Intel

Intel SPI Flash Flaw Lets Attackers Alter or Delete BIOS/UEFI Firmware (bleepingcomputer.com) 46

Catalin Cimpanu, writing for BleepingComputer: Intel has addressed a vulnerability in the configuration of several CPU series that allows an attacker to alter the behavior of the chip's SPI Flash memory -- a mandatory component used during the boot-up process [1, 2, 3]. According to Lenovo, who recently deployed the Intel fixes, "the configuration of the system firmware device (SPI flash) could allow an attacker to block BIOS/UEFI updates, or to selectively erase or corrupt portions of the firmware." Lenovo engineers say "this would most likely result in a visible malfunction, but could in rare circumstances result in arbitrary code execution."
Microsoft

Microsoft Engineer Charged In Reveton Ransomware Case (bleepingcomputer.com) 24

An anonymous reader writes: A Microsoft network engineer is facing federal charges in Florida for allegedly helping launder money obtained from victims of the Reveton ransomware. Florida investigators say that between October 2012 and March 2013, Uadiale worked with a UK citizen going online by the moniker K!NG. The latter would distribute and infect victims with the Reveton ransomware, while Uadiale would collect payments and send the money to K!NG, in the UK. Investigators tracked down Uadiale because this happened before Bitcoin became popular with ransomware authors and they used the now-defunct Liberty Reserve digital currency to move funds. Authorities from 18 countries seized and shut down Liberty Reserve servers in May 2013.
Security

PUBG Ransomware Decrypts Your Files If You Play PlayerUnknown's Battlegrounds (bleepingcomputer.com) 51

An anonymous reader quotes Bleeping Computer: In what could only be a joke, a new ransomware has been discovered called "PUBG Ransomware" that will decrypt your files if you play the game called PlayerUnknown's Battlegrounds... When the PUBG Ransomware is launched it will encrypt a user's files and folders on the user's desktop and append the .PUBG extension to them. When it has finished encrypting the files, it will display a screen giving you two methods that you can use to decrypt the encrypted files.
Users can unlock it either by entering a secret unlock code displayed on the screen -- or by playing PlayerUnknown's Battlegrounds. The ransomware checks to see if you played PlayerUnknown's Battlegrounds by monitoring the running processes for one named "TslGame"... Once a user plays the game and the process is detected, the ransomware will automatically decrypt the victim's files. This ransomware is not too advanced as it only looks for the process name and does not check for other information to confirm that the game is actually being played. That means you can simply run any executable called TslGame.exe and it will decrypt the files.
Social Networks

'An Apology for the Internet -- from the People Who Built It' (nymag.com) 179

"Those who designed our digital world are aghast at what they created," argues a new article in New York Magazine titled "The Internet Apologizes". Today, the most dire warnings are coming from the heart of Silicon Valley itself. The man who oversaw the creation of the original iPhone believes the device he helped build is too addictive. The inventor of the World Wide Web fears his creation is being "weaponized." Even Sean Parker, Facebook's first president, has blasted social media as a dangerous form of psychological manipulation. "God only knows what it's doing to our children's brains," he lamented recently...

The internet's original sin, as these programmers and investors and CEOs make clear, was its business model. To keep the internet free -- while becoming richer, faster, than anyone in history -- the technological elite needed something to attract billions of users to the ads they were selling. And that something, it turns out, was outrage. As Jaron Lanier, a pioneer in virtual reality, points out, anger is the emotion most effective at driving "engagement" -- which also makes it, in a market for attention, the most profitable one. By creating a self-perpetuating loop of shock and recrimination, social media further polarized what had already seemed, during the Obama years, an impossibly and irredeemably polarized country... What we're left with are increasingly divided populations of resentful users, now joined in their collective outrage by Silicon Valley visionaries no longer in control of the platforms they built.

