Businesses

Reporter Regrets Letting Amazon's Delivery People Into His House (washingtonpost.com) 114

An anonymous reader writes: Washington Post reporter Geoffrey A. Fowler describes his short-lived experience with "Amazon Key", a $250 smart lock system with a security camera that grants Amazon's delivery people access to your home. The lock sounds "like R2-D2 with constipation," and at one point it actually jammed (though his persistent delivery person eventually got it working properly). The unlocking of the door triggers a live video feed of the delivery -- which is also stored in a private archive online -- plus an alert to your phone -- and the Post's reporter writes that "The biggest downsides to the experience haven't been the strangers -- it's been Amazon."

They missed their delivery windows four out of eight times, and though the packages all arrived eventually, all four were late by a least a day. But his larger issue is that Amazon "wants to draw you further into an all-Amazon world... Now Amazon wants to literally own your door, so it can push not just packages but also services that come through it, like handymen, dog-walkers, groceries, you name it." His ultimate question? "Who's really being locked in?"

The Post's reporter notes that Amazon CEO Jeff Bezos owns the Washington Post, "but I review all tech the same." He did identify some advantages to the $250 smart lock system -- the door can now also be unlocked with the Amazon Key app, and he can even share that access with his friends by giving them a special access code.

But he also notes that security researchers discovered a way to freeze Amazon's security camera, potentially allowing a rogue delivery person to lurk in your house. And all things considered, it was apparently all too creepy. "After two weeks, my family voted to remove the Amazon Key smart lock and take down the camera."
Bitcoin

People Who Can't Remember Their Bitcoin Passwords Are Really Freaking Out Now (slate.com) 202

An anonymous reader quotes a report from Slate: Bitcoin has had quite a week. On Thursday, the cryptocurrency surged past $19,000 a coin before dropping down to $15,600 by Friday midday. The price of a single Bitcoin was below $1,000 in January. Any investors who bought Bitcoins back in 2013, when the price was less than $100, probably feel pretty smart right now. But not all early cryptocurrency enthusiasts are counting their coins. Instead they might be racking their brains trying to remember their passwords, without which those few Bitcoins they bought as an experiment a few years ago could be locked away forever. That's because Bitcoin's decentralization relies on cryptography, where each transaction is signed with an identifier assigned to the person paying and the person receiving Bitcoin.

"I've tried to ignore the news about Bitcoin completely," joked Alexander Halavais, a professor of social technology at Arizona State University, who said he bought $70 of Bitcoin about seven years as a demonstration for a graduate class he was teaching at the time but has since forgotten his password. "I really don't want to know what it's worth now," he told me. "This is possibly $400K and I'm freaking the fuck out. I'm a college student so this would change my life lmao," wrote one Reddit user last week. The user claimed to have bought 40 bitcoins in 2013 but can't remember the password now. "A few years ago, I bought about 20 euros worth of bitcoin, while it was at around 300eur/btc.," lamented another Reddit user earlier this week. "Haven't looked at it since, and recently someone mentioned the price had hit 10.000usd. So, I decided to take a look at my wallet, but found that it wasn't my usual password. I have tried every combination of the password variations I usually use, but none of them worked."

Security

Zero-Day iOS HomeKit Vulnerability Allowed Remote Access To Smart Accessories Including Locks (9to5mac.com) 39

Apple has issued a fix to a vulnerability that allowed unauthorized control of accessories, including smart locks and garage door openers. "Our understanding is Apple has rolled out a server-side fix that now prevents unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality," reports 9to5Mac. From the report: The vulnerability, which we won't describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs. The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers, the former of which was demonstrated to 9to5Mac. The issue was not with smart home products individually but instead with the HomeKit framework itself that connects products from various companies. The vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple's mobile operating system, connected to the HomeKit user's iCloud account; earlier versions of iOS were not affected.
Security

'Process Doppelganging' Attack Bypasses Most Security Products, Works On All Windows Versions (bleepingcomputer.com) 125

An anonymous reader quotes a report from Bleeping Computer: Yesterday, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called "Process Doppelganging." This new attack works on all Windows versions and researchers say it bypasses most of today's major security products. Process Doppelganging is somewhat similar to another technique called "Process Hollowing," but with a twist, as it utilizes the Windows mechanism of NTFS Transactions.

