Australia

Australian Officials Want Encryption Laws To Fight 'Terrorist Messaging' (arstechnica.com) 145

An anonymous reader quotes Ars Technica: Two top Australian government officials said Sunday that they will push for "thwarting the encryption of terrorist messaging" during an upcoming meeting next week of the so-called "Five Eyes" group of English-speaking nations that routinely share intelligence... According to a statement released by Attorney General George Brandis, and Peter Dutton, the country's top immigration official, Australia will press for new laws, pressure private companies, and urge for a new international data sharing agreement amongst the quintet of countries... "Within a short number of years, effectively, 100 per cent of communications are going to use encryption," Brandis told Australian newspaper The Age recently. "This problem is going to degrade if not destroy our capacity to gather and act upon intelligence unless it's addressed"... Many experts say, however, that any method that would allow the government access even during certain situations would weaken overall security for everyone.
America's former American director of national intelligence recently urged Silicon Valley to "apply that same creativity, innovation to figuring out a way that both the interests of privacy as well as security can be guaranteed." Though he also added, "I don't know what the answer is. I'm not an IT geek, but I just don't think we're in a very good place right now."
Security

Anthem To Pay $115 Million In The Largest Data Breach Settlement Ever (cnet.com) 47

An anonymous reader quotes CNET: Anthem, the largest health insurance company in the U.S., has agreed to settle a class action lawsuit over a 2015 data breach for a record $115 million, according to lawyers for the plaintiffs. The settlement still has to be approved by US District Court Judge Lucy Koh, who is scheduled to hear the case on August 17 in San Jose, California. And Anthem, which didn't immediately respond to a request for confirmation and comment, isn't admitting any admitting any wrongdoing, according to a statement it made to CyberScoop acknowledging the settlement.

But if approved, it would be the largest data breach settlement in history, according to the plaintiffs' lawyers, who announced the agreement Friday. The funds would be used to provide victims of the data breach at least two years of credit monitoring and to reimburse customers for breach-related expenses. The settlement would also guarantee a certain level of funding for "information security to implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls," the plaintiff attorneys said.

The breach compromised data for 80 million people, including their social security numbers, birthdays, street addresses (and email addresses) as well as income data. The $115 million settlement averages out to $1.43 for every person who was affected.
Wireless Networking

How A Contractor Exploited A Vulnerability In The FCC Website (wirelessestimator.com) 68

RendonWI writes: A Wisconsin wireless contractor discovered a flaw in the FCC's Antenna Structure Registration (ASR) database, and changed the ownership of more than 40 towers from multiple carriers and tower owners into his company's name during the past five months without the rightful owners being notified by the agency, according to FCC documents and sources knowledgeable of the illegal transfers. Sprint, AT&T and key tower companies were targeted in the wide-ranging thefts... Changing ASR ownership is an easy process by applying online for an FCC Registration Number (FRN) which is instantly granted whether the factual or inaccurate information is provided. Then, once logged in, an FRN holder can submit a form stating that they are the new owner of any or multiple structures in the database. As soon as it is submitted, the change is immediately reflected in the ASR.
United States

Does US Have Right To Data On Overseas Servers? We're About To Find Out (arstechnica.com) 248

Long-time Slashdot reader quotes Ars Technica: The Justice Department on Friday petitioned the US Supreme Court to step into an international legal thicket, one that asks whether US search warrants extend to data stored on foreign servers. The US government says it has the legal right, with a valid court warrant, to reach into the world's servers with the assistance of the tech sector, no matter where the data is stored.

The request for Supreme Court intervention concerns a 4-year-old legal battle between Microsoft and the US government over data stored on Dublin, Ireland servers. The US government has a valid warrant for the e-mail as part of a drug investigation. Microsoft balked at the warrant, and convinced a federal appeals court that US law does not apply to foreign data.

