Linux

Linux Kernel 4.10 Officially Released With Virtual GPU Support (softpedia.com) 78

"Linus Torvalds announced today the general availability of the Linux 4.10 kernel series, which add a great number of improvements, new security features, and support for the newest hardware components," writes Softpedia. prisoninmate quotes their report: Linux kernel 4.10 has been in development for the past seven weeks, during which it received a total of seven Release Candidate snapshots that implemented all the changes that you'll soon be able to enjoy on your favorite Linux-based operating system... Prominent new features include virtual GPU (Graphics Processing Unit) support, new "perf c2c" tool that can be used for analysis of cacheline contention on NUMA systems, support for the L2/L3 caches of Intel processors (Intel Cache Allocation Technology), eBPF hooks for cgroups, hybrid block polling, and better writeback management. A new "perf sched timehist" feature has been added in Linux kernel 4.10 to provide detailed history of task scheduling, and there's experimental writeback cache and FAILFAST support for MD RAID5... Ubuntu 17.04 (Zesty Zapus) could be the first stable OS to ship with Linux 4.10.
It required 13,000 commits, plus over 1,200 merges, Linus wrote in the announcement, adding "On the whole, 4.10 didn't end up as small as it initially looked."
Bug

Google Discloses An Unpatched Windows Bug (Again) (bleepingcomputer.com) 113

An anonymous reader writes: "For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement," reports BleepingComputer. "The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll)..." According to Google, the issue allows an attacker to read the content of the user's memory using malicious EMF files. The bad news is that the EMF file can be hidden in other documents, such as DOCX, and can be exploited via Office, IE, or Office Online, among many.

"According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016, and fixed in June 2016, via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported continued to remain vulnerable." He later resubmitted the bugs in November 2016. The 90-days deadline for fixing the bugs expired last week, and the Google researcher disclosed the bug to the public after Microsoft delayed February's security updates to next month's Patch Tuesday, for March 15.

Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".
Privacy

Krebs: 'Men Who Sent SWAT Team, Heroin to My Home Sentenced' (krebsonsecurity.com) 173

An anonymous reader quotes KrebsOnSecurity: On Thursday, a Ukrainian man who hatched a plan in 2013 to send heroin to my home and then call the cops when the drugs arrived was sentenced to 41 months in prison for unrelated cybercrime charges. Separately, a 19-year-old American who admitted to being part of a hacker group that sent a heavily-armed police force to my home in 2013 was sentenced to three years probation.

Sergey Vovnenko, a.k.a. "Fly," "Flycracker" and "MUXACC1," pleaded guilty last year to aggravated identity theft and conspiracy to commit wire fraud. Prosecutors said Vovnenko operated a network of more than 13,000 hacked computers, using them to harvest credit card numbers and other sensitive information... A judge in New Jersey sentenced Vovnenko to 41 months in prison, three years of supervised release and ordered him to pay restitution of $83,368.

Separately, a judge in Washington, D.C. handed down a sentence of three years' probation to Eric Taylor, a hacker probably better known by his handle "Cosmo the God." Taylor was among several men involved in making a false report to my local police department at the time about a supposed hostage situation at our Virginia home. In response, a heavily-armed police force surrounded my home and put me in handcuffs at gunpoint before the police realized it was all a dangerous hoax known as "swatting"... Taylor and his co-conspirators were able to dox so many celebrities and public officials because they hacked a Russian identity theft service called ssndob[dot]ru. That service in turn relied upon compromised user accounts at data broker giant LexisNexis to pull personal and financial data on millions of Americans.

Privacy

Used Cars Can Still Be Controlled By Their Previous Owners' Apps (wtkr.com) 98

An IBM security researcher recently discovered something interesting about smart cars. An anonymous reader quotes CNN: Charles Henderson sold his car several years ago, but he still knows exactly where it is, and can control it from his phone... "The car is really smart, but it's not smart enough to know who its owner is, so it's not smart enough to know it's been resold," Henderson told CNNTech. "There's nothing on the dashboard that tells you 'the following people have access to the car.'" This isn't an isolated problem. Henderson tested four major auto manufacturers, and found they all have apps that allow previous owners to access them from a mobile device. At the RSA security conference in San Francisco on Friday, Henderson explained how people can still retain control of connected cars even after they resell them.

Manufacturers create apps to control smart cars -- you can use your phone to unlock the car, honk the horn and find out the exact location of your vehicle. Henderson removed his personal information from services in the car before selling it back to the dealership, but he was still able to control the car through a mobile app for years. That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.