Lanier adds that "despite all the warnings, we just walked right into it and created mass behavior-modification regimes out of our digital networks." Sean Parker, the first president of Facebook, is even quoted as saying that a social-validation feedback loop is "exactly the kind of thing that a hacker like myself would come up with, because you're exploiting a vulnerability in human psychology. The inventors, creators -- it's me, it's Mark [Zuckerberg], it's Kevin Systrom on Instagram, it's all of these people -- understood this consciously. And we did it anyway."

The article includes quotes from Richard Stallman, arguing that data privacy isn't the problem. "The problem is that these companies are collecting data about you, period. We shouldn't let them do that. The data that is collected will be abused..." He later adds that "We need a law that requires every system to be designed in a way that achieves its basic goal with the least possible collection of data... No company is so important that its existence justifies setting up a police state."

The article proposes hypothetical solutions. "Could a subscription model reorient the internet's incentives, valuing user experience over ad-driven outrage? Could smart regulations provide greater data security? Or should we break up these new monopolies entirely in the hope that fostering more competition would give consumers more options?" Some argue that the Communications Decency Act of 1996 shields internet companies from all consequences for bad actors -- de-incentivizing the need to address them -- and Marc Benioff, CEO of Salesforce, thinks the solution is new legislation. "The government is going to have to be involved. You do it exactly the same way you regulated the cigarette industry. Technology has addictive qualities that we have to address, and product designers are working to make those products more addictive. We need to rein that back."
Yahoo!

Yahoo's New Privacy Policy Allows Data-Sharing With Verizon (cnet.com) 38

"Yahoo is now part of Oath and there is a new Privacy and Terms contract..." warns long-time Slashdot reader DigitalLogic. CNET reports: Oath notes that it has the right to read your emails, instant messages, posts, photos and even look at your message attachments. And it might share that data with parent company Verizon, too... When you dig further into Oath's policy about what it might do with your words, photos, and attachments, the company clarifies that it's utilizing automated systems that help the company with security, research and providing targeted ads -- and that those automated systems should strip out personally identifying information before letting any humans look at your data. But there are no explicit guarantees on that.
The update also warns that Oath is now "linking your activity on other sites and apps with information we have about you, and providing anonymized and/or aggregated reports to other parties regarding user trends." For example, Oath "may analyze user content around certain interactions with financial institutions," and "leverages information financial institutions are allowed to send over email."

Oath does offer a "Privacy Controls" page which includes a "legacy" AOL link letting you opt-out of internet-based advertising that's been targeted "based on your online activities" -- but it appears to be functioning sporadically.

CNET also reports that now Yahoo users are agreeing to a class-action waiver and mutual arbitration. "What it means is if you don't like what the company does with your data, you'll have a hard time suing."
Red Hat Software

Red Hat Enterprise Linux Version 7.5 Released (redhat.com) 64

On Tuesday Red Hat announced the general availability of Red Hat Enterprise Linux version 7.5. An anonymous reader writes: Serving as a consistent foundation for hybrid cloud environments, Red Hat Enterprise Linux 7.5 provides enhanced security and compliance controls, tools to reduce storage costs, and improved usability, as well as further integration with Microsoft Windows infrastructure both on-premise and in Microsoft Azure.

New features include a large combination of Ansible Automation with OpenSCAP, and LUKS-encrypted removable storage devices can now be automatically unlocked using NBDE. The Gnome shell has been re-based to version 3.26, the Kernel version is 3.10.0-862, and the kernel-alt packages include kernel version 4.14 with support for 64-bit ARM, IBM POWER9 (little endian), and IBM z Systems, while KVM virtualization is now supported on IBM POWER8/POWER9 systems.

