aggregator

Last week, NordVPN disclosed a server hack that leaked crypto keys. While the scope of the breach is still being determined, Ars Technica's Dan Goodin reports that NordVPN users' passwords were exposed and at least one site still features user credentials, which include email addresses, plain-text passwords, and expiration dates associated with the accounts. An anonymous Slashdot reader shares an excerpt from his report: I received a list of 753 credentials on Thursday and polled a small sample of users. The passwords listed for all but one were still in use. The one user who had changed their password did so after receiving an unrequested password reset email. It would appear someone who gained unauthorized access was trying to take over the account. Several other people said their accounts had been accessed by unauthorized people. Over the past week, breach notification service Have I Been Pwned has reported at least 10 lists of NordVPN credentials similar to the one I obtained. While it's likely that some accounts are listed in multiple lists, the number of user accounts easily tops 2,000. What's more, a large number of the email addresses in the list I received weren't indexed at all by Have I Been Pwned, indicating that some compromised credentials are still leaking into public view. Most of the Web pages that host these credentials have been taken down, but at the time this post was going live, at least one remained available on Pastebin, despite the fact Ars brought it to NordVPN's attention more than 17 hours earlier. Without exception, all of the plain-text passwords are weak. In some cases, they're the string of characters to the left of the @ sign in the email address. In other cases, they're words found in most dictionaries. Others appear to be surnames, sometimes with two or three numbers tacked onto the end. These common traits mean that the most likely way these passwords became public is through credential stuffing. That's the term for attacks that take credentials divulged in one leak to break into other accounts that use the same username and password. Attackers typically use automated scripts to carry out these attacks.

Read more of this story at Slashdot.

Amazon must decide soon if it will protest the Pentagon's awarding of a $10 billion cloud computing contract to rival Microsoft, with one possible grievance being the unusual attention given the project by President Donald Trump. From a report: Amazon was long thought to be the front-runner in the competition for the huge military contract. Its Amazon Web Services division is far ahead of second-place Microsoft in cloud computing, and Amazon has experience handling highly classified government data. It survived earlier legal challenges after the Defense Department eliminated rival bidders Oracle and IBM and whittled the competition down to the two Seattle area tech giants before choosing Microsoft last week. And what else distinguishes the losing bidder? Amazon and its CEO Jeff Bezos, who also owns The Washington Post, have been frequent targets of Trump's criticism. The Pentagon was preparing to make its final decision when Trump publicly waded into the fray in July, saying he had heard complaints about the process and that the administration would "take a very long look." He said other companies told him that the contract "wasn't competitively bid." Oracle, in particular, had argued that Pentagon officials unfairly favored Amazon for the winner-take-all contract.

Read more of this story at Slashdot.

The U.S. government has launched a national security review of TikTok owner ByteDance's $1 billion acquisition of U.S. social media app Musical.ly, Reuters reported on Friday, citing people familiar with the matter. From the report: While the $1 billion acquisition was completed two years ago, U.S. lawmakers have been calling in recent weeks for a national security probe into TikTok, concerned the Chinese company may be censoring politically sensitive content, and raising questions about how it stores personal data. TikTok has been growing more popular among U.S. teenagers at a time of growing tensions between the United States and China over trade and technology transfers. About 60% of TikTok's 26.5 million monthly active users in the United States are between the ages of 16 and 24, the company said earlier this year. The Committee on Foreign Investment in the United States (CFIUS), which reviews deals by foreign acquirers for potential national security risks, has started to review the Musical.ly deal, the sources said. TikTok did not seek clearance from CFIUS when it acquired Musical.ly, they added, which gives the U.S. security panel scope to investigate it now.

Read more of this story at Slashdot.

