Security

Suspicious Event Hijacks Amazon Traffic For 2 hours, Steals Cryptocurrency (arstechnica.com) 28

Amazon lost control of some of its widely used cloud services for two hours on Tuesday morning when hackers exploited a known Internet-protocol weakness that allowed them to redirect traffic to rogue destinations, according to media reports. ArsTechnica: The attackers appeared to use one server masquerading as cryptocurrency website MyEtherWallet.com to steal digital coins from unwitting end users. They may have targeted other customers of Amazon's Route 53 service as well. The incident, which started around 6am California time, hijacked roughly 1,300 IP addresses, Oracle-owned Internet Intelligence said on Twitter. The malicious redirection was caused by fraudulent routes that were announced by Columbus, Ohio-based eNet, a large Internet service provider that is referred to as autonomous system 10297. Once in place, the eNet announcement caused some of its peers to send traffic over the same unauthorized routes. [...] Tuesday's event may also have ties to Russia, because MyEtherWallet traffic was redirected to a server in that country, security researcher Kevin Beaumont said in a blog post. The redirection came by rerouting domain name system traffic and using a server hosted by Chicago-based Equinix to perform a man-in-the-middle attack. MyEtherWallet officials said the hijacking was used to send end users to a phishing site. Participants in this cryptocurrency forum appear to discuss the scam site. Further reading: Hacker Hijacks DNS Server of MyEtherWallet to Steal $160,000 (BleepingComputer).
Facebook

Facebook Has Hosted Stolen Identities and Social Security Numbers for Years (vice.com) 27

Cybercriminals have posted sensitive personal information, such as credit card and social security numbers, of dozens of people on Facebook and have advertised entire databases of private information on the social platform, Motherboard reports. Some of these posts have been left up on Facebook for years, and the internet giant only acted on these posts after the publication told it about them. From the report: As of Monday, there were several public posts on Facebook that advertised dozens of people's Social Security Numbers and other personal data. These weren't very hard to find. It was as easy as a simple Google search. Most of the posts appeared to be ads made by criminals who were trying to sell personal information. Some of the ads are several years old, and were posted as "public" on Facebook, meaning anyone can see them, not just the author's friends. Independent security researcher Justin Shafer alerted Motherboard to these posts Monday.
United States

Senate Confirms Trump's Pick for NSA, Cyber Command (politico.com) 40

An anonymous reader shares a report: The Senate Tuesday quietly confirmed President Donald Trump's nominee to lead the National Security Agency and U.S. Cyber Command. U.S. Army Cyber Command chief Lt. Gen. Paul Nakasone was unanimously confirmed by voice vote to serve as the "dual-hat" leader of both organizations. The two have shared a leader since the Pentagon established Cyber Command in 2009. He will replace retiring Navy Adm. Mike Rogers after a nearly four-year term. The Senate Intelligence and Armed Services committees both previously approved Nakasone's nomination by voice vote.
Security

Ask Slashdot: Do We Need a New Word For Hacking? 147

goombah99 writes: Hacking and Hackers get a bum rap. Headline scream "Every Nitendo switch can be hacked." But that's good right? Just like farmers hacking their tractors or someone re-purposing a talking teddy bear. On the other hand, remote hacking a Intel processor backdoor or looting medical data base, that are also described as hacking, are ill-motivated. It seems like we need words with different connotations for hacking. One for things you should definitely do, like program an Arduino or teddy bear. One for things that are pernicious. And finally one for things that are disputably good/bad such as hacking DRM protected appliances you own. What viral sounds terms and their nuances would you suggest? Editor's note: We suggest reading this New Yorker piece "A Short History of 'Hack'", and watching this Defcon talk by veteran journalist Steven Levy on the creativeness and chutzpah of the early hackers.
Security

Atlanta Projected To Spend At Least $2.6 Million on Ransomware Recovery (zdnet.com) 82

Atlanta is setting aside more than $2.6 million on recovery efforts stemming from a ransomware attack, which crippled a sizable part of the city's online services. ZDNet reports: The city was hit by the notorious SamSam ransomware, which exploits a deserialization vulnerability in Java-based servers. The ransom was set at around $55,000 worth of bitcoin, a digital cryptocurrency that in recent weeks has wildy fluctated in price. But the ransom was never paid, said Atlanta city spokesperson Michael Smith in an email. Between the ransomware attack and the deadline to pay, the payment portal was pulled offline by the ransomware attacker. According to newly published emergency procurement figures, the city is projected to spend as much as 50 times that amount in response to the cyberattack. Between March 22 and April 2, the city budgeted $2,667,328 in incident response, recovery, and crisis management.
Government

