Slashdot Mirror

The Guardian just ran an article titled " 'They'll squash you like a bug': how Silicon Valley keeps a lid on leakers," which begins with the story of an employee confronted by Facebook's secretive "rat-catching" team: They had records of a screenshot he'd taken, links he had clicked or hovered over, and they strongly indicated they had accessed chats between him and the journalist, dating back to before he joined the company. "It's horrifying how much they know," he told the Guardian, on the condition of anonymity... "You get on their bad side and all of a sudden you are face to face with Mark Zuckerberg's secret police"... One European Facebook content moderator signed a contract, seen by the Guardian, which granted the company the right to monitor and record his social media activities, including his personal Facebook account, as well as emails, phone calls and internet use. He also agreed to random personal searches of his belongings including bags, briefcases and car while on company premises. Refusal to allow such searches would be treated as gross misconduct...

Some employees switch their phones off or hide them out of fear that their location is being tracked. One current Facebook employee who recently spoke to Wired asked the reporter to turn off his phone so the company would have a harder time tracking if it had been near the phones of anyone from Facebook. Two security researchers confirmed that this would be technically simple for Facebook to do if both people had the Facebook app on their phone and location services switched on. Even if location services aren't switched on, Facebook can infer someone's location from wifi access points.
The article cites a 2012 report that Microsoft read a French blogger's Hotmail account to identify a former employee who had leaked trade secrets. And it also reports that tech companies hire external agencies to surveil their employees. "One such firm, Pinkerton, counts Google and Facebook among its clients." Though Facebook and Google both deny this, "Among other services, Pinkerton offers to send investigators to coffee shops or restaurants near a company's campus to eavesdrop on employees' conversations...

Al Gidari, consulting director of privacy at the Stanford Center for Internet and Society, says that these tools "are common, widespread, intrusive and legal."

In September, security researchers discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. We have now learned that an estimated 20 million Amazon Echo and Google Home devices are also vulnerable to attacks leveraging the BlueBorne vulnerabilities. The Hacker News reports: Amazon Echo is affected by the following two vulnerabilities: a remote code execution vulnerability in the Linux kernel (CVE-2017-1000251); and an information disclosure flaw in the SDP server (CVE-2017-1000250). Since different Echo's variants use different operating systems, other Echo devices are affected by either the vulnerabilities found in Linux or Android. Whereas, Google Home devices are affected by one vulnerability: information disclosure vulnerability in Android's Bluetooth stack (CVE-2017-0785). This Android flaw can also be exploited to cause a denial-of-service (DoS) condition. Since Bluetooth cannot be disabled on either of the voice-activated personal assistants, attackers within the range of the affected device can easily launch an attack. The security firm [Armis, who disclosed the issue] notified both Amazon and Google about its findings, and both companies have released patches and issued automatic updates for the Amazon Echo and Google Home that fixes the BlueBorne attacks.

An anonymous reader quotes a report from The Hacker News: Login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online, potentially exposing the personal data and vehicle details of drivers and businesses using its service. Just two days ago, Viacom was found exposing the keys to its kingdom on an unsecured Amazon S3 server, and this data breach is yet another example of storing sensitive data on a misconfigured cloud server. The Kromtech Security Center was first to discover a wide-open, public-facing misconfigured Amazon Web Server (AWS) S3 cloud storage bucket containing a cache belonging to SVR that was left publicly accessible for an unknown period. Stands for Stolen Vehicle Records, the SVR Tracking service allows its customers to track their vehicles in real time by attaching a physical tracking device to vehicles in a discreet location, so their customers can monitor and recover them in case their vehicles are stolen. The leaked cache contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users' vehicle data, like VIN (vehicle identification number), IMEI numbers of GPS devices. The leaked database also exposed 339 logs that contained photographs and data about vehicle status and maintenance records, along with a document with information on the 427 dealerships that use SVR's tracking services.

Taringa, also known as "The Latin American Reddit," has been compromised in a massive data breach that has resulted in the leaked login credentials of almost all of its over 28 million users. The Hackers News reports: The Hacker News has been informed by LeakBase, a breach notification service, who has obtained a copy of the hacked database containing details on 28,722,877 accounts, which includes usernames, email addresses and hashed passwords for Taringa users. The hashed passwords use an ageing algorithm called MD5 -- which has been considered outdated even before 2012 -- that can easily be cracked, making Taringa users open to hackers. Wanna know how weak is MD5? LeakBase team has already cracked 93.79 percent (nearly 27 Million) of hashed passwords successfully within just a few days. The data breach reportedly occurred last month, and the company then alerted its users via a blog post: "It is likely that the attackers have made the database containing nicks, email addresses and encrypted passwords. No phone numbers and access credentials from other social networks have been compromised as well as addresses of bitcoin wallets from the Taringa program! Creators." the post (translated) says. "At the moment there is no concrete evidence that the attackers continue to have access to the Taringa code! and our team continues to monitor unusual movements in our infrastructure."

