Security

Iranian 'Game of Thrones' Hacker Demanded $6 Million Bitcoin Ransom From HBO, Feds Say (thedailybeast.com) 10

Anonymous readers share a report: The Department of Justice on Tuesday charged an Iranian national with allegedly hacking into HBO, dumping a selection stolen files, and attempting to extort the company by ransoming a treasure trove of the company's content. This summer, hackers released a bevy of internal HBO files, included scripts for Game of Thrones and full, unaired episodes of other shows. Behzad Mesri, aka "Skote Vahshat," at one point worked for the Iranian military to break into military and nuclear systems, as well as Israeli infrastructure, according to the newly released complaint. Under his Vahshat pseudonym, Mesri also defaced hundreds of websites in the U.S. and around the world, the complaint adds. Mesri started his hacking campaign in around May 2017, according to the complaint, probing HBO's systems and employees for weaknesses. Mesri managed to compromise multiple HBO employee accounts as well as other authorized users; from here, he allegedly stole confidential and proprietary information. These included unaired episodes of Ballers, Barry, Room 104, Curb Your Enthusiasm, and The Deuce, as well as scripts for Game of Thrones. Indeed, the hacker behind the HBO breach publicly dumped much of this material online this summer.
Security

Intel: We've Found Severe Bugs in Secretive Management Engine, Affecting Millions (zdnet.com) 147

Liam Tung, writing for ZDNet: Thanks to an investigation by third-party researchers into Intel's hidden firmware in certain chips, Intel decided to audit its firmware and on Monday confirmed it had found 11 severe bugs that affect millions of computers and servers. The flaws affect Management Engine (ME), Trusted Execution Engine (TXE), and Server Platform Services (SPS). Intel discovered the bugs after Maxim Goryachy and Mark Ermolov from security firm Positive Technologies found a critical vulnerability in the ME firmware that Intel now says would allow an attacker with local access to execute arbitrary code. The researchers in August published details about a secret avenue that the US government can use to disable ME, which is not available to the public. Intel ME has been a source of concern for security-minded users, in part because only Intel can inspect the firmware, yet many researchers suspected the powerful subsystem had bugs that were ripe for abuse by attackers.
Privacy

Over 400 of the World's Most Popular Websites Record Your Every Keystroke (vice.com) 224

An anonymous reader quotes a report from Motherboard: The idea of websites tracking users isn't new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled "No Boundaries," three researchers from Princeton's Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world's most popular websites track your every keystroke and then send that information to a third-party server. Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered in is still recorded, according to the researchers' findings. If you accidentally paste something into a form that was copied to your clipboard, it's also recorded. These scripts, or bits of code that websites run, are called "session replay" scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don't just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don't run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions. Most troubling is that the information session replay scripts collect can't "reasonably be expected to be kept anonymous," according to the researchers.
Security

Why Hackers Reuse Malware (helpnetsecurity.com) 25

Orome1 shares a report from Help Net Security: Software developers love to reuse code wherever possible, and hackers are no exception. While we often think of different malware strains as separate entities, the reality is that most new malware recycles large chunks of source code from existing malware with some changes and additions (possibly taken from other publicly released vulnerabilities and tools). This approach makes sense. Why reinvent the wheel when another author already created a working solution? While code reuse in malware can make signature-based detection methods more effective in certain cases, more often than not it frees up time for attackers to do additional work on detection avoidance and attack efficacy -- which can create a more dangerous final product.

There are multiple reasons why hackers reuse code when developing their own malware. First, it saves time. By copying code wherever possible, malware authors have more time to focus on other areas, like detection avoidance and attribution masking. In some cases, there may be only one way to successfully accomplish a task, such as exploiting a vulnerability. In these instances, code reuse is a no-brainer. Hacker also tend to reuse effective tactics such as social engineering, malicious macros and spear phishing whenever possible simply because they have a high rate of success.

