Slashdot Mirror

So-called "bad bots," tasked with performing denial-of-service (DoS) attacks or other malicious activities like automatically publishing fake content or reviews, are estimated to make up roughly 37.9 percent of all internet traffic. "In 2018, one in five website requests -- 20.4 percent -- of traffic was generated by bad bots alone," reports ZDNet, citing Distil Networks' latest bot report, "Bad Bot Report 2019: The Bot Arms Race Continues." From the report: According to Distil Networks' latest bot report, the financial sector is the main target for such activity, followed by ticketing, the education sector, government websites, and gambling. Based on the analysis of hundreds of billions of bad bot requests over 2018, simple bots, which are easy to detect and defend against, accounted for 26.4 percent of bad bot traffic. Meanwhile, 52.5 percent came from those considered to be "moderately" sophisticated, equipped with the capability to use headless browser software as well as JavaScript to conduct illicit activities.

A total of 73.6 percent of bad bots are classified as Advanced Persistent Bots (APBs), which are able to cycle through random IP addresses, switch their digital identities, and mimic human behavior. Amazon is the leading ISP for bad bot traffic origins. In total, 18 percent of bad bot traffic came from the firm's services, a jump from 10.62 percent in 2017. Almost 50 percent of bad bots use Google Chrome as their user agent and 73.6 percent of bad bot traffic was recorded as originating from data centers, down from 82.7 percent in 2017. The United States outstrips all other countries as a generator of bad bots. In total, 53.4 percent of bad bot traffic came from the US, followed by the Netherlands and China. The most blocked country by IP is Russia, together with Ukraine and India.

Microsoft has lost control over a crucial subdomain that Windows 8 and Windows 10 use to deliver RSS-based news and updates to Live Tiles -- animated Windows start menu items. From a report: The subdomain (notifications.buildmypinnedsite.com) is currently under the control of Hanno Bock, a security researcher and journalist for German tech news site Golem.de. The subdomain was part of the buildmypinnedsite.com service that Microsoft set up with the launch of Windows 8, and more specifically to allow websites to show live updates inside users' Start pages and menus.

[...] Today Bock said the service no longer works. "The host that should deliver the XML files -- notifications.buildmypinnedsite.com -- only showed an error message from Microsoft's cloud service Azure," the researcher said. "The host was redirected to a subdomain of Azure. However this subdomain wasn't registered with Azure." Bock registered this subdomain on his Azure account and is currently sinkholing any requests it receives. He also notified Microsoft of the issue but said the company did not reply. "We won't keep the host registered permanently. There's a decent amount of traffic reaching this host and running up costs," the researcher said. "Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks," he warned.

A malware operation previously limited to China's borders has expanded over the past few months to infect users from all over the world, antivirus firm Bitdefender said in a report published today. From a report: Users who have the bad habit of downloading and installing cracked software applications are at the highest risk. According to Bitdefender experts, these apps are laced with a relatively new malware strain named Scranos. The most important piece of this malware is a rootkit driver that's hidden inside the tainted apps and which allows the malware to gain boot persistence and take full control over users' systems in the early stages of an infection. Although Bitdefender describes Scranos as "a work in progress, with many components in the early stage of development," the malware is still very dangerous as it is. That's because Scranos is a modular threat that once it infects a host computer, it can ping its command and control (C&C) server for additional instructions, and then download small modules to execute a fine set of operations.

Mozilla has launched a petition today to get Apple to rotate the IDFA unique identifier of iOS users every month. From a report: The purpose of this request is to prevent online advertisers from creating profiles that contain too much information about iOS users. IDFA stands for "IDentifier For Advertisers" and is a per-device unique ID. Apps running on a device can request access to this ID and relay the number to advertising SDKs/partners they use to show ads to their users. As experts from Singular, a mobile marketing firm explain, "IDFAs take the place of cookies in mobile advertising delivered to iOS devices because cookies are problematic in the mobile world." IDFAs are different from UDIDs, which stand for "unique device identifiers," which are permanent and unchangeable device identifiers. Apple added support for IDFAs specifically to replace UDIDs, which many apps were collecting for all sorts of shady reasons, enabling pervasive tracking of iOS users.

A hacker who spoke with ZDNet in February about wanting to put up for sale the data of over one billion users is getting dangerously close to his goal after releasing another 65.5 million records last week and reaching a grand total of 932 million records overall. From a report: The hacker's name is Gnosticplayers, and he's responsible for the hacks of 44 companies, including last week's revelations. Since mid-February, the hacker has been putting batches of hacked data on Dream Market, a dark web marketplace for selling illegal products, such as guns, drugs, and hacking tools. He's released data from companies like 500px, UnderArmor, ShareThis, GfyCat, and MyHeritage, just to name the bigger names. Releases have been grouped in four rounds -- Round 1 (620 million user records), Round 2 (127 million user records), Round 3 (93 million user records), and Round 4 (26.5 million user records).

Three Romanians ran a complicated online fraud operation -- along with a massive malware botnet -- for nine years, reports ZDNet, netting tens of millions of US dollars, but their crime spree is now over. But now they're all facing long prison sentences.

"The three were arrested in late 2016 after the FBI and Symantec had silently stalked their malware servers for years, patiently waiting for the highly skilled group to make mistakes that would leave enough of a breadcrumb trail to follow back to their real identities."

An anonymous Slashdot reader writes: The group started from simple eBay scams [involving non-existent cars and even a fake trucking company] to running one of the most widespread keylogger trojans around. They were considered one of the most advanced groups around, using PGP email and OTR encryption when most hackers were defacing sites under the Anonymous moniker, and using multiple proxy layers to protect their infrastructure. The group operated tens of fake websites, including a Yahoo subsidiary clone, conned and stole money from their own money mules, and were of the first groups to deploy Bitcoin crypto-mining malware on desktops, when Bitcoin could still be mined on PCs.

The Bayrob group was led by one of Romania's top IT students, who went to the dark side and helped create a malware operation that took nine years for US authorities and the FBI to track and eventually take down. Before turning hacker, he was the coach of Romania's national computer science team, although he was still a student, and won numerous awards in programming and CS contests.

