Privacy

Uber Is Under Investigation By Multiple States Over a 2016 Data Breach (recode.net) 6

Yesterday, it was reported that Uber concealed a massive cyberattack that exposed 57 million people's data. Recode reports that at least five states -- Illinois, Massachusetts, Missouri, New York and Connecticut -- would investigate the matter. From the report: Meanwhile, Uber must contend with the possible threat of a new probe at the Federal Trade Commission. The agency, which acts as the U.S. government's top privacy and security watchdog, penalized Uber for its privacy and security practices just this August. But it may not have known that Uber had suffered a major security breach in 2016, even as they investigated the company at the same time for other, unrelated security missteps. For now, the agency merely said it's "closely evaluating the serious issues raised." And some affected customers are similarly taking action. On Wednesday -- hours after the breach became public -- an Uber user filed a lawsuit accusing the company of negligence and deceptive business practices. The plaintiff, Alejandro Flores, is seeking to represent a class of affected riders and drivers alike.

For one thing, 48 states maintain some version of a law that requires companies that suffer a data breach to communicate what happened to consumers. In most cases, companies must disclose a security incident if hackers steal very sensitive customer data -- such as driver's license numbers, which happened with Uber in late 2016. To that end, the attorneys general in Illinois, Connecticut and New York have said they are probing the breach at Uber -- perhaps with an eye on whether the company skirted state laws. The top prosecutors in other major states, like Pennsylvania and Florida, did not immediately respond to emails on Wednesday seeking comment. California's AG declined to comment.

Television

Television's Most Infamous Hack Is Still a Mystery 30 Years Later (vice.com) 99

It has been 30 years since the Max Headroom hack, arguably the creepiest hack in the television history took place. Caroline Haskins, writes about the incident for Motherboard: It was a few minutes after 9 PM on Sunday, November 22, 1987. Chicago sportscaster Dan Roan was cheerily summarizing the Bears's victory that day for Channel 9 local news. Suddenly, televisions went silent, and their screens went black. At first, it seemed like an equipment malfunction. Without warning, televisions in the area blasted loud radio static. It was overlain with the screech of a power saw cutting into metal, or a jet engine malfunctioning. At center screen, a person wore a Max Headroom mask -- a character who appeared on various television shows and movies in the 1980s. He appeared to have yellow skin, yellow clothes, and yellow slicked-back hair. As purple and black lines spun behind him, Max nodded and swayed back and forth. His plastic face was stuck in laughter, and opaque sunglasses covered his eyes, which seemed to peer through the screen. The screen went black again. After a moment, Roan reappeared. "Well if you're wondering what'll happen," Roan said with a laugh, unaware of what had happened during the interruption, "so am I." Two hours later, it happened again on another channel. This time, Dr. Who had just turned to get his companion, Leela, a hot drink, when a line of static rolled across the screen, revealing the yellow man. After 30 years and an intense FCC investigation, the people behind the Headroom hack remain unknown. The correspondent has spoken to the newscasters who were interrupted and mocked that day. You can read the interview here.
Privacy

How a Wi-Fi Pineapple Can Steal Your Data (And How To Protect Yourself From It) (vice.com) 45

An anonymous reader writes: The Wi-Fi Pineapple is a cheap modified wireless router enables anyone to execute sophisticated exploits on Wi-Fi networks with little to no networking expertise. A report in Motherboard explains how it can be used to run a Wall of Sheep and execute a man-in-the-middle attack, as well as how you can protect yourself from Pineapple exploits when you're connected to public Wi-Fi. "... it's important that whenever you are done connecting to a public Wi-Fi network that you configure your phone or computer to 'forget' that network. This way your device won't be constantly broadcasting the SSIDs of networks it has connected to in the past, which can be spoofed by an attacker with a Pineapple," reports Motherboard. "Unfortunately there is no easy way to do this on an Android or an iPhone, and each network must be forgotten manually in the 'Manage Network' tab of the phone's settings. Another simple solution is to turn off your Wi-Fi functionality when you're not using it -- though that isn't as easy to do on some devices anymore -- and don't allow your device to connect to automatically connect to open Wi-Fi networks."
Security

Ask Slashdot: How Are So Many Security Vulnerabilities Possible? 336

dryriver writes: It seems like not a day goes by on Slashdot and elsewhere on the intertubes that you don't read a story headline reading "Company_Name Product_Name Has Critical Vulnerability That Allows Hackers To Description_Of_Bad_Things_Vulnerability_Allows_To_Happen." A lot of it is big brand products as well. How, in the 21st century, is this possible, and with such frequency? Is software running on electronic hardware invariably open to hacking if someone just tries long and hard enough? Or are the product manufacturers simply careless or cutting corners in their product designs? If you create something that communicates with other things electronically, is there no way at all to ensure that the device is practically unhackable?
Security