It's also something to consider when buying used IoT devices -- or a smart home equipped with internet-enabled devices.
The Almighty Buck

A Source Code Typo Allowed An Attacker To Steal $592,000 In Cryptocurrency (bleepingcomputer.com) 75

An anonymous reader writes: "A typo in the Zerocoin source code allowed an attacker to steal 370,000 Zerocoin, which is about $592,000 at today's price," reports BleepingComputer. According to the Zcoin team, one extra character left inside Zerocoin's source code was the cause of the bug. The hacker exploited the bugs for weeks, by initiating a transaction and receiving the money many times over.

"According to the Zcoin team, the attacker (or attackers) was very sophisticated and took great care to hide his tracks," reports the site. "They say the attacker created numerous accounts at Zerocoin exchanges and spread transactions across several weeks so that traders wouldn't notice the uneven transactions volume... The Zcoin team says they worked with various exchanges to attempt and identify the attacker but to no avail. Out of the 370,000 Zerocoin he stole, the attacker has already sold 350,000. The Zcoin team estimates the attacker made a net profit of 410 Bitcoin ($437,000)."

Cellphones

Should International Travelers Leave Their Phones At Home? (freecodecamp.com) 465

Long-time Slashdot reader Toe, The sums up what he learned from freeCodeCamp's Quincy Larson: "Before you travel internationally, wipe your phone or bring/rent/buy a clean one." Larson's article is titled "I'll never bring my phone on an international flight again. Neither should you." All the security in the world can't save you if someone has physical possession of your phone or laptop, and can intimidate you into giving up your password... Companies like Elcomsoft make 'forensic software' that can suck down all your photos, contacts -- even passwords for your email and social media accounts -- in a matter of minutes.... If we do nothing to resist, pretty soon everyone will have to unlock their phone and hand it over to a customs agent while they're getting their passport swiped... And with this single new procedure, all the hard work that Apple and Google have invested in encrypting the data on your phone -- and fighting for your privacy in court -- will be a completely moot point.
The article warns Americans that their constitutional protections don't apply because "the U.S. border isn't technically the U.S.," calling it "a sort of legal no-man's-land. You have very few rights there." Larson points out this also affects Canadians, but argues that "You can't hand over a device that you don't have."
Security

RSA Conference Attendees Get Hacked (esecurityplanet.com) 52

The RSA Conference "is perhaps the world's largest security event, but that doesn't mean that it's necessarily a secure event," reports eSecurityPlanet. Scanning the conference floor revealed rogue access points posing as known and trusted networks, according to security testing vendor Pwnie Express. storagedude writes: What's worse, several attendees fell for these dummy Wi-Fi services that spoof well-known brands like Starbucks. The company also found a number of access points using outdated WEP encryption. So much for security pros...
At least two people stayed connected to a rogue network for more than a day, according to the article, and Pwnie Express is reminding these security pros that connecting to a rogue network means "the attacker has full control of all information going into and out of the device, and can deploy various tools to modify or monitor the victim's communication."
Toys

German Government Tells Parents: Destroy This WiFi-Connected Doll (theverge.com) 128

It's illegal in Germany now to sell a talking doll named "My Friend Cayla," according to a story shared by Slashdot reader Bruce66423. And that's just the beginning. The Verge reports: A German government watchdog has ordered parents to "destroy" an internet-connected doll for fear it could be used as a surveillance device. According to a report from BBC News, the German Federal Network Agency said the doll (which contains a microphone and speaker) was equivalent to a "concealed transmitting device" and therefore prohibited under German telecom law... In December last year, privacy advocates said the toy recorded kids' conversations without proper consent, violating the Children's Online Privacy Protection Act.

Cayla uses a microphone to listen to questions, sending this audio over Wi-Fi to a third-party company that converts it to text. This is then used to search the internet, allowing the doll to answer basic questions, like "What's a baby kangaroo called?" as well as play games. In addition to privacy concerns over data collection, security researchers found that Cayla can be easily hacked. The doll's insecure Bluetooth connection can be compromised, letting a third party record audio via the toy, or even speak to children using its voice.

