Security

Author of BrickerBot Malware Retires, Says He Bricked 10 Million IoT Devices (bleepingcomputer.com) 148

An anonymous reader writes: The author of BrickerBot -- the malware that bricks IoT devices -- has announced his retirement in an email to Bleeping Computer, also claiming to have bricked over 10 million devices since he started the "Internet Chemotherapy" project in November 2016. Similar to the authors of the Mirai malware, the BrickerBot developer dumped his malware's source code online, allowing other crooks to profit from his code. The code is said to contain at least one zero-day. In a farewell message left on hundreds of hacked routers, the BrickerBot author also published a list of incidents (ISP downtimes) he caused, while also admitting he is likely to have drawn the attention of law enforcement agencies. "There's also only so long that I can keep doing something like this before the government types are able to correlate my likely network routes (I have already been active for far too long to remain safe). For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am," the hacker said.
Cloud

Trump Administration Calls For Government IT To Adopt Cloud Services (reuters.com) 207

According to Reuters, The White House said Wednesday the U.S. government needs a major overhaul of information technology systems and should take steps to better protect data and accelerate efforts to use cloud-based technology. The report outlined a timeline over the next year for IT reforms and a detailed implementation plan. One unnamed cloud-based email provider has agreed to assist in keeping track of government spending on cloud-based email migration. From the report: The report said the federal government must eliminate barriers to using commercial cloud-based technology. "Federal agencies must consolidate their IT investments and place more trust in services and infrastructure operated by others," the report found. Government agencies often pay dramatically different prices for the same IT item, the report said, sometimes three or four times as much. A 2016 U.S. Government Accountability Office report estimated the U.S. government spends more than $80 billion on IT annually but said spending has fallen by $7.3 billion since 2010. In 2015, there were at least 7,000 separate IT investments by the U.S. government. The $80 billion figure does not include Defense Department classified IT systems and 58 independent executive branch agencies, including the Central Intelligence Agency. The GAO report found some agencies are using systems that have components that are at least 50 years old.
Open Source

Avast Launches Open-Source Decompiler For Machine Code (techspot.com) 113

Greg Synek reports via TechSpot: To help with the reverse engineering of malware, Avast has released an open-source version of its machine-code decompiler, RetDec, that has been under development for over seven years. RetDec supports a variety of architectures aside from those used on traditional desktops including ARM, PIC32, PowerPC and MIPS. As Internet of Things devices proliferate throughout our homes and inside private businesses, being able to effectively analyze the code running on all of these new devices becomes a necessity to ensure security. In addition to the open-source version found on GitHub, RetDec is also being provided as a web service.

Simply upload a supported executable or machine code and get a reasonably rebuilt version of the source code. It is not possible to retrieve the exact original code of any executable compiled to machine code but obtaining a working or almost working copy of equivalent code can greatly expedite the reverse engineering of software. For any curious developers out there, a REST API is also provided to allow third-party applications to use the decompilation service. A plugin for IDA disassembler is also available for those experienced with decompiling software.

Security

Maker of Sneaky Mac Adware Sends Security Researcher Cease-and-Desist Letters (zdnet.com) 86

Zack Whittaker, writing for ZDNet: The maker of a sneaky adware that hijacks a user's browser to serve ads is back with a new, more advanced version -- one that can gain root privileges and spy on the user's activities. News of the updated adware dropped Tuesday in a lengthy write-up by Amit Serper, principal security researcher at Cybereason. The adware, dubbed OSX.Pirrit, is still highly active, infecting tens of thousands of Macs, according to Serper, who has tracked the malware and its different versions for over a year. Serper's detailed write-up is well worth the read. [...] TargetingEdge sent cease-and-desist letters to try to prevent Serper from publishing his research. "We've received several letters over the past two weeks," Serper told ZDNet. "We decided to publish anyway because we're sick of shady 'adware' companies and their threats."
Botnet