Sacramento Regional Transit Systems Hit By Hacker (cbslocal.com) 35

Zorro shares a report from CBS Local: Sacramento Regional Transit is the one being taken for a ride on this night, by a computer hacker. That hacker forced RT to halt its operating systems that take credit card payments, and assigns buses and trains to their routes. The local transit agency alerted federal agents following an attack on their computers that riders may not have noticed Monday. "We actually had the hackers get into our system, and systematically start erasing programs and data," Deputy General Manager Mark Lonergan. Inside RT's headquarters, computer systems were taken down after the hacker deleted 30 million files. The hacker also demanded a ransom in bitcoin, and left a message on the RT website reading "I'm sorry to modify the home page, I'm good hacker, I just want to help you fix these vulnerability."
The Internet

FCC Will Also Order States To Scrap Plans For Their Own Net Neutrality Laws (arstechnica.com) 269

An anonymous reader quotes a report from Ars Technica: In addition to ditching its own net neutrality rules, the Federal Communications Commission also plans to tell state and local governments that they cannot impose local laws regulating broadband service. This detail was revealed by senior FCC officials in a phone briefing with reporters today, and it is a victory for broadband providers that asked for widespread preemption of state laws. FCC Chairman Ajit Pai's proposed order finds that state and local laws must be preempted if they conflict with the U.S. government's policy of deregulating broadband Internet service, FCC officials said. The FCC will vote on the order at its December 14 meeting. It isn't clear yet exactly how extensive the preemption will be. Preemption would clearly prevent states from imposing net neutrality laws similar to the ones being repealed by the FCC, but it could also prevent state laws related to the privacy of Internet users or other consumer protections. Pai's staff said that states and other localities do not have jurisdiction over broadband because it is an interstate service and that it would subvert federal policy for states and localities to impose their own rules.
Privacy

Uber Concealed Cyberattack That Exposed 57 Million People's Data (bloomberg.com) 31

According to Bloomberg, hackers stole the personal data of 57 million customers and drivers from Uber. The massive breach was reportedly concealed by the company for more than a year. From the report: Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers were accessed as well, including some 600,000 U.S. driver's license numbers. No Social Security numbers, credit card details, trip location info or other data were taken, Uber said. At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers $100,000 to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

Here's how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

Security

Iranian 'Game of Thrones' Hacker Demanded $6 Million Bitcoin Ransom From HBO, Feds Say (thedailybeast.com) 33

Anonymous readers share a report: The Department of Justice on Tuesday charged an Iranian national with allegedly hacking into HBO, dumping a selection stolen files, and attempting to extort the company by ransoming a treasure trove of the company's content. This summer, hackers released a bevy of internal HBO files, included scripts for Game of Thrones and full, unaired episodes of other shows. Behzad Mesri, aka "Skote Vahshat," at one point worked for the Iranian military to break into military and nuclear systems, as well as Israeli infrastructure, according to the newly released complaint. Under his Vahshat pseudonym, Mesri also defaced hundreds of websites in the U.S. and around the world, the complaint adds. Mesri started his hacking campaign in around May 2017, according to the complaint, probing HBO's systems and employees for weaknesses. Mesri managed to compromise multiple HBO employee accounts as well as other authorized users; from here, he allegedly stole confidential and proprietary information. These included unaired episodes of Ballers, Barry, Room 104, Curb Your Enthusiasm, and The Deuce, as well as scripts for Game of Thrones. Indeed, the hacker behind the HBO breach publicly dumped much of this material online this summer.
Censorship

Skype Vanishes From App Stores in China (nytimes.com) 37

Skype, Microsoft's Internet phone call and messaging service, has been unavailable for download from a number of app stores in China, including Apple's, for almost a month (Editor's note: the link could be paywalled; alternative source), The New York Times reported on Tuesday. From the report: "We have been notified by the Ministry of Public Security that a number of voice over internet protocol apps do not comply with local law. Therefore these apps have been removed from the app store in China," an Apple spokeswoman said Tuesday in an emailed statement responding to questions about Skype's disappearance from the app store. "These apps remain available in all other markets where they do business." The removal led to a volley of complaints from Chinese users on internet message boards who were no longer able to pay for Skype's services through Apple. The users said that the disruption began in late October. Skype, which is owned by Microsoft, still functions in China, and its fate in the country is not yet clear. But its removal from the app stores is the most recent example of a decades-long push by China's government to control and monitor the flow of information online.
Security

Intel: We've Found Severe Bugs in Secretive Management Engine, Affecting Millions (zdnet.com) 199

