan on accomplishing this apparent contradiction with the very meaning of end-to-end encryption?

The company's lack of transparency and unwillingness to answer even the most basic questions about how it plans to balance the protections of end-to-end encryption in its products including WhatsApp with the need to eliminate illegal content reminds us the giant leap of faith we take when we use closed encryption products whose source we cannot review... Governments are increasingly demanding some kind of compromise regarding end-to-end encryption that would permit them to prevent such tools from being used to conduct illegal activity. What would happen if WhatsApp were to receive a lawful court order from a government instructing it to insert such content moderation within the WhatsApp client and provide real-time notification to the government of posts that match the filter, along with a copy of the offending content?

Asked about this scenario, Carl Woog, Director of Communications for WhatsApp, stated that he was not aware of any such cases to date and noted that "we've repeatedly defended end-to-end encryption before the courts, most notably in Brazil." When it was noted that the Brazilian case involved the encryption itself, rather than a court order to install a real-time filter and bypass directly within the client before and after the encryption process at national scale, which would preserve the encryption, Woog initially said he would look into providing a response, but ultimately did not respond.

Given Zuckerberg's call for moderation of the company's end-to-end encryption products and given that Facebook's on-device content moderation appears to answer directly to this call, Woog was asked whether its on-device moderation might be applied in future to its other end-to-end encrypted products rather than WhatsApp. After initially saying he would look into providing a response, Woog ultimately did not respond.

Here's the exact words from Zuckerberg's March blog post. It said Facebook is "working to improve our ability to identify and stop bad actors across our apps by detecting patterns of activity or through other means, even when we can't see the content of the messages, and we will continue to invest in this work. "
Security

Another Breach: What Capital One Could Have Learned From Google's 'BeyondCorp' (vortex.com) 119

"Firewalls can be notoriously and fiendishly difficult to configure correctly, and often present a target-rich environment for successful attacks," writes long-time Slashdot reader Lauren Weinstein.

"The thing is, firewall vulnerabilities are not headline news -- they're an old story, and better solutions to providing network security already exist." In particular, Google's "BeyondCorp" approach is something that every enterprise involved in computing should make itself familiar with. Right now! BeyondCorp techniques are how Google protects its own internal networks and systems from attack, with enormous success.

In a nutshell, BeyondCorp is a set of practices that effectively puts "zero trust" in the networks themselves, moving access control and other authentication elements to individual devices and users. This eliminates traditional firewalls (and in nearly all instances, VPNs) because there is no longer any need for such devices or systems that, once breached, give an attacker access to internal goodies.

If Capital One had been following BeyondCorp principles, there'd likely be 100+ million fewer potentially panicky people today.

The Courts

Lawsuit Filed Against GitHub In Wake of Capital One Data Breach (thehill.com) 92

An anonymous reader quotes a report from The Hill: Capital One and GitHub have been hit with a class-action lawsuit over the recent data breach that resulted in the data of over 100 million Capital One customers being exposed. The law firm Tycko & Zavareei LLP filed the lawsuit on Thursday, arguing that GitHub and Capital One demonstrated negligence in their response to the breach. The firm filed the class-action complaint on behalf of those impacted by the breach, alleging that both companies failed to protect customer data.

Personal information for tens of millions of customers was exposed after a firewall misconfiguration in an Amazon cloud storage service used by Capital One was exploited. The breach exposed around 140,000 Social Security numbers and 80,000 bank account numbers, along with the credit card applications of millions in both the U.S. and Canada. The individual who allegedly perpetrated the data breach, Seattle-based software engineer Paige Thompson, was arrested earlier this week. Thompson, a former Amazon employee, allegedly accessed the data in March and posted about her theft of the information on GitHub in April, according to the complaint. Another GitHub user notified Capital One, which subsequently notified the FBI.
The law firm also alleged that computer logs "demonstrate that Capital One knew or should have known" about the data breach when it occurred in March, and criticized Capital One for not taking action to respond to the breach until last month.
Security

GermanWiper Ransomware Hits Germany Hard, Destroys Files, Asks For Ransom (zdnet.com) 89

An anonymous reader quotes a report from ZDNet: For the past week, a new ransomware strain has been wreaking havoc across Germany. Named GermanWiper, this ransomware doesn't encrypt files but instead it rewrites their content with zeroes, permanently destroying users' data. As a result, any users who get infected by this ransomware should be aware that paying the ransom demand will not help them recover their files. Unless users had created offline backups of their data, their files are most likely gone for good. For now, the only good news is that this ransomware appears to be limited to spreading in German-speaking countries only, and with a focus on Germany primarily.

According to German security researcher Marius Genheimer and CERT-Bund, Germany's Computer Emergency Response Team, the GermanWiper ransomware is currently being distributed via malicious email spam (malspam) campaigns. These emails claim to be job applications from a person named "Lena Kretschmer." A CV is attached as a ZIP file to these emails, and contains a LNK shortcut file. The LNK file is boobytrapped and will install the GermanWiper ransomware. When users run this file, the ransomware will rewrite the content of various local files with the 0x00 (zero character), and append a new extension to all files. This extension has a format of five random alpha-numerical characters, such as .08kJA, .AVco3, .OQn1B, .rjzR8, etc.. After it "encrypts" all targeted files, GermanWiper will open the ransom note (an HTML file) inside the user's default browser. The ransom note looks like the one below. A video of the infection process is also available here. Victims are given seven days to pay the ransom demand. It is important to remember that paying the ransom note won't help users recover their files.

Facebook

Facebook Insists No Security 'Backdoor' Is Planned for WhatsApp (medium.com) 56

An anonymous reader shares a report: Billions of people use the messaging tool WhatsApp, which added end-to-end encryption for every form of communication available on its platform back in 2016. This ensures that conversations between users and their contacts -- whether they occur via text or voice calls -- are private, inaccessible even to the company itself. But several recent posts published to Forbes' blogging platform call WhatsApp's future security into question. The posts, which were written by contributor Kalev Leetaru, allege that Facebook, WhatsApp's parent company, plans to detect abuse by implementing a feature to scan messages directly on people's phones before they are encrypted. The posts gained significant attention: A blog post by technologist Bruce Schneier rehashing one of the Forbes posts has the headline "Facebook Plans on Backdooring WhatsApp." It is a claim Facebook unequivocally denies.

"We haven't added a backdoor to WhatsApp," Will Cathcart, WhatsApp's vice president of product management, wrote in a statement. "To be crystal clear, we have not done this, have zero plans to do so, and if we ever did, it would be quite obvious and detectable that we had done it. We understand the serious concerns this type of approach would raise, which is why we are opposed to it."

UPDATE: Later Friday technologist Bruce Schneier wrote that after reviewing responses from WhatsApp, he's concluded that reports of a pre-encryption backdoor are a false alarm. He also says he got an equally strong confirmation from WhatsApp's Privacy Policy Manager Nate Cardozo, who Facebook hired last December from EFF. "He basically leveraged his historical reputation to assure me that WhatsApp, and Facebook in general, would never do something like this."

Slashdot Top Deals