Mozilla

Mozilla Slipped a 'Mr. Robot'-Promo Plugin Into Firefox and Users Are Pissed (gizmodo.com) 128

MarcAuslander shares a report from Gizmodo: Mozilla sneaked a browser plugin that promotes Mr. Robot into Firefox -- and managed to piss off a bunch of its privacy-conscious users in the process. The extension, called Looking Glass, is intended to promote an augmented reality game to "further your immersion into the Mr. Robot universe," according to Mozilla. It was automatically added to Firefox users' browsers this week with no explanation except the cryptic message, "MY REALITY IS JUST DIFFERENT THAN YOURS," prompting users to worry on Reddit that they'd been hit with spyware. Without an explanation included with the extension, users were left digging around in the code for Looking Glass to find answers. Looking Glass was updated for some users today with a description that explains the connection to Mr. Robot and lets users know that the extension won't activate without explicit opt-in.

Mozilla justified its decision to include the extension because Mr. Robot promotes user privacy. "The Mr. Robot series centers around the theme of online privacy and security," the company said in an explanation of the mysterious extension. "One of the 10 guiding principles of Mozilla's mission is that individuals' security and privacy on the internet are fundamental and must not be treated as optional. The more people know about what information they are sharing online, the more they can protect their privacy."

Bitcoin

Coinbase Wants Wall Street To Resolve Its Bitcoin Trust Issues (bloomberg.com) 33

In an effort to use digital money to reinvent finance, cryptocurrency exchange Coinbase is trying to legitimize itself by convincing big money managers to trust it enough to trade on its exchange. They need to "reassure regulators that bitcoin isn't a silk road for hackers, money launderers and tax evaders," reports Bloomberg. From the report: Despite the table tennis, Coinbase shows glimmers of maturity. More than 10 million customers have used the company since it began, though it recently quit updating the tally on its website. About $57 billion of digital currency has traded on the exchange so far this year. It doubled its staff in that time and expects to do so again in 2018. Ultimately, Coinbase plans to go public. The firm said it's prevailed against security threats, helping it avoid the fate of Mt. Gox, the world's biggest bitcoin exchange before shutting its doors in 2014 after $480 million of customer funds went bye-bye. Coinbase stores 98 percent of users' digital currencies in offline safe-deposit boxes. The remaining 2 percent, which is vulnerable because it's online, is covered by insurance. The company holds more than $10 billion in digital assets. Developing ties with banks is one of the biggest challenges. Coinbase doesn't publicly disclose its banking relationships, but a person familiar with the matter said the company is partnering with Cross River Bank, Metropolitan Bank and Silvergate Bank in the U.S.
Security

Lock Out: the Austrian Hotel That Was Hacked Four Times (bbc.com) 41

AmiMoJo shares a BBC report: Christoph Brandstatter is managing director of the four-star Seehotel, Jagerwirt, in Austria's Alps. His hotel's electronic door locks and other systems were hacked for ransom four times, between December 2016 and January 2017. "We got a ransomware mail which was hidden in a bill from Telekom Austria." His hotel's door keys became unusable after he clicked on a link to his bill. So was his hard drive. "Actually, as a small business you do not really think that anybody's interested in you for hacking, so we had no plan what to do," he recalls. He paid a ransom of two bitcoins, saying "at that time it was about $1,882." He has now installed firewalls and new antivirus software, and has trained his staff to recognise phishing emails that may seem genuine but actually contain malware. And he's moved back to traditional metal keys.
Government

CIA Captured Putin's 'Specific Instructions' To Hack the 2016 Election, Says Report (thedailybeast.com) 463

An anonymous reader quotes a report from The Daily Beast: When Director of National Intelligence James R. Clapper Jr., CIA Director John Brennan and FBI Director James B. Comey all went to see Donald Trump together during the presidential transition, they told him conclusively that they had "captured Putin's specific instructions on the operation" to hack the 2016 presidential election, according to a report in The Washington Post. The intel bosses were worried that he would explode but Trump remained calm during the carefully choreographed meeting. "He was affable, courteous, complimentary," Clapper told the Post. Comey stayed behind afterward to tell the president-elect about the controversial Steele dossier, however, and that private meeting may have been responsible for the animosity that would eventually lead to Trump firing the director of the FBI.
Bitcoin

