State Department confirms data breach exposed employee data

The State Department has confirmed a data breach affecting an unknown number of employees. A spokesperson told TechCrunch that the breach affected “less than 1 percent” of unclassified employee inboxes. “We have not detected activity of concern in the Department’s classified email system.” “We determined that certain employee personally identifiable information may have been exposed and those employees were notified,” the spokesperson said. The department said an interagency investigation — including help from the private sector — is underway and declined to share further information. Politico was first to report the incident, citing a notice on the department’s internal pages. State is said to be using Microsoft’s Office 365 cloud-based email service for unclassified work. It’s not known what’s to blame for the breach. A report published earlier this year by administration watchdog Government Accountability Office said that the State Department had only rolled out some form of two-factor

Symantec offers free anti-spoofing services to US political campaigns and election groups

Symantec is the latest private security company to offer its expertise to vulnerable political targets on the house. Today the company announced that it would extend its “Project Dolphin” service (dolphins eat phish, get it) to political campaigns, candidates and election officials, all “prime target[s] for malicious actors seeking to influence the outcome of the upcoming U.S. midterm elections.” The service allows anyone to run a check on their own website to make sure no illegitimate or “spoofed” versions of it are floating around and luring unsuspecting victims. Individuals in those qualifying groups can sign up for free for Project Dolphin, Symantec’s AI-powered system that scans for and notifies users of illegitimate websites pretending to be the real thing — just one flavor of the common hacking technique called “spoofing.” Through spoofed sites, much like spoofed email accounts, hackers can steal login credentials and

Cloudflare’s new ‘one-click’ DNSSEC setup will make it far more difficult to spoof websites

Bad news first: the internet has been broken for a while. The good news is that Cloudflare thinks it can make it slightly less broken. With “the click of one button,” the networking giant said Tuesday, its users can now switch on DNSSEC in their dashboard. In doing so, Cloudflare hopes it removes a major pain point in adopting the web security standard, which many haven’t set up — either because it’s so complicated and arduous, or too expensive. It’s part of a push by the San Francisco-based networking giant to try to make the pipes of the internet more secure — even from the things you can’t see. For years, you could open up a website and take its instant availability for granted. DNS, which translates web addresses into computer-readable IP addresses, has been plagued with vulnerabilities, making it easy to hijack any step of the process to surreptitiously send users

This is what Americans think about the state of election security right now

A wide-ranging new poll yields some useful insight into how worried the average American feels about election threats as the country barrels toward midterms. The survey, conducted by NPR and researchers with Marist College, polled 949 adult U.S. residents in early September across regions of the country, contacting participants through both landlines and mobile devices. The results are a significant glimpse into current attitudes around the likelihood of foreign election interference, election security measures and how well social media companies have rebounded in the public eye.

Attitudes toward Facebook and Twitter

As the most recent dust settles around revelations that Russia ran influence campaigns targeting Americans on social media platforms, just how much do U.S. voters trust that Facebook and Twitter have cleaned up their acts? Well, they’re not convinced yet. In response to a question asking about how much those companies had done since 2016 “to make sure

Facebook pilots new political campaign security tools — just 50 days before Election Day

Facebook has rolled out a “pilot” program of new security tools for political campaigns — just weeks before millions of Americans go to the polls for the midterm elections. The social networking giant said it’s targeting campaigns who “may be particularly vulnerable to targeting by hackers and foreign adversaries.” Once enrolled, Facebook said it’ll help campaigns adopt stronger security protections, “like two-factor authentication and monitor for potential hacking threats,” said Nathaniel Gleicher, Facebook’s head of cybersecurity policy, in a Monday blog post. Facebook’s chief Mark Zuckerberg has admitted that the company “didn’t do enough” in the 2016 presidential election to prevent meddling and spreading misinformation, yet took a lashing from lawmakers for failing to step up in the midterms. A former Obama campaign official told TechCrunch that the offering was important — but late. “Fifty days is an eternity in campaign time,” said Harper Reed, who served as President Obama’s

Surveillance camera vulnerability could allow hackers to spy on and alter recordings

In newly published research, security firm Tenable reveals how popular video surveillance camera software could be manipulated, allowing would-be attackers the ability to view, disable or otherwise manipulate video footage. The vulnerability, which researchers fittingly dubbed “Peekaboo,” affects software created by NUUO, a surveillance system software maker with clients including hospitals, banks and schools around the globe. The vulnerability works via a stack buffer overflow, overwhelming the targeted software and opening the door for remote code execution. That loophole means that an attacker could remotely access and take over accounts with no authorization, even taking over networked cameras connected to the target device. “This is particularly devastating because not only is an attacker able to control the NVR [camera] but the credentials for all the cameras connected to the NVR are stored in plaintext on disk,” Tenable writes. Tenable provides more details on potential exploits tested with one

Five security settings in iOS 12 you should change right now

iOS 12, Apple’s latest mobile software for iPhone and iPad, is finally out. The new software packs in a bunch of new security and privacy features you’ve probably already heard about. Here’s what you need to do to take advantage of the new settings and lock down your device.

