Microsoft Removes Antivirus Registry Key Check for Windows 10 Users ( 38

Microsoft has backtracked on a decision it took back in January when it conditioned that computers without a special registry key would not receive any more security updates. From a report: That particular "requirement" was introduced as part of the Meltdown and Spectre patching process. At the time, Microsoft said that antivirus vendors would have to add a key to the Windows Registry to signal that they are compatible with Microsoft's original Meltdown and Spectre patches. This was a big issue at the time because Microsoft detected during testing that some antivirus vendors would inject code into parts of the kernel that the company was trying to patch against Meltdown and Spectre flaws.

Jewelry Site Leaks Personal Details, Plaintext Passwords of 1.3 Million Users ( 37

Chicago-based MBM Company's jewelry brand Limoges Jewelry has accidentally leaked the personal information for over 1.3 million people. This includes addresses, zip-codes, e-mail addresses, and IP addresses. The Germany security firm Kromtech Security, which found the leak via an unsecured Amazon S3 storage bucket, also claims the database contained plaintext passwords. The Next Web reports: In a press release, Kromtech Security's head of communicationis, Bob Diachenko, said: "Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts." The [MSSQL database] backup file was named "MBMWEB_backup_2018_01_13_003008_2864410.bak," which suggests the file was created on January 13, 2018. It's believed to contain current information about the company's customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year. Other records held in the database include internal mailing lists, promo-codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company. Diachenko says there's no evidence a malicious third-party has accessed the dump, but that "that does not mean that nobody [has] accessed the data."

Privacy-Busting Bugs Found in Popular VPN Services Hotspot Shield, Zenmate and PureVPN ( 60

A report by VpnMentor, a website which ranks VPN services, reveals several vulnerabilities in Hotspot Shield, Zenmate, and PureVPN -- all of which promise to provide privacy for their users. VpnMentor says it hired a team of three external ethical hackers to find vulnerabilities in three random popular VPNs. While one hacker wants to keep his identity private, the other two are known as File Descriptor and Paulos Yibelo. ZDNet: The research reveals bugs that can leak real-world IP addresses, which in some cases can identify individual users and determine a user's location. In the case of Hotspot Shield, three separate bugs in how the company's Chrome extension handles proxy auto-config scripts -- used to direct traffic to the right places -- leaked both IP and DNS addresses, which undermines the effectiveness of privacy and anonymity services. [...] AnchorFree, which makes Hotspot Shield, fixed the bugs, and noted that its mobile and desktop apps were not affected by the bugs. The researchers also reported similar IP leaking bugs to Zenmate and PureVPN.

Researchers Find Critical Vulnerabilities in AMD's Ryzen and EPYC Processors, But They Gave the Chipmaker Only 24 Hours Before Making the Findings Public ( 195

Alfred Ng, reporting for CNET: Researchers have discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Particularly worrisome is the fact that the vulnerabilities lie in the so-called secure part of the processors -- typically where your device stores sensitive data like passwords and encryption keys. It's also where your processor makes sure nothing malicious is running when you start your computer. CTS-Labs, a security company based in Israel, announced Tuesday that its researchers had found 13 critical security vulnerabilities that would let attackers access data stored on AMD's Ryzen and EPYC processors, as well as install malware on them. Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers. The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly. An AMD spokesperson said, "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings," an AMD spokesman said. Zack Whittaker, a security reporter at CBS, said: Here's the catch: AMD had less than a day to look at the research. No wonder why its response is so vague.

'Slingshot' Malware That Hid For Six Years Spread Through Routers 72

An anonymous reader quotes a report from Engadget: Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there. Recent MikroTik router firmware updates should fix the issue. However, there's concern that other router makers might be affected.