Security researcher John Page has revealed a new zero-day exploit that allows remote attackers to exfiltrate Local files using Internet Explorer. "The craziest part: Windows users don't ever even have to open the now-obsolete web browser for malicious actors to use the exploit," reports Mashable. "It just needs to exist on their computer..." [H]ackers are taking advantage of a vulnerability using .MHT files, which is the file format used by Internet Explorer for its web archives. Current web browsers do not use the .MHT format, so when a PC user attempts to access this file Windows opens IE by default. To initiate the exploit, a user simply needs to open an attachment received by email, messenger, or other file transfer service...

Most worrisome, according to Page, is that Microsoft told him that it would just "consider" a fix in a future update. The security researcher says he contacted Microsoft in March before now going public with the issue. As ZDNet points out, while Internet Explorer usage makes up less than 10 percent of the web browser market, it doesn't particularly matter in this case as the exploit just requires a user to have the browser on their PC.

"I believe that, as Microsoft keeps moving Windows to a Desktop-as-a-Service model, Linux will be the last traditional PC desktop operating system standing," writes ZDNet contributing editor Steven J. Vaughan-Nichols.

"But that doesn't mean I'm blind to its problems." First, even Linus Torvalds is tired of the fragmentation in the Linux desktop. In a recent [December 2018] TFiR interview with Swapnil Bhartiya, Torvalds said, "Chromebooks and Android are the path toward the desktop." Why? Because we don't have a standardized Linux desktop. For example, better Linux desktops, such as Linux Mint, provide an easy way to install applications, but under the surface, there are half-a-dozen different ways to install programs. That makes life harder for developers. Torvalds wishes "we were better at having a standardized desktop that goes across the distributions."

Torvalds thinks there's been some progress. For software installation, he likes Flatpak. This software program, like its rival Snap, lets you install and maintain programs across different Linux distros. At the same time, this rivalry between Red Hat (which supports Flatpak) and Canonical (which backs Snap) bugs Torvalds. He's annoyed at how the "fragmentation of the different vendors have held the desktop back." None of the major Linux distributors -- Canonical, Red Hat, SUSE -- are really all that interested in supporting the Linux desktop. They all have them, but they're focused on servers, containers, the cloud, and the Internet of Things (IoT). That's, after all, is where the money is.
Linux desktop distros "tend to last for five or six years and then real life gets in the way of what's almost always a volunteer effort..." the article argues. "It is not easy building and supporting a Linux desktop. It comes with a lot of wear and tear on its developers with far too little reward."

His solution? Having a foundation create a common desktop for all Linux distros, so the Linux world could finally reap the benefits of standardization. "This would mean that many more Linux desktop developers could make a living from their work. That would improve the Linux desktop overall quality.

"It's a virtuous cycle, which would help everyone."

Russia is fining Facebook a whopping 3,000 rubles (approximately $47) for failing to comply with the country's data privacy law and store data of Russian Facebook users on servers located inside Russia. The fine serves as a stern warning for any social media company who thinks about violating its data privacy laws: Russia is not messing around. ZDNet reports: The legal proceedings started after a complaint from Roskomnadzor (Russia's Federal Service for Supervision of Communications, Information Technology and Mass Media), the country's telecommunications watchdog. Roskomnadzor lodged a complaint after Facebook failed to comply with Russia's data localization legislation -- Federal Law No. 242-FZ. Adopted on December 31, 2014, the law entered into effect on September 1, 2015. According to this legislation, all domestic and foreign companies that accumulate, store, or process the data of Russian citizens must do it on servers physically located inside Russia's borders.

Russian authorities have very rarely enforced this new law. The most high-profile case remains LinkedIn, which Roskomnadzor banned in November 2016, and the site remains blocked to this day, according to Roskomnadzor's list of banned sites that local ISPs must block on their networks. Russian news agency Interfax, which broke the story earlier today, said Facebook did not represent itself in court. Interfax also reports that Twitter was fined the same sum last week.

At least four Virtual Private Network (VPN) applications sold or made available to enterprise customers share security flaws, warns the Carnegie Mellon University CERT Coordination Center (CERT/CC) and the Department of Homeland Security's Computer Emergency Response Center (US-CERT). From a report: VPN apps from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure are impacted, CERT/CC analyst Madison Oliver said in a security alert published earlier today, echoed by the DHS' US-CERT. All four have been confirmed to store authentication and/or session cookies in an non-encrypted form inside a computer's memory or log files saved on disk.

An anonymous reader writes: Microsoft published today a generic "security configuration framework" that contains guidance for systems administrators about the basic security settings they should be applying in order to secure Windows 10 devices. The SECCON framework, the name Microsoft gave this framework, is are five different recommendations for securing a Windows 10 device, depending on its role inside an organization (Enterprise security, Enterprise high-security, Enterprise VIP security, DevOps, Administrator). [Note: last two docs are empty and don't include any info just yet].

For each of these security levels, Microsoft has published default templates for Windows policies that sysadmins can apply to desired PCs, based on the access levels those workstations have. Microsoft hopes this will automate a system administrator's job in deploying a basic minimum of security features to Windows 10 systems, on which custom modifications can then be made, depending on each enterprise's needs.

Google announced this week that Gmail has become the first major email provider to support two new security standards, namely MTA-STS and TLS Reporting. From a report: Both are extensions to the Simple Mail Transfer Protocol (SMTP), the protocol through which all emails are sent today. The purpose of MTA-STS and TLS Reporting is to help email providers establish cryptographically secure connections between each other, with the main goal of twarthing SMTP man-in-the-middle attacks. SMTP man-in-the-middle attacks are a major problem for today's email landscape, where rogue email server operators can intercept, read, and modify the contents of people's emails. The two new standards will prevent this by allowing legitimate email providers to create a secure channel for exchanging emails.

Two security researchers disclosed details this week about a group of vulnerabilities collectively referred to as Dragonblood that impact the Wi-Fi Alliance's recently launched WPA3 Wi-Fi security and authentication standard. From a report: If ever exploited, the vulnerabilities would allow an attacker within the range of a victim's network to recover the Wi-Fi password and infiltrate the target's network. In total, five vulnerabilities are part of the Dragonblood ensemble -- a denial of service attack, two downgrade attacks, and two side-channel information leaks.

