Crime

US Prepares Charges To Seek Arrest of WikiLeaks' Julian Assange (cnn.com) 369

An anonymous reader quotes a report from CNN: U.S. authorities have prepared charges to seek the arrest of WikiLeaks founder Julian Assange, U.S. officials familiar with the matter tell CNN. The Justice Department investigation of Assange and WikiLeaks dates to at least 2010, when the site first gained wide attention for posting thousands of files stolen by the former U.S. Army intelligence analyst now known as Chelsea Manning. Prosecutors have struggled with whether the First Amendment precluded the prosecution of Assange, but now believe they have found a way to move forward. During President Barack Obama's administration, Attorney General Eric Holder and officials at the Justice Department determined it would be difficult to bring charges against Assange because WikiLeaks wasn't alone in publishing documents stolen by Manning. Several newspapers, including The New York Times, did as well. The investigation continued, but any possible charges were put on hold, according to U.S. officials involved in the process then.
The U.S. view of WikiLeaks and Assange began to change after investigators found what they believe was proof that WikiLeaks played an active role in helping Edward Snowden, a former NSA analyst, disclose a massive cache of classified documents.
Attorney General Jeff Sessions said at a news conference Thursday that Assange's arrest is a "priority." "We are going to step up our effort and already are stepping up our efforts on all leaks," he said. "This is a matter that's gone beyond anything I'm aware of. We have professionals that have been in the security business of the United States for many years that are shocked by the number of leaks and some of them are quite serious. So yes, it is a priority. We've already begun to step up our efforts and whenever a case can be made, we will seek to put some people in jail." Meanwhile, Assange's lawyer said they have "had no communication with the Department of Justice."
Security

Ambient Light Sensors Can Be Used To Steal Browser Data (bleepingcomputer.com) 37

An anonymous reader writes: "Over the past decade, ambient light sensors have become quite common in smartphones, tablets, and laptops, where they are used to detect the level of surrounding light and automatically adjust a screen's intensity to optimize battery consumption... and other stuff," reports Bleeping Computer. "The sensors have become so prevalent, that the World Wide Web Consortium (W3C) has developed a special API that allows websites (through a browser) to interact with a device's ambient light sensors. Browsers such as Chrome and Firefox have already shipped versions of this API with their products." According to two privacy and security experts, Lukasz Olejnik and Artur Janc, malicious web pages can launch attacks using this new API and collect data on users, such as URLs they visited in the past and extract QR codes displayed on the screen. This is possible because the light coming from the screen is picked up by these sensors. Mitigating such attacks is quite easy, as it only requires browser makers and the W3C to adjust the default frequency at which the sensors report their readings. Furthermore, the researchers also recommend that browser makers quantize the result by limiting the precision of the sensor output to only a few values in a preset range. The two researchers filed bug reports with both Chrome and Firefox in the hopes their recommendations will be followed.
Security

Mastercard is Building Fingerprint Scanners Directly Into Its Cards (fastcompany.com) 85

Mastercard said on Thursday it's beginning trials of its "next-generation biometric card" in South Africa. In addition to the standard chip and pin, the new cards have a built-in fingerprint reader that the user can use to authenticate every purchase. From a report: Impressively, the new card is no thicker or larger than your current credit and debit cards.
Government

President Trump Misses 90-Day Deadline To Appoint a Cybersecurity Team After Alleged Russian Hacking (politico.com) 341

From a report: President-elect Donald Trump was very clear: "I will appoint a team to give me a plan within 90 days of taking office," he said in January, after getting a U.S. intelligence assessment of Russian interference in last year's elections and promising to address cybersecurity. Thursday, Trump hits his 90-day mark. There is no team, there is no plan, and there is no clear answer from the White House on who would even be working on what. It's the latest deadline Trump's set and missed -- from the press conference he said his wife would hold last fall to answer questions about her original immigration process to the plan to defeat ISIS that he'd said would come within his first 30 days in office. Since his inauguration, Trump's issued a few tweets and promises to get to the bottom of Russian hacking -- and accusations of surveillance of Americans, himself included, by the Obama administration.
China

China To Question Apple About Live-Streaming Apps On App Store That Violate Internet Regulations (theguardian.com) 31