Trump Issues Order To Block Broadcom's Takeover of Qualcomm ( 227

Bloomberg reports that President Donald Trump issued an executive order today blocking Broadcom from acquiring Qualcomm, "scuttling a $117 billion deal that had been subject to U.S. government scrutiny on national security grounds." From the report: The president acted on a recommendation by the Committee on Foreign Investment in the U.S., which reviews acquisitions of American firms by foreign investors. The decision to block the deal was unveiled just hours after Broadcom Chief Executive Officer Hock Tan met with security officials at the Pentagon in a last-ditch effort to salvage the transaction. "There is credible evidence that leads me to believe that Broadcom Ltd." by acquiring Qualcomm "might take action that threatens to impair the national security of the United States," Trump said in the order released Monday evening in Washington.

Data Breach Victims Can Sue Yahoo in the United States, Federal Judge Rules ( 13

Yahoo has been ordered by a federal judge to face much of a lawsuit in the United States claiming that the personal information of all 3 billion users was compromised in a series of data breaches. From a report: In a decision on Friday night, U.S. District Judge Lucy Koh in San Jose, California rejected a bid by Verizon Communications, which bought Yahoo's Internet business last June, to dismiss many claims, including for negligence and breach of contract. Koh dismissed some other claims. She had previously denied Yahoo's bid to dismiss some unfair competition claims.

[...] The plaintiffs amended their complaint after Yahoo last October revealed that the 2013 breach affected all 3 billion users, tripling its earlier estimate. Koh said the amended complaint highlighted the importance of security in the plaintiffs' decision to use Yahoo. 'Plaintiffs' allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System," Koh wrote. She also said the plaintiffs could try to show that liability limits in Yahoo's terms of service were "unconscionable," given the allegations that Yahoo knew its security was deficient but did little.


New Traces of Hacking Team in the Wild ( 19

Previously unreported samples of Hacking Team's infamous surveillance tool -- the Remote Control System (RCS) -- are in the wild, and have been detected by ESET systems in fourteen countries. From a report: Our analysis of the samples reveals evidence suggesting that Hacking Team's developers themselves are actively continuing the development of this spyware. Since being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world. The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device's webcam and microphone. The company has been criticized for selling these capabilities to authoritarian governments -- an allegation it has consistently denied. When the tables turned in July 2015, with Hacking Team itself suffering a damaging hack, the reported use of RCS by oppressive regimes was confirmed. With 400GB of internal data -- including the once-secret list of customers, internal communications, and spyware source code -- leaked online, Hacking Team was forced to request its customers to suspend all use of RCS, and was left facing an uncertain future.

Feds Bust CEO Allegedly Selling Custom BlackBerry Phones To Sinaloa Drug Cartel ( 115

An anonymous reader shares a Motherboard report: For years, a slew of shadowy companies have sold so-called encrypted phones, custom BlackBerry or Android devices that sometimes have the camera and microphone removed and only send secure messages through private networks. Several of those firms allegedly cater primarily for criminal organizations.Now, the FBI has arrested the owner of one of the most established companies, Phantom Secure, as part of a complex law enforcement operation, according to court records and sources familiar with the matter. "FBI are flexing their muscle," one source familiar with the secure phone industry, and who gave Motherboard specific and accurate details about the operation before it was public knowledge, said. Motherboard granted the sources in this story anonymity to talk about sensitive developments in the secure phone trade. The source said the Phantom operation was carried out in partnership with Canadian and Australian authorities.

Massive DDOS Attacks Are Now Targeting Google, Amazon, and the NRA ( 121

PC Magazine reports: A new way to amplify DDoS attacks has been spotted harassing Google, Amazon, Pornhub and even the National Rifle Association's main website after striking Github last week. The attacks, which exploit vulnerable "memcached servers," have been trying to hose down scores of new targets with a flood of internet traffic, according to Chinese security firm Qihoo 360... Github was the first high-profile victim and suffered a 1.35 Tbps assault -- or what was then the biggest DDoS attack on record. But days later, an unnamed U.S. service provider fended off a separate assault, which measured at 1.7 Tbps. Unfortunately, the amplified DDoS attacks haven't stopped. They've gone on to strike over 7,000 unique IP addresses in the last seven days, Qihoo 360 said in a blog post... Gaming sites including,, and have been among those hit...