The Electronic Privacy Information Center has said toys like this "subject young children to ongoing surveillance...without any meaningful data protection standards." One researcher pointed out that the doll was accessible from up to 33 feet away -- even through walls -- using a Bluetooth-enabled device.
Android

Congressman Calls For Probe Into Trump's Unsecured Android Phone (cnet.com) 496

An anonymous reader quotes a report from CNET: President Donald Trump regularly makes news because of his tweets. Now a congressman is making news because of the device the president reportedly uses to tweet. On Friday, Congressman Ted Lieu, a Democrat from Los Angeles, wrote a letter to the House Oversight Committee requesting an investigation into Trump's cybersecurity practices. In particular, he calls out Trump's apparent decision to keep using his personal Android phone instead of a secured phone the Secret Service issued him for his inauguration. The letter is also signed by 14 other members of Congress and calls for a public hearing to discuss the issues. "The device President Trump insists on using -- most likely the Samsung Galaxy S3 -- has particularly well documented vulnerabilities," the letter says. "The use of an unsecured phone risks the president of the United States being monitored by foreign or domestic adversaries, many of whom would be happy to hijack the president's prized Twitter account causing disastrous consequences for global security. Cybersecurity experts universally agree that an ordinary Android smartphone, which the president is reportedly using despite repeated warnings from the Secret Service, can be easily hacked."
Encryption

Researchers Discover Security Problems Under the Hood of Automobile Apps (arstechnica.com) 27

An anonymous reader quotes a report from Ars Technica: Malware researchers Victor Chebyshev and Mikhail Kuzin examined seven Android apps for connected vehicles and found that the apps were ripe for malicious exploitation. Six of the applications had unencrypted user credentials, and all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps. The vulnerabilities looked at by the Kaspersky researchers focused not on vehicle communication, but on the Android apps associated with the services and the potential for their credentials to be hijacked by malware if a car owner's smartphone is compromised. All seven of the applications allowed the user to remotely unlock their vehicle; six made remote engine start possible (though whether it's possible for someone to drive off with the vehicle without having a key or RFID-equipped key fob present is unclear). Two of the seven apps used unencrypted user logins and passwords, making theft of credentials much easier. And none of the applications performed any sort of integrity check or detection of root permissions to the app's data and events -- making it much easier for someone to create an "evil" version of the app to provide an avenue for attack. While malware versions of these apps would require getting a car owner to install them on their device in order to succeed, Chebyshev and Kuzin suggested that would be possible through a spear-phishing attack warning the owner of a need to do an emergency app update. Other malware might also be able to perform the installation.
Yahoo!

Deleting Your Yahoo Email Account? Yeah, Good Luck With That (zdnet.com) 99

In the wake of security breach revelations, many of you might have considered deleting your Yahoo account. Many of you might be thinking about doing so soon. Heads up, it turns out, deleting a Yahoo email account isn't as straightforward as you may have imagined, and you again have Yahoo to blame for that. From a report on ZDNet: Several Yahoo users, who last year decided to leave the service, told us that their accounts remained open for weeks or months after the company said they would be closed. David Clarke was one of those departing users, whose dormant account was slowly accumulating junk over the past few years. "This was an ancient email I had set up, had no personal data in it anymore and had a unique password," writing about his troubles on Medium. "But it's a part of my digital footprint that I no longer required and decided, given the horrible security practices going on at Yahoo, to vote with my account and have it removed." Yahoo makes the account deletion process straightforward enough, but users have to wait "in most cases... approximately 90 days" for the account to close. The company says this is to "discourage users from engaging in fraudulent activity." On day 91, Clarke logged back into his account to find that it was still active. Unbeknownst to him, logging back in simply to check would reset the clock back to zero. "Yahoo confirmed via email yesterday if you access your account it resets the timer," he told me. "So, if you login to ensure your account has been deleted and it hasn't, you have to wait at least another 90 days."
Iphone

Apple's iPhone 8 To Replace Touch ID Home Button With 'Function Area' (appleinsider.com) 113