While the denial of service attack is somewhat unimportant as it only leads to crashing WPA3-compatible access points, the other four are the ones that can be used to recover user passwords. Both the two downgrade attacks and two side-channel leaks exploit design flaws in the WPA3 standard's Dragonfly key exchange -- the mechanism through which clients authenticate on a WPA3 router or access point. In a downgrade attack, Wi-Fi WPA3-capable networks can be coerced in using an older and more insecure password exchange systems, which can allow attackers to retrieve the network passwords using older flaws.

An anonymous reader writes: Google wants to block some file downloads carried out via HTTP on websites that use HTTPS. The plan is to block EXE, DMG, CRX, ZIP, GZIP, BZIP, TAR, RAR, and 7Z file downloads when the download is initiated via HTTP but the website URL shows HTTPS.

Google said it's currently not thinking of blocking all downloads started from HTTP sites, since the browser already warns users about a site's poor security via the "Not Secure" indicator in the URL bar. The idea is to block insecure downloads on sites that appear to be secure (loaded via HTTPS) but where the downloads take place via plain ol' HTTP.

The Federal Bureau of Investigations does a poor job at notifying victims of a cyber-attack, a US government report released last week said. A story adds: FBI notifications arrive either too late or contain insufficient information for victims to take action, a report from the Department of Justice's Office of the Inspector General (DOJ-OIG) has concluded. The report analyzed Cyber Guardian, an FBI application for storing information about tips and ongoing investigations. The system also allows agents to enter details about suspected victims, which Cyber Guardian can later notify via automated messages. But the DOJ-OIG report said FBI agents are not using the system as it is intended. For example, interviews with 31 agents revealed that 29 entered victim information in a lead category called "Action," rather than the standard "Victim Notification."

An anonymous reader quotes ZDNet: Chinese companies have leaked a whopping 590 million resumes in the first three months of the year, ZDNet has learned from multiple security researchers. Most of the resume leaks have occurred because of poorly secured MongoDB databases and ElasticSearch servers that have been left exposed online without a password, or have ended up online following unexpected firewall errors.

Over the past few months, and especially over the last few weeks, ZDNet has received several tips about exposed servers that --when investigated-- belonged to Chinese HR-focused companies. From tiny firms exposing a handful of CVs to professional executive head-hunting firms, they've all leaked their customers' details, in one form or another... Counting all, we have 590.497 million resumes that have leaked from Chinese companies over the past three months, a worrying sign that Chinese HR companies are not taking the security of their servers seriously. The article points out that the resumes include personal information including phone numbers, home addresses, family and marital status, and in some cases, even ID numbers.

Twelve years after it was first notified of the issue, Mozilla has finally shipped a fix this week that will prevent abusive websites -- usually tech support scam sites -- from flooding users with non-stop "authentication required" login popups and prevent users from leaving or closing their browsers. From a report: The fix has been shipped in Firefox v68, the current Nightly release, and will hit the browser's stable branch sometimes in early July. According to Firefox engineer Johann Hofmann, starting with Firefox 68, web pages won't be allowed to show more than two login prompts. Starting with the third request, Firefox will intervene to suppress the authentication popup.

Mozilla previously shipped a fix for this issue, but it was incomplete, as it blocked authentication prompts that originated from subresources, such as iframes. This latest patch completes the fix by blocking all types of authentication required prompts -- including those generated by the site's main domain.

Samsung Electronics has started mass-producing its 5G chips, the company said. From a report: Among the company's new chip offerings is the Exynos Modem 5100, which contains a 5G multi-mode chipset; it is the same chipset that is used to power the Galaxy S10 5G, which became available for sale in South Korea as of Wednesday. The model, unveiled in August, is the world's first 5G modem to be compatible with the 3GPP's 5G New Radio (5G-NR) standard. Mass production for its single-chip radio frequency transceiver, the Exynos RF 5500, and supply modulator solution, the Exynos SM 5800, have also started, Samsung said. These technologies also power Samsung's flagship 5G phone. The Exynos RF 5500 has 14 receiver paths for download, 4x4 MIMO (Multiple-Input, Multiple-Output), and a higher-order 256 QAM (Quadrature Amplitude Modulation) scheme for data transfer in 5G networks; and the Eyxnos SM5800 is 30% more power efficient than previous offerings.

An anonymous reader quotes a report from ZDNet: For the past three months, a cybercrime group has been hacking into home routers -- mostly D-Link models -- to change DNS server settings and hijack traffic meant for legitimate sites and redirect it to malicious clones. The attackers operate by using well-known exploits in router firmware to hack into vulnerable devices and make silent changes to the router's DNS configuration, changes that most users won't ever notice. Targeted routers include the following models (the number to the side of each model lists the number of internet-exposed routers, as seen by the BinaryEdge search engine): D-Link DSL-2640B - 14,327; D-Link DSL-2740R - 379; D-Link DSL-2780B - 0; D-Link DSL-526B - 7; ARG-W4 ADSL routers - 0; DSLink 260E routers - 7; Secutech routers - 17; and TOTOLINK routers - 2,265.

Troy Mursch, founder and security researcher at internet monitoring firm Bad Packets, said he detected three distinct waves during which hackers have launched attacks to poison routers' DNS settings --late December 2018, early February 2019, and late March 2019. Attacks are still ongoing, he said today in a report about these attacks. A normal attack would look like this:

1. User's computer or smartphone receives wrong DNS server settings from the hacked router.
2. User tries to access legitimate site.
3. User's device makes a DNS request to the malicious DNS server.
4. Rogue server returns an incorrect IP address for the legitimate site.
5. User lands on a clone of the legitimate site, where he might be required to log in and share his password with the attackers. Update: 04/05 16:45 GMT by M : The story adds, "According to Stefan Tanase, security researcher at Ixia, these campaigns have hijacked traffic meant for Netflix, Google,PayPal, and some Brazilian banks, and have redirected users to clone sites, hosted over HTTP, on the networks of known bulletproof hosting providers."

An anonymous reader quotes a report from ZDNet: For the past three months, a cybercrime group has been hacking into home routers -- mostly D-Link models -- to change DNS server settings and hijack traffic meant for legitimate sites and redirect it to malicious clones. The attackers operate by using well-known exploits in router firmware to hack into vulnerable devices and make silent changes to the router's DNS configuration, changes that most users won't ever notice. Targeted routers include the following models (the number to the side of each model lists the number of internet-exposed routers, as seen by the BinaryEdge search engine): D-Link DSL-2640B - 14,327; D-Link DSL-2740R - 379; D-Link DSL-2780B - 0; D-Link DSL-526B - 7; ARG-W4 ADSL routers - 0; DSLink 260E routers - 7; Secutech routers - 17; and TOTOLINK routers - 2,265.