The security community is also steadily addressing the linchpin to all the assaults: the vulnerable memcached servers. About 100,000 of these online storage systems were publicly exposed over a week ago. But the server owners have since patched or firewalled about 60,000 of them, Radware security researcher Daniel Smith said. That leaves 40,000 servers open to exploitation. Smith points to how the coding behind the attack technique has started to circulate online through free tools and scripts.

Meanwhile, Slashdot reader darthcamaro shares an article about "the so-call 'kill switch'" that some vendors have been debating: "The 'kill switch' was immediately obvious to everyone who worked on mitigating this DDoS attack," John Graham-Cumming, CTO of CloudFlare said. "We chose not to use or test this method because it would be unethical and likely illegal since it alters the state of a remote machine without authorization."

SgxSpectre Attack Can Extract Data From Intel SGX Enclaves ( 28

An anonymous reader quotes BleepingComputer: A new variation of the Spectre attack has been revealed this week by six scientists from the Ohio State University. Named SgxSpectre, researchers say this attack can extract information from Intel SGX enclaves. Intel Software Guard eXtensions (SGX) is a feature of modern Intel processors that allow an application to create so-called enclaves. This enclave is a hardware-isolated section of the CPU's processing memory where applications can run operations that deal with extremely sensitive details, such as encryption keys, passwords, user data, and more... Neither Meltdown and Spectre were able to extract data from SGX enclaves. This is where SgxSpectre comes in.

According to researchers, SgxSpectre works because of specific code patterns in software libraries that allow developers to implement SGX support into their apps. Vulnerable SGX development kits include the Intel SGX SDK, Rust-SGX, and Graphene-SGX. Academics say an attacker can leverage the repetitive code execution patterns that these SDKs introduce in SGX enclaves and watch for small variations of cache size. This allows for side-channel attacks that allow a threat actor to infer and slowly recover data from secure enclaves.

Intel's recent Spectre patches don't necessarily help, as an attacker can work around these fixes. Intel says an update for the Intel SGX SDK that adds SgxSpectre mitigations will be released on March 16. Apps that implement Google's Retpoline anti-Spectre coding techniques are safe, researchers say.


'Flippy,' the Fast Food Robot, Turned Off For Being Too Slow ( 126

He was supposed to revolutionize a California fast food kitchen, churning out 150 burgers per hour without requiring a paycheck or benefits. But after a single day of working as a cook at a Caliburger location in Pasadena this week, Flippy the burger-flipping robot has stopped flipping. From a report: In some ways, Flippy was a victim of his own success. Inundated with customers eager to see the machine in action this week, Cali Group, which runs the fast food chain, quickly realized the robot couldn't keep up with the demand. They decided instead to retrain the restaurant staff to work more efficiently alongside Flippy, according to USA Today. Temporarily decommissioned, patrons encountered a sign Thursday noting that Flippy would be "cooking soon," the paper reported. "Mostly it's the timing," Anthony Lomelino, the Chief Technology Officer for Cali Group told the paper. "When you're in the back, working with people, you talk to each other. With Flippy, you kind of need to work around his schedule. Choreographing the movements of what you do, when and how you do it."

In a Remarkable Turn of Events, Hackers -- Not Users -- Lost Money in Attempted Cryptocurrency Exchange Heist ( 56

The hackers who attempted to hack Binance, one of the largest cryptocurrency exchanges on the Internet, have ended up losing money in a remarkable turn of events. It all began on Thursday, when thousands of user accounts started selling their Bitcoin and buying an altcoin named Viacoin (VIA). The incident, BleepingComputer reports, looked like a hack, and users reacted accordingly. But this wasn't a hack, or at least not your ordinary hack. The report adds: According to an incident report published by the Binance team, in preparation for yesterday's attack, the hackers ran a two-month phishing scheme to collect Binance user account credentials. Hackers used a homograph attack by registering a domain identical to, but spelled with Latin-lookalike Unicode characters. More particularly, hackers registered the [redacted].com domain -- notice the tiny dots under the "i" and "a" characters.