Incognito Mode for Google Maps is rolling out to Android users to prevent your search queries and real-time tracked location from being recorded onto your Google account. Engadget reports: It's not something you'll want to use all the time as some features will be disabled, and it's important to note that it doesn't turn off all tracking. The places you go won't be saved to your Location History (if you have that enabled), your searches won't be saved to your account and it won't use your information to personalize the experience. Still, you could be tracked by internet service providers, other apps, or if you're using Assistant and other Google services. Similar to incognito on Chrome, it's more useful as a depersonalized look at recommendations than as a full-fledged privacy protector, and a way to make sure that whatever you're searching for in this instance doesn't affect your recommendations later -- don't worry, we're not judging.

Read more of this story at Slashdot.

An anonymous reader quotes a report from CBS News: New details about how Uber responded to a massive hack attack in 2016 raise questions about the way it handled sensitive customer information. Instead of reporting the hackers to police, the company allegedly paid $100,000 in exchange for a promise to delete 57 million user files the men stole off a third party server, prosecutors said. Within weeks of paying the ransom, Uber employees showed up at Brandon Glover's Winter Park, Florida, home and found Vasile Mereacre at a hotel restaurant in Toronto, Canada, the Justice Department said. The pair admitted their crimes, but Uber didn't turn them over to the cops. Instead, they had the hackers sign non-disclosure agreements, promising to keep quiet. The two hackers pleaded guilty on Wednesday. But there was a third person involved who was unknown to Uber, U.S. attorney for Northern California Dave Anderson told CBS News correspondent Kris Van Cleave in an exclusive interview. Anderson, who investigated the hack, said there's "no way to know definitively" what actually happened to the stolen data. [...] The hackers also targeted a company owned by LinkedIn in December of 2016, but prosecutors say LinkedIn did not pay and promptly reported the hack to police. Uber eventually did as well -- a year after the hack, when new CEO, Dara Khosrowshahi, publicly disclosed the attack. The two known hackers were eventually arrested and pleaded guilty on Wednesday to conspiracy to commit extortion charges. They face a maximum of five years in prison. The third person involved remains at large.

Read more of this story at Slashdot.

The Interior Department is grounding its entire fleet of aerial drones (Warning: source paywalled; alternative source), one of the largest in the federal government, citing increasing concerns about the national security risk from Chinese manufacturers. The Wall Street Journal reports: The department has more than 800 drones, all of which are either made in China or have Chinese parts, according to a person familiar with the matter. The machines are used to fight forest fires, survey erosion, monitor endangered species and inspect dams. Under an order from Interior Secretary David Bernhardt on Wednesday, the drones will be grounded until the department completes a review of potential security risks of Chinese drones, said department spokesman Nick Goodwin. Exceptions will be made for emergency situations, including natural disasters or when lives are threatened, Mr. Goodwin said. Officials worry that U.S. reliance on Chinese drones might be putting critical infrastructure at risk. They are concerned the drones may be sending information back to the Chinese government or hackers elsewhere to use for cyberattacks or other offenses. The Interior Department's decision is one of the biggest responses yet and may be the only total fleet shutdown in the federal government. It is not coordinating with the White House or other federal agencies.

Read more of this story at Slashdot.

The streaming giant is having to navigate different political and moral landscapes, and calls for government oversight, as it seeks subscribers worldwide. From a report: In September, Netflix released a trailer for the "Breaking Bad" sequel "El Camino." In it, a character sits in a car, lights a cigarette and holds it out the window, its orange tip glowing. The next day, Netflix Turkey released its own version. In it, the character sparks a lighter and puts his hand out of the window. But there's a difference: The cigarette has been edited out. It wasn't the first time Netflix had censored one of its trailers here. In January, the streaming giant edited one for "Sex Education," a series about a teenage sex therapist, to blur a character's hands so you couldn't see the raised middle fingers. These changes may seem small, but they are a sign of Netflix trying to get ahead of regulation it could soon face in Turkey. [...] In Turkey, and in other countries, Netflix must navigate different political and moral landscapes, and calls for censorship, as it expands worldwide. Its 2018 annual report lists both "censorship" and "the need to adapt our content and users interfaces for specific cultural and language differences" as business risks. India is another country where Netflix has been embroiled in debates around regulation and censorship. In 2017, the company offered viewers "Angry Indian Goddesses," a movie that had been released in Indian theaters in a censored form to avoid offending religious sensibilities.ï Netflix, which is not subject to India's movie theater code, initially showed the censored version anyway, to avoid a backlash from religious viewers. But complaints came instead from viewers who wanted to see the movie uncut. Netflix made that version available and released a statement: "Our members reached out to us and we listened."

