Slashdot Mirror

An anonymous reader writes: The author of BrickerBot -- the malware that bricks IoT devices -- has announced his retirement in an email to Bleeping Computer, also claiming to have bricked over 10 million devices since he started the "Internet Chemotherapy" project in November 2016. Similar to the authors of the Mirai malware, the BrickerBot developer dumped his malware's source code online, allowing other crooks to profit from his code. The code is said to contain at least one zero-day. In a farewell message left on hundreds of hacked routers, the BrickerBot author also published a list of incidents (ISP downtimes) he caused, while also admitting he is likely to have drawn the attention of law enforcement agencies. "There's also only so long that I can keep doing something like this before the government types are able to correlate my likely network routes (I have already been active for far too long to remain safe). For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am," the hacker said.

Three hackers responsible for creating the massive Mirai botnet that knocked large swathes of the internet offline last year have pleaded guilty. Brian Krebs reports: The U.S. Justice Department on Tuesday unsealed the guilty pleas of two men (Editor's note: three men) first identified in January 2017 by KrebsOnSecurity as the likely co-authors of Mirai, a malware strain that remotely enslaves so-called "Internet of Things" devices such as security cameras, routers, and digital video recorders for use in large scale attacks designed to knock Web sites and entire networks offline (including multiple major attacks against this site). Entering guilty pleas for their roles in developing and using Mirai are 21-year-old Paras Jha from Fanwood, N.J. and Josiah White, 20, from Washington, Pennsylvania. Jha and White were co-founders of Protraf Solutions LLC, a company that specialized in mitigating large-scale DDoS attacks. Like firemen getting paid to put out the fires they started, Jha and White would target organizations with DDoS attacks and then either extort them for money to call off the attacks, or try to sell those companies services they claimed could uniquely help fend off the attacks. Editor's note: The story was updated to note that three men have pleaded guilty. -- not two as described in some reports.

Tech support scammers have been aggressively posting on Spotify forums to inject their phone numbers in a bid to vastly improve their odds of showing up on Google and Bing search results, a new report claims. And that bet seems to be working. From the report: They do this by submitting a constant stream of spam posts to the Spotify forums, whose pages tend to rank well in Google. While this behavior causes the Spotify forums to become harder to use for those who have valid questions, the bigger problem is that it allows tech support scammers to rank extremely well and trick unknowing callers into purchasing unnecessary services and software. BleepingComputer was alerted to this problem by security researcher Cody Johnston who started to see an alarming amount of tech support scam phone numbers being listed in Google search results through indexed Spotify forum posts. The tech support scams being posted to Spotify include Tinder, Linksys, AOL, Turbotax, Coinbase, Amazon, Apple, Microsoft, Norton, McAfee and more.

Several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks, according to research presented at the Black Hat Europe 2017 security conference. An anonymous reader writes: The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi, who says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.

Fuzzing involves providing invalid, unexpected, or random data as input to a software application. The researcher created his own fuzzing framework named XDiFF that broke down programming languages per each of its core functions and fuzzed each one for abnormalities. His work exposed severe flaws in all five languages, such as a hidden flaw in PHP constant names that can be abused to perform remote code execution, and undocumented Python methods that can be used for OS code execution. Arnaboldi argues that attackers can exploit these flaws even in the most secure applications built on top of these programming languages.

An anonymous reader quotes a report from Bleeping Computer: Yesterday, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called "Process Doppelganging." This new attack works on all Windows versions and researchers say it bypasses most of today's major security products. Process Doppelganging is somewhat similar to another technique called "Process Hollowing," but with a twist, as it utilizes the Windows mechanism of NTFS Transactions.

"The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine," Tal Liberman & Eugene Kogan, the two enSilo researchers who discovered the attack told Bleeping Computer. "Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection. In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind." The good news is that "there are a lot of technical challenges" in making Process Doppelganging work, and attackers need to know "a lot of undocumented details on process creation." The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows." More research on the attack will be published on the Black Hat website in the following days.

An anonymous reader writes: Nearly 5,500 WordPress sites are infected with a malicious script that logs keystrokes and sometimes loads an in-browser cryptocurrency miner. The malicious script is being loaded from the "cloudflare.solutions" domain, which is not affiliated with Cloudflare in any way, and logs anything that users type inside form fields as soon as the user switches away from an input field. The script is included on both the sites' frontends and backends, meaning it can steal both admin account credentials and credit card data from WP sites running e-commerce stores. According to site source code search engine PublicWWW, there are 5,496 sites running this keylogger. The attacker has been active since April.

Catalin Cimpanu, writing for BleepingComputer: Over the course of the last four days, Apple has released updates to address security issues for several products, such as macOS High Sierra, Safari, watchOS, tvOS, and iOS. The most relevant security update is the one to macOS, as it also permanently fixes the bug that allowed attackers to access macOS root accounts without having to type a password. Apple issued a patch for the bug the next day after it was discovered, but because the patch was delivered as an out-of-band update that did not alter the macOS version number, when users from older macOS versions updated to 10.13.1 (the vulnerable version), the bug was still present. With today's update, the patch for the bug -- now known as "IAmRoot" (CVE-2017-13872) -- has received a permanent fix. All users who upgrade to macOS High Sierra 10.13.2 are safe.

