Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Security

Can Iris-Scanning ID Systems Tell the Difference Between a Live and Dead Eye? (ieee.org) 22

the_newsbeagle writes: Iris scanning is increasingly being used for biometric identification because it's fast, accurate, and relies on a body part that's protected and doesn't change over time. You may have seen such systems at a border crossing recently or at a high-security facility, and the Indian government is currently collecting iris scans from all its 1.2 billion citizens to enroll them in a national ID system. But such scanners can sometimes be spoofed by a high-quality paper printout or an image stuck on a contact lens.

Now, new research has shown that post-mortem eyes can be used for biometric identification for hours or days after death, despite the decay that occurs. This means an eye could theoretically be plucked from someone's head and presented to an iris scanner. The same researcher who conducted that post-mortem study is also looking for solutions, and is working on iris scanners that can detect the "liveness" of an eye. His best method so far relies on the unique way each person's pupil responds to a flash of light, although he notes some problems with this approach.

Security

'High-Risk Vulnerabilities' In Oracle File-Processing SDKs Affect Major Third-Party Products (csoonline.com) 10

itwbennett writes: "Seventeen high-risk vulnerabilities out of the 276 flaws fixed by Oracle Tuesday affect products from third-party software vendors," writes Lucian Constantin on CSOonline. The vulnerabilities, which were found by researchers from Cisco's Talos team, are in the Oracle Outside In Technology (OIT), a collection of SDKs that are used in third-party products, including Microsoft Exchange, Novell Groupwise, IBM WebSphere Portal, Google Search Appliance, Avira AntiVir for Exchange, Raytheon SureView, Guidance Encase and Veritas Enterprise Vault.

"It's not clear how many of those products are also affected by the newly patched seventeen flaws, because some of them might not use all of the vulnerable SDKs or might include other limiting factors," writes Constantin. But the Cisco researchers confirmed that Microsoft Exchange servers (version 2013 and earlier) are affected if they have WebReady Document Viewing enabled. In a blog post the researchers describe how an attacker could exploit these vulnerabilities.

TL;DR version: "Attackers can exploit the flaws to execute rogue code on systems by sending specifically crafted content to applications using the vulnerable OIT SDKs."
Government

Almost Half Of All TSA Employees Have Been Cited For Misconduct (mercurynews.com) 96

Slashdot reader schwit1 writes: Almost half of all TSA employees have been cited for misconduct, and the citations have increased by almost 30 percent since 2013... It also appears that the TSA has been reducing the sanctions it has been giving out for this bad behavior.
Throughout the U.S., the airport security group "has instead sought to treat the misconduct with 'more counseling and letters that explain why certain behaviors were not acceptable'," according to a report from the House Homeland Security Commission, titled "Misconduct at TSA Threatens the Security of the Flying Public". It found 1,206 instances of "neglect of duty", and also cited the case of an Oakland TSA officer who for two years helped smugglers slip more than 220 pounds of marijuana through airport security checkpoints, according to the San Jose Mercury News.

The newspaper adds that "The misconduct ranges from salacious (federal air marshals spending government money on hotel rooms for romps with prostitutes) to downright dangerous (an officer in Orlando taking bribes to smuggle Brazilian nationals through a checkpoint without questioning)." Their conclusion? "The TSA's job is to make airline passengers feel safer and, not incidentally, actually make us safer. It's failing on both."
Republicans

Avast Suckers GOP Delegates Into Connecting To Insecure Wi-Fi Hotspots (theregister.co.uk) 89

Avast conned more than 1,200 people into connecting to fake wi-fi hotspots set up near the Republican convention and the Cleveland airport, using common network names like "Google Starbucks" and "Xfinitywifi" as well as "I vote Trump! free Internet". An anonymous reader quotes this report from The Register: With mobile devices often set to connect to known SSIDs automatically, users can overlook the networks to which they are connecting... Some 68.3 percent of users' identities were exposed when they connected, and 44.5 per cent of Wi-Fi users checked their emails or chatted via messenger apps... In its day-long experiment Avast saw more than 1.6Gbps transferred from more than 1,200 users.
Avast didn't store the data they collected, but they did report statistics on which sites were accessed most frequently. "5.1 percent played Pokemon Go, while 0.7 percent used dating apps like Tinder, Grindr, OKCupid, Match and Meetup, and 0.24 percent visited pornography sites like Pornhub."
Security