Spam

Spam Is Back (theoutline.com) 145

Jon Christian, writing for The Outline: For a while, spam -- unsolicited bulk messages sent for commercial or fraudulent purposes -- seemed to be fading away. The 2003 CAN-SPAM Act mandated unsubscribe links in email marketing campaigns and criminalized attempts to hide the sender's identity, while sophisticated filters on what were then cutting-edge email providers like Gmail buried unwanted messages in out-of-sight spam folders. In 2004, Microsoft co-founder Bill Gates told a crowd at the World Economic Forum that "two years from now, spam will be solved." In 2011, cybersecurity reporter Brian Krebs noted that increasingly tech savvy law enforcement efforts were shutting down major spam operators -- including SpamIt.com, alleged to be a major hub in a Russian digital criminal organization that was responsible for an estimated fifth of the world's spam. These efforts meant that the proportion of all emails that are spam has slowly fallen to a low of about 50 percent in recent years, according to Symantec research.

But it's 2017, and spam has clawed itself back from the grave. It shows up on social media and dating sites as bots hoping to lure you into downloading malware or clicking an affiliate link. It creeps onto your phone as text messages and robocalls that ring you five times a day about luxury cruises and fictitious tax bills. Networks associated with the buzzy new cryptocurrency system Ethereum have been plagued with spam. Facebook recently fought a six-month battle against a spam operation that was administering fake accounts in Bangladesh, Indonesia, Saudi Arabia, and other countries. Last year, a Chicago resident sued the Trump campaign for allegedly sending unsolicited text message spam; this past November, ZDNet reported that voters were being inundated with political text messages they never signed up for. Apps can be horrid spam vectors, too. Repeated mass data breaches that include contact information, such as the Yahoo breach in which 3 billion user accounts were exposed, surely haven't helped. Meanwhile, you, me, and everyone we know is being plagued by robocalls.

Security

Security Problems Are Primarily Just Bugs, Linus Torvalds Says (iu.edu) 255

Linus Torvalds, in his signature voice: Some security people have scoffed at me when I say that security problems are primarily "just bugs." Those security people are f*cking morons. Because honestly, the kind of security person who doesn't accept that security problems are primarily just bugs, I don't want to work with. Security firm Errata Security has defended Linus's point of view.
Google

Critics Debate Autism's Role in James Damore's Google Memo (themarysue.com) 336

James Damore "wants you to know he isn't using autism as an excuse," reports a Silicon Valley newspaper, commenting on the fired Google engineer's new interview with the Guardian. But they also note that "he says being on the spectrum means he 'sees things differently'," and the weekend editor at the entertainment and "geek culture" site The Mary Sue sees a problem in the way that interview was framed. It's the author of this Guardian article, not James Damore himself, who makes the harmful suggestion that Damore's infamous Google memo and subsequent doubling-down are somehow caused by his autism... It frames autism as some sort of basic decency deficiency, rather than a neurological condition shared by millions of people.... This whole article is peppered with weird suggestions like this, suggestions which detract from an otherwise interesting piece.. All these weird suggestions that autism and misogyny/bigotry are somehow tied (as if autistic feminists didn't exist) do unfortunately detract from one of the article's great points.

Having worked at a number of companies large and small, I can at least anecdotally confirm that their diversity training rarely includes a discussion of neurodiversity, and when it does, it's not particularly empathetic or helpful... Many corporate cultures are plainly designed for neurotypical extroverts and no one else -- and that should change. I really do think Lewis meant well in pointing that out. But the other thing that should change? The way the media scapegoats autism as a source of anti-social behavior.

Iphone

10-Year-Old Boy Cracks the Face ID On Both Parents' IPhone X (wired.com) 290

An anonymous reader writes: A 10-year-old boy discovered he could unlock his father's phone just by looking at it. And his mother's phone too. Both parents had just purchased a new $999 iPhone X, and apparently its Face ID couldn't tell his face from theirs. The unlocking happened immediately after the mother told the son that "There's no way you're getting access to this phone."

Experiments suggest the iPhone X was confused by the indoor/nighttime lighting when the couple first registered their faces. Apple's only response was to point to their support page, which states that "the statistical probability is different...among children under the age of 13, because their distinct facial features may not have fully developed. If you're concerned about this, we recommend using a passcode to authenticate." The boy's father is now offering this advice to other parents. "You should probably try it with every member of your family and see who can access it."

