Security

Equifax Has Been Sending Consumers To a Fake Phishing Site for Almost Two Weeks (gizmodo.com) 119

An anonymous reader shares a Gizmodo report (condensed for space): For nearly two weeks, the company's official Twitter account has been directing users to a fake lookalike website. After announcing the breach, Equifax directed its customers to equifaxsecurity2017.com, a website where they can enroll in identity theft protection services and find updates about how Equifax is handing the "cybersecurity incident." But the decision to create "equifaxsecurity2017" in the first place was monumentally stupid. The URL is long and it doesn't look very official -- that means it's going to be very easy to emulate. To illustrate how idiotic Equifax's decision was, developer Nick Sweeting created a fake website of his own: securityequifax2017.com. (He simply switched the words "security" and "equifax" around.) As if to demonstrate Sweeting's point, Equifax appears to have been itself duped by the fake URL. The company has directed users to Sweeting's fake site sporadically over the past two weeks. Gizmodo found eight tweets containing the fake URL dating back to September 9th.
Security

Ransomware Hack Targeting 2 Million an Hour (axios.com) 35

New submitter Zorro writes: A ransomware attack sweeping the globe right now is launching about 8,000 different versions of the virus script at Barracuda's customers, Eugene Weiss, lead platform architect at Barracuda, told Axios, and it's hitting at a steady rate of about 2 million attacks per hour. What to watch out for: An incoming email spoofing the destination host, with a subject about "Herbalife" or a "copier" file delivery. Two of the latest variants Barracuda has detected include a paragraph about legalese to make it seem official, or a line about how a "payment is attached," which tricks you to click since, as Weiss puts it, "everyone wants a payment."
IOS

Turning Off Wi-Fi and Bluetooth in iOS 11's Control Center Doesn't Actually Turn Off Wi-Fi or Bluetooth (vice.com) 207

An anonymous reader shares a Motherboard report: Turning off Bluetooth and Wi-Fi when you're not using them on your smartphone has long been standard, common sense, advice. Unfortunately, with the iPhone's new operating system iOS 11 - which was released to the general public yesterday - turning them off is not as easy as it used to be. Now, when you toggle Bluetooth and Wi-Fi off from the iPhone's Control Center -- the somewhat confusing menu that appears when you swipe up from the bottom of the phone -- it actually doesn't completely turn them off. While that might sound like a bug, that's actually what Apple intended in the new operating system. But security researchers warn that users might not realize this and, as a consequence, could leave Bluetooth and Wi-Fi on without noticing. Numerous Slashdot readers have complained about this "feature" this week.
Electronic Frontier Foundation

EFF Resigns From Web Consortium In Wake of EME DRM Standardization (eff.org) 213

New submitter Frobnicator writes: Four years ago, the W3C began standardizing Encrypted Media Extensions, or EME. Several organizations, including the EFF, have argued against DRM within web browsers. Earlier this year, after the W3C leadership officially recommended EME despite failing to reach consensus, the EFF filed the first-ever official appeal that the decision be formally polled for consensus. That appeal has been denied, and for the first time the W3C is endorsing a standard against the consensus of its members.

In response, the EFF published their resignation from the body: "The W3C is a body that ostensibly operates on consensus. Nevertheless, as the coalition in support of a DRM compromise grew and grew -- and the large corporate members continued to reject any meaningful compromise -- the W3C leadership persisted in treating EME as topic that could be decided by one side of the debate. [...] Today, the W3C bequeaths an legally unauditable attack-surface to browsers used by billions of people. Effective today, EFF is resigning from the W3C."
Jeff Jaffe, CEO of W3C said: "I know from my conversations that many people are not satisfied with the result. EME proponents wanted a faster decision with less drama. EME critics want a protective covenant. And there is reason to respect those who want a better result. But my personal reflection is that we took the appropriate time to have a respectful debate about a complex set of issues and provide a result that will improve the web for its users. My main hope, though, is that whatever point-of-view people have on the EME covenant issue, that they recognize the value of the W3C community and process in arriving at a decision for an inherently contentious issue. We are in our best light when we are facilitating the debate on important issues that face the web."
Privacy

In a 'Plot Twist', Wikileaks Releases Documents It Claims Detail Russia Mass Surveillance Apparatus (techcrunch.com) 158

