Slashdot Mirror

"The .NET ecosystem is affected by a similar flaw that has wreaked havoc among Java apps and developers in 2016," reports BleepingComputer. An anonymous reader writes: The issue at hand is in how some .NET libraries deserialize JSON or XML data, doing it in a total unsecured way, but also how developers handle deserialization operations when working with libraries that offer optional secure systems to prevent deserialized data from accessing and running certain methods automatically. The issue is similar to a flaw known as Mad Gadget (or Java Apocalypse) that came to light in 2015 and 2016. The flaw rocked the Java ecosystem in 2016, as it affected the Java Commons Collection and 70 other Java libraries, and was even used to compromise PayPal's servers.

Organizations such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMWare, IBM, Intel, Adobe, HP, and SolarWinds , all issued security patches to fix their products. The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects. Now a similar issue was discovered in .NET. This research has been presented at the Black Hat and DEF CON security conferences. On page 5 [of this PDF], researchers included reviews for all the .NET and Java apps they analyzed, pointing out which ones are safe and how developers should use them to avoid deserialization attacks when working with JSON data.

"The .NET ecosystem is affected by a similar flaw that has wreaked havoc among Java apps and developers in 2016," reports BleepingComputer. An anonymous reader writes: The issue at hand is in how some .NET libraries deserialize JSON or XML data, doing it in a total unsecured way, but also how developers handle deserialization operations when working with libraries that offer optional secure systems to prevent deserialized data from accessing and running certain methods automatically. The issue is similar to a flaw known as Mad Gadget (or Java Apocalypse) that came to light in 2015 and 2016. The flaw rocked the Java ecosystem in 2016, as it affected the Java Commons Collection and 70 other Java libraries, and was even used to compromise PayPal's servers.

Organizations such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMWare, IBM, Intel, Adobe, HP, and SolarWinds , all issued security patches to fix their products. The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects. Now a similar issue was discovered in .NET. This research has been presented at the Black Hat and DEF CON security conferences. On page 5 [of this PDF], researchers included reviews for all the .NET and Java apps they analyzed, pointing out which ones are safe and how developers should use them to avoid deserialization attacks when working with JSON data.

An anonymous reader quotes Bleeping Computer: Google's security team has sent out warnings via email to Chrome extension developers after many of them have been the targets of phishing attacks, some of which have been successful and resulted in crooks taking over extensions. These phishing attacks have come into the limelight this past week when phishers managed to compromise the developer accounts for two very popular Chrome extensions -- Copyfish and Web Developer. The phishers used access to these developer accounts to insert adware code inside the extensions and push out a malicious update that overlaid ads on top of web pages users were navigating.

According to new information obtained by Bleeping Computer, these attacks started over two months ago and had been silently going on without anyone noticing. All phishing emails contained the same lure -- someone posing as Google was informing extension developers that their add-on broke Chrome Web Store rules and needed to be updated. The extension developer was lured onto a site to view what was the problem and possibly update the extension. Before seeing the alert, the site asked extension developers to log in with their Google developer account, a natural step when accessing a secure backend.

An anonymous reader writes: European countries are currently implementing new data protection laws. Recently, despite leaving the European Union, the United Kingdom has expressed intent to implement the law called General Data Protection Regulation. As an extension, the UK wants to to ban re-identification (with a penalty of unlimited fines), the method of reversing anonymization, or pointing out the weakness of the used anonymisation process. One famous example was research re-identifying Netflix users from published datasets. By banning re-identification, UK follows the lead of Australia which is considering enacting similarly controversial law that can lead to making privacy research difficult or impossible. Privacy researchers express concerns about the effectiveness of the law that could even complicate security, a view shared by privacy advocates.

Catalin Cimpanu, writing for BleepingComputer: Jason Needham, 45, of Arlington, Tennessee was sentenced last week to 18 months in prison and two years of supervised release for hacking his former company's FTP server and the email account of one of his former colleagues. Needham did all the hacking after he left his former employer, Allen & Hoshall (A&H), a design and engineering firm for which he worked until 2013. Needham left to create his own company named HNA Engineering together with a business partner. HNA is also a design and engineering firm. According to court documents obtained by Bleeping Computer, between May 2014 and March 2016, Needham hacked into the email account of one of his former co-workers. From this account, the FBI says Needham took sensitive business information, company fee structures, marketing plans, project proposals, and lists of credentials for A&H's FTP server. A&H rotated its FTP credentials every six months, but Needham acquired new logins from his former colleague's email account.

An anonymous reader quotes a report from Bleeping Computer: A team of eight researchers has discovered that by altering street signs, an adversary could confuse self-driving cars and cause their machine-learning systems to misclassify signs and take wrong decisions, potentially putting the lives of passengers in danger. The idea behind this research is that an attacker could (1) print an entirely new poster and overlay it over an existing sign, or (2) attach smaller stickers on a legitimate sign in order to fool the self-driving car into thinking it's looking at another type of street sign. While scenario (1) will trick even human observers and there's little chance of stopping it, scenario (2) looks like an ordinary street sign defacement and will likely affect only self-driving vehicles. Experiments showed that simple stickers posted on top of a Stop sign fooled a self-driving car's machine learning system into misclassifying it as a Speed Limit 45 sign from 67% to 100% of all cases. Similarly, gray graffiti stickers on a Right Turn sign tricked the self-driving car into thinking it was looking at a Stop sign. Researchers say that authorities can fight such potential threats to self-driving car passengers by using an anti-stick material for street signs. In addition, car vendors should also take into account contextual information for their machine learning systems. For example, there's no reason to have a certain sign on certain roads (Stop sign on an interstate highway).

