Back for a limited time - Get 15% off sitewide on Slashdot Deals with coupon code "BLACKFRIDAY" (some exclusions apply)". ×

Pwned Barbies Spying On Children? Toytalk CEO Downplays Hacking Reports ( 36

McGruber writes: Earlier this year Mattel unveiled "Hello Barbie," a $74.99 wi-fi equipped interactive doll. Users press a button on Barbie's belt to start a conversation and the recorded audio is processed over the internet so that the doll can respond appropriately. The doll also remembers the user's likes and dislikes.

Now Security Researcher Matt Jakubowski claims that he has managed to hack the Hello Barbie system to extract wi-fi network names, account IDs and MP3 files, which could be used to track down someone's home. "You can take that information and find out a person's house or business. It's just a matter of time until we are able to replace their servers with ours and have her say anything we want," Jakubowski warned. Mattel partnered with ToyTalk to develop "Hello Barbie." ToyTalk CEO Oren Jacob said: "An enthusiastic researcher has reported finding some device data and called that a hack. While the path that the researcher used to find that data is not obvious and not user-friendly, it is important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security or privacy protections have been compromised to our knowledge." A petition by the Campaign for a Commercial-Free Childhood asking Mattel to drop the doll has already been signed by over 6,000 people.

NOTE: The original reporting of this hack appears to have been this NBC-Chicago newscast.


DecryptorMax/CryptInfinite Ransomware Decrypted, No Need To Pay Ransom ( 31

An anonymous reader writes: Emsisoft has launched a new tool capable of decrypting files compromised by the DecryptorMax (CryptInfinite) ransomware. The tool is quite easy to use, and will generate a decryption key. For best results users should compare an encrypted and decrypted file, but the tool can also get the decryption key by comparing an encrypted PNG with a random PNG downloaded off the Internet.

Privacy Vulnerability Exposes VPN Users' Real IP Addresses ( 82

An anonymous reader writes: A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN. The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the unsuspecting user's IP address. This issue persists even if the victim has disabled port forwarding. PP discovered that five out of nine prominent VPN providers that offer port forwarding were vulnerable to the attack.

LinkedIn's Own CSS Abused For Clickjacking Attacks 12

An anonymous reader writes: LinkedIn has fixed a security bug that allowed attackers to use its own CSS code for clickjacking attacks. Basically attackers can create blog posts and load CSS classes from LinkedIn's own stylesheets. If a reader lands on that blog post, then a malicious link can be shown for the entire area of the page. Not something "unique" since this type of method is quite well-known, but you don't generally expect to find these kind of attacks on LinkedIn's own platform. (Here's a link to the LinkedIn security blog. Sorry for not linking to the particular blog — LinkedIn has a weird URL policy. It's the first one.)

VTech Hack Exposes Data On 4.8 Million Adults, 200,000 Kids ( 64

New submitter lorenzofb writes: A hacker broke into the site of the popular toy company VTech and was able to easily get 4.8 million credentials, and 227k kids' identities using SQL injection. The company didn't find out about the breach until Motherboard told them. According to Have I Been Pwned, this is the fourth largest consumer data breach ever. "[Security specialist Troy Hunt] said that VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected. ... Hunt also found that the company's websites "leak extensive data" from their databases and APIs—so much that an attacker could get a lot of data about the parents or kids just by taking advantage of these flaws."

Lenovo Patches Serious Vulnerabilities In PC System Update Tool ( 38

itwbennett writes: "For the third time in less than six months security issues have forced Lenovo to update one of the tools preloaded on its PCs," writes Lucian Constantin. Last week, the company released version 5.07.0019 of Lenovo System Update, a tool that helps users keep their computers' drivers and BIOS up to date and which was previously called ThinkVantage System Update. The new version fixes two local privilege escalation vulnerabilities discovered by researchers from security firm IOActive.
United Kingdom

UK Prisons To Crack Down On Inmate Internet and Mobile Phone Use ( 67

An anonymous reader writes: UK prisons will roll out enhanced internet and mobile phone blocking technologies, according to new measures announced yesterday by Chancellor George Osborne in the Autumn Statement. The step, which seeks to stop inmate access to the internet and calls made from mobile devices, will involve part of a £1.3bn investment from the Ministry of Justice to improve the country's Prison Service. Through this strategy, the government hopes to drive "safety improvements" by denying calls and data used on illicit mobile devices. The latest development in blocking technologies promises to be better (paywalled) than earlier systems, which inmates have been able to get around.