"The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine," Tal Liberman & Eugene Kogan, the two enSilo researchers who discovered the attack told Bleeping Computer. "Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection. In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind." The good news is that "there are a lot of technical challenges" in making Process Doppelganging work, and attackers need to know "a lot of undocumented details on process creation." The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."
More research on the attack will be published on the Black Hat website in the following days.
Chrome

Chrome 63 Offers Even More Protection From Malicious Sites, Using Even More Memory (arstechnica.com) 63

An anonymous reader quotes a report from Ars Technica: To further increase its enterprise appeal, Chrome 63 -- which hit the browser's stable release channel yesterday -- includes a couple of new security enhancements aimed particularly at the corporate market. The first of these is site isolation, an even stricter version of the multiple process model that Chrome has used since its introduction. Chrome uses multiple processes for several security and stability reasons. On the stability front, the model means that even if a single tab crashes, other tabs (and the browser itself) are unaffected. On the security front, the use of multiple processes makes it much harder for malicious code from one site to steal secrets (such as passwords typed into forms) of another. [...]

Naturally, this greater use of multiple processes incurs a price; with this option enabled, Chrome's already high memory usage can go up by another 15 to 20 percent. As such, it's not enabled by default; instead, it's intended for use by enterprise users that are particularly concerned about organizational security. The other new capability is the ability for administrators to block extensions depending on the features those extensions need to use. For example, an admin can block any extension that tries to use file system access, that reads or writes the clipboard, or that accesses the webcam or microphone. Additionally, Google has started to deploy TLS 1.3, the latest version of Transport Layer Security, the protocol that enables secure communication between a browser and a Web server. In Chrome 63, this is only enabled between Chrome and Gmail; in 2018, it'll be turned on more widely.

Businesses

Bangladesh Bank, NY Fed Discuss Suing Manila Bank For Heist Damages (reuters.com) 29

An anonymous reader shares a report: Bangladesh's central bank has asked the Federal Reserve Bank of New York to join a lawsuit it plans to file against a Philippines bank for its role in one of the world's biggest cyber-heists, several sources said. The Fed is yet to respond formally, but there is no indication it would join the suit. Unidentified hackers stole $81 million from Bangladesh Bank's account at the New York Fed in February last year, using fraudulent orders on the SWIFT payments system. The money was sent to accounts at Manila-based Rizal Commercial Banking Corp and then disappeared into the casino industry in the Philippines.
Businesses

Kaspersky To Close Washington Office But Expand Non-State Sales (bloomberg.com) 65

An anonymous reader shares a report: A Russian software-maker, whose products are banned for use in federal information systems by the U.S. government, is seeking to remain in the North American market and prove its products have no hidden capabilities. Kaspersky Lab Inc. will close its Washington D.C. office that was selling to the government and will keep working with non-federal customers in the U.S. via its remaining offices in the country, vice-president Anton Shingarev said in an interview in Moscow. The company also committed in October to open its product's source code to an independent third-party review and plans to open new offices in Chicago, Los Angeles and Toronto next year. "This allows independent experts to verify that our software has no hidden functionality, that it doesn't send your files to third parties, doesn't spy on you and fully complies with the end-user agreement," Shingarev said. The U.S. banned government use of Kaspersky software in September, citing founder Eugene Kaspersky's alleged ties to Russian intelligence and the possibility its products could function as "malicious actors" to compromise federal information systems. The move caused concern about the company's products in other markets, including the U.K.
Bitcoin

Bitcoin Nears $17,000 After Climbing About $4,000 in Less Than a Day 464

As economists attempt to make sense of Bitcoin, the cryptocurrency rocketed above $17,000 for the first time moments ago, adding about $4,000 to its price in fewer than 24 hours. Security reporter Brian Krebs tweeted on Thursday, "Closing in on $17k per bitcoin now (mind you, it was almost at $16k less than an hour ago. This is totally fine." Late Wednesday, finance author Ben Carlson wrote: Bitcoin has achieved something I've always wanted to see in the stock mkt - a reverse 1987 (20% gain in a single day)
Security