According to the article, the U.S. government told the court that national security was at risk.
Security

Account Registrations Enable 'Password Reset Man In The Middle' Attacks (helpnetsecurity.com) 75

"Attackers that have set up a malicious site can use users' account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications, researchers have demonstrated." Orome1 quotes Help Net Security: The Password Reset Man in the Middle attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource. Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on). Every request for input from that site is forwarded to the potential victim, and then his or her answers forwarded back to that particular site.
Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.
Bug

Researcher Finds Critical OpenVPN Bug Using Fuzzing (zdnet.com) 47

"Guido Vranken recently published 4 security vulnerabilities in OpenVPN on his personal blog," writes long-time Slashdot reader randomErr -- one of which was a critical remote execution bug. Though patches have been now released, there's a lesson to be learned about the importance of fuzzing -- bug testing with large amounts of random data -- Guido Vranken writes: Most of these issues were found through fuzzing. I hate admitting it, but...the arcane art of reviewing code manually, acquired through grueling practice, are dwarfed by the fuzzer in one fell swoop; the mortal's mind can only retain and comprehend so much information at a time, and for programs that perform long cycles of complex, deeply nested operations it is simply not feasible to expect a human to perform an encompassing and reliable verification.
ZDNet adds that "OpenVPN's audits, carried out over the past two years, missed these major flaws. While a handful of other bugs are found, perhaps OpenVPN should consider adding fuzzing to their internal security analysis in the future."

Guido adds on his blog, "This was a labor of love. Nobody paid me to do this. If you appreciate this effort, please donate BTC..."
United Kingdom

UK Parliament Emails Closed After 'Sustained And Determined' Cyber-Attack (theguardian.com) 44

An anonymous reader quotes the Guardian: Parliament has been hit by a "sustained and determined" cyber-attack by hackers attempting to gain access to MPs' and their staffers' email accounts. Both houses of parliament were targeted on Friday in an attack that sought to gain access to accounts protected by weak passwords... The estate's digital services team said they had made changes to accounts to block out the hackers, and that the changes could mean staff were unable to access their emails...

The international trade secretary, Liam Fox, told ITV News the attack was a "warning to everyone we need more security and better passwords. You wouldn't leave your door open at night." In an interview with the BBC, he added: "We know that there are regular attacks by hackers attempting to get passwords. We have seen reports in the last few days of even Cabinet ministers' passwords being for sale online. We know that our public services are attacked, so it is not at all surprising that there should be an attempt to hack into parliamentary emails."

One member of Parliament posted on Twitter "Sorry, no parliamentary email access today â" we're under cyber-attack from Kim Jong-un, Putin or a kid in his mom's basement or something." He added later, "I'm off to the pub."
Government

Obama Authorized a Secret Cyber Operation Against Russia, Says Report (engadget.com) 222

Jessica Conditt reports via Engadget: President Barack Obama learned of Russia's attempts to hack U.S. election systems in early August 2016, and as intelligence mounted over the following months, the White House deployed secrecy protocols it hadn't used since the 2011 raid on Osama bin Laden's compound, according to a report by The Washington Post. Apparently, one of the covert programs Obama, the CIA, NSA and other intelligence groups eventually put together was a new kind of cyber operation that places remotely triggered "implants" in critical Russian networks, ready for the U.S. to deploy in the event of a pre-emptive attack. The downed Russian networks "would cause them pain and discomfort," a former U.S. official told The Post. The report says CIA director John Brennan, Obama and other officials had at least four "blunt" conversations with Russian officials about its cyber intrusions beginning August 4th. Obama confronted Vladimir Putin in person during a meeting of world leaders in China this past September, the report says, and his administration even sent Russia a warning through a secure channel originally designed to help the two countries avoid a nuclear strike. Moscow apparently responded one week later -- after the U.S. election -- denying the accusation.
Operating Systems

32TB of Windows 10 Internal Builds, Core Source Code Leak Online (theregister.co.uk) 200

According to an exclusive report via The Register, "a massive trove of Microsoft's internal Windows operating system builds and chunks of its core source code have leaked online." From the report: The data -- some 32TB of installation images and software blueprints that compress down to 8TB -- were uploaded to betaarchive.com, the latest load of files provided just earlier this week. It is believed the data has been exfiltrated from Microsoft's in-house systems since around March. The leaked code is Microsoft's Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code. Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels. In addition to this, hundreds of top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public, have been leaked along with copies of officially released versions.
Network