Catalin Cimpanu, reporting for BleepingComputer: On Monday, the Center for Democracy & Technology (CDT) -- a US-based privacy group -- filed a complaint with the US Federal Trade Commission (FTC) accusing one of today's largest VPN providers of deceptive trade practices. In a 14-page complaint, the CDT accuses AnchorFree -- the company behind the Hotspot Shield VPN -- of breaking promises it made to its users by sharing their private web traffic with online advertisers for the purpose of improving the ads shown to its users. In its complaint to the FTC, the CDT is not accusing Anchor Free of secretly injecting ads, as users are well aware of this practice, but of not respecting promises made to its customers. More specifically, the CDT says that AnchorFree does not respect a pledge made in marketing materials that it won't track or sell customer information.

CNN reports: For months, the ransom money from the massive WannaCry cyberattack sat untouched in online accounts. Now, someone has moved it. More than $140,000 worth of digital currency bitcoin has been drained from three accounts linked to the ransomware virus that hit hundreds of thousands of computers around the world in May.
Meanwhile, a Ukrainian law firm wants NotPetya victims to join a collective lawsuit against Intellect-Service LLC, the company behind the M.E.Doc accounting software, said to be the point of origin of the NotPetya ransomware outbreak. An anonymous reader quotes BleepingComputer: The NotPetya ransomware spread via a trojanized M.E.Doc update, according to Microsoft, Bitdefender, Kaspersky, Cisco, ESET, and Ukrainian Cyber Police. A subsequent investigation revealed that Intellect-Service had grossly mismanaged the hacked servers, which were left without updates since 2013 and were backdoored on three different occasions... The Juscutum Attorneys Association says that on Tuesday, Ukrainian Cyber Police confirmed that M.E.Doc servers were backdoor on three different occasions in an official document. The company is now using this document as the primary driving force behind its legal action.
The law firm says victims must pay all of the court fees -- and give them 30% of any awarded damages.

An anonymous reader writes from a report via Bleeping Computer: The Juscutum Attorneys Association, a Ukrainian law firm, is rallying NotPetya victims to join a collective lawsuit against Intellect-Service LLC, the company behind the M.E.Doc accounting software -- the point of origin of the NotPetya ransomware outbreak. The NotPetya ransomware spread via a trojanized M.E.Doc update, according to Microsoft, Bitdefender, Kaspersky, Cisco, ESET, and Ukrainian Cyber Police. A subsequent investigation revealed that Intellect-Service had grossly mismanaged the hacked servers, which were left without updates since 2013 and were backdoored on three different occasions. On Tuesday, Ukrainian Cyber Police confirmed that M.E.Doc servers were backdoored on three different occasions in an official document. The company is now using this document as the primary driving force behind its legal action. Juscutum says that victims must pay all court fees, must provide evidence or help with the collection of evidence, and agree to a 30% cut in the case of any awarded damages. The lawsuit is in its incipient stages. Juscutum representatives are currently spreading their message and encouraging victims to join the lawsuit via social media posts and articles in local Ukrainian press.

An anonymous reader writes from a report via Bleeping Computer: The Juscutum Attorneys Association, a Ukrainian law firm, is rallying NotPetya victims to join a collective lawsuit against Intellect-Service LLC, the company behind the M.E.Doc accounting software -- the point of origin of the NotPetya ransomware outbreak. The NotPetya ransomware spread via a trojanized M.E.Doc update, according to Microsoft, Bitdefender, Kaspersky, Cisco, ESET, and Ukrainian Cyber Police. A subsequent investigation revealed that Intellect-Service had grossly mismanaged the hacked servers, which were left without updates since 2013 and were backdoored on three different occasions. On Tuesday, Ukrainian Cyber Police confirmed that M.E.Doc servers were backdoored on three different occasions in an official document. The company is now using this document as the primary driving force behind its legal action. Juscutum says that victims must pay all court fees, must provide evidence or help with the collection of evidence, and agree to a 30% cut in the case of any awarded damages. The lawsuit is in its incipient stages. Juscutum representatives are currently spreading their message and encouraging victims to join the lawsuit via social media posts and articles in local Ukrainian press.

An anonymous reader quotes a report from Bleeping Computer: "The author of the BrickerBot malware has claimed a cyber-attack that affected several Indian states and has caused over 60,000 modems and routers to lose Internet connectivity," reports Bleeping Computer. "The incident affected modems and routers belonging to Bharat Sanchar Nigam Limited (BSNL) and Mahanagar Telephone Nigam Limited (MTNL), two Indian state-owned telecommunications service providers." The BrickerBot malware infected modems that used default passwords and modems that the two ISPs left exposed via the TR069 management interface to connections from anywhere on the Internet. BrickerBot is a malware strain that affects Linux-based IoT and networking devices. Unlike other malware that hoards devices into botnets for DDoS attacks and other purposes, BrickerBot "bricks" the equipment by rewriting its flash storage with random data. In most cases this bricking effect can be reversed, but in some cases this is permanent. BSNL and MTNL had worked to fix problems but efforts were delayed after a BSNL workforce strike. The BrickerBot author also raised the alarm about similar exposed devices on the network of Pakistan Telecommunication Company Limited (PTCL). In April, the BrickerBot author claimed he bricked over 2 million devices.