Liam Tung, writing for ZDNet: Thanks to an investigation by third-party researchers into Intel's hidden firmware in certain chips, Intel decided to audit its firmware and on Monday confirmed it had found 11 severe bugs that affect millions of computers and servers. The flaws affect Management Engine (ME), Trusted Execution Engine (TXE), and Server Platform Services (SPS). Intel discovered the bugs after Maxim Goryachy and Mark Ermolov from security firm Positive Technologies found a critical vulnerability in the ME firmware that Intel now says would allow an attacker with local access to execute arbitrary code. The researchers in August published details about a secret avenue that the US government can use to disable ME, which is not available to the public. Intel ME has been a source of concern for security-minded users, in part because only Intel can inspect the firmware, yet many researchers suspected the powerful subsystem had bugs that were ripe for abuse by attackers.
Privacy

Over 400 of the World's Most Popular Websites Record Your Every Keystroke (vice.com) 258

An anonymous reader quotes a report from Motherboard: The idea of websites tracking users isn't new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled "No Boundaries," three researchers from Princeton's Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world's most popular websites track your every keystroke and then send that information to a third-party server. Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered in is still recorded, according to the researchers' findings. If you accidentally paste something into a form that was copied to your clipboard, it's also recorded. These scripts, or bits of code that websites run, are called "session replay" scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don't just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don't run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions. Most troubling is that the information session replay scripts collect can't "reasonably be expected to be kept anonymous," according to the researchers.
Security

Why Hackers Reuse Malware (helpnetsecurity.com) 26

Orome1 shares a report from Help Net Security: Software developers love to reuse code wherever possible, and hackers are no exception. While we often think of different malware strains as separate entities, the reality is that most new malware recycles large chunks of source code from existing malware with some changes and additions (possibly taken from other publicly released vulnerabilities and tools). This approach makes sense. Why reinvent the wheel when another author already created a working solution? While code reuse in malware can make signature-based detection methods more effective in certain cases, more often than not it frees up time for attackers to do additional work on detection avoidance and attack efficacy -- which can create a more dangerous final product.

There are multiple reasons why hackers reuse code when developing their own malware. First, it saves time. By copying code wherever possible, malware authors have more time to focus on other areas, like detection avoidance and attribution masking. In some cases, there may be only one way to successfully accomplish a task, such as exploiting a vulnerability. In these instances, code reuse is a no-brainer. Hacker also tend to reuse effective tactics such as social engineering, malicious macros and spear phishing whenever possible simply because they have a high rate of success.

Google

Eric Schmidt Says Google News Will 'Engineer' Russian Propaganda Out of the Feed (vice.com) 339

Justin Ling, writing for Motherboard: Eric Schmidt, Executive Chariman of Alphabet, says the company is working to ferret out Russian propaganda from Google News after facing criticism that Kremlin-owned media sites had been given plum placement on the search giant's news and advertising platforms. "We're well aware of this one, and we're working on detecting this kind of scenario you're describing and deranking those kinds of sites," Schmidt said, after being asked why the world's largest search company continued to classify the Russian sites as news. Schmidt, in an interview at the Halifax International Security Forum over the weekend, name-checked two state-owned enterprises. "It's basically RT and Sputnik," Schmidt added. "We're well aware and we're trying to engineer the systems to prevent it."
Security

Security Problems Are Primarily Just Bugs, Linus Torvalds Says (iu.edu) 265

Linus Torvalds, in his signature voice: Some security people have scoffed at me when I say that security problems are primarily "just bugs." Those security people are f*cking morons. Because honestly, the kind of security person who doesn't accept that security problems are primarily just bugs, I don't want to work with. Security firm Errata Security has defended Linus's point of view.
Intel

Intel Planning To End Legacy BIOS Support By 2020, Report Says (phoronix.com) 122

Michael Larabel, writing for Phoronix: Intel is planning to end "legacy BIOS" support in their new platforms by 2020 in requiring UEFI Class 3 or higher. Making rounds this weekend is a slide deck from the recent UEFI Plugfest. Brian Richardson of Intel talked about the "last mile" barriers to removing legacy BIOS support from systems. By 2020, they will be supporting no less than UEFI Class 3, which means only UEFI support and no more legacy BIOS or CSM compatibility support mode. But that's not going to force on UEFI Secure Boot unconditionally: Secure Boot enabled is considered UEFI Class 3+. Intel hasn't removed legacy BIOS / CSM support yet due to many customers' software packages still relying upon legacy BIOS, among other reasons. Removing the legacy BIOS support will mitigate some security risks, needs less validation by vendors, allows for supporting more modern technologies, etc.
Iphone

10-Year-Old Boy Cracks the Face ID On Both Parents' IPhone X (wired.com) 295

An anonymous reader writes: A 10-year-old boy discovered he could unlock his father's phone just by looking at it. And his mother's phone too. Both parents had just purchased a new $999 iPhone X, and apparently its Face ID couldn't tell his face from theirs. The unlocking happened immediately after the mother told the son that "There's no way you're getting access to this phone."