See the detailed release notes here.
Security

The Long, Slow Demise of Credit Card Signatures Starts Today (cnet.com) 114

Last year, all four major U.S. payment providers -- Mastercard, Visa, American Express and Discover -- announced plans to remove the requirement that merchants collect signatures for card transactions. Those plans officially go into effect today, or Saturday in the case of Visa. CNET reports: [D]on't despair if you actually like writing your signature at retail stores, because their ultimate demise will likely take a while. The change is only optional, with merchants, not customers, given the new power to decide whether to get rid of signatures. So, if asked to sign, please don't insist to your next cashier that you no longer need to -- it won't work. Also, plenty of retailers will likely want to keep signatures, particularly if their workers are paid based on a lot of tips, or they sell pricey items. Still, the change marks a clear awareness from payment providers that the signature doesn't really work as a strong protector against fraud.

The change is being handled a little differently by each payment provider. For instance, Mastercard, Discover and American Express said they'll let retailers make every kind of card payment optional for a signature, regardless of whether you've got a new chip card or you still swipe. Visa, meanwhile, isn't changing its requirements for payments using a swipe card, but it did relax its policy for chip card and contactless payments like Apple Pay. Visa noted that over 75 percent of face-to-face transactions using its cards in North America already don't require a signature, thanks to lower-value transactions.

Piracy

Telegram is Riddled With Tens of Thousands of Piracy Channels; Apple and Google Have Ignored Requests From Creators To Take Action (theoutline.com) 49

joshtops writes: Instant messaging platform Telegram, which is used by more than 200 million users, has had an open secret since its inception: The platform has served as a haven for online pirates. The Outline reports that the platform is riddled with thousands of groups and channels, many with more than 100,000 members, whose sole purpose of existence is to share illegally copied movies, music albums, apps, and other content. The files are stored directly to Telegram's servers, allowing users to download movies, songs, and other content with one click. Channel admins told The Outline that they have not come across any resistance from Telegram despite the company, along with Apple and Google, maintaining a 'zero tolerance' stance on copyright infringement. This permissiveness on Telegram's part has led to the proliferation of a cottage industry of piracy marketplaces on the service.

[...] The Outline also discovered several groups and channels on Telegram in which stolen credentials -- i.e., the username and password for a website -- from Netflix, Spotify, Hulu, HBO, CBS, EA Sports, Lynda, Sling, WWE Network, Mega, India's Hotstar, and dozens of other services were being offered to tens of thousands of members each day. The Outline sourced nearly three-dozen free credentials from six Telegram channels, all of which worked as advertised.
The report says that content creators have reached out to Apple, requesting the iPhone-maker to intervene, but the company has largely ignored the issue.

In an unrelated development, a Moscow court cleared the way on Friday for the local government to ban Telegram, the messaging app, over its failure to give Russian security services the ability to read users' encrypted messages.
Chrome

Google Chrome To Boost User Privacy by Improving Cookies Handling Procedure (bleepingcomputer.com) 37

Catalin Cimpanu, writing for BleepingComputer: Google engineers plan to improve user privacy and security by putting a short lifespan on cookies delivered via HTTP connections. Google hopes that the move will force website developers and advertisers to send cookies via HTTPS, which "provides significant confidentiality protections against [pervasive monitoring] attacks."

Sending cookies via plaintext HTTP is considered both a user privacy and security risk, as these cookies could be intercepted and even modified by an attacker. Banning the sending of cookies via HTTP is not yet an option, so Chrome engineers hope that by limiting a cookie's lifespan, they would prevent huge troves of user data from gathering inside cookies, or advertisers using the same cookie to track users across different sites.

Iphone

Cops Around the Country Can Now Unlock iPhones, Records Show (vice.com) 98

Law enforcement agencies across the country have purchased GrayKey, a relatively cheap tool for bypassing the encryption on iPhones, while the FBI pushes again for encryption backdoors, Motherboard reported on Thursday. From the report: FBI Director Christopher Wray recently said that law enforcement agencies are "increasingly unable to access" evidence stored on encrypted devices. Wray is not telling the whole truth. Police forces and federal agencies around the country have bought relatively cheap tools to unlock up-to-date iPhones and bypass their encryption, according to a Motherboard investigation based on several caches of internal agency documents, online records, and conversations with law enforcement officials. Many of the documents were obtained by Motherboard using public records requests.

