United States

US Agency Revokes All State Discounts For Kaspersky Products (thebaltimorepost.com) 2

The U.S. General Services Administration has removed Kapersky Lab from its list of approved vendors for federal systems, which also eliminates the discounts it previously offered to state governments. Long-time Slashdot reader Rick Zeman writes: "The agency's statement suggested a vulnerability exists in Kaspersky that could give the Russian government backdoor access to the systems it protects, though they offered no explanation or evidence of it," reports the Washington Post. Kaspersky, of course, denies this, offering their source code up for U.S. Government review... "Three current and former defense contractors told The Post that they knew of no specific warnings circulated about Kaspersky in recent years, but it has become an unwritten rule at the Pentagon not to include Kaspersky as a potential vendor on new projects."
"The lack of information from the GSA underscores a disconnect between local officials and the federal government about cybersecurity," the Post reports, adding that "the GSA's move on July 11 has left state and local governments to speculate about the risks of sticking with the company or abandoning taxpayer-funded contracts, sometimes at great cost."

The Post also quotes a cybersecurity expert at a prominent think tank -- the Center for Strategic and International Studies -- who believes that "it's difficult, if not impossible" for a company like Kaspersky to be headquartered in Moscow "if you don't cooperate with the government and the intelligence services."
EU

Company Gets 45,000 Bad Facebook Reviews After Teenaged Hacker's Unjust Arrest (bleepingcomputer.com) 122

An anonymous reader quotes BleepingComputer: Over 45,000 users have left one-star reviews on a company's Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug. The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ, Budapest's public transportation authority. The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price. Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

The teenager -- who didn't want his name revealed -- reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems... BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure." Since then, other security flaws in BKK's system have surfaced on Twitter. As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner.

Debian

Debian 'Stretch' Updated With 9.1 Release (debian.org) 26

An anonymous reader quotes Debian.org: The Debian project is pleased to announce the first update of its stable distribution Debian 9 (codename "stretch"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems... Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old "stretch" media... Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
United Kingdom

UK To Require Drone Registration And Safety Exams (bloomberg.com) 65

An anonymous reader quotes Bloomberg: Drones will have to be registered and their users required to pass safety tests under new rules to be announced by the U.K.'s Department for Transport... Registration will be mandated for owners of drones 250 grams (8.8 ounces) or larger after research found that drones as small as 400 grams (14 ounces) could damage the windscreens of helicopters. Other security measures like "geo-fencing" -- GPS-based technology programmed into drones to prevent them from flying into sensitive areas such as prisons and airports -- are also under consideration, according to a statement from the department.
The BBC points out that "There is no time frame or firm plans as to how the new rules will be enforced and the Department of Transport admitted that 'the nuts and bolts still have to be ironed out.'"

"The UK government says 22 incidents involving commercial airliners and drones were investigated between January and April of this year," adds TechRadar, "with police unable to trace the owners of the drones -- one of the reasons for the new legislation."
Microsoft

Microsoft Launches A Counterattack Against Russia's 'Fancy Bear' Hackers (thedailybeast.com) 78

Kevin Poulsen writes on the Daily Beast: It turns out Microsoft has something even more formidable than Moscow's malware: Lawyers. Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft's trademarks... Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear... Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like "livemicrosoft[.]net" or "rsshotmail[.]com" that Fancy Bear registers under aliases for about $10 each. Once under Microsoft's control, the domains get redirected from Russia's servers to the company's, cutting off the hackers from their victims, and giving Microsoft a omniscient view of that servers' network of automated spies. "In other words," Microsoft outside counsel Sten Jenson explained in a court filing last year, "any time an infected computer attempts to contact a command-and-control server through one of the domains, it will instead be connected to a Microsoft-controlled, secure server."
Bug

Debian, Gnome Patched 'Bad Taste' VBScript-Injection Vulnerabilities (neowin.net) 71