Catalin Cimpanu, writing for BleepingComputer: German authorities are preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations. The law would target all modern devices, such as cars, phones, computers, IoT products, and more. Officials are expected to submit their proposed law for debate this week, according to local news outlet RedaktionsNetzwerk Deutschland (RND). The man supporting this proposal is Thomas de Maiziere, Germany's Interior Minister, who cites the difficulty law enforcement agents have had in past months investigating the recent surge of terrorist attacks and other crimes.

New submitter Kargan shares a report from BleepingComputer: PayPal says that one of the companies it recently acquired suffered a security incident during which an attacker appears to have accessed servers that stored information for 1.6 million customers. The victim of the security breach is TIO Networks, a Canadian company that runs a network of over 60,000 utility and bills payment kiosks across North America. PayPal acquired TIO Networks this past July for $238 million in cash. PayPal reportedly suspended the operations of TIO's network on November 10th. "PayPal says the intruder(s) got access to the personal information of both TIO customers and customers of TIO billers," reports BleepingComputer. "The company did not reveal what type of information the attacker accessed, but since this is a payment system, attackers most likely obtained both personally-identifiable information (PII) and financial details." The company has started notifying customers and is offering free credit monitoring memberships.

An anonymous reader writes: A Michigan man pleaded guilty last week to hacking the computer network of the Washtenaw County Jail, where he modified inmate records in an attempt to have an inmate released early. To breach the jail's network, the attacker used only spear-phishing emails and telephone social engineering.

The man called jail employees and posed as local IT staffers, tricking some into accessing a website, and downloading and installing malware under the guise of a jail system upgrade. Once the man (Konrads Voits) had access to this data, investigators said he accessed the XJail system, searched and accessed the records of several inmates, and modified at least one entry "in an effort to get that inmate released early." Jail employees noticed the modification right away and alerted the FBI. The man as arrested a month later and is now awaiting sentencing (maximum 10 years and a fine of up to $250,000).

An anonymous reader quotes Bleeping Computer: PHP got a whole lot more secure this week with the release of the 7.2 branch, a version that improves and modernizes the language's support for cryptography and password hashing algorithms.

Of all changes, the most significant is, by far, the support for Argon2, a password hashing algorithm developed in the early 2010s. Back in 2015, Argon2 beat 23 other algorithms to win the Password Hashing Competition, and is now in the midst of becoming a universally recognized Internet standard at the Internet Engineering Task Force (IETF), the reward for winning the contest. The algorithm is currently considered to be superior to Bcrypt, today's most widely used password hashing function, in terms of both security and cost-effectiveness, and is also slated to become a favorite among cryptocurrencies, as it can also handle proof-of-work operations.

The other major change in PHP 7.2 was the removal of the old Mcrypt cryptographic library from the PHP core and the addition of Libsodium, a more modern alternative.

An anonymous reader quotes Bleeping Computer: PHP got a whole lot more secure this week with the release of the 7.2 branch, a version that improves and modernizes the language's support for cryptography and password hashing algorithms.

Of all changes, the most significant is, by far, the support for Argon2, a password hashing algorithm developed in the early 2010s. Back in 2015, Argon2 beat 23 other algorithms to win the Password Hashing Competition, and is now in the midst of becoming a universally recognized Internet standard at the Internet Engineering Task Force (IETF), the reward for winning the contest. The algorithm is currently considered to be superior to Bcrypt, today's most widely used password hashing function, in terms of both security and cost-effectiveness, and is also slated to become a favorite among cryptocurrencies, as it can also handle proof-of-work operations.

The other major change in PHP 7.2 was the removal of the old Mcrypt cryptographic library from the PHP core and the addition of Libsodium, a more modern alternative.

Catalin Cimpanu, writing for BleepingComputer: Google has laid out a plan for blocking third-party applications from injecting code into the Chrome browser. The most impacted by this change are antivirus and other security products that often inject code into the user's local browser process to intercept and scan for malware, phishing pages, and other threats. Google says these changes will take place in three main phases over the next 14 months. Phase 1: In April 2018, Chrome 66 will begin showing affected users a warning after a crash, alerting them that other software is injecting code into Chrome and guiding them to update or remove that software. Phase 2: In July 2018, Chrome 68 will begin blocking third-party software from injecting into Chrome processes. If this blocking prevents Chrome from starting, Chrome will restart and allow the injection, but also show a warning that guides the user to remove the software. Phase 3: In January 2019, Chrome 72 will remove this accommodation and always block code injection.