Mirai IoT Botnet Co-Authors Plead Guilty (krebsonsecurity.com) 33

Three hackers responsible for creating the massive Mirai botnet that knocked large swathes of the internet offline last year have pleaded guilty. Brian Krebs reports: The U.S. Justice Department on Tuesday unsealed the guilty pleas of two men (Editor's note: three men) first identified in January 2017 by KrebsOnSecurity as the likely co-authors of Mirai, a malware strain that remotely enslaves so-called "Internet of Things" devices such as security cameras, routers, and digital video recorders for use in large scale attacks designed to knock Web sites and entire networks offline (including multiple major attacks against this site). Entering guilty pleas for their roles in developing and using Mirai are 21-year-old Paras Jha from Fanwood, N.J. and Josiah White, 20, from Washington, Pennsylvania. Jha and White were co-founders of Protraf Solutions LLC, a company that specialized in mitigating large-scale DDoS attacks. Like firemen getting paid to put out the fires they started, Jha and White would target organizations with DDoS attacks and then either extort them for money to call off the attacks, or try to sell those companies services they claimed could uniquely help fend off the attacks. Editor's note: The story was updated to note that three men have pleaded guilty. -- not two as described in some reports.
Businesses

Net Neutrality Protests Move Online, Yet Big Tech Is Quiet (nytimes.com) 71

The New York Times: Protests to preserve net neutrality, or rules that ensure equal access to the internet, migrated online on Tuesday, with numerous online companies posting calls on their sites for action to stop a vote later this week. Reddit, Etsy and Kickstarter were among the sites warning that the proposal at the Federal Communications Commission to roll back so-called net neutrality rules would fundamentally change the way the internet is experienced. Kickstarter, the crowdfunding site, cleared its entire home screen for a sparse white screen reading "Defend Net Neutrality" in large letters. Reddit, the popular online message board, pushed in multiple ways on its site for keeping the rules, including a pop-up box on its home screen. But the online protests also highlighted how the biggest tech companies, such as Facebook and Google, have taken a back seat in the debate about protecting net neutrality (Editor's note: the link may be paywalled; syndicated source), rules that prohibit internet service providers like AT&T and Comcast from blocking or slowing sites or for charging people or companies for faster speeds of particular sites. For the most part, the large tech companies did not engage in the protest on Tuesday. In the past, the companies have played a leading role in supporting the rules.
Businesses

No Matter What Happens With Net Neutrality, an Open Internet Isn't Going Anywhere, Says Former FCC Chairman (recode.net) 176

Michael K. Powell, a former chairman of the Federal Communications Commission, writing for Recode: With an ounce of reflection, one knows that none of this will come to pass, and the imagined doom will join the failed catastrophic predictions of Y2K and massive snow storms that fizzle to mere dustings -- all too common in Washington, D.C. Sadly, rational debate, like Elvis, has left the building. The vibrant and open internet that Americans cherish isn't going anywhere. In the days, weeks and years following this vote, Americans will be merrily shopping online for the holidays, posting pictures on Instagram, vigorously voicing political views on Facebook and asking Alexa the score of the game. Startups and small business will continue to hatch and flourish, and students will be online, studiously taking courses. Time will prove that the FCC did not destroy the internet, and our digital lives will go on just as they have for years. This confidence rests on the fact that ISPs highly value the open internet and the principles of net neutrality, much more than some animated activists would have you think. Why? For one, because it's a better way of making money than a closed internet.
AI

What Does Artificial Intelligence Actually Mean? (qz.com) 130

An anonymous reader writes: A new bill (pdf) drafted by senator Maria Cantwell asks the Department of Commerce to establish a committee on artificial intelligence to advise the federal government on how AI should be implemented and regulated. Passing of the bill would trigger a process in which the secretary of commerce would be required to release guidelines for legislation of AI within a year and a half. As with any legislation, the proposed bill defines key terms. In this, we have a look at how the federal government might one day classify artificial intelligence. Here are the five definitions given:

A) Any artificial systems that perform tasks under varying and unpredictable circumstances, without significant human oversight, or that can learn from their experience and improve their performance. Such systems may be developed in computer software, physical hardware, or other contexts not yet contemplated. They may solve tasks requiring human-like perception, cognition, planning, learning, communication, or physical action. In general, the more human-like the system within the context of its tasks, the more it can be said to use artificial intelligence.
B) Systems that think like humans, such as cognitive architectures and neural networks.
C) Systems that act like humans, such as systems that can pass the Turing test or other comparable test via natural language processing, knowledge representation, automated reasoning, and learning.
D) A set of techniques, including machine learning, that seek to approximate some cognitive task.
E) Systems that act rationally, such as intelligent software agents and embodied robots that achieve goals via perception, planning, reasoning, learning, communicating, decision-making, and acting.

