Trust the World's Fastest VPN with Your Internet Security & Freedom - A Lifetime Subscription of PureVPN at 88% off. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×
Privacy

Used Cars Can Still Be Controlled By Their Previous Owners' Apps (wtkr.com) 1

An IBM security researcher recently discovered something interesting about smart cars. An anonymous reader quotes CNN: Charles Henderson sold his car several years ago, but he still knows exactly where it is, and can control it from his phone... "The car is really smart, but it's not smart enough to know who its owner is, so it's not smart enough to know it's been resold," Henderson told CNNTech. "There's nothing on the dashboard that tells you 'the following people have access to the car.'" This isn't an isolated problem. Henderson tested four major auto manufacturers, and found they all have apps that allow previous owners to access them from a mobile device. At the RSA security conference in San Francisco on Friday, Henderson explained how people can still retain control of connected cars even after they resell them.

Manufacturers create apps to control smart cars -- you can use your phone to unlock the car, honk the horn and find out the exact location of your vehicle. Henderson removed his personal information from services in the car before selling it back to the dealership, but he was still able to control the car through a mobile app for years. That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.

It's also something to consider when buying used IoT devices -- or a smart home equipped with internet-enabled devices.
The Almighty Buck

A Source Code Typo Allowed An Attacker To Steal $592,000 In Cryptocurrency (bleepingcomputer.com) 9

An anonymous reader writes: "A typo in the Zerocoin source code allowed an attacker to steal 370,000 Zerocoin, which is about $592,000 at today's price," reports BleepingComputer. According to the Zcoin team, one extra character left inside Zerocoin's source code was the cause of the bug. The hacker exploited the bugs for weeks, by initiating a transaction and receiving the money many times over.

"According to the Zcoin team, the attacker (or attackers) was very sophisticated and took great care to hide his tracks," reports the site. "They say the attacker created numerous accounts at Zerocoin exchanges and spread transactions across several weeks so that traders wouldn't notice the uneven transactions volume... The Zcoin team says they worked with various exchanges to attempt and identify the attacker but to no avail. Out of the 370,000 Zerocoin he stole, the attacker has already sold 350,000. The Zcoin team estimates the attacker made a net profit of 410 Bitcoin ($437,000)."

Cellphones

Should International Travelers Leave Their Phones At Home? (freecodecamp.com) 346

Long-time Slashdot reader Toe, The sums up what he learned from freeCodeCamp's Quincy Larson: "Before you travel internationally, wipe your phone or bring/rent/buy a clean one." Larson's article is titled "I'll never bring my phone on an international flight again. Neither should you." All the security in the world can't save you if someone has physical possession of your phone or laptop, and can intimidate you into giving up your password... Companies like Elcomsoft make 'forensic software' that can suck down all your photos, contacts -- even passwords for your email and social media accounts -- in a matter of minutes.... If we do nothing to resist, pretty soon everyone will have to unlock their phone and hand it over to a customs agent while they're getting their passport swiped... And with this single new procedure, all the hard work that Apple and Google have invested in encrypting the data on your phone -- and fighting for your privacy in court -- will be a completely moot point.
The article warns Americans that their constitutional protections don't apply because "the U.S. border isn't technically the U.S.," calling it "a sort of legal no-man's-land. You have very few rights there." Larson points out this also affects Canadians, but argues that "You can't hand over a device that you don't have."
Security

RSA Conference Attendees Get Hacked (esecurityplanet.com) 47

The RSA Conference "is perhaps the world's largest security event, but that doesn't mean that it's necessarily a secure event," reports eSecurityPlanet. Scanning the conference floor revealed rogue access points posing as known and trusted networks, according to security testing vendor Pwnie Express. storagedude writes: What's worse, several attendees fell for these dummy Wi-Fi services that spoof well-known brands like Starbucks. The company also found a number of access points using outdated WEP encryption. So much for security pros...
At least two people stayed connected to a rogue network for more than a day, according to the article, and Pownie Express is reminding these security pros that connecting to a rogue network means "the attacker has full control of all information going into and out of the device, and can deploy various tools to modify or monitor the victim's communication."
Toys

German Government Tells Parents: Destroy This WiFi-Connected Doll (theverge.com) 101

It's illegal in Germany now to sell a talking doll named "My Friend Cayla," according to a story shared by Slashdot reader Bruce66423. And that's just the beginning. The Verge reports: A German government watchdog has ordered parents to "destroy" an internet-connected doll for fear it could be used as a surveillance device. According to a report from BBC News, the German Federal Network Agency said the doll (which contains a microphone and speaker) was equivalent to a "concealed transmitting device" and therefore prohibited under German telecom law... In December last year, privacy advocates said the toy recorded kids' conversations without proper consent, violating the Children's Online Privacy Protection Act.