WikiLeaks, believed by many to be a Kremlin front, surprised some observers Tuesday morning (Snowden called it a "plot twist") when it released documents linking a Russian tech company with access to thousands of citizens' telephone and internet communications with Moscow. From a report: Writing a summary of the cache of mostly Russian-language documents, Wikileaks claims they show how a long-established Russian company which supplies software to telcos is also installing infrastructure, under state mandate, that enables Russian state agencies to tap into, search and spy on citizens' digital activity -- suggesting a similar state-funded mass surveillance program to the one utilized by the U.S.'s NSA or by GCHQ in the U.K. (both of which were detailed in the 2013 Snowden disclosures). The documents which Wikileaks has published (there are just 34 "base documents" in this leak) relate to a St. Petersburg-based company, called Peter-Service, which it claims is a contractor for Russian state surveillance. The company was set up in 1992 to provide billing solutions before going on to become a major supplier of software to the mobile telecoms industry.
Encryption

Why You Shouldn't Use Texts For Two-Factor Authentication (theverge.com) 100

An anonymous reader quotes a report from The Verge: A demonstration video posted by Positive Technologies (and first reported by Forbes) shows how easy it is to hack into a bitcoin wallet by intercepting text messages in transit. The group targeted a Coinbase account protected by two-factor authentication, which was registered to a Gmail account also protected by two-factor. By exploiting known flaws in the cell network, the group was able to intercept all text messages sent to the number for a set period of time. That was enough to reset the password to the Gmail account and then take control of the Coinbase wallet. All the group needed was the name, surname and phone number of the targeted Bitcoin user. These were security researchers rather than criminals, so they didn't actually steal anyone's bitcoin, although that would have been an easy step to take. At a glance, this looks like a Coinbase vulnerability, but the real weakness is in the cellular system itself. Positive Technologies was able to hijack the text messages using its own research tool, which exploits weaknesses in the cellular network to intercept text messages in transit. Known as the SS7 network, that network is shared by every telecom to manage calls and texts between phone numbers. There are a number of known SS7 vulnerabilities, and while access to the SS7 network is theoretically restricted to telecom companies, hijacking services are frequently available on criminal marketplaces. The report notes of several ways you can protect yourself from this sort of attack: "On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you've got a more secure app-based method established. Google, for instance, will let you manage two-factor and account recovery here and here; just set up Authenticator or a recovery code, then go to the SMS option for each and click 'Remove Phone.'"
AI

AI Just Made Guessing Your Password a Whole Lot Easier (sciencemag.org) 132

sciencehabit shares a report from Science Magazine: The Equifax breach is reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you're probably toast in less than an hour. Now, there's more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles.

Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A "generator" attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a "discriminator" tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they'd be at cracking them. On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

Security

Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed (bloomberg.com) 90

Bloomberg is reporting that Equifax, the credit reporting company that recently reported a cybersecurity incident impacting roughly 143 million U.S. consumers, learned about a breach of its computer systems in March -- almost five months before the date it has publicly disclosed. The company said the March breach was unrelated to the recent hack involving millions of U.S. consumers, but one of the people familiar with the situation said the breaches involve the same intruders. From the report: Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said. Equifax's hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. The revelation of a March breach will complicate the company's efforts to explain a series of unusual stock sales by Equifax executives. If it's shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading. The U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe.

In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company's outside counsel, Atlanta-based law firm King & Spalding, first engaged Mandiant at about that time. While it's not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May. Equifax has yet to disclose that March breach to the public.

Businesses

Slashdot Asks: Which IT Hiring Trends Are Hot, and Which Ones Are Going Cold? 186

snydeq writes: Recruiting and retaining tech talent remains IT's biggest challenge today, writes Paul Heltzel, in an article on what trends are heating up and what's cooling off when it comes to IT staffing. "One thing hasn't changed this year: Recruiting top talent is still difficult for most firms, and demand greatly outstrips supply," writes Heltzel. "That's influencing many of the areas we looked at, including compensation and retention. Whether you're looking to expand your team or job searching yourself, read on to see which IT hiring practices are trending and which ones are falling out of favor." What are you seeing companies favoring in the hiring market these days?
Microsoft

Microsoft Confirms Outlook Issues (bbc.com) 41

Microsoft has confirmed that some users of its email service Outlook are unable to send email or access their accounts. From a report: Hundreds from around Europe have commented on the website Downdetector that they have been affected by the problem -- many since Monday morning. One common issue seems to be that sent emails remain in the drafts folder and are not being delivered to recipients. On its website, Microsoft says the service dropped "unexpectedly" and it is working on a fix. Not all account holders are affected. "Intermittent connectivity is affecting customers in some European countries, which we are working to resolve as soon as possible," said a Microsoft representative.
IOS

Apple Officially Bans Scammy Antivirus Apps From iOS App Store (theverge.com) 51

Fake "virus scanning" apps have plagued the iOS App Store for a while, and Apple seems to finally be banning them once and for all in updated developer guidelines it published last week. From a report: The updated developer guidelines, compiled by Paul Hudson over at Hacking With Swift, now includes a ban on apps that claim to "including content or services that it does not actually offer" -- something that includes any iOS virus scanning apps, seeing as it wasn't possible to scan for viruses on iOS with third party apps, since iOS's sandboxing prevents applications from directly interacting with each other or the core of the iOS operating system.
Security