An anonymous reader quotes BleepingComputer: A petition is asking Adobe to release Flash into the hands of the open-source community. Finnish developer Juha Lindstedt started the petition a day after Adobe announced plans to end Flash support by the end of 2020. "Flash is an important piece of Internet history and killing Flash means future generations can't access the past," Lindstedt explains in the petition's opening paragraph. "Games, experiments and websites would be forgotten." The developer wants Adobe to open-source Flash or parts of its technology so the open-source community could take on the job of supporting a minimal version of the Flash plugin or at least create a tool to accurately convert old SWF and FLA files to modern HTML5, canvas data, or WebAssembly code... Lindstedt is asking users to sign the petition by starring the project on GitHub. At the time of writing, the petition has garnered over 3,000 stars.
A reporter at ZDNet counters that "the only way to really secure Flash is to get rid of it... If Flash lives, people will continue to use it, and without security support, it will be even more insecure than ever." He points out there's already several programs that convert Flash into other formats -- and that Adobe already open sourced its Flex framework for building Flash applications back in 2008 (now supported by the Apache Software Foundation as Apache Flex). "In other words, we don't need the Flash source code to convert or create Flash files. Just let Flash go already...!

"Usually, I'm favor with open-sourcing everything and anything. Not this time. Flash has proven to be a net of endless security holes. It's time to let it go for once and for all.

An anonymous reader writes: Dutch Police is aggressively going after Dark Web vendors using data they collected from the recently seized Hansa Market. According to reports, police is using the Hansa login credentials to authenticate on other Dark Web portals, such as Dream. If vendors reused passwords, police take over the accounts and set up traps or map the sales of illegal products. Other crooks noticed the account hijacks because Dutch Police changed the PGP key for the hijacked accounts with their own, which was accidentally signed with the name "Dutch Police." The second method of operation spotted by the Dark Web community involves so-called "locktime" files that were downloaded from the Hansa Market before Dutch authorities shut it down on July 20. Under normal circumstances a locktime file is a simple log of a vendor's market transaction, containing details about the sold product, the buyer, the time of the sale, the price, and Hansa's signature. The files are used as authentication by vendors to request the release of Bitcoin funds after a sale's conclusion, or if the market was down due to technical reasons. Before the market went down, these locktime files were replaced with Excel files that contained a hidden image that would beacon back to police servers, exposing the vendor's real location. Dutch Police was able to do this because they took over Hansa servers on June 20 and operated the market for one more month, collecting data on vendors.

An anonymous reader quotes a report from Bleeping Computer: Chinese authorities in the province of Xinjiang are forcing locals of the Uyghur Muslim minority to install an app on their phones that will allow the government to scan their device for "terrorist propaganda," local media reports. In reality, the app creates MD5 hashes for the user's files and matches them against a database of known terrorist content. The app also makes copies of the user's Weibo and WeChat databases and uploads it to a government server, along with the user's IMEI, IMSI, and WiFi login information. The app is called Jingwang (Citizen Safety) and was developed by police forces from Urumqi, Xinjiang's capital. Authorities launched the app in April, and also included the ability to report suspicious activity to the police. At the start of July, Xinjiang officials started sending WeChat messages in Uyghur and Chinese to locals, asking them to install the app or face detainment of up to 10 days. Police have also stopped people on the street to check if they installed the app. Several were detained for refusing to install it. Locals are now sharing the locations of checkpoints online, so others can avoid getting arrested.

An anonymous reader writes: "Veritaseum has confirmed today that a hacker stole $8.4 million from the platform's ICO on Sunday, July 23," reports Bleeping Computer. "This is the second ICO hack in the last week and the fourth hack of an Ethereum platform this month. An ICO (Initial Coin Offering) is similar to a classic IPO (Initial Public Offering), but instead of stocks in a company, buyers get tokens in an online platform. Users can keep tokens until the issuing company decides to buy them back, or they can sell the tokens to other users for Ethereum. Veritaseum was holding its ICO over the weekend, allowing users to buy VERI tokens for a product the company was preparing to launch in the realm of financial services." The hacker breached its systems, stole VERI tokens and immediately dumped them on the market due to the high-demand. The hacker made $8.4 million from the token sale, which he immediately started to launder. In a post-mortem announcement, Middleton posted online today, the Veritaseum CEO said "the amount stolen was miniscule (less than 00.07%) although the dollar amount was quite material." The CEO also suspects that "at least one corporate partner that may have dropped the ball and [might] be liable." Previous Ethereum services hacks include Parity, CoinDash, and Classic Ether Wallet.