And his son just "thought it was hilarious."

Businesses

In Defense of Project Management For Software Teams (techbeacon.com) 159

mikeatTB writes: Many Slashdotters weighed in on Steven A. Lowe's post, "Is Project Management Killing Good Products, Teams and Software?", where he slammed project management and called for product-centrism. Many commenters pushed back, but one PM, Yvette Schmitter, has fired back with a scathing response post, noting: "As a project manager, I'm saddened to see that project management and project managers are getting a bad rap from both ends of the spectrum. Business tends not to see the value in them, and developers tend to believe their own 'creativity' is being stymied by them. Let's set the record straight: Project management is a prized methodology for delivering on leadership's expectations.

"The success of the methodology depends on the quality of the specific project manager..." she continues. "If the project is being managed correctly by the project manager/scrum master, that euphoric state that developers want to get to can be achieved, along with the project objectives -- all within the prescribed budget and timeline. Denouncing an entire practice based on what appears to be a limited, misaligned application of the correct methodology does not make all of project management and all project managers bad."

How do Slashdot readers feel about project management for software teams?
Security

'Lazy' Hackers Exploit Microsoft RDP To Install Ransomware (sophos.com) 72

An anonymous reader writes: An investigation by Sophos has uncovered a new, lazy but effective ransomware attack where hackers brute force passwords on computers with [Microsoft's] Remote Desktop Protocol enabled, use off-the-shelf privilege escalation exploits to make themselves admins, turn off security software and then manually run fusty old versions of ransomware.
They even delete the recovery files created by Windows Live backup -- and make sure they can also scramble the database. "Because they've used their sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet 'for free'."

Most of the attacks hit small-to-medium companies with 30 or fewer employees, since "with small scale comes a dependence on external IT suppliers or 'jack-of-all-trades' IT generalists trying to manage cybersecurity along with many other responsibilities. In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff."
Iphone

Apple Fixes the iPhone X 'Unresponsive When It's Cold' Bug (arstechnica.com) 42

An anonymous reader quotes Ars Technica: Apple released iOS 11.1.2 for iPhones and iPads Thursday afternoon. It's a minor, bug-fix update that benefits iPhone X users who encountered issues after acquiring the new phone just under two weeks ago... The update fixes just two problems. The first is "an issue where the iPhone X screen becomes temporarily unresponsive to touch after a rapid temperature drop." Last week, some iPhone X owners began reporting on Reddit and elsewhere that their touchscreens became temporarily unresponsive when going outside into the cold... The update also "addresses an issue that could cause distortion in Live Photos and videos captured with iPhone X."
The article notes that the previous update "fixed a strange and widely mocked autocorrect bug that turned the letter 'i' into strange characters."

"To date, iOS 11's updates have largely been bug fixes."
Google

'I See Things Differently': James Damore on his Autism and the Google Memo (theguardian.com) 664

"James Damore opens up about his regrets -- and how autism may have shaped his experience of the world," writes the west coast bureau chief for the Guardian. An anonymous reader quotes their report: The experience has prompted some introspection. In the course of several weeks of conversation using Google's instant messaging service, which Damore prefers to face-to-face communication, he opened up about an autism diagnosis that may in part explain the difficulties he experienced with his memo. He believes he has a problem understanding how his words will be interpreted by other people... It wasn't until his mid-20s, after completing research in computational biology at Princeton and MIT, and starting a PhD at Harvard, that Damore was diagnosed with autism, although he was told he had a milder version of the condition known as "high-functioning autism"...

Damore argues that Google's focus on avoiding "micro-aggressions" is "much harder for someone with autism to follow". But he stops short of saying autistic employees should be given more leniency if they unintentionally offend people at work. "I wouldn't necessarily treat someone differently," he explains. "But it definitely helps to understand where they're coming from." I ask Damore if, looking back over the last few months, he feels that his difficult experience with the memo and social media may be related to being on the spectrum. "Yeah, there's definitely been some self-reflection," he says. "Predicting controversies requires predicting what emotional reaction people will have to something. And that's not something that I excel at -- although I'm working on it."