An anonymous reader shares a report from BleepingComputer: The Russian government plans to build its own "independent internet infrastructure" that will be used by BRICS member states -- Brazil, Russia, India, China, and South Africa. The plan was part of the topic list at the October meeting of the Russian Security Council, and President Vladimir Putin approved the initiative with a completion deadline of August 1, 2018, according to Russian news agency RT. The Russian Security Council has today formally asked the country's government to start the building of a backup global DNS system that Russia and fellow BRICS member states could use. The Russian Security Council cited the "increased capabilities of western nations to conduct offensive operations in the informational space." Russia, China, and many other countries have criticized the U.S. for hoarding control over the domain naming system (DNS), a position they claim has allowed the U.S. to intercept and tap global internet traffic. The U.S. has relinquished control over the DNS system last year.

An Android update that Blu shipped to Blu One Life X2 smartphones yesterday, November 28, has locked people out of their phones. From a report: On forums, Reddit, and Blu's official Facebook page, users are complaining that after applying the update and rebooting the device, their phone won't recognize their password, PIN code, or pattern lock, even if users are 100% sure they are entering the correct data. Bleeping Computer has independently verified this bug. "I updated my BLU Life One X2 around 2 hours ago. It asks for a password in order to access Android," said one of the Blu users facing this problem. "I am completely locked out of my phone. Ever single password used is marked incorrect." After ten "failed" login attempts, the user's data is wiped from the device, according to the standard Android OS behavior.

It hasn't been long since Lenovo settled a massive $3.5 million fine for preinstalling adware on laptops without users' consent, and it appears HP is on to the same route already. According to numerous reports gathered by news outlet Computer World, the brand is deploying a telemetry client on customer computers without asking permission. The software, called "HP Touchpoint Analytics Service", appears to replace the self-managed HP Touchpoint Manager solution. To make matter worse, the suite seems to be slowing down PCs, users say. From the report: Dubbed "HP Touchpoint Analytics Service," HP says it "harvests telemetry information that is used by HP Touchpoint's analytical services." Apparently, it's HP Touchpoint Analytics Client version 4.0.2.1435. There are dozens of reports of this new, ahem, service scattered all over the internet. According to Gunter Born, reports of the infection go all the way back to Nov. 15, when poster MML on BleepingComputer said: "After the latest batch of Windows updates, about a half hour after installing the last, I noticed that this had been installed on my computer because it showed up in the notes of my Kaspersky, and that it opened the Windows Dump File verifier and ran a disk check and battery test." According to Gartner, HP was the largest PC vendor in the quarter that ended in September this year.

Catalin Cimpanu, reporting for BleepingComputer: A collaborative effort between the Yale Privacy Lab and Exodus Privacy has shed light on dozens of invasive trackers that are embedded within Android apps and record user activity, sometimes without user consent. The results of this study come to show that the practice of collecting user data via third-party tracking code has become rampant among Android app developers and is now on par with what's happening on most of today's popular websites. The two investigative teams found tracking scripts not only in lesser known Android applications, where one might expect app developers to use such practices to monetize their small userbases, but also inside highly popular apps -- such as Uber, Twitter, Tinder, Soundcloud, or Spotify. The Yale and Exodus investigation resulted in the creation of a dedicated website that now lists all apps using tracking code and a list of trackers, used by these apps. In total, researchers said they identified 44 trackers embedded in over 300 Android apps.

Yahoo Groups were nonfunctional all last week, according to customers complaining on the company's support forum and Twitter. From a report: Yahoo Groups, which is a hybrid between a classic discussion board (forum) and a mailing list, was recently acquired by Verizon. The issues appear to have started last Sunday, November 17, when users began complaining that they could not access the site, and when the site was up, users could not start new discussions and post new messages. In addition, when posting messages and starting new topics was possible, Groups would not send email notifications to the other group participants. Similarly, Yahoo Groups would not create web posts for replies people sent in via email.

Catalin Cimpanu, writing for BleepingComputer: With both Bitcoin and Ethereum price hitting all-time highs in the past seven days, cyber-criminals have stepped up efforts to search and steal funds stored in these two cryptocurrencies. These mass Internet scanning campaigns have been recently picked up by various honeypots installed by security researchers across the Internet. The first of these, aimed at Bitcoin owners, was picked up by security researcher Didier Stevens over the weekend, just two days before Bitcoin was about to jump from $7,000 to over $8,000.

An anonymous reader writes: Mozilla engineers are working on a notifications system for Firefox that shows a security warning to users visiting sites that have suffered data breaches. The notifications system will use data provided by Have I Been Pwned?, a website that indexes public data breaches and allows users to search and see if their details have been compromised in any of these incidents. Work on this project has only recently started. The code to show these warnings is not even in the Firefox codebase but managed separately as an add-on available (on GitHub). The alert also includes an input field. In the add-ons current version this field doesn't do anything, but we presume it's there to allow users to search and see if their data was exposed during that site's security breach. Troy Hunt, Have I Been Pwned's author has confirmed his official collaboration with Mozilla on this feature.