Uber Paid 20-year-old Florida Man To Keep Data Breach Secret (reuters.com) 27

A 20-year-old Florida man was responsible for the large data breach at Uber last year and he was paid by the company to destroy the data through a so-called "bug bounty" program, three people familiar with the events have told Reuters. From the report: Uber announced on Nov. 21 that the personal data of 57 million users, including 600,000 drivers in the United States, were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money. Uber made the payment last year through a program designed to reward security researchers who report flaws in a company's software, these people said. Uber's bug bounty service -- as such a program is known in the industry -- is hosted by a company called HackerOne, which offers its platform to a number of tech companies.
Privacy

Keylogger Found On Nearly 5,500 WordPress Sites (bleepingcomputer.com) 83

An anonymous reader writes: Nearly 5,500 WordPress sites are infected with a malicious script that logs keystrokes and sometimes loads an in-browser cryptocurrency miner. The malicious script is being loaded from the "cloudflare.solutions" domain, which is not affiliated with Cloudflare in any way, and logs anything that users type inside form fields as soon as the user switches away from an input field. The script is included on both the sites' frontends and backends, meaning it can steal both admin account credentials and credit card data from WP sites running e-commerce stores. According to site source code search engine PublicWWW, there are 5,496 sites running this keylogger. The attacker has been active since April.
Government

Warrantless Surveillance Can Continue Even If Law Expires, Officials Say (theverge.com) 68

According to a New York Times report citing American officials, the Trump administration has decided that the National Security Agency and the FBI can lawfully keep operating their warrantless surveillance program even if Congress fails to extend the law authorizing it before an expiration date of New Year's Eve. The Verge reports: The White House believes the Patriot Act's surveillance provisions won't expire until four months into 2018. Lawyers point to a one-year certification that was granted on April 26th of last year. If that certification is taken as a legal authorization for the FISA court overall -- as White House lawyers suggest -- then Congress will have another four months to work out the details of reauthorization. There are already several proposals for Patriot Act reauthorization in the Senate, which focus the Section 702 provisions that authorize certain types of NSA surveillance. Some of the proposals would close the backdoor search loophole that allows for warrantless surveillance of U.S. citizens, although a recent House proposal would leave it in place. But with Congress largely focused on tax cuts and the looming debt ceiling fight, it's unlikely the differences could be reconciled before the end of the year.
The Internet

EU Urges Internet Companies To Do More To Remove Extremist Content (reuters.com) 79

Internet groups such as Facebook, Google's YouTube and Twitter need to do more to stem the proliferation of extremist content on their platforms, the European Commission said after a meeting on Wednesday. From a report: Social media companies have significantly boosted their resources to take down violent and extremist content as soon as possible in response to growing political pressure from European governments, particularly those hit by militant attacks in recent years. But Julian King, EU security commissioner, said that while a lot of progress had been made, additional efforts were needed. "We are not there yet. We are two years down the road of this journey: to reach our final destination we now need to speed up our work," King said in his closing speech at the third meeting of the EU Internet Forum, which brings together the Commission, EU member states, law enforcement and technology companies. The EU has said it will come forward with legislation next year if it is not satisfied with progress made by tech companies in removing extremist content, while a German online hate speech law comes into effect on Jan. 1.
Security

Apple Issues Security Updates for MacOS, iOS, TvOS, WatchOS, and Safari (bleepingcomputer.com) 30

Catalin Cimpanu, writing for BleepingComputer: Over the course of the last four days, Apple has released updates to address security issues for several products, such as macOS High Sierra, Safari, watchOS, tvOS, and iOS. The most relevant security update is the one to macOS, as it also permanently fixes the bug that allowed attackers to access macOS root accounts without having to type a password. Apple issued a patch for the bug the next day after it was discovered, but because the patch was delivered as an out-of-band update that did not alter the macOS version number, when users from older macOS versions updated to 10.13.1 (the vulnerable version), the bug was still present. With today's update, the patch for the bug -- now known as "IAmRoot" (CVE-2017-13872) -- has received a permanent fix. All users who upgrade to macOS High Sierra 10.13.2 are safe.
Security

NiceHash Hacked, $62 Million of Bitcoin May Be Stolen (reddit.com) 79

New submitter Chir breaks the news to us that the NiceHash crypto-mining marketplace has been hacked. The crypto mining pool broke the news on Reddit, where users suggest that as many as 4,736.42 BTC -- an amount worth more than $62 million at current prices -- has been stolen. The NiceHash team is urging users to change their online passwords as a result of the breach and theft.
Privacy

Germany Preparing Law for Backdoors in Any Type of Modern Device (bleepingcomputer.com) 251