Yesterday, Android O officially became Android Oreo and started rolling out to Pixel and Nexus devices. While there are many new features available in the new OS, we thought we'd ask you: what are your favorite Android Oreo features? The Hacker News highlights eleven of the new features "that make Android even better" in their report: 1. No More 'Install From Unknown Sources' Setting: Prior to Android Oreo, third-party app installation requires users to enable just one setting by turning on "Install from unknown sources" -- doesn't matter from where the user has downloaded an APK file, i.e. from a browser, Bluetooth, transferred from a computer via USB or downloaded using another app. Android 8.0 Oreo has completely changed the way this feature works, bringing a much smarter and safer system called "Install other apps," in which a user has to manually permit 3rd-party app installation from different sources.
2. Autofill API Framework: Android 8.0 Oreo brings a built-in secure AutoFill API that allows users-chosen password manager to store different types of sensitive data, such as passwords, credit card numbers, phone numbers, and addresses -- and works throughout the entire system.
3. Picture-in-Picture: With Android Oreo, you can view a YouTube video while reading through a report in Word or be chatting on WhatsApp on your Android device -- thanks to Picture-in-Picture (PIP) feature.
4. Google Play Protect: Play Protect helps in detecting and removing harmful applications with more than 50 billion apps scanned every day.
5. Wi-Fi Aware (Neighborhood Aware Networking -- NAN): Android Oreo has added support for a new connectivity feature called Wi-Fi Aware, also known as Neighborhood Aware Networking (NAN), which allows apps and devices to automatically find, connect to, and share data with each other directly without any internet access point or cellular data.
6. Android Instant Apps: With Android 8.0 Oreo, you can now access a range of Instant Apps without downloading them.
7. Battery-Saving Background Limits: Google has blocked apps from reacting to "implicit broadcasts" and carrying out certain tasks when they are running in the background in an effort to enhance the battery life of Android device. Besides this, Android Oreo will also limit some background services and location updates when an app is not in use.
8. AI-based Smart Text Selection: Android Oreo brings the 'Smart Text Selection' feature, which uses Google's machine learning to detect when something like physical addresses, email addresses, names or phone numbers is selected, then automatically suggests the relevant information on other apps.
9. Notification Dots (Limit notifications): Oreo introduces Notification Dots that offers you to manage each app individually with "fine-grained control," allowing you to control how many notifications you see and how they come through.
10. Find my Device: Google has introduced a new feature, called Find my Device, which is a similar feature to Apple's Find my iPhone and allows people to locate, lock and wipe their Android devices in the event when they go missing or get stolen.
11. New Emoji and Downloadable Fonts: Android Oreo introduces 60 new emoji and a redesign of the current "blob" characters. The update also offers new color support to app developers and the ability to change or animate the shape of icons in their apps.

pizzutz writes: Chrome's popular Web Developer plugin was briefly hijacked on Wednesday when an attacker gained control of the author's Google account and released a new version (0.49) which injected ads into web pages of more than a million users who downloaded the update. The version was quickly replaced with an uncompromised version (0.5) and all users are urged to update immediately.
Lauren Weinstein has a broader warning: While the browser firms work extensively to build top-notch security and privacy controls into the browsers themselves, the unfortunate fact is that these can be undermined by add-ons, some of which are downright crooked, many more of which are sloppily written and poorly maintained. Ironically, some of these add-on extensions and apps claim to be providing more security, while actually undermining the intrinsic security of the browsers themselves. Others (and this is an extremely common scenario) claim to be providing additional search or shopping functionalities, while actually only existing to silently collect and sell user browsing activity data of all sorts.
Lauren also warns about sites that "push users very hard to install these privacy-invasive, data sucking extensions" -- and believes requests for permissions aren't a sufficient safeguard for most users. "Expecting them to really understand what these permissions mean is ludicrous. We're the software engineers and computer scientists -- most users aren't either of these. They have busy lives -- they expect our stuff to just work, and not to screw them over."

An anonymous reader quotes a report from The Hacker News: Swedish media is reporting of a massive data breach in the Swedish Transport Agency (Transportstyrelsen) after the agency mishandled an outsourcing deal with IBM, which led to the leak of the private data about every vehicle in the country, including those used by both police and military. The data breach exposed the names, photos and home addresses of millions of Swedish citizen, including fighter pilots of Swedish air force, members of the military's most secretive units, police suspects, people under the witness relocation program, the weight capacity of all roads and bridges, and much more. The incident is believed to be one of the worst government information security disasters ever.

