Ars Technica

Syndikovat obsah security – Ars Technica
Serving the Technologist for more than a decade. IT news, reviews, and analysis.
Aktualizace: 26 min 32 sek zpět

Building America’s Trust Act would amp up privacy concerns at the border

15 Srpen, 2017 - 10:00

Enlarge / A US Customs and Border Protection officer checks identifications as people cross into the United States from Mexico on September 23, 2016 in San Ysidro, California. (credit: John Moore / Getty Images News)

If a new Senate Republican border security bill is passed as currently drafted, it would dramatically increase the amount of surveillance technologies used against immigrants and, in some cases, American citizens traveling to and from the United States.

The bill, known as the "Building America's Trust Act," is authored by Sen. John Cornyn (R-Tex.). It aims for a "long-term border security and interior enforcement strategy," according to its summary. However, the senators have yet to formally introduce the text of the bill.

So Ars is going to do it for them: we received an advance copy of the bill’s text from an anonymous source, and we are publishing it here before it has been formally introduced in the Senate. Ars repeatedly contacted the offices of all six senators who are listed as co-sponsors for comment—none made anyone available.

Read 19 remaining paragraphs | Comments

Kategorie: Hacking & Security

After phishing attacks, Chrome extensions push adware to millions

3 Srpen, 2017 - 17:45

Enlarge / One of the ads displayed by a fraudulently updated version of the Web Developer extension for Chrome. (credit: dviate)

Twice in five days, developers of Chrome browser extensions have lost control of their code after unidentified attackers compromised the Google Chrome Web Store accounts used to issue updates.

The most recent case happened Wednesday to Chris Pederick, creator of the Web Developer extension. Last Friday, developers of Copyfish, a browser extension that performs optical character recognition, also had their account hijacked.

In both cases, the attackers used the unauthorized access to publish fraudulent updates that by default are automatically pushed to all Chrome users who have the extensions installed. The tainted extensions were also available for download in Google's official Chrome Web Store. Both Pederick and the Copyfish developers said the fraudulent updates did nothing more than inject ads into the sites users visited. The Copyfish developers provided this account that provided a side-by-side comparison of the legitimate and altered code. Pederick has so far not provided documentation of the changes that were pushed out to the more than one million browsers that have downloaded the Web Developer extension.

Read 7 remaining paragraphs | Comments

Kategorie: Hacking & Security

Stealthy Google Play apps recorded calls and stole e-mails and texts

27 Červenec, 2017 - 19:22

Enlarge (credit: portal gda)

Google has expelled 20 Android apps from its Play marketplace after finding they contained code for monitoring and extracting users' e-mail, text messages, locations, voice calls, and other sensitive data.

The apps, which made their way onto about 100 phones, exploited known vulnerabilities to "root" devices running older versions of Android. Root status allowed the apps to bypass security protections built into the mobile operating system. As a result, the apps were capable of surreptitiously accessing sensitive data stored, sent, or received by at least a dozen other apps, including Gmail, Hangouts, LinkedIn, and Messenger. The now-ejected apps also collected messages sent and received by Whatsapp, Telegram, and Viber, which all encrypt data in an attempt to make it harder for attackers to intercept messages while in transit.

The apps also contained functions allowing for:

Read 5 remaining paragraphs | Comments

Kategorie: Hacking & Security

Microsoft expands bug bounty program to cover any Windows flaw

26 Červenec, 2017 - 22:28

Some bugs aren't worth very much cash. (credit: Daniel Novta)

Microsoft today announced a new bug bounty scheme that would see anyone finding a security flaw in Windows eligible for a payout of up to $15,000.

The company has been running bug bounty programs, wherein security researchers are financially rewarded for discovering and reporting exploitable flaws, since 2013. Back then, Microsoft was paying up to $11,000 for bugs in Internet Explorer 11. In the years since then, Microsoft's bounty schemes have expanded with specific programs offering rewards for those finding flaws in the Hyper-V hypervisor, Windows' wide range of exploit mitigation systems such as DEP and ASLR, and the Edge browser.

Many of these bounty programs were time-limited, covering software during its beta/development period but ending once it was released. This structure is an attempt to attract greater scrutiny before exploits are distributed to regular end-users. Last month, the Edge bounty program was made an ongoing scheme no longer tied to any particular timeframe.