Cayla uses a microphone to listen to questions, sending this audio over Wi-Fi to a third-party company that converts it to text. This is then used to search the internet, allowing the doll to answer basic questions, like "What's a baby kangaroo called?" as well as play games. In addition to privacy concerns over data collection, security researchers found that Cayla can be easily hacked. The doll's insecure Bluetooth connection can be compromised, letting a third party record audio via the toy, or even speak to children using its voice.

The Electronic Privacy Information Center has said toys like this "subject young children to ongoing surveillance...without any meaningful data protection standards." One researcher pointed out that the doll was accessible from up to 33 feet away -- even through walls -- using a bluetooth-enabled device.
Android

Congressman Calls For Probe Into Trump's Unsecured Android Phone (cnet.com) 436

An anonymous reader quotes a report from CNET: President Donald Trump regularly makes news because of his tweets. Now a congressman is making news because of the device the president reportedly uses to tweet. On Friday, Congressman Ted Lieu, a Democrat from Los Angeles, wrote a letter to the House Oversight Committee requesting an investigation into Trump's cybersecurity practices. In particular, he calls out Trump's apparent decision to keep using his personal Android phone instead of a secured phone the Secret Service issued him for his inauguration. The letter is also signed by 14 other members of Congress and calls for a public hearing to discuss the issues. "The device President Trump insists on using -- most likely the Samsung Galaxy S3 -- has particularly well documented vulnerabilities," the letter says. "The use of an unsecured phone risks the president of the United States being monitored by foreign or domestic adversaries, many of whom would be happy to hijack the president's prized Twitter account causing disastrous consequences for global security. Cybersecurity experts universally agree that an ordinary Android smartphone, which the president is reportedly using despite repeated warnings from the Secret Service, can be easily hacked."
Encryption

Researchers Discover Security Problems Under the Hood of Automobile Apps (arstechnica.com) 26

An anonymous reader quotes a report from Ars Technica: Malware researchers Victor Chebyshev and Mikhail Kuzin examined seven Android apps for connected vehicles and found that the apps were ripe for malicious exploitation. Six of the applications had unencrypted user credentials, and all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps. The vulnerabilities looked at by the Kaspersky researchers focused not on vehicle communication, but on the Android apps associated with the services and the potential for their credentials to be hijacked by malware if a car owner's smartphone is compromised. All seven of the applications allowed the user to remotely unlock their vehicle; six made remote engine start possible (though whether it's possible for someone to drive off with the vehicle without having a key or RFID-equipped key fob present is unclear). Two of the seven apps used unencrypted user logins and passwords, making theft of credentials much easier. And none of the applications performed any sort of integrity check or detection of root permissions to the app's data and events -- making it much easier for someone to create an "evil" version of the app to provide an avenue for attack. While malware versions of these apps would require getting a car owner to install them on their device in order to succeed, Chebyshev and Kuzin suggested that would be possible through a spear-phishing attack warning the owner of a need to do an emergency app update. Other malware might also be able to perform the installation.
Yahoo!

Deleting Your Yahoo Email Account? Yeah, Good Luck With That (zdnet.com) 98

In the wake of security breach revelations, many of you might have considered deleting your Yahoo account. Many of you might be thinking about doing so soon. Heads up, it turns out, deleting a Yahoo email account isn't as straightforward as you may have imagined, and you again have Yahoo to blame for that. From a report on ZDNet: Several Yahoo users, who last year decided to leave the service, told us that their accounts remained open for weeks or months after the company said they would be closed. David Clarke was one of those departing users, whose dormant account was slowly accumulating junk over the past few years. "This was an ancient email I had set up, had no personal data in it anymore and had a unique password," writing about his troubles on Medium. "But it's a part of my digital footprint that I no longer required and decided, given the horrible security practices going on at Yahoo, to vote with my account and have it removed." Yahoo makes the account deletion process straightforward enough, but users have to wait "in most cases... approximately 90 days" for the account to close. The company says this is to "discourage users from engaging in fraudulent activity." On day 91, Clarke logged back into his account to find that it was still active. Unbeknownst to him, logging back in simply to check would reset the clock back to zero. "Yahoo confirmed via email yesterday if you access your account it resets the timer," he told me. "So, if you login to ensure your account has been deleted and it hasn't, you have to wait at least another 90 days."
Iphone