Read more of this story at Slashdot.

Senior government officials in multiple U.S.-allied countries were targeted earlier this year with hacking software that used Facebook's WhatsApp to take over users' phones, Reuters reported Thursday, citing people familiar with the messaging company's investigation. From a report: Sources familiar with WhatsApp's internal investigation into the breach said a "significant" portion of the known victims are high-profile government and military officials spread across at least 20 countries on five continents. The hacking of a wider group of top government officials' smartphones than previously reported suggests the WhatsApp cyber intrusion could have broad political and diplomatic consequences. WhatsApp filed a lawsuit on Tuesday against Israeli hacking tool developer NSO Group. The Facebook-owned software giant alleges that NSO Group built and sold a hacking platform that exploited a flaw in WhatsApp-owned servers to help clients hack into the cellphones of at least 1,400 users. While it is not clear who used the software to hack officials' phones, NSO says it sells its spyware exclusively to government customers.

Read more of this story at Slashdot.

The American Civil Liberties Union on Thursday sued the Justice Department, the Drug Enforcement Administration and the FBI for records detailing their use of facial-recognition software, arguing that the agencies have secretly implemented a nationwide surveillance technology that threatens Americans' privacy and civil rights. From a report: ACLU attorneys asked a federal court in Massachusetts to order the agencies to release documents about how the government uses and audits the software, how officials have communicated with companies that provide the software, and what internal guidelines and safeguards regulate its use. "These technologies have the potential to enable undetectable, persistent, and suspicion-less surveillance on an unprecedented scale," the attorneys wrote. "Such surveillance would permit the government to pervasively track people's movements and associations in ways that threaten core constitutional values."

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: A day after Facebook-owned WhatsApp sued NSO Group, the social media platform has permanently deleted the accounts of employees who work at the Israel-based spyware maker, according to message boards and a security researcher who spoke to one worker. "Your account has been deleted for not following our terms," said a message sent to one employee by Facebook-owned Instagram. "You won't be able to log into this account, and no one else will be able to see it. We're unable to restore accounts that are deleted for these types of violations." A message board popular in Israel indicated that the deletion was widespread. "I had just personally verified it (I have friends working there)," one person wrote. "Ninety-eight percent of the company employees were blocked." Another person who claimed to work at NSO responded to say he or she hadn't been blocked. Another person claiming to be an NSO employee complained bitterly on LinkedIn. An Israel-based security researcher who spoke to an NSO employee said the deletions affected a much smaller percentage of the company's employees and didn't involve WhatsApp accounts.

Read more of this story at Slashdot.

Google is facing a backlash over an internal tool for the company's Chrome browser that some employees worry is intended for spying on workers organizing protests and discussing workplace issues. From a report: To get around using the tool, some employees have turned to third-party browsers. That's prompted at least one security engineer at Google to voice concern over the possible vulnerabilities that using outside software could bring. The tool is a software extension for Google's Chrome browser, which is installed on all employee computers. It's designed to activate when workers create calendar events that include more than 100 people or use more than 10 rooms. Google said the tool is a pop-up reminder that asks people to "be mindful" before setting up large meetings. But some employees have accused Google management of trying to keep tabs on big gatherings. Google has called those claims "categorically false" and said the purpose of the tool is to cut down on calendar spam. To avoid the extension, employees are encouraging each other to use browsers other than Chrome, a Google security engineer wrote in an internal forum, screenshots of which were reviewed by CNET. Those browsers include Chromium, the open-source browser foundation on which Google Chrome is built, the engineer wrote, adding that people shifting to other browsers "has an impact on overall security of this fleet."

