New R2D2 Technique Protects Files Against Wiper Malware, Secure Delete Apps ( 24

An anonymous reader writes: Purdue University scientists have developed a data protection technique called Reactive Redundancy for Data Destruction (R2D2) that can safeguard data sitting inside a virtual machine from modern data-wiping malware and even some secure file deletion methods. The technique was developed to protect enterprise systems, which are often running inside VMs.

Researchers say the new technique was successful in preventing wiper malware such as Shamoon (v1 and v2), StoneDrill, and Destover from deleting data during their experiments, but it was able to prevent data deletion attempted with legitimate "secure delete" applications. When such operations are detected, R2D2 runs each one through a series of policies that evaluate the operation for known destructive patterns. If the scan triggers a warning, the VM creates a temporary checkpoint that a human operator can use as a system restore point.


Atlanta City Government Systems Down Due To Ransomware Attack ( 30

An anonymous reader quotes a report from Ars Technica: The city of Atlanta government has apparently become the victim of a ransomware attack. The city's official Twitter account announced that the city government "is currently experiencing outages on various customer facing applications, including some that customers may use to pay bills or access court-related information." According to a report from Atlanta NBC affiliate WXIA, a city employee sent the station a screen shot of a ransomware message demanding a payment of $6,800 to unlock each computer or $51,000 to provide all the keys for affected systems. Employees received emails from the city's information technology department instructing them to unplug their computers if they noticed anything suspicious. An internal email shared with WXIA said that the internal systems affected include the city's payroll application. "At this time, our Atlanta Information Management team is working diligently with support from Microsoft to resolve the issue," a city spokesperson told Ars. "We are confident that our team of technology professionals will be able to restore applications soon." The city's primary website remains online, and the city government will continue to post updates there, the spokesperson added.

Mark Zuckerberg Apologizes For the Cambridge Analytica Scandal, Says He Isn't Opposed To Regulation ( 167

An anonymous reader quotes a report from The Verge: Mark Zuckerberg apologized on Wednesday evening for his company's handling of the Cambridge Analytica privacy scandal. "This was a major breach of trust and I'm really sorry this happened," he said in an interview on CNN. "Our responsibility now is to make sure this doesn't happen again." Zuckerberg's comments reflected the first time he apologized following an uproar over how Facebook allowed third-party developers to access user data. Earlier in the day, Zuckerberg wrote a Facebook post in which he said the company had made mistakes in its handling of the Cambridge Analytica data revelations. The company laid out a multipart plan designed to reduce the amount of data shared by users with outside developers, and said it would audit some developers who had access to large troves of data before earlier restrictions were implemented in 2014. Zuckerberg also told CNN that he is not totally opposed to regulation. "I'm not sure we shouldn't be regulated," he said. "There are things like ad transparency regulation that I would love to see."

Other highlights of Zuckerberg's interviews:
-He told multiple outlets that he would be willing to testify before Congress.
-He said the company would notify everyone whose data was improperly used.
-He told the New York Times that Facebook would double its security force this year, adding: "We'll have more than 20,000 people working on security and community operations by the end of the year, I think we have about 15,000 now."
-He told the Times that Facebook would investigate "thousands" of apps to determine whether they had abused their access to user data.

Regarding moderation, Zuckerberg told Recode: "[The] thing is like, 'Where's the line on hate speech?' I mean, who chose me to be the person that did that?" Zuckerberg said. "I guess I have to, because of where we are now, but I'd rather not."
United States

US Spending Bill Contains CLOUD Act, a Win For Tech and Law Enforcement ( 108

The 2,232 page spending bill released Wednesday by House and Senate leaders includes the Clarifying Lawful Overseas Use of Data [CLOUD] Act, which provides a legal framework for law enforcement to request data from overseas servers. The CLOUD Act currently sits high atop the wish list of tech firms, law enforcement and even foreign nations. Axios reports: The Supreme Court is currently mulling a case determining whether the Department of Justice had the right to force Microsoft to produce client emails stored on a server in Ireland without permission from Ireland's government. Microsoft fears the DOJ will force it to violate the laws of Ireland. The DOJ hopes to avoid the often years long process of abiding by treaties dealing with evidence. But both have publicly urged lawmakers to render the pending decision moot by passing the CLOUD act, a way to streamline the treaty process for requesting digital data.