Transportation

DJI Threatens Researcher Who Reported Exposed Cert Key, Credentials, and Customer Data (arstechnica.com) 81

An anonymous reader quotes Ars Technica: DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback -- including a threat of charges under the Computer Fraud and Abuse Act. DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."

The company says they're now investigating "unauthorized access of one of DJI's servers containing personal information," adding that "the hacker in question" refused to agree to their terms and shared "confidential communications with DJI employees."
IBM

Tech Companies Try Apprenticeships To Fill The Tech Skills Gap (thehill.com) 123

Slashdot reader jonyen writes: For generations, apprenticeships have been the way of working life; master craftsmen taking apprentices under their wing, teaching them the tools of the trade. This declined during the Industrial Revolution as the advent of the assembly line enabled mass employment for unskilled laborers. The master-apprentice model went further out of focus as higher education and formal training became increasingly more valuable.

Fast forward to the 21st century, where employers are turning back the page to apprenticeships in an effort to fill a growing skills gap in the labor force in the digital age. Code.org estimates there will be a million unfulfilled tech jobs by 2020.

jonyen shared this article by IBM's Vice President of Talent:IBM is committed to addressing this shortage and recently launched an apprenticeship program registered with the US Department of Labor, with a plan to have 100 apprentices in 2018. ... Other firms have taken up the apprenticeship challenge as well. Salesforce CEO Marc Benioff, for example, has called for creating 5 million American apprentices in the next five years.

An apprenticeship offers the chance for Americans to get the formal education they need, whether through a traditional university, a community college or a trade school, while getting something else: On-the-job experience and an income... Right now, there are more than 6 million jobs in the U.S. that are going unfilled because employers can't find candidates with the right skills, according to the Labor Department.

IBM says their apprentices "are on their way to becoming software developers in our Cloud business and mainframe administrators for technologies like Blockchain, and we will add new apprenticeships in data analytics and cybersecurity as we replicate the program across the U.S."

"Ninety-one percent of apprentices in the U.S. find employment after completing their program, and their average starting wage is above $60,000."
Bug

iPhone X Owners Experience 'Crackling' or 'Buzzing' Sounds From Earpiece Speaker (macrumors.com) 104

MacRumors reports: A limited but increasing number of iPhone X owners claim to be experiencing so-called "crackling" or "buzzing" sounds emanating from the device's front-facing earpiece speaker at high or max volumes. Over two dozen users have said they are affected in a MacRumors discussion topic about the matter, while similar reports have surfaced on Twitter and Reddit since the iPhone X launched just over a week ago. On affected devices, the crackling sounds occur with any kind of audio playback, including phone calls, music, videos with sound, alarms, and ringtones. The issue doesn't appear to be limited to any specific iPhone X configuration or iOS version.
"The speakerphone for an $1100 phone should be at least as good as it was on the iPhone 6 and 7," complained one user, "but instead, it's crackly, edgy and buzzy."

"I believe we all knew the iPhone X would be highly scrutinized," writes Slashdot reader sqorbit, "but the reported problems appear to be stacking up."
The Military

Massive US Military Social Media Spying Archive Left Wide Open In AWS S3 Buckets (theregister.co.uk) 84

An anonymous reader quotes a report from The Register: Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing "dozens of terabytes" of social media posts and similar pages -- all scraped from around the world by the U.S. military to identify and profile persons of interest. The archives were found by veteran security breach hunter UpGuard's Chris Vickery during a routine scan of open Amazon-hosted data silos, and these ones weren't exactly hidden. The buckets were named centcom-backup, centcom-archive, and pacom-archive. CENTCOM is the common abbreviation for the U.S. Central Command, which controls army operations in the Middle East, North Africa and Central Asia. PACOM is the name for U.S. Pacific Command, covering the rest of southern Asia, China and Australasia.