A Cryptocurrency Without a Blockchain Has Been Built To Outperform Bitcoin (technologyreview.com) 176

An anonymous reader quotes a report from MIT Technology Review: Bitcoin isn't the only cryptocurrency on a hot streak -- plenty of alternative currencies have enjoyed rallies alongside the Epic Bitcoin Bull Run of 2017. One of the most intriguing examples is also among the most obscure in the cryptocurrency world. Called IOTA, it has jumped in total value from just over $4 billion to more than $10 billion in a little over two weeks. But that isn't what makes it interesting. What makes it interesting is that it isn't based on a blockchain at all; it's something else entirely. The rally began in late November, after the IOTA Foundation, the German nonprofit behind the novel cryptocurrency, announced that it was teaming up with several major technology firms to develop a "decentralized data marketplace."

Though IOTA tokens can be used like any other cryptocurrency, the protocol was designed specifically for use on connected devices, says cofounder David Sonstebo. Organizations collect huge amounts of data from these gadgets, from weather tracking systems to sensors that monitor the performance of industrial machinery (a.k.a. the Internet of things). But nearly all of that information is wasted, sitting in siloed databases and not making money for its owners, says Sonstebo. IOTA's system can address this in two ways, he says. First, it can assure the integrity of this data by securing it in a tamper-proof decentralized ledger. Second, it enables fee-less transactions between the owners of the data and anyone who wants to buy it -- and there are plenty of companies that want to get their hands on data.
The report goes on to note that instead of using a blockchain, "IOTA uses a 'tangle,' which is based on a mathematical concept called a directed acyclic graph." The team decided to research this new alternative after deciding that blockchains are too costly. "Part of Sonstebo's issue with Bitcoin and other blockchain systems is that they rely on a distributed network of 'miners' to verify transactions," reports MIT Technology Review. "When a user issues a transaction [with IOTA], that individual also validates two randomly selected previous transactions, each of which refer to two other previous transactions, and so on. As new transactions mount, a 'tangled web of confirmation' grows, says Sonstebo."
Security

Attackers Deploy 'Triton' Malware Against Industrial Safety Equipment (securityweek.com) 28

wiredmikey writes: A new piece of malware designed to target industrial control systems (ICS) has been used in an attack aimed at a critical infrastructure organization, FireEye said on Thursday. The malware, which has been dubbed "Triton," is designed to target Schneider Electric's Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation. The investigation found that the attackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but they may have done it inadvertently while trying to determine how they could cause physical damage.
Security

Fortinet VPN Client Exposes VPN Creds; Palo Alto Firewalls Allow Remote Attacks (bleepingcomputer.com) 31

An anonymous reader shares a report: It's been a bad week for two of the world's biggest vendors of enterprise hardware and software -- Fortinet and Palo Alto Networks. The worst of the bunch is a credentials leak affecting Fortinet's FortiClient, an antivirus product provided by Fortinet for both home and enterprise-level clients. Researchers from SEC Consult said in an advisory released this week that they've discovered a security issue that allows attackers to extract credentials for this VPN client. The second major security issue disclosed this week affects firewall products manufactured by Palo Alto Networks and running PAN-OS, the company's in-house operating system. Security researcher Philip Pettersson discovered that by combining three vulnerabilities together, he could run code on a Palo Alto firewall from a remote location with root privileges.
Security

Author of BrickerBot Malware Retires, Says He Bricked 10 Million IoT Devices (bleepingcomputer.com) 146

An anonymous reader writes: The author of BrickerBot -- the malware that bricks IoT devices -- has announced his retirement in an email to Bleeping Computer, also claiming to have bricked over 10 million devices since he started the "Internet Chemotherapy" project in November 2016. Similar to the authors of the Mirai malware, the BrickerBot developer dumped his malware's source code online, allowing other crooks to profit from his code. The code is said to contain at least one zero-day. In a farewell message left on hundreds of hacked routers, the BrickerBot author also published a list of incidents (ISP downtimes) he caused, while also admitting he is likely to have drawn the attention of law enforcement agencies. "There's also only so long that I can keep doing something like this before the government types are able to correlate my likely network routes (I have already been active for far too long to remain safe). For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am," the hacker said.
Open Source

