Security

LinkedIn's AutoFill Plugin Could Leak User Data, Secret Fix Failed (techcrunch.com) 21

TechCrunch reports on a flaw in LinkedIn's AutoFill plugin that could have allowed hackers to steal your full name, phone number, email address, location (ZIP code), company, and job title. "Malicious sites have been able to invisibly render the plugin on their entire page so if users who are logged into LinkedIn click anywhere, they'd effectively be hitting a hidden 'AutoFill with LinkedIn' button and giving up their data." From the report: Researcher Jack Cable discovered the issue on April 9th, 2018 and immediately disclosed it to LinkedIn. The company issued a fix on April 10th but didn't inform the public of the issue. Cable quickly informed LinkedIn that its fix, which restricted the use of its AutoFill feature to whitelisted sites that pay LinkedIn to host their ads, still left it open to abuse. If any of those sites have cross-site scripting vulnerabilities, which Cable confirmed some do, hackers can still run AutoFill on their sites by installing an iframe to the vulnerable whitelisted site. He got no response from LinkedIn over the last 9 days, so Cable reached out to TechCrunch. A LinkedIn spokesperson issued this statement to TechCrunch: "We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we've seen no signs of abuse, we're constantly working to ensure our members' data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them. For clarity, LinkedIn AutoFill is not broadly available and only works on whitelisted domains for approved advertisers. It allows visitors to a website to choose to pre-populate a form with information from their LinkedIn profile."

Chrome

Millions of Chrome Users Have Installed Malware Posing as Ad Blockers (vice.com) 38

Kaleigh Rogers, writing for Motherboard: Andrey Meshkov, the cofounder of ad-blocker AdGuard, recently got curious about the number of knock-off ad blocking extensions available for Google's popular browser Chrome. These extensions were deliberately styled to look like legitimate, well-known ad blockers, but Meshkov wondered why they existed at all, so he downloaded one and took a look at the code. "Basically I downloaded it and checked what requests the extension was making," Meshkov told me over the phone. "Some strange requests caught my attention."

Meshkov discovered that the AdRemover extension for Chrome -- which had over 10 million users -- had code hidden inside an image that was loaded from the remote command server, giving the extension creator the ability to change its functions without updating. This alone is against Google's policy, and after Meshkov wrote about a few examples on AdGuard's blog, many of which had millions of downloads, Chrome removed the extensions from the store. I reached out to Google, and a spokesperson confirmed that these extensions had been removed.

Government

FDA Wants Medical Devices To Have Mandatory Built-In Update Mechanisms (bleepingcomputer.com) 82

Catalin Cimpanu, writing for BleepingComputer: The US Food & Drug Administration plans to ask Congress for more funding and regulatory powers to improve its approach towards medical device safety, including on the cybersecurity front. An FDA document released this week reveals several of the FDA's plans, including the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.

In addition, the FDA also plans to force device makers to create a document called "Software Bill of Materials" that will be provided for each medical device and will include software-related details for each product. Hospitals, healthcare units, contractors, or users will be able to consult the medical device's bill of materials and determine how it functions, what software is needed for what feature, and what technologies are used in each device.

Facebook

'Login With Facebook' Data Hijacked By JavaScript Trackers (techcrunch.com) 91

An anonymous reader quotes a report from TechCrunch: Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data. The abusive scripts were found on 434 of the top 1 million websites including freelancer site Fiverr.com, camera seller B&H Photo And Video, and cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.

Microsoft

Microsoft Ports Edge Anti-Phishing Technology To Google Chrome (bleepingcomputer.com) 65

An anonymous reader writes: Microsoft has released a Chrome extension named "Windows Defender Browser Protection" that ports Windows Defender's -- and inherently Edge's -- anti-phishing technology to Google Chrome. The extension works by showing bright red-colored pages whenever users are tricked into accessing malicious links. The warnings are eerily similar to the ones that Chrome natively shows via the Safe Browsing API, but are powered by Microsoft's database of malicious links -- also known as the SmartScreen API.

Chrome users should be genuinely happy that they can now use both APIs for detecting phishing and malware-hosting URLs. The SmartScreen API isn't as known as Google's more famous Safe Browsing API, but works in the same way, and possibly even better. An NSS Labs benchmark revealed that Edge (with its SmartScreen API) caught 99 percent of all phishing URLs thrown at it during a test last year, while Chrome only detected 87 percent of the malicious links users accessed.

