DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×
Security

New Technology Combines Lip Motion and Passwords For User Authentication (bleepingcomputer.com) 54

An anonymous reader writes: "Scientists from the Hong Kong Baptist University (HKBU) have developed a new user authentication system that relies on reading lip motions while the user speaks a password out loud," reports BleepingComputer. Called "lip password" the system combines the best parts of classic password-based systems with the good parts of biometrics. The system relies on the uniqueness of someone's lips, such as shape, texture, and lip motions, but also allows someone to change the lip motion (password), in case the system ever gets compromised. Other biometric solutions, such as fingerprints, iris scans, and facial features, become eternally useless once compromised.
IBM

IBM Unveils Blockchain As a Service Based On Open Source Hyperledger Fabric Technology (techcrunch.com) 42

IBM has unveiled its "Blockchain as a Service," which is based on the open source Hyperledger Fabric, version 1.0 from The Linux Foundation. "IBM Blockchain is a public cloud service that customers can use to build secure blockchain networks," TechCrunch reports, noting that it's "the first ready-for-primetime implementation built using that technology." From the report: Although the blockchain piece is based on the open source Hyperledger Fabric project of which IBM is a participating member, it has added a set of security services to make it more palatable for enterprise customers, while offering it as a cloud service helps simplify a complex set of technologies, making it more accessible than trying to do this alone in a private datacenter. The Hyperledger Fabric project was born around the end of 2015 to facilitate this, and includes other industry heavyweights such as State Street Bank, Accenture, Fujitsu, Intel and others as members. While the work these companies have done to safeguard blockchain networks, including setting up a network, inviting members and offering encrypted credentials, was done under the guise of building extra safe networks, IBM believes it can make them even safer by offering an additional set of security services inside the IBM cloud. While Jerry Cuomo, VP of blockchain technology at IBM, acknowledges that he can't guarantee that IBM's blockchain service is unbreachable, he says the company has taken some serious safeguards to protect it. This includes isolating the ledger from the general cloud computing environment, building a security container for the ledger to prevent unauthorized access, and offering tamper-responsive hardware, which can actually shut itself down if it detects someone trying to hack a ledger. What's more, IBM claims their blockchain product is built in a highly auditable way to track all of the activity that happens within a network, giving administrators an audit trail in the event something did go awry.
Security

Royal Jordanian Airlines Bans Use of Electronics After US Voices Security 'Concerns' (theverge.com) 109

An anonymous reader quotes a report from The Verge: Royal Jordanian airlines banned the use of electronics on flights servicing the U.S. after government officials here expressed concerns. Details are scant, but CNN is reporting that other carriers based on the Middle East and Africa may be affected as well. The news broke when Royal Jordanian, a state-owned airline that operates around 500 flights a week, posted this cryptic notice on its Twitter feed. The ban, which includes laptops, tablets, and video games, but does not include smartphones or medical devices, is effective for Royal Jordanian flights servicing New York, Chicago, Detroit, and Montreal. A spokesperson for Royal Jordanian was not immediately available for clarification. Meanwhile, CNN is reporting that Royal Jordanian may not be the only carrier affected by these new security provisions. Jon Ostrower, the network's aviation editor, just tweeted that as many as 12 airlines based in the Middle East and Africa could be impacted. A Saudi executive also tweeted that "directives by U.S. authorities" could affect passengers traveling from 13 countries, with the new measure set to go into effect over the next 96 hours.
Communications

Hundreds of Cisco Switches Vulnerable To Flaw Found in WikiLeaks Files (zdnet.com) 76

Zack Whittaker, writing for ZDNet: Cisco is warning that the software used in hundreds of its products are vulnerable to a "critical"-rated security flaw, which can be easily and remotely exploited with a simple command. The vulnerability can allow an attacker to remotely gain access and take over an affected device. More than 300 switches are affected by the vulnerability, Cisco said in an advisory. According to the advisory, the bug is found in the cluster management protocol code in Cisco's IOS and IOS XE software, which the company installs on the routers and switches it sells. An attacker can exploit the vulnerability by sending a malformed protocol-specific Telnet command while establishing a connection to the affected device, because of a flaw in how the protocol fails to properly process some commands. Cisco said that there are "no workarounds" to address the vulnerability, but it said that disabling Telnet would "eliminate" some risks.
Government