Greenwald: Why the CIA Is Smearing Edward Snowden After Paris Attacks ( 285

JoeyRox points out that Glenn Greenwald has some harsh words for the CIA in an op-ed piece for the LA Times. From the article: "Decent people see tragedy and barbarism when viewing a terrorism attack. American politicians and intelligence officials see something else: opportunity. Bodies were still lying in the streets of Paris when CIA operatives began exploiting the resulting fear and anger to advance long-standing political agendas. They and their congressional allies instantly attempted to heap blame for the atrocity not on Islamic State but on several preexisting adversaries: Internet encryption, Silicon Valley's privacy policies and Edward Snowden."

900 Embedded Devices Share Hard-Coded Certs, SSH Host Keys 47

An anonymous reader writes: Embedded devices of some 50 manufacturers has been found sharing the same hard-coded X.509 certificates (for HTTPS) and SSH host keys, a fact that can be exploited by a remote, unauthenticated attacker to carry out impersonation, man-in-the-middle, or passive decryption attacks. SEC Consult has analyzed firmware images of more than 4000 embedded devices of over 70 vendors — firmware of routers, IP cameras, VoIP phones, modems, etc. — and found that, in some cases, there are nearly half a million devices on the web using the same certificate.

Critical Zen Cart Vulnerability Could Spell Black Friday Disaster For Shoppers ( 55

Mark Wilson writes: It's around this time of year, with Black Friday looming and Christmas just around the corner, that online sales boom. Today security firm High-Tech Bridge has issued a warning to retailers and shoppers about a critical vulnerability in the popular Zen Cart shopping management system. High-Tech Bridge has provided Zen Cart with full details of the security flaw which could allow remote attackers to infiltrate web servers and gain access to customer data. Servers running Zen Cart are also at risk of malware, meaning that hundreds of thousands of ecommerce sites pose a potential danger. Technical details of the vulnerability are not yet being made public, but having notified Zen Cart of the issue High-Tech Bridge says the date of full public disclosure is 16 December.

This Gizmo Knows Your Amex Card Number Before You've Received It ( 67

itwbennett writes: A small device built by legendary hacker Samy Kamkar can predict what new American Express card numbers will be and trick point-of-sale devices into accepting cards without a security microchip. Because American Express appears to have used a weak algorithm to generate new card numbers, the device, called MagSpoof, can predict what a new American Express card number will be based on a canceled card's number. The new expiration date can also be predicted based on when the replacement card was requested.

Green Light Or No, Nest Cam Never Stops Watching ( 199

chicksdaddy writes: How do you know when the Nest Cam monitoring your house is "on" or "off"? It's simple: just look at the little power indicator light on the front of the device — and totally disregard what it is telling you. The truth is: the Nest Cam is never "off" despite an effort by Nest and its parent Google to make it appear otherwise. That, according to an analysis of the Nest Cam by the firm ABI Research, which found that turning the Nest Cam "off" using the associated mobile application only turns off the LED power indicator light on the front of the device. Under the hood, the camera continues to operate and, according to ABI researcher Jim Mielke, to monitor its surroundings: noting movement, sound and other activity when users are led to believe it has powered down.