Avast Launches Open-Source Decompiler For Machine Code (techspot.com) 107

Greg Synek reports via TechSpot: To help with the reverse engineering of malware, Avast has released an open-source version of its machine-code decompiler, RetDec, that has been under development for over seven years. RetDec supports a variety of architectures aside from those used on traditional desktops including ARM, PIC32, PowerPC and MIPS. As Internet of Things devices proliferate throughout our homes and inside private businesses, being able to effectively analyze the code running on all of these new devices becomes a necessity to ensure security. In addition to the open-source version found on GitHub, RetDec is also being provided as a web service.

Simply upload a supported executable or machine code and get a reasonably rebuilt version of the source code. It is not possible to retrieve the exact original code of any executable compiled to machine code but obtaining a working or almost working copy of equivalent code can greatly expedite the reverse engineering of software. For any curious developers out there, a REST API is also provided to allow third-party applications to use the decompilation service. A plugin for IDA disassembler is also available for those experienced with decompiling software.

Robotics

Robots Are Being Used To Shoo Away Homeless People In San Francisco (qz.com) 414

An anonymous reader quotes a report from Quartz: San Francisco's Society for the Prevention of Cruelty to Animals (SPCA) has been ordered by the city to stop using a robot to patrol the sidewalks outside its office, the San Francisco Business Times reported Dec. 8. The robot, produced by Silicon Valley startup Knightscope, was used to ensure that homeless people didn't set up camps outside of the nonprofit's office. It autonomously patrols a set area using a combination of Lidar and other sensors, and can alert security services of potentially criminal activity.

In a particularly dystopian move, it seems that the San Francisco SPCA adorned the robot it was renting with stickers of cute kittens and puppies, according to Business Insider, as it was used to shoo away the homeless from near its office. San Francisco recently voted to cut down on the number of robots that roam the streets of the city, which has seen an influx of small delivery robots in recent years. The city said it would issue the SPCA a fine of $1,000 per day for illegally operating on a public right-of-way if it continued to use the security robot outside its premises, the San Francisco Business Times said.

Security

Maker of Sneaky Mac Adware Sends Security Researcher Cease-and-Desist Letters (zdnet.com) 85

Zack Whittaker, writing for ZDNet: The maker of a sneaky adware that hijacks a user's browser to serve ads is back with a new, more advanced version -- one that can gain root privileges and spy on the user's activities. News of the updated adware dropped Tuesday in a lengthy write-up by Amit Serper, principal security researcher at Cybereason. The adware, dubbed OSX.Pirrit, is still highly active, infecting tens of thousands of Macs, according to Serper, who has tracked the malware and its different versions for over a year. Serper's detailed write-up is well worth the read. [...] TargetingEdge sent cease-and-desist letters to try to prevent Serper from publishing his research. "We've received several letters over the past two weeks," Serper told ZDNet. "We decided to publish anyway because we're sick of shady 'adware' companies and their threats."
Botnet

Mirai IoT Botnet Co-Authors Plead Guilty (krebsonsecurity.com) 31

Three hackers responsible for creating the massive Mirai botnet that knocked large swathes of the internet offline last year have pleaded guilty. Brian Krebs reports: The U.S. Justice Department on Tuesday unsealed the guilty pleas of two men (Editor's note: three men) first identified in January 2017 by KrebsOnSecurity as the likely co-authors of Mirai, a malware strain that remotely enslaves so-called "Internet of Things" devices such as security cameras, routers, and digital video recorders for use in large scale attacks designed to knock Web sites and entire networks offline (including multiple major attacks against this site). Entering guilty pleas for their roles in developing and using Mirai are 21-year-old Paras Jha from Fanwood, N.J. and Josiah White, 20, from Washington, Pennsylvania. Jha and White were co-founders of Protraf Solutions LLC, a company that specialized in mitigating large-scale DDoS attacks. Like firemen getting paid to put out the fires they started, Jha and White would target organizations with DDoS attacks and then either extort them for money to call off the attacks, or try to sell those companies services they claimed could uniquely help fend off the attacks. Editor's note: The story was updated to note that three men have pleaded guilty. -- not two as described in some reports.
Businesses