FBI Director Comey Confirms Investigation Into Trump Campaign (reuters.com) 529

FBI Director James Comey confirmed during testimony before Congress Monday that the FBI is investigating whether the Trump campaign colluded with a covert Russian campaign to interfere with the election. From a report on Reuters: Comey told a congressional hearing on Russian activities that the probe "includes investigating the nature of any links between individuals associated with the Trump campaign and the Russian government and whether there was any coordination between the campaign and Russia's efforts. Because it is an open, ongoing investigation and is classified, I cannot say more about what we are doing and whose conduct we are examining," Comey said. Earlier, the chairman of the U.S. House of Representatives Intelligence Committee, Republican Representative Devin Nunes, told the same hearing that the panel had seen no evidence of collusion between Russia and Trump's 2016 campaign. Nunes also denied an unsubstantiated claim from Trump that there had been a wiretap on his Trump Tower in New York but said it was possible other surveillance was used against the Republican.
Microsoft

WikiLeaks Won't Tell Tech Companies How To Patch CIA Zero-Days Until Demands Are Met (fortune.com) 227

"WikiLeaks has made initial contact with us via secure@microsoft.com," a Microsoft spokesperson told Motherboard -- but then things apparently stalled. An anonymous reader quotes Fortune: Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security "zero days" and other surveillance methods in the possession of the Central Intelligence Agency... Wikileaks' demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard's sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.
Julian Assange announced Friday that Mozilla had already received information after agreeing to their "industry standard responsible disclosure plan," then added that "most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA." Assange suggested users "may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet we will create a league table comparing company responsiveness and government entanglements so users can decided for themselves."
Crime

Company's Former IT Admin Accused of Accessing Backdoor Account 700+ Times (bleepingcomputer.com) 63

An anonymous reader writes: "An Oregon sportswear company is suing its former IT administrator, alleging he left backdoor accounts on their network and used them more than 700 times to search for information for the benefit of its new employer," reports BleepingComputer. Court papers reveal the IT admin left to be the CTO at one of the sportswear company's IT suppliers after working for 14 years at his previous employer. For more than two years, he's [allegedly] been using an account he created before he left to access his former colleagues' emails and gather information about the IT services they might need in the future. The IT admin was fired from his CTO job after his new employer found out what he was doing.
One backdoor, which enabled both VPN and VDI connections to the company's network, granted access to a "jmanming" account for a non-existent employee named Jeff Manning...
Security

Edge, VMWare, Safari, And Ubuntu Linux Hacked at Pwn2Own 2017 (trendmicro.com) 82

The 10th annual Pwn2Own hacking competition ended Friday in Vancouver. Some of the highlights:
  • Ars Technica reports one team "compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in... by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware."
  • Digital Trends reports "Samuel Grob and Niklas Baumstark used a number of logic bugs to exploit the Safari browser and eventually take root control of the MacOS on a MacBook Pro, [and] impressed onlookers even more by adding a custom message to the Touch Bar which read: "pwned by niklasb and saelo."
  • Ubuntu 16.10 Linux was also successfully attacked by exploiting a flaw in the Linux 4.8 kernel, "triggered by a researcher who only had basic user access but was able to elevate privileges with the vulnerability to become the root administrative account user..." reports eWeek. "Chaitin Security Research Lab didn't stop after successfully exploiting Ubuntu. It was also able to successfully demonstrate a chain of six bugs in Apple Safari, gaining root access on macOS."
  • Another attacker "leveraged two separate use-after-free bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel."

None of the attendees registered to attempt an attack on the Apache Web Server on Ubuntu 16.10 Linux, according to eWeek, but the contest's blog reports that "We saw a record 51 bugs come through the program. We paid contestants $833,000 USD in addition to the dozen laptops we handed out to winners. And, we awarded a total of 196 Master of Pwn points."