Apple's iPhone 8 To Replace Touch ID Home Button With 'Function Area' (appleinsider.com) 113

An anonymous reader quotes a report from Apple Insider: Apple will ditch the home button when it debuts a new 'iPhone 8' model later this year, and will dedicate the extra screen real estate to an area for virtual buttons, according to KGI analyst Ming-Chi Kuo. Adding detail to his previous predictions regarding the next-generation handset, Kuo in a note to investors obtained by AppleInsider said the full-screen design will allow Apple to integrate a "function" area never seen in an iPhone. The device is expected to adopt a 5.8-inch OLED panel in a form factor similar to the current 4.7-inch iPhone 7. Despite having extended screen real estate as compared to current iPhone models, the actual active display area on "iPhone 8" will be closer to 5.15 inches on the diagonal, with the remaining bottom portion dedicated to system functions like virtual buttons. While Kuo failed to elaborate on an exact implementation, the note suggests Apple plans to hardcode a set of always-on, static system controls into iOS. Whether the so-called "function area" is capable of switching to an active display mode for in-app activities like watching videos or playing games, remains to be seen. With the deletion of current Touch ID technology, Kuo believes "iPhone 8" will incorporate new bio-recognition assets to take over device security and Apple Pay authentication duties. The analyst did not offer predictions on the type of biometric tech Apple intends to use, but a report earlier today said the company could integrate a 3D laser scanning module capable of facilitating facial recognition and augmented reality applications. Kuo in a note last month said Apple might integrate a dual biometric system utilizing optical fingerprint readers and facial recognition hardware.
Government

Bipartisan Bill Seeks Warrants For Police Use of 'Stingray' Cell Trackers (usatoday.com) 111

Tulsa_Time quotes a report from USA Today: A bipartisan group of House and Senate lawmakers introduced legislation Wednesday requiring police agencies to get a search warrant before they can deploy powerful cellphone surveillance technology known as "stingrays" that sweep up information about the movements of innocent Americans while tracking suspected criminals. "Owning a smartphone or fitness tracker shouldn't give the government a blank check to track your movements," said Sen. Ron Wyden, D-Ore., a member of the Senate Intelligence Committee who introduced the bill with Reps. Jason Chaffetz, R-Utah, and John Conyers, D-Mich. "Law enforcement should be able to use GPS data, but they need to get a warrant. This bill sets out clear rules to make sure our laws keep up with the times." The legislation introduced Wednesday, called the Geolocation Privacy and Surveillance (GPS) Act, would require a warrant for all domestic law enforcement agencies to track the location and movements of individual Americans through GPS technology without their knowledge. It also aims to combat high-tech stalking by creating criminal penalties for secretly using an electronic device to track someone's movements.
Java

JavaScript Attack Breaks ASLR On 22 CPU Architectures (bleepingcomputer.com) 152

An anonymous reader quotes a report from BleepingComputer: Five researchers from the Vrije University in the Netherlands have put together an attack that can be carried out via JavaScript code and break ASLR protection on at least 22 microprocessor architectures from vendors such as Intel, AMD, ARM, Allwinner, Nvidia, and others. The attack, christened ASLRCache, or AnC, focuses on the memory management unit (MMU), a lesser known component of many CPU architectures, which is tasked with improving performance for cache management operations. What researchers discovered was that this component shares some of its cache with untrusted applications, including browsers. This meant that researchers could send malicious JavaScript that specifically targeted this shared memory space and attempted to read its content. In layman's terms, this means an AnC attack can break ASLR and allow the attacker to read portions of the computer's memory, which he could then use to launch more complex exploits and escalate access to the entire OS. Researchers have published two papers [1, 2] detailing the AnC attack, along with two videos[1, 2] showing the attack in action.
Security

Yahoo Notifying Users of Malicious Account Activity as Verizon Deal Progresses (techcrunch.com) 17

Kate Conger, writing for TechCrunch: Yahoo is continuing to issue warnings to users about several security incidents as it moves toward an acquisition by Verizon. Users are receiving notifications today about unauthorized access to their accounts in 2015 and 2016, which occurred due to previously disclosed cookie forging. "As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password. The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again," a Yahoo spokesperson told TechCrunch.
Businesses

IT Decisions Makers and Executives Don't Agree On Cyber Security Responsibility (betanews.com) 118