An anonymous reader writes: "Veritaseum has confirmed today that a hacker stole $8.4 million from the platform's ICO on Sunday, July 23," reports Bleeping Computer. "This is the second ICO hack in the last week and the fourth hack of an Ethereum platform this month. An ICO (Initial Coin Offering) is similar to a classic IPO (Initial Public Offering), but instead of stocks in a company, buyers get tokens in an online platform. Users can keep tokens until the issuing company decides to buy them back, or they can sell the tokens to other users for Ethereum. Veritaseum was holding its ICO over the weekend, allowing users to buy VERI tokens for a product the company was preparing to launch in the realm of financial services." The hacker breached its systems, stole VERI tokens and immediately dumped them on the market due to the high-demand. The hacker made $8.4 million from the token sale, which he immediately started to launder. In a post-mortem announcement, Middleton posted online today, the Veritaseum CEO said "the amount stolen was miniscule (less than 00.07%) although the dollar amount was quite material." The CEO also suspects that "at least one corporate partner that may have dropped the ball and [might] be liable." Previous Ethereum services hacks include Parity, CoinDash, and Classic Ether Wallet.

An anonymous reader quotes BleepingComputer: Over 45,000 users have left one-star reviews on a company's Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug. The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ, Budapest's public transportation authority. The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price. Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

The teenager -- who didn't want his name revealed -- reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems... BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure." Since then, other security flaws in BKK's system have surfaced on Twitter. As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner.

An anonymous reader quotes Mashable: Mozilla is building a massive repository of voice recordings for the voice apps of the future -- and it wants you to add yours to the collection. The organization behind the Firefox browser is launching Common Voice, a project to crowdsource audio samples from the public. The goal is to collect about 10,000 hours of audio in various accents and make it publicly available for everyone... Mozilla hopes to hand over the public dataset to independent developers so they can harness the crowdsourced audio to build the next generation of voice-powered apps and speech-to-text programs... You can also help train the speech-to-text capabilities by validating the recordings already submitted to the project. Just listen to a short clip, and report back if text on the screen matches what you heard... Mozilla says it aims is to expand the tech beyond just a standard voice recognition experience, including multiple accents, demographics and eventually languages for more accessible programs. Past open source voice-recognition projects have included Sphinx 4 and VoxForge, but unfortunately most of today's systems are still "locked up behind proprietary code at various companies, such as Amazon, Apple, and Microsoft."

An anonymous reader writes via Bleeping Computer: Today, in coordinated press releases, the U.S. Department of Justice (DOJ) and Europol announced the takedown of two Dark Web marketplaces -- AlphaBay and Hansa Market. First to fall was the Hansa Market after Dutch officers seized control over their servers located inside one of the country's hosting providers. Dutch Police seized Hansa servers on June 20, but the site was allowed to operate for one more month as officers gathered more evidence about its clientele. The Hansa honeypot received an influx of new users as the FBI shut down AlphaBay on July 5, a day after it took control over servers on July 4. Europol and the FBI say they collected mountains of evidence such as "usernames and passwords of thousands of buyers and sellers of illicit commodities" and "delivery addresses for a large number of orders." FBI Active Director McCabe said AlphaBay was ten times larger than Silk Road, with over 350,000 listings. In opposition, Silk Road, which authorities seized in November 2013, listed a meager 14,000 listings for illicit goods and services at the time authorities took down the service.

An anonymous reader quotes a report from Bleeping Computer: An unknown hacker has used a vulnerability in an Ethereum wallet client to steal over 153,000 Ether, worth over $30 million dollars. The hack was possible due to a flaw in the Parity Ethereum client. The vulnerability allowed the hacker to exfiltrate funds from multi-sig wallets created with Parity clients 1.5 and later. Parity 1.5 was released on January 19, 2017. The attack took place around 19:00-20:00 UTC and was immediately spotted by Parity, a company founded by Gavin Wood, Ethereum's founder. The company issued a security alert on its blog. The Ether stolen from Parity multi-sig accounts was transferred into this Ethereum wallet, currently holding 153,017.021336727 Ether. Because Parity spotted the attack in time, a group named "The White Hat Group" used the same vulnerability to drain the rest of Ether stored in other Parity wallets that have not yet been stolen by the hacker. This money now resides in this Ethereum wallet. According to messages posted on Reddit and in a Gitter chat, The White Hat Group appears to be formed of security researchers and members of the Ethereum Project that have taken it into their own hands to secure funds in vulnerable wallets. Based on a message the group posted online, they plan to return the funds they took. Their wallet currently holds 377,116.819319439311671493 Ether, which is over $76 million.

An anonymous reader writes: "Thai security researcher Worawit Wang has put together an exploit based on ETERNALSYNERGY that can also target newer versions of the Windows operating system," reports Bleeping Computer. "ETERNALSYNERGY is one of the NSA exploits leaked by the Shadow Brokers hacking group in April this year. According to a Microsoft technical analysis, the exploit can allow an attacker to execute code on Windows machines with SMB services exposed to external connections. The exploit works up to Windows 8. According to Microsoft, the techniques used in the original ETERNALSYNERGY exploit do not work on newer platforms due to several kernel security improvements. Wang says his exploit targets the same vulnerability but uses a different exploitation technique. His method 'should never crash a target,' the expert says. 'Chance should be nearly 0%,' Wang adds." Combining his exploit with the original ETERNALSYNERGY exploit would allow a hacker to target all Windows versions except Windows 10. This is about 75% of all Windows PCs. The exploit code is available for download from Wang's GitHub or ExploitDB. Sheila A. Berta, a security researcher for Telefonica's Eleven Paths security unit, has published a step-by-step guide on how to use Wang's exploit.