Mielke reached that conclusion after analyzing Nest Cam's power consumption. Typically a shutdown or standby mode would reduce current by as much as 10 to 100 times, Mielke said. But the Google Nest Cam's power consumption was almost identical in "shutdown" mode and when fully operational, dropping from 370 milliamps (mA) to around 340mA. The slight reduction in power consumption for the Nest Cam when it was turned "off" correlates with the disabling of the LED power light, given that LEDs typically draw 10-20mA.

In a statement to The Security Ledger, Nest Labs spokesperson Zoz Cuccias acknowledged that the Nest Cam does not fully power down when the camera is turned off from the user interface (UI). "When Nest Cam is turned off from the user interface (UI), it does not fully power down, as we expect the camera to be turned on again at any point in time," Cuccias wrote in an e-mail. "With that said, when Nest Cam is turned off, it completely stops transmitting video to the cloud, meaning it no longer observes its surroundings." The privacy and security implications are serious. "This means that even when a consumer thinks that he or she is successfully turning off this camera, the device is still running, which could potentially unleash a tidal wave of privacy concerns," Mielke wrote.


Video High-Security, Open-Source Router is a Hit on Indiegogo (Video) 111

The device is called the Turris Omnia, and its Indiegogo page says it's a "hi-performance & open-source router." Their fundraising goal is $100,000. So far, 1,191 backers have pledged $248,446 (as of the moment this was typed), with 49 days left to go. They've shipped 2,000 pieces so far but, says interviewee Ondej Filip, "95% of them are in the Czech Republic."

This is not only an open-source project, but non-profit as well. A big motive for it is heightened security, as the interview (and transcript) make clear. It's also apparent that the hardware here is overkill for a router; it can run a complete Linux distro, no problem, so it can function as a server, not just as a router. Interested? You might want to put a reservation in soon. This isn't the cheapest router (or even server) out there, but a lot of people obviously think a Turris Omnia, with its crypto security, automatic updates, and server functions would be nice to have.

High Level Coding Language Used To Create New POS Malware ( 93

An anonymous reader writes: A new malware framework called ModPOS is reported to pose a threat to U.S. retailers, and has some of the highest-quality coding work ever put into a ill-intentioned software of this nature. Security researchers iSight say of the ModPOS platform that it is 'much more complex than average malware'. The researchers believe that the binary output they have been studying for three years was written in a high-level language such as C, and that the software took 'a significant amount of time and resources to create and debug'.

Second Root Cert-Private Key Pair Found On Dell Computer ( 65

msm1267 writes: A second root certificate and private key, similar to eDellRoot [mentioned here yesterday], along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers has been found on a Dell Inspiron laptop. The impact of these two certs is limited compared to the original eDellRoot cert. The related eDellRoot cert is also self-signed but has a different fingerprint than the first one. It has been found only on two dozen machines according to the results of a scan conducted by researchers at Duo Security. Dell, meanwhile, late on Monday said that it was going to remove the eDellroot certificate from all Dell systems moving forward, and for existing affected customers, it has provided permanent removal instructions (.DOCX download), and starting today will push a software update that checks for the eDellroot cert and removes it. The second certificate / key pair was found by researchers at Duo Security.

Pearson Credential Manager System Used By Cisco, IBM, F5 Has Been Breached 25

An anonymous reader writes with a report from Help Net Security that the credential management system used by Pearson VUE (part of education company and publisher Pearson) has been breached "by an unauthorized third party with the help of malware." Pearson VUE specializes in computer-based assessment testing for regulatory and certification boards. From the story: Over 450 credential owners (including IT organizations such as IBM, Adobe, etc.) across the globe use the company's solutions to develop, manage, deliver and grow their testing programs. The company is still assessing the scope of the breach, and says that they do not think that US Social Security numbers or full payment card information were compromised. But because the PMC is custom designed to fit specific customer requirements, they are still looking into how this incident affected each of their customers. According to a note on Pearson's site, the system remains down for the time being.
The Military

Fake Bomb Detector, Blamed For Hundreds of Deaths, Is Still In Use 151 writes: Murtaza Hussain writes at The Intercept that although it remains in use at sensitive security areas throughout the world, the ADE 651 is a complete fraud and the ADE-651's manufacturer sold it with the full knowledge that it was useless at detecting explosives. There are no batteries in the unit and it consists of a swivelling aerial mounted to a hinge on a hand-grip. The device contains nothing but the type of anti-theft tag used to prevent stealing in high street stores and critics have likened it to a glorified dowsing rod.