Sead Fadilpasic, writing for BetaNews: There's a severe disconnect between IT decision makers and C-suite executives when it comes to handling cyber attacks. Namely, both believe the other one is responsible for keeping a company safe. This is according to a new and extensive research by BAE Systems. A total of 221 C-suite executives and 984 IT decision-makers were polled or the report. According to the research, a third (35 percent) of C-suite executives believe IT teams are responsible for data breaches. On the other hand, 50 percent of IT decision makers would place that responsibility in the hands of their senior management. Cost estimates of a successful breach also differ. IT decision makers think it would set them back $19.2 million, while C-suite thinks of a lesser figure, $11.6m. C-level thinks a tenth (10 percent) of their company's IT budget is spent on cyber security, while IT decision makers think that's 15 percent. Also, 84 percent of C-suite, and 81 percent of IT teams believe they have the right protection set up.
Security

Russian Cyberspies Blamed For US Election Hacks Are Now Targeting Macs (computerworld.com) 249

You may recall "APT28", the Russian hacking group which was tied to last year's interference in the presidential election. It has long been known for its advanced range of tools for penetrating Windows, iOS, Android, and Linux devices. Now, researchers have uncovered an equally sophisticated malware package the group used to compromise Macs. From a report on ComputerWorld: The group -- known in the security industry under different names including Fancy Bear, Pawn Storm, and APT28 -- has been operating for almost a decade. It is believed to be the sole user and likely developer of a Trojan program called Sofacy or X-Agent. X-Agent variants for Windows, Linux, Android, and iOS have been found in the wild in the past, but researchers from Bitdefender have now come across what appears to be the first macOS version of the Trojan. It's not entirely clear how the malware is being distributed because the Bitdefender researchers obtained only the malware sample, not the full attack chain. However, it's possible a macOS malware downloader dubbed Komplex, found in September, might be involved. Komplex infected Macs by exploiting a known vulnerability in the MacKeeper antivirus software, according to researchers from Palo Alto Networks who investigated the malware at the time. The vulnerability allowed attackers to execute remote commands on a Mac when users visited specially crafted web pages.Further reading on ArsTechnica.
Microsoft

Microsoft Delays February Patch Tuesday Indefinitely (sans.edu) 88

UnderAttack writes: Microsoft today announced that it had to delay its February Patch Tuesday due to issues with a particular patch. This was also supposed to be the first Patch Tuesday using a new format, which led some to believe that even Microsoft had issues understanding how the new format is exactly going to work with no more simple bulletin summary and patches being released as large monolithic updates. Ars Technica notes the importance of this Patch Tuesday as "there's an in-the-wild zero-day flaw in SMB, Microsoft's file sharing protocol, that at the very least allows systems to be crashed." They also elaborate on the way Microsoft is "continuing to tune the way updates are delivered to Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2."
Transportation

Big Week For Drones: Dubai Permits Passenger-Carrying Drone; Kenya Finally Approves Commercial Use (apnews.com) 47

It's shaping up to be a major week for drone enthusiasts. A pilot-less drone designed to carry one passenger at a time is set to start making regular trips in Dubai later this year. In some other news, Kenya has joined the neighbor Rwanda in opening up its skies for commercial drone use. From an AP report: Up, up and away: Dubai hopes to have a passenger-carrying drone regularly buzzing through the skyline of this futuristic city-state in July. The arrival of the Chinese-made EHang 184 -- which already has had its flying debut over Dubai's iconic, sail-shaped Burj al-Arab skyscraper hotel -- comes as the Emirati city also has partnered with other cutting-edge technology companies, including Hyperloop One. The question is whether the egg-shaped, four-legged craft will really take off as a transportation alternative in this car-clogged city already home to the world's longest driverless metro line. From a Quartz report: Flying a drone will soon be legal in Kenya, which has effectively banned the use of unmanned aerial vehicles for anyone outside of the military for the past two years. A spokesperson for the Kenya Civil Aviation Authority (KCAA) said that draft regulations for the commercial use of drones had been approved by security officials. The agency said details of the law would be released soon. The approval comes as regulators elsewhere in Africa have tightened restrictions on UAVs. In Ghana, flying an unregistered drone is punishable by up to 30 years in jail. In Nigeria, operators require permits from the aviation authority as well as the office of the National Security Adviser (the process of getting a permit costs up to $4,000).
Microsoft