Slashdot reader KiloByte warned us about new exploit for .MSI files named "bad taste". Neowin reports: A now-patched vulnerability in the "GNOME Files" file manager was recently discovered which allowed hackers to create dodgy MSI files which would run malicious VBScript code on Linux... Once Nils Dagsson Moskopp discovered the bug, he reported it to the Debian Project which fixed it very rapidly. The GNOME Project also patched the gnome-exe-thumbnailer file which is responsible for parsing MSI and EXE files inside the GNOME Files app... If you run a Linux distribution with the GNOME desktop it's advisable to run the update manager and check for updates as soon as possible before you become affected by this critical vulnerability.
Encryption

Let's Encrypt Criticized Over Speedy HTTPS Certifications (threatpost.com) 178

100 million HTTPS certificates were issued in the last year by Let's Encrypt -- a free certificate authority founded by Mozilla, Cisco and the Electronic Frontier Foundation -- and they're now issuing more than 100,000 HTTPS certificates every day. Should they be performing more vetting? msm1267 shared this article from Kaspersky Lab's ThreatPost blog: [S]ome critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place. The primary concern has been that while the growth of SSL/TLS encryption is a positive trend, it also offers criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to sneak malware through company firewalls... Critics do not contend Let's Encrypt is responsible for these types of abuses. Rather, because it is the 800-pound gorilla when it comes to issuing basic domain validation certificates, critics believe Let's Encrypt could do a better job vetting applicants to weed out bad actors... "I think there should be some type of vetting process. That would make it more difficult for malicious actors to get them," said Justin Jett, director of audit and compliance at Plixer, a network traffic analytics firm...

Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt, points out that its role is not to police the internet, rather its mission is to make communications secure. He added that, unlike commercial certificate authorities, it keeps a searchable public database of every single domain it issues. "When people get surprised at the number of PayPal phishing sites and get worked up about it, the reason they know about it is because we allow anyone to search our records," he said. Many other certificate authorities keep their databases of issued certificates private, citing competitive reasons and that customers don't want to broadcast the names of their servers... The reason people treat us like a punching bag is that we are big and we are transparent. "

The criticism intensified after Let's Encrypt announced they'd soon offer wildcard certificates for subdomains. But the article also cites security researcher Scott Helme, who "argued if encryption is to be available to all then that includes the small percent of bad actors. 'I don't think it's for Signal, or Let's Encrypt, to decide who should have access to encryption."
The Almighty Buck

Norway, the Country Where No Salaries Are Secret (bbc.com) 200

In Norway, there are no such secrets. Anyone can find out how much anyone else is paid -- and it rarely causes problems. From a report: In the past, your salary was published in a book. A list of everyone's income, assets and the tax they had paid, could be found on a shelf in the public library. These days, the information is online, just a few keystrokes away. The change happened in 2001, and it had an instant impact. "It became pure entertainment for many," says Tom Staavi, a former economics editor at the national daily, VG. "At one stage you would automatically be told what your Facebook friends had earned, simply by logging on to Facebook. It was getting ridiculous." Transparency is important, Staavi says, partly because Norwegians pay high levels of income tax -- an average of 40.2 percent compared to 33.3 percent in the UK, according to Eurostat, while the EU average is just 30.1 percent. "When you pay that much you have to know that everyone else is doing it, and you have to know that the money goes to something reasonable," he says. "We [need to] have trust and confidence in both the tax system and in the social security system."
Piracy

Kodi Magazine 'Directs Readers To Pirate Content' (bbc.com) 47

An anonymous reader writes: A British magazine is directing readers to copyright-infringing software, the Federation Against Copyright Theft (Fact) has said. Kodi is a free, legal media player for computers -- but software add-ons can make it possible to download pirated content. The Complete Guide to Kodi magazine instructs readers on how to download such add-ons. Dennis Publishing has not yet responded to a BBC request for comment. The magazine is available at a number of retailers including WH Smith, Waterstones and Amazon. It was spotted on sale by cyber-security researcher Kevin Beaumont. It repeatedly warns readers of the dangers of accessing pirated content online, but one article lists a series of software packages alongside screenshots promoting "free TV", "popular albums" and "world sport". "Check before you stream and use them at your own risk," the guide says, before adding that readers should stay "on the right side of the law."
PlayStation (Games)

Sony Using Copyright Requests To Remove Leaked PS4 SDK From the Web (arstechnica.com) 146