An anonymous reader shares a report: Microsoft is providing a free virtual machine that comes preloaded with Windows 10 Enterprise, Visual Studio 2017, and various utilities in order to promote the development of Universal Windows Platform apps. Before you get too excited about a free version of Windows 10 Enterprise, this Virtual Machine will expire on January 15th 2018. When downloading the development environment, you can choose either a VMware, VirtualBox, Hyper-V, or Parallels virtual machine depending on what virtual machine software you use. Each of these images are about 17-20GB when extracted from the downloaded archive and include almost everything you need to develop Universal Windows Platform apps.

An anonymous reader writes: Unbeknown to most users, Mozilla added a privacy-enhancing feature to the Firefox browser over the summer that can help users block online advertisers from tracking them across the Internet. The feature is named First-Party Isolation (FPI) and was silently added to the Firefox browser in August, with the release of Firefox 55. FPI works by separating cookies on a per-domain basis.

This is important because most online advertisers drop a cookie on the user's computer for each site the user visits and the advertisers loads an ad. With FPI enabled, the ad tracker won't be able to see all the cookies it dropped on that user's PC, but only the cookie created for the domain the user is currently viewing. This will force the ad tracker to create a new user profile for each site the user visits and the advertiser won't be able to aggregate these cookies and the user's browsing history into one big fat profile. This feature was first implemented in the Tor Browser, a privacy-focused fork of the Firefox browser managed by the Tor Project, where it is known as Cross-Origin Identifier Unlinkability. FPI was added to Firefox as part of the Tor Uplift project, an initiative to bolster the Firefox codebase with some of the Tor Browser's unique privacy-focused features. The feature is not enabled by default. Information on how to enable it is in the linked article.

An anonymous reader writes: Windows 8, Windows 8.1, and subsequent Windows 10 variations fail to properly apply ASLR, rendering this crucial Windows security feature useless. The bug appeared when Microsoft changed a registry value in Windows 8 and occurs only in certain ASLR configuration modes. Basically, if users have enabled system-wide ASLR protection turned on, a bug in ASLR's implementation on Windows 8 and later will not generate enough entropy (random data) to start application binaries in random memory locations. For ASLR to work properly, users must configure it to work in a system-wide bottom-up mode. An official patch from Microsoft is not available yet, but a registry hack can be applied to make sure ASLR starts in the correct mode.

The bug was discovered by CERT vulnerability analyst Will Dormann while investigating a 17-years-old bug in the Microsoft Office equation editor, to which Microsoft appears to have lost the source code and needed to patch it manually.

An anonymous reader writes: Windows 8, Windows 8.1, and subsequent Windows 10 variations fail to properly apply ASLR, rendering this crucial Windows security feature useless. The bug appeared when Microsoft changed a registry value in Windows 8 and occurs only in certain ASLR configuration modes. Basically, if users have enabled system-wide ASLR protection turned on, a bug in ASLR's implementation on Windows 8 and later will not generate enough entropy (random data) to start application binaries in random memory locations. For ASLR to work properly, users must configure it to work in a system-wide bottom-up mode. An official patch from Microsoft is not available yet, but a registry hack can be applied to make sure ASLR starts in the correct mode.

The bug was discovered by CERT vulnerability analyst Will Dormann while investigating a 17-years-old bug in the Microsoft Office equation editor, to which Microsoft appears to have lost the source code and needed to patch it manually.

An anonymous reader quotes a report from Bleeping Computer: The European Union (EU) has voted on Tuesday, November 14, to pass the new Consumer Protection Cooperation regulation, a new EU-wide applicable law that gives extra power to national consumer protection agencies, but which also contains a vaguely worded clause that also grants them the power to block and take down websites without judicial oversight. The new law "establishes overreaching Internet blocking measures that are neither proportionate nor suitable for the goal of protecting consumers and come without mandatory judicial oversight," Member of the European Parliament Julia Reda said in a speech in the European Parliament Plenary during a last ditch effort to amend the law. "According to the new rules, national consumer protection authorities can order any unspecified third party to block access to websites without requiring judicial authorization," Reda added later in the day on her blog. This new law is an EU regulation and not a directive, meaning its obligatory for all EU states, which do not have to individually adopt it.

Catalin Cimpanu, writing for BleepingComputer: Mozilla will soon block the loading of data URIs in the Firefox navigation bar as part of a crackdown on phishing sites that abuse this protocol. The data: URI scheme (RFC 2397) was deployed in 1998 when developers were looking for ways to embed files in other files. What they came up with was the data: URI scheme that allows a developer to load a file represented as an ASCII-encoded octet stream inside another document. Since then, the URI scheme has become very popular with website developers as it allows them to embed text-based (CSS or JS) files or image (PNG, JPEG) files inside HTML documents instead of loading each resource via a separate HTTP request. This practice became hugely popular because search engines started ranking websites based on their page loading speed and the more HTTP requests a website made, the slower it loaded, and the more it affected a site's SERP position.