In 2015, the Swedish Transport Agency hand over IBM an IT maintenance contract to manage its databases and networks. However, the Swedish Transport Agency uploaded IBM's entire database onto cloud servers, which covered details on every vehicle in the country, including police and military registrations, and individuals on witness protection programs. The transport agency then emailed the entire database in messages to marketers that subscribe to it. And what's terrible is that the messages were sent in clear text. When the error was discovered, the transport agency merely thought of sending a new list in another email, asking the subscribers to delete the old list themselves.

An anonymous reader quotes a report from The Hacker News: WikiLeaks has today published the 15th batch of its ongoing Vault 7 leak, this time detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors. Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network. Dubbed BothanSpy -- implant for Microsoft Windows Xshell client, and Gyrfalcon -- targets the OpenSSH client on various distributions of Linux OS, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu. Both implants steal user credentials for all active SSH sessions and then sends them to a CIA-controlled server.

An anonymous reader quotes a report from The Hacker News: The National Security Agency (NSA) -- the United States intelligence agency which is known for its secrecy and working in the dark -- has finally joined GitHub and launched an official GitHub page. GitHub is an online service designed for sharing code amongst programmers and open source community, and so far, the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program (TTP), while some of these are "coming soon." "The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace," the agency wrote on the program's page. "OSS invites the cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community's enhancements to the technology." Many of the projects the agency listed are years old that have been available on the Internet for some time. For example, SELinux (Security-Enhanced Linux) has been part of the Linux kernel for years.

Check Point researchers have discovered a massive malware campaign, dubbed Fireball, that has already infected more than 250 million computers across the world, including Windows and Mac OS. The Fireball malware "is an adware package that takes complete control of victim's web browsers and turns them into zombies, potentially allowing attackers to spy on victim's web traffic and potentially steal their data," reports The Hacker News. From the report: Check Point researchers, who discovered this massive malware campaign, linked the operation to Rafotech, a Chinese company which claims to offer digital marketing and game apps to 300 million customers. While the company is currently using Fireball for generating revenue by injecting advertisements onto the browsers, the malware can be quickly turned into a massive destroyer to cause a significant cyber security incident worldwide. Fireball comes bundled with other free software programs that you download off of the Internet. Once installed, the malware installs browser plugins to manipulate the victim's web browser configurations to replace their default search engines and home pages with fake search engines (trotux.com). "It's important to remember that when a user installs freeware, additional malware isn't necessarily dropped at the same time," researchers said. "Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors."

Xiaomi, the Chinese smartphone manufacturer many refer to as the "Apple of China," can silently install any app on your device, according to a Computer Science student and security enthusiast from the Netherlands. Thijs Broenink started investigating a mysterious pre-installed app, dubbed AnalyticsCore.apk, that constantly runs in the background and reappears even if you try and delete it. The Hacker News reports: After asking about the purpose of the AnalyticsCore app on the company's support forum and getting no response, Thijs Broenink reverse engineered the code and found that the app checks for a new update from the company's official server every 24 hours. While making these requests, the app sends device identification information with it, including the phone's IMEI, Model, MAC address, Nonce, Package name as well as signature. If there is an updated app available on the server with the filename "Analytics.apk," it will automatically get downloaded and installed in the background without user interaction. Broenink found that there is no validation at all to check which APK is getting installed to a user's phone, which means there is a way for hackers to exploit this loophole. This also means Xiaomi can remotely and silently install any application on your device just by renaming it to "Analytics.apk" and hosting it on the server. Ironically, the device connects and receives updates over HTTP connection, exposing the whole process to Man-in-the-Middle attacks."