Government

CBS Reports 'Suspicious' Cell Phone Tower Activity In Washington DC (cbsnews.com) 187

"An unusually high amount of suspicious cell phone activity in the nation's capital has caught the attention of the Department of Homeland Security, raising concerns that U.S. officials are being monitored by a foreign entity," reports CBS News: The issue was first reported in the Washington Free Beacon, but a source at telecom security firm ESD America confirmed the spike in suspicious activity to CBS News. ESD America, hired preemptively for a DHS pilot program this January called ESD Overwatch, first noticed suspicious activity around cell phone towers in certain parts of the capital, including near the White House. This kind of activity can indicate that someone is monitoring specific individuals or their devices... According to the ESD America source, the first such spike of activity was in D.C. but there have been others in other parts of the country. Based on the type of technology used, the source continued, it is likely that the suspicious activity was being conducted by a foreign nation.
The news coincides with a letter sent to the DHS by two congressmen "deeply concerned" about vulnerabilities in the SS7 protocol underlying U.S. cellular networks, according to an article shared by Slashdot reader Trailrunner7. Senator Ron Wyden and Representative Ted Lieu are asking if the agency has enough resources to address the threat. "Although there have been a few news stories about this topic, we suspect that most Americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones."
China

China's Police Will Shoot Illegal Drones With Radio-Jamming Rifles (mashable.com) 62

"Police in China are being equipped with new high-tech weaponry to help them fight back against illegal drone use," writes new submitter drunkdrone. Mashable reports: A Chinese city's police department is arming itself with more than 20 drone-jamming rifles...which work by emitting radio signals that force the drones to land, purportedly without damaging them. The drone-killing rifles will be used during the upcoming 2017 Wuhan Marathon, to raise security. Wuhan police demonstrated the drone-killing rifles last week, where they shot down six drones, according to the Chutian Metropolitan Daily.
Each rifle costs $36,265, and has a range of 0.6 miles.
Botnet

Bruce Schneier Calls for IoT Legislation, Argues The Internet Is Becoming One Giant Robot (linux.com) 84

"We're building a world-size robot, and we don't even realize it," security expert Bruce Schneier warned the Open Source Leadership Summit. As mobile computing and always-on devices combine with the various network-connected sensors, actuators, and cloud-based AI processing, "We are building an internet that senses, thinks, and acts." An anonymous reader quotes Linux.com: You can think of it, he says, as an Internet that affects the world in a direct physical manner. This means Internet security becomes everything security. And, as the Internet physically affects our world, the threats become greater. "It's the same computers, it could be the same operating systems, the same apps, the same vulnerability, but there's a fundamental difference between when your spreadsheet crashes, and you lose your data, and when your car crashes and you lose your life," Schneier said...

"I have 20 IoT-security best-practices documents from various organizations. But the primary barriers here are economic; these low-cost devices just don't have the dedicated security teams and patching/upgrade paths that our phones and computers do. This is why we also need regulation to force IoT companies to take security seriously from the beginning. I know regulation is a dirty word in our industry, but when people start dying, governments will take action. I see it as a choice not between government regulation and no government regulation, but between smart government regulation and stupid government regulation."

Security

Some HTTPS Inspection Tools Actually Weaken Security (itworld.com) 101

America's Department of Homeland Security issued a new warning this week. An anonymous reader quotes IT World: Companies that use security products to inspect HTTPS traffic might inadvertently make their users' encrypted connections less secure and expose them to man-in-the-middle attacks, the U.S. Computer Emergency Readiness Team warns. US-CERT, a division of the Department of Homeland Security, published an advisory after a recent survey showed that HTTPS inspection products don't mirror the security attributes of the original connections between clients and servers. "All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected," US-CERT said in its alert.
Slashdot reader msm1267 quotes Threatpost: HTTPS inspection boxes sit between clients and servers, decrypting and inspecting encrypted traffic before re-encrypting it and forwarding it to the destination server... The client cannot verify how the inspection tool is validating certificates, or whether there is an attacker positioned between the proxy and the target server.
AI