Catalin Cimpanu, writing for BleepingComputer: Some OnePlus devices, if not all, come preinstalled with an application named EngineerMode that can be used to root the device and may be converted into a fully-fledged backdoor by clever attackers. The app was discovered by a mobile security researcher who goes online by the pseudonym of Elliot Alderson -- the name of the main character in the Mr. Robot TV series. Speaking to Bleeping Computer, the researcher said he started investigating OnePlus devices after a story he saw online last month detailing a hidden stream of telemetry data sent by OnePlus devices to the company's servers.

An anonymous reader writes: "It took only two years for all browser vendors to get on the same page regarding the new WebAssembly standard, and as of October 2017, all major browsers support it," reports Bleeping Computer. Project spearheads Firefox and Chrome were the first major browsers to graduate WebAssembly from preview versions to their respective stable branches over the summer. The second wave followed in the following weeks when Chromium-based browsers like Opera and Vivaldi also rolled out the feature as soon as it was added to the Chromium stable version. The last ones to ship WebAssembly in the stable branches were Apple in Safari 11.0 and Microsoft in Microsoft Edge (EdgeHTML 16), which is the version that shipped with the Windows 10 Fall Creators Update. Both were released last month. WebAssembly, or wasm, is a bytecode format for the web, allowing developers to send JavaScript code to browsers in smaller sizes, but also to compile from C/C++/Rust to wasm directly.

Catalin Cimpanu, writing for BleepingComputer: Firefox 57, set to be released tomorrow, will ship with improvements to the browser's sandbox security feature for Linux users. The Firefox sandboxing feature isolates the browser from the operating system in a way to prevent web attacks from using a vulnerability in the browser engine and its legitimate functions to attack the underlying operating system, place malware on the filesystem, or steal local files. Chrome has always run inside a sandbox. Initially, Firefox ran only a few plugins inside a sandbox -- such as Flash, DRM, and other multimedia encoding plugins.

An anonymous reader writes: The FBI has arrested and charged a man for launching DDoS attacks against a wide range of targets, including his former employer, a Minnesota-based PoS repair shop. The man, who bought access to a VPN but didn't use it all the time, was caught after registering email accounts and sending taunting emails to victims, including his former employer. The taunting emails also included a GIF image of a laughing mouse, which eventually tied the man to the DDoS attacks as well. The guy also uploaded the image on Facebook in a post that asked people to join in DDoS attacks on banks as part of Anonymous' Operation Icarus. The suspect also created the fake email accounts using the name of another former colleague, trying to pin suspicions on him. The FBI was not only able to track the man's real IP address, but they also tied him to attacks without a doubt because he used a DDoS-for-hire service that was hacked and its database was shared with the FBI.

Catalin Cimpanu, reporting for BleepingComputer: USB drivers included in the Linux kernel are rife with security flaws that in some cases can be exploited to run untrusted code and take over users' computers. The vast majority of these vulnerabilities came to light on Monday, when Google security expert Andrey Konovalov informed the Linux community of 14 vulnerabilities he found in the Linux kernel USB subsystem. "All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine," Konovalov said. The 14 flaws are actually part of a larger list of 79 flaws Konovalov found in Linux kernel USB drivers during the past months. Not all of these 79 vulnerabilities have been reported, let alone patched. Most are simple DoS (Denial of Service) bugs that freeze or restart the OS, but some allow attackers to elevate privileges and execute malicious code.

Catalin Cimpanu, writing for BleepingComputer: Facebook is testing new technology that is designed to help victims of revenge porn acts. It works on a database of file hashes, a cryptographic signature computed for each file. Facebook says that once an abuser tries to upload an image marked as "revenge porn" in its database, its system will block the upload process. This will work for images shared on the main Facebook service, but also for images shared privately via Messenger, Facebook's IM app. The weird thing is that in order to build a database of "revenge porn" file hashes, Facebook will rely on potential victims uploading a copy of the nude photo in advance. This process involves the victim sending a copy of the nude photo to his own account, via Facebook Messenger. This implies uploading a copy of the nude photo on Facebook Messenger, the very same act the victim is trying to prevent. The victim can then report the photo to Facebook, which will create a hash of the image that the social network will use to block further uploads of the same photo.

An anonymous reader writes from a report via BleepingComputer: Yesterday, Microsoft released new standards that consumers should follow in order to have a highly secure Windows 10 device. These standards include the type of hardware that should be included with Windows 10 systems and the minimum firmware features. The hardware standards are broken up into 6 categories, which are minimum specs for processor generation, processor architecture, virtualization, trusted platform modules (TPM), platform boot verification, and RAM. Similarly, firmware features should support at least UEFI 2.4 or later, Secure Boot, Secure MOR 2 or later, and support the Windows UEFI Firmware Capsule Update specification.