Starting next week Google will overhaul its two-step verification (2SV) procedure and replace one-time codes sent via SMS with prompts shown on the user's smartphone. From a report: This change in the Google 2SV scheme comes after an increase in SS7 telephony protocol attacks that have allowed hackers to take over people's mobile phone numbers to receive one-time codes via SMS and break into user accounts. The rollout process for this feature is scheduled to start next week when Google will invite users to try mobile prompts instead of receiving a one-time code via SMS. Users need an Internet-connected smartphone to use this feature. Every time users will try to log in, Google will show a prompt on their phone asking the account owner to approve the login request. There's no one-time code that users have to fill in, and users can authorize a login request with the tap of a button.

An anonymous reader writes: A company is going around buying abandoned Chrome extensions from their original developers and converting these add-ons into adware. The latest case is the Particle for YouTube Chrome extension, a simple tool that allows users to change the UI and behavior of some of YouTube's standard features. Because Google was planning major changes to YouTube's UI, the extension's original author decided to retire it and create a new one. This is when the a mysterious company approached the original author and offered to buy the extension from him for a price of his choosing. The original dev says he gave them a high price, but the company agreed to pay right away, but only after the dev signed an non-disclosure agreement preventing him from talking about the company or the transaction. Soon after the sale, the company issued an update that included code for injecting rogue ads on websites such as Google, Yahoo, Bing, Amazon, eBay, and Booking.com. Users also found other Chrome extensions that were also bought by the same company and had also been turned into adware, such as "Typewriter Sounds" and "Twitch Mini Player." According to some other Chrome extension devs, there are many companies willing to pay large sums of money for taking over legitimate Chrome extensions.

An anonymous reader quotes a report from Bleeping Computer: An unknown hacker has hijacked the radio frequency of a UK radio station to play an obscene song eight times during the past month, according to the radio station's manager who recently revealed the hacks in an interview with BBC Radio 4. The hacks have been reported to Ofcom, the UK's communications regulator, who together with the radio station's staff have tried to track down the culprit at last three times, without success. Ofcom and radio station officials believe the hacker is using a mobile radio transmitter to broadcast a stronger signal on the radio station's normal frequency, overriding its normal program. In eight different occasions, the hacker has taken over broadcasts and has been heard talking, screaming, or singing, and then playing "The Winker's Song" (NSFW) by British comedian Ivor Biggun, a track about self-pleasure released in the 70s. Station manager Tony Delahunty told BBC Radio he received phone calls from distressed listeners complaining that their kids started humming the song. Fellow radio stations also called Delahunty to inquire about the hack, fearing similar hijacks.

Catalin Cimpanu, reporting for BleepingComputer: The Federal Trade Commission has shut down the operator of a large network of online loan sites that promised to find people the loans with the lowest rates, but actually sold users' data to third-parties, most of which weren't even lenders. The target of FTC's ire is a company named Blue Global Media, LLC and its CEO, Christopher Kay, against which the FTC filed an official complaint last Monday, July 3. According to the FTC, since 2012 Blue Global Media operated a network of 38 websites that promised users to match them with the best payday, personal, or auto loans using Blue Global Media's proprietary technology. Hoping to find loans with the smaller interest rate and friendlier terms, users entered a slew of personal details on Blue Global Media's websites, such as names, email addresses, home addresses, phone numbers, Social Security numbers, financial and banking information, driver's license, state ID numbers, income data, military status, home ownership info, and many other more.

An anonymous reader writes: The EU is preparing legislation that would legalize a customer's "right to repair," and would force vendors to design products for longer life and easier maintenance, in an effort to combat electronic waste and abusive practices like manufacturers legally preventing users from repairing their devices. The legislation is in its earlier stages of public discussion, but it already has the backing of several EU Members of Parliament, along with support from organizations like Greenpeace.

Currently, in the US only eleven states have similar laws, and they have been adopted after years of public discussions, and only for certain markets, and not for all types of products. It is unclear what leverage the EU will use to force manufacturers to produce longer lasting products, as this would mean lesser profits for big businesses, who often used tactics such as software DRMs, warranty contract lock-ins, and soldering components together, just to avoid users repairing products on their own.

An anonymous reader writes: The author of the original Petya ransomware -- a person/group going by the name of Janus Cybercrime Solutions -- has released the master decryption key of all past Petya versions. This key can decrypt all ransomware families part of the Petya family except NotPetya, which isn't the work of Janus, but is believed to be the work of a nation-state actor that targeted Ukraine. Most (original) Petya campaigns happened in 2016, and very few campaigns have been active this year. Users that had their files locked have wiped drives or paid the ransom many months before. The key will only help those victims who cloned their drives and saved a copy of the encrypted data. Experts believe that Janus released Petya's decryption key as a result of the recent NotPetya outbreak, and he might have decided to shut down his operation to avoid further scrutiny, or being accused of launching NotPetya.

An anonymous reader writes: The author of the original Petya ransomware -- a person/group going by the name of Janus Cybercrime Solutions -- has released the master decryption key of all past Petya versions. This key can decrypt all ransomware families part of the Petya family except NotPetya, which isn't the work of Janus, but is believed to be the work of a nation-state actor that targeted Ukraine. Most (original) Petya campaigns happened in 2016, and very few campaigns have been active this year. Users that had their files locked have wiped drives or paid the ransom many months before. The key will only help those victims who cloned their drives and saved a copy of the encrypted data. Experts believe that Janus released Petya's decryption key as a result of the recent NotPetya outbreak, and he might have decided to shut down his operation to avoid further scrutiny, or being accused of launching NotPetya.