An anonymous reader quotes a report from Ars Technica: Sony appears to be using copyright law in an attempt to remove all traces of a leaked PlayStation 4 Software Development Kit (PS4 SDK) from the Web. That effort also seems to have extended in recent days to the forced removal of the mere discussion of the leak and the posting of a separate open source, homebrew SDK designed to be used on jailbroken systems. The story began a few weeks ago, when word first hit that version 4.5 of the PS4 SDK had been leaked online by a hacker going by the handle Kromemods. These SDKs are usually provided only to authorized PS4 developers inside development kits. The SDKs contain significant documentation that, once made public, can aid hackers in figuring out how to jailbreak consoles, create and install homebrew software, and enable other activities usually prohibited by the hardware maker (as we've seen in the wake of previous leaks of PlayStation 3 SDKs). While you can still find reference to the version 4.5 SDK leak on places like Reddit and MaxConsole, threads discussing and linking to those leaked files on sites like GBATemp and PSXhax, for example, appear to have been removed after the fact. Cached versions of those pages show links (now defunct) to download those leaked files, along with a message from KromeMods to "Please spread this as much as possible since links will be taken down... We will get nowhere if everything keeps private; money isn't everything." KromeMods notes on Twitter that his original tweet posting a link to the leaked files was also hit with a copyright notice from Sony.
Ubuntu

Ubuntu 16.10 Reaches End of Life (softpedia.com) 160

prisoninmate shares a report from Softpedia: Today, July 20, 2017, is the last day when the Ubuntu 16.10 (Yakkety Yak) was supported by Canonical as the operating system now reached end of life, and it will no longer receive security and software updates. Dubbed by Canonical and Ubuntu founder Mark Shuttleworth as the Yakkety Yak, Ubuntu 16.10 was launched on October 13, 2016, and it was a short-lived release that only received nine (9) months of support through kernel updates, bug fixes, and security patches for various components. Starting today, you should no longer use Ubuntu 16.10 (Yakkety Yak) on your personal computer, even if it's up-to-date. Why? Because, in time, it will become vulnerable to all sort of attacks as Canonical won't provide security and kernel updates for this release. Therefore, all users are urged to upgrade to Ubuntu 17.04 (Zesty Zapus) immediately using the instructions here.
Encryption

Apple Flies Top Privacy Executives Into Australia To Lobby Against Proposed Encryption Laws (patentlyapple.com) 64

An anonymous reader quotes a report from Patently Apple: Last week Patently Apple posted a report titled "Australia proposed new Laws Compelling Companies like Facebook & Apple to Provide Access to Encrypted Messages." Days later, Australia's Prime Minister spoke about the encryption problem with the Australian press as noted in the video in our report. Now we're learning that Apple has flown in top executives to lobby Turnbull government on encryption laws. It sounds like a showdown is on the horizon. This is the second time this month that Apple has flown executives into Australia to lobby the government according to a Sydney publication. Apple executives met with Attorney-General George Brandis and senior staff in Prime Minister Malcolm Turnbull's office on Tuesday to discuss the company's concerns about the legal changes, which could see tech companies compelled to provide access to locked phones and third party messaging applications. Apple has argued in the meetings that as a starting point it does not want the updated laws to block tech companies from using encryption on their devices, nor for companies to have to provide decryption keys to allow access to secure communications. The company has argued that if it is compelled to provide a software "back door" into its phones to help law enforcement agencies catch criminals and terrorists, this would reduce the security for all users. It also says it has provided significant assistance to police agencies engaged in investigations, when asked. UPDATE 07/20/17: Headline has been updated to clarify that Apple is lobbying against the proposed encryption laws in Australia.
Privacy

Alleged Dark Web Kingpin Doxed Himself With His Personal Hotmail Address (vice.com) 62