Three Chinese government agencies are planning to tell Apple to "tighten up checks" on live-streaming software offered on its app store, which can be used to violate internet regulation in the country. "Law enforcement officers had already met with Apple representatives over live-streaming services, [state news agency Xinhua reported], but did not provide details of the meetings," reports The Guardian. From the report: The inquiry appears to be focused on third-party apps available for download through Apple's online marketplace. The company did not respond to requests for comment. China operates the world's largest internet censorship regime, blocking a host of foreign websites including Google, Facebook, Twitter and Instagram, but the authorities have struggled to control an explosion in popularity of live-streaming video apps. As part of the inquiry into live-streaming, three Chinese websites -- toutiao.com, huoshanzhibo.com and huajiao.com -- were already found to have violated internet regulations, and had broadcast content that violated Chinese law, including providing "pornographic content," the Xinhua report said. Pornography is banned in China. The three sites were told to increase oversight of live-broadcasting services, user registration and "the handling of tips-offs." Two of the websites, huoshanzhibo.com and huajiao.com, were under formal investigation and may have their cases transferred to the police for criminal prosecutions, the Xinhua report said. Casting a wide net, the regulations state that apps cannot "engage in activities prohibited by laws and regulations such as endangering national security, disrupting social order and violating the legitimate rights and interests of others."
Communications

Microsoft's Skype Is Most Used Messaging Service For Cyber Criminals, Study Finds (securityledger.com) 57

chicksdaddy quotes a report from The Security Ledger: Cyber criminals lurk in the dark recesses of the internet, striking at random and then disappearing into the virtual ether. But when they want to talk shop with their colleagues, they turn to Redmond, Washington-based Microsoft and its Skype communications tools, according to an analysis by the firm Flashpoint. Mentions of different platforms were used as a proxy for gauging interest in and use of these messaging services. Flashpoint analysts looked, especially, for invitations to continue conversation outside of cyber criminal marketplaces, like references to ICQ accounts or other platforms. The survey results show that, out of a population of around 80 instant messenger platforms and protocols, a short list of just five platforms accounts for between 80% and 90% of all mentions within the cyber underground. Of those, Microsoft's Skype was the chat king. It ranked among the top five platforms across all language groups. That, despite the platform's lack of end-to-end encryption or forward secrecy features and evidence, courtesy of NSA hacker Edward Snowden, that U.S. spies may have snooped on Skype video calls in recent years, The Security Ledger reports. The conclusion: while security is a priority amongst thieves, it isn't the sole concern that cyber criminals and their associates have. In fact, sophisticated hacking communities like those in Russia continue to rely on legacy platforms like ICQ when provably more secure alternatives exist. The reason? Business. "These cyber criminals have a lot of different options that they're juggling and a lot of factors that weigh on their options," said Leroy Terrelonge III, the Director of Middle East and Africa Research at Flashpoint. "We might suspect that cyber criminals use the most secure means of communication all the time, that's not what our research showed."
Security

User-Made Patch Lets Owners of Next-Gen CPUs Install Updates On Windows 7 & 8.1 (bleepingcomputer.com) 218

An anonymous reader quotes a report from BleepingComputer: GitHub user Zeffy has created a patch that removes a limitation that Microsoft imposed on users of 7th generation processors, a limit that prevents users from receiving Windows updates if they still use Windows 7 and 8.1. This limitation was delivered through Windows Update KB4012218 (March 2017 Patch Tuesday) and has made many owners of Intel Kaby Lake and AMD Bristol Ridge CPUs very angry last week, as they weren't able to install any Windows updates. Microsoft's move was controversial, but the company did its due diligence, and warned customers of its intention since January 2016, giving users enough time to update to Windows 10, move to a new OS, or downgrade their CPU, if they needed to remain on Windows 7 or 8.1 for various reasons. When the April 2017 Patch Tuesday came around last week, GitHub user Zeffy finally had the chance to test four batch scripts he created in March, after the release of KB4012218. His scripts worked as intended by patching Windows DLL files, skipping the CPU version check, and delivering updates to Windows 7 and 8.1 computers running 7th generation CPUs.
Businesses

Cylance Accused of Distributing Fake Malware Samples To Customers To Close Deals (arstechnica.com) 32

New submitter nyman19 writes: Ars Technica reports how security vendor Cylance has been distributing non-functioning malware samples to prospective customers in order to "close the sale[s] by providing files that other products wouldn't detect." According to the report: "A systems engineer at a large company was evaluating security software products when he discovered something suspicious. One of the vendors [Cylance] had provided a set of malware samples to test -- 48 files in an archive stored in the vendor's Box cloud storage account. The vendor providing those samples was Cylance, the information security company behind Protect, a 'next generation' endpoint protection system built on machine learning. In testing, Protect identified all 48 of the samples as malicious, while competing products flagged most but not all of them. Curious, the engineer took a closer look at the files in question -- and found that seven weren't malware at all."
Government