Avast's CCleaner Free Windows Application Infected With Malware (bleepingcomputer.com) 153

Reader Tinfoil writes: Cisco Talos announces that malware cleaning app, CCleaner, has been infected with malware for the past month. Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to a report published by Cisco Talos a few minutes ago. Cisco Talos believes that a threat actor might have compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan. The company said more 2.27 million had downloaded the compromised version of CCleaner.
Privacy

Illinois Tests A Blockchain-Based Birth Registry/ID System (illinoisblockchain.tech) 150

An anonymous reader quotes Government Technology: The state of Illinois, which has six blockchain pilots underway, will partner with Utah-based Evernym for a birth registry pilot meant to individualize and secure identities... The endeavor, one of six distinct blockchain explorations Illinois began last summer with a working group, is expected to utilize the Sovrin Foundation's publicly available distributed identity ledger and expand upon accomplishments of the W3C Verifiable Claims Task Force, the state said... Recognizing that identity -- and, now, digital identity -- begin at birth, the state will explore using these technologies to create "a secure 'self-sovereign' identity for Illinois citizens during the birth registration process," it said in the announcement.
More from the Illinois Blockchain Initiative site: Self-sovereign identity refers to a digital identity that remains entirely under the individual's control. A self-sovereign identity can be efficiently and securely validated by entities who require it, free from reliance on a centralized repository. Jennifer O'Rourke, Blockchain Business Liaison for the Illinois Blockchain Initiative commented, "To structurally address the many issues surrounding digital identity, we felt it was important to develop a framework that examines identity from its inception at child birth... Identity is not only foundational to nearly every government service, but is the basis for trust and legitimacy in the public sector."

In the proposed framework, government agencies will verify birth registration information and then cryptographically sign identity attributes such as legal name, date of birth, sex or blood type, creating what are called "verifiable claims" or attributes. Permission to view or share each of these government-verified claims is stored on the tamper-proof distributed ledger protocol in the form of a decentralized identifier... This minimizes the need for entities to establish, maintain and rely upon their own proprietary databases of identity information.

Evernym's "Chief Trust Officer" sees the program as "a major contribution to the larger effort of solving the online identity problem."
Windows

'Bashware' Attacks Exploit Windows 10's Subsystem for Linux (betanews.com) 79

Mark Wilson quote BetaNews: While many people welcomed the arrival of Windows Subsystem for Linux (WSL) in Windows 10, it has been found to be a potential security issue. A new technique known as a Bashware has been discovered by security researchers that makes it possible for malware to use the Linux shell to bypass security software.

While administrator access is needed to execute a Bashware attack, this is fairly easily obtained, and the technique can be used to disguise malicious operations from antivirus software and other security tools. Researchers from Check Point Research point out that the danger stems from the fact that "existing security solutions are still not adapted to monitor processes of Linux executables running on Windows."

Government

NSA Launches 'Codebreaker Challenge' For Students: Stopping an Infrastructure Attack (ltsnet.net) 53

Slashdot reader eatvegetables writes: The U.S. National Security Agency launched Codebreaker Challenge 2017 Friday night (Sept 15) at 9 p.m. EST. It started off as a reverse-engineering challenge a few years ago but has grown in scope to include network analysis, reverse-engineering, and vulnerability discovery/exploitation.

This year's challenge story centers around hackers attacking critical "supervisory control and data acquisition" (SCADA) infrastructure. Your mission, should you choose to accept it, is to figure out how the SCADA network is being attacked, find the attack vector(s), and stop the bad guy(s)/gal(s)/other(s).

Codebreaker-Challenge is unusual for capture-the-flag(ish) contests due to the scope/number of challenges and how long the contest runs (now until end of year). Also (this year, at least), the challenge is built around a less than well-known networking protocol, MQTT. It's open to anyone with a school.edu email address. A site leader-board shows which school/University has the most l33t students. Carnegie Mellon and Georgia Institute of Tech are at the top of the leader-board as of Saturday morning.

Last year, 3,300 students (from 481 schools) participated, with 15 completing all six tasks. One Carnegie Mellon student finished in less than 18 hours.

A resources page offers "information on reverse engineering," and the NSA says the first 50 students who complete all the tasks ths year will receive a "small token" of appreciation from the agency.
Security

Security.txt Standard Proposed, Similar To Robots.txt (bleepingcomputer.com) 84

An anonymous reader writes: Ed Foudil, a web developer and security researcher, has submitted a draft to the IETF — Internet Engineering Task Force — seeking the standardization of security.txt, a file that webmasters can host on their domain root and describe the site's security policies. The file is akin to robots.txt, a standard used by websites to communicate and define policies for web and search engine crawlers...