Security

Data Firm Leaks 48 Million User Profiles it Scraped From Facebook, LinkedIn, Others (zdnet.com) 56

Zack Whittaker, reporting for ZDNet: A little-known data firm was able to build 48 million personal profiles, combining data from sites and social networks like Facebook, LinkedIn, Twitter, and Zillow, among others -- without the users' knowledge or consent. Localblox, a Bellevue, Wash.-based firm, says it "automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks." Since its founding in 2010, the company has focused its collection on publicly accessible data sources, like social networks Facebook, Twitter, and LinkedIn, and real estate site Zillow to name a few, to produce profiles.

But earlier this year, the company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents. The bucket, labeled "lbdumps," contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together.

The Internet

Russia Admits To Blocking Millions of IP Addresses (sfgate.com) 72

It turns out, the Russian government, in its quest to block Telegram, accidentally shut down several other services as well. From a report: The chief of the Russian communications watchdog acknowledged Wednesday that millions of unrelated IP addresses have been frozen in a so-far futile attempt to block a popular messaging app. Telegram, the messaging app that was ordered to be blocked last week, was still available to users in Russia despite authorities' frantic attempts to hit it by blocking other services. The row erupted after Telegram, which was developed by Russian entrepreneur Pavel Durov, refused to hand its encryption keys to the intelligence agencies. The Russian government insists it needs them to pre-empt extremist attacks but Telegram dismissed the request as a breach of privacy. Alexander Zharov, chief of the Federal Communications Agency, said in an interview with the Izvestia daily published Wednesday that Russia is blocking 18 networks that are used by Amazon and Google and which host sites that they believe Telegram is using to circumvent the ban.

China

Huawei To Back Off US Market Amid Rising Tensions (nytimes.com) 89

Huawei is reportedly going to give up on selling its products and services in the United States (Warning: source may be paywalled; alternative source) due to Washington's accusations that the company has ties to the Chinese government. The change in tactics comes a week after the company laid off five American employees, including its biggest American lobbyist. The New York Times reports: Huawei's tactics are changing as its business prospects in the United States have darkened considerably. On Tuesday, the Federal Communications Commission voted to proceed with a new rule that could effectively kill off what little business the company has in the United States. Although the proposed rule does not mention Huawei by name, it would block federally subsidized telecommunications carriers from using suppliers deemed to pose a risk to American national security. Huawei's latest moves suggest that it has accepted that its political battles in the United States are not ones it is likely to win. "Some things cannot change their course according to our wishes," Eric Xu, Huawei's deputy chairman, said at the company's annual meeting with analysts on Tuesday. "With some things, when you let them go, you actually feel more at ease."

Security

Windows 10 Update Will Support More Password-Free Logins (engadget.com) 66

An anonymous reader writes: It's not just web browsers that are moving beyond passwords. Microsoft has revealed that Windows 10's next update will support the new FIDO 2.0 standard, promising password-free logins on any Windows 10 device managed by your company or office. You could previously use Windows Hello to avoid typing in a password, of course, but this promises to be more extensive -- you could use a USB security key to sign into your Azure Active Directory.

Microsoft

Microsoft Delays Windows 10 Spring Creators Update Because of 'Higher Percentage of BSODs' (bleepingcomputer.com) 106

Microsoft has admitted that it had to postpone the release of Spring Creators Update, the upcoming major update to its Windows 10 desktop operating system, due to technical issues. BleepingComputer notes: More precisely, Microsoft says it encountered a higher percentage of Blue Screen of Death (BSOD) errors on PCs, the company's Insiders Program managers said in a blog post yesterday. Microsoft says that instead of shipping the Spring Creators Update faulty as it was, and then delivering an update later to fix the issues, it decided to hold off on deploying the defective build altogether. The OS maker says it will create and test a new Windows 10 build that also includes the BSOD fixes, and ship that one instead of Windows 10 Insider Preview Build 17134, the build that was initially scheduled to be launched as the Spring Creators Update on April 10, last week.

Businesses

Cybersecurity Tech Accord: More Than 30 Tech Firms Pledge Not to Assist Governments in Cyberattacks (cybertechaccord.org) 67

Over 30 major technology companies, led by Microsoft and Facebook, on Tuesday announced what they are calling the Cybersecurity Tech Accord, a set of principles that include a declaration that they will not help any government -- including that of the United States -- mount cyberattacks against "innocent civilians and enterprises from anywhere."