Joseph Cox, reporting for Motherboard: On Thursday, US authorities announced the seizure of the largest dark web marketplace AlphaBay. Europol and Dutch police also claimed seizure of Hansa, another popular market. In their dark web investigations, law enforcement have increasingly turned to hacking tools, including the deployment of browser exploits on a mass scale. But tracking down the alleged AlphaBay administrator was much more mundane, officials said. Alexandre Cazes, who US authorities say used the handle alpha02 as administrator of the site, allegedly left his personal email in a welcome message to new AlphaBay members, according to the forfeiture complaint published on Thursday. The news echoes the arrest of Ross Ulbricht, the convicted creator of the original Silk Road, who made a similar security mistake. "In December 2016, law enforcement learned that CAZES' personal email was included in the header of AlphaBay's 'welcome email' to new users in December 2014," the complaint reads. Users received this message once they signed up to AlphaBay's forum and entered an email address. Cazes' email address -- Pimp_Alex_91@hotmail.com -- was also included in the header of the AlphaBay forum password recovery process, the complaint adds. From there, investigators found the address was linked to an Alexandre Cazes, and discovered his alleged front company, EBX Technologies.
Crime

Authorities Take Down Hansa Dark Web Market, Confirm AlphaBay Takedown (bleepingcomputer.com) 40

An anonymous reader writes via Bleeping Computer: Today, in coordinated press releases, the U.S. Department of Justice (DOJ) and Europol announced the takedown of two Dark Web marketplaces -- AlphaBay and Hansa Market. First to fall was the Hansa Market after Dutch officers seized control over their servers located inside one of the country's hosting providers. Dutch Police seized Hansa servers on June 20, but the site was allowed to operate for one more month as officers gathered more evidence about its clientele. The Hansa honeypot received an influx of new users as the FBI shut down AlphaBay on July 5, a day after it took control over servers on July 4. Europol and the FBI say they collected mountains of evidence such as "usernames and passwords of thousands of buyers and sellers of illicit commodities" and "delivery addresses for a large number of orders." FBI Active Director McCabe said AlphaBay was ten times larger than Silk Road, with over 350,000 listings. In opposition, Silk Road, which authorities seized in November 2013, listed a meager 14,000 listings for illicit goods and services at the time authorities took down the service.
Government

FCC Says It Has No Documentation of Cyberattack That It Claims Happened (thehill.com) 54

An anonymous reader quotes a report from The Hill: The Federal Communications Commission (FCC) declined to reveal analysis proving that it was the victim of a cyberattack in May. The agency claimed at the time that its Electronic Comment Filing System (ECFS) did not actually crash because of a large amount of traffic on the site prompted by John Oliver telling viewers to file comments in favor of net neutrality on his HBO show, Last Week Tonight. Instead, the FCC said that the ECFS went down as a result of a DDoS attack. In its response to Gizmodo's FOIA request, the FCC said that the attack "did not result in written documentation." "Based on a review of the logs, we have already provided a detailed description of what happened. We stand by our career IT staff's analysis of the evidence in our possession," an FCC spokesperson said when asked for comment on the matter.
Microsoft

Windows 10 Will Cut Off Devices With Older CPUs (pcworld.com) 270

Reader Baron_Yam shares a PCWorld report: No Windows 10 Creators Update for you, Microsoft says -- at least, not if you happen to be the unlucky owner of certain older Atom-based Windows devices, and other aging models in the future. After stories arose of failed attempts to upgrade such hardware to the Creators Update, Microsoft confirmed late Wednesday that any hardware device that falls out of the manufacturer's support cycle may be ineligible for future Windows 10 updates. In the case of the four "Clover Trail" processors (part of the Cloverview platform) that have fallen into Intel's End of Interactive Support phase, they will be ineligible for the Windows 10 Creators Update, Microsoft confirmed. Instead, they'll simply be offered the Windows 10 Anniversary Update, plus security updates through January, 2023, the end of the original Windows 8.1 support period. The problem, however, is that Microsoft's language opens up the possibility that any unsupported hardware device could be excluded from future Windows 10 updates. "Recognizing that a combination of hardware, driver and firmware support is required to have a good Windows 10 experience, we updated our support lifecycle policy to align with the hardware support period for a given device," Microsoft said in a statement. "If a hardware partner stops supporting a given device or one of its key components and stops providing driver updates, firmware updates, or fixes, it may mean that device will not be able to properly run a future Windows 10 feature update." The reader adds, it's not a case of "feature updates are not recommended and may not work", it's a case of "we will block feature updates to your device".
United States