Read more of this story at Slashdot.

An anonymous reader quotes a report from The New York Times: Riding a bicycle in New York City is often a harrowing journey across a patchwork of bike lanes that leave cyclists vulnerable to cars. The dangers came into focus this year after 25 cyclists were killed on city streets -- the highest toll in two decades. Now Mayor Bill de Blasio and the City Council have agreed on a $1.7 billion plan that would sharply expand the number of protected bike lanes as part of a sweeping effort to transform the city's streetscape and make it less perilous for bikers. Its chief proponent, Corey Johnson, the City Council speaker, calls it nothing less than an effort to "break the car culture.'' Such ambitions show how far New York has come since around 2007 when the city, under Mayor Michael R. Bloomberg, started aggressively taking away space for cars by rolling out bike lanes and pedestrian plazas. Under pressure from the City Council, the city would be required to build 250 miles of protected bike lanes in the coming years, along with a dizzying list of other street upgrades that safety advocates have long called for. The city now has about 1,250 miles of bike lanes, including 126 miles on city streets that are protected, meaning that a barrier separates the lanes from vehicles. The bill calls for the Transportation Department to release a plan every five years to make streets safer and to prioritize public transit, starting in December 2021. The city must hit targets every year, including building 150 miles of bus lanes that are physically separated from other traffic lanes or monitored by cameras over five years.

Read more of this story at Slashdot.

A New Jersey district court has issued a devastating order against Strike 3 Holdings, the most active filer of piracy lawsuits in the US. In four separate cases, the court denied a request to obtain identities of alleged BitTorrent pirates. The court argues that the underlying complaints are futile. Even if they held up, other issues such as the privacy of the accused and Strike 3's failure to use other enforcement tools, would warrant a denial. TorrentFreak reports: Last week, New Jersey District Court Magistrate Judge Joel Schneider denied Strike 3 expedited discovery in four cases. This means that it's not allowed to subpoena ISPs for the personal details of account holders whose IP-addresses were used to share pirated videos via BitTorrent. In a very detailed 47-page opinion, the Judge takes apart various aspects of Strike 3's enforcement efforts. He makes it clear that these cases should not be allowed to go forward, as the complaints are futile. "The most fundamental basis of the Court's decision is its conclusion that, as pleaded, Strike 3's complaints are futile. The Court denies Strike 3 the right to bootstrap discovery based on a complaint that does not pass muster," Judge Schneider writes. The futility lies in the fact that the complaints themselves include very few facts. The only thing that the company really knows is that an IP address is associated with downloading copyrighted works. Strike 3 doesn't know whether the subscriber is involved in the actual infringements. Courts have previously ruled both in favor and against allowing discovery to expose the account holders in these situations, but the New Jersey Court clearly sides with the latter. "The Court sided with the cases that hold it is not sufficient to merely allege in a pleading that the defendant is a subscriber of an IP address traced to infringing activity. Consequently, the Court will not authorize Strike 3 to take discovery premised on a futile John Doe complaint." The decision is partly based on the aforementioned "Cobbler" ruling of the Ninth Circuit Court of Appeals. However, the Court makes it clear that even if there was a properly pleaded infringement claim, the requests for expedited discovery would still be denied. In the opinion, Judge Schneider sums up the other issues as follows: (1) Strike 3 bases its complaints on unequivocal affirmative representations of alleged facts that it does not know to be true. (2) Strike 3's subpoenas are misleading and create too great of an opportunity for misidentification. (3) The linchpin of Strike 3's good cause argument, that expedited discovery is the only way to stop infringement of its works, is wrong. (4) Strike 3 has other available means to stop infringement besides suing individual subscribers in thousands of John Doe complaints. (5) The deterrent effect of Strike 3's lawsuits is questionable. (6) Substantial prejudice may inure to subscribers who are misidentified. (7) Strike 3 underestimates the substantial interest subscribers have in the constitutionally protected privacy of their subscription information.