Uber's Massive Scraping Program Collected Data About Competitors Around The World (gizmodo.com) 29

Kate Conger, reporting for Gizmodo: For years, Uber systemically scraped data from competing ride-hailing companies all over the world, harvesting information about their technology, drivers, and executives. Uber gathered information from these firms using automated collection systems that ran constantly, amassing millions of records, and sometimes conducted physical surveillance to complement its data collection. Uber's scraping efforts were spearheaded by the company's Marketplace Analytics team, while the Strategic Services Group gathered information for security purposes, Gizmodo learned from three people familiar with the operations of these teams, from court testimony, and from internal Uber documents. Until Uber's data scraping was discontinued this September in the face of mounting litigation and multiple federal investigations, Marketplace Analytics gathered information on Uber's overseas competitors in an attempt to advance Uber's position in those markets. SSG's mission was to protect employees, executives, and drivers from violence, which sometimes involved tracking protesters and other groups that were considered threatening to Uber. An Uber spokesperson declined to comment for this story.
Security

Old Crypto Vulnerability Hits Major Tech Firms (securityweek.com) 32

wiredmikey writes: A team of researchers has revived an old crypto vulnerability and determined that it affects the products of several major vendors and a significant number of the world's top websites. The attack/exploit method against a Transport Layer Security (TLS) vulnerability now has a name, a logo and a website. It has been dubbed ROBOT (Return Of Bleichenbacher's Oracle Threat) and, as the name suggests, it's related to an attack method discovered by Daniel Bleichenbacher back in 1998. ROBOT allows an attacker to obtain the RSA key necessary to decrypt TLS traffic under certain conditions. While proof-of-concept (PoC) code will only be made available after affected organizations have had a chance to patch their systems, the researchers have published some additional details. Researchers have made available an online tool that can be used to test public HTTPS servers. An analysis showed that at least 27 of the top 100 Alexa websites, including Facebook and PayPal, were affected.
Businesses

Trump Signs Into Law US Government Ban on Kaspersky Lab Software (reuters.com) 138

President Donald Trump signed into law on Tuesday legislation that bans the use of Kaspersky Lab within the U.S. government, capping a months-long effort to purge the Moscow-based antivirus firm from federal agencies amid concerns it was vulnerable to Kremlin influence. From a report: The ban, included as part of a broader defense policy spending bill that Trump signed, reinforces a directive issued by the Trump administration in September that civilian agencies remove Kaspersky Lab software within 90 days. The law applies to both civilian and military networks. "The case against Kaspersky is well-documented and deeply concerning. This law is long overdue," said Democratic Senator Jeanne Shaheen, who led calls in Congress to scrub the software from government computers. She added that the company's software represented a "grave risk" to U.S. national security.
Databases

Searchable Database of 1.4 Billion Stolen Credentials Found On Dark Web (itworldcanada.com) 72

YVRGeek shares a report from IT World Canada: A security vendor has discovered a huge list of easily searchable stolen credentials in cleartext on the dark web, which it fears could lead to a new wave of cyber attacks. Julio Casal, co-founder of identity threat intelligence provider 4iQ, which has offices in California and Spain, said in a Dec. 8 blog his firm found the database of 1.4 billion username and password pairs while scanning the dark web for stolen, leaked or lost data. He said the company has verified at least a group of credentials are legitimate. What is alarming is the file is what he calls "an aggregated, interactive database that allows for fast (one second response) searches and new breach imports." For example, searching for "admin," "administrator" and "root" returned 226,631 passwords of admin users in a few seconds. As a result, the database can help attackers automate account hijacking or account takeover. The dump file was 41GB in size and was found on December 5th in an underground community forum. The total amount of credentials is 1,400,553,869.
Bitcoin