US Ends Controversial Laptop Ban On Flights From Middle East (theguardian.com) 79

The United States has ended a four-month ban on passengers carrying laptops onboard US-bound flights from certain airports in the Middle East and North Africa, bringing to an end one of the controversial travel restrictions imposed by President Donald Trump's administration. From a report: Riyadh's King Khalid international airport was the last of 10 airports to be exempted from the ban, the US department of homeland security (DHS) confirmed in a tweet late on Wednesday local time. Middle East carriers have blamed Trump's travel restrictions, which include banning citizens of some Muslim-majority countries from visiting the United States, for a downturn in demand on US routes. In March, the United States banned large electronics in cabins on flights from 10 airports in the Middle East and North Africa over concerns that explosives could be concealed in the devices taken onboard aircraft. The ban has been lifted on the nine airlines affected -- Emirates, Etihad Airways, Qatar Airways, Turkish Airlines, Saudi Arabian Airlines, Royal Jordanian , Kuwait Airways, EgyptAir and Royal Air Maroc -- which are the only carriers to fly direct to the US from the region. A ban on citizens of six Muslim-majority countries -- Iran, Libya, Somalia, Sudan, Syria, and Yemen, -- remains in place, though has been limited after several US court hearings challenged the restrictions.
Piracy

Game of Thrones Pirates Being Monitored By HBO, Warnings On The Way (torrentfreak.com) 282

HBO is leaving no stones unturned in keeping Game of Thrones' piracy under control. The company is monitoring various popular torrent swarms and sending thousands of warnings targeted at internet subscribers whose connections are used to share the season 7 premiere of the popular TV series, reports TorrentFreak: Soon after the first episode of the new season appeared online Sunday evening, the company's anti-piracy partner IP Echelon started sending warnings targeted at torrenting pirates. The warnings in question include the IP-addresses of alleged BitTorrent users and ask the associated ISPs to alert their subscribers, in order to prevent further infringements. "We have information leading us to believe that the IP address xx.xxx.xxx.xx was used to download or share Game of Thrones without authorization," the notification begins. "HBO owns the copyright or exclusive rights to Game of Thrones, and the unauthorized download or distribution constitutes copyright infringement. Downloading unauthorized or unknown content is also a security risk for computers, devices, and networks." Under US copyright law, ISPs are not obligated to forward these emails, which are sent as a DMCA notification. However, many do as a courtesy to the affected rightsholders. The warnings are not targeted at a single swarm but cover a wide variety of torrents. TorrentFreak has already seen takedown notices for the following files, but it's likely that many more are being tracked.
Security

Hacker Steals $30 Million Worth of Ethereum From Parity Multi-Sig Wallets (bleepingcomputer.com) 66

An anonymous reader quotes a report from Bleeping Computer: An unknown hacker has used a vulnerability in an Ethereum wallet client to steal over 153,000 Ether, worth over $30 million dollars. The hack was possible due to a flaw in the Parity Ethereum client. The vulnerability allowed the hacker to exfiltrate funds from multi-sig wallets created with Parity clients 1.5 and later. Parity 1.5 was released on January 19, 2017. The attack took place around 19:00-20:00 UTC and was immediately spotted by Parity, a company founded by Gavin Wood, Ethereum's founder. The company issued a security alert on its blog. The Ether stolen from Parity multi-sig accounts was transferred into this Ethereum wallet, currently holding 153,017.021336727 Ether. Because Parity spotted the attack in time, a group named "The White Hat Group" used the same vulnerability to drain the rest of Ether stored in other Parity wallets that have not yet been stolen by the hacker. This money now resides in this Ethereum wallet. According to messages posted on Reddit and in a Gitter chat, The White Hat Group appears to be formed of security researchers and members of the Ethereum Project that have taken it into their own hands to secure funds in vulnerable wallets. Based on a message the group posted online, they plan to return the funds they took. Their wallet currently holds 377,116.819319439311671493 Ether, which is over $76 million.

Slashdot Top Deals