The story of how the ADE 651 came into use involves the 2003 U.S. invasion of Iraq. At the height of the conflict, as the new Iraqi government battled a wave of deadly car bombings, it purchased more than 7,000 ADE 651 units worth tens of millions of dollars in a desperate effort to stop the attacks. Not only did the units not help, the device actually heightened the bloodshed by creating "a false sense of security" that contributed to the deaths of hundreds of Iraqi civilians. A BBC investigation led to a subsequent export ban on the devices.

The device is once again back in the news as it was reportedly used for security screening at hotels in the Egyptian resort city of Sharm el-Sheikh where a Russian airliner that took off from that city's airport was recently destroyed in a likely bombing attack by the militant Islamic State group. Speaking to The Independent about the hotel screening, the U.K. Foreign Office stated it would "continue to raise concerns" over the use of the ADE 651. James McCormick, the man responsible for the manufacture and sale of the ADE 651, received a 10-year prison sentence for his part in manufacture of the devices, sold to Iraq for $40,000 each. An employee of McCormick who later became a whistleblower said that after becoming concerned and questioning McCormick about the device, McCormick told him the ADE 651 "does exactly what it's designed to. It makes money."

FAA To Drone Owners: Get Ready To Register To Fly ( 192

coondoggie writes: While an actual rule could be months away, drones weighing about 9 ounces or more will apparently need to be registered with the Federal Aviation Administration going forward. The registration requirement and other details came form the government’s UAS Task Force which was created by the FAA last month and featured all manner of associates from Google, the Academy of Model Aeronautics and Air Line Pilots Association to Walmart, GoPro and Amazon. “By some estimates, as many as 400,000 new unmanned aircraft will be sold during the holiday season. Pilots with little or no aviation experience will be at the controls of many of these aircraft. Many of these new aviators may not even be aware that their activities in our airspace could be dangerous to other aircraft -- or that they are, in fact, pilots once they start flying their unmanned aircraft,” said FAA Administrator Michael Huerta in announcing the task force’s results.

Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops ( 92

Mickeycaskill writes: Dell has been accused of pre-installing rogue self-signing root certificate authentications on its laptops. A number of users discovered the 'eDellRoot' certificate on their machines and say it leaves their machines, and any others with the certificate, open to attack. "Anyone possessing the private key which is on my computer is capable of minting certificates for any site, for any purpose and the computer will programmatically and falsely conclude the issued certificate to be valid," said Joe Nord, a Citrix product manager who found the certificate on his laptop. It is unclear whether it is Dell or a third party installing the certificate, but the episode is similar to the 'Superfish' incident in which Lenovo was found to have installed malware to inject ads onto users' computers.

What the Sony Hack Looked Like To Employees ( 51

An anonymous reader writes: The cyber attack on Sony was one of the highest profile hacks in the past several years. Slate tracked down two dozen people who worked there at the time, and asked them what it was like on the inside while it was happening. Quoting: "The telephone directory vanished. Voicemail was offline. Computers became bricks. Internet access on the lot was shuttered. The cafeteria went cash-only. Contracts—and the templates those contracts were based on—disappeared. Sony's online database of stock footage was unsearchable. It was near impossible for Sony to communicate directly with its employees—much less ex-employees, who were also gravely affected by the hack—to inform them of what was even happening and what to do about it. 'It was like moving back into an earlier time,' one employee says." Some employees had their workloads doubled, some had nothing to do. While the hack brought the company together at the beginning, it eventually descended into recriminations and lawsuits.