Phishing attacks started in early January, but the Binance team says it detected evidence that operations ramped up around February 22, when the campaign reached its peak. Binance tracked down this phishing campaign because the phishing pages would immediately redirect phished users to the real Binance login page. This left a forensic trail in referral logs that Binance developers detected. After getting access to several accounts, instead of using the login credentials to empty out wallets, hackers created "trading API keys" for each account. With the API keys in hand, hackers sprung their main attack yesterday. Crooks used the API keys to automate transactions that sold Bitcoin held in compromised Binance accounts and automatically bought Viacoin from 31 other Binance accounts that hackers created beforehand, and where they deposited Viacoin, ready to be bought. But hackers didn't know one thing -- Binance's secret weapon -- an internal risk management system that detected the abnormal amount of Bitcoin-Viacoin sale orders within the span of two minutes and blocked all transactions on the platform. Hackers tried to cash out the 31 Binance accounts, but by that point, Binance had blocked all withdrawals.


Documents Prove Local Cops Have Bought Cheap iPhone Cracking Tech ( 101

GrayShift is a new company that promises to unlock even iPhones running the latest version of iOS for a relatively cheap price. From a report: In a sign of how hacking technology often trickles down from more well-funded federal agencies to local bodies, at least one regional police department has already signed up for GrayShift's services, according to documents and emails obtained by Motherboard. As Forbes reported on Monday, GrayShift is an American company which appears to be run by an ex-Apple security engineer and others who have long held contracts with intelligence agencies. In its marketing materials, GrayShift offers a tool called GrayKey, an offline version of which costs $30,000 and comes with an unlimited number of uses. For $15,000, customers can instead buy the online version, which grants 300 iPhones unlocks.

This is what the Indiana State Police bought, judging by a purchase order obtained by Motherboard. The document, dated February 21, is for one GrayKey unit costing $500, and a "GrayKey annual license -- online -- 300 uses," for $14,500. The order, and an accompanying request for quotation, indicate the unlocking service was intended for Indiana State Police's cybercrime department. A quotation document emblazoned with GrayShift's logo shows the company gave Indiana State Police a $500 dollar discount for their first year of the service. Importantly, according to the marketing material cited by Forbes, GrayKey can unlock iPhones running modern versions of Apple's mobile operating system, such as iOS 10 and 11, as well as the most up to date Apple hardware, like the iPhone 8 and X.


Downloads of Popular Apps Were Silently Swapped For Spyware in Turkey: Citizen Lab ( 29

Matthew Braga, reporting for CBC: Since last fall, Turkish internet users attempting to download one of a handful of popular apps may have been the unwitting targets of a wide-reaching computer surveillance campaign. And in Egypt, users across the country have, seemingly at random, had their browsing activity mysteriously redirected to online money-making schemes. Internet filtering equipment sold by technology company Sandvine -- founded in Waterloo, Ont. -- is believed to have played a significant part in both.

That's according to new research from the University of Toronto's Citizen Lab, which has examined misuse of similar equipment from other companies in the past. The researchers say it's likely that Sandvine devices are not only being used to block the websites of news, political and human rights organizations, but are also surreptitiously redirecting users toward spyware and unwanted ads. Using network-filtering devices to sneak spyware onto targets' computers "has long been the stuff of legends" according to the report -- a practice previously documented in leaked NSA documents and spyware company brochures, the researchers say, but never before publicly observed.
Citizen Lab notes that targeted users in Turkey and Syria who attempted to download Windows applications from official vendor websites including Avast Antivirus, CCleaner, Opera, and 7-Zip were silently redirected to malicious versions by way of injected HTTP redirects. It adds: This redirection was possible because official websites for these programs, even though they might have supported HTTPS, directed users to non-HTTPS downloads by default. Additionally, targeted users in Turkey and Syria who downloaded a wide range of applications from CBS Interactive's (a platform featured by CNET to download software) were instead redirected to versions containing spyware. does not appear to support HTTPS despite purporting to offer "secure download" links.