Government

Trump Signs Law Forcing Drone Users To Register With Government (thehill.com) 468

President Trump signed a sweeping defense policy bill into law on Tuesday that will allow the government to require recreational drone users to register their model aircraft. This comes after a federal court ruled in May that Americans no longer have to register non-commercial drones with the Federal Aviation Administration (FAA) "because Congress had said in a previous law that the FAA can't regulate model aircraft," reports The Hill. From the report: In December 2015, the FAA issued an interim rule requiring drone hobbyists to register their recreational aircraft with the agency. The rule -- which had not been formally finalized -- requires model aircraft owners to provide their name, email address and physical address; pay a $5 registration fee; and display a unique drone ID number at all times. Those who fail to comply could face civil and criminal penalties. While Congress directed the FAA to safely integrate drones into the national airspace in a 2012 aviation law, lawmakers also included a special exemption to prevent model aircraft from being regulated. A D.C.-based appeals court cited the 2012 law in its ruling striking down the FAA drone registry, arguing that recreational drones count as model aircraft and that the registry counts as a rule or regulation.
Databases

Searchable Database of 1.4 Billion Stolen Credentials Found On Dark Web (itworldcanada.com) 72

YVRGeek shares a report from IT World Canada: A security vendor has discovered a huge list of easily searchable stolen credentials in cleartext on the dark web, which it fears could lead to a new wave of cyber attacks. Julio Casal, co-founder of identity threat intelligence provider 4iQ, which has offices in California and Spain, said in a Dec. 8 blog his firm found the database of 1.4 billion username and password pairs while scanning the dark web for stolen, leaked or lost data. He said the company has verified at least a group of credentials are legitimate. What is alarming is the file is what he calls "an aggregated, interactive database that allows for fast (one second response) searches and new breach imports." For example, searching for "admin," "administrator" and "root" returned 226,631 passwords of admin users in a few seconds. As a result, the database can help attackers automate account hijacking or account takeover. The dump file was 41GB in size and was found on December 5th in an underground community forum. The total amount of credentials is 1,400,553,869.
Bitcoin

SEC Shuts Down Munchee ICO (techcrunch.com) 43

The Securities and Exchange Commission has shut down Munchee, a company that built a $15 million token sale. According to TechCrunch, "The Munchee ICO aimed to fund the MUN coin, a payment system for restaurant reviews." However, the company "received a cease and desist from the SEC on December 11" because it constituted the offer and sale of unregistered securities. From the report: Within the SECs findings they noted that Munchee touted itself as a "utility" token which means that the company believed the MUN token would be primarily used within the Munchee ecosystem and not be used to fund operations. However, thanks to an application of the Howey Test (a Supreme Court finding that essentially states that any instrument with the expectation of return is an investment vehicle), the SEC found the Munchee was actually releasing a security masquerading as a utility. "Munchee offered MUN tokens in order to raise capital to build a profitable enterprise," read the SEC notice. "Munchee said that it would use the offering proceeds to run its business, including hiring people to develop its product, promoting the Munchee App, and ensuring 'the smooth operation of the MUN token ecosystem.'" The stickiest part? Munchee claimed that its coins would increase in value thanks to a convoluted process of growth.

In short, Munchee was undone by two things: depending on the token sale as a vehicle to raise cash for operations and using the typically spammy and scammy marketing efforts most ICO floggers use now, tactics taken directly from affiliate marketing handbooks. Fortunately, Munchee was able to return all $15 million to the 40 investors that dumped their coins into scheme.

Businesses

Why Google and Amazon Are Hypocrites (om.blog) 245

Amazon earlier this month responded to Google's decision to remove YouTube from all Fire TV products and the Echo Show. Google says it's taking this extreme step because of Amazon's recent delisting of new Nest products (like Nest Secure and the E Thermostat) and the company's long-running refusal to sell Chromecast or support Google Cast in any capacity. Veteran journalist Om Malik writes: This smacks of so much hypocrisy that I don't even know where to start. The two public proponents of network neutrality and anything but neutral about each other's services on each other's platforms. They can complain about the cable companies from blocking their content and charging for fast lanes. The irony isn't lost on me even a wee bit. They are locked in a battle to collect as much data about us -- what we shop, what we see, what we do online and they do so under the guise of offering us services that are amazing and wonderful. They don't talk about what they won't do with our data, instead, they bicker and distract. So to think that these purveyors of hyper-capitalism will fight for interests of consumers is not only childish, it is foolish. We as end customers need to figure out who is speaking on our behalf when it comes to the rules of the Internet.
The Internet