Troy Mursch, founder and security researcher at internet monitoring firm Bad Packets, said he detected three distinct waves during which hackers have launched attacks to poison routers' DNS settings --late December 2018, early February 2019, and late March 2019. Attacks are still ongoing, he said today in a report about these attacks. A normal attack would look like this:

1. User's computer or smartphone receives wrong DNS server settings from the hacked router.
2. User tries to access legitimate site.
3. User's device makes a DNS request to the malicious DNS server.
4. Rogue server returns an incorrect IP address for the legitimate site.
5. User lands on a clone of the legitimate site, where he might be required to log in and share his password with the attackers. Update: 04/05 16:45 GMT by M : The story adds, "According to Stefan Tanase, security researcher at Ixia, these campaigns have hijacked traffic meant for Netflix, Google,PayPal, and some Brazilian banks, and have redirected users to clone sites, hosted over HTTP, on the networks of known bulletproof hosting providers."

An anonymous reader quotes a report from ZDNet: This week, the Apache Software Foundation has patched a severe vulnerability in the Apache (httpd) web server project that could --under certain circumstances-- allow rogue server scripts to execute code with root privileges and take over the underlying server. The vulnerability, tracked as CVE-2019-0211, affects Apache web server releases for Unix systems only, from 2.4.17 to 2.4.38, and was fixed this week with the release of version 2.4.39. According to the Apache team, less-privileged Apache child processes (such as CGI scripts) can execute malicious code with the privileges of the parent process. Because on most Unix systems Apache httpd runs under the root user, any threat actor who has planted a malicious CGI script on an Apache server can use CVE-2019-0211 to take over the underlying system running the Apache httpd process, and inherently control the entire machine.

"First of all, it is a LOCAL vulnerability, which means you need to have some kind of access to the server," Charles Fol, the security researcher who discovered this vulnerability told ZDNet in an interview yesterday. This means that attackers either have to register accounts with shared hosting providers or compromise existing accounts. Once this happens, the attacker only needs to upload a malicious CGI script through their rented/compromised server's control panel to take control of the hosting provider's server to plant malware or steal data from other customers who have data stored on the same machine. "The web hoster has total access to the server through the 'root' account. If one of the users successfully exploits the vulnerability I reported, he/she will get full access to the server, just like the web hoster," Fol said. "This implies read/write/delete any file/database of the other clients."

An anonymous reader quotes a report from ZDNet: A German security researcher has printed the word "PWNED!" on the tracking maps of hundreds of GPS watches after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches --some of which are used by children and the elderly-- open to attackers. Speaking at the Troopers 2019 security conference that was held in Heidelberg, Germany, at the end of March, security researcher Christopher Bleckmann-Dreher presented a series of vulnerabilities impacting over 20 models of GPS watches manufactured by Austrian company Vidimensio. The watch models all share a common backend API, which works as an intermediary and storage point between the GPS watches and associated mobile apps.

Back in December 2017, Dreher discovered flaws in the mechanism through which the GPS watches communicate with this backend API server. [...] Dreher's new warning comes as the number vulnerable Vidimensio GPS watches grew ten times since December 2017, despite the warning from German authorities to destroy and stop using children smartwatches with intrusive tracking and eavesdropping capabilities. According to the researcher, the number has grown from around 700 to 7,000, of which 3,000 have been active in the past month. To raise awareness to these still-unpatched devices, Dreher told ZDNet that he has now turned to an unconventional strategy. The researcher has been using one of the security flaws he discovered to insert fake GPS coordinates in people's location history. The researcher designed these fake GPS coordinates to look like the word "PWNED!" when displayed on the location history section map --displayed inside the mobile apps and the watches' web dashboard.

An anonymous reader quotes a report from ZDNet: A German security researcher has printed the word "PWNED!" on the tracking maps of hundreds of GPS watches after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches --some of which are used by children and the elderly-- open to attackers. Speaking at the Troopers 2019 security conference that was held in Heidelberg, Germany, at the end of March, security researcher Christopher Bleckmann-Dreher presented a series of vulnerabilities impacting over 20 models of GPS watches manufactured by Austrian company Vidimensio. The watch models all share a common backend API, which works as an intermediary and storage point between the GPS watches and associated mobile apps.

Back in December 2017, Dreher discovered flaws in the mechanism through which the GPS watches communicate with this backend API server. [...] Dreher's new warning comes as the number vulnerable Vidimensio GPS watches grew ten times since December 2017, despite the warning from German authorities to destroy and stop using children smartwatches with intrusive tracking and eavesdropping capabilities. According to the researcher, the number has grown from around 700 to 7,000, of which 3,000 have been active in the past month. To raise awareness to these still-unpatched devices, Dreher told ZDNet that he has now turned to an unconventional strategy. The researcher has been using one of the security flaws he discovered to insert fake GPS coordinates in people's location history. The researcher designed these fake GPS coordinates to look like the word "PWNED!" when displayed on the location history section map --displayed inside the mobile apps and the watches' web dashboard.

Starting today, Microsoft is ending all ebook sales in its Microsoft Store for Windows PCs. "Previously purchased ebooks will be removed from users' libraries in early July," reports The Verge. "Even free ones will be deleted. The company will offer full refunds to users for any books they've purchased or preordered." From the report: Microsoft's "official reason," according to ZDNet, is that this move is part of a strategy to help streamline the focus of the Microsoft Store. It seems that the company no longer has an interest in trying to compete with Amazon, Apple Books, and Google Play Books. It's a bit hard to imagine why anyone would go with Microsoft over those options anyway.