WikiLeaks Doc Dump Reveals CIA Tools For Hacking Air-Gapped PCs (bleepingcomputer.com) 72

An anonymous reader writes: "WikiLeaks dumped today the manuals of several hacking utilities part of Brutal Kangaroo, a CIA malware toolkit for hacking into air-gapped (offline) networks using tainted USB thumb drives," reports Bleeping Computer. The CIA uses these tools as part of a very complex attack process, that allows CIA operatives to infect offline, air-gapped networks. The first stage of these attacks start with the infection of a "primary host," an internet-connected computer at a targeted company. Malware on this primary host automatically infects all USB thumb drives inserted into the machine. If this thumb drive is connected to computers on an air-gapped network, a second malware is planted on these devices. This malware is so advanced, that it can even create a network of hacked air-gapped PCs that talk to each other and exchange commands. To infect the air-gapped computers, the CIA malware uses LNK (shortcut) files placed on the USB thumb drive. Once the user opens and views the content of the thumb drive in Windows Explorer, his air-gapped PC is infected without any other interaction.
Government

Victims Aren't Reporting Ransomware Attacks, FBI Report Concludes (bleepingcomputer.com) 85

Catalin Cimpanu, writing for BleepingComputer: Despite being an expanding threat, ransomware infections are rarely reported to law enforcement agencies, according to conclusions from the 2016 Internet Crime Report (PDF), released yesterday by the FBI's Internet Crime Complaint Center (IC3). During 2016, FBI IC3 officials said they received only 2,673 complaints regarding ransomware incidents, which ranked ransomware as the 22nd most reported cyber-crime in the US, having caused just over $2.4 million in damages (ranked 25th). The numbers are ridiculously small compared to what happens in the real world, where ransomware is one of today's most prevalent cyber-threats, according to multiple reports from cyber-security companies.
Security

Under Pressure, Western Tech Firms Including Cisco and IBM Bow To Russian Demands To Share Cyber Secrets (reuters.com) 110

An anonymous reader shares a Reuters report: Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found. Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems. But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code -- instructions that control the basic operations of computer equipment -- current and former U.S. officials and security experts said. [...] In addition to IBM, Cisco and Germany's SAP, Hewlett Packard Enterprise Co and McAfee have also allowed Russia to conduct source code reviews of their products, according to people familiar with the companies' interactions with Moscow and Russian regulatory records.
Microsoft

Microsoft Claims 'No Known Ransomware' Runs on Windows 10 S. Researcher Says 'Hold My Beer' (zdnet.com) 125

Earlier this month, Microsoft said "no Windows 10 customers were known to be compromised by the recent WannaCry (WannaCrypt) global cyberattack," adding that "no known ransomware works against Windows 10 S." News outlet ZDNet asked a security researcher to see how good Microsoft's claims were. Turns out, not much. From the report: We asked Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, a simple enough question: Will ransomware install on this operating system? It took him a little over three hours to bust the operating system's various layers of security, but he got there. "I'm honestly surprised it was this easy," he said in a call after his attack. "When I looked at the branding and the marketing for the new operating system, I thought they had further enhanced it. I would've wanted more restrictions on trying to run privileged processes instead of it being such a short process."
Businesses

Samsung Begins Production For Its First Internet of Things-optimised Exynos Processor (zdnet.com) 50

An anonymous reader shares a report: Samsung Electronics has launched the Exynos i T200, its first processor optimised for Internet of Things (IoT) devices, the company has announced. The South Korean tech giant said the chip has upped security and supports wireless connections, with hopes of giving it an advantage in the expanding IoT market. The Exynos i T200 applies Samsung's 28-nanometer High-K Metal Gate process and has multiple cores, with the Cortex-R4 doing the heavy lifting and an independently operating Cortex-M0+ allowing for multifunctionality. For example, if applied to a refrigerator, Cotext-R4 will run the OS and Cotex-M0+ will power LED displays on the doors.
Businesses