Half of Ransomware Victims Didn't Recover Their Data After Paying the Ransom ( 58

An anonymous reader shares a report: A massive survey of nearly 1,200 IT security practitioners and decision makers across 17 countries reveals that half the people who fell victim to ransomware infections last year were able to recover their files after paying the ransom demand. The survey, carried out by research and marketing firm CyberEdge Group, reveals that paying the ransom demand, even if for desperate reasons, does not guarantee that victims will regain access to their files. Timely backups are still the most efficient defense against possible ransomware infections, as it allows easy recovery. The survey reveals that 55% of all responders suffered a ransomware infection in 2017, compared to the previous year's study, when 61% experienced similar incidents. Of all the victims who suffered ransomware infections, CyberEdge discovered that 61.3% opted not to pay the ransom at all. Some lost files for good (8%), while the rest (53.3%) managed to recover files, either from backups or by using ransomware decrypter applications. Of the 38.7% who opted to pay the ransom, a little less than half (19.1%) recovered their files using the tools provided by the ransomware authors.

Slack Is Shutting Down Its IRC Gateway ( 89

Slack, a team collaboration communication service, has updated its IRC support page to note that it is ending support for IRC on its platform: Unfortunately, support for gateways is ending. Starting on May 15th, it will no longer be possible to connect to Slack using the IRC and XMPP gateways. In another support page, which requires you to log in to one of your Slack groups, the company elaborates: As Slack has evolved over the years, we've built features and capabilities -- like Shared Channels, Threads, and emoji reactions (to name a few) -- that the IRC and XMPP gateways aren't able to handle. Our priority is to provide a secure and high-quality experience across all platforms, and so the time has come to close the gateways.

Please note that the gateways will be closed according to the following schedule: March 6, 2018: No longer available to newly-created workspaces; April 3, 2018: Removed from workspaces where they're not in use; May 15, 2018: Closed for all remaining workspaces.


Comcast's Protected Browsing Is Blocking PayPal, Steam and TorrentFreak, Customers Say ( 82

Comcast's Xfinity internet customers have been reporting multiple websites, including PayPal, Steam, and TorrentFreak have been getting blocked by the ISP's "protected browsing" setting. From a report: The "protected browsing" setting is designed to "reduce the risk of accessing known sources of malware, spyware, and phishing for all devices connected to your home network." This, in general, isn't a bad thing. It's similar to Google Chrome's security settings that warn you when you have an insecure connection. But it's odd that Xfinity's security setting would be blocking perfectly harmless sites like PayPal. Multiple consumers have been reporting on Comcast's forums and elsewhere that they've been blocked while trying to access sites that many people use every day. After posting about it on the forums, one user who said they couldn't access PayPal said the problem with that particular site had been fixed. Further reading: Comcast's Protected Browsing Blocks TorrentFreak as "Suspicious" Site (TorrentFreak).

Businesses Under Pressure To 'Consumerize' Logins ( 47

Almost two-thirds (64 percent) of IT leaders say their security teams are considering implementing consumer-grade access to cloud services for employees. From a report: According to the 2018 Identity and Access Management Index from digital security company Gemalto 54 percent of respondents believe that the authentication methods they implement in their businesses are not as good compared to those found on popular sites including Amazon and Facebook. Authentication methods applied in the consumer world can be applied to secure access to enterprise resources 70 percent of IT professionals believe. But despite this, 92 percent of IT leaders express concern about employees reusing personal credentials for work. This comes as 61 percent admit they are still not implementing two-factor authentication to allow access to their network, potentially leaving themselves vulnerable to cyber criminals.

Vatican Invites Hackers To Fix Problems, Not Breach Security ( 72

From a report: Computer hackers with a heart are descending on the Vatican to help tackle pressing problems particularly dear to Pope Francis, including how to better provide resources for migrants and encourage solidarity for the poor. The "Vatican Hackathon," an around-the-clock computer programming marathon, starts Thursday in the Vatican, with the full support of the pope, several Vatican offices and student volunteers from Harvard and MIT. Organizers stressed that no firewalls will be breached or acts of computer piracy committed.

Slashdot Top Deals