The companies that are participating in the initiative are: ABB, Arm, Avast, Bitdefender, BT, CA Technologies, Cisco, Cloudflare, DataStax, Dell, DocuSign, Facebook, Fastly, FireEye, F-Secure, GitHub, Guardtime, HP Inc., HPE, Intuit, Juniper Networks, LinkedIn, Microsoft, Nielsen, Nokia, Oracle, RSA, SAP, Stripe, Symantec, Telefonica, Tenable, Trend Micro, and VMware.

The announcement comes at the backdrop of a growing momentum in political and industry circles to create a sort of Digital Geneva Convention that commits the entire tech industry and governments to supporting a free and secure internet. The effort comes after attacks such as WannaCry and NotPetya hobbled businesses around the world last year, and just a day after the U.S. and U.K. issued an unprecedented joint alert citing the threat of cyberattacks from Russian state-sponsored actors. The Pentagon has said Russian "trolling" activity increased 2,000 percent after missile strikes in Syria.

Interestingly, Amazon, Apple, Google, and Twitter are not participating in the program, though the Tech Accord says it "remains open to consideration of new private sector signatories, large or small and regardless of sector."

Wireless Networking

Planet Fitness Evacuated After WiFi Network Named 'Remote Detonator' Causes Scare (windsorstar.com) 167

An anonymous reader quotes a report from Windsor Star: A Michigan gym patron looking for a Wi-Fi connection found one named "remote detonator," prompting an evacuation and precautionary search of the facility by a bomb-sniffing dog. The Saginaw News reports nothing was found in the search Sunday at Planet Fitness in Saginaw Township, about 85 miles (140 kilometers) northwest of Detroit. Saginaw Township police Chief Donald Pussehl says the patron brought the Wi-Fi connection's name to the attention of a manager, who evacuated the building and called police. The gym was closed for about three hours as police responded. Pussehl says there's "no crime or threat," so no charges are expected. He notes people often have odd names for WiFi connections. Planet Fitness says the manager was following company procedure for when there's suspicion about a safety issue.

Communications

France is Building Its Own Encrypted Messaging Service To Ease Fears That Foreign Entities Could Spy on Private Conversations (reuters.com) 87

The French government is building its own encrypted messenger service to ease fears that foreign entities could spy on private conversations between top officials, the digital ministry said on Monday. From a report: None of the world's major encrypted messaging apps, including Facebook's WhatsApp and Telegram -- a favorite of President Emmanuel Macron -- are based in France, raising the risk of data breaches at servers outside the country.

About 20 officials and top civil servants are testing the new app which a state-employed developer has designed, a ministry spokeswoman said, with the aim that its use will become mandatory for the whole government by the summer. "We need to find a way to have an encrypted messaging service that is not encrypted by the United States or Russia," the spokeswoman said. "You start thinking about the potential breaches that could happen, as we saw with Facebook, so we should take the lead."

Encryption

Russia Begins Blocking Telegram Messenger (reuters.com) 59

Russia's state telecommunications regulator said on Monday it had begun blocking access to Telegram messenger after the company refused to comply with an order to give Russian state security access to its users' secret messages (encryption keys). From a report: The watchdog, Roskomnadzor, said in a statement on its website that it had sent telecoms operators a notification about blocking access to Telegram inside Russia. The service, set up by a Russian entrepreneur, has more than 200 million global users and is ranked as the world's ninth most popular mobile messaging app.

Security

Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com) 245

From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."

Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.

Intel

Intel SPI Flash Flaw Lets Attackers Alter or Delete BIOS/UEFI Firmware (bleepingcomputer.com) 46

Catalin Cimpanu, writing for BleepingComputer: Intel has addressed a vulnerability in the configuration of several CPU series that allow an attacker to alter the behavior of the chip's SPI Flash memory -- a mandatory component used during the boot-up process [1, 2, 3]. According to Lenovo, who recently deployed the Intel fixes, "the configuration of the system firmware device (SPI flash) could allow an attacker to block BIOS/UEFI updates, or to selectively erase or corrupt portions of the firmware." Lenovo engineers say "this would most likely result in a visible malfunction, but could in rare circumstances result in arbitrary code execution."