SEC Shuts Down Munchee ICO (techcrunch.com) 43

The Securities and Exchange Commission has shut down Munchee, a company that built a $15 million token sale. According to TechCrunch, "The Munchee ICO aimed to fund the MUN coin, a payment system for restaurant reviews." However, the company "received a cease and desist from the SEC on December 11" because it constituted the offer and sale of unregistered securities. From the report: Within the SECs findings they noted that Munchee touted itself as a "utility" token which means that the company believed the MUN token would be primarily used within the Munchee ecosystem and not be used to fund operations. However, thanks to an application of the Howey Test (a Supreme Court finding that essentially states that any instrument with the expectation of return is an investment vehicle), the SEC found the Munchee was actually releasing a security masquerading as a utility. "Munchee offered MUN tokens in order to raise capital to build a profitable enterprise," read the SEC notice. "Munchee said that it would use the offering proceeds to run its business, including hiring people to develop its product, promoting the Munchee App, and ensuring 'the smooth operation of the MUN token ecosystem.'" The stickiest part? Munchee claimed that its coins would increase in value thanks to a convoluted process of growth.

In short, Munchee was undone by two things: depending on the token sale as a vehicle to raise cash for operations and using the typically spammy and scammy marketing efforts most ICO floggers use now, tactics taken directly from affiliate marketing handbooks. Fortunately, Munchee was able to return all $15 million to the 40 investors that dumped their coins into scheme.

IT

Tech Support Scammers Invade Spotify Forums To Rank in Search Engines (bleepingcomputer.com) 33

Tech support scammers have been aggressively posting on Spotify forums to inject their phone numbers in a bid to vastly improve their odds of showing up on Google and Bing search results, a new report claims. And that bet seems to be working. From the report: They do this by submitting a constant stream of spam posts to the Spotify forums, whose pages tend to rank well in Google. While this behavior causes the Spotify forums to become harder to use for those who have valid questions, the bigger problem is that it allows tech support scammers to rank extremely well and trick unknowing callers into purchasing unnecessary services and software. BleepingComputer was alerted to this problem by security researcher Cody Johnston who started to see an alarming amount of tech support scam phone numbers being listed in Google search results through indexed Spotify forum posts. The tech support scams being posted to Spotify include Tinder, Linksys, AOL, Turbotax, Coinbase, Amazon, Apple, Microsoft, Norton, McAfee and more.
Privacy

How Email Open Tracking Quietly Took Over the Web (wired.com) 116

Brian Merchant, writing for Wired: There are some 269 billion emails sent and received daily. That's roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an "email intelligence" company that also builds anti-tracking tools. The tech is pretty simple. Tracking clients embed a line of code in the body of an email -- usually in a 1x1 pixel image, so tiny it's invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online. But lately, a surprising -- and growing -- number of tracked emails are being sent not from corporations, but acquaintances. "We have been in touch with users that were tracked by their spouses, business partners, competitors," says Florian Seroussi, the founder of OMC. "It's the wild, wild west out there." According to OMC's data, a full 19 percent of all "conversational" email is now tracked. That's one in five of the emails you get from your friends. And you probably never noticed.
Google

Google Releases Tool To Help iPhone Hackers (vice.com) 52

Lorenzo Franceschi-Bicchierai, writing for Motherboard: Google has released a powerful tool that can help security researchers hack and find bugs in iOS 11.1.2, a very recent version of the iPhone operating system. The exploit is the work of Ian Beer, one of the most prolific iOS bug hunters, and a member of Google Project Zero, which works to find bugs in all types of software, including that not made by Google. Beer released the tool Monday, which he says should work for "all devices." The proof of concept works only for those devices he tested -- iPhone 7, 6s and iPod touch 6G -- "but adding more support should be easy," he wrote. Last week, Beer caused a stir among the community of hackers who hack on the iPhone -- also traditionally known as jailbreakers -- by announcing that he was about to publish an exploit for iOS 11.1.2. Researchers reacted with excitement as they realized the tool would make jailbreaking and security research much easier.

Slashdot Top Deals