The news highlights the going dark debate, in which law enforcement officials say they cannot access evidence against criminals. But easy access to iPhone hacking tools also hamstrings the FBI's argument for introducing backdoors into consumer devices so authorities can more readily access their contents.

Security

Uber's 2016 Breach Affected More Than 20 Million US Users (bloomberg.com) 6

An anonymous reader quotes a report from Bloomberg: A data breach in 2016 exposed the names, phone numbers and email addresses of more than 20 million people who use Uber's service in the U.S., authorities said on Thursday, as they chastised the ride-hailing company for not revealing the lapse earlier. The Federal Trade Commission said Uber failed to disclose the leak last year as the agency investigated and sanctioned the company for a similar data breach that happened in 2014. "After misleading consumers about its privacy and security practices, Uber compounded its misconduct," said Maureen Ohlhausen, the acting FTC chairman. She announced an expansion of last year's settlement with the company and said the new agreement was "designed to ensure that Uber does not engage in similar misconduct in the future."

In the 2016 breach, intruders in a data-storage service run by Amazon.com Inc. obtained unencrypted consumer personal information relating to U.S. riders and drivers, including 25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver's license numbers, the FTC said in a complaint. Under the revised settlement, Uber could be subject to civil penalties if it fails to notify the FTC of future incidents, and it must submit audits of its data security, the agency said.

Network

Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks (bleepingcomputer.com) 22

Catalin Cimpanu, reporting for BleepingComputer: Cyber-espionage groups -- also referred to as advanced persistent threats (APTs) -- are using hacked routers more and more during their attacks, according to researchers at Kaspersky Lab. "It's not necessarily something new. Not something that just exploded," said Costin Raiu, director of Global Research and Analysis Team (GReAT) at Kaspersky Lab, in a webinar today. "We've seen a bunch of router attacks throughout the years. A very good example is SYNful Knock, a malicious implant for Cisco [routers] that was discovered by FireEye but also threat actors such as Regin and CloudAtlas. Both APTs have been known to have and own proprietary router implants." But the number of APTs leveraging routers for attacks has gone steadily up in the past year, and the tactic has become quite widespread in 2018. For example, the Slingshot APT (believed to be a US Army JSOC operation targeting ISIS militants) has used hacked MikroTik routers to infect victims with malware.
Android

Some Android Device Makers Are Lying About Security Patch Updates (phonedog.com) 116

An anonymous reader shares a report: Security patches for smartphones are extremely important because many people store personal data on their devices. Lots of Android phones out there regularly get security patches, but according to a new report, some of them are lying about the patches that they've actually gotten. According to a study by Security Research Labs, some Android phones are missing patches that they claim to have. Wired explains that SRL tested 1,200 phones from more than a dozen phone makers for every Android security patch released in 2017. The devices tested include ones from Google, Samsung, Motorola, LG, HTC, Xiaomi, OnePlus, Nokia, TCL, and ZTE. The study found that outside of Google and its Pixel phones, well-known phone makers had devices that were missing patches that they claimed to have. "We found several vendors that didn't install a single patch but changed the patch date forward by several months," says SRL founder Karsten Nohl.
Encryption

Researchers Devise a Way To Generate Provably Random Numbers Using Quantum Mechanics (newatlas.com) 139