An anonymous reader quotes a report from Apple Insider: Apple will ditch the home button when it debuts a new 'iPhone 8' model later this year, and will dedicate the extra screen real estate to an area for virtual buttons, according to KGI analyst Ming-Chi Kuo. Adding detail to his previous predictions regarding the next-generation handset, Kuo in a note to investors obtained by AppleInsider said the full-screen design will allow Apple to integrate a "function" area never seen in an iPhone. The device is expected to adopt a 5.8-inch OLED panel in a form factor similar to the current 4.7-inch iPhone 7. Despite having extended screen real estate as compared to current iPhone models, the actual active display area on "iPhone 8" will be closer to 5.15 inches on the diagonal, with the remaining bottom portion dedicated to system functions like virtual buttons. While Kuo failed to elaborate on an exact implementation, the note suggests Apple plans to hardcode a set of always-on, static system controls into iOS. Whether the so-called "function area" is capable of switching to an active display mode for in-app activities like watching videos or playing games, remains to be seen. With the deletion of current Touch ID technology, Kuo believes "iPhone 8" will incorporate new bio-recognition assets to take over device security and Apple Pay authentication duties. The analyst did not offer predictions on the type of biometric tech Apple intends to use, but a report earlier today said the company could integrate a 3D laser scanning module capable of facilitating facial recognition and augmented reality applications. Kuo in a note last month said Apple might integrate a dual biometric system utilizing optical fingerprint readers and facial recognition hardware.
Government

Bipartisan Bill Seeks Warrants For Police Use of 'Stingray' Cell Trackers (usatoday.com) 113

Tulsa_Time quotes a report from USA Today: A bipartisan group of House and Senate lawmakers introduced legislation Wednesday requiring police agencies to get a search warrant before they can deploy powerful cellphone surveillance technology known as "stingrays" that sweep up information about the movements of innocent Americans while tracking suspected criminals. "Owning a smartphone or fitness tracker shouldn't give the government a blank check to track your movements," said Sen. Ron Wyden, D-Ore., a member of the Senate Intelligence Committee who introduced the bill with Reps. Jason Chaffetz, R-Utah, and John Conyers, D-Mich. "Law enforcement should be able to use GPS data, but they need to get a warrant. This bill sets out clear rules to make sure our laws keep up with the times." The legislation introduced Wednesday, called the Geolocation Privacy and Surveillance (GPS) Act, would require a warrant for all domestic law enforcement agencies to track the location and movements of individual Americans through GPS technology without their knowledge. It also aims to combat high-tech stalking by creating criminal penalties for secretly using an electronic device to track someone's movements.
Java

JavaScript Attack Breaks ASLR On 22 CPU Architectures (bleepingcomputer.com) 153

An anonymous reader quotes a report from BleepingComputer: Five researchers from the Vrije University in the Netherlands have put together an attack that can be carried out via JavaScript code and break ASLR protection on at least 22 microprocessor architectures from vendors such as Intel, AMD, ARM, Allwinner, Nvidia, and others. The attack, christened ASLRCache, or AnC, focuses on the memory management unit (MMU), a lesser known component of many CPU architectures, which is tasked with improving performance for cache management operations. What researchers discovered was that this component shares some of its cache with untrusted applications, including browsers. This meant that researchers could send malicious JavaScript that specifically targeted this shared memory space and attempted to read its content. In layman's terms, this means an AnC attack can break ASLR and allow the attacker to read portions of the computer's memory, which he could then use to launch more complex exploits and escalate access to the entire OS. Researchers have published two papers [1, 2] detailing the AnC attack, along with two videos[1, 2] showing the attack in action.
Security

Yahoo Notifying Users of Malicious Account Activity as Verizon Deal Progresses (techcrunch.com) 17

Kate Conger, writing for TechCrunch: Yahoo is continuing to issue warnings to users about several security incidents as it moves toward an acquisition by Verizon. Users are receiving notifications today about unauthorized access to their accounts in 2015 and 2016, which occurred due to previously disclosed cookie forging. "As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password. The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again," a Yahoo spokesperson told TechCrunch.
Businesses

IT Decisions Makers and Executives Don't Agree On Cyber Security Responsibility (betanews.com) 118

Sead Fadilpasic, writing for BetaNews: There's a severe disconnect between IT decision makers and C-suite executives when it comes to handling cyber attacks. Namely, both believe the other one is responsible for keeping a company safe. This is according to a new and extensive research by BAE Systems. A total of 221 C-suite executives and 984 IT decision-makers were polled for the report. According to the research, a third (35 percent) of C-suite executives believe IT teams are responsible for data breaches. On the other hand, 50 percent of IT decision makers would place that responsibility in the hands of their senior management. Cost estimates of a successful breach also differ. IT decision makers think it would set them back $19.2 million, while C-suite thinks of a lesser figure, $11.6m. C-level thinks a tenth (10 percent) of their company's IT budget is spent on cyber security, while IT decision makers think that's 15 percent. Also, 84 percent of C-suite, and 81 percent of IT teams believe they have the right protection set up.
Security

Russian Cyberspies Blamed For US Election Hacks Are Now Targeting Macs (computerworld.com) 250