129 Million Americans Can Only Get Internet Service From Companies That Have Violated Net Neutrality (vice.com) 143

An anonymous reader quotes a report from Motherboard: Based on the Federal Communications Commission's own data, the Institute for Local Self Reliance found that 129 million Americans only have one option for broadband internet service in their area, which equals about 40 percent of the country. Of those who only have one option, roughly 50 million are limited to a company that has violated net neutrality in some way. Of Americans who do have more than one option, 50 million of them are left choosing between two companies that have both got shady behavior on their records, from blocking certain access to actively campaigning against net neutrality.

Aside from being a non-ideal situation for consumers like me, this lack of competition is another dock against the FCC's plan to repeal net neutrality rules later this week. In arguing against net neutrality rules, FCC Chairman Ajit Pai has repeatedly cited a free market as just as capable of ensuring internet freedom as government regulations. "All we are simply doing is putting engineers and entrepreneurs, instead of bureaucrats and lawyers, back in charge of the internet," Pai said on Fox News's "Fox & Friends," in November. "What we wanted to do is return to the free market consensus that started in the Clinton administration and that served the internet economy in America very well for many years." But how can market competition regulate an industry when more than a third of the market has no competition at all, and even those that do have to choose between options that don't uphold net neutrality?

Education

France To Ban Mobile Phones In Schools (theguardian.com) 191

The French government is planning to ban students from using mobile phones in the country's primary, junior and middle schools. While children will be permitted to bring their phones to school, they will not be allowed to get them out at any time until they leave, even during breaks. The Guardian reports: Jean-Michel Blanquer, the French education minister, said the measure would come into effect from the start of the next school year in September 2018. It will apply to all pupils from the time they start school at age of six -- up to about 15 when they start secondary school. Blanquer said some education establishments already prohibited pupils from using their mobiles. "Sometimes you need a mobile for teaching reasons [...] for urgent situations, but their use has to be somehow controlled," he told RTL radio. The minister said the ban was also a "public health message to families," adding: "It's good that children are not too often, or even at all, in front of a screen before the age of seven." The French headteachers' union was skeptical that the ban could be enforced.
NASA

President Trump Is Sending NASA Back To The Moon (npr.org) 307

President Trump has formally told NASA to send U.S. astronauts back to the moon. From a report: "The directive I'm signing today will refocus America's space program on human exploration and discovery," he said. Standing at the president's side as he signed "Space Policy Directive 1" on Monday was Apollo 17 astronaut Harrison Schmitt, one of the last two humans to ever walk on the moon, in a mission that took place 45 years ago this week. Since that time, no human has ventured out beyond low-Earth orbit. NASA doesn't even have its own space vehicle, having retired the space shuttles in 2011. Americans currently ride up to the international space station in Russian capsules, though private space taxis are expected to start ferrying them up as soon as next year.
Privacy

How Email Open Tracking Quietly Took Over the Web (wired.com) 116

Brian Merchant, writing for Wired: There are some 269 billion emails sent and received daily. That's roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an "email intelligence" company that also builds anti-tracking tools. The tech is pretty simple. Tracking clients embed a line of code in the body of an email -- usually in a 1x1 pixel image, so tiny it's invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online. But lately, a surprising -- and growing -- number of tracked emails are being sent not from corporations, but acquaintances. "We have been in touch with users that were tracked by their spouses, business partners, competitors," says Florian Seroussi, the founder of OMC. "It's the wild, wild west out there." According to OMC's data, a full 19 percent of all "conversational" email is now tracked. That's one in five of the emails you get from your friends. And you probably never noticed.
China

German Intelligence Warns of Increased Chinese Cyberspying (apnews.com) 75

The head of Germany's domestic intelligence agency has warned that China allegedly is using social networks to try to cultivate lawmakers and other officials as sources. From a report: Hans-Georg Maassen said his agency, known by its German acronym BfV, believes more than 10,000 Germans have been targeted by Chinese intelligence agents posing as consultants, headhunters or researchers, primarily on the social networking site LinkedIn. "This is a broad-based attempt to infiltrate in particular parliaments, ministries and government agencies," Maassen said.
HP