Read 2 remaining paragraphs | Comments

Kategorie: Hacking & Security

“Perverse” malware infecting hundreds of Macs remained undetected for years

25 Červenec, 2017 - 01:08

Enlarge (credit: Tim Malabuyo)

A mysterious piece of malware that gives attackers surreptitious control over webcams, keyboards, and other sensitive resources has been infecting Macs for at least five years. The infections—known to number nearly 400 and possibly much higher—remained undetected until recently and may have been active for almost a decade.

Patrick Wardle, a researcher with security firm Synack, said the malware is a variant of a malicious program that came to light in January after circulating for at least two years. Dubbed Fruitfly by some, both malware samples capture screenshots, keystrokes, webcam images, and information about each infected Mac. Both generations of Fruitfly also collect information about devices connected to the same network. After researchers from security firm Malwarebytes discovered the earlier Fruitfly variant infecting four Macs, Apple updated macOS to automatically detect the malware.

The variant found by Wardle, by contrast, has infected a much larger number of Macs while remaining undetected by both macOS and commercial antivirus products. After analyzing the new variant, Wardle was able to decrypt several backup domains that were hardcoded into the malware. To his surprise, the domains remained available. Within two days of registering one of the addresses, close to 400 infected Macs connected to the server, mostly from homes located in the United States. Although Wardle did nothing more than observe the IP address and user names of Macs that connected to his server, he had the ability to use the malware to spy on the users who were unwittingly infected.

Read 7 remaining paragraphs | Comments

Kategorie: Hacking & Security

Microsoft’s secret weapon in ongoing struggle against Fancy Bear? Trademark law

21 Červenec, 2017 - 20:55

Enlarge (credit: Harald Deischinger)

On Friday, representatives of the notorious hacking entity known as Fancy Bear failed to appear in a federal court in Virginia to defend themselves against a civil lawsuit brought by Microsoft.

As the Daily Beast first reported on Friday, Microsoft has been waging a quiet battle in court against the threat group, which is believed to be affiliated with the GRU, Russia's foreign intelligence agency. For now, the company has managed to seize control of 70 domain names, but it's going after many more.

The idea of the lawsuit, which was filed in August 2016, is to use various federal laws—including the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and American trademark law—as a way to seize command-and-control domain names used by the group, which goes by various monikers, including APT28 and Strontium. Many of the domain names used by Fancy Bear contain Microsoft trademarks, like microsoftinfo365.com and hundreds of others.

Read 5 remaining paragraphs | Comments

Kategorie: Hacking & Security

Google drops the boom on WoSign, StartCom certs for good

20 Červenec, 2017 - 23:57

(credit: Michael Rosenstein)

Last August, after being alerted by GitHub's security team that the certificate authority WoSign had errantly issued a certificate for a GitHub domain to someone other than GitHub, Google began an investigation in collaboration with the Mozilla Foundation and a group of security professionals into the company's certificate issuance practices. The investigation uncovered a pattern of bad practices at WoSign and its subsidiary StartCom dating back to the spring of 2015. As a result, Google moved last October to begin distrusting new certificates issued by the two companies, stating "Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome."

WoSign (based in Shenzen, China) and StartCom (based in Eliat, Israel) are among the few low-cost certificate providers who've offered wildcard certificates. StartCom's StartSSL offers free Class 1 certificates, and $60-per-year wildcard certificates—allowing the use of a single certificate on multiple subdomains with a single confirmation. This made the service wildly popular. But bugs in WoSign's software allowed a number of misregistrations of certificates. One bug allowed someone with control of a subdomain to claim control of the whole root domain for certificates. The investigation also found that WoSign was backdating the SSL certificates it issued to get around the deadline set for certificate authorities to stop issuing SHA-1 SSL certificates by January 1, 2016. WoSign continued to issue the less secure SHA-1 SSL certificates well into 2016.

Initially, Google only revoked trust for certificates issued after October 21, 2016. But over the past six months, Google has walked that revocation back further, only whitelisting certificates for domains from a list based on Alexa's top one million sites. But today, Google announced that it would phase out trust for all WoSign and StartCom certificates with the release of Chrome 61. That release, about to be released for beta testing, will be fully released in September.

Read 1 remaining paragraphs | Comments

Kategorie: Hacking & Security