Trump Administration Kills Open.Gov, Will Not Release White House Visitor Logs (techdirt.com) 268

An anonymous reader quotes a report from Techdirt: It will never be said that the Trump presidency began with a presumption of openness. His pre-election refusal to release his tax returns set a bit of precedent in that regard. The immediate post-election muffling of government agency social media accounts made the administration's opacity goals um clearer. So, in an unsurprising move, the Trump administration will be doing the opposite of the Obama administration. The American public will no longer have the privilege of keeping tabs on White House visitors. TIME reports: "The Trump Administration will not disclose logs of those who visit the White House complex, breaking with his predecessor, the White House announced Friday. White House communications director Michael Dubke said the decision to reverse the Obama-era policy was due to 'the grave national security risks and privacy concerns of the hundreds of thousands of visitors annually.' Instead, the Trump Administration is relying on a federal court ruling that most of the logs are 'presidential records' and are not subject to the Freedom of Information Act." So, to further distance himself from the people he serves (and the people who elected him), Trump and his administration have shut down the transparency portal put in place by the previous Commander-in-Chief: "White House officials said the Administration is ending the contract for Open.gov, the Obama-era site that hosted the visitor records along with staff financial disclosures, salaries, and appointments. An official said it would save $70,000 through 2020 and that the removed disclosures, salaries and appointments would be integrated into WhiteHouse.gov in the coming months."
Microsoft

Microsoft Says Previous Windows Patches Fixed Newly Leaked NSA Exploits (pcworld.com) 48

Microsoft said it has already patched vulnerabilities revealed in last week's high-profile leak of suspected U.S. National Security Agency spying tools, meaning customers should be protected if they've kept their software up-to-date. From a report: Friday's leak caused concern in the security community. The spying tools include about 20 exploits designed to hack into old versions of Windows, such as Windows XP and Windows Server 2008. However, Microsoft said several patches -- one of which was made only last month -- address the vulnerabilities. "Our engineers have investigated the disclosed exploits, and most of the exploits are already patched," the company said in a blog post late on Friday. Three of the exploits found in the leak have not been patched but do not work on platforms that Microsoft currently supports, such as Windows 7 or later and Exchange 2010 or later.
AI

Disruptive AI Bots Are Already Delivering Radical Leaps In Productivity (venturebeat.com) 56

The CTO of Textio is describing the "already happening" AI disruption that no one's noticed, arguing that voice-activated assistants are "just one small part of what AI is about -- and not the part that will matter the most for the enterprise companies that actually buy almost $4 trillion in software and services each year." An anonymous reader writes: Jensen Harris describes "the less-flashy flavor of AI that is changing the nature of work itself: headless AI...the application of artificial intelligence to vastly improve internal business processes. It is fully transforming the crucial machinery of business -- processes like hiring, lead generation, financial modeling, and information security. Legacy software has become a commodity in all of these areas, and purpose-built AI solutions will get a larger and larger wallet share of these huge enterprise cost centers."

Combining machine intelligence with learning loops, these constantly-evolving algorithms are "where the money is," since headless AI "doesn't try to replace people; it gives them superpowers" -- for example, predicting the future. Harris ultimately argues that headless AI are delivering "radical productivity leaps that they haven't seen from software in decades... In the near future, every core business function will have been transformed by AI -- hiring, sales, security, marketing, finance, manufacturing...everything... Legacy software will get squeezed down into a smaller portion of the IT wallet as the most valuable services become the native AI platforms -- just as form-based desktop software got squeezed out by the cloud in the last generation... the real enterprise revolution is happening in the companies that are using headless AI to transform their core businesses."

By comparison, he argues that many of today's bots "are kind of a hipster facade around the same basic command line interfaces consumers abandoned in the 1980," and suggests this focus on personality misses the larger significance of behind-the-scenes AI.
Security

Unpatched Magento Zero Day Leaves 200,000 Merchants Vulnerable (threatpost.com) 29

An anonymous reader quotes ThreatPost: A popular version of the open source Magento ecommerce platform is vulnerable to a zero-day remote code execution vulnerability, putting as many as 200,000 online retailers at risk... According to Bosko Stankovic, information security engineer at DefenseCode, despite repeated efforts to notify Magento, which began in November 2016, the vulnerability remains unpatched despite four version updates since the disclosure. Affected versions of the Magento Community Edition software include v. 2.1.6 and below. DefenseCode did not examine Magento Enterprise, the commercial version of the platform, but warns both share the same underlying vulnerable code... The remote code execution (RCE) vulnerability is tied to the default feature in Magento Community Edition that allows administrators to add Vimeo video content to product descriptions.
DefenseCode says the exploit can be mitigated by enforcing Magento's "Add Secret Keys To URLS" feature, warning in a paper that the hole otherwise "could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information." Magento has confirmed the exploit, says they're investigating it, and promises they'll address it in their next patch release.
Security