Catalin Cimpanu, writing for BleepingComputer: German authorities are preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations. The law would target all modern devices, such as cars, phones, computers, IoT products, and more. Officials are expected to submit their proposed law for debate this week, according to local news outlet RedaktionsNetzwerk Deutschland (RND). The man supporting this proposal is Thomas de Maiziere, Germany's Interior Minister, who cites the difficulty law enforcement agents have had in past months investigating the recent surge of terrorist attacks and other crimes.
Security

A Popular Virtual Keyboard App Leaks 31 Million Users' Personal Data (zdnet.com) 65

Zack Whittaker, writing for ZDNet: Personal data belonging to over 31 million customers of a popular virtual keyboard app has leaked online, after the app's developer failed to secure the database's server. The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users across the world. But the server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data. The database appears to only contain records on the app's Android users.
Android

Android Go Will Make the Most Basic Phones Run Smoothly (cnet.com) 101

Entry-level phones may cost less than big hitters, but they come at the cost of space, speed and efficiency. Google's looking to change that with Android Go. From a report: Android Oreo (Go Edition) will launch tomorrow as part of the Android Oreo 8.1 rollout and all Android Oreo devices with 512MB to 1GB of memory will be optimised for Android Go. Google says this will allow them to function properly as smartphones while doubling their available storage space. The experience includes: An improved operating system with better performance, storage and security features; a new set of lighter Google apps, suitable for first-time web users; a Google Play store that highlights apps designed to work best on entry-level devices.
Security

PayPal Says 1.6 Million Customer Details Stolen In Breach At Canadian Subsidiary (bleepingcomputer.com) 24

New submitter Kargan shares a report from BleepingComputer: PayPal says that one of the companies it recently acquired suffered a security incident during which an attacker appears to have accessed servers that stored information for 1.6 million customers. The victim of the security breach is TIO Networks, a Canadian company that runs a network of over 60,000 utility and bills payment kiosks across North America. PayPal acquired TIO Networks this past July for $238 million in cash. PayPal reportedly suspended the operations of TIO's network on November 10th. "PayPal says the intruder(s) got access to the personal information of both TIO customers and customers of TIO billers," reports BleepingComputer. "The company did not reveal what type of information the attacker accessed, but since this is a payment system, attackers most likely obtained both personally-identifiable information (PII) and financial details." The company has started notifying customers and is offering free credit monitoring memberships.
IT

Man Hacks Jail Computer Network To Get Inmate Released Early (bleepingcomputer.com) 31

An anonymous reader writes: A Michigan man pleaded guilty last week to hacking the computer network of the Washtenaw County Jail, where he modified inmate records in an attempt to have an inmate released early. To breach the jail's network, the attacker used only spear-phishing emails and telephone social engineering.

The man called jail employees and posed as local IT staffers, tricking some into accessing a website, and downloading and installing malware under the guise of a jail system upgrade. Once the man (Konrads Voits) had access to this data, investigators said he accessed the XJail system, searched and accessed the records of several inmates, and modified at least one entry "in an effort to get that inmate released early." Jail employees noticed the modification right away and alerted the FBI. The man as arrested a month later and is now awaiting sentencing (maximum 10 years and a fine of up to $250,000).

Censorship

Apple, Google CEOs Bring Star Power as China Promotes Censorship (bloomberg.com) 38

An anonymous reader shares a Bloomberg report: Apple's Tim Cook and Google's Sundar Pichai made their first appearances at China's World Internet Conference, bringing star power to a gathering the Chinese government uses to promote its strategy of tight controls online. Apple's chief executive officer gave a surprise keynote at the opening ceremony on Sunday, calling for future internet and AI technologies to be infused with privacy, security and humanity. The same day, one of China's most-senior officials called for more aggressive government involvement online to combat terrorism and criminals. Wang Huning, one of seven men on China's top decision-making body, even called for a global response team to go well beyond its borders. It was Cook's second appearance in China in two months, following a meeting with President Xi Jinping in October. The iPhone maker has most of its products manufactured in the country and is trying to regain market share in smartphones against local competitors such as Huawei. "The theme of this conference -- developing a digital economy for openness and shared benefits -- is a vision we at Apple share," Cook said. "We are proud to have worked alongside many of our partners in China to help build a community that will join a common future in cyberspace."

Slashdot Top Deals