Read more of this story at Slashdot.

Facebook on Tuesday sued Israeli cyber surveillance firm NSO Group, alleging it hacked users of its messaging platform WhatsApp earlier this year. From a report: The hacking spree targeted journalists, diplomats, human rights activists, political dissidents, senior government officials and others, Facebook said in its lawsuit, filed in U.S. District Court in San Francisco. Facebook-owned WhatsApp, which is also a plaintiff in the lawsuit, said in a statement that it believed the attack "targeted at least 100 members of civil society, which is an unmistakable pattern of abuse." Facebook is seeking to have NSO barred from accessing or attempting to access WhatsApp and Facebook's services and is seeking unspecified damages. NSO's alleged use of a flaw in WhatsApp to hijack phones caused international consternation when it was made public in May of this year. NSO at the time said in a statement that it would investigate any "credible allegations of misuse" of its technology. WhatsApp said the attack exploited its video calling system in order to send malware to the mobile devices of a number of users. Further reading: Will Cathcart, head of WhatsApp, elaborates why WhatsApp is pushing back on NSO Group hacking.

Read more of this story at Slashdot.

Google has announced that it will stop indexing Flash content in Search as the internet prepares to bid a (not so fond) farewell to the multimedia software platform next year. From a report: "In web pages that contain Flash content, Google Search will ignore the Flash content," said Google engineering manager Dong-Hwi Lee in a blog post. "Google Search will stop indexing standalone SWF files." It is no secret that Adobe Flash is well and truly on its way out -- two years ago, a consortium of internet companies (including Adobe itself) committed to killing Flash by 2020. Preceding that, Steve Jobs' famous Thoughts on Flash letter from 2010 helped set the wheels in motion for the proprietary software's eventual demise, with the Apple cofounder citing numerous reasons why his company's hardware would not support Flash, including performance on mobile and poor security.

Read more of this story at Slashdot.

A startup that makes replicas of the iPhone that help hackers find vulnerabilities is accusing Apple of suing it in an attempt to shut it down. Corellium also fired back at Apple and claimed the company owes it $300,000. From a report: On Monday, Corellium, the startup that was sued by Apple for alleged copyright infringement in August, filed its response to the lawsuit. Apple alleged that Corellium's product is illegal, and helps researchers sell hacking tools based on software bugs found in iOS to government agencies that then use them to hack targets. The cybersecurity world was shocked by Apple's lawsuit, which was seen as an attempt to use copyright as an excuse to control the thriving, and largely legal, market for software vulnerabilities. The lawsuit was filed just a few days after Apple announced it would give researchers special "pre-hacked" devices to allow them to find and report more bugs to the company. "Through its invitation-only research device program and this lawsuit, Apple is trying to control who is permitted to identify vulnerabilities, if and how Apple will address identified vulnerabilities, and if Apple will disclose identified vulnerabilities to the public at all," Corellium argues in its response, echoing arguments made by the security research community. In its response, Corellium essentially argues that using Apple's code in Corellium is fair use and its product makes the world a better place by helping security researchers inspect the iPhone's operating system, find flaws in it, and help Apple fix them. With Corellium, researchers can more easily find bugs by creating virtual instances of iOS and test them more quickly, as opposed to having to use actual physical devices. Corellium attempts to illustrate this by including "before" and "after" images in its response that demonstrate what it was like to try to hack the iPhone before it released its software.

Read more of this story at Slashdot.

Counter-Strike: Global Offensive players will no longer be able to trade container keys between accounts because the trade was part of a massive worldwide fraud network. From a report: Players earned cases in Counter-Strike containing weapons and cosmetic upgrades, but had to purchase the keys to open the boxes. Developer Valve runs an internal marketplace on Steam where it allowed players to trade the boxes and the keys. Valve patched the game on October 28 and explained the problem in its patch notes. "In the past, most key trades we observed were between legitimate customers," the statement said. "However, worldwide fraud networks have recently shifted to using CS:GO keys to liquidate their gains. At this point, nearly all key purchases that end up being traded or sold on the marketplace are believed to be fraud-sourced."