Microsoft Rewrites Wassenaar Arms Control Pact To Protect The Infosec Industry (theregister.co.uk) 20

The Wassenaar Arrangement "is threatening to choke the cyber-security industry, according to a consortium of cyber-security companies...supported by Microsoft among others," reports SC Magazine. "'Because the regulation is so overly broad, it would require cyber responders and security researchers to obtain an export license prior to exchanging essential information to remediate a newly identified network vulnerability, even when that vulnerability is capable of being exploited for purposes of surveillance,' wrote Alan Cohn from the CRC on a Microsoft blog." Reporter Darren Pauli contacted Slashdot with this report: If the Wassenaar Arrangement carries through under its current state, it will force Microsoft to submit some 3800 applications for arms export every year, company assistant general counsel Cristin Goodwin says... The Wassenaar Arrangement caught all corners of the security industry off guard, but its full potentially-devastating effects will only be realised in coming months and years... Goodwin and [Symantec director of government affairs] Fletcher are calling on the industry to lobby their agencies to overhaul the dual-use software definition of the Arrangement ahead of a closed-door meeting in September where changes can be proposed.
Communications

Tinder Scam Promises Account Verification, But Actually Sells Porn (csoonline.com) 24

itwbennett writes: Tinder users should be on the lookout for Tinder profiles asking them to get "verified" and then sending them a link to a site called "Tinder Safe Dating." The service asks for credit card information, saying this will verify the user's age. Once payment information has been captured, the user is then signed up for a free trial of porn, which will end up costing $118.76 per month unless the service is cancelled. In Tinder's safety guidelines, the company warns users to avoid messages that contain links to third-party websites or ask money for an address.
Security

Auto Industry Publishes Its First Set of Cybersecurity Best Practices (securityledger.com) 37

chicksdaddy quotes a report from Security Ledger: The Automotive industry's main group for coordinating policy on information security and "cyber" threats has published a "Best Practices" document, giving individual automakers guidance on implementing cybersecurity in their vehicles for the first time. The Automotive Information Sharing and Analysis Center (ISAC) released the Automotive Cybersecurity Best Practices document on July 21st, saying the guidelines are for auto manufacturers as well as their suppliers. The Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties. Taken together, they move the auto industry closer to standards pioneered decades ago and embraced by companies like Microsoft. They call on automakers to design software to be secure from the ground up and to take a sober look at risks to connected vehicles as part of the design process. Automakers are urged to test for and respond to software vulnerabilities, to develop methods for assessing and fixing security vulnerabilities, to create training programs, promote cybersecurity awareness for both information technology and vehicle specific risks, and educate employees about security awareness. The document comes after a Kelly Blue Book survey that found that 62% of drivers think "connected cars will be hacked," and that 42% say they "want cars to be more connected."
Security

Fortune 500 Company Hires Ransomware Gang To Hack the Competition (vice.com) 62

It's no secret that ransomware hackers are in the business to make money. But a new business arrangement hitting the news today may surprise many. Vice's Motherboard, citing research and investigation (PDF) from security firm F-Secure, is reporting that a Fortune 500 company, the name of which hasn't been unveiled, hired a ransomware gang to hack its competitors. From the article: In an exchange with a security researcher pretending to be a victim, one ransomware agent claimed they were working for a Fortune 500 company. "We are hired by [a] corporation to cyber disrupt day-to-day business of their competition," the customer support agent of a ransomware known as Jigsaw said, according to a new report by security firm F-Secure. "The purpose was just to lock files to delay a corporation's production time to allow our clients to introduce a similar product into the market first."In a statement to Motherboard, Mikko Hypponen said, "If this indeed was a case where ransomware was used on purpose to disrupt a competitor's operation, it's the only case we know of." F-Secure adds that the consumer representative noted that "politicians, governments, husbands, wives -- people from all walks of life contract [them] to hack computers, cell phones."