Remote-Access Router Exploit Finally Revealed (helpnetsecurity.com) 38

"Back in the days, Cisco fixed the vulnerability, but we are not sure about all other router vendors and models because there are too many of them," writes the DefenseCode team. Orome1 quotes a new report from Help Net Security: Back in January 2013, researchers from application security services firm DefenseCode unearthed a remote root access vulnerability in the default installation of some Cisco Linksys (now Belkin) routers. The flaw was actually found in Broadcom's UPnP implementation used in popular routers, and ultimately the researchers extended the list of vulnerable routers to encompass devices manufactured by the likes of ASUS, D-Link, Zyxel, US Robotics, TP-Link, Netgear, and others. Since there were millions of vulnerable devices out there, the researchers refrained from publishing the exploit they created for the flaw, but now, four years later, they've released their full research again, and this time they've also revealed the exploit. The researchers pointed out that most users don't update their router's firmware -- meaning many routers may still be vulnerable.
Medicine

FDA Slams St. Jude Medical For Ignoring Security Flaws In Medical Devices (securityledger.com) 30

chicksdaddy quotes a report from The Security Ledger: The U.S. Food and Drug Administration issued a letter of warning to medical device maker Abbott on Wednesday, slamming the company for what it said was a pattern of overlooking security and reliability problems in its implantable medical devices at its St. Jude Medical division and describing a range of the company's devices as "adulterated," in violation of the U.S. Federal Food, Drug and Cosmetic Act, the Security Ledger reports. In a damning warning letter, the FDA said that St. Jude Medical knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or by replacing those devices. The government found that St. Jude, time and again, failed to adhere to internal security and product quality guidelines, a lapse that resulted in at least one patient death. St. Jude Medical, which is now wholly owned by the firm Abbott, learned of serious and exploitable security holes in the company's "high voltage and peripheral devices" in an April, 2014 "third party assessment" commissioned by the company. But St. Jude "failed to accurately incorporate the findings of that assessment" in subsequent risk assessments for the affected products, including Merlin@home, a home-based wireless transmitter that is used to provide remote care for patients with implanted cardiac devices, the FDA revealed. Among the security flaws: a "hardcoded universal unlock code" for the company's implantable, high voltage devices. The report casts doubt on a defamation lawsuit St. Jude filed against the firm MedSec Holdings Ltd over its August, 2016 report that warned of widespread security flaws in St. Jude products, including Merlin@home. The MedSec report on St. Jude's technology was released in conjunction with a report by the investment firm Muddy Waters Research, which specializes in taking "short" positions on firms.
At the time, MedSec said that the security of the company's medical devices and support software was "grossly inadequate compared with other leading manufacturers," and represents "unnecessary health risks and should receive serious notice among hospitals, regulators, physicians and cardiac patients." St. Jude has called the MedSec allegations false, but it now appears that the company had heard similar warnings raised by its own third-party security auditor more than a year prior.
Security

NSA-Leaking Shadow Brokers Just Dumped Its Most Damaging Release Yet (arstechnica.com) 111

An anonymous reader quotes a report from Ars Technica: The Shadow Brokers -- the mysterious person or group that over the past eight months has leaked a gigabyte worth of the National Security Agency's weaponized software exploits -- just published its most significant release yet. Friday's dump contains potent exploits and hacking tools that target most versions of Microsoft Windows and evidence of sophisticated hacks on the SWIFT banking system of several banks across the world. Friday's release -- which came as much of the computing world was planning a long weekend to observe the Easter holiday -- contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date. One of the Windows zero-days flagged by Hickey is dubbed Eternalblue. It exploits a remote code-execution bug in the latest version of Windows 2008 R2 using the server message block and NetBT protocols. Another hacking tool known as Eternalromance contains an easy-to-use interface and "slick" code. Hickey said it exploits Windows systems over TCP ports 445 and 139. The exact cause of the bug is still being identified. Friday's release contains several tools with the word "eternal" in their name that exploit previously unknown flaws in Windows desktops and servers.
Privacy

Microsoft Says US Foreign Intelligence Surveillance Requests More Than Doubled (reuters.com) 42