Experiments suggest the iPhone X was confused by the indoor/nighttime lighting when the couple first registered their faces. Apple's only response was to point to their support page, which states that "the statistical probability is different...among children under the age of 13, because their distinct facial features may not have fully developed. If you're concerned about this, we recommend using a passcode to authenticate." The boy's father is now offering this advice to other parents. "You should probably try it with every member of your family and see who can access it."

And his son just "thought it was hilarious."

Security

'Lazy' Hackers Exploit Microsoft RDP To Install Ransomware (sophos.com) 72

An anonymous reader writes: An investigation by Sophos has uncovered a new, lazy but effective ransomware attack where hackers brute force passwords on computers with [Microsoft's] Remote Desktop Protocol enabled, use off-the-shelf privilege escalation exploits to make themselves admins, turn off security software and then manually run fusty old versions of ransomware.
They even delete the recovery files created by Windows Live backup -- and make sure they can also scramble the database. "Because they've used their sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet 'for free'."

Most of the attacks hit small-to-medium companies with 30 or fewer employees, since "with small scale comes a dependence on external IT suppliers or 'jack-of-all-trades' IT generalists trying to manage cybersecurity along with many other responsibilities. In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff."
Transportation

DJI Threatens Researcher Who Reported Exposed Cert Key, Credentials, and Customer Data (arstechnica.com) 81

An anonymous reader quotes Ars Technica: DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback -- including a threat of charges under the Computer Fraud and Abuse Act. DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."

The company says they're now investigating "unauthorized access of one of DJI's servers containing personal information," adding that "the hacker in question" refused to agree to their terms and shared "confidential communications with DJI employees."
The Courts

FOSS Community Criticizes SFLC over SFC Trademark War (lunduke.com) 63

Earlier this month Bruce Perens notified us that "the Software Freedom Law Center, a Linux-Foundation supported organization, has asked USPTO to cancel the trademark of the name of the Software Freedom Conservancy, an organization that assists and represents Free Software/Open Source developers." Now Slashdot reader curcuru -- director of the Apache Software Foundation -- writes: No matter how you look at it, this kind of lawsuit is a loss for software freedom and open source in general, since this kind of USPTO trademark petition (like a lawsuit) will tie up both organizations, leaving less time and funds to help FOSS projects. There's clearly more to the issue than the trademark issue; the many community members' blog posts make that clear.

GNOME executive director Neil McGovern
Apache Software Foundation director Shane Curcuru
Google security developer Matthew Garrett
Linux industry journalist Bryan Lunduke


The key point in this USPTO lawsuit is that the legal aspects aren't actually important. What's most important is the community reaction: since SFLC and Conservancy are both non-profits who help serve free software communities, it's the community perception of what organizations to look to for help that matters. SFLC's attempt to take away the Conservancy's very name doesn't look good for them.

Bryan Lunduke's video covers the whole case, including his investigation into the two organizations and their funding.

The Military

Massive US Military Social Media Spying Archive Left Wide Open In AWS S3 Buckets (theregister.co.uk) 84

An anonymous reader quotes a report from The Register: Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing "dozens of terabytes" of social media posts and similar pages -- all scraped from around the world by the U.S. military to identify and profile persons of interest. The archives were found by veteran security breach hunter UpGuard's Chris Vickery during a routine scan of open Amazon-hosted data silos, and these ones weren't exactly hidden. The buckets were named centcom-backup, centcom-archive, and pacom-archive. CENTCOM is the common abbreviation for the U.S. Central Command, which controls army operations in the Middle East, North Africa and Central Asia. PACOM is the name for U.S. Pacific Command, covering the rest of southern Asia, China and Australasia.

"For the research I downloaded 400GB of samples but there were many terabytes of data up there," he said. "It's mainly compressed text files that can expand out by a factor of ten so there's dozens and dozens of terabytes out there and that's a conservative estimate." Just one of the buckets contained 1.8 billion social media posts automatically fetched over the past eight years up to today. It mainly contains postings made in central Asia, however Vickery noted that some of the material is taken from comments made by American citizens. The databases also reveal some interesting clues as to what this information is being used for. Documents make reference to the fact that the archive was collected as part of the U.S. government's Outpost program, which is a social media monitoring and influencing campaign designed to target overseas youths and steer them away from terrorism.

Slashdot Top Deals