How Apple and Facebook Helped To Take Down KickassTorrents (pcworld.com) 105

Reader itwbennett writes (edited): Artem Vaulin, the alleged owner of the torrent directory service KickassTorrents, was arrested in Poland earlier this week, charged with copyright infringement and money laundering. As we dig deeper as to what exactly happened, it turns out Apple and Facebook were among the companies that handed over data to the U.S. in its investigation. Department of Homeland Security investigators traced IP addresses associated with KickassTorrents domains to a Canadian ISP, which turned over server data, including emails. At some point, investigators noticed that Vaulin had an Apple email account that was used to make iTunes purchases from two IP addresses -- both of which also accessed a Facebook account promoting KickassTorrents.if you're wondering where exactly iTunes came into play, here's a further explanation. It all started in November 2015, when an undercover IRS Special Agent reached out to a KickassTorrents representative about hosting an advertisement on the site. An agreement was made and the ad, which purportedly advertised a program to study in the United States, was to be placed on individual torrent listings for $300 per day. When it finally went live on March 14th 2016, a link appeared underneath the torrent download buttons for five days. Sure it was a short campaign, but it was enough to link KAT to a Latvian bank account, one that received $31 million in deposits -- mainly from advertising payments -- between August 2015 and March 2016. Upon further investigation of the email accounts, and corresponding reverse lookups, it was found that the account holder had made a purchase on iTunes.
Security

Hacker Steals 1.6 Million Accounts From Top Mobile Game's Forum (zdnet.com) 29

Zack Whittaker, reporting for ZDNet: A hacker has targeted the official forum of popular mobile game "Clash of Kings," making off with close to 1.6 million accounts. The hack was carried out on July 14 by a hacker, who wants to remain nameless, and a copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data. In a sample given to ZDNet, the database contains (among other things) usernames, email addresses, IP addresses (which can often determine the user's location), device identifiers, as well as Facebook data and access tokens (if the user signed in with their social account). Passwords stored in the database are hashed and salted. LeakedSource has now added the total 1,597,717 stolen records to its systems.
Printer

Police 3D-Printed A Murder Victim's Finger To Unlock His Phone (theverge.com) 96

An anonymous reader quotes a report from The Verge: Police in Michigan have a new tool for unlocking phones: 3D printing. According to a new report from Flash Forward creator Rose Eveleth, law enforcement officers approached professors at the University of Michigan earlier this year to reproduce a murder victim's fingerprint from a prerecorded scan. Once created, the 3D model would be used to create a false fingerprint, which could be used to unlock the phone. Because the investigation is ongoing, details are limited, and it's unclear whether the technique will be successful. Still, it's similar to techniques researchers have used in the past to re-create working fingerprint molds from scanned images, often in coordination with law enforcement. This may be the first confirmed case of police using the technique to unlock a phone in an active investigation. Apple has recently changed the way iOS manages fingerprint logins. You are now required to input an additional passcode if your phone hasn't been touched for eight hours and the passcode hasn't been entered in the past six days.
IOS

Apple Patches Stagefright-Like Bug In IOS (fortune.com) 23

Reader Trailrunner7 writes: Apple has fixed a series of high-risk vulnerabilities in iOS, including three that could lead to remote code execution, with the release of iOS 9.3.3. One of those code-execution vulnerabilities lies in the way that iOS handles TIFF files in various applications (Alternate source: Fortune ). Researchers at Cisco's TALOS team, who discovered the flaw, said that the vulnerability has a lot of potential for exploitation. "This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images. This means that an attacker could deliver a payload that successfully exploits this vulnerability using a wide range of potential attack vectors including iMessages, malicious web pages, MMS messages, or other malicious file attachments opened by any application that makes use of the Apple Image I/O API for rendering these types of files," Cisco TALOS said in a blog post.
DRM

EFF Is Suing the US Government To Invalidate the DMCA's DRM Provisions (boingboing.net) 92