If you have purchased ebooks from Microsoft, you can continue accessing them through the Edge browser until everything vanishes in July. After that, customers can expect to automatically receive a refund. According to a newly published Microsoft Store FAQ, "refund processing for eligible customers start rolling out automatically in early July 2019 to your original payment method." If your original payment method is no longer valid (or if you used a gift card), you'll receive a credit back to your Microsoft account to use online at the Microsoft Store. Microsoft will also offer an additional $25 credit (to your Microsoft account) if you annotated or marked up any ebook that you purchased from the Microsoft Store prior to today, April 2nd. Liliputing reminds us that "if you pay for eBooks, music, movies, video games, or any other content from a store that uses DRM, then you aren't really buying those digital items so much as paying a license fee for the rights to access them... a right that can be revoked if the company decides to remove a title from your device unexpectedly or if a company shuts down a server that would normally handle the digital rights management features."

You can find DRM-free eBooks at some online stores including Smashwords and Kobo (by browsing the DRM-free selection), or from publisher websites including Angry Robot, and Baen.

Mozilla said this week that it intends to run two experiments over the course of this month to determine the most adequate way of dealing with push notification spam, a growing problem that is slowly deteriorating the web experience for everyone. From a report: The experiments will run in Firefox Nightly (v68) and Firefox Beta (v67). The Firefox Nightly experiment will run from April 1 to April 29. During this time, Mozilla said Firefox Nightly would only allow websites to show a push notification permission only after the user has clicked or pressed a key while on a website. All attempts to show a push notification permission request before a click or key press will be blocked by default. [...] In the last two weeks of the experiment, Firefox will show an icon in the URL bar, but with no visible popup on the page. Users can click this icon and accept any push notification permission requests if they wish so. Further reading: Mozilla and Scroll Partner To Test Alternative Funding Models for the Web.

Two new studies reaffirm every computer dunce's worst fears: IT professionals blame the employees they're bound to help for their computer problems -- at least when it comes to security. From a report: One, courtesy of SaaS operations management platform BetterCloud, offers grim reading. 91 percent of the 500 IT and security professionals surveyed admitted they feel vulnerable to insider threats. Which only makes one wonder about the supreme (over-)confidence of the other 9 percent.

[...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.

At SUSECon in Nashville, Tennessee, European Linux power SUSE CEO Nils Brauckmann said his company would soon be the largest independent Linux company. "That's because, of course, IBM is acquiring Red Hat," reports ZDNet. "But, simultaneously, SUSE has continued to grow for seven-straight years." From the report: Brauckmann said, "We believe that makes our status as a truly independent open source company more important than ever. Our genuinely open-source solutions, flexible business practices, lack of enforced vendor lock-in, and exceptional service are more critical to customer and partner organizations, and our independence coincides with our single-minded focus on delivering what is best for them." Practically speaking, SUSE has been growing by focusing on delivering high-quality Linux and open-source programs and services to enterprise customers. Looking ahead Brauckmann said, "SUSE is better positioned to bring more innovation to customers and partners faster through both organic growth and acquisitions, keeping us on track to provide them with the open solutions that keep them ahead with their own customers in their own markets. We continue to adapt so our customers and partners can succeed."

Last year SUSE's revenue grew by 15 percent in fiscal year 2018, and the business is about to surpass the $400 million revenue mark for the first time. SUSE, which sees not quite half of its business in Europe, is also seeing revenue growth around the world. North America, for example, now accounts for almost 40 percent of SUSE's revenues. The company is also expanding. SUSE added more than 300 employees in the last 12 months. For the most part this has been in engineering followed by sales and services. SUSE staff is now approaching 1,750 globally and its plans on continuing to hire aggressively.

Google announced today that Gmail has become the first major email provider to support two new security standards, namely MTA-STS and TLS Reporting. Both are extensions to the Simple Mail Transfer Protocol (SMTP), the protocol through which all emails are sent today. ZDNet reports: The purpose of MTA-STS and TLS Reporting is to help email providers establish cryptographically secure connections between each other, with the main goal of thwarting SMTP man-in-the-middle attacks. The two new standards will prevent this by allowing legitimate email providers to create a secure channel for exchanging emails. For example, SMTP MTA Strict Transport Security (MTA-STS) works by allowing email server admins to set up an MTA-STS policy on their server. This policy allows a legitimate provider to request that external email servers verify the security of a SMTP connections before sending any emails. Minimum requirements, such as forcing external email servers to authenticate with a valid public certificate encrypted with TLS 1.2 or higher, can be enforced, depending on preferences, ensuring that emails sent to a company's server travel through an obligatory and properly encrypted channel -- or they don't arrive at all.

In addition, the TLS Reporting SMTP extension sets up a reporting mechanism through which a legitimate email server can request daily reports from other email servers about the success or failure of emails that have been sent to the legitimate server's domain. Both, when combined, will either prevent or help email server admins identify SMTP man-in-the-middle attacks against their email traffic.

Over 13,000 iSCSI storage clusters are currently accessible via the internet after their respective owners forgot to enable authentication. From a report: This misconfiguration has the risk of causing serious harm to devices' owners, as cyber-criminal groups could access these internet-accessible hard drives (storage disk arrays and NAS devices) to replace legitimate files with malware, insert backdoors inside backups, or steal company information stored on the unprotected devices. [...] Over the weekend, penetration tester A Shadow tipped ZDNet about this hugely dangerous misconfiguration issue. The researcher found over 13,500 iSCSI clusters on Shodan, a search engine that indexes internet-connected devices. In an online conversation with ZDNet, the researcher described this iSCSI exposure as a "dangerous backdoor" that can allow cyber-criminals to plant ransomware-infected files on companies' networks, steal company data, or place backdoors inside backup archives that may get activated when a company restores one of these booby-trapped files.

At the Black Hat Asia 2019 security conference, security researchers from Positive Technologies disclosed the existence of a previously unknown and undocumented feature in Intel chipsets. From a report: Called Intel Visualization of Internal Signals Architecture (Intel VISA), Positive Technologies researchers Maxim Goryachy and Mark Ermolov said this is a new utility included in modern Intel chipsets to help with testing and debugging on manufacturing lines. VISA is included with Platform Controller Hub (PCH) chipsets part of modern Intel CPUs and works like a full-fledged logic signal analyzer. According to the two researchers, VISA intercepts electronic signals sent from internal buses and peripherals (display, keyboard, and webcam) to the PCH -- and later the main CPU. Unauthorized access to the VISA feature would allow a threat actor to intercept data from the computer memory and create spyware that works at the lowest possible level. But despite its extremely intrusive nature, very little is known about this new technology.