Microsoft Calls For 'Digital Geneva Convention' (usatoday.com) 139

Microsoft is calling for a digital Geneva Convention to outline protections for civilians and companies from government-sponsored cyberattacks. In comments Tuesday at the RSA security industry conference in San Francisco, Microsoft President and Chief Legal Officer Brad Smith said the rising trend of government entities wielding the internet as a weapon was worrying. From a report on USA Today: In the cyber realm, tech must be committed to "100% defense and zero percent offense," Smith said at the opening keynote at the RSA computer security conference. Smith called for a "digital Geneva Convention," like the one created in the aftermath of World War II which set ground rules for how conduct during wartime, defining basic rights for civilians caught up armed conflicts. In the 21st century such rules are needed "to commit governments to protect civilians from nation-state attacks in times of peace," a draft of Smith's speech released to USA TODAY said. This digital Geneva Convention would establish protocols, norms and international processes for how tech companies would deal with cyber aggression and attacks of nations aimed at civilian targets, which appears to effectively mean anything but military servers.
Databases

Story Of a Country Which Has Built a Centralized Biometrics Database Of 1.1B People But Appears To Be Mishandling It Now (mashable.com) 56

In a bid to get more Indians to have a birth certificate or any sort of ID card, India announced Aadhaar project in 2009. At the time, there were more Indians without these ID cards than those with. As a result of this, much of the government funding for the citizens were disappearing before they could see them. But according to several security experts, lawyers, politicians and journalists, the government is using poor security practices, and this is exposing the biometrics data -- photo, name, address, fingerprint, iris info -- of people at risk. More than 1.1 billion people -- and 99 percent of all adults -- in India have enrolled themselves to the system. From a report: "There are two fundamental flaws in Aadhaar: it is poorly designed, and it is being poorly verified," Member of Parliament and privacy advocate, Rajeev Chandrasekhar told Mashable India. Another issue with Aadhaar is, Chandrasekhar explains, there is no firm legislation to safeguard the privacy and rights of the billion people who have enrolled into the system. There's little a person whose Aadhaar data has been compromised could do. [...] "Aadhaar is remote, covert, and non-consensual," he told Mashable India, adding the existence of a central database of any kind, but especially in the context of the Aadhaar, and at the scale it is working is appalling. Abraham said fingerprint and iris data of a person can be stolen with little effort -- a "gummy bear" which sells for a few cents, can store one's fingerprint, while a high-resolution camera can capture one's iris data. The report goes on to say that the Indian government is also not telling how the data is being shared with private companies. Experts cited in the story have expressed concerns that those companies (some of which are run by people who were previously members of the team which designed the framework of Aadhaar) can store and create a parallel database of their own. On top of that, the government is making Aadhaar mandatory for availing several things including registration for nation-wide examinations, but in the beginning it promised Aadhaar will be used only to help poor get grocery at subsidized prices.
Security

Michael Flynn Resigns As Trump's National Security Adviser (go.com) 890

An anonymous reader quotes a report from ABC News: President Donald Trump's embattled national security adviser Michael Flynn, who faced questions about a call to the Russian ambassador prior to the inauguration, has resigned. Retired Army General Keith Kellogg was named acting national security adviser to replace Flynn. ABC News reported Monday that Flynn called Vice President Mike Pence on Friday to apologize for misleading him about his conversation with the ambassador in November. Flynn previously denied that he spoke about sanctions the U.S. imposed on Russia for its suspected interference in the 2016 election, a claim repeated by Pence in January. An administration official later claimed Pence was relying on information provided to him by Flynn. In his resignation later, Flynn cited the "fast pace of events" for "inadvertently" briefing "the Vice President Elect and others with incomplete information regarding [his] phone calls with the Russian Ambassador." You can view Flynn's full resignation letter, as provided by the White House, here.
Google

Engineers On Google's Self-Driving Car Project Were Paid So Much That They Quit (theverge.com) 95

According to a new report from Bloomberg, most of the money Google spent on it self-driving car project, now spun off into a new entity called Waymo, has gone to engineers and other staff. While it has helped retain a lot of influential and dedicated workers in the short run, it has resulted in many staffers leaving the company in the long run due to the immense financial security. The Verge reports: Bloomberg says that early staffers "had an unusual compensation system" that multiplied staffers salaries and bonuses based on the performance of the self-driving project. The payments accumulated as milestones were reached, even though Waymo remains years away from generating revenue. One staffer eventually "had a multiplier of 16 applied to bonuses and equity amassed over four years." The huge amounts of compensation worked -- for a while. But eventually, it gave many staffers such financial security that they were willing to leave the cuddly confines of Google. Two staffers that Bloomberg spoke to called it "F-you money," and the accumulated cash allowed them to depart Google for other firms, including Chris Urmson who co-founded a startup with ex-Tesla employee Sterling Anderson, and others who founded a self-driving truck company called Otto which was purchased by Uber last year, and another who founded Argo AI which received a $1 billion investment from Ford last week.

Slashdot Top Deals