An anonymous reader writes: Google first implemented Full Disk Encryption in Android by default with Android 5.0 Lollipop in an effort to prevent criminals or government agencies from gaining unauthorized access to one's data. What it does is it encodes all the data on a user's Android device before it's ever written to disk using a user's authentication code. Once it is encrypted, it can only be decrypted if the user enters his/her password. However, security researcher Gal Beniamini has discovered issues with the full disk encryption. He published a step-by-step guide on how one can break down the encryption protections on Android devices powered by Qualcomm Snapdragon processors. The source of the exploit is posted on GitHub. Android's disk encryption on devices with Qualcomm chips is based only on your password. However, Android uses your password to create a 2048-bit RSA key (KeyMaster) derived from it instead. Qualcomm specifically runs in the Snapdragon TrustZone to protect critical functions like encryption and biometric scanning, but Beniamini discovered that it's possible to exploit a security flaw and retrieve the keys from TrustZone. Qualcomm runs a small kernel in TrustZone to offer a Trusted Execution Environment known as Qualcomm Secure Execution Environment (QSEE), which allows small apps to run inside of QSEE away from the main Android OS. Beniamini has detailed a way for attackers to exploit an Android kernel security flaw to load their own QSEE app inside this secure environment, thereby exploiting privilege escalation flaw and hijacking of the complete QSEE space, including the keys generated for full disk encryption. The researcher also said Qualcomm or OEMs can comply with government or law enforcement agencies to break the FDE: "Since the key is available to TrustZone, Qualcomm and OEMs [Original Equipment Manufacturers] could simply create and sign a TrustZone image which extracts the KeyMaster keys and flash it to the target device," Beniamini wrote. "This would allow law enforcement to easily brute force the FDE password off the device using the leaked keys."

Dave Knott writes: The world's most popular torrent website, The Pirate Bay, is suffering a major blow after the Swedish Court ruled Thursday that it will seize the domain names 'ThePirateBay.se' and 'PirateBay.se' and hand over them to the state. This is the latest development in an ongoing legal tug-of-war between The Pirate Bay and Swedish prosecutors, which has at various times seen the courts rule in favor of either side, only to see the case proceed via further appeals. Despite previous criminal convictions, the torrent site has always remained functioning by moving to different web domains several times. However, this time, The Pirate Bay loses its main .SE domain, the world's 225th most popular website according to the Alexa ranking, as reported by the Swedish newspaper DN.

Chinese Internet Service Providers (ISPs) have been caught red-handed for injecting advertisements as well as malware through their network traffic. Three Israeli researchers uncovered that the major Chinese-based ISPs named China Telecom and China Unicom, two of Asia's largest network operators, have been engaged in an illegal practice of content injection in network traffic. Chinese ISPs had set up many proxy servers to pollute the client's network traffic not only with insignificant advertisements but also malware links, in some cases, inside the websites they visit. If an Internet user tries to access a domain that resides under these Chinese ISPs, the forged packet redirects the user's browser to parse the rogue network routes. As a result, the client's legitimate traffic will be redirected to malicious sites/ads, benefiting the ISPs.

An anonymous reader writes "Apple has removed encrypted email attachments from iOS 7. Apple said back in June 2010 in regards to iOS 4.0: 'Data protection is available for devices that offer hardware encryption, including iPhone 3GS and later, all iPad models, and iPod touch (3rd generation and later). Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages attachments, and third-party applications.' Not anymore."

pdclarry writes: "On April 8, Yahoo implemented a new DMARC policy that essentially bars any Yahoo user from accessing mailing lists hosted anywhere except on Yahoo and Google. While Yahoo is the initiator, it also affects Comcast, AT&T, Rogers, SBCGlobal, and several other ISPs. Internet Engineering Council expert John R. Levine, a specialist in email infrastructure and spam filtering, said, 'Yahoo breaks every mailing list in the world including the IETF's' on the Internet Engineering Task Force (IETF) list.

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a two-year-old proposed standard previously discussed on Slashdot that is intended to curb email abuse, including spoofing and phishing. Unfortunately, as implemented by Yahoo, it claims most mailing list users as collateral damage. Messages posted to mailing lists (including listserv, mailman, majordomo, etc) by Yahoo subscribers are blocked when the list forwards them to other Yahoo (and other participating ISPs) subscribers. List members not using Yahoo or its partners are not affected and will receive posts from Yahoo users. Posts from non-Yahoo users are delivered to Yahoo members. So essentially those suffering the most are Yahoo's (and Comcast's, and AT&T's, etc) own customers. The Hacker News has details about why DMARC has this effect on mailing lists. Their best proposed solution is to ban Yahoo email users from mailing lists and encourage them to switch to other ISPs. Unfortunately, it isn't just Yahoo, although they are getting the most attention."

sfcrazy writes "The openSUSE Forums were hijacked yesterday. An alleged Pakistani hacker who goes by handle H4x0r HuSsY reportedly exploited a vulnerability in the vBulletin 4.2.1 software SuSE uses to host the forum. vBulletin is a proprietary forum software. The openSUSE team notes that user passwords were not compromised. 'Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords where indeed random, automatically set strings that are in no way connected to your real password.' It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulleting as well as proprietary single sign on solution." SuSE was using vBulletin 4.x which has no known fix for the security hole, and they are leaving the forums offline for now. It seems likely they'll be upgrading to the 5.x series.

colinneagle writes "Ethical hacking professor Sam Bowne recently put a cookie re-use method to test on several major web services, finding that Office 365, Yahoo mail, Twitter, LinkedIn, Amazon, eBay, and WordPress all failed the security test. Both Amazon and eBay can be tied directly to your money via the method of payment you have on record. And, just for kicks, we tried it with Netflix. And it worked. Microsoft has apparently known that accounts can be hijacked since at least 2012 when The Hacker News reported the Hotmail and Outlook cookie-handling vulnerability, so Bowne was curious if Microsoft closed the hole or if stolen cookies could still be re-used. He claims he 'easily reproduced it using Chrome and the Edit This Cookie extension.'"