US Government Weighing Sanctions Against Kaspersky Lab (cyberscoop.com) 87

An anonymous reader quotes a report from CyberScoop: The U.S. government is considering sanctions against Russian cybersecurity company Kaspersky Lab as part of a wider round of action carried out against the Russian government, according to U.S. intelligence officials familiar with the matter. The sanctions would be a considerable expansion and escalation of the U.S. government's actions against the company. Kaspersky, which has two ongoing lawsuits against the U.S. government, has been called "an unacceptable threat to national security" by numerous U.S. officials and lawmakers.

Officials told CyberScoop any additional action against Kaspersky would occur at the lawsuits' conclusion, which Kaspersky filed in response to a stipulation in the 2018 National Defense Authorization Act that bans its products from federal government networks. If the sanctions came to fruition, the company would be barred from operating in the U.S. and potentially even in U.S. allied countries.

Operating Systems

Microsoft Readies Windows 10 April Update With New Features and Enhancements (hothardware.com) 99

MojoKid writes: Microsoft has been preparing a Spring Creators Update for Windows 10 for a while now, which was recently pushed out as an RTM (Release To Manufacturing) build to all rings of the Windows Insider program. Now dubbed the "Windows 10 April Update," Redmond is billing that "lots of new features" are rolling out with this release, including the ability to resume past activities in timeline and a file sharing feature with nearby devices. Also, based on what has been tested in pre-release builds, there will be other features coming as well, including a rebuilt Game Bar with a new Fluent design UI, a diagnostic data viewing tool in the Security and Privacy section, and Cortana is reportedly easier to use with a new Organizer interface and My Skills tab. It is expected Microsoft will be pushing out this update for Windows 10 this week sometime.
Nintendo

The 'Unpatchable' Exploit That Makes Every Current Nintendo Switch Hackable (arstechnica.com) 92

An anonymous reader quotes a report from Ars Technica: A newly published "exploit chain" for Nvidia Tegra X1-based systems seems to describe an apparently unpatchable method for running arbitrary code on all currently available Nintendo Switch consoles. Hardware hacker Katherine Temkin and the hacking team at ReSwitched released an extensive outline of what they're calling the Fusee Gelee coldboot vulnerability earlier today, alongside a proof-of-concept payload that can be used on the Switch. "Fusee Gelee isn't a perfect, 'holy grail' exploit -- though in some cases it can be pretty damned close," Temkin writes in an accompanying FAQ. The exploit, as outlined, makes use of a vulnerability inherent in the Tegra X1's USB recovery mode, circumventing the lock-out operations that would usually protect the chip's crucial bootROM. By sending a bad "length" argument to an improperly coded USB control procedure at the right point, the user can force the system to "request up to 65,535 bytes per control request." That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code. The exploit can't be fixed via a downloadable patch because the flawed bootROM can't be modified once the Tegra chip leaves the factory. As Temkin writes, "unfortunately, access to the fuses needed to configure the device's ipatches was blocked when the ODM_PRODUCTION fuse was burned, so no bootROM update is possible. It is suggested that consumers be made aware of the situation so they can move to other devices, where possible." Ars notes that Nintendo may however be able to detect "hacked" systems when they sign on to Nintendo's servers. "The company could then ban those systems from using the Switch's online functions."
Security

New Attack Group Orangeworm Targets Healthcare Sector in US, Asia, and Europe: Symantec (symantec.com) 29

Security researchers at Symantec say a group of hackers has been targeting firms related to health care in order to steal intellectual property. The security firm observed a hacking team, called Orangeworm, compromise the systems of pharmaceutical firms, medical-device manufacturers, health-care providers, and even IT companies working with medical organizations in the US, Europe, and Asia markets. Victims don't appear to have been chosen at random but "carefully and deliberately." You can read the full report here.
Security

Hacking a Satellite is Surprisingly Easy (theoutline.com) 185

Caroline Haskins, writing for The Outline: Hundreds of multi-ton liabilities -- soaring faster than the speed of sound, miles above the surface of the earth -- are operating on Windows-95. They're satellites, responsible for everything from GPS positioning, to taking weather measurements, to carrying cell signals, to providing television and internet. For the countries that own these satellites, they're invaluable resources. Even though they're old, it's more expensive to take satellites down than it is to just leave them up. So they stay up. Unfortunately, these outdated systems makes old satellites prime targets for cyber attacks. [...]