Researchers Build An AI That's Better At Reading Lips Than Humans (bbc.com) 62

An anonymous reader quotes the BBC: Scientists at Oxford say they've invented an artificial intelligence system that can lip-read better than humans. The system, which has been trained on thousands of hours of BBC News programs, has been developed in collaboration with Google's DeepMind AI division. "Watch, Attend and Spell", as the system has been called, can now watch silent speech and get about 50% of the words correct. That may not sound too impressive - but when the researchers supplied the same clips to professional lip-readers, they got only 12% of words right...
The system now recognizes 17,500 words, and one of the researchers says, "As it keeps watching TV, it will learn."
Security

Windows 10 UAC Bypass Uses Backup and Restore Utility (bleepingcomputer.com) 58

An anonymous reader writes: "A new User Access Control (UAC) bypass technique relies on altering Windows registry app paths and using the Backup and Restore utility to load malicious code without any security warning," reports BleepingComputer. The technique works when an attacker launches the Backup and Restore utility, which loads its control panel settings page. Because the utility doesn't known where this settings page is located, it queries the Windows Registry. The problem is that low-privileged users can modify Windows Registry values and point to malware. Because the Backup and Restore utility is a trusted application, UAC prompts are suppressed. This technique only works in Windows 10 (not earlier OS versions) and was tested with Windows 10 build 15031. A proof-of-concept script is available on GitHub. The same researcher had previously found two other UAC bypass techniques, one that abuses the Windows Event Viewer, and one that relies on the Windows 10 Disk Cleanup utility
Crime

Judge Grants Search Warrant For Everyone Who Searched a Crime Victim's Name On Google (startribune.com) 101

Hennepin County District Judge Gary Larson has issued a search warrant to Edina, Minnesota police to collect information on people who searched for variations of a crime victim's name on Google from Dec. 1 through Jan. 7. Google would be required to provide Edina police with basic contact information for people targeted by the warrant, as well as Social Security numbers, account and payment information, and IP and MAC addresses. StarTribune reports: Information on the warrant first emerged through a blog post by public records researcher Tony Webster. Edina police declined to comment Thursday on the warrant, saying it is part of an ongoing investigation. Detective David Lindman outlined the case in his application for the search warrant: In early January, two account holders with SPIRE Credit Union reported to police that $28,500 had been stolen from a line of credit associated with one of their accounts, according to court documents. Edina investigators learned that the suspect or suspects provided the credit union with the account holder's name, date of birth and Social Security number. In addition, the suspect faxed a forged U.S. passport with a photo of someone who looked like the account holder but wasn't. Investigators ran an image search of the account holder's name on Google and found the photo used on the forged passport. Other search engines did not turn up the photo. According to the warrant application, Lindman said he had reason to believe the suspect used Google to find a picture of the person they believed to be the account holder. Larson signed off on the search warrant on Feb. 1. According to court documents, Lindman served it about 20 minutes later.
IBM

IBM To Hire 2,000 More Veterans, Expand Tech Training Schools (axios.com) 32

Ina Fried, reporting for Axios: IBM CEO Ginni Rometty is among the tech leaders meeting Friday with President Trump and German Chancellor Angela Merkel, Axios has learned. They'll discuss worker training. And IBM will announce plans to: Open 20 more of its P-TECH schools, which let students get a combined high school degree and associate degree in science and technology in as little as four and a half years. Hire 2,000 U.S. military veterans over the next four years and expand a program that trains and certifies veterans in the use of the type of IBM software often used by law enforcement, cybersecurity and national security agencies.
Transportation

A US Ally Shot Down a $200 Drone With a $3 Million Patriot Missile (theverge.com) 318

An anonymous reader shares a report on The Verge: Earlier this week, General David Perkins, the commander of the US Army Training and Doctrine Command (TRADOC) spoke at the Association of the US Army's Global Force symposium, where he discussed the threats that the US military would begin to face in the coming years. One notable example is how a US ally recently shot down a $200 consumer drone with a $3.4 million worth Patriot Missile. Perkins' talk during the symposium focused on the complexity of a military organization in the field, and how the interconnected nature of air, ground, and sea forces can lead to a fragmented response to a threat between the commanders who are in charge of specific areas. [...] "The gut instinct was," he explains, "that's an air defense problem, because they're in the air." "In fact," he went on to say, "we have a very close ally of ours that was dealing with an adversary using small quadcopter UASs, and they shot it down with a Patriot missile." The problem, he said, wasn't effectiveness: the tiny drone didn't stand a chance -- the issue is economics.
The Military