An anonymous reader quotes a report from Bleeping Computer: A new feature added in test snapshots for the upcoming OpenBSD 6.2 release will create a unique kernel every time an OpenBSD user reboots or upgrades his computer. This feature is named KARL -- Kernel Address Randomized Link -- and works by relinking internal kernel files in a random order so that it generates a unique kernel binary blob every time. Currently, for stable releases, the OpenBSD kernel uses a predefined order to link and load internal files inside the kernel binary, resulting in the same kernel for all users. Developed by Theo de Raadt, KARL will work by generating a new kernel binary at install, upgrade, and boot time. If the user boots up, upgrades, or reboots his machine, the most recently generated kernel will replace the existing kernel binary, and the OS will generate a new kernel binary that will be used on the next boot/upgrade/reboot, constantly rotating kernels on reboots or upgrades. KARL should not be confused with ASLR -- Address Space Layout Randomization -- a technique that randomizes the memory address where application code is executed, so exploits can't target a specific area of memory where an application or the kernel is known to run. A similar technique exists for randomizing the memory location where the kernel loads -- called KASLR. The difference between the two is that KARL loads a different kernel binary in the same place, while KASLR loads the same binary in random locations. Currently Linux and Windows only support KASLR.

ITWire reports: A flaw in systemd, the init system used on many Linux systems, can be exploited using a malicious DNS query to either crash a system or to run code remotely. The vulnerability resides in the daemon systemd-resolved and can be triggered using a TCP payload, according to Ubuntu developer Chris Coulson. This component can be tricked into allocating less memory than needed for a look-up. When the reply is bigger it overflows the buffer allowing an attacker to overwrite memory. This would result in the process either crashing or it could allow for code execution remotely. "A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved in to allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it," is how Coulson put it.
Affected Linux vendors have pushed out patches -- but the bug has apparently been present in systemd code since June of 2015. And long-time Slashdot reader walterbyrd also reports a recently-discovered bug where systemd unit files that contain illegal usernames get defaulted to root.

WikiLeaks has published the documentation manual for an alleged CIA tool that can track users of Wi-Fi-capable Windows devices based on the Extended Service Set (ESS) data of nearby Wi-Fi networks. According to the tool's 42-page manual, the tool's name is ELSA. Bleeping Computer has an image embedded in its report that explains how the tool works. There are six steps that summarize the ELSA operation. Bleeping Computer reports: Step 1: CIA operative configures ELSA implant (malware) based on a target's environment. This is done using a tool called the "PATCHER wizard," which generates the ELSA payload, a simple DLL file.
Step 2: CIA operative deploys ELSA implant on target's Wi-Fi-enabled Windows machine. Because ELSA is an implant (malware), the CIA operator will likely have to use other CIA hacking tools and exploits to place the malware on a victim's PC.
Step 3: The implant begins collecting Wi-Fi access point information based on the schedule set by the operator. Data collection can happen even if the user is disconnected from a Wi-Fi network.
Step 4: When the target user connects to the Internet, ELSA will take the collected Wi-Fi data and query a third-party database for geolocation information.
Step 5: The CIA operative connects to the target's computer and fetches the ELSA log. This is done via the tools that allowed the operator to place ELSA on his system, or through other tools.
Step 6: The operator decrypts the log and performs further analysis on their target. Optionally, he can use the collected WiFi data to query alternate EES geo-location databases, if he feels they provide a better accuracy.

An anonymous reader quotes a report from Bleeping Computer: Today's massive ransomware outbreak was caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies. According to several researchers, such as Cisco Talos, ESET, MalwareHunter, Kaspersky Lab, and others, an unknown attacker was able to compromise the software update mechanism for M.E.Doc's servers, and deliver a malicious update to customers. When the update reached M.E.Doc's customers, the tainted software packaged delivered the Petya ransomware -- also referenced online as NotPetya, or Petna. The Ukrainian software vendor appears to have inadvertently confirmed that something was wrong when, this morning, issued a security advisory. Hours later, as the ransomware outbreak spread all over Ukraine and other countries across the globe causing huge damages, M.E.Doc denied on Facebook its servers ever served any malware. According to security researcher MalwareHunter, this is not the first time M.E.Doc has carried a malicious software update that delivered ransomware. Back in May, the company's software update mechanism also helped spread the XData ransomware.

An anonymous reader quotes a report from Bleeping Computer: Today's massive ransomware outbreak was caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies. According to several researchers, such as Cisco Talos, ESET, MalwareHunter, Kaspersky Lab, and others, an unknown attacker was able to compromise the software update mechanism for M.E.Doc's servers, and deliver a malicious update to customers. When the update reached M.E.Doc's customers, the tainted software packaged delivered the Petya ransomware -- also referenced online as NotPetya, or Petna. The Ukrainian software vendor appears to have inadvertently confirmed that something was wrong when, this morning, issued a security advisory. Hours later, as the ransomware outbreak spread all over Ukraine and other countries across the globe causing huge damages, M.E.Doc denied on Facebook its servers ever served any malware. According to security researcher MalwareHunter, this is not the first time M.E.Doc has carried a malicious software update that delivered ransomware. Back in May, the company's software update mechanism also helped spread the XData ransomware.