Cory Doctorow, writes for BoingBoing: The Electronic Frontier Foundation has just filed a lawsuit that challenges the Constitutionality of Section 1201 of the DMCA, the "Digital Rights Management" provision of the law, a notoriously overbroad law that bans activities that bypass or weaken copyright access-control systems, including reconfiguring software-enabled devices (making sure your IoT light-socket will accept third-party lightbulbs; tapping into diagnostic info in your car or tractor to allow an independent party to repair it) and reporting security vulnerabilities in these devices. EFF is representing two clients in its lawsuit: Andrew "bunnie" Huang, a legendary hardware hacker whose NeTV product lets users put overlays on DRM-restricted digital video signals; and Matthew Green, a heavyweight security researcher at Johns Hopkins who has an NSF grant to investigate medical record systems and whose research plans encompass the security of industrial firewalls and finance-industry "black boxes" used to manage the cryptographic security of billions of financial transactions every day. Both clients reflect the deep constitutional flaws in the DMCA, and both have standing to sue the US government to challenge DMCA 1201 because of its serious criminal provisions (5 years in prison and a $500K fine for a first offense).Doctorow has explained aspects of this for The Guardian today. You should also check Huang's blog post on this.
Microsoft

Microsoft Responds To Allegations That Windows 10 Collects 'Excessive Personal Data' (betanews.com) 144

BetaNews's Mark Wilson writes: Yesterday France's National Data Protection Commission (CNIL) slapped a formal order on Microsoft to comply with data protection laws after it found Windows 10 was collecting "excessive data" about users. The company has been given three months to meet the demands or it will face fines. Microsoft has now responded, saying it is happy to work with the CNIL to work towards an acceptable solution. Interestingly, while not denying the allegations set against it, the company does nothing to defend the amount of data collected by Windows 10, and also fails to address the privacy concerns it raises. Microsoft does address concerns about the transfer of data between Europe and the US, saying that while the Safe Harbor agreement is no longer valid, the company still complied with it up until the adoption of Privacy Shield. It's interesting to see that Microsoft, in response to a series of complaints very clearly leveled at Windows 10, manages to mention the operating system only once. There is the promise of a statement about privacy next week, but for now we have Microsoft's response to the CNIL's order.
Privacy

Edward Snowden's New Research Aims To Keep Smartphones From Betraying Their Owners (theintercept.com) 106

Smartphones become indispensable tools for journalists, human right workers, and activists in war-torn regions. But at the same time, as Intercept points out, they become especially potent tracking devices that can put users in mortal danger by leaking their location. To address the problem, NSA whistleblower Edward Snowden and hardware hacker Andrew "Bunnie" Huang have been developing a way for potentially imperiled smartphone users to monitor whether their devices are making any potentially compromising radio transmissions. "We have to ensure that journalists can investigate and find the truth, even in areas where governments prefer they don't," Snowden told Intercept. "It's basically to make the phone work for you, how you want it, when you want it, but only when." Snowden and Huang presented their findings in a talk at MIT Media Lab's Forbidden Research event Thursday, and published a detailed paper. From the Intercept article: Snowden and Huang have been researching if it's possible to use a smartphone in such an offline manner without leaking its location, starting with the assumption that "a phone can and will be compromised." [...] The research is necessary in part because most common way to try and silence a phone's radio -- turning on airplane mode -- can't be relied on to squelch your phone's radio traffic. Fortunately, a smartphone can be made to lie about the state of its radios. The article adds: According to their post, the goal is to "provide field-ready tools that enable a reporter to observe and investigate the status of the phone's radios directly and independently of the phone's native hardware." In other words, they want to build an entirely separate tiny computer that users can attach to a smartphone to alert them if it's being dishonest about its radio emissions. Snowden and Haung are calling this device an "introspection engine" because it will inspect the inner-workings of the phone. The device will be contained inside a battery case, looking similar to a smartphone with an extra bulky battery, except with its own screen to update the user on the status of the radios. Plans are for the device to also be able to sound an audible alarm and possibly to also come equipped with a "kill switch" that can shut off power to the phone if any radio signals are detected.Wired has a detailed report on this, too.
Blackberry

BlackBerry CEO 'Disturbed' By Apple's Hard Line On Encryption (theinquirer.net) 197