For example, if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue. According to the current security.txt IETF draft, website owners would be able to create security.txt files that look like this:

#This is a comment
Contact: security@example.com
Contact: +1-201-555-0123
Contact: https://example.com/security
Encryption: https://example.com/pgp-key.tx...
Acknowledgement: https://example.com/acknowledg...
Disclosure: Full

Bug

Equifax CSO 'Retires'. Known Bug Was Left Unpatched For Nearly Five Months (marketwatch.com) 196

phalse phace quotes MarketWatch: Following on the heels of a story that revealed that Equifax hired a music major with no education related to technology or security as its Chief Security Officer, Equifax announced on Friday afternoon that Chief Security Officer Susan Mauldin has quit the company along with Chief Information Officer David Webb.

Chief Information Officer David Webb and Chief Security Officer Susan Mauldin retired immediately, Equifax said in a news release that did not mention either of those executives by name. Mark Rohrwasser, who had been leading Equifax's international information-technology operations since 2016, will replace Webb and Russ Ayres, a member of Equifax's IT operation, will replace Mauldin.

The company revealed Thursday that the attackers exploited Apache Struts bug CVE-2017-5638 -- "identified and disclosed by U.S. CERT in early March 2017" -- and that they believed the unauthorized access happened from May 13 through July 30, 2017.

Thus, MarketWatch reports, Equifax "admitted that the security hole that attackers used was known in March, about two months before the company believes the breach began." And even then, Equifax didn't notice (and remove the affected web applications) until July 30.
The Military

Mystery of Sonic Weapon Attacks At US Embassy In Cuba Deepens (theguardian.com) 214

An anonymous reader quotes a report from The Guardian: The blaring, grinding noise jolted the American diplomat from his bed in a Havana hotel. He moved just a few feet, and there was silence. He climbed back into bed. Inexplicably, the agonizing sound hit him again. It was as if he'd walked through some invisible wall cutting straight through his room. Soon came the hearing loss, and the speech problems, symptoms both similar and altogether different from others among at least 21 U.S. victims in an astonishing international mystery still unfolding in Cuba. The top U.S. diplomat has called them "health attacks." New details learned by the Associated Press indicate at least some of the incidents were confined to specific rooms or even parts of rooms with laser-like specificity, baffling U.S. officials who say the facts and the physics don't add up.

Suspicion initially focused on a sonic weapon, and on the Cubans. Yet the diagnosis of mild brain injury, considered unlikely to result from sound, has confounded the FBI, the state department and U.S. intelligence agencies involved in the investigation. Some victims now have problems concentrating or recalling specific words, several officials said, the latest signs of more serious damage than the U.S. government initially realized. The United States first acknowledged the attacks in August -- nine months after symptoms were first reported.

Privacy

Credit Karma To Launch Free ID Monitoring Following Equifax Hack (reuters.com) 24

Credit Karma is launching a new free service that will alert customers if their identity data has been compromised in hacks, the San Francisco-based fintech company said on Friday in the wake of massive breach at credit monitoring agency Equifax. From a report: The new ID monitoring service is being tested and will be available in October, the company said on Friday. Similar to services offered by Symantec-owned LifeLock, CreditKarma will keep track of data breaches and tell customers if they are one of the victims. Customers can then check to use the company's credit monitoring services and flag suspicious activities. The company said it was accelerating the launch of the new service in response to the large data breach at Equifax, where thieves may have stolen personal information of 143 million Americans.
Security

Warning: 'MetalKettle' Repository For Kodi Becomes Vulnerable After GitHub Takeover (betanews.com) 28

BrianFagioli shares a report from BetaNews: Unfortunately, there can apparently be security issues with repositories when they shut down. For example, when the metalkettle repo ended, the developer deleted its entry on GitHub. This in itself is not a cause for concern, but unfortunately, GitHub's allowance of project names to be recycled is. You see, someone re-registered the metalkettle name, making it possible for nefarious people to potentially serve up malware to Kodi users. The warning came from the metalkettle developer over on Twitter. He warns that devices with the repository installed could be in danger from a security standpoint. If a user was to search that repo, and the new owner of the GitHub name was to share malware, the user could assume it is safe and install it. We do not know 100 percent if the person that re-registered the metalkettle name on GitHub is planning anything evil, but it is better to be safe than sorry. If you still have the repository installed, you should remove it immediately. Not to mention, if you know someone using Kodi, such as a friend or family member, you should warn them too.

Slashdot Top Deals