Read more of this story at Slashdot.

During his Open Source Summit Europe keynote speech, Greg Kroah-Hartman, the stable Linux kernel maintainer, said Intel CPU's security problems "are going to be with us for a very long time" and are "not going away." He added: "They're all CPU bugs, in some ways they're all the same problem," but each has to be solved in its own way. "MDS, RDDL, Fallout, Zombieland: They're all variants of the same basic problem." ZDNet reports: And they're all potentially deadly for your security: "RIDL and Zombieload, for example, can steal data across applications, virtual machines, even secure enclaves. The last is really funny, because [Intel Software Guard Extensions (SGX)] is what supposed to be secure inside Intel ships" [but, it turns out it's] really porous. You can see right through this thing." To fix each problem as it pops up, you must patch both your Linux kernel and your CPU's BIOS and microcode. This is not a Linux problem; any operating system faces the same problem. OpenBSD, a BSD Unix devoted to security first and foremost, Kroah-Hartman freely admits was the first to come up with what's currently the best answer for this class of security holes: Turn Intel's simultaneous multithreading (SMT) off and deal with the performance hit. Linux has adopted this method. But it's not enough. You must secure the operating system as each new way to exploit hyper-threading appears. For Linux, that means flushing the CPU buffers every time there's a context switch (e.g. when the CPU stops running one VM and starts another). You can probably guess what the trouble is. Each buffer flush takes a lot of time, and the more VMs, containers, whatever, you're running, the more time you lose. "The bad part of this is that you now must choose: Performance or security. And that is not a good option," Kroah-Hartman said. He added: "If you are not using a supported Linux distribution kernel or a stable/long term kernel, you have an insecure system."

Read more of this story at Slashdot.

An anonymous reader quotes a report from The Wall Street Journal: The Federal Communications Commission is moving to place another restraint on the U.S. business of Huawei and ZTE by banning U.S. companies receiving federal subsidies from purchasing the Chinese firms' equipment (Warning: source may be paywalled; alternative source). FCC Chairman Ajit Pai set the proposal for vote at the agency's meeting on Nov. 19. It would designate Huawei and ZTE as national security threat and tell U.S. firms not to buy their equipment using money from an $8.5 billion federal fund designed to fund telecommunications service in rural areas. The FCC would also propose further study, and potentially federal funding, for removing and replacing equipment from the companies that has already been installed. Mr. Pai in a Wall Street Journal op-ed Monday called this existing equipment an "unacceptable risk."

Read more of this story at Slashdot.

Google executives misled their own employees last week when they said a former top Department of Homeland Security official who had recently joined the company was "not involved in the family separation policy," government emails obtained under the Freedom of Information Act reveal. From a report: In fact, Miles Taylor, who served as deputy chief of staff and then chief of staff to former Homeland Security secretary Kirstjen Nielsen, was involved in high-level discussions about immigration enforcement, helping to shape the department's narratives and talking points as one of Nielsen's trusted lieutenants. As Nielsen's deputy chief of staff, Taylor was included on some of the DHS secretary's emails and privy to her events schedule, often prepping his boss with reports and talking points ahead of public appearances between April and June 2018, when the family separation policy was in effect. In one email obtained by BuzzFeed News, Taylor assisted Nielsen in preparing what he described as the "Protecting Children Narrative" -- the department's spin on a policy that horrified Americans when images of abandoned, caged migrant children in squalid camps emerged. Other emails from Nielsen's events planner show that he had been scheduled to participate in at least two weekly calls to "discuss Border Security and Immigration Enforcement" in June 2018. Two former DHS officials dismissed Google's claim that Taylor -- who last month joined the company as a government affairs and public policy manager advising on national security issues -- could have kept his hands clean from the policy.

Read more of this story at Slashdot.