No random number generator you've ever used is truly, provably random. Until now, that is. Researchers have used an experiment developed to test quantum mechanics to generate demonstrably random numbers, which could come in handy for encryption. From a report: The method uses photons to generate a string of random ones and zeros, and leans on the laws of physics to prove that these strings are truly random, rather than merely posing as random. The researchers say their work could improve digital security and cryptography. The challenge for existing random number generators is not only creating truly random numbers, but proving that those numbers are random. "It's hard to guarantee that a given classical source is really unpredictable," says Peter Bierhorst, a mathematician at the National Institute of Standards and Technology (NIST), where this research took place. "Our quantum source and protocol is like a fail-safe. We're sure that no one can predict our numbers." For example, random number algorithms often rely on a source of data which may ultimately prove predictable, such as atmospheric noise. And however complex the algorithm, it's still applying consistent rules. Despite these potential imperfections, these methods are relied on in the day-to-day encryption of data. This team's method, however, makes use of the properties of quantum mechanics, or what Einstein described as "spooky action at a distance." Further reading: Wired, LiveScience, and CNET.
Security

You Think Discovering a Computer Virus Is Hard? Try Naming One (wsj.com) 49

Like astronomers who discover new stars, security experts who first identify computer bugs, viruses, worms, ransomware and other coding catastrophes often get to name their finds. Such discoveries now number in the thousands each year, so crafting a standout moniker can be a serious challenge. From a report: Two years ago, German security firm SerNet GmbH figured a punchy name for their bug discovery would give the company a publicity jolt. They called it Badlock, designed a fractured-lock logo and set up a website. The marketing push backfired when some security experts decided Badlock wasn't that bad. Cynical hackers called it Sadlock. "We would not do this again," says SerNet Chief Executive Johannes Loxen of the branding blitz, which he says was overkill because a relatively small number of people were affected by Badlock. Hackers are no fans of marketing. They brand things in their own way. Puns and historic references are the name of the game. "They see it as a kind of grass-roots initiative," says Gabriella Coleman, an anthropologist who teaches courses on hacker culture at McGill University in Montreal.

Some venerable names that have stood the test of time: The Love Bug, for the worm that attacked millions of Windows personal computers in 2000, and Y2K, a turn-of-the-century programming scare that didn't live up to its hype. Many names tend more toward geekspeak. The title of hacker magazine 2600 is a tip of the hat to 2600 hertz, the frequency old-school hackers reproduced to trick AT&T phone lines into giving them free calls. Computer worm Conficker is an amalgam of "configure" and a German expletive. Code Red is named after the Mountain Dew drink researchers guzzled while investigating the worm.

Security

Data Exfiltrators Send Info Over PCs' Power Supply Cables (theregister.co.uk) 131

From a report on The Register: If you want your computer to be really secure, disconnect its power cable. So says Mordechai Guri and his team of side-channel sleuths at the Ben-Gurion University of the Negev. The crew have penned a paper titled PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines that explains how attackers could install malware that regulates CPU utilisation and creates fluctuations in the current flow that could modulate and encode data. The variations would be "propagated through the power lines" to the outside world.

Depending on the attacker's approach, data could be exfiltrated at between 10 and 1,000 bits-per-second. The higher speed would work if attackers can get at the cable connected to the computer's power supply. The slower speed works if attackers can only access a building's electrical services panel. The PowerHammer malware spikes the CPU utilisation by choosing cores that aren't currently in use by user operations (to make it less noticeable). Guri and his pals use frequency shift keying to encode data onto the line.

AMD

AMD Releases Spectre v2 Microcode Updates for CPUs Going Back To 2011 (bleepingcomputer.com) 54

Catalin Cimpanu, writing for BleepingComputer: AMD has released CPU microcode updates for processors affected by the Spectre variant 2 (CVE-2017-5715) vulnerability. The company has forwarded these microcode updates to PC and motherboard makers to include them in BIOS updates. Updates are available for products released as far back as 2011, for the first processors of the Bulldozer line. Microsoft has released KB4093112, an update that also includes special OS-level patches for AMD users in regards to the Spectre v2 vulnerability. Similar OS-level updates have been released for Linux users earlier this year. Yesterday's microcode patches announcement is AMD keeping a promise it made to users in January, after the discovery of the Meltdown and Spectre (v1 and v2) vulnerabilities.
Facebook