An anonymous reader writes: A Pennsylvania man was sentenced to one year and one day in prison for hacking and disabling base stations belonging to water utility providers in five cities across the U.S. East Coast. Called TGB, these devices collect data from smart meters installed at people's homes and relay the information to the water provider's main systems, where it is logged, monitored for incidents, and processed for billing. Before he was fired by the unnamed TGB manufacturing company, Flanagan's role was to set up these devices. After he was fired, Flanagan used former root account passwords to log onto the devices and disable their ability to communicate with their respective water utility providers' upstream equipment. He wasn't that careful, as the FBI was able to trace back the attacks to his home. Apparently, the guy wasn't that silent, leaving behind a lot of clues. Flanagan's attacks resulted in water utility providers not being able to collect user equipment readings remotely. This incurred damage to the utility providers, who had to send out employees at customer premises to collect monthly readings. He was arrested in Nov 2014, and later pleaded guilty.

An anonymous reader writes: "WikiLeaks dumped today the manuals of several hacking utilities part of Brutal Kangaroo, a CIA malware toolkit for hacking into air-gapped (offline) networks using tainted USB thumb drives," reports Bleeping Computer. The CIA uses these tools as part of a very complex attack process, that allows CIA operatives to infect offline, air-gapped networks. The first stage of these attacks start with the infection of a "primary host," an internet-connected computer at a targeted company. Malware on this primary host automatically infects all USB thumb drives inserted into the machine. If this thumb drive is connected to computers on an air-gapped network, a second malware is planted on these devices. This malware is so advanced, that it can even create a network of hacked air-gapped PCs that talk to each other and exchange commands. To infect the air-gapped computers, the CIA malware uses LNK (shortcut) files placed on the USB thumb drive. Once the user opens and views the content of the thumb drive in Windows Explorer, his air-gapped PC is infected without any other interaction.

Catalin Cimpanu, writing for BleepingComputer: Despite being an expanding threat, ransomware infections are rarely reported to law enforcement agencies, according to conclusions from the 2016 Internet Crime Report (PDF), released yesterday by the FBI's Internet Crime Complaint Center (IC3). During 2016, FBI IC3 officials said they received only 2,673 complaints regarding ransomware incidents, which ranked ransomware as the 22nd most reported cyber-crime in the US, having caused just over $2.4 million in damages (ranked 25th). The numbers are ridiculously small compared to what happens in the real world, where ransomware is one of today's most prevalent cyber-threats, according to multiple reports from cyber-security companies.

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.

An anonymous reader writes: Nayana, a web hosting provider based in South Korea, announced it is in the process of paying a three-tier ransom demand of nearly $1 million worth of Bitcoin, following a ransomware infection that encrypted data on customer' servers. The ransomware infection appears has taken place on June 10, but Nayana admitted to the incident two days later, in a statement on its website.

Attackers asked for an initial ransom payment of 550 Bitcoin, which was worth nearly $1.62 million at the time of the request. After two days of negotiations, Nayana staff said they managed to reduce the ransom demand to 397.6 Bitcoin, or nearly $1 million. In a subsequent announcement, Nayana officials stated that they negotiated with the attackers to pay the ransom demand in three installments, due to the company's inability to produce such a large amount of cash in a short period of time.

On Saturday, June 17, the company said it already paid two of the three payment tranches. In subsequent announcements, Nayana updated clients on the server decryption process, saying the entire operation would take up to ten days due to the vast amount of encrypted data. The company said 153 Linux servers were affected, servers which stored the information of more than 3,400 customers.

An anonymous reader writes: Starting this fall, with the public launch of the next major Windows 10 update — codenamed Redstone 3 -- Microsoft plans to disable SMBv1 in most versions of the Windows operating systems. SMBv1 is a three-decades-old file sharing protocol that Microsoft has continued to ship "enabled by default" with all Windows OS versions.

The protocol got a lot of attention recently as it was the main infection vector for the WannaCry ransomware. Microsoft officially confirmed Tuesday that it will not ship SMBv1 with the Fall Creators Update. This change will affect only users performing clean installs, and will not be shipped as an update. This means Microsoft decision will not affect existing Windows installations, where SMBv1 might be part of a critical system.

An anonymous reader writes: "Mazda cars with next-gen Mazda MZD Connect infotainment systems can be hacked just by plugging in a USB flash drive into their dashboard, thanks to a series of bugs that have been known for at least three years," reports Bleeping Computer. "The issues have been discovered and explored by the users of the Mazda3Revolution forum back in May 2014. Since then, the Mazda car owner community has been using these 'hacks' to customize their cars' infotainment system to tweak settings and install new apps. One of the most well-designed tools is MZD-AIO-TI (MZD All In One Tweaks Installer)." Recently, a security researcher working for Bugcrowd has put together a GitHub repository that automates the exploitation of these bugs. The researcher says an attacker can copy the code of his GitHub repo on a USB flash drive, add malicious scripts and carry out attacks on Mazda cars. Mazda said the issues can't be exploited to break out of the infotainment system to other car components, but researchers disagreed with the company on Twitter. In the meantime, the car maker has finally plugged the bugs via a firmware update released two weeks ago.