New submitter thn writes "John McAfee, who started the antivirus software giant named after him, has been accused of murder in Belize and is wanted. McAfee had taken to 'posting on a drug-focused Russian message board...about his attempts to purify the psychoactive compounds colloquially known as "bath salts,"' Gizmodo wrote. The scariest aspect of this story may be the fact that an entire lab was constructed for John McAfee's research purposes. Because of his efforts to extract chemicals from natural chemical plans McAfee was able to justify his experiments in a country that is largely unregulated."

An anonymous reader writes "'If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn't like you.' The Hacker News describes how the username and password system used by Virgin Mobile to let users access their account information is inherently weak and open to abuse." Computerworld also describes the problem: essentially, hard-coded, brute-force guessable passwords, coupled with an inadequate mechanism for reacting to failed attempts to log on.

An anonymous reader writes "Saudi Aramco, the world's biggest oil producer, has resumed operating its main internal computer networks after a virus infected about 30,000 of its workstations in mid-August. The group, calling itself the 'Cutting Sword of Justice,' claimed to have hacked Aramco systems in several countries before sending a virus across 30,000 computers, achieving a 75 percent infection rate of all the company's systems. It refuted suggestions that a nation state was behind the attack."

gzipped_tar writes "The 'Chinese Software Developer Network' (CSDN), operated by Bailian Midami Digital Technology Co., Ltd., is one of the largest networks of software developers in China. A text file with 6 million CSDN user credentials including user names, password, emails, all in clear text, got leaked to the Internet. The CSDN has issued a letter of apology to its users. In the letter, it is explained that passwords created before April 2009 had been stored in plain text, while later passwords were encrypted. Users created between September 2010 and January 2011 may still suffer from email address leaks. A summary of the most frequent passwords without the corresponding usernames is available at GitHub. Somewhat surprisingly, the cryptic sounding password 'dearbook' ranks 4th with 46053 accounts using it."

jjp9999 writes "More than 70,000 websites were compromised in a recent breach of InMotion. Thousands of websites were defaced and others had alterations made to give users a hard time accessing their accounts and fixing the damage. A similar attack hit JustHost back in June, and in a breach of Australian Web host DistributeIT just prior to that, hackers completely deleted more than 4,800 websites that the company was unable to recover. The incidents raise concern that hacker groups are bypassing single targets and hitting Web hosts directly, giving them access to tens of thousands of websites, rather than single targets. While the attacks have caused damage, they weren't as malicious as they could have been. Rather than defacing and deleting, hackers could have quietly planted malware in the sites or stolen customer data. Web hosting companies could be one of the largest holes in non-government cybersecurity, since malicious hackers can gain access through openings left by the Web host, regardless of the security of a given site."

An anonymous reader writes "To mark the upcoming release of the Linux 3.1 kernel IBM's Darrick Wong has proposed changing the familiar solo-Tux logo to something more, well, befitting of the version number."

First time accepted submitter JoeF writes "There is a note posted on the main kernel.org page indicating that kernel.org was compromised earlier this month: 'Earlier this month, a number of servers in the kernel.org infrastructure were compromised. We discovered this August 28th. While we currently believe that the source code repositories were unaffected, we are in the process of verifying this and taking steps to enhance security across the kernel.org infrastructure.' The note goes on to say that it is unlikely to have affected the source code repositories, due to the nature of git."

jampola writes "The Hacker News is reporting that Android password data is being stored as plain text in its SQlite database. Hackers News says that 'The password for email accounts is stored into the SQLite DB which in turn stores it on the phone's file system in plain text. Encrypting or at least transforming the password would be desirable.' I'm sure most would agree encrypted password data in at least SHA or MD5 would be kind of a good idea!"

Earlier this morning we reported that an arrest had been made relating to the hacker group LulzSec. mask.of.sanity notes "Hacking group LulzSec has poured cloud water on claims that it had stolen UK Census data and was preparing to release the records. 'Just saw the pastebin of the UK census hack. That wasn't us — don't believe fake LulzSec releases unless we put out a tweet first,' the group said from its official Twitter account."