An anonymous reader writes: BlackBerry CEO John Chen said he is "disturbed" by Apple's tough approach to encryption and user privacy, warning that the firm's attitude is harmful to society. Earlier this year, Chen said in response to Apple resisting the government's demands to unlock an iPhone belonging to one of the San Bernardino shooters: "We are indeed in a dark place when companies put their reputations above the greater good." During BlackBerry's Security Summit in New York this week, Chen made several more comments about Apple's stance on encryption. "One of our competitors, we call it 'the other fruit company,' has an attitude that it doesn't matter how much it might hurt society, they're not going to help," he said. "I found that disturbing as a citizen. I think BlackBerry, like any company, should have a basic civil responsibility. If the world is in danger, we should be able to help out." He did say there was a lot of "nonsense" being reported about BlackBerry and its approach to how it handles user information. "Of course, there need to be clear guidelines. The guidelines we've adopted require legal assets. A subpoena for certain data. But if you have the data, you should give it to them," he said. "There's some complete nonsense about what we can and can't do. People are mad at us that we let the government have the data. It's absolute garbage. We can't do that." Chen also warned that mandatory back doors aren't a good idea either, hinting at the impending Investigatory Powers Bill. "There's proposed legislation in the U.S., and I'm sure it will come to the EU, that every vendor needs to provide some form of a back door. That is not going to fly at all. It just isn't," he said.
Microsoft

France: Windows 10 Collects 'Excessive Personal Data', Issues Microsoft With Formal Warning (betanews.com) 112

France's National Data Protection Commission (CNIL) has ordered Microsoft to "stop collecting excessive data and tracking browsing by users without consent," adding that Microsoft must comply with the French Data Protection Act within next three months. BetaNews reports: In addition to this, the chair of CNIL has notified Microsoft that it needs to take "satisfactory measures to ensure the security and confidentiality of user data." The notice comes after numerous complaints about Windows 10, and a series of investigations by French authorities which revealed a number of failings on Microsoft's part. Microsoft is accused of not only gathering excessive data about users, but also irrelevant data. The CNIL points to Windows 10's telemetry service which gathers information about the apps users have installed and how long each is used for. The complaint is that "these data are not necessary for the operation of the service."
Android

Android Nougat Won't Boot If Your Phone's Software Is Corrupt Or Has Malware (androidauthority.com) 156

An anonymous reader shares a report on Android Authority: In a bid to increase the security of the Android operating system, Google has introduced a new check for malware as part of the boot process in all Android devices. Until Marshmallow, Android devices ran the check as part of the boot process and in Marshmallow, the phone would warn you that it was compromised but would continue to let the phone boot up. In Nougat however, Google is taking this security check to the next level. On the Android Developer's blog, the company explains that Android Nougat strictly enforces that boot check, giving you far more than a warning. The good news is that if your phone is infected with types of malware, it will refuse to boot or will boot in a limited capacity mode (presumably akin to safe mode). The bad news however, is that some non-malicious corruption of data could also mean that your phone will refuse to boot up. Considering that corrupted data may not always be malicious -- even a single-byte error could cause your phone to refuse to boot up -- Android Nougat brings additional code to guard against corruption.
Firefox

Firefox To Block Non-Essential Flash Content In August 2016, Require Click-To-Activate In 2017 (mozilla.org) 156

Mozilla has announced that it plans to discontinue support for Flash in Firefox. Starting next month, Firefox will block Flash content "that is not essential to the user experience." Also, starting sometime in 2017, the browser will require click-to-activate approval from users before a website activates the Flash plugin for any content. In a blogpost, the company writes:Mozilla and the Web as a whole have been taking steps to reduce the need for Flash content in everyday browsing. Over the past few years, Firefox has implemented Web APIs to replace functionality that was formerly provided only by plugins. This includes audio/video playback and streaming capabilities, clipboard integration, fast 2D and 3D graphics, WebSocket networking, and microphone/camera access. As websites have switched from Flash to other web technologies, the plugin crash rate in Firefox has dropped significantly. [...] We continue to work closely with Adobe to deliver the best possible Flash experience for our users.
Security

Software Flaw Puts Mobile Phones and Networks At Risk Of Complete Takeover (arstechnica.com) 51

Dan Goodin, reporting for Ars Technica: A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday. The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One."The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources," researchers who discovered the flaw wrote in an advisory published Monday evening. "These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network."

Slashdot Top Deals