An anonymous reader quotes a report from ZDNet: A group of academics from South Korea have identified 36 new vulnerabilities in the Long-Term Evolution (LTE) standard used by thousands of mobile networks and hundreds of millions of users across the world. The vulnerabilities allow attackers to disrupt mobile base stations, block incoming calls to a device, disconnect users from a mobile network, send spoofed SMS messages, and eavesdrop and manipulate user data traffic. They were discovered by a four-person research team from the Korea Advanced Institute of Science and Technology Constitution (KAIST), and documented in a research paper they intend to present at the IEEE Symposium on Security and Privacy in late May 2019.

The Korean researchers said they found 51 LTE vulnerabilities, of which 36 are new, and 15 have been first identified by other research groups in the past. They discovered this sheer number of flaws by using a technique known as fuzzing --a code testing method that inputs a large quantity of random data into an application and analyzes the output for abnormalities, which, in turn, give developers a hint about the presence of possible bugs. The resulting vulnerabilities, see image below or this Google Docs sheet, were located in both the design and implementation of the LTE standard among the different carriers and device vendors. The KAIST team said it notified both the 3GPP (industry body behind LTE standard) and the GSMA (industry body that represents mobile operators), but also the corresponding baseband chipset vendors and network equipment vendors on whose hardware they performed the LTEFuzz tests.

An anonymous reader quotes a report from ZDNet: French authorities have arrested five men who stole over 120,000 liters (26,400 gallons) of fuel from gas stations around Paris by unlocking gas pumps using a special remote. The five-man team operated with the help of a special remote they bought online and which could unlock a particular brand of gas pumps installed at Total gas stations. The hack was possible because some gas station managers didn't change the gas pump's default lock code from the standard 0000. Hackers would use this simple PIN code to reset fuel prices and remove any fill-up limits.

Crooks would operate in small teams of two to three individuals who visited gas stations at night using two vehicles. A man in a first car would use the remote to unlock the gas station, and then a second car, usually a van, would come along seconds later to fill a giant tanker installed in the back of the vehicle with as much as 2,000 or 3,000 liters in one go. The group advertised the fuel they stole on social media, providing a time and place where customers could come and refuel their vehicles or pick up orders for gasoline and diesel at smaller prices. Police uncovered the scheme in April 2018, when they arrested a suspect in possession of a remote used in the hack. "Five men, part of the same gang, were arrested on Monday, according to Le Parisien, who first reported the scheme last November," the report adds.

An anonymous reader quotes a report from ZDNet: Court documents unsealed today revealed that Microsoft has been waging a secret battle against a group of Iranian government-sponsored hackers. The OS maker sued and won a restraining order that allowed it to take control of 99 web domains that had been previously owned and operated by a group of Iranian hackers known in cyber-security circles as APT35, Phosphorus, Charming Kitten, and the Ajax Security Team. The domains had been used as part of spear-phishing campaigns aimed at users in the US and across the world.

APT35 hackers had registered these domains to incorporate the names of well-known brands, such as Microsoft, Yahoo, and others. The domains were then used to collect login credentials for users the group had tricked into accessing their sites. The tactic is decades old but is still extremely successful at tricking users into unwittingly disclosing usernames and passwords, even today. Some of the domains Microsoft has confiscated include the likes of outlook-verify.net, yahoo-verify.net, verification-live.com, and myaccount-services.net. Microsoft said it received substantial support from the domain registrars, which transferred the domains over to Microsoft as soon as the company obtained a court order.

According to ZDNet, researchers at Microsoft have discovered a buggy Huawei utility that could have given attackers a cheap way to undermine the security of the Windows kernel. From the report: Microsoft has now detailed how it found a severe local privilege escalation flaw in the Huawei PCManager driver software for its MateBook line of Windows 10 laptops. Thanks to Microsoft's work, the Chinese tech giant patched the flaw in January. As Microsoft researchers explain, third-party kernel drivers are becoming more attractive to attackers as a side-door to attacking the kernel without having to overcome its protections using an expensive zero-day kernel exploit in Windows. The flaw in Huawei's software was detected by new kernel sensors that were implemented in the Windows 10 October 2018 Update, aka version 1809.

The kernel sensors are meant to address the difficulty of detecting malicious code running in the kernel and are designed to detect user-space asynchronous procedure call (APC) code injection from the kernel. Microsoft Defender ATP anti-malware uses these sensors to detect actions caused by kernel code that may inject code into user-mode. Huawei's PCManager triggered Defender ATP alerts on multiple Windows 10 devices, prompting Microsoft to launch an investigation. [...] The investigation led the researcher to the executable MateBookService.exe. Due to a flaw in Huawei's 'watchdog' mechanism for HwOs2Ec10x64.sys, an attacker is able to create a malicious instance of MateBookService.exe to gain elevated privileges. The flaw can be used to make code running with low privileges read and write to other processes or to kernel space, leading to a "full machine compromise." Long-time Slashdot reader shanen writes: Though the story features Huawei, there doesn't seem to be anything specific to that company there. Just innuendo that you can't trust Chinese companies, eh? "Don't throw your computer into that Chinese briar patch!" Anyway, the sordid reality is that Microsoft is the root of all evils in the Windows platform. If increasing security had been half as important as maximizing profits, then we'd be in a much better world today. All complicated software is buggy, but adding complexity for no good reason is just begging for more problems. Here's a crazy solution approach: Any OS feature that isn't used by a LARGE majority of the users should be REMOVED from the OS. Maybe that isn't strong enough. Maybe the OS should be strictly limited to what absolutely needs to be there. Guard those eggs carefully!

Dream Market, today's top dark web marketplace, today announced plans to shut down on April 30. From a report: The announcement came on the same day Europol, FBI, and DEA officials announced tens of arrests and a massive crackdown on dark web drug trafficking. The timing of the four announcements immediately sent most of Dream Market's users and dark web threat intel analysts into a frenzy of theories that law enforcement might have already seized the site and are now running a honeypot operation. Their fears are based on a similar event from June 2017 when Dutch police took over Hansa Market and ran the site for a month while collecting evidence on the portal's users. Law enforcement later used passwords collected from Hansa Market users to gain access to accounts on other dark web marketplaces.