You may recall "APT28", the Russian hacking group which was tied to last year's interference in the presidential election. It has long been known for its advanced range of tools for penetrating Windows, iOS, Android, and Linux devices. Now, researchers have uncovered an equally sophisticated malware package the group used to compromise Macs. From a report on ComputerWorld: The group -- known in the security industry under different names including Fancy Bear, Pawn Storm, and APT28 -- has been operating for almost a decade. It is believed to be the sole user and likely developer of a Trojan program called Sofacy or X-Agent. X-Agent variants for Windows, Linux, Android, and iOS have been found in the wild in the past, but researchers from Bitdefender have now come across what appears to be the first macOS version of the Trojan. It's not entirely clear how the malware is being distributed because the Bitdefender researchers obtained only the malware sample, not the full attack chain. However, it's possible a macOS malware downloader dubbed Komplex, found in September, might be involved. Komplex infected Macs by exploiting a known vulnerability in the MacKeeper antivirus software, according to researchers from Palo Alto Networks who investigated the malware at the time. The vulnerability allowed attackers to execute remote commands on a Mac when users visited specially crafted web pages. Further reading on ArsTechnica.
Microsoft

Microsoft Delays February Patch Tuesday Indefinitely (sans.edu) 88

UnderAttack writes: Microsoft today announced that it had to delay its February Patch Tuesday due to issues with a particular patch. This was also supposed to be the first Patch Tuesday using a new format, which led some to believe that even Microsoft had issues understanding how the new format is exactly going to work with no more simple bulletin summary and patches being released as large monolithic updates. Ars Technica notes the importance of this Patch Tuesday as "there's an in-the-wild zero-day flaw in SMB, Microsoft's file sharing protocol, that at the very least allows systems to be crashed." They also elaborate on the way Microsoft is "continuing to tune the way updates are delivered to Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2."
Transportation

Big Week For Drones: Dubai Permits Passenger-Carrying Drone; Kenya Finally Approves Commercial Use (apnews.com) 47

It's shaping up to be a major week for drone enthusiasts. A pilot-less drone designed to carry one passenger at a time is set to start making regular trips in Dubai later this year. In some other news, Kenya has joined the neighbor Rwanda in opening up its skies for commercial drone use. From an AP report: Up, up and away: Dubai hopes to have a passenger-carrying drone regularly buzzing through the skyline of this futuristic city-state in July. The arrival of the Chinese-made EHang 184 -- which already has had its flying debut over Dubai's iconic, sail-shaped Burj al-Arab skyscraper hotel -- comes as the Emirati city also has partnered with other cutting-edge technology companies, including Hyperloop One. The question is whether the egg-shaped, four-legged craft will really take off as a transportation alternative in this car-clogged city already home to the world's longest driverless metro line. From a Quartz report: Flying a drone will soon be legal in Kenya, which has effectively banned the use of unmanned aerial vehicles for anyone outside of the military for the past two years. A spokesperson for the Kenya Civil Aviation Authority (KCAA) said that draft regulations for the commercial use of drones had been approved by security officials. The agency said details of the law would be released soon. The approval comes as regulators elsewhere in Africa have tightened restrictions on UAVs. In Ghana, flying an unregistered drone is punishable by up to 30 years in jail. In Nigeria, operators require permits from the aviation authority as well as the office of the National Security Adviser (the process of getting a permit costs up to $4,000).
Microsoft

Microsoft Calls For 'Digital Geneva Convention' (usatoday.com) 144

Microsoft is calling for a digital Geneva Convention to outline protections for civilians and companies from government-sponsored cyberattacks. In comments Tuesday at the RSA security industry conference in San Francisco, Microsoft President and Chief Legal Officer Brad Smith said the rising trend of government entities wielding the internet as a weapon was worrying. From a report on USA Today: In the cyber realm, tech must be committed to "100% defense and zero percent offense," Smith said at the opening keynote at the RSA computer security conference. Smith called for a "digital Geneva Convention," like the one created in the aftermath of World War II which set ground rules for conduct during wartime, defining basic rights for civilians caught up in armed conflicts. In the 21st century such rules are needed "to commit governments to protect civilians from nation-state attacks in times of peace," a draft of Smith's speech released to USA TODAY said. This digital Geneva Convention would establish protocols, norms and international processes for how tech companies would deal with cyber aggression and attacks of nations aimed at civilian targets, which appears to effectively mean anything but military servers.