Mark Zuckerberg Denies Knowledge of Non-Consensual Shadow Profiles Facebook Has Been Building of Non-Users For Years 235

It has been widely reported that Facebook builds profiles of people even if they have never signed up for its services. However, in a hearing with the House Energy & Commerce Committee on Wednesday, when New Mexico Representative Ben Lujan asked Facebook CEO Mark Zuckerberg if he was aware of the so-called practice of building "shadow profiles", Zuckerberg denied knowledge of it. Here's the exchange:
Lujan: Facebook has detailed profiles on people who have never signed up for Facebook, yes or no?
Zuckerberg: Congressman, in general we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to [reverse searches based on public info like phone numbers].
Lujan: So these are called shadow profiles, is that what they've been referred to by some?
Zuckerberg: Congressman, I'm not, I'm not familiar with that.
Lujan: I'll refer to them as shadow profiles for today's hearing. On average, how many data points does Facebook have on each Facebook user?
Zuckerberg: I do not know off the top of my head.
Lujan: Do you know how many points of data Facebook has on the average non-Facebook user?
Zuckerberg: Congressman, I do not know off the top of my head but I can have our team get back to you afterward.
Lujan: It's been admitted by Facebook that you do collect data points on non-[Facebook users]. My question is, can someone who does not have a Facebook account opt out of Facebook's involuntary data collection?
Zuckerberg: Anyone can turn off and opt out of any data collection for ads, whether they use our services or not but in order to prevent people from scraping public information ... we need to know when someone is repeatedly trying to access our services.
Microsoft

Microsoft Removes Antivirus Registry Key Check for All Windows Versions (bleepingcomputer.com) 49

Microsoft has decided to remove a mandatory "registry key requirement" it introduced in the aftermath of the Meltdown and Spectre vulnerability disclosure. BleepingComputer: Microsoft used this registry key to prevent Windows updates from being installed on computers running antivirus software incompatible with the Meltdown and Spectre patches. Antivirus vendors were supposed to create this registry key on users' computers to signal that they've updated their product and will not interfere with Microsoft's patches. This was a big issue because incompatible antivirus products would crash and BSOD Windows systems. [...] The OS maker removed the registry key check for Windows 10 computers last month, in March, and has announced yesterday that the key is no longer necessary for other Windows operating system versions -- 7, 8, 8.1, Server 2008, and Windows Server 2012.
Democrats

Democratic Senators Propose 'Privacy Bill of Rights' To Prevent Websites From Sharing Or Selling Sensitive Info Without Opt-In Consent (arstechnica.com) 136

Democratic Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) today proposed a "privacy bill of rights" that would prevent Facebook and other websites from sharing or selling sensitive information without a customer's opt-in consent. The proposed law would protect customers' web browsing and application usage history, private messages, and any sensitive personal data such as financial and health information. Ars Technica reports: Markey teamed with Sen. Richard Blumenthal (D-Conn.) to propose the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act. You can read the full legislation here. "Edge providers" refers to websites and other online services that distribute content over consumer broadband networks. Facebook and Google are the dominant edge providers when it comes to advertising and the use of customer data to serve targeted ads. No current law requires edge providers to seek customers' permission before using their browsing histories to serve personalized ads. The online advertising industry uses self-regulatory mechanisms in which websites let visitors opt out of personalized advertising based on browsing history, and websites can be punished by the Federal Trade Commission (FTC) if they break their privacy promises.

The Markey/Blumenthal bill's stricter opt-in standard would require edge providers to "obtain opt-in consent from a customer to use, share, or sell the sensitive customer proprietary information of the customer." Edge providers would not be allowed to impose "take-it-or-leave-it" offers that require customers to consent in order to use the service. The FTC and state attorneys general would be empowered to enforce the new opt-in requirements. The bill would require edge providers to notify users about all collection, use, and sharing of their information. The bill also requires edge providers "to develop reasonable data security practices" and to notify customers about data breaches that affect them.
