Domain: zdnet.com
Stories and comments across the archive that link to zdnet.com.
Stories · 2,686
The Kremlin's Remote-Access Credentials Left Thousands Of Businesses Exposed For Years (zdnet.com)
A Dutch security researcher says he found credentials for the Russian government's backdoor account for accessing servers of businesses operating in Russia, ZDNet reports: The researcher says that after his initial finding, he later found the same "admin@kremlin.ru" account on over 2,000 other MongoDB databases that had been left exposed online, all belonging to local and foreign businesses operating in Russia. Examples include databases belonging to local banks, financial institutions, big telcos, and even Disney Russia.... "The first time I saw these credentials was in the user table of a Russian Lotto website," Victor Gevers told ZDNet in an interview Monday. "I had to do some digging to understand that the Kremlin requires remote access to systems that handle financial transactions....
"All the systems this password was on were already fully accessible to anyone," Gevers said. "The MongoDB databases were deployed with default settings. So anyone without authentication had CRUD [Create, Read, Update and Delete] access."
"It took a lot of time and also many attempts to contact and warn the Kremlin about this issue," the researcher added -- specifically, three years, five months and 15 days. The Kremlin reused the same credentials "everywhere," reports IT News, "leaving a large number of businesses open to access from the internet."
Long-time Slashdot reader Bismillah calls it "an illustration of the dangers of giving governments backdoors into systems and networks." -
Firefox Will Soon Warn Users of Software That Performs MitM Attacks (zdnet.com)
The Firefox browser will soon come with a new security feature that will detect and then warn users when a third-party app is performing a Man-in-the-Middle (MitM) attack by hijacking the user's HTTPS traffic. From a report: The new feature is expected to land in Firefox 66, Firefox's current beta version, scheduled for an official release in mid-March. The way this feature works is to show a visual error page when, according to a Mozilla help page, "something on your system or network is intercepting your connection and injecting certificates in a way that is not trusted by Firefox." An error message that reads "MOZILLA_PKIX_ERROR_MITM_DETECTED" will be shown whenever something like the above happens. -
New Security Flaw Impacts 5G, 4G, and 3G Telephony Protocols (zdnet.com)
A new vulnerability has been discovered in the upcoming 5G cellular mobile communications protocol. Researchers have described this new flaw as more severe than any of the previous vulnerabilities that affected the 3G and 4G standards. From a report: Further, besides 5G, this new vulnerability also impacts the older 3G and 4G protocols, providing surveillance tech vendors with a new flaw they can abuse to create next-gen IMSI-catchers that work across all modern telephony protocols. This new vulnerability has been detailed in a research paper named "New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols," published last year.
According to researchers, the vulnerability impacts AKA, which stands for Authentication and Key Agreement, a protocol that provides authentication between a user's phone and the cellular networks. The AKA protocol works by negotiating and establishing keys for encrypting the communications between a phone and the cellular network. -
Samsung Develops the First 1TB Storage Chips For Phones (engadget.com)
Samsung has started mass producing what it says is the industry's first one terabyte embedded Universal Flash Storage (eUFS) technology for smartphones. "It will give the company's mobile devices PC-like storage without the need for large-capacity microSD cards," Engadget reports. "It'll be incredibly useful if you use your phone to take tons of photos and HD videos -- Samsung says it's enough to store 260 10-minute videos in 4K UHD." From the report: "The 1TB eUFS is expected to play a critical role in bringing a more notebook-like user experience to the next generation of mobile devices," said Cheol Choi, EVP of Memory Sales & Marketing at Samsung Electronics. As ZDNet notes, Samsung's upcoming flagship devices, such as the S10, will most likely come with a 1TB option thanks to its new eUFS technology. After all, Samsung started mass producing its 512GB storage technology back in December 2017 and then debuted it with its new phones early on in the following year.
In addition to offering massive storage, the new eUFS was also designed to be faster than typical SSDs, microSDs and previous revisions of the technology. It has a 1,000-megabyte-per-second sequential read speed, twice that of the usual SSD and faster than its 512GB predecessor. Despite all those, Samsung says it'll come in the same package size as its 512GB flash memory, so it won't have to make its big phones even bigger. -
Google Chrome To Get Warnings For 'Lookalike URLs' (zdnet.com)
Google Chrome browser is set to add a feature that will warn users when accessing sites with domain names that look like authentic websites. From a report: The feature has been in the works for quite some time at Google and is a response to the practice of using typosquatted domains or IDN homograph attacks to lure users on websites they didn't intend to access. Since the release of Chrome Canary 70, Google engineers have been testing a new feature called "Navigation suggestions for lookalike URLs." In Chrome Canary distributions -- Google Chrome's testing ground for new features -- users can access the following URL to enable the feature: chrome://flags/#enable-lookalike-url-navigation-suggestions. -
Xbox One Consoles Are Down (mashable.com)
If you are having trouble getting your Xbox One online, you are not alone. Xbox One consoles around the world have stopped working. From a report: Xbox One owners are reporting major problems with their consoles online, with displays being stuck on black screens at startup, games not loading, and errors when trying to log in to Xbox Live. Microsoft is aware of the situation and has promised to give more information when they have it. Within a couple of hours, the official Xbox Support Twitter account updated everyone, saying that they have identified the problem and are working on fixing it. There is no estimate on how long it will take to fix. Bad week for Microsoft services continues. Update: The issue with Xbox Live appears to have been resolved. -
Chrome 72 Arrives With Code Injection Blocking, New Developer Features (venturebeat.com)
Following Mozilla's footsteps, Google has released Chrome 72 for Windows, Mac, and Linux. From a report: The release includes code injection blocking and new developer features. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome. With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome's regular additions and changes, developers often must make an effort to stay on top of everything available -- as well as what has been deprecated or removed -- most notably, Chrome 72 removes support for Chromecast setup on a computer. To set up a Chromecast, you'll now need to use a mobile device.
As this isn't a major release, there aren't many new features to cover. Chrome 72 for Windows, however, blocks code injections, reducing crashes caused by third-party software. The initiative to block code injections in Chrome started last year, with warnings letting users know that Chrome was fighting back. Those warnings are now gone, and Chrome blocks code injections full stop. Further reading: All the Chromium-based browsers. -
Microsoft Project Manager Says Mozilla Should Get Down From Its 'Philosophical Ivory Tower,' Cease Firefox Development (zdnet.com)
An anonymous reader quotes a report from ZDNet: A Microsoft program manager has caused a stir on Twitter over the weekend by suggesting that Firefox-maker Mozilla should give up on its own rendering engine and move on with Chromium. "Thought: It's time for @mozilla to get down from their philosophical ivory tower. The web is dominated by Chromium, if they really 'cared' about the web, they would be contributing instead of building a parallel universe that's used by less than five percent?" wrote Kenneth Auchenberg, who builds web developer tools for Microsoft's Visual Studio Code.
Auchenberg's post referred to Mozilla's response to Microsoft's announcement in December that it would scrap Edge's EdgeHTML rendering engine for Chromium's. The move will leave Firefox's Gecko engine as the only alternative to Chromium, which is used by Opera and dozens of other browsers. Few people agreed with Auchenberg, including engineers from both Mozilla and Chromium. Long-serving Mozillian Asa Dotzler was not impressed. "Just because your employer gave up on its own people and technology doesn't mean that others should follow," Dotzler replied to Auchenberg. Auchenberg clarified that he didn't want to see Mozilla vanish, but said it should reorganize into a research institution "instead of trying to justify themselves with the 'protectors of the web' narrative." -
Authorities Shut Down xDedic Marketplace For Buying Hacked Servers (zdnet.com)
The FBI, together with authorities from several European countries, has seized the domains and servers of xDedic, a notorious online marketplace where cyber-criminals would sell and buy access to hacked servers. From a report: The site has been around since 2014, but it became widely known after a Kaspersky report published in June 2016. According to the report, the site was operating as a registration-based online marketplace where several criminal groups would either put up for sale or buy hacked servers, usually in the form of compromised RDP (Remote Desktop Protocol) accounts. At the time, Kaspersky said the site listed nearly 70,000 hacked servers, for prices as little as $8 per server. [...] In Europol and FBI press releases published today, authorities announced that they've seized both the domains and the servers hosting the marketplace, effectively shutting down the site and gaining access to its list of customers. -
Japanese Government Plans To Hack Into Citizens' IoT Devices (zdnet.com)
An anonymous reader writes: The Japanese government approved a law amendment on Friday that will allow government workers to hack into people's Internet of Things devices as part of an unprecedented survey of insecure IoT devices. The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications.
NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices. The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices. The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people's homes and on enterprise networks will be tested alike. -
South Korea Rules Pre-Installed Phone Bloatware Must Be Deletable (zdnet.com)
New industry guidelines in South Korea will allow smartphone users the option of deleting unnecessary pre-installed bloatware. "The move aims to rectify an abnormal practice that causes inconvenience to smartphone users and causes unfair competition among industry players," said the Ministry of Science, ICT and Future Planning, in a press release. ZDNet reports: The measure will also help give users more data storage and improve battery life, said the ministry. Under the new guidelines, telcos are required to make most of their pre-installed apps deletable except for four necessary items related to Wi-Fi connectivity, near-field communication (NFC), the customer service center and the app store. -
Pentagon Documents the Military's Growing Domestic Drone Use (zdnet.com)
New data on the Pentagon's domestic drone use documents 11 missions during the 2018 fiscal year. That's up from 11 missions over the entire span of 2011 through 2017, as noted by Dan Gettinger, co-director of Bard College's Center for the Study of the Drone. ZDNet reports: Most of the military's 2018 missions fell under the category of "Defense Support of Civil Authorities." That meant responding to requests from the governors of California and Oregon for support during last year's wildfire season, as well as helping the South Carolina National Guard with its Hurricane Florence flood response. Defense Department drones were also on call throughout 2018 to provide Southern Border support for a regiment of the Army. In 2018, the military also used its unmanned aerial systems (UAS) in three cases to provide Defense Department installation and airspace support. It also responded to a request from the governor of New York for support during an emergency response training exercise. And for five months during the fiscal year, it used drones to support the US Customs and Border Patrol's counterdrug operations. -
Chrome API Update Will Kill a Bunch of Other Extensions, Not Just Ad Blockers (zdnet.com)
An anonymous reader writes: A planned update to one of the Google Chrome extensions APIs would kill much more than a few ad blockers, ZDNet has learned, including browser extensions for antivirus products, parental control enforcement, phishing detection, and various privacy-enhancing services. Developers for extensions published by F-Secure, NoScript, Amnesty International, and Ermes Cyber Security, among others, made their concerns public today after news broke this week that Google was considering the API change. Furthermore, efforts to port NoScript from Firefox to Chrome are also impacted, according to the plugin's author, who says the new API update all but cripples the NoScript for Chrome port. -
New Ransomware Strain is Locking Up Bitcoin Mining Rigs in China (zdnet.com)
A new strain of ransomware has been observed targeting Bitcoin mining rigs. ZDNet reports: At the time of writing, most of the infections have been reported in China, the country where most of the world's cryptocurrency mining farms are located. Named hAnt, this new ransomware strain was first seen in August of last year, but a new wave of infections has been reported hitting mining farms earlier this month. Most of the infected mining rigs are Antminer S9 and T9 devices, used for Bitcoin mining, but there have also been reports of hAnt infecting Antminer L3 rigs, used for mining Litecoin. In rare instances, Avalon Miner equipment (used for Bitcoin) was also reported as infected, but in much smaller numbers. -
DHS Issues Security Alert About Recent DNS Hijacking Attacks (zdnet.com)
The U.S. Department of Homeland Security has published today an "emergency directive" that contains guidance regarding a recent report detailing a wave of DNS hijacking incidents perpetrated out of Iran. ZDNet reports: The emergency directive [1, 2] orders government agencies to audit DNS records for unauthorized edits, change passwords, and enable multi-factor authentication for all accounts through which DNS records can be managed. The DHS document also urges government IT personnel to monitor Certificate Transparency (CT) logs for newly-issued TLS certificates that have been issued for government domains, but which have not been requested by government workers.
The emergency directive comes after the DHS issued an alert last week about ongoing DNS hijacking attacks through its US-CERT division. The DHS US-CERT alert was based on a report published last week by U.S. cyber-security firm FireEye. The now infamous report detailed a coordinated hacking campaign during which a cyber-espionage group believed to operate out of Iran had manipulated DNS records for the domains of private companies and government agencies. The purpose of these DNS hijacks was to redirect web traffic meant for companies' and agencies' internal email servers towards malicious clones, where the Iranian hackers would record login credentials. -
New Phobos Ransomware Exploits Weak Security To Hit Targets Around the World (zdnet.com)
An anonymous reader quotes a report from ZDNet: A prolific cybercrime gang behind a series of ransomware attacks is distributing a new form of the file-encrypting malware which combines two well known and successful variants in a series of attacks against businesses around the world. Dubbed Phobos by its creators, the ransomware first emerged in December and researchers at CoveWare have detailed how it shares a number of similarities with Dharma ransomware.
Like Dharma, Phobos exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack, encrypting files and demanding a ransom to be paid in bitcoin for returning the files, which in this case are locked with a .phobos extension. The demand is made in a ransom note -- and aside from 'Phobos' logos being added to the ransom note, it's exactly the same as the note used by Dharma, with the same typeface and text used throughout. Phobos is being distributed by the gang behind Dharma and likely serves as an insurance policy for malicious campaigns, providing attackers with a second option for conducting attacks, should Dharma end up decrypted or prevented from successfully extorting ransoms from victims. -
Online Casino Group Leaks Information on 108 Million Bets, Including User Details (zdnet.com)
An online casino group has leaked information on over 108 million bets, including details about customers' personal information, deposits, and withdrawals, ZDNet has learned. From the report: The data leaked from an ElasticSearch server that was left exposed online without a password, Justin Paine, the security researcher who discovered the server, told ZDNet. ElasticSearch is a portable, high-grade search engine that companies install to improve their web apps' data indexing and search capabilities. Last week, Paine came across one such ElasticSearch instance that had been left unsecured online with no authentication to protect its sensitive content. From a first look, it was clear to Paine that the server contained data from an online betting portal.
[...] After an analysis of the URLs spotted in the server's data, Paine and ZDNet concluded that all domains were running online casinos where users could place bets on classic cards and slot games, but also other non-standard betting games. Some of the domains that Paine spotted in the leaky server included kahunacasino.com, azur-casino.com, easybet.com, and viproomcasino.net, just to name a few. -
Cable Outage Sees Tonga Fall Back To Satellite Internet (zdnet.com)
The subsea cable providing Tonga, a country in the South Pacific Ocean, with broadband, the Tonga Cable, has been out since 20:30 local time on Sunday night, with the nation now relying on satellite internet instead. From a report: Provided by Kacific, the nation's digital connection to the outside world is now a Ku-band satellite accessed through local ISP Ezinet. Tonga Cable Director, Paula Piveni Piukala, said Kacific is working to boost internet and voice capacity for priority communications. "We appreciate Kacific's assistance, as Tonga currently has no other internet or mobile phone connectivity to the outside world," Piukala said. "Kacific's satellite service ensures that essential services can be maintained as we work to resolve the issue." -
Popular WordPress Plugin WPML Hacked By Angry Former Employee (zdnet.com)
A very popular WordPress plugin was hacked over the weekend after a hacker defaced its website and sent a mass message to all its customers revealing the existence of supposed unpatched security holes. From a report: In a follow-up mass email, the plugin's developers blamed the hack on a former employee, who also defaced their website. The plugin in question is WPML (or WP MultiLingual), the most popular WordPress plugin for translating and serving WordPress sites in multiple languages. According to its website, WPML has over 600,000 paying customers and is one of the very few WordPress plugins that is so reputable that it doesn't need to advertise itself with a free version on the official WordPress.org plugins repository. But on Saturday, ET timezone, the plugin faced its first major security incident since its launch in 2007. The attacker, who the WPML team claims is a former employee, sent out a mass email to all the plugin's customers. -
Red Hat Rejects MongoDB's 'Discriminatory' Server Side Public License (zdnet.com)
An anonymous reader quotes ZDNet: MongoDB is an open-source document NoSQL database with a problem. While very popular, cloud companies such as Amazon Web Services (AWS), IBM Cloud, Scalegrid, and ObjectRocket have profited from it by offering it as a service, while MongoDB Inc. hasn't been able to monetize it to the same degree. MongoDB's answer? Relicense the program under its new Server Side Public License (SSPL).
Open-source powerhouse Red Hat's reaction? Drop MongoDB from Red Hat Enterprise Linux 8. Red Hat's Technical and Community Outreach Program Manager Tom Callaway explained, in a note stating MongoDB is being removed from Fedora Linux, that "It is the belief of Fedora that the SSPL is intentionally crafted to be aggressively discriminatory towards a specific class of users." Debian Linux had already dropped MongoDB from its distribution....
The business point behind MongoDB's license change is to force cloud companies to use one of MongoDB's commercial cloud offerings. This hasn't worked either. AWS just launched DocumentDB, a database, which "is designed to be compatible with your existing MongoDB applications and tools," wrote AWS evangelist Jeff Barr. -
Firmware Vulnerability In Popular Wi-Fi Chipset Affects Laptops, Smartphones, Routers, Gaming Devices (zdnet.com)
Embedi security researcher Denis Selianin has discovered a vulnerability affecting the firmware of a popular Wi-Fi chipset deployed in a wide range of devices, such as laptops, smartphones, gaming rigs, routers, and Internet of Things (IoT) devices. According to Selianin, the vulnerability impacts ThreadX, a real-time operating system that is used as firmware for billions of devices. ZDNet reports: In a report published today, Selianin described how someone could exploit the ThreadX firmware installed on a Marvell Avastar 88W8897 wireless chipset to execute malicious code without any user interaction. The researcher chose this WiFi SoC (system-on-a-chip) because this is one of the most popular WiFi chipsets on the market, being deployed with devices such as Sony PlayStation 4, Xbox One, Microsoft Surface laptops, Samsung Chromebooks, Samsung Galaxy J1 smartphones, and Valve SteamLink cast devices, just to name a few.
"I've managed to identify ~4 total memory corruption issues in some parts of the firmware," said Selianin. "One of the discovered vulnerabilities was a special case of ThreadX block pool overflow. This vulnerability can be triggered without user interaction during the scanning for available networks." The researcher says the firmware function to scan for new WiFi networks launches automatically every five minutes, making exploitation trivial. All an attacker has to do is send malformed WiFi packets to any device with a Marvell Avastar WiFi chipset and wait until the function launches, to execute malicious code and take over the device. Selianin says he also "identified two methods of exploiting this technique, one that is specific to Marvell's own implementation of the ThreadX firmware, and one that is generic and can be applied to any ThreadX-based firmware, which, according to the ThreadX homepage, could impact as much as 6.2 billion devices," the report says. Patches are reportedly being worked on. -
Firefox To Remove UI Dark Pattern From Screenshot Tool After Months of Complaints (zdnet.com)
After months of user complaints, Mozilla will remove a misleading "dark pattern" from its page screenshot utility. From a report: The problematic feature is the "Save" button that appears when Firefox users take a screenshot. The issue is that the Save button doesn't save the screenshot to the PC, as most users would naturally expect, but uploads the image to a Mozilla server. This is not only a privacy violation, as some users don't appreciate being tricked into having sensitive images uploaded to remote servers, but also an inconvenience, as users still have to download the image locally afterward, in multiple steps. -
Oklahoma Government Data Leak Exposes FBI Investigation Records, Millions of Department Files (zdnet.com)
An anonymous reader quotes a report from ZDNet: Researchers have disclosed the existence of a server exposed to the public which not only contained terabytes of confidential government data but information relating to FBI investigations. According to UpGuard cybersecurity researchers Greg Pollock and Chris Vickery, the open storage server belonged to the Oklahoma Department of Securities (ODS), a U.S. government department which deals with securities cases and complaints. The database was found through the Shodan search engine which registered the system as publicly accessible on November 30, 2018.
The UpGuard team stumbled across the database on December 7th and notified the department a day later after verifying what they were working with. To ODS' credit, the department removed public access to the server on the same day. In order to examine the security breach, the team was able to download the server's contents. The oldest records dated back to 1986 and the most recent was timestamped in 2016. In total, there were three terabytes of information representing millions of files. Contents ranged from personal data to system credentials and internal communication records. ODS said in a statement to ZDNet: "All state IP addresses, and many city and county addresses, are registered to OMES, but the agency has no visibility into the computer systems at the Oklahoma Department of Securities. For the past eight years the state has been working to consolidate all IT infrastructure under OMES and ODS had the option to consolidate its systems voluntarily and they did not." -
Some Android GPS Apps Are Just Showing Ads on Top of Google Maps (zdnet.com)
A security researcher with antivirus maker ESET has discovered a collection of 19 Android apps that pose as GPS applications but which don't do anything but show ads on top of the legitimate Google Maps service. From a report: "They attract potential users with fake screenshots stolen from legitimate Navigation apps," said Lukas Stefanko, the ESET researcher who found them, who pointed out the 19 apps have been downloaded more than 50 million times. The apps "pretend to be full featured navigation apps, but all they can do is to create useless layer between User and Google Maps app," the researcher said. Stefanko says that the apps don't have any actual "navigation technology" and they only "misuse Google Maps." -
North Korean Hackers Infiltrate Chile's ATM Network After Skype Job Interview (zdnet.com)
A Skype call and a gullible employee were all it took for North Korean hackers to infiltrate the computer network of Redbanc, the company that interconnects the ATM infrastructure of all Chilean banks. From a report: The prime suspect behind the hack is a hacker group known as Lazarus Group (or Hidden Cobra), which has known associations with the Pyongyang regime, is one of the most active and dangerous hacking groups around, and has targeted banks, financial institutions, and cryptocurrency exchanges in past years. Lazarus' most recent attack took place at the end of December last year but only came to the public's attention after Chilean Senator Felipe Harboe called out Redbanc on Twitter last week for not disclosing its security breach. The company, which has direct lines into the networks of all Chilean banks, formally admitted to the hack a day later in a message posted on its website, but that announcement didn't include any details about the intrusion. However, a day after Redbanc's admission, an investigation conducted by Chilean tech news site trendTIC revealed that the financial firm was the victim of a serious cyber-attack, and not something that could be easily dismissed. According to reporters, the source of the hack was identified as a LinkedIn ad for a developer position at another company to which one of the Redbanc employees applied. -
Collection 1 Data Breach Exposes More Than 772 Million Email Addresses (zdnet.com)
A collection of almost 773 million unique email addresses and just under 22 million unique passwords were exposed on cloud service MEGA. Security researcher Troy Hunt said the collection of data, dubbed Collection #1, totaled over 12,000 separate files and more than 87GB of data. ZDNet reports: "What I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago," Hunt wrote. "In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see." Some passwords, including his own, have been "dehashed", that is converted back to plain text. Hunt said he gained the information after multiple people reached out to him with concerns over the data on MEGA, with the Collection #1 dump also being discussed on a hacking forum. "The post on the forum referenced 'a collection of 2000+ dehashed databases and Combos stored by topic' and provided a directory listing of 2,890 of the files," Hunt wrote. The collection has since been removed. You can visit Hunt's Have I Been Pwned service to see if you are affected by this breach. -
Firefox 69 Will Disable Adobe Flash Plugin by Default (zdnet.com)
Mozilla will take the next major step in disabling support for the Adobe Flash plugin later this year when it releases Firefox 69. From a report: Firefox 69 will be Mozilla's third last step to completely dropping support for the historically buggy plugin, which will reach end of life on December 31, 2020. Flash is the last remaining NPAPI plugin that Firefox supports. Mozilla flagged the change, spotted by Ghacks, in a new bug report that notes "we'll disable Flash by default in Nightly 69 and let that roll out". Firefox 69 stable will be released in early September, according to Mozilla's release calendar. -
WordPress To Show Warnings on Servers Running Outdated PHP Versions (zdnet.com)
The WordPress open-source content management system (CMS) will show warnings in its backend admin panel if the site runs on top of an outdated PHP version. From a report: The current plan is to have the warnings appear for sites using a PHP version prior to the 5.6.x branch (5.6 or lower). The warnings will contain a link to a WordPress support page with information on how site owners can update their server's underlying PHP version. In instances where site owners are running their WordPress portals on top of tightly-controlled web hosting environments, the web host has the option to change this link with a custom URL pointing at its own support site. [...] Around 66.7 percent of all Internet sites run an unsupported PHP version, according to W3Techs. Almost a quarter of all internet sites run on top of a WordPress CMS. -
Aaron Swartz's Federal Judge Gives Anonymous Hacker 10 Years In Prison For DDoS Attacks On Children's Hospitals (zdnet.com)
Danngggg writes: Many will remember Martin Gottesfeld since he was arrested on a speedboat coming from Cuba. He volunteered at trial that he and his wife had just been denied political asylum by Castro. Gottesfeld has said he did it to defend the life of an innocent child named Justina Pelletier. On Thursday, the same judge that oversaw the Aaron Swartz case sentenced the Anonymous hacktivist to 10 years in federal prison for a DDoS of Boston Children's Hospital, Harvard-affiliated hospitals, and Wayside Youth and Family. The sentence included $440,000 in restitution, 3 years supervised release, and other conditions. The week before, Gottesfeld docketed a 690-page affidavit (including exhibits) documenting the judge's conflicts of interest and why he doesn't belong anywhere near the case. That's available on the FreeMartyG website. Local news spoke to his wife after the sentencing hearing as well. -
German Police Ask Router Owners For Help In Identifying a Bomber's MAC Address (zdnet.com)
An anonymous reader quotes ZDNet: German authorities have asked the public for help in surfacing more details and potentially identifying the owner of a MAC address known to have been used by a bomber in late 2017... The MAC address is f8:e0:79:af:57:eb. Brandenburg police say it belongs to a suspect who tried to blackmail German courier service DHL between November 2017 and April 2018. The suspect demanded large sums of money from DHL and threatened to detonate bombs across Germany, at DHL courier stations, private companies, and in public spaces. [The bomb threats were real, but one caught fire instead of exploding, while the second failed to explode, albeit containing real explosives.]
Investigators called in to negotiate with the bomber managed to exchange emails with the attacker on three occasions, on April 6, 2018, April 13, 2018, and April 14, 2018. One of the details obtained during these conversations was the bomber's MAC address, which based on the hardware industry's MAC address allocation tables, should theoretically belong to a Motorola phone... Now, they're asking router owners to check router access logs for this address, and report any sightings to authorities. Investigators want to know to what routers/networks the bomber has connected before and after the attacks, in order to track his movements and maybe gain an insight into his identity. -
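What "check your router logs for this address" looks like in practice, as an added example that is not part of the story or of the police appeal: the script below scans router and switch log lines for the published address, accepts the three common MAC notations (colon, dash and Cisco dotted), and resolves the 24-bit vendor prefix (OUI). The log lines and the one-entry OUI table are constructed for this example; the only value taken from the story is the address itself, and the table entry merely restates the story's claim that the prefix is a Motorola allocation (a real tool would load the IEEE OUI registry). A hit is an investigative lead, not an identification: MAC addresses can be spoofed, and many devices randomise them.

```python
import re
from typing import Iterable, List, Optional, Tuple

# The only value taken from the story: the address the investigators published.
TARGET_MAC = "f8:e0:79:af:57:eb"

# Constructed one-entry OUI table. The entry restates the story's claim that the
# prefix is a Motorola allocation; a real tool would load the IEEE OUI registry.
OUI_TABLE = {"F8E079": "Motorola (per the story)"}

# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and Cisco-style aabb.ccdd.eeff,
# without matching inside longer hex runs or IPv4 addresses.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])(?:"
    r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}"
    r"|[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}"
    r")(?![0-9A-Fa-f])"
)


def normalize_mac(raw: str) -> Optional[str]:
    """Reduce any notation to 12 upper-case hex digits; None if it is not a MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    return digits.upper() if len(digits) == 12 else None


def vendor_of(mac: str) -> Optional[str]:
    """Look up the OUI (first three bytes) in the table."""
    norm = normalize_mac(mac)
    return OUI_TABLE.get(norm[:6]) if norm else None


def scan_logs(lines: Iterable[str], target: str = TARGET_MAC) -> List[Tuple[int, str]]:
    """Return (line number, line) for every line that mentions the target address."""
    wanted = normalize_mac(target)
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, 1):
        if any(normalize_mac(m.group(0)) == wanted for m in MAC_RE.finditer(line)):
            hits.append((lineno, line.rstrip()))
    return hits


# Constructed sample: dnsmasq DHCP, hostapd and a Cisco-style switch message.
SAMPLE_LOG = """\
Apr 13 09:12:01 router dnsmasq-dhcp[912]: DHCPDISCOVER(br-lan) f8:e0:79:af:57:eb
Apr 13 09:12:02 router dnsmasq-dhcp[912]: DHCPACK(br-lan) 192.168.1.37 f8:e0:79:af:57:eb android-3a9c
Apr 13 09:12:02 router hostapd: wlan0: STA F8-E0-79-AF-57-EB IEEE 802.11: associated
Apr 13 09:15:44 router dnsmasq-dhcp[912]: DHCPACK(br-lan) 192.168.1.40 3c:5a:b4:11:22:33 laptop
Apr 14 20:01:10 switch01 %MAC_MOVE: host f8e0.79af.57eb in vlan 10 moved from Gi1/0/3 to Gi1/0/7
""".splitlines()

if __name__ == "__main__":
    print("vendor:", vendor_of(TARGET_MAC))
    for lineno, line in scan_logs(SAMPLE_LOG):
        print(f"line {lineno}: {line}")
```

Run it against a real syslog export by replacing SAMPLE_LOG with the file's lines; the timestamps of the hits, not the hits themselves, are what reconstruct the suspect's movements.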
Government Shutdown: TLS Certificates Not Renewed, Many Websites Are Down (zdnet.com)
More than 80 TLS certificates used by US government websites have expired so far without being renewed, leaving some websites inaccessible to the public. From a report: NASA, the US Department of Justice, and the Court of Appeals are just some of the US government agencies currently impacted, according to Netcraft. The blame falls on the current US federal government shutdown caused by US President Donald Trump's refusal to sign any 2019 government budget bill that doesn't contain funding for a Mexico border wall he promised during his election campaign. This has resulted in hundreds of thousands of government workers being furloughed across all government agencies, including staff handling IT support and cybersecurity. As a result, government websites are dropping like flies, with no one being on hand to renew TLS certificates. -
Iranian Hackers Suspected in Worldwide DNS Hijacking Campaign (zdnet.com)
US cybersecurity firm FireEye has uncovered an extremely sophisticated hacking campaign during which a suspected Iranian group redirected traffic from companies all over the globe through their own malicious servers, recording company credentials for future attacks. From a news report: Affected organizations include telecoms, ISPs, internet infrastructure providers, government, and sensitive commercial entities across the Middle East, North Africa, Europe, and North America. FireEye analysts believe an Iranian-based group is behind the attacks, although there is no definitive proof for exact attribution just yet. Researchers said the entities targeted by the group have no financial value, but they would be of interest to the Iranian government. -
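A campaign like this works by changing an organisation's own DNS answers (A, NS or MX records) so that traffic flows through attacker infrastructure, so the practical detection is to compare live answers against a known-good baseline. The following is an added example, not FireEye's or the report's code: it parses dig-style answer lines into a snapshot, diffs the snapshot against the expected records, and additionally flags any address that falls outside the netblocks the organisation controls, which catches a redirect even when the baseline itself is stale. All names, addresses, the baseline and the "live" answers are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

Records = Dict[Tuple[str, str], List[str]]   # (owner name, type) -> rdata values

# Constructed baseline: what the organisation believes its zone should say.
BASELINE: Records = {
    ("example.org", "NS"): ["ns1.example.org.", "ns2.example.org."],
    ("example.org", "MX"): ["10 mail.example.org."],
    ("mail.example.org", "A"): ["203.0.113.10"],
    ("www.example.org", "A"): ["203.0.113.20"],
}

# Address space the organisation actually controls (constructed).
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_answers(text: str) -> Records:
    """Parse 'dig +noall +answer'-style lines: NAME TTL CLASS TYPE RDATA."""
    records: Records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.setdefault((name.rstrip("."), rtype.upper()), []).append(rdata.strip())
    return records


def audit(baseline: Records, observed: Records,
          own_prefixes=OWN_PREFIXES) -> List[Tuple[str, str, str, str]]:
    """Return (severity, name, type, detail) findings; an empty list means nothing changed."""
    findings: List[Tuple[str, str, str, str]] = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        before = sorted(baseline.get(key, []))
        after = sorted(observed.get(key, []))
        if before != after:
            # Any change to where traffic or mail is routed is a hijack until proven otherwise.
            sev = "CRITICAL" if rtype in ("NS", "A", "AAAA", "MX", "CNAME") else "WARNING"
            findings.append((sev, name, rtype, f"changed {before} -> {after}"))
        if rtype in ("A", "AAAA"):
            # Independent of the baseline: an address we do not own is never legitimate here.
            for value in after:
                if not any(ipaddress.ip_address(value) in net for net in own_prefixes):
                    findings.append((
                        "CRITICAL", name, rtype, f"{value} is outside controlled address space"))
    return findings


# Constructed live answers during a hijack: the mail host now resolves to a foreign address.
HIJACKED_ANSWER = """\
example.org.        3600 IN NS  ns1.example.org.
example.org.        3600 IN NS  ns2.example.org.
example.org.        3600 IN MX  10 mail.example.org.
mail.example.org.   300  IN A   198.51.100.77
www.example.org.    300  IN A   203.0.113.20
"""

if __name__ == "__main__":
    for finding in audit(BASELINE, parse_answers(HIJACKED_ANSWER)):
        print(*finding)
```

Query from several resolvers (including one outside your own network), since a hijack at the registrar or the authoritative server is visible everywhere, while a hijack of a single recursive resolver is not.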
Malware Found Preinstalled On Some Alcatel Smartphones (zdnet.com)
An anonymous reader quotes a report from ZDNet: A weather app that comes preinstalled on Alcatel smartphones contained malware that surreptitiously subscribed device owners to premium phone numbers behind their backs. The app, named "Weather Forecast-World Weather Accurate Radar," was developed by TCL Corporation, a Chinese electronics company that among other things owns the Alcatel, BlackBerry, and Palm brands. The app is one of the default apps that TCL installs on Alcatel smartphones, but it was also made available on the Play Store for all Android users -- where it had been downloaded and installed more than ten million times. But at one point last year, both the app included on some Alcatel devices and the one that was available on the Play Store were compromised with malware. How the malware was added to the app is unclear. TCL has not responded to phone calls requesting comment made by ZDNet this week. The app reportedly harvested users' data and sent it to China. It collected geographic locations, email addresses, and IMEI codes, which it sent back to TCL.
Upstream, a UK-based mobile security firm, also found that "the malicious code hidden inside the app would also attempt to subscribe users to premium phone numbers that incurred large charges on users' phone bills," reports ZDNet. "All in all, the company says it detected and blocked over 27 million transaction attempts across seven markets, which would have created losses of around $1.5 million to phone owners if they hadn't been blocked."
Upstream notes that most of the behavior they've seen originated only from two types of smartphones: Pixi 4 and A3 Max models. -
Windows 7 Users Who Installed January Update Report Network Issues; Some Say the Update Has Also Incorrectly Flagged Their OS License as 'Not Genuine' (itpro.co.uk)
Some Windows 7 admins are feeling the pain of Microsoft's latest updates in this week's Patch Tuesday releases. From a report: Users who've installed this Tuesday's KB4480970 cumulative January update have been complaining of network connectivity issues on those devices based on a network that uses the SMBv2 file sharing protocol. Microsoft released its update to fix several identified vulnerabilities, including a remote execution flaw in PowerShell and to add robustness against side-channel attacks like those targeting the Meltdown and Spectre flaws. But a number of users immediately complained of networking issues, with Microsoft confirming there are now three known problems with the January patch. The other issues comprise an authentication error, and a file-sharing issue affecting some user accounts. ZDNet adds: Regarding the 'Not Genuine' Windows 7 error, Microsoft confirms that "some users are reporting the KMS Activation error, 'Not Genuine', 0xc004f200 on Windows 7 devices". "We are aware of this incident and are presently investigating it. We will provide an update when available," writes Microsoft on both KB4480960 and KB4480970. -
AWS Launches Fully-Managed Document Database Service (zdnet.com)
An anonymous reader quotes a report from ZDNet: Amazon Web Services (AWS) has announced a fully-managed document database service, building the Amazon DocumentDB (with MongoDB compatibility) to support existing MongoDB workloads. The cloud giant said developers can use the same MongoDB application code, drivers, and tools as they currently do to run, manage, and scale workloads on Amazon DocumentDB. Amazon DocumentDB uses an SSD-based storage layer, with 6x replication across three separate Availability Zones. This means that Amazon DocumentDB can failover from a primary to a replica within 30 seconds, and supports MongoDB replica set emulation so applications can handle failover quickly. Each MongoDB database contains a set of collections -- similar to a relational database table -- with each collection containing a set of documents in BSON format. Amazon DocumentDB is compatible with version 3.6 of MongoDB and storage can be scaled from 10 GB up to 64 TB in increments of 10 GB. The new offering implements the MongoDB 3.6 API that allows customers to use their existing MongoDB drivers and tools with Amazon DocumentDB. In a separate report, TechCrunch's Frederic Lardinois says AWS is "giving open source the middle finger" by "taking the best open-source projects and re-using and re-branding them without always giving back to those communities."
"The wrinkle here is that MongoDB was one of the first companies that aimed to put a stop to this by re-licensing its open-source tools under a new license that explicitly stated that companies that wanted to do this had to buy a commercial license," Frederic writes. "Since then, others have followed."
"Imitation is the sincerest form of flattery, so it's not surprising that Amazon would try to capitalize on the popularity and momentum of MongoDB's document model," MongoDB CEO and president Dev Ittycheria told us. "However, developers are technically savvy enough to distinguish between the real thing and a poor imitation. MongoDB will continue to outperform any impersonations in the market." -
Google Search Results Listings Can Be Manipulated For Propaganda (zdnet.com)
A feature of the Google search engine lets threat actors alter search results in a way that could be used to push political propaganda, oppressive views, or promote fake news. From a report: The feature is known as the "knowledge panel" and is a box that usually appears at the right side of the search results, usually highlighting the main search result for a very specific query. For example, searching for Barack Obama would bring a box showing information from Barack Obama's Wikipedia page, along with links to the former president's social media profiles. But Wietze Beukema, a member of PwC's Cyber Threat Detection & Response team, has discovered that you can hijack these knowledge panels and add them to any search query, sometimes in a way that pushes legitimate search results way down the page, highlighting an incorrect result and making it look legitimate. The way this can be done is by first searching for a legitimate item, and pressing the "share" icon that appears inside a knowledge panel. -
New Tool Automates Phishing Attacks That Bypass 2FA (zdnet.com)
A new penetration testing tool published at the start of the year by a security researcher can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA). From a report: Named Modlishka -- the English pronunciation of the Polish word for mantis -- this new tool was created by Polish researcher Piotr Duszynski. Modlishka is what IT professionals call a reverse proxy, but modified for handling traffic meant for login pages and phishing operations. It sits between a user and a target website -- like Gmail, Yahoo, or ProtonMail. Phishing victims connect to the Modlishka server (hosting a phishing domain), and the reverse proxy component behind it makes requests to the site it wants to impersonate. The victim receives authentic content from the legitimate site -- let's say for example Google -- but all traffic and all the victim's interactions with the legitimate site passes through and is recorded on the Modlishka server. -
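Why a real-time proxy gets past code-based 2FA is easiest to see with the arithmetic in hand. The block below is an added example and is not part of Modlishka or of the report: it implements TOTP as specified in RFC 6238 (using the RFCs' own test secret and timestamps so the values can be checked), a server-side verifier with the customary one-step tolerance for clock drift, and a relay_attack() function that models a proxy capturing the code the victim types and submitting it to the real site a few seconds later. The code is accepted because a TOTP value is a bearer token valid for roughly one time step, and the server cannot tell who typed it; a slow manual relay fails, which is exactly the gap automation closes. Factors bound to the origin the user actually visited (FIDO2/WebAuthn security keys) are not relayable this way, a property of those protocols rather than something the report discusses.

```python
import hmac
import hashlib
import struct

# RFC 4226 / RFC 6238 test secret (20 ASCII bytes), so the values below can be
# checked against the RFCs. Everything else here is constructed for this example.
RFC_SECRET = b"12345678901234567890"
STEP = 30  # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = STEP, window: int = 1) -> bool:
    """Server-side check with the usual +/- one-step tolerance for clock drift."""
    current = at // step
    return any(
        hmac.compare_digest(hotp(secret, current + drift), code)
        for drift in range(-window, window + 1)
    )


def relay_attack(secret: bytes, victim_time: int, relay_delay: int, window: int = 1) -> bool:
    """Model of the proxy: capture the code the victim types at victim_time and submit it
    to the real site relay_delay seconds later. True means the real site accepted it."""
    captured = totp(secret, victim_time)          # read off the phishing page as typed
    return verify_totp(secret, captured, victim_time + relay_delay, window=window)


if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                   # 287082 per the RFC test vectors
    print(relay_attack(RFC_SECRET, 59, 20))       # automated relay within seconds: accepted
    print(relay_attack(RFC_SECRET, 59, 120))      # slow manual relay, two steps later: rejected
```

Shrinking the server's drift window does not help much: the proxy forwards within the same second, so any window that tolerates ordinary clock skew also tolerates the relay.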
Google Removes 85 Adware Apps That Were Installed By Millions of Users (zdnet.com)
Google has removed 85 Android apps from the official Play Store that security researchers from Trend Micro deemed to contain a common strain of adware. "The 85 apps had been downloaded over nine million times, and one app, in particular, named 'Easy Universal TV Remote,' was downloaded over five million times," reports ZDNet. From the report: While the apps were uploaded on the Play Store from different developer accounts and were signed by different digital certificates, they exhibited similar behaviors and shared the same code, researchers said in a report published today. But besides similarities in their source code, the apps were also visually identical, and were all of the same types, being either games or apps that let users play videos or control their TVs remotely.
The first time users ran any of the apps, they would proceed to show fullscreen ads in different steps, asking and reasking users to press various buttons to continue. If the user was persistent and stayed with the app until it reached a menu page, every menu button push would trigger yet another fullscreen ad, over and over again until the app would suddenly crash, hiding its original app icon. But despite the crash, unbeknownst to the user, the app would continue to run in the phone's background, showing new fullscreen ads every 15 or 30 minutes, generating profits for the fraudsters until users either removed the apps or reset devices to factory settings as a last resort. You can view a list of the 85 adware apps via this PDF file. -
Windows 10 Will Reserve 7GB of Your Computer's Storage in its Next Major Release So That Big Updates Don't Fail (zdnet.com)
In the next major release of Windows 10, Microsoft will reserve 7GB of your device's storage to resolve a Windows 10 bug caused by Windows Update not checking whether a PC has enough storage space before launching big updates. From a report: As Microsoft warned ahead of the Windows 10 October 2018 Update, systems that don't have enough space to install Microsoft's 'quality updates' or new versions of the OS will see an error message explaining there is insufficient storage space. That happens because Windows doesn't check if a device has enough space before initializing. Microsoft's current solution is for users to manually delete unnecessary temporary files and temporarily move important files like photos and videos to external storage devices to make enough space for the update. This problem is more acute for devices with little storage capacity, such as many of the cheap 32GB flash-drive PCs on the market today. -
Coinbase Suspends Ethereum Classic (ETC) Trading After Double-Spend Attacks (zdnet.com)
Cryptocurrency trading portal Coinbase delisted the Ethereum Classic (ETC) currency Monday after detecting a series of double-spend attacks over the last three days. From a report: In layman terms, double-spend attacks are when a malicious actor gains the majority computational power inside a blockchain, which they then use to enforce unauthorized transactions over legitimate ones. According to a security alert published today by Coinbase security engineer Mark Nesbitt, this is exactly what's been happening on the Ethereum Classic blockchain for the past three days, since January 5. Nesbitt says that a malicious actor has carried out 11 (at the time of writing) double-spend attacks during which they moved funds from legitimate accounts to their own. [...] According to Crypto51, it only costs $5,029 to rent enough computing power to overwhelm the ETC blockchain with your own miners and gain 51 percent hashing power to carry out a double-spend attack. -
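The relationship between an attacker's share of the hash power and the odds of a successful double-spend is quantified by the race analysis in section 11 of the Bitcoin whitepaper, which is the basis for the confirmation counts exchanges wait for. The code below is an added example, not from Coinbase, Crypto51 or the report: it implements that estimate, derives the number of confirmations needed to push the risk below a threshold for a given attacker share, and shows why no confirmation count helps once the share reaches 50 percent, which is the regime a cheaply rentable majority puts ETC in. The hash-share values in the table are illustrative.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with fraction q of the hash power ever catches up with
    the honest chain from z blocks behind (Bitcoin whitepaper, section 11). For q >= 0.5 the
    attacker's chain outgrows the honest one with certainty given enough time."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total hash power")
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * (q / p)        # expected attacker progress while honest miners find z blocks
    total = 1.0
    poisson = math.exp(-lam)  # Poisson term computed iteratively to avoid overflow at large z
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k
        # Attacker made k blocks: still z-k behind, and catching up from there has prob (q/p)^(z-k)
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def confirmations_needed(q: float, max_risk: float = 0.001, limit: int = 10_000) -> int:
    """Smallest confirmation count that brings the double-spend risk below max_risk,
    or -1 when no finite number suffices (attacker share of 50 percent or more)."""
    if q >= 0.5:
        return -1
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return -1


def risk_table(shares=(0.10, 0.30, 0.45, 0.51), confirmations=(1, 6, 24)):
    """Rows of (attacker share, confirmations, success probability) for illustrative shares."""
    return [(q, z, attacker_success_probability(q, z)) for q in shares for z in confirmations]


if __name__ == "__main__":
    for q, z, prob in risk_table():
        print(f"share={q:.2f} confirmations={z:3d} double-spend probability={prob:.6f}")
    for q in (0.10, 0.30, 0.45, 0.51):
        print(f"share={q:.2f}: confirmations for <0.1% risk = {confirmations_needed(q)}")
```

The curve is why "wait for more confirmations" is a sound policy against a minority attacker and a meaningless one against a majority: for q=0.45 the answer is already hundreds of blocks, and at 0.51 the function returns -1.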
NSA To Release a Free Reverse Engineering Tool (zdnet.com)
The US National Security Agency will release a free reverse engineering tool at the upcoming RSA security conference that will be held at the start of March, in San Francisco. From a report: The software's name is GHIDRA and in technical terms, is a disassembler, a piece of software that breaks down executable files into assembly code that can then be analyzed by humans. The NSA developed GHIDRA at the start of the 2000s, and for the past few years, it's been sharing it with other US government agencies that have cyber teams who need to look at the inner workings of malware strains or suspicious software. GHIDRA's existence was never a state secret, but the rest of the world learned about it in March 2017 when WikiLeaks published Vault7, a collection of internal documentation files that were allegedly stolen from the CIA's internal network. Those documents showed that the CIA was one of the agencies that had access to the tool. -
Linux For Cars: Tesla Isn't The Only Automaker Running Linux Under the Hood (zdnet.com)
ZDNet reports that by 2020, "many, if not most, new cars will be running with Linux." While some companies, like Tesla, run their own homebrew Linux distros, most rely on Automotive Grade Linux (AGL). AGL is a collaborative cross-industry effort developing an open platform for connected cars with over 140 members... Its membership includes Audi, Ford, Honda, Mazda, Nissan, Mercedes, Suzuki, and the world's biggest automobile company: Toyota. Why? "Automakers are becoming software companies, and just like in the tech industry, they are realizing that open source is the way forward," said Dan Cauchy, AGL's executive director, in a statement.
Car companies know that while horsepower sells, customers also want smart infotainment systems, automated safe drive features, and, eventually, self-driving cars. Linux and open source can give them all of that. The AGL's goal is to develop an open-source, common platform for infotainment systems: The Unified Code Base (UCB). This is a Linux distribution and open-source software platform for car infotainment, telematics, and instrument cluster applications... The AGL's hope is that this will serve as a de facto industry standard. It's well on its way.
Yesterday Hyundai announced that they were also joining both the AGL effort and the Linux Foundation. -
Security Researcher Cracks Google's Widevine DRM (L3 Only) (zdnet.com)
The L3 protection level of Google's Widevine DRM technology has been cracked by a British security researcher who can now decrypt content transferred via DRM-protected multimedia streams. ZDNet's Catalin Cimpanu notes that while this "sounds very cool," it's not likely to fuel a massive piracy wave because "the hack works only against Widevine L3 streams, and not L2 and L1, which are the ones that carry high-quality audio and video content." From the report: Google designed its Widevine DRM technology to work on three data protection levels -- L1, L2, and L3 -- each usable in various scenarios. According to Google's docs, the differences between the three protection levels are as follows:
L1 - all content processing and cryptography operations are handled inside a CPU that supports a Trusted Execution Environment (TEE).
L2 - only cryptography operations are handled inside a TEE.
L3 - content processing and cryptography operations are (intentionally) handled outside of a TEE, or the device doesn't support a TEE
"Soooo, after a few evenings of work, I've 100% broken Widevine L3 DRM," [British security researcher David Buchanan] said on Twitter. "Their Whitebox AES-128 implementation is vulnerable to the well-studied DFA attack, which can be used to recover the original key. Then you can decrypt the MPEG-CENC streams with plain old ffmpeg." Although Buchanan has not yet released any proof-of-concept code, it wouldn't help anyone if he did. In order to get the DRM-encrypted data blob that you want to decrypt, an attacker would still need "the right/permission" to receive the data blob in the first place. If a Netflix pirate would have this right (being an account holder), then he'd most likely (ab)use it to pirate a higher-quality version of the content, instead of bothering to decrypt low-res video and lo-fi audio. The only advantage is in regards to automating the pirating process, but as some users have pointed out, this isn't very appealing in today's tech scene where almost all devices are capable of playing HD multimedia. -
Microsoft is Privately Testing 'Bali,' a Way To Give Users Control of Data Collected About Them (zdnet.com)
Microsoft is working on a project codenamed "Bali," which is designed to give users control of data collected about them. The project is a Microsoft Research incubation effort and seems to be in private testing at this stage. From a report: I learned of the existence of Bali in a tweet from "Longhorn," which I saw via another Twitter user, "Walking Cat." Longhorn described Bali as "a project that can delete all your connection and account information (inverseprivacyproject)." I found a link to the Bali project page. That page allows those with a code to sign into the site and says those without a code can request one.
The "About" page for Bali describes it as a "new personal data bank which puts users in control of all data collected about them.... The bank will enable users to store all data (raw and inferred) generated by them. It will allow the user to visualize, manage, control, share and monetize the data." -
Data of 2.4 Million Blur Password Manager Users Left Exposed Online (zdnet.com)
Abine, the company behind the Blur password manager and the DeleteMe online privacy protection service, revealed on Monday a data breach impacting nearly 2.4 million Blur users, ZDNet reports. From the report: The breach came to light last year, on December 13, when a security researcher contacted the company about a server that exposed a file containing sensitive information about Blur users, an Abine spokesperson told ZDNet via email. The company said it followed this initial report with an internal security audit to determine the size of the breach. The audit concluded last week, and the company made the data leak public on Monday in a post on its blog. The data that was available on the web included each user's email addresses, some users' first and last names, some users' password hints but only from our old MaskMe product, and each user's encrypted Blur password. -
Google Chrome's New UI is Ugly, And People Are Very Angry (zdnet.com)
Catalin Cimpanu, writing for ZDNet: Every major user interface (UI) redesign project is a hit and miss game, and Google's new Chrome UI appears to be a colossal miss. Designed with mobile devices in mind, the new Chrome user interface style was officially rolled out in September this year, with the release of Chrome version 69. Not all users liked the new UI, and this was clear from the beginning, with some users voicing their discontent online even back then. However, those users who didn't appreciate the new lighter-toned Chrome interface had the option to visit the chrome://flags page and modify a Chrome setting and continue using Chrome's older UI.
But with Chrome version 71, released earlier this month, Google has removed the Chrome flag that allowed users to use the old UI. As you might imagine, this change did not go well, at all. Chrome's new UI might have been developed with a mobile-first approach in mind, but the UI is problematic on laptops and desktops, where its lighter tone and rounded tabs make it extremely hard to distinguish tabs from one another, especially when users open multiple tabs. Since being able to distinguish and switch between tabs at a fast pace is an important detail in most of today's internet-based jobs, many users have been having trouble adapting to the new UI both at work and at home, especially if they're the kind of people who deal with tens of tabs at the same time. -
Google Helps AI Learn To Book Flights on the Web (zdnet.com)
Researchers at Google's AI labs created a couple of novel neural networks that can succeed in navigating web forms, such as an online flight-booking site. Although baby steps at the moment, the program succeeds as well or better than some models trained using human demonstrations of pointing and clicking. From a report: In a new paper from the team, they trained a neural network to understand the structure of web pages and the choices it can make when filling out forms in an airline ticket booker, or interacting with a social media site. The work broadly employs the same category of machine learning as Google's Go-winning AlphaZero software, what is known as "reinforcement learning." In RL, a neural network develops strategies of steps to take at each stage of trying to solve a problem as it receives rewards for good choices. The researchers figured out a way to train a neural network without being given human examples of how to navigate an online booking form. The approach makes the task of learning webpages and social media networks more "scalable," they write, where the possible combinations of states and actions can reach into the tens of millions. The point is not necessarily to actually book a flight; it's more an exercise in how a neural network can find solutions to a problem with numerous variables, where human guidance, or "supervision," in training is infeasible. -
Users Report Losing Bitcoin in Clever Hack of Electrum Wallets (zdnet.com)
A hacker -- or potentially a group of hackers -- has made over 200 Bitcoin (circa $750,000 at today's exchange) using a clever attack on the infrastructure of the Electrum Bitcoin wallet over the last week. From a report: The attack resulted in legitimate Electrum wallet apps showing a message on users' computers, urging them to download a malicious wallet update from an unauthorized GitHub repository. The attack began last week on Friday, December 21, and appears to have been temporarily stopped earlier today after GitHub admins took down the hacker's GitHub repository. Admins of the Electrum wallet expect a new attack to soon get underway, with either a new GitHub repo or a link to another download location altogether. This is because the vulnerability at the heart of this attack has remained unpatched, although Electrum wallet admins have taken steps to make it less useful to the attacker. -
Hacker Steals Ten Years Worth of Data From San Diego School District (zdnet.com)
A hacker has stolen the personal details of over 500,000 San Diego Unified School District staff and students, the district revealed in a breach notice posted on its website Friday. From a report: The breach occurred because the attacker gained access to staff credentials via a tactic known as phishing -- sending authentic-looking emails that redirect users to fake login pages where attackers collect login credentials. The attack didn't go unnoticed. Some staff reported the funny-looking emails to IT staff, who investigated and eventually discovered the breach in October this year. District officials said the hacker had access to its network between January 2018 and November 1, 2018, but that he stole student and staff data going back to the 2008-2009 school year. -
Why One Tiny Island is Still a Domain Name Giant (zdnet.com)
The small Pacific island Tokelau is still the most populous country-level domain in the world, outnumbering the 20.8 million domains that use China's .cn. From a report: The UK registry for .uk domains has published its latest topsy-turvy map of the world, with land mass weighted according to the number of registered country-level domains. As it was two years ago, Tokelau remains the world's 'largest' country, thanks to its free registration policy; the number of .tk domains reached nine million in 2012 and from there tripled to 31 million by 2016. Today, the number of .tk domains stands at 21.2 million, but it still remains the largest, just ahead of China. The number of domains with China's .cn has increased over the past two years from 17 million to 20.8 million, making it the second most widely used country-level domain in the world.