HP Laptops Found To Have Hidden Keylogger (bbc.com) 114

Hidden software that can record every letter typed on a computer keyboard has been discovered pre-installed on hundreds of HP laptop models, BBC reported on Monday citing the findings of a security researcher. From the report: Security researcher Michael Myng found the keylogging code in software drivers preinstalled on HP laptops to make the keyboard work. HP said more than 460 models of laptop were affected by the "potential security vulnerability." It has issued a software patch for its customers to remove the keylogger. The issue affects laptops in the EliteBook, ProBook, Pavilion and Envy ranges, among others. HP has issued a full list of affected devices, dating back to 2012. Mr Myng discovered the keylogger while inspecting Synaptics Touchpad software, to figure out how to control the keyboard backlight on an HP laptop. He said the keylogger was disabled by default, but an attacker with access to the computer could have enabled it to record what a user was typing. According to HP, it was originally built into the Synaptics software to help debug errors. It acknowledged that could lead to "loss of confidentiality" but it said neither Synaptics nor HP had access to customer data as a result of the flaw.
United States

FCC Refuses Records For Investigation Into Fake Net Neutrality Comments (variety.com) 164

"FCC general counsel Tom Johnson has told the New York State attorney general that the FCC is not providing information for his investigation into fake net-neutrality comments, saying those comments did not affect the review, and challenging the state's ability to investigate the feds." Variety has more: The FCC's general counsel, in a letter to New York Attorney General Eric Schneiderman, also dismissed his concerns that the volume of fake comments or those made with stolen identities have "corrupted" the rule-making process... He added that Schneiderman's request for logs of IP addresses would be "unduly burdensome" to the commission, and would "raise significant personal privacy concerns."

Amy Spitalnick, Schneiderman's press secretary, said in a statement that the FCC "made clear that it will continue to obstruct a law enforcement investigation. It's easy for the FCC to claim that there's no problem with the process, when they're hiding the very information that would allow us to determine if there was a problem. To be clear, impersonation is a violation of New York law," she said... "The only privacy jeopardized by the FCC's continued obstruction of this investigation is that of the perpetrators who impersonated real Americans."

One of the FCC's Democratic commissioners claimed that this response "shows the FCC's sheer contempt for public input and unreasonable failure to support integrity in its process... Moreover, the FCC refuses to look into how nearly half a million comments came from Russian sources."
Security

Touting Government/Industry 'Partnership' on Security Practices, NIST Drafts Cybersecurity Framework Update (scmagazine.com) 15

Remember NIST, the non-regulatory agency of the U.S. Department of Commerce? Their mission expanded over the years to protecting businesses from cyberthreats, including a "Cybersecurty Framework" first published in 2014. "The original goal was to develop a voluntary framework to help organizations manage cybersecurity risk in the nation's critical infrastructure, such as bridges and the electric power grid," NIST wrote in January, "but the framework has been widely adopted by many types of organizations across the country and around the world." Now SC Media reports: The second draft of the update to the National Institute of Standards and Technology's cybersecurity framework, NIST 1.1, is meant "to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use," according to NIST. Specifically, it brings clarity to cybersecurity measurement language and tackles improving security of the supply chain. Calling the initial NIST CSF "a landmark effort" that delivered "important benefits, such as providing common language for different models" of standards and best practices already in use, Larry Clinton, president and CEO of the Internet Security Alliance, said "it fell short of some of the most critical demands of Presidential Executive Order 13636, which generated its development...

"To begin with, the new draft makes it clear that our goal is not some undefined metric for use of the Framework, but for effective use of the Framework. Moreover, this use-metric needs to be tied not to some generic standard, but to be calibrated to the unique threat picture, risk appetite and business objective of a particular organization"... Clinton praised the process used by NIST as "a model 'use case' for how government needs to engage with its industry partners to address the cybersecurity issue." The internet's inherent interconnectedness makes it impossible for sustainable security to be achieved through anything other than true partnership, he contended.

Slashdot reader Presto Vivace reminds you that public comments on the draft Framework and Roadmap are due to NIST by 11:59 p.m. EST on January 19, 2018. "If you have an opinion about this, NOW is the time to express it."

Slashdot Top Deals