1. Turn on USB Restricted Mode to make hacking more difficult

This difficult-to-find new feature prevents any accessories — like USB cables and headphones — from connecting to your device when your iPhone or iPad has been locked for more than an hour. That prevents police and hackers alike from using tools to bypass your lock screen passcode and get your data. Go to Settings > Touch ID & Passcode and type in your passcode. Then scroll down to USB Accessories and make sure the setting is Off, so that accessories are not permitted while the device is locked.

2. Make sure automatic

Facebook expands bug bounty program to include third-party apps and websites

Facebook announced this morning it’s expanding its bug bounty program – which pays researchers who find security vulnerabilities within its platform – to now include issues found in third-party apps and websites. Specifically, Facebook says it will reward valid reports of vulnerabilities that relate to the improper exposure of Facebook user access tokens. Typically, when a user logs into another app using their Facebook account information, they’re able to decide what information the token and, therefore, the app can access and what actions it can take. But if the token becomes compromised, users’ personal information could be misused. Facebook says it will pay a minimum reward of $500 per vulnerable app or website, if the report is valid. The company also noted it wasn’t aware of any other programs offering rewards of this scope for all eligible third-party apps. If a vulnerability is determined to be legit, Facebook will then work

Altaba to settle lawsuits relating to Yahoo data breach for $47 million

Altaba, the holding company of what Verizon left behind after its acquisition of Yahoo, said it has settled three ongoing legal cases relating to Yahoo’s previously disclosed data breaches. In a Monday filing with the Securities and Exchange Commission, the former web giant turned investment company said it has agreed to end litigation for $47 million, which the company said will “mark a significant milestone” in cleaning up its remaining liabilities. The deal is subject to court approval; attorneys for both sides asked the court to approve it within 45 days, according to a filing submitted Friday. In case you missed it, Yahoo had two data breaches — one in mid-2013, where data on all of the company’s three billion users was stolen, and another breach a year later of 500 million accounts, including email addresses and passwords. The company blamed the attack on state-sponsored hackers, without citing

Facebook is hiring a director of human rights policy to work on “conflict prevention” and “peace-building”

Facebook is advertising for a human rights policy director to join its business, located either at its Menlo Park HQ or in Washington DC — with “conflict prevention” and “peace-building” among the listed responsibilities. In the job ad, Facebook writes that as the reach and impact of its various products continues to grow “so does the responsibility we have to respect the individual and human rights of the members of our diverse global community”, saying it’s:
… looking for a Director of Human Rights Policy to coordinate our company-wide effort to address human rights abuses, including by both state and non-state actors. This role will be responsible for: (1) Working with product teams to ensure that Facebook is a positive force for human rights and apply the lessons we learn from our investigations, (2) representing Facebook with key stakeholders in civil society, government, international institutions, and industry, (3) driving our

A new CSS-based web attack will crash and restart your iPhone

A security researcher has found a new way to crash and restart any iPhone — with just a few lines of code. Sabri Haddouche tweeted a proof-of-concept webpage with just 15 lines of code which, if visited, will crash and restart an iPhone or iPad. Those on macOS may also see Safari freeze when opening the link. The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use, Haddouche told TechCrunch. He explained that by nesting a ton of elements — such as <div> tags — inside a backdrop-filter property in CSS, you can use up all of the device’s resources and cause a kernel panic, which shuts down and restarts the operating system to prevent damage. “Anything that renders HTML on iOS is affected,” he said. That means anyone sending you a link on Facebook or Twitter, or if any webpage you

FEMA to send its first ‘Presidential Alert’ in emergency messaging system test

The Federal Emergency Management Agency will this week test a new “presidential alert” system that will allow the president to send a message to every phone in the US. The alert is the first nationwide test of the presidential alert system, FEMA said in an advisory, which allows the president to address the nation in the event of a national emergency. Using the Wireless Emergency Alert (WEA) system, anyone with cell service should receive the message on their phone. “THIS IS A TEST of the National Wireless Emergency Alert System. No action is needed,” the message will read, due to be sent out on Thursday at 2:18pm ET. Minutes later, the Emergency Alert System (EAS) will broadcast a similar test message over television, radio, and wireline video services. Emergency alerts aren’t new and warning systems have long been used — and tested — in the US to alert citizens of

North Korea skirts US sanctions by secretly selling software around the globe

Fake social media profiles are useful for more than just sowing political discord among foreign adversaries, as it turns out. A group linked to the North Korean government has been able to duck existing sanctions on the country by concealing its true identity and developing software for clients abroad. This week, the US Treasury issued sanctions against two tech companies accused of running cash-generating front operations for North Korea: Yanbian Silverstar Network Technology or “China Silver Star,” based near Shenyang, China, and a Russian sister company called Volasys Silver Star. The Treasury also sanctioned China Silver Star’s North Korean CEO Jong Song Hwa. “These actions are intended to stop the flow of illicit revenue to North Korea from overseas information technology workers disguising their true identities and hiding behind front companies, aliases, and third-party nationals,” Treasury Secretary Steven Mnuchin said of the sanctions. As the Wall Street Journal reported in