A malicious actor could fake their IP address, which gives information about a user's computer and its location. This person could then get access to the satellite's computer system, and manipulate where the satellite goes or what it does. Alternatively, an actor could jam the satellite's radio transmissions with earth, essentially disabling it. The cost of such an attack could be huge. If a satellite doesn't work, life-saving GPS or online information could be withheld to people on earth when they need it most. What's worse, if part of a satellite -- or an entire satellite -- is knocked out of its orbit from an attack, the debris could create a domino effect and cause extreme damage to other satellites.

Security

'Drupalgeddon2' Touches Off Arms Race To Mass-Exploit Powerful Web Servers (arstechnica.com) 60

Researchers with Netlab 360 warn that attackers are mass-exploiting "Drupalgeddon2," the name of an extremely critical vulnerability Drupal maintainers patched in late March. The exploit allows them to take control of powerful website servers. Ars Technica reports: Formally indexed as CVE- 2018-7600, Drupalgeddon2 makes it easy for anyone on the Internet to take complete control of vulnerable servers simply by accessing a URL and injecting publicly available exploit code. Exploits allow attackers to run code of their choice without having to have an account of any type on a vulnerable website. The remote-code vulnerability harkens back to a 2014 Drupal vulnerability that also made it easy to commandeer vulnerable servers.

Drupalgeddon2 "is under active attack, and every Drupal site behind our network is being probed constantly from multiple IP addresses," Daniel Cid, CTO and founder of security firm Sucuri, told Ars. "Anyone that has not patched is hacked already at this point. Since the first public exploit was released, we are seeing this arms race between the criminals as they all try to hack as many sites as they can." China-based Netlab 360, meanwhile, said at least three competing attack groups are exploiting the vulnerability. The most active group, Netlab 360 researchers said in a blog post published Friday, is using it to install multiple malicious payloads, including cryptocurrency miners and software for performing distributed denial-of-service attacks on other domains. The group, dubbed Muhstik after a keyword that pops up in its code, relies on 11 separate command-and-control domains and IP addresses, presumably for redundancy in the event one gets taken down.

Crime

UK Teen Who Hacked CIA Director Sentenced To 2 Years In Prison (gizmodo.com) 147

An anonymous reader quotes a report from Gizmodo: A British teenager who gained notoriety for hacking a number of high profile United States government employees including former CIA director John Brennan and former director of intelligence James Clapper was sentenced Friday to two years in prison. Eighteen-year-old Kane Gamble pleaded guilty to 10 separate charges, including eight counts of "performing a function with intent to secure unauthorized access" and two counts of "unauthorized modification of computer material," the Guardian reported.

Gamble, otherwise known by his online alias Cracka, was 15 at the time that he started his hacking campaigns. The alleged leader of a hacking group known as Crackas With Attitude (CWA), Gamble made it a point to target members of the U.S. government. The young hacker's group managed to successfully gain access to ex-CIA director John Brennan's AOL email account. The group hacked a number of accounts belonging to former Director of National Intelligence James Clapper, including his personal email, his wife's email, and his phone and internet provider account. The hackers allegedly made it so every call to Clapper's home phone would get forwarded to the Free Palestine Movement.

Power

White House Reportedly Exploring Wartime Rule To Help Coal, Nuclear (arstechnica.com) 291

An anonymous reader quotes a report from Ars Technica: According to reports from Bloomberg and E&E News, the Trump Administration has been exploring another way to help coal and nuclear generators: the Defense Production Act of 1950. The Act was passed under President Truman. Motivated by the Korean War, it allows the president broad authority to boost U.S. industries that are considered a priority for national security. On Thursday, E&E News cited sources that said "an interagency process is underway" at the White House to examine possible application of the act to the energy industry. The goal would be to give some form of preference to coal and nuclear plants that are struggling to compete with cheap natural gas.