Google has patched a Chrome bug that was being abused in the wild by tech support scammers to create artificial mouse cursors and lock users inside browser pages by preventing them from closing and leaving browser tabs. From a report: The trick was first spotted in September 2018 by Malwarebytes analyst Jerome Segura. Called an "evil cursor," it relied on using a custom image to replace the operating system's standard mouse cursor graphic. A criminal group that Malwarebytes called Partnerstroka operated by switching the standard OS 32-by-32 pixels mouse cursor with one of 128 or 256 pixels in size. A normal cursor would still appear on screen, but in the corner of a bigger transparent bounding box. [...] The "evil cursor" fix is currently live for Google Canary users, and is scheduled to land in the Chrome 75 stable branch, to be released later this spring.

A research duo who hacked a Tesla were the big winners at the annual Pwn2Own white hat security contest, reports ZDNet. "The duo earned $375,000 in prize money, of the total of $545,000 awarded during the whole three-day competition... They also get to keep the car." Team Fluoroacetate -- made up of Amat Cama and Richard Zhu -- hacked the Tesla car via its browser. They used a JIT bug in the browser renderer process to execute code on the car's firmware and show a message on its entertainment system... Besides keeping the car, they also received a $35,000 reward. "In the coming days we will release a software update that addresses this research," a Tesla spokesperson told ZDNet today in regards to the Pwn2Own vulnerability.

Not coincidentally, Team Fluoroacetate also won the three-day contest after earning 36 "Master of Pwn" points for successful exploits in Apple Safari, Firefox, Microsoft Edge, VMware Workstation, and Windows 10... [R]esearchers also exploited vulnerabilities in Apple Safari, Microsoft Edge, VMware Workstation, Oracle Virtualbox, and Windows 10.

Earlier this month, Microsoft made the source code for its Windows calculator available on GitHub. This has spurred developers to add new features to the app, like a new graphing mode that will make its way to the official Windows Calculator app. The "Graphing Mode" is one of 30+ suggestions that open-source contributors have proposed so far. The ZDNet reports: As its name implies, Graphing Mode will allow users to create graphs based on mathematical equations, in a similar way to Matlab's (way more advanced) Plotting Mode. The feature was proposed by Microsoft engineer Dave Grochocki, also a member of the Windows Calculator team. In a GitHub issue Grochocki submitted to support his proposal, he argued that a graphing mode would help students learn algebra easier.

"High school algebra is the gateway to mathematics and all other disciplines of STEM," Grochocki said. "However, algebra is the single most failed course in high school, as well as the most failed course in community college." By adding a Graphing Mode to Windows Calculator, an app included with all Windows 10 versions, the Microsoft engineer hopes to provide students and teachers with a free tool to help schools across the world. "Physical graphing calculators can be expensive, software solutions require licenses and configuration by school IT departments, and online solutions are not always an option," he added. "Graphing capabilities in their daily tools are essential for students who are beginning to explore linear algebra as early as 8th grade. [...] At present, Windows Calculator does not currently have the needed functionality to meet the demands of students."

There's no timeline for when the new graphing mode will arrive, but it should arrive soon.

A scan of billions of files from 13 percent of all GitHub public repositories over a period of six months has revealed that over 100,000 repos have leaked API tokens and cryptographic keys, with thousands of new repositories leaking new secrets on a daily basis. From a report: The scan was the object of academic research carried out by a team from the North Carolina State University (NCSU), and the study's results have been shared with GitHub, which acted on the findings to accelerate its work on a new security feature called Token Scanning, currently in beta. The NCSU study is the most comprehensive and in-depth GitHub scan to date and exceeds any previous research of its kind. NCSU academics scanned GitHub accounts for a period of nearly six months, between October 31, 2017, and April 20, 2018, and looked for text strings formatted like API tokens and cryptographic keys.

The battle between PewDiePie, currently the most subscribed channel on YouTube, and T-Series, an Indian music label, continues to have strange repercussions. In recent months, as T-Series closes in on the gap to beat PewDiePie for the crown of the most subscribers on YouTube, alleged supporters of PewDiePie, in an unusual show of love, have hacked Chromecasts and printers to persuade victims to subscribe to PewDiePie's channel. Now ZDNet reports about a second strain of ransomware that is linked to PewDiePie. From the report: A second one appeared in January, and this was actually a fully functional ransomware strain. Called PewCrypt, this ransomware was coded in Java, and it encrypted users' files in the "proper" way, with a method of recovering files at a later date. The catch --you couldn't buy a decryption key, but instead, victims had to wait until PewDiePie gained over 100 million followers before being allowed to decrypt any of the encrypted files. At the time of writing, PewDiePie had around 90 million fans, meaning any victim would be in for a long wait before they could regain access to any of their files. Making matters worse, if T-Series got to 100 million subscribers before PewDiePie, then PewCrypt would delete the user's encryption key for good, leaving users without a way to recover their data.

While the ransomware was put together as a joke, sadly, it did infect a few users, ZDNet has learned. Its author eventually realized the world of trouble he'd get into if any of those victims filed complaints with authorities, and released the ransomware's source code on GitHub, along with a command-line-based decryption tool.

HMD Global, the Finnish company that sublicensed the Nokia smartphone brand from Microsoft, is under investigation in Finland for collecting and sending some phone owners' information to a server located in China. From a report: In a statement to Finnish newspaper Helsingin Sanomat, the company blamed the data collection on a coding mistake during which an "activation package" was accidentally included in some phones' firmware. HMD Global said that only a single batch of Nokia 7 Plus devices were impacted and included this package. The data collection was exposed today in an investigation published by Norwegian broadcaster NRK, which learned of it from a user's tip. According to NRK, affected Nokia phones collected user data every time the devices were turned on, unlocked, or the screen was revived from a sleep state. Collected data included the phone's GPS coordinates, network information, phone serial number, and SIM card number.

Google has banned ads for virtual private network (VPN) products targeting Chinese users, ZDNet reported on Wednesday. From a report: The company cited "local legal restrictions" as the cause of the VPN ad ban. "It is currently Google Ads policy to disallow promoting VPN services in China, due to local legal restrictions," Google said in an email today. The email was received and shared with ZDNet by VPNMentor, a website offering advice, tips, and reviews of VPN products. The company said Google prevented its employees from placing Google search ads for the Chinese version of its site.