An anonymous reader writes: After a two-week hiatus, WikiLeaks dumped new files as part of the Vault 7 series -- documents about a CIA tool named CherryBlossom, a multi-purpose framework developed for hacking hundreds of home router models. The tool is by far one of the most sophisticated CIA malware frameworks in the CIA's possession. The purpose of CherryBlossom is to allow operatives to interact and control SOHO routers on the victim's network. The tool can sniff, log, and redirect the user's Internet traffic, open a VPN to the victim's local network, execute actions based on predefined rules, alert operators when the victim becomes active, and more. A 24-page document included with the CherryBlossom docs lists over 200 router models from 21 vendors that the CIA could hack. The biggest names on this list are Apple, D-Link, Belkin, Aironet (Cisco), Linksys, and Motorola.

An anonymous reader quotes a report from Bleeping Computer: A 77-page report released today by cyber-security firm Trend Micro explores the underground landscape of fake news, where anyone can buy influence and create artificial trends to serve personal interests. An examination of Chinese, Russian, Middle Eastern, and English-based underground fake news marketplaces reveals a wide range of services available on these portals. The report explores several websites where customers can purchase services ranging from "discrediting journalists" to "promoting street protests," and from "stuffing online polls" to "manipulating a decisive course of action," such as an election. According to researchers, the typical clients of such services are interested in warping the way others perceive reality. These services are usually used for character assassination, swaying political trends, or creating fake celebrities. Trend Micro has compiled a "fake news" price catalog in its report, which is imbedded in Bleeping Computer's article. Some of the most expensive services include $200,000 for helping to instigate a street protest via fake news articles, $50,000 to discredit a journalist, and $400,000 to influence elections.

An anonymous reader writes: "A team of researchers from French company P1 Security has detailed a long list of issues with the 4G VoLTE telephony, a protocol that has become quite popular all over the world in recent years and is currently in use in the US, Asia, and most European countries," reports Bleeping Computer. Researchers say they identified several flaws in the VoLTE protocol (a mixture of LTE and VoIP) that allow an attacker to spoof anyone's phone number and place phone calls under new identities, and extract IMSI and geo-location data from pre-call message exchanges. These issues can be exploited by both altering some VoLTE packets and actively interacting with targets, but also by passively listening to VoLTE traffic on an Android device. Some of these flaws don't even need a full call/connection to be established between the victim and the target for the data harvesting operation to take place. Additionally, another flaw allows users to make calls and use mobile data without being billed. The team's research paper, entitled "Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone" was presented last week at SSTIC (Symposium sur la Securite des Technologies de l'Information et des Communications), a security conference held each year in Rennes, France.

An anonymous reader quotes BleepingComputer: Verelox, a provider of dedicated KVM and VPS servers based in The Hague, Netherlands, suffered a catastrophic outage after a former administrator deleted all customer data and wiped most of the company's servers. Details of what exactly happened aren't available, but according to posts on various web hosting forums [1, 2, 3], the incident appears to have taken place Thursday, when users couldn't access their servers or the company's website.

Verelox's homepage came back online earlier Friday, but the website was plastered with a grim message informing users of the ex-admin's actions. Following the incident, the hosting provider decided to take the rest of its network offline and focus on recovering customer data. Verelox staff don't believe they can recover all data.
Saturday night the web site was advising customers that the network and hosting services "will be back this week with security updates," adding that "current customers who are still interested in our services will receive compensation."

An anonymous reader writes: "Gabor Szathmari, a security researcher for CryptoAUSTRALIA, is working on a method of improving the security of leaked documents by removing hidden dots left behind by laser printers, which are usually used to watermark documents and track down leakers," reports Bleeping Computer. "Szathmari's work was inspired by the case of a 25-year-old woman, Reality Leigh Winner, who was recently charged with leaking top-secret NSA documents to a news outlet." According to several researchers, Winner might have been caught after The Intercept had shared some of the leaked documents with the NSA. These documents had the invisible markings left behind by laser printers, which included the printer's serial number and the date and time when the document was printed. This allowed the NSA to track down Winner and arrest her even before she was able to publish the leaked documents. Now, Szatmari has submitted a pull request to the PDF Redact Tools, a project for securely redacting and stripping metadata from documents before publishing. Szathmari's pull request adds a code routine to the PDF Redact Tools project that would allow app operators to convert documents to black and white before publishing. "The black and white conversion will convert colors like the faded yellow dots to white," Szathmari said in an interview. Ironically, the project is managed by First Look Media, the parent company behind The Intercept news outlet.

An anonymous reader writes: Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool. The problem with Intel AMT SOL is that it's part of Intel's ME, a separate chip inside Intel CPUs that runs its own OS and stays on even when the main CPU is off.

Inside Intel's ME, AMT SOL opens a virtual network interface which works even when the PC is turned off. Furthermore, because this virtual network interface runs inside ME, firewalls and security products installed on the main OS won't detected malware using AMT SOL to exfiltrate data.

The malware was created and used by a nation-state cyber-espionage unit codenamed PLATINUM, active since 2009, and which has targeted countries around the South China Sea. PLATINUM is by far one of the most sophisticated hacking groups ever discovered. Last year [PDF], the OS maker said the group was installing malware by abusing hotpatching — a mechanism that allows Microsoft to issue updates that tap into active processes and upgrade applications or the operating system without having to reboot the computer.

Details about PLATINUM's recent targets and attacks are available in a report [PDF] Microsoft released yesterday.