If the DOE decides not to invoke Section 202(c), the president may turn to the Defense Production Act. According to a 2014 summary report (PDF) from the Congressional Research Service (CRS), the act would allow the president to "demand priority for defense-related products," "provide incentives to develop, modernize, and expand defense productive capacity," and establish "a voluntary reserve of trained private sector executives available for emergency federal employment," among other powers. (Some even more permissive applications of the Act were terminated in 1957.) Using the Act to protect coal and nuclear facilities would almost certainly be more controversial, as the link between national defense and keeping uneconomic coal generators running is not well-established.
The Administration could apply the Act to "provide or guarantee loans to industry" for material-specific deliveries and production. "The president may also authorize the purchase of 'industrial items or technologies for installation in government or private industrial facilities,'" reports Ars.
Businesses

Eventbrite Claims The Right To Film Your Events -- And Keep the Copyright (eventbrite.com) 148

Eventbrite lets you sell tickets online for your events. An anonymous reader reports on Eventbrite's newly-updated merchant agreement. The merchant agreement specifies that you "grant permission to Eventbrite and its agents to enter onto and remain on the premises (including real property, fixtures, equipment, or other personal property) where your event is hosted...with personnel and equipment for the purpose of photographing and recording the Premises, both internally and externally in connection with the production of digital content on the date of your event(s) and any other dates reasonably requested by Eventbrite (for example, during setup and breakdown for the event) (the 'Shoot')."

But in addition, you're also granting them permission to record and use footage of all your attendees and speakers, "in any manner, in any medium or context now known or hereafter developed, without further authorization from, or compensation to." And after that Eventbrite "will own all rights of every nature whatsoever in and to all films and photographs taken and recordings made hereunder, including without limitation of all copyrights therein and renewals and extensions thereof, and the exclusive right to use and exploit the Recordings in any manner, in any medium or context now known or hereafter developed..." You're even responsible for obtaining all the clearances and licenses "necessary to secure Eventbrite the permissions and rights described above," and you also release Eventbrite from any claims that may arise regarding use of the Recordings, "including, without limitation, any claims of defamation, invasion of privacy, or infringement of rights of likeness, publicity or copyright."

"So, yeah. No," tweeted Ars Technica's national security editor. "Eventbrite is now off my list for recommended event organizing tools."
Desktops (Apple)

Users Complain About Installation Issues With macOS 10.13.4 (theregister.co.uk) 90

An anonymous reader shares a report: The 10.13.4 update for macOS High Sierra is recommended for all users, and was emitted at the end of March promising to "improve stability, performance, and security of your Mac." But geek support sites have started filling up with people complaining that it had the opposite effect: killing their computer with messages that "the macOS installation couldn't be completed."

The initial install appears to be working fine, but when users go to shutdown or reboot an upgraded system, it goes into recovery mode. According to numerous reports, there doesn't appear to be anything wrong with users' Macs -- internal drives report that they're fine. And the issue is affecting a range of different Apple-branded computers from different years. Some have been successful in getting 10.13.4 to install by launching from Safe Mode, but others haven't and are deciding to roll back and stick with 10.13.3 until Apple puts out a new update that will fix whatever the issue is while claiming it has nothing to do with it.

Government

Palantir Knows Everything About You (bloomberg.com) 110

Palantir, a data-mining company created by Peter Thiel, is aiding government agencies by tracking American citizens using the War on Terror, Bloomberg reports. From the report: The company's engineers and products don't do any spying themselves; they're more like a spy's brain, collecting and analyzing information that's fed in from the hands, eyes, nose, and ears. The software combs through disparate data sources -- financial documents, airline reservations, cellphone records, social media postings -- and searches for connections that human analysts might miss. It then presents the linkages in colorful, easy-to-interpret graphics that look like spider webs.

[...] The U.S. Department of Health and Human Services uses Palantir to detect Medicare fraud. The FBI uses it in criminal probes. The Department of Homeland Security deploys it to screen air travelers and keep tabs on immigrants. Police and sheriff's departments in New York, New Orleans, Chicago, and Los Angeles have also used it, frequently ensnaring in the digital dragnet people who aren't suspected of committing any crime.

The Internet

The 'Terms and Conditions' Reckoning Is Coming (bloomberg.com) 129

Everyone from Uber to PayPal is facing a backlash against their impenetrable legalese. From a report: Personal finance forums online are brimming with complaints from hundreds of PayPal customers who say they've been suspended because they signed up before age 18. PayPal declined to comment on any specific cases, but says it's appropriate to close accounts created by underage people "to ensure our customers have full legal capacity to accept our user agreement." While that may seem "heavy-handed," says Sarah Kenshall, a technology attorney with law firm Burges Salmon, the company is within its rights because the users clicked to agree to the rules -- however difficult the language might be to understand.