The CLOUD Act provides a framework for reciprocal treaties for nations to request data from computers located within each other's borders. It also provides a mechanism for a Microsoft to take a law enforcement demand to court if it would force them to violate another country's rules. But when neither apply, law enforcement will be able to demand files in accordance with U.S. law.


Best Buy Stops Selling Huawei Smartphones ( 78

Best Buy, the nation's largest electronics big box retailer, has ceased ordering new smartphones from Huawei and will stop selling its products over the next few weeks. Best Buy didn't provide any details as to why it has severed ties with Huawei, but it may have to do with security concerns involving the Chinese government. CNET reports: The move is a critical blow to Huawei, which is the world's third-largest smartphone vendor behind Apple and Samsung but has struggled to establish any presence in the U.S. Best Buy was one of Huawei's biggest retail partners, and one of the rare places where you could physically see its phones. Huawei phones aren't sold by any U.S. carriers, where a majority of Americans typically buy their phones. Security concerns have long dogged Huawei in the U.S. In 2012, the House Intelligence Committee released a report accusing Huawei and fellow Chinese vendor ZTE of making telecommunications equipment that posed national security threats, and banned U.S. companies from buying the gear. At the time, the committee stressed that the report didn't refer to its smartphones. But that's changed over the last several months. The directors of the FBI, CIA and NSA all expressed their concerns about the risks posed by Huawei and ZTE.

A 15-Year-Old Hacked the Secure Ledger Crypto Wallet ( 66

An anonymous reader quotes a report from TechCrunch: A 15-year-old programmer named Saleem Rashid discovered a flaw in the popular Ledger hardware wallet that allowed hackers to grab secret PINs before or after the device was shipped. The holes, which Rashid described on his blog, allowed for both a "supply chain attack" -- meaning a hack that could compromise the device before it was shipped to the customer -- and another attack that could allow a hacker to steal private keys after the device was initialized. The Ledger team described the vulnerabilities dangerous but avoidable. For the "supply chain attack," they wrote: "by having physical access to the device before generation of the seed, an attacker could fool the device by injecting his seed instead of generating a new one. The most likely scenario would be a scam operation from a shady reseller." "If you bought your device from a different channel, if this is a second hand device, or if you are unsure, then you could be victim of an elaborate scam. However, as no demonstration of the attack in the real has been shown, it is very unlikely. In both cases, a successful firmware update is the proof that your device has never been compromised," wrote the team.

Further, the post-purchase hack "can be achieved only by having physical access to the device, knowing your PIN code and installing a rogue unsigned application. This rogue app could break isolation between apps and access sensitive data managed by specific apps such as GPG, U2F or Neo." Ledger CEO Eric Larcheveque claimed that there were no reports of the vulnerability effecting any active devices. "No one was compromised that we know of," he said. "We have no knowledge that any device was affected." Rashid, for his part, was disappointed with the speed Ledger responded to his claims.


Kaspersky Lab Plans Swiss Data Center To Combat Spying Allegations, Report Says ( 46

An anonymous reader shares a report: Moscow-based Kaspersky Lab plans to open a data center in Switzerland to address Western government concerns that Russia exploits its anti-virus software to spy on customers, according to internal documents seen by Reuters. Kaspersky is setting up the center in response to actions in the United States, Britain and Lithuania last year to stop using the company's products, according to the documents, which were confirmed by a person with direct knowledge of the matter. The action is the latest effort by Kaspersky, a global leader in anti-virus software, to parry accusations by the U.S. government and others that the company spies on customers at the behest of Russian intelligence.

AMD Says Patches Coming Soon For Chip Vulnerabilities ( 84

wiredmikey writes: After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) says patches are coming to address several security flaws in its chips. In its first public update after the surprise disclosure of the vulnerabilities by Israeli-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

AMD said that patches will be released through BIOS updates to address the flaws, which have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA. The company said that no performance impact is expected for any of the forthcoming mitigations.