Physicist Declassifies Rescued Nuclear Test Films (llnl.gov) 62

Eloking quotes a report from Lawrence Livermore National Laboratory: The U.S. conducted 210 atmospheric nuclear tests between 1945 and 1962, with multiple cameras capturing each event at around 2,400 frames per second. But in the decades since, around 10,000 of these films sat idle, scattered across the country in high-security vaults. Not only were they gathering dust, the film material itself was slowly decomposing, bringing the data they contained to the brink of being lost forever. For the past five years, Lawrence Livermore National Laboratory (LLNL) weapon physicist Greg Spriggs and a crack team of film experts, archivists and software developers have been on a mission to hunt down, scan, reanalyze and declassify these decomposing films. The goals are to preserve the films' content before it's lost forever, and provide better data to the post-testing-era scientists who use computer codes to help certify that the aging U.S. nuclear deterrent remains safe, secure and effective. To date, the team has located around 6,500 of the estimated 10,000 films created during atmospheric testing. Around 4,200 films have been scanned, 400 to 500 have been reanalyzed and around 750 have been declassified. An initial set of these declassified films -- tests conducted by LLNL -- were published today in an LLNL YouTube playlist.
Government

US Federal Budget Proposal Cuts Science Funding (washingtonpost.com) 648

hey! writes: The U.S. Office of Management and Budget has released a budget "blueprint" which outlines substantial cuts in both basic research and applied technology funding. The proposal includes a whopping 18% reduction in National Institutes of Health medical research. NIH does get a new $500 million fund to track emerging infectious agents like Zika in the U.S., but loses its funding to monitor those agents overseas. The Department of Energy's research programs also get an 18% cut in research, potentially affecting basic physics research, high energy physics, fusion research, and supercomputing. Advanced Research Projects Agency (ARPA-E) gets the ax, as does the Advanced Technology Vehicle Manufacturing Program, which enabled Tesla to manufacture its Model S sedan. EPA loses all climate research funding, and about half the research funding targeted at human health impacts of pollution. The Energy Star program is eliminated; Superfund funding is drastically reduced. The Chesapeake Bay and Great Lakes cleanup programs are also eliminated, as is all screening of pesticides for endocrine disruption. In the Department of Commerce, Sea Grant is eliminated, along with all coastal zone research funding. Existing weather satellites GOES and JPSS continue funding, but JPSS-3 and -4 appear to be getting the ax. Support for transfer of federally funded research and technology to small and mid-sized manufacturers is eliminated. NASA gets a slight trim, and a new focus on deep space exploration paid for by an elimination of Earth Science programs. You can read more about this "blueprint" in Nature, Science, and the Washington Post, which broke the story. The Environmental Protection Agency, the State Department and Agriculture Department took the hardest hits, while the Defense Department, Department of Homeland Security, and Department of Veterans Affairs have seen their budgets grow.
Privacy

Buying a Samsung TV Online Could Jeopardize Your Data (cnet.com) 30

An anonymous reader shares a CNET report: If you buy a product from Samsung's online store, your name, address, order information and other data may be accessible to anyone who cares to look. Matt Metzger, a self-described "application security engineer" who said he has worked in shipping-industry compliance, wrote Wednesday on Medium about an accidental discovery. Metzger said he ordered a TV from the Samsung online store and was sent a URL to track his delivery. When he followed the URL, he discovered that his tracking number was the same one used for someone else's previous delivery and that he could see sensitive information, such as the person's name and items ordered, without any security measures getting in the way. Metzger also discovered that more information was attached in a TIFF file to his own order after the delivery was completed. The file included his full name, address and signature.Samsung told CNET it is aware of the issue and is looking into it.

Slashdot Top Deals