Trump Plans To Dismantle Obama-Era 'Startup Visa' (arstechnica.com) 316

An anonymous reader quotes a report from Ars Technica: A regulation from the Obama administration that would have allowed foreign-born entrepreneurs who raise investor cash to build their startups in the U.S. won't be allowed to go into effect. The Department of Homeland Security will file an official notice to delay the International Entrepreneur Rule for eight months. The intention is to eliminate the rule entirely, according to sources briefed on the matter who spoke to The Wall Street Journal. The decision isn't final, and a DHS spokesperson told the WSJ that the department "cannot speculate" on the outcome of the review. The International Entrepreneur Rule, signed by former President Obama days before he left office in January, doesn't offer a visa but rather a type of "parole" that would allow immigrants to stay in the U.S. temporarily as long as they meet certain requirements. In order to qualify, a foreign entrepreneur has to raise at least $250,000 from well-known U.S. investors. The rule grants a stay in the U.S. of 30 months, which can be extended for an additional 30 months. Founders can't apply for a green card during that time. DHS has estimated about 3,000 entrepreneurs would qualify under the rule.
Security

Fireball Browser Hijack Impact Revised After Microsoft Analysis (eweek.com) 10

Sean Michael Kerner, writing for eWeek: A browser hijacking operation initially reported to have 250 million victims by security firm Check Point isn't quite that large, according to a new analysis by Microsoft. On June 1, security firm Check Point reported that a browser hijacking operation called "Fireball" had already claimed 250 million victims. According to a Microsoft analysis published June 22, Check Point's estimate of the number of victims was "overblown" and the attack is not nearly as widespread as initially reported. The Fireball attack is a browser hijacking that is potentially able to download malware onto victims' systems, as well as manipulate pageviews and redirect search requests. Check Point's initial analysis claimed that Fireball was being bundled as part of free software downloads to unsuspecting users. "Indeed, we have been working with Microsoft on their analysis, feeding them with some additional data," Maya Horowitz, group manager of threat intelligence at Check Point, said in a statement sent to eWEEK. "We tried to reassess the number of infections, and from recent data we know for sure that numbers are at least 40 million, but could be much more."
Firefox

Chrome and Firefox Headless Modes May Spur New Adware & Clickfraud Tactics (bleepingcomputer.com) 80

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.
Microsoft

Microsoft Admits Disabling Anti-Virus Software For Windows 10 Users (bbc.com) 206

An anonymous reader quotes a report from the BBC: Microsoft has admitted that it does temporarily disable anti-virus software on Windows PCs, following an competition complaint to the European Commission by a security company. In early June, Kaspersky Lab filed the complaint against Microsoft. The security company claims the software giant is abusing its market dominance by steering users to its own anti-virus software. Microsoft says it implemented defenses to keep Windows 10 users secure. In an extensive blog post that does not directly address Kaspersky or its claims, Microsoft says it bundles the Windows Defender Antivirus with Windows 10 to ensure that every single device is protected from viruses and malware. To combat the 300,000 new malware samples being created and spread every day, Microsoft says that it works together with external anti-virus partners. The technology giant estimates that about 95% of Windows 10 PCs were using anti-virus software that was already compatible with the latest Windows 10 Creators Update. For the applications that were not compatible, Microsoft built a feature that lets users update their PCs and then reinstall a new version of the anti-virus software. "To do this, we first temporarily disabled some parts of the AV software when the update began. We did this work in partnership with the AV partner to specify which versions of their software are compatible and where to direct customers after updating," writes Rob Lefferts, a partner director of the Windows and Devices group in enterprise and security at Microsoft.
Software

NSA Opens GitHub Account, Lists 32 Projects Developed By the Agency (thehackernews.com) 64

An anonymous reader quotes a report from The Hacker News: The National Security Agency (NSA) -- the United States intelligence agency which is known for its secrecy and working in the dark -- has finally joined GitHub and launched an official GitHub page. GitHub is an online service designed for sharing code amongst programmers and open source community, and so far, the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program (TTP), while some of these are "coming soon." "The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace," the agency wrote on the program's page. "OSS invites the cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community's enhancements to the technology." Many of the projects the agency listed are years old that have been available on the Internet for some time. For example, SELinux (Security-Enhanced Linux) has been part of the Linux kernel for years.
Network

Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer? 233

Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?

Slashdot Top Deals