A popular Firefox browser add-on that saves and syncs bookmarks has started to lose those bookmarks instead, users are complaining. From a report: According to user reports -- and your reporter's own experience -- the problems arose when Xmarks updated the add-on to version 4.5.0.4, the first version to work on the new WebExtensions API, Firefox's new add-on technology. Since then, Firefox users have reported a wide range of problems, but among which the biggest was the fact that Xmarks was not syncing bookmarks as it should. The problems did not manifest the same way for all users. Some users said the add-on stopped syncing new bookmarks altogether, some reported corrupted links, others said they lost all bookmarks, while other reported that only a small portion of new bookmark URLs was being added to their Xmarks account.

Long-time Slashdot reader Artem Tashkinov quotes BleepingComputer: Mozilla engineers are discussing plans to remove support for a state-operated Dutch TLS/HTTPS provider after the Dutch government has voted a new law that grants local authorities the power to intercept Internet communications using "false keys". If the plan is approved, Firefox will not trust certificates issued by the Staat der Nederlanden (State of the Netherlands) Certificate Authority (CA)...

This new law gives Dutch authorities the powers to intercept and analyze Internet traffic. While other countries have similar laws, what makes this one special is that authorities will have authorization to carry out covert technical attacks to access encrypted traffic. Such covert technical capabilities include the use of "false keys," as mentioned in Article 45 1.b, a broad term that includes TLS certificates.
"Fears arise of mass Dutch Internet surveillance," reads a subhead on the article, citing a bug report which notes, among other things, the potential for man-in-the-middle attacks and the fact that the Netherlands hosts a major internet transit point.

An anonymous reader writes: Mozilla engineers have borrowed yet another feature from the Tor Browser and starting with version 58 Firefox will block attempts to fingerprint users using the HTML5 canvas element. The technique is widely used in the advertising industry to track users across sites. Firefox 58 is scheduled for release on January 16, 2018.

Canvas fingerprinting blocking is the second feature Mozilla engineers have borrowed from the Tor Project. Previously, Mozilla has added a mechanism to Firefox 52 that prevents websites from fingerprinting users via system fonts. Mozilla's efforts to harden Firefox are part of the Tor Uplift project, an initiative to import more privacy-focused feature from the Tor Browser into Firefox.

An anonymous reader quotes a report from Bleeping Computer: Security experts have filed a proposal with the Internet Engineering Task Force (IETF) that defines a secure framework for delivering firmware updates to Internet of Things (IoT) devices. Filed on Monday by three ARM employees, their submission has entered the first phase of a three-stage process for becoming an official Internet standard. Titled "IoT Firmware Update Architecture," their proposal -- if approved -- puts forward a series of ground rules that device makers could implement when designing the firmware update mechanism for their future devices. The proposed rules are nothing out of the ordinary, and security experts have recommended and advocated for most of these measures for years. Some hardware vendors are most likely already compliant with the requirements included in this IETF draft. Nonetheless, the role of this proposal is to have the IETF put forward an official document that companies could use as a baseline when designing the architecture of future products. This document could also serve as a general guideline for lawmakers who could draft regulations forcing manufacturers to adhere to this baseline. Some of the main requirements put forward by three ARM engineers in their IETF draft include: The update mechanism must work the same even if the firmware binary is delivered via Bluetooth, WiFi, UART, USB, or other mediums; The update mechanism must work in a broadcast type of delivery, allowing updates to reach multiple users at once; End-to-end security (public key cryptography) must be used to verify and validate firmware images.

Catalin Cimpanu, reporting for BleepingComputer: The Tor Project has released a security update for the Tor Browser on Mac and Linux to fix a vulnerability that leaks users' real IP addresses. The vulnerability was spotted by Filippo Cavallarin, CEO of We Are Segment, an Italian company specialized in cyber-security and ethical hacking. Cavallarin privately reported the issue -- which he codenamed TorMoil -- to the Tor Project last week. Tor Project developers worked with the Firefox team (Tor Browser is based on the Firefox browser) to release a fix. Today, the Tor team released version 7.0.9 to address the vulnerability. Tor Browser 7.0.9 is only available for Mac and Linux users. Tor Browser on Windows is not affected.

An anonymous reader writes: The operator of a 77,000-strong spam botnet was sentenced to two years probation and no prison time after admitting his crime and completely reforming his life. The former botnet operator is now working for a cybersecurity company, and admitted his actions as soon as the FBI knocked on his door back in 2013. The botnet operator, a 29-year-old from Santa Clara, California, says he was tricked by fellow co-schemers who told him they were not doing anything wrong by infecting computers with malware because they were not accessing private information such as banking or financial records. Furthermore, the botnet operator escaped prison time because he used all the money he earned in getting a college degree at Cal Poly instead of using it on a lavish lifestyle or drugs. This case is similar to the one that MalwareTech (aka Marcus Hutchins) now faces in the U.S. for his role in developing the Kronos trojan, but also after turning his life around and working as a cybersecurity researcher for years.