Norsk Hydro, one of the world's largest aluminum producers, said today it has "became victim of an extensive cyber-attack" that has crippled some of its infrastructure and forced it to switch to manual operations in some smelting locations. From a report: The cyber-attack was later identified as an infection with the LockerGoga ransomware strain, the company said during a press conference. News of the cyber-attack broke earlier this morning in a message the company sent to investors and stock exchanges. "Hydro became victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company's business areas," the company said. "IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible."

EU governments are allowing more than 100 advertising companies, including Google and Facebook, to surreptitiously track citizens across sensitive public sector websites, in apparent violation of their own EU data protection rules, a study has found. From a report: Danish browser-analysis company Cookiebot found ad trackers -- which log users' locations, devices and browsing behaviours for advertisers -- on the official government websites of 25 EU member states [Editor's note: the link may be paywalled; alternative source]. The French government had the highest number of ad trackers on its site, with 52 different companies tracking users' behaviour. Google, YouTube and DoubleClick, Google's advertising platform, accounted for three of the top five tracking domains on 22 of the main government websites. Researchers also studied the websites for EU public health services, finding that people seeking health advice on sensitive topics such as abortion, HIV and mental illness were met with commercial ad trackers on more than half of the sites analysed.

An anonymous reader quotes a report from ZDNet: A hacker set off the tornado emergency sirens in the middle of the night last week across two North Texas towns. Following the unauthorized intrusion, city authorities had to shut down their emergency warning system a day before major storms and potential tornados were set to hit the area. The false alarm caused quite the panic in the two towns, as locals were already on the edge of their seats regarding incoming storms. The city had run tests of the tornado alarm sirens a week before, but the tests were set during the middle of the day and had long concluded. The two hacked systems were taken offline the next morning, and remained offline ever since.

Bad weather, including storms and potential tornadoes, was announced for all last week in the North Texas area. A severe thunderstorm hit the two cities the following night, on March 13. Thunderstorms are known to produce brief tornadoes, but luck had it that no tornado formed and hit the towns that day. Tornadoes are frequent in Texas, as the state is located in Tornado Alley, and tornado season, a period of the year between March and May when most tornadoes happen, had officially begun. Nevertheless, a tornado didn't form on March 13, and, luckily, the sirens weren't needed.

An anonymous reader quotes a report from ZDNet: Security researchers have spotted a new variant of the Mirai IoT malware in the wild targeting two new classes of devices -- smart signage TVs and wireless presentation systems. This new strain is being used by a new IoT botnet that security researchers from Palo Alto Networks have spotted earlier this year. The botnet's author(s) appears to have invested quite a lot of their time in upgrading older versions of the Mirai malware with new exploits. Palo Alto Networks researchers say this new Mirai botnet uses 27 exploits, 11 of which are new to Mirai altogether, to break into smart IoT devices and networking equipment. Furthermore, the botnet operator has also expanded Mirai's built-in list of default credentials, that the malware is using to break into devices that use default passwords. Four new username and password combos have been added to Mirai's considerable list of default creds, researchers said in a report published earlier today.

The purpose and modus operandi of this new Mirai botnet are the same as all the previous botnets. Infected devices scan the internet for other IoT devices with exposed Telnet ports and use the default credentials (from their internal lists) to break in and take over these new devices. The infected bots also scan the internet for specific device types and then attempt to use one of the 27 exploits to take over unpatched systems. The new Mirai botnet is specifically targeting LG Supersign signage TVs and WePresent WiPG-1000 wireless presentation systems.

Long-time Slashdot reader skdffff quotes ZDnet: F5 Networks on Monday announced that it will acquire NGINX, which provides popular open-source software of the same name, for $670 million. The deal advances F5's aim of capitalizing on the trend toward multi-cloud deployments.

F5 plans to enhance NGINX's current offerings with F5 security solutions and will integrate F5 cloud-native technology with NGINX's software load balancing technology. This should accelerate F5's time to market of application services for containerized applications. Meanwhile, NGINX will benefit from F5's global salesforce, channel infrastructure and partner ecosystem.

The acquisition adds "the power of NGINX's open source innovation to F5's ADC leadership and enterprise reach," NGINX CEO Gus Robertson said in a statement

Microsoft showed off the ability to mirror applications running on an Android phone to a Windows 10 PC last fall. Windows Insiders could begin testing this feature as soon as this week. From a report: MSPoweruser reports that the Android app-mirroring feature initially will be available on certain Android phones running Android 7.0 or greater, specifically the Samsung Galaxy S8, S8+, S9 and S9+. Supported Windows 10 PCs need to have the "Bluetooth radio supports Low Energy Peripheral Role" on their systems in order to get the app-mirroring feature to work. Users will need to have Microsoft's Your Phone app installed for the feature to work. Only Windows Insiders running the latest test builds on certain devices will be able to test app-mirroring at first.The app-mirroring feature potentially could be available to Insiders as soon as this week.

CSS, or the language that styles and arranges how page elements appear on a website, will soon get support for trigonometry functions such as sine, cosine, tangent, and others, ZDNet is reporting. From the report: The new trigonometry functions were approved at the end of February in a meeting of the World Wide Web Consortium (W3C) CSS Working Group. The new functions approved and set to join the CSS standard are: Sine - sin(), cosine - cos(), tangent - tan(), arccosine - acos(), arcsine - asin(), arctangent - atan(), arctangent (of two numbers x and y) - atan2(), square root - sqrt(), square root of the sum of squares of its arguments - hypot(), and power of - pow().

Experts have proven once again that facial recognition on modern devices remains hilariously insecure and can be bypassed using simple tricks such as showing an image or a video in front of a device's camera. From a report: The latest device to fall victim to such attacks is Samsung Galaxy S10, Samsung's latest top tier phone and considered one of the world's most advanced smartphones to date. Unfortunately, the Galaxy S10's facial recognition feature remains just as weak as the one supported in its previous versions or on the devices of its competitors, according to Lewis Hilsenteger, a smartphone reviewer better known as Unbox Therapy on YouTube. Hilsenteger showed in a demo video uploaded on his YouTube channel last week how putting up a video of the phone owner in front of the Galaxy S10 front camera would trick the facial recognition system into unlocking the device.