Telegram Loses Supreme Court Appeal In Russia, Must Hand Over Encryption Keys ( 216

Telegram has lost a bid before Russia's Supreme Court to block security services from getting access to users' data, giving President Vladimir Putin a victory in his effort to keep tabs on electronic communications. Bloomberg reports: Supreme Court Judge Alla Nazarova on Tuesday rejected Telegram's appeal against the Federal Security Service, the successor to the KGB spy agency which last year asked the company to share its encryption keys. Telegram declined to comply and was hit with a fine of $14,000. Communications regulator Roskomnadzor said Telegram now has 15 days to provide the encryption keys. Telegram, which is in the middle of an initial coin offering of as much as $2.55 billion, plans to appeal the ruling in a process that may last into the summer, according to the company's lawyer, Ramil Akhmetgaliev. Any decision to block the service would require a separate court ruling, the lawyer said.

Putin signed laws in 2016 on fighting terrorism, which included a requirement for messaging services to provide the authorities with means to decrypt user correspondence. Telegram challenged an auxiliary order by the Federal Security Service, claiming that the procedure doesn't involve a court order and breaches constitutional rights for privacy, according to documents. The security agency, known as the FSB, argued in court that obtaining the encryption keys doesn't violate users' privacy because the keys by themselves aren't considered information of restricted access. Collecting data on particular suspects using the encryption would still require a court order, the agency said.


Orbitz Says Legacy Travel Site Likely Hacked, Affecting 880,000 Credit Cards ( 29

hyperclocker shares a report from U.S. News & World Report: Orbitz says a legacy travel booking platform may have been hacked, possibly exposing the personal information of people that made certain purchases between January 1, 2016 and December 22, 2017. Orbitz said Tuesday about 880,000 payment cards were impacted. Data that was likely exposed includes name, payment card information, date of birth, phone number, email address, physical and/or billing address and gender. The company said evidence suggests an attacker may have accessed information stored on the platform -- which was for both consumers and business partners -- between Oct. 1, 2017 and Dec. 22, 2017. "Orbitz said it worked with a forensic investigation firm, cybersecurity experts, and law enforcement once the breach was discovered in order to 'eliminate and prevent unauthorized access to the platform,'" reports The Verge. "The company also notes that its current site,, wasn't affected. It is notifying customers who may have been impacted and is offering a year of free credit monitoring."

The NSA Worked To 'Track Down' Bitcoin Users, Snowden Documents Reveal ( 60

An anonymous reader shares a report: Classified documents provided by the whistleblower Edward Snowden show the National Security Agency worked urgently to target Bitcoin users around the world -- and wielded at least one mysterious source of information to "help track down senders and receivers of Bitcoins," according to a top-secret passage in an internal NSA report dating to March 2013. The data source appears to have leveraged NSA's ability to harvest and analyze raw, global internet traffic while also exploiting an unnamed software program that purported to offer anonymity to users, according to other documents.

Although the agency was interested in surveilling some competing cryptocurrencies, "Bitcoin is #1 priority," a March 15, 2013 internal NSA report stated. The documents indicate that "tracking down" Bitcoin users went well beyond closely examining Bitcoin's public transaction ledger, known as the Blockchain, where users are typically referred to through anonymous identifiers; the tracking may also have involved gathering intimate details of these users' computers. The NSA collected some Bitcoin users' password information, internet activity, and a type of unique device identification number known as a MAC address, a March 29, 2013 NSA memo suggested. In the same document, analysts also discussed tracking internet users' internet addresses, network ports, and timestamps to identify "BITCOIN Targets."


Facebook Security Chief Said To Leave After Clashes Over Disinformation ( 45

Facebook's chief information security officer, Alex Stamos, will leave the company after internal disagreements over how the social network should deal with its role in spreading disinformation. The New York Times reports (Warning: source may be paywalled; alternative source): Mr. Stamos had been a strong advocate inside the company for investigating and disclosing Russian activity on Facebook, often to the consternation of other top executives, including Sheryl Sandberg, the social network's chief operating officer, according to the current and former employees, who asked not to be identified discussing internal matters. After his day-to-day responsibilities were reassigned to others in December, Mr. Stamos said he would leave the company. He was persuaded to stay through August to oversee the transition of his duties because executives thought his departure would look bad, the current and former employees said. He has been overseeing the transfer of his security team to Facebook's product and infrastructure divisions. His group, which once had 120 people, now has three, the current and former employees said. Mr. Stamos would be the first high-ranking employee to leave Facebook since controversy erupted over disinformation on its site. His departure is a sign of heightened leadership tensions at the company.