An anonymous reader writes: A bug in the new "Adaptive Icons" feature introduced in Android Oreo has sent thousands of phones into infinite boot loops, forcing some users to reset their devices to factory settings, causing users to lose data along the way. The bug was discovered by Jcbsera, the developer of the Swipe for Facebook Android app (energy-efficient Facebook wrapper app), and does not affect Android Oreo (8.0) in its default state. The bug occurs only with apps that use adaptive icons -- a new feature introduced in Android Oreo that allows icons to change shape and size based on the device they're viewed on, or the type of launcher the user is using on his Android device. For example, adaptive icons will appear in square, rounded, or circle containers depending on the theme or launcher the user is using. The style of adaptive icons is defined a local XML file. The bug first manifested itself when the developer of the Swipe for Facebook Android app accidentally renamed the foreground image of his adaptive icon with the same name as this XML file (ic_launcher_main.png and ic_launcher_main.xml). This naming scheme sends Android Oreo in an infinite loop that regularly crashes the device. At one point, Android detects something is wrong and prompts the user to reset the device to factory settings. Users don't have to open an app, and the crashes still happen just by having an app with malformed adaptive icons artifacts on your phone. Google said it will fix the issue in Android Oreo 8.1.

An anonymous reader quotes a report from Bleeping Computer: Rutgers engineers have created a new authentication system called VibWrite. The system relies on placing an inexpensive vibration motor and receiver on a solid surface, such as wood, metal, plastic, glass, etc.. The motor sends vibrations to the receiver. When the user touches the surface with one of his fingers, the vibration waves are modified to create a unique signature per user and per finger. Rutgers researchers say that VibWrite is more secure when users are asked to draw a pattern or enter a code on a PIN pad drawn on the solid surface. This also generates a unique fingerprint, but far more complex than just touching the surface with one finger. During two tests, VibWrite verified users with a 95% accuracy and a 3% false positive rate. The only problem researchers encountered in the live trials was that some users had to draw the pattern or enter the PIN number several times before they passed the VibWrite authentication test. Besides improvements to the accuracy with which VibWrite can detect finger vibrations, researchers also plan to look into how VibWrite will behave in outdoor environments to account for varying temperatures, humidity, winds, wetness, dust, dirt, and other conditions. This new novel user authentication system is described in full in a research paper entitled "VibWrite: Towards Finger-input Authentication on Ubiquitous Surfaces via Physical Vibration."

Catalin Cimpanu, reporting for BleepingComputer: Mozilla engineers have started work on a project named Lockbox that they describe as "a work-in-progress extension [...] to improve upon Firefox's built-in password management." Mozilla released the new extension for employee-use only at first, but users can install it by going to this or this links. Lockbox revamps Firefox's antiquated password management utility with a new user interface (UI). A new Firefox UI button is also included, in case users want to add a shortcut in their browser's main interface to open Lockbox without going through all the menu options. Support for a master password is included, helping users secure their passwords from unauthorized access by co-workers, family members, or others.

An anonymous reader quotes Bleeping Computer: Scientists from Florida International University and Bloomberg have created a custom two-factor authentication (2FA) system that relies on users taking a photo of a personal object. The act of taking the photo comes to replace the cumbersome process of using crypto-based hardware security keys (e.g., YubiKey devices) or entering verification codes received via SMS or voice call. The new system is named Pixie, and researchers argue it is more secure than the aforementioned solutions.

Pixie works by requiring users to choose an object as their 2FA key. When they set up the Pixie 2FA protection, they take an initial photo of the object that will be used for reference. Every time users try to log into their account again, they re-take a photo of the same object, and an app installed on their phone compares the two photos... In automated tests, Pixie achieved a false accept rate below 0.09% in a brute force attack with 14.3 million authentication attempts. An Android app is available for testing here.

An anonymous reader writes: Late yesterday afternoon, Google announced plans to deprecate and eventually remove PKP support from the Chromium open-source browser, which indirectly means from Chrome... According to Google engineer Chris Palmer, low adoption and technical difficulties are among the reasons why Google plans to remove the feature from Chrome.

"We would like to do this in Chrome 67, which is estimated to be released to Stable on 29 May 2018," Palmer says. The proposal is up in the air, and users can submit opinions against Google's intent to deprecate, but seeing how little PKP was adopted, it's most likely already out the door. A Neustar survey from March 2016 had PKP deployment at only 0.09% of all HTTPS sites. By August 2017, that needle had barely moved to 0.4% of all sites in the Alexa Top 1 Million.

A reader shares a BleepingComputer report: LG Electronics has avoided a security disaster this summer after it worked with security researchers to patch a vulnerability in the mobile app that customers are using to control a breadth of LG smart home devices. The vulnerability affects the LG SmartThinQ app used to control all of LG's "smart" home appliances, a list that includes devices such as smart ovens, vacuums, dishwashers, refrigerators, washing machines, dryers, air conditioners, and more. The flaw was discovered by security researchers from Israeli firm Check Point, who reported the problem to LG technicians. According to researchers, an attacker would have been able to hijack the authentication process that occurs between the SmartThinQ app and LG's servers. The attacker could have been able to take over a user's account and control devices in the user's home, and paired with the user's profile. For example, attackers could have overheated ovens, altered a home's temperature via AC units in a Mr.Robot-style hack, or spied on users via camera-enabled devices.