Microsoft Corp says it received at least a thousand surveillance requests from the U.S. government that sought user content for foreign intelligence purposes during the first half of 2016. From a report: The amount, shared in Microsoft's biannual transparency report, was more than double what the company said it received under the Foreign Intelligence Surveillance Act (FISA) during the preceding six-month interval, and was the highest the company has listed since 2011, when it began tracking such government surveillance orders. The scope of spying authority granted to U.S. intelligence agencies under FISA has come under renewed scrutiny in recent weeks, sparked in part by evolving, unsubstantiated assertions from President Donald Trump and other Republicans that the Obama White House improperly spied on Trump and his associates.
Cellphones

Researchers Develop Master Fingerprints That Can Break Into Smartphones (digitaltrends.com) 29

Researchers at New York University and Michigan State University have recently found that the fingerprint sensor on your phone is not as safe as you think. "The team has developed a set of fake fingerprints that are digital composites of common features found in many people's fingerprints," reports Digital Trends. "Through computer simulations, they were able to achieve matches 65 percent of the time, though they estimate the scheme would be less successful in real life, on an actual phone." From the report: Nasir Memon, a computer science and engineering professor at New York University, explained the value of the study to The New York Times. Modern smartphones, tablets, and other computing devices that utilize biometric authentication typically only take snapshots of sections of a user's finger, to compose a model of one fingerprint. But the chances of faking your way into someone else's phone are much higher if there are multiple fingerprints recorded on that device. "It's as if you have 30 passwords and the attacker only has to match one," Memon said. The professor, who was one of three authors on the study, theorized that if it were possible to create a glove with five different composite fingerprints, the attacker would likely be successful with about half of their attempts. For the record, Apple reported to the Times that the chance of a false match through the iPhone's TouchID system is 1 in 50,000 with only one fingerprint recorded.
Microsoft

New Processors Are Now Blocked From Receiving Updates On Old Windows (arstechnica.com) 238

halfEvilTech writes: Last year, Microsoft announced they were planning on blocking OS updates on newer Intel CPUs, namely the 7th Generation Kaby Lake processors. Ars Technica reports: "Now, the answer appears to be 'this month.' Users of new processors running old versions of Windows are reporting that their updates are being blocked. The block means that systems using these processors are no longer receiving security updates." While Windows 7 has already ended mainstream support, the same can't be said for Windows 8.1 which is still on mainstream support until January of next year.
Network

Former Sysadmin Accused of Planting 'Time Bomb' In Company's Database (bleepingcomputer.com) 143

An anonymous reader writes: Allegro MicroSystems LLC is suing a former IT employee for sabotaging its database using a "time bomb" that deleted crucial financial data in the first week of the new fiscal year. According to court documents, after resigning from his job, a former sysadmin kept one of two laptops. On January 31, Patel entered the grounds of the Allegro headquarters in Worcester, Massachusetts, just enough to be in range of the factory's Wi-Fi network. Allegro says that Patel used the second business-use laptop to connect to the company's network using the credentials of another employee. While connected to the factory's network on January 31, Allegro claims Patel, who was one of the two people in charge of Oracle programming, uploaded a "time bomb" to the company's Oracle finance module. The code was designed to execute a few months later, on April 1, 2016, the first week of the new fiscal year, and was meant to "copy certain headers or pointers to data into a separate database table and then to purge those headers from the finance module, thereby rendering the data in the module worthless." The company says that "defendant Patel knew that his sabotage of the finance module on the first week of the new fiscal year had the maximum potential to cause Allegro to suffer damages because it would prevent Allegro from completing the prior year's fiscal year-end accounting reconciliation and financial reports."
Media

West Point Researchers Demonstrate Passive Netflix Traffic Analysis Attack (threatpost.com) 64

hypercard writes: Researchers from West Point recently presented research on a real-time passive analysis of Netflix traffic. The paper, entitled "Identifying HTTPS-Protected Netflix Videos in Real-Time" is based on research conducted by Andrew Reed, Michael Kranch and Benjamin Klimkowski. The team's technique demonstrates frighteningly accurate results based solely on information captured from TCP/IP headers. Even with the recent upgrade to HTTPS, their technique was effective at identifying the correct video with greater than 99.99 percent accuracy against their database of over 42,000 videos. "When tested against 200 random 20-minute video streams, our system identified 99.5 percent of the videos with the majority of the identifications occurring less than two and a half minutes into the video stream," the paper reads. However, there are important points to note. First, the attack described only applies to streams still using Silverlight. Additionally, an attacker would likely need significant resources and access to intercept, fingerprint and process the traffic in real time. Netflix has reacted positively to the team's research and acknowledged the issue as a known drawback to processing video streams with HTTPS.