Encryption

Former FBI Director James Comey Reveals How Apple and Google's Encryption Efforts Drove Him 'Crazy' (fastcompany.com) 350

An anonymous reader shares a report: In his explosive new book, A Higher Loyalty, fired FBI director James Comey denounces President Trump as "untethered to the truth" and likens him to a "mob boss," but he also touches on other topics during his decades-long career in law enforcement -- including his strong objection to the tech industry's encryption efforts. When Apple and Google announced in 2014 that they would be moving their mobile devices to default encryption, by emphasizing that making them immune to judicial orders was good for society, "it drove me crazy," he writes. He goes on to lament the lack of "true listening" between tech and law enforcement, saying that "the leaders of the tech companies don't see the darkness the FBI sees," such as terrorism and organized crime.

He writes, "I found it appalling that the tech types couldn't see this. I would frequently joke with the FBI 'Going Dark' team assigned to seek solutions, 'Of course the Silicon Valley types don't see the darkness -- they live where it's sunny all the time and everybody is rich and smart.'" But Comey understood it was an unbelievably difficult issue and that public safety had to be balanced with privacy concerns.

Encryption

Lawmakers Call FBI's 'Going Dark' Narrative 'Highly Questionable' After Motherboard Shows Cops Can Easily Hack iPhones (vice.com) 69

Joseph Cox, reporting for Motherboard: This week, Motherboard showed that law enforcement agencies across the country, including a part of the State Department, have bought GrayKey, a relatively cheap technology that can unlock fully up-to-date iPhones. That revelation, cryptographers and technologists said, undermined the FBI's renewed push for backdoors in consumer encryption products. Citing Motherboard's work, on Friday US lawmakers sent a letter to FBI Director Christopher Wray, doubting the FBI's narrative around 'going dark', where law enforcement officials say they are increasingly unable to obtain evidence related to crimes due to encryption. Politico was first to report the letter. "According to your testimony and public statements, the FBI encountered 7,800 devices last year that it could not access due to encryption," the letter, signed by 5 Democrat and 5 Republican House lawmakers, reads. "However, in light of the availability of unlocking tools developed by third-parties and the OIG report's findings that the Bureau was uninterested in seeking available third-party options, these statistics appear highly questionable," it adds, referring to a recent report from the Justice Department's Office of the Inspector General. That report found the FBI barely explored its technical options for accessing the San Bernardino iPhone before trying to compel Apple to unlock the device. The lawmakers' letter points to Motherboard's report that the State Department spent around $15,000 on a GrayKey.

Businesses

Survey Finds 'Agile' Competency Is Rare In Organizations (sdtimes.com) 269

An anonymous reader writes: The 12th annual "State of Agile" report has just been released by CollabNet VersionOne, which calls it "the largest and longest-running Agile survey in the world." After surveying more than 1,400 software professionals in various roles and industries over the last four months of 2017, "Only 12% responded that their organizations have a high level of competency with agile practices across the organization, and only 4% report that agile practices are enabling greater adaptability to market conditions... The three most significant challenges to agile adoption and scaling are reported as organizational culture at odds with agile values (53%), general organizational resistance to change (46%), and inadequate management support and sponsorship (42%)...

"The encouraging news is that 59% recognize that they are still maturing, indicating that they do not intend to plateau where they are." And agile adoption does appear to be growing. "25% of the respondents say that all or almost all of their teams are agile, whereas only 8% reported that in 2016."

The researchers also note "the recognized necessity of accelerating the speed of delivery of high-quality software, and the emphasis on customer satisfaction," with 71% of the survey respondents reporting that a DevOps initiative is underway or planned for the next 12 months.

Security

PUBG Ransomware Decrypts Your Files If You Play PlayerUnknown's Battlegrounds (bleepingcomputer.com) 51

An anonymous reader quotes Bleeping Computer: In what could only be a joke, a new ransomware has been discovered called "PUBG Ransomware" that will decrypt your files if you play the game called PlayerUnknown's Battlegrounds... When the PUBG Ransomware is launched it will encrypt a user's files and folders on the user's desktop and append the .PUBG extension to them. When it has finished encrypting the files, it will display a screen giving you two methods that you can use to decrypt the encrypted files.

Users can unlock it either by entering a secret unlock code displayed on the screen -- or by playing PlayerUnknown's Battlegrounds. The ransomware checks to see if you played PlayerUnknown's Battlegrounds by monitoring the running processes for one named "TslGame"... Once a user plays the game and the process is detected, the ransomware will automatically decrypt the victim's files. This ransomware is not too advanced as it only looks for the process name and does not check for other information to confirm that the game is actually being played. That means you can simply run any executable called TslGame.exe and it will decrypt the files.