Hackers Are So Fed Up With Twitter Bots They're Hunting Them Down Themselves ( 45

An anonymous reader writes: Even if Twitter hasn't invested much in anti-bot software, some of its most technically proficient users have. They're writing and refining code that can use Twitter's public application programming interface, or API, as well as Google and other online interfaces, to ferret out fake accounts and bad actors. The effort, at least among the researchers I spoke with, has begun with hunting bots designed to promote pornographic material -- a type of fake account that is particularly easy to spot -- but the plan is to eventually broaden the hunt to other types of bots. The bot-hunting programming and research has been a strictly volunteer, part-time endeavor, but the efforts have collectively identified tens of thousands of fake accounts, underlining just how much low-hanging fruit remains for Twitter to prune.

Among the part-time bot-hunters is French security researcher and freelance Android developer Baptiste Robert, who in February of this year noticed that Twitter accounts with profile photos of scantily clad women were liking his tweets or following him on Twitter. Aside from the sexually suggestive images, the bots had similarities. Not only did these Twitter accounts typically include profile photos of adult actresses, but they also had similar bios, followed similar accounts, liked more tweets than they retweeted, had fewer than 1,000 followers, and directed readers to click the link in their bios.


When China Hoards Its Hackers Everyone Loses ( 89

An anonymous reader shares a report: For over a decade Pwn2Own -- happening this week -- has brought together security talent from across the globe in a friendly hacking competition that is a cornerstone of research and advancement on par with Black Hat and Def Con. China's hackers routinely win, sweeping the board -- notably, the Tencent and Keen teams. Pwn2Own is good-natured, and all in the name of researchers finding big bugs, nabbing great bounties and drawing attention to security holes and zero-days that need to be fixed. But this year, according to Pwn2Own manager Brian Gorenc, China is no longer allowing its researchers to compete. Prior to the start of Pwn2Own this week, Gorenc told press "There have been regulatory changes in some countries that no longer allow participation in global exploit contests, such as Pwn2Own and Capture the Flag competitions."

One thing's for certain: yearly champions Tencent's Keen Labs and Qihoo 360's 360Vulcan team are nowhere to be found and Trend Micro, the conference organizer, has confirmed to Engadget that there are no Chinese competitors in this year's competition. [...] It's a worrying development in the direction of isolationism and away from the benefits of competition in the spirit of improving security for all. It comes at a time when relations between the US and China strain under the weight of Huawei security concerns, which are not at all new, but are certainly coming to a head as American companies sever business ties with the firm.


Firefox Master Password System Has Been Poorly Secured for the Past 9 Years, Researcher Says ( 74

Catalin Cimpanu, writing for BleepingComputer: For at past nine years, Mozilla has been using an insufficiently strong encryption mechanism for the "master password" feature. Both Firefox and Thunderbird allow users to set up a "master password" through their settings panel. This master password plays the role of an encryption key that is used to encrypt each password string the user saves in his browser or email client. Experts have lauded the feature because up until that point browsers would store passwords locally in cleartext, leaving them vulnerable to malware or attackers with physical access to a victim's computer. But Wladimir Palant, the author of the AdBlock Plus extension, says the encryption scheme used by the master password feature is weak and can be easily brute-forced. "I looked into the source code," Palant says, "I eventually found the sftkdb_passwordToKey() function that converts a [website] password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password."

Are Google and Facebook Surveilling Their Own Employees? ( 106

The Guardian just ran an article titled " 'They'll squash you like a bug': how Silicon Valley keeps a lid on leakers," which begins with the story of an employee confronted by Facebook's secretive "rat-catching" team: They had records of a screenshot he'd taken, links he had clicked or hovered over, and they strongly indicated they had accessed chats between him and the journalist, dating back to before he joined the company. "It's horrifying how much they know," he told the Guardian, on the condition of anonymity... "You get on their bad side and all of a sudden you are face to face with Mark Zuckerberg's secret police"... One European Facebook content moderator signed a contract, seen by the Guardian, which granted the company the right to monitor and record his social media activities, including his personal Facebook account, as well as emails, phone calls and internet use. He also agreed to random personal searches of his belongings including bags, briefcases and car while on company premises. Refusal to allow such searches would be treated as gross misconduct...