Websites have long required users to plow through pages of dense legalese to use their services, knowing that few ever give the documents more than a cursory glance. In 2005 security-software provider PC Pitstop LLC promised a $1,000 prize to the first user to spot the offer deep in its terms and conditions; it took four months before the reward was claimed. The incomprehensibility of user agreements is poised to change as tech giants such as Uber Technologies and Facebook confront pushback for mishandling user information, and the European Union prepares to implement new privacy rules called the General Data Protection Regulation, or GDPR. The measure underscores "the requirement for clear and plain language when explaining consent," British Information Commissioner Elizabeth Denham wrote on her blog last year.

AI

AI Can Scour Code To Find Accidentally Public Passwords (qz.com) 47

An anonymous reader shares a report: Researchers at software infrastructure firm Pivotal have taught AI to locate this accidentally public sensitive information in a surprising way: By looking at the code as if it were a picture. Since modern artificial intelligence is arguably better than humans at identifying minute differences in images, telling the difference between a password and normal code for a computer is just like recognizing a dog from a cat. The best way to check whether private passwords or sensitive information has been left public today is to use hand-coded rules called "regular expressions." These rules tell a computer to find any string of characters that meets specific criteria, like length and included characters.
The Internet

Cloudflare: FOSTA Was a 'Very Bad Bill' That's Left the Internet's Infrastructure Hanging (vice.com) 192

Last week, President Donald Trump signed the Fight Online Sex Trafficking Act (FOSTA) into law. It's a bill that penalizes any platform found "facilitating prostitution," and has caused many advocacy groups to come out against the bill, saying that it undermines essential internet freedoms. The most recent entity to decry FOSTA is Cloudflare, which recently decided to terminate its content delivery network services for an alternative, decentralized social media platform called Switter. Motherboard talked to Cloudflare's general counsel, Doug Kramer, about the bill and he said that FOSTA was an ill-consider bill that's now become a dangerous law: "[Terminating service to Switter] is related to our attempts to understand FOSTA, which is a very bad law and a very dangerous precedent," he told me in a phone conversation. "We have been traditionally very open about what we do and our roles as an internet infrastructure company, and the steps we take to both comply with the law and our legal obligations -- but also provide security and protection, let the internet flourish and support our goals of building a better internet." Cloudflare lobbied against FOSTA, Kramer said, urging lawmakers to be more specific about how infrastructure companies like internet service providers, registrars and hosting and security companies like Cloudflare would be impacted. Now, he said, they're trying to figure out how customers like Switter will be affected, and how Cloudflare will be held accountable for them.

"We don't deny at all that we have an obligation to comply with the law," he said. "We tried in this circumstance to get a law that would make sense for infrastructure companies... Congress didn't do the hard work of understanding how the internet works and how this law should be crafted to pursue its goals without unintended consequences. We talked to them about this. A lot of groups did. And it was hard work that they decided not do." He said the company hopes, going forward, that there will be more clarity from lawmakers on how FOSTA is applied to internet infrastructure. But until then, he and others there are having to figure it out along with law enforcement and customers. "Listen, we've been saying this all along and I think people are saying now, this is a very bad law," Kramer said. "We think, for now, it makes the internet a different place and a little less free today as a result. And there's a real-world implication of this that people are just starting to grapple with."

Security

LinkedIn's AutoFill Plugin Could Leak user Data, Secret Fix Failed (techcrunch.com) 25

TechCrunch reports of a flaw in LinkedIn's AutoFill plugin that could have allowed hackers to steal your full name, phone number, email address, location (ZIP code), company, and job title. "Malicious sites have been able to invisibly render the plugin on their entire page so if users who are logged into LinkedIn click anywhere, they'd effectively be hitting a hidden 'AutoFill with LinkedIn' button and giving up their data." From the report: Researcher Jack Cable discovered the issue on April 9th, 2018 and immediately disclosed it to LinkedIn. The company issued a fix on April 10th but didn't inform the public of the issue. Cable quickly informed LinkedIn that its fix, which restricted the use of its AutoFill feature to whitelisted sites who pay LinkedIn to host their ads, still left it open to abuse. If any of those sites have cross-site scripting vulnerabilities, which Cable confirmed some do, hackers can still run AutoFill on their sites by installing an iframe to the vulnerable whitelisted site. He got no response from LinkedIn over the last 9 days so Cable reached out to TechCrunch. A LinkedIn spokesperson issued this statement to TechCrunch: "We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we've seen no signs of abuse, we're constantly working to ensure our members' data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them. For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile."

Slashdot Top Deals