Three years later, Let’s Encrypt now secures 75% of the web

Bon anniversaire, Let’s Encrypt! The free-to-use nonprofit was founded in 2014 in part by the Electronic Frontier Foundation and is backed by Akamai, Google, Facebook, Mozilla and more. Three years ago Friday, it issued its first certificate. Since then, the numbers have exploded. To date, more than 380 million certificates have been issued on 129 million unique domains. Let’s Encrypt now secures 75 percent of the web, according to public Firefox data. That’s a massive increase from when it was founded, where only 38 percent of website page loads were served over an HTTPS encrypted connection. That also makes it the largest certificate issuer in the world, by far. “Change at that speed and scale is incredible,” a spokesperson told TechCrunch. “Let’s Encrypt isn’t solely responsible for this change, but we certainly catalyzed it.” HTTPS is what keeps the pipes of the web secure. Every time your browser lights up

UK warns of satellite and space program problems in case of Brexit ‘no deal’

The U.K. government says that access to satellites and space surveillance programs will suffer in the event of a “no deal” departure from the European Union. Britain has less than six months to go before the country leaves the 28-member state bloc, after a little over half the country voted to withdraw membership from the European Union in a 2016 referendum. So far, the Brexit process has been a hot mess of political infighting and uncertainty, bureaucracy and backstabbing — amid threats of coups and leadership challenges. And the government isn’t even close to scoring a deal to keep trade ties open, immigration flowing and airplanes taking off. Now, the government has further said that services reliant on EU membership — like access to space programs — will be affected. The reassuring news is that car and phone GPS maps won’t suddenly stop working. But the government said

Cryptocurrency mining attacks using leaked NSA hacking tools are still highly active a year later

It’s been over a year since highly classified exploits built by the National Security Agency were stolen and published online. One of the tools, dubbed EternalBlue, can covertly break into almost any Windows machine around the world. It didn’t take long for hackers to start using the exploits to run ransomware on thousands of computers, grinding hospitals and businesses to a halt. Two separate attacks in as many months used WannaCry and NotPetya ransomware, which spread like wildfire. Once a single computer in a network was infected, the malware would also target other devices on the network. The recovery was slow and cost companies hundreds of millions in damages. Yet, more than a year since Microsoft released patches that slammed the backdoor shut, almost a million computers and networks are still unpatched and vulnerable to attack. Although WannaCry infections have slowed, hackers are still using the publicly accessible NSA exploits

US lawmakers warn spy chief that ‘deep fakes’ are a national security threat

What once sounded like science fiction is now a reality: creating almost-perfectly faked videos of people saying things they never did, thanks to modern computing power and the ability to instantly share them on the world’s social stage. But U.S. lawmakers are worried that these faked videos could be used by the enemy to harm national security. If you’re unaware, “deep fakes” are digitally manipulated videos — which, using existing footage mixed with artificial intelligence and machine learning, can be made to look like, or close to, the real thing. Unsurprisingly, one of the first uses of deep fake videos was for porn — by superimposing faces onto others. But now, lawmakers think that deep fakes could be used as part of wider disinformation campaigns — known to be a tactic of adversarial nation states like Russia — in an effort to sway elections

Alibaba’s Ant Financial denies stealing from Equifax

Ant Financial has denied claims that it covertly raided Equifax, the U.S. credit firm that was hit by a hack last year, to grab information, including code, confidential data and documents to help recruit staff for its own credit scoring service. The Alibaba affiliate, which is valued at over $100 billion, launched Sesame Credit in China in 2015, and a report this week from The Wall Street Journal suggests that it leaned heavily on Equifax to do so. Ant Financial hired China-born Canadian David Zou from Equifax and the Journal claims that Zou looked up employee information to gauge potential hires and squirreled away confidential documents via his personal email account. Ant was said to have offered Chinese staff at Equifax lucrative raises — reportedly tripling their salaries — with a focus on those who “provided instructions on specific Equifax information… if they jumped ship.”

Security flaw in ‘nearly all’ modern PCs and Macs exposes encrypted data

Most modern computers, even devices with disk encryption, are vulnerable to a new attack that can steal sensitive data in a matter of minutes, new research says. In new findings published Wednesday, F-Secure said that none of the existing firmware security measures in every laptop it tested “does a good enough job” of preventing data theft. F-Secure principal security consultant Olle Segerdahl told TechCrunch that the vulnerabilities put “nearly all” laptops and desktops — both Windows and Mac users — at risk. The new exploit is built on the foundations of a traditional cold boot attack, which hackers have long used to steal data from a shut-down computer. Modern computers overwrite their memory when a device is powered down to prevent the data from being read. But Segerdahl and his colleague Pasi Saarinen found a way to disable the overwriting process, making a cold boot attack possible again. “It takes some