Some employees switch their phones off or hide them out of fear that their location is being tracked. One current Facebook employee who recently spoke to Wired asked the reporter to turn off his phone so the company would have a harder time tracking if it had been near the phones of anyone from Facebook. Two security researchers confirmed that this would be technically simple for Facebook to do if both people had the Facebook app on their phone and location services switched on. Even if location services aren't switched on, Facebook can infer someone's location from wifi access points.

The article cites a 2012 report that Microsoft read a French blogger's Hotmail account to identify a former employee who had leaked trade secrets. And it also reports that tech companies hire external agencies to surveil their employees. "One such firm, Pinkerton, counts Google and Facebook among its clients." Though Facebook and Google both deny this, "Among other services, Pinkerton offers to send investigators to coffee shops or restaurants near a company's campus to eavesdrop on employees' conversations...

Al Gidari, consulting director of privacy at the Stanford Center for Internet and Society, says that these tools "are common, widespread, intrusive and legal."

1 in 3 Michigan Workers Tested Opened A Password-Phishing Email ( 118

An anonymous reader quotes the AP: Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password. The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer network, including that not all workers are required to participate in cybersecurity awareness training... Auditors made 14 findings, including five that are "material" -- the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network. "Unauthorized devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.

Facial Scanning Now Arriving At US Airports ( 79

According to a report via NPR, a Geneva-based company called SITA that develops information technology for the world's airlines has installed facial scanning cameras at Orlando International Airport. "Britain-bound passengers -- some wearing Mickey Mouse T-shirts and other Disney paraphernalia -- lined up at Gate 80 recently for the evening British Airways flight to London's Gatwick Airport," reports NPR. "It looks like any other airport departure area, except for the two small gates with what look like small boxes on posts next to them. Those boxes are actually cameras." From the report: Sherry Stein, a senior manager at SITA, says the cameras are triggered when passengers step onto designated footprints. "We collect a photo, send it to CBP, who checks to make sure that person is booked on the manifest and matches the photo that they already have on file." If everything matches, Stein says, "we open the doors and give them the OK to board." All that happens, she says, "in three to five seconds." If things don't match, the traveler's passport is scanned manually by a gate agent. CBP is testing biometric scanning at a dozen or so U.S. international airports to ensure that people leaving the country are who they say they are, and to prevent visa overstays. The Transportation Security Administration, another agency within the Department of Homeland Security, is testing similar devices at security check-in lines.

Hacker Adrian Lamo Dies At 37 ( 136

Adrian Lamo, a well-known hacker known for his involvement in passing information on whistleblower Chelsea Manning and hacking into systems at The New York Times, Microsoft, and Yahoo in the early-2000s, has died at 37. ZDNet reports: His father, Mario, posted a brief tribute to his son in a Facebook group on Friday. "With great sadness and a broken heart I have to let know all of Adrian's friends and acquittances that he is dead. A bright mind and compassionate soul is gone, he was my beloved son," he wrote. The coroner for Sedgwick County, where Lamo lived, confirmed his death, but provided no further details. Circumstances surrounding Lamo's death are not immediately known. A neighbor who found his body said he had been dead for some time.

Android Is Now as Safe as the Competition, Google Says ( 113

In an interview with CNET, David Kleidermacher, Google's head of security for Android, Google Play and Chrome OS, said Android is now as safe as the competition. From the interview: That's a big claim, considering that Android's main competitor is Apple's iPhone. This bold idea permeates the annual Android Security Report that Google released Thursday. "Android security made a significant leap forward in 2017 and many of our protections now lead the industry," the report says on page one. Echoing the report, Kleidermacher told CNET that Android flaws have become harder for researchers to find and that the software now protects users from malicious software so well the problems that used to leave users exposed to bad actors aren't such a big problem anymore.

Slashdot Top Deals