"For the research I downloaded 400GB of samples but there were many terabytes of data up there," he said. "It's mainly compressed text files that can expand out by a factor of ten so there's dozens and dozens of terabytes out there and that's a conservative estimate." Just one of the buckets contained 1.8 billion social media posts automatically fetched over the past eight years up to today. It mainly contains postings made in central Asia, however Vickery noted that some of the material is taken from comments made by American citizens. The databases also reveal some interesting clues as to what this information is being used for. Documents make reference to the fact that the archive was collected as part of the U.S. government's Outpost program, which is a social media monitoring and influencing campaign designed to target overseas youths and steer them away from terrorism.

Security

Windows 8 and Later Fail To Properly Apply ASLR (bleepingcomputer.com) 62

An anonymous reader writes: Windows 8, Windows 8.1, and subsequent Windows 10 variations fail to properly apply ASLR, rendering this crucial Windows security feature useless. The bug appeared when Microsoft changed a registry value in Windows 8 and occurs only in certain ASLR configuration modes. Basically, if users have enabled system-wide ASLR protection turned on, a bug in ASLR's implementation on Windows 8 and later will not generate enough entropy (random data) to start application binaries in random memory locations. For ASLR to work properly, users must configure it to work in a system-wide bottom-up mode. An official patch from Microsoft is not available yet, but a registry hack can be applied to make sure ASLR starts in the correct mode.

The bug was discovered by CERT vulnerability analyst Will Dormann while investigating a 17-years-old bug in the Microsoft Office equation editor, to which Microsoft appears to have lost the source code and needed to patch it manually.

Privacy

Germany Bans Children's Smartwatches (bbc.com) 44

A German regulator has banned the sale of smartwatches aimed at children, describing them as spying devices. From a report: It had previously banned an internet-connected doll called, My Friend Cayla, for similar reasons. Telecoms regulator the Federal Network Agency urged parents who had such watches to destroy them. One expert said the decision could be a "game-changer" for internet-connected devices. "Poorly secured smart devices often allow for privacy invasion. That is really concerning when it comes to kids' GPS tracking watches - the very watches that are supposed to help keep them safe," said Ken Munro, a security expert at Pen Test Partners.
Social Networks

Report Claims That 18 Nation's Elections Were Impacted By Social Engineering Last Year (bbc.com) 235

sqorbit writes: Independent watchdog group Freedom House released a report that claims that 18 nation's elections were "hacked." Of the 65 countries that Freedom House monitors, 30 appear to be using social media in order to affect elections by attempting to control online discussions. The report covers fake news posts, paid online opinion writers and trolling tactics. Other items in the report speak to online censorship and VPN blocking that blocks information within countries to interfere with elections. The report says net freedom could be aided by: large-scale programs that showed people how to spot fake news; putting tight controls on political adverts; and making social media giants do more to remove bots and tune algorithms to be more objective.
Security

Bluetooth Hack Affects 20 Million Amazon Echo, Google Home Devices (thehackernews.com) 40

In September, security researchers discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. We have now learned that an estimated 20 million Amazon Echo and Google Home devices are also vulnerable to attacks leveraging the BlueBorne vulnerabilities. The Hacker News reports: Amazon Echo is affected by the following two vulnerabilities: a remote code execution vulnerability in the Linux kernel (CVE-2017-1000251); and an information disclosure flaw in the SDP server (CVE-2017-1000250). Since different Echo's variants use different operating systems, other Echo devices are affected by either the vulnerabilities found in Linux or Android. Whereas, Google Home devices are affected by one vulnerability: information disclosure vulnerability in Android's Bluetooth stack (CVE-2017-0785). This Android flaw can also be exploited to cause a denial-of-service (DoS) condition. Since Bluetooth cannot be disabled on either of the voice-activated personal assistants, attackers within the range of the affected device can easily launch an attack. The security firm [Armis, who disclosed the issue] notified both Amazon and Google about its findings, and both companies have released patches and issued automatic updates for the Amazon Echo and Google Home that fixes the BlueBorne attacks.

Slashdot Top Deals