An anonymous reader writes from a report via Bleeping Computer: After last week we had the KRACK and ROCA cryptographic attacks, this week has gotten off to a similarly "great" start with the publication of a new crypto attack known as DUHK (Don't Use Hard-coded Keys). The issue at the heart of the DUHK attack is a combination of two main factors. The first is the usage of the ANSI X9.31 Random Number Generator (RNG). This is an algorithm that takes random data and generates encryption keys used to secure VPN connections, browsing sessions, and other encrypted traffic/data. The second factor needed for a DUHK attack is when hardware vendors use a hardcoded "seed key" for the ANSI X9.31 RNG algorithm. When these two conditions take place, an attacker can brute-force encrypted data to discover the rest of the encryption parameters and deduce the master encryption key used to encrypt web sessions or VPN connections. In a research paper published today, researchers said they found 12 vendors that sold hardware/software products with hardcoded X9.31 seed keys. This issue is widespread because ANSI X9.31 is very widespread. Up until January 2016, the algorithm was on the list of U.S. government (FIPS) approved RNG algorithms. ANSI X9.31 remained on the list until 2016, even if US NIST deprecated the algorithm in 2011, and scientists warned that the algorithm could be broken if the seed key ever leaked way back in 1998.

A reader shares a BleepingComputer report: With the release of Windows 10 Fall Creators Update last week, the "Controlled Folder Access" that Microsoft touted in June is now live for millions of users. As the name hints, the Controlled Folder Access feature allows users to control who can access certain folders. The feature works on a "block everything by default" philosophy, which means that on a theoretical level, it would be able to prevent ransomware when it tries to access and encrypt files stored in those folders. The benefits of using Controlled Folder Access for your home and work computers are tangible for anyone that's fearful of losing crucial files to a ransomware infection.

An anonymous reader writes: Since mid-September, a new IoT botnet has grown to massive proportions. Codenamed IoT_reaper, researchers estimate its current size at nearly two million infected devices. According to researchers, the botnet is mainly made up of IP-based security cameras, routers, network-attached storage (NAS) devices, network video recorders (NVRs), and digital video recorders (DVRs), primarily from vendors such as Netgear, D-Link, Linksys, GoAhead, JAWS, Vacron, AVTECH, MicroTik, TP-Link, and Synology.

The botnet reuses some Mirai source code, but it's unique in its own right. Unlike Mirai, which relied on scanning for devices with weak or default passwords, this botnet was put together using exploits for unpatched vulnerabilities. The botnet's author is still struggling to control his botnet, as researchers spotted over two million infected devices sitting in the botnet's C&C servers' queue, waiting to be processed. As of now, the botnet has not been used in live DDoS attacks, but the capability is in there.
Today is the one-year anniversary of the Dyn DDoS attack, the article points out, adding that "This week both the FBI and Europol warned about the dangers of leaving Internet of Things devices exposed online."

Catalin Cimpanu, writing for BleepingComputer: Kansas University (KU) officials have expelled a student for installing a hardware keylogger and using the data acquired from the device to hack into the school's grading system and chang his grades. KU did not release the student's name to the public, but they said the keystroke logging device had been installed on one of the computers in its lecture halls. The student used data collected from the device to change F grades into A grades. Professors said the incident would not have been noticed if the student didn't get greedy about modifications. The hardware device the student used was a run-of-the-mill hardware keylogger that anyone can buy on Amazon or eBay for prices as low as $20. Speaking to local media, various KU professors said they hope not to see any copycats in the near future.

An anonymous reader writes: Google Chrome engineers are considering adding a special browser permission that will thwart the rising trend of in-browser cryptocurrency miners. Discussions on the topic of in-browser miners have been going on the Chromium project's bug tracker since mid-September when Coinhive, the first such service, launched. "Here's my current thinking," Ojan Vafai, a Chrome engineering working on the Chromium project, wrote in one of the recent bug reports. "If a site is using more than XX% CPU for more than YY seconds, then we put the page into 'battery saver mode' where we aggressively throttle tasks and show a toast [notification popup] allowing the user to opt-out of battery saver mode. When a battery saver mode tab is backgrounded, we stop running tasks entirely. I think we'll want measurement to figure out what values to use for XX and YY, but we can start with really egregious things like 100% and 60 seconds. I'm effectively suggesting we add a permission here, but it would have unusual triggering conditions [...]. It only triggers when the page is doing a likely bad thing."

An earlier suggestion had Google create a blacklist and block the mining code at the browser level. That suggestion was shut down as being too impractical and something better left to extensions.