STE WILLIAMS

Breach in Stanford System Exposes Student Records

A wide variety of data was visible through the vulnerability.

A vulnerability in the system that lets Stanford University students view their own records gave one student the ability to view the Common Application forms and high school transcripts of other students. The precondition was to first request access to one’s own admission documents under the Family Educational Rights and Privacy Act (FERPA); once that access was granted, other students’ documents became reachable.

A wide variety of data was visible through the vulnerability: students’ Social Security numbers, ethnicity, legacy status, home address, citizenship status, criminal status, standardized test scores and official score reports, personal essays, and whether they applied for financial aid.

In the process of researching the vulnerability, the student was able to see information on a total of 81 students. Others doing research found information on an additional dozen students. In every case, the information was retrieved through a URL containing a record ID number rather than by searching for a student by name or other attributes: the system confirmed the requester was logged in but did not check that the requested record belonged to them, the classic insecure direct object reference. The university says it will inform the 93 students affected of the breach.
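The failure mode described above, as an added example that is not Stanford’s or NolijWeb’s code: a document lookup keyed on an ID from the URL, once with only an “is logged in” check and once with an object-level ownership check, plus the ID-walking loop a researcher would run against each. The data, names and the `Forbidden` error type are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str      # the student the record belongs to
    kind: str
    body: str


# Constructed sample store: numeric IDs, each record owned by one student.
DOCS = {
    1001: Document(1001, "student_a", "transcript", "A's transcript"),
    1002: Document(1002, "student_a", "common_app", "A's application"),
    2001: Document(2001, "student_b", "transcript", "B's transcript"),
}


class Forbidden(Exception):
    """Raised when a request must be refused (hypothetical error type)."""


def fetch_document_vulnerable(session_user, doc_id):
    """Authenticated but not authorised: any logged-in user who can guess an ID gets the record.

    This is the shape of an insecure direct object reference: the ID in the URL is trusted
    as if possessing it implied permission.
    """
    if session_user is None:
        raise Forbidden("login required")
    return DOCS[doc_id].body


def fetch_document(session_user, doc_id):
    """Object-level authorisation: the record must belong to the requester."""
    if session_user is None:
        raise Forbidden("login required")
    doc = DOCS.get(doc_id)
    # Same refusal for "missing" and "not yours", so an attacker cannot use the
    # difference in responses to enumerate which IDs exist.
    if doc is None or doc.owner != session_user:
        raise Forbidden("no such document")
    return doc.body


def enumerate_ids(session_user, fetch, id_range):
    """What a researcher does: walk a range of IDs and collect whatever comes back."""
    found = {}
    for doc_id in id_range:
        try:
            found[doc_id] = fetch(session_user, doc_id)
        except (Forbidden, KeyError):
            pass
    return found


if __name__ == "__main__":
    # student_b walks IDs 1000..2099 against both handlers.
    print("vulnerable:", enumerate_ids("student_b", fetch_document_vulnerable, range(1000, 2100)))
    print("hardened:  ", enumerate_ids("student_b", fetch_document, range(1000, 2100)))
```

The check that matters is the `doc.owner != session_user` comparison; an audit of a system like this looks for every handler that resolves a URL parameter to a record and asks whether that comparison (or an equivalent query filter on the owner column) is present on every path, not just the search page.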

The system, NolijWeb, has been patched. The student researchers and the student newspaper followed responsible disclosure guidelines in reporting the vulnerability and the breach.

Read more here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/breach-in-stanford-system-exposes-student-records/d/d-id/1333905?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

6 Tax Season Tips for Security Pros

Here are some practical ways to keep your company safe as Uncle Sam comes calling.

(Image: Artur – Adobe Stock)

The tax season has arrived, which means security pros should be on the lookout for tax-related phishing and vishing scams.

According to the IRS, last year saw a 60% increase in bogus schemes that sought to steal money or tax data. These schemes not only endanger a taxpayer’s financial and tax data, but they also give identity thieves a chance to steal a tax refund. They also put companies at risk, as fraudsters try to trap payroll administrators into business email compromise (BEC) via phishing or vishing scams.

The most common way for cybercriminals to steal money, bank account information, passwords, credit cards, or Social Security numbers? They simply ask for them, according to the IRS. 

“It’s shocking how many people fall for these scams,” says Ray Watson, vice president of innovation at Masergy. “And the sophistication of the attacks is growing faster than the defenses.”

Read on for a half-dozen tips on getting your company through this year’s tax season safely.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/6-tax-season-tips-for-security-pros/d/d-id/1333899?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Will the EU’s new copyright directive ruin the web?

The Mars Rover wasn’t the only thing to die last Wednesday. The EU also took another copyright-focused step toward killing the freedom to use memes and what critics say will be the death of the web as a place to freely exchange information.

Reactions like that came from many people who were concerned when the European Parliament on Wednesday finalized text in the Copyright Directive: legislation whose purpose is to drag copyright law into the digital age and ensure that content creators get paid for their work, be it newspaper copy, music or other copyrighted content.

Due to widely loathed articles in the directive, it or its articles have been called the ‘meme killer’, the ‘link tax’ and the ‘censorship machine’. Those articles, Articles 11 and 13, remain intact in the final text, as final efforts to remove them have failed.

At this point, the only thing standing in the way of the Copyright Directive becoming law is a full vote by the European Parliament and European Council.

In spite of robust opposition…

The directive was voted down by the European Parliament in July, but that was only a temporary reprieve.

Over the past few months, the final text was wrestled over in closed-door negotiations. Critics of the legislation held out hope that the talks would lessen or even remove the worst effects of Articles 11 – the ‘link tax’ – and 13, which is also known as the ‘upload filter.’

After a few member states rebelled in January, the articles were sent back to the drawing board. But France and Germany cut a last-minute deal that’s now resolved the dispute.

How bad is it?

Wikipedia founder Jimmy Wales thinks it’s a “complete disaster.”

He’s one of a collection of internet luminaries – including the inventor of the World Wide Web, Tim Berners-Lee, and internet pioneer Vint Cerf – who’ve been warning from the start that Article 13 “takes an unprecedented step towards the transformation of the internet, from an open platform for sharing and innovation, into a tool for the automated surveillance and control of its users.”

Read ’em and weep

Member of European Parliament (MEP) Julia Reda, a member of Germany’s Pirate Party and an opponent of the law, offered links to what she says is the unofficial, final text of Article 11 and Article 13 on her blog, as well as a summary.

Reda said that it could have been worse, but that it’s still pretty much a train wreck. For-profit platforms like YouTube, Tumblr, and Twitter will be forced to proactively scan user-uploaded content for material that infringes copyright… scanning that’s been error-prone and prohibitively expensive for smaller platforms.

Article 11, meanwhile, gives publishers the right to charge search engines, aggregators, and other sites if they reproduce more than “single words or very short extracts” of news stories – whatever that means, she said:

Reproducing more than “single words or very short extracts” of news stories will require a licence. That will likely cover many of the snippets commonly shown alongside links today in order to give you an idea of what they lead to. We will have to wait and see how courts interpret what “very short” means in practice – until then, hyperlinking (with snippets) will be mired in legal uncertainty.

There will be no exceptions made, even for services run by individuals, small companies or non-profits, she noted.

More about Article 13 from Reda’s summary:

  • Commercial sites and apps where users can post material must make “best efforts” to preemptively buy licences for anything that users may possibly upload – that is: all copyrighted content in the world. An impossible feat.
  • In addition, all but very few sites (those both tiny and very new) will need to do everything in their power to prevent anything from ever going online that may be an unauthorised copy of a work that a rightsholder has registered with the platform. They will have no choice but to deploy upload filters, which are by their nature both expensive and error-prone.
  • Should a court ever find their licensing or filtering efforts not fierce enough, sites are directly liable for infringements as if they had committed them themselves. This massive threat will lead platforms to over-comply with these rules to stay on the safe side, further worsening the impact on our freedom of speech.

Stop the madness

There’s still resistance in both the European Parliament and Council – both of which need to pass the directive before it becomes law, at which point member states would be forced to implement it.

The process will likely start today, 18 February. Then, it’s on to a vote by the Council’s EU member state governments. It can be voted down either by 13 member states or by 35% of the EU’s population. Last time it was voted on, 8 countries, representing 27% of the EU’s population, voted thumbs-down.

Otherwise, it will take a majority vote in the European Parliament to kill it. That’s scheduled for either between March 25 and 28, on April 4 or between April 15 and 18. That vote could result in killing the bill, killing Articles 11 and 13, or in shelving the project until after EU elections in May.

Did somebody say “elections?” That’s where EU citizens come in, Reda said:

It is up to you to make clear to your representatives: Their vote on whether to break the internet with Articles 11 and 13 will make or break your vote in the EU elections. Be insistent – but please always stay polite.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-t5nE618AUk/

Opera integrates a cryptocurrency wallet – is this Web 3.0?

When it appears in the next few weeks, the latest version of Opera (“Reborn 3” or “R3”) for Windows, Mac and Linux will become the first mainstream desktop browser to integrate a cryptocurrency wallet.

If you believe cryptowallets are about to become an important way to pay for things on the web, this will sound like another tick in the box for a Chromium-based browser that is still innovating furiously to stay in touch with Chrome, Safari and Firefox.

Alternatively, if you don’t use cryptowallets, you’ll wonder what all the fuss is about – what’s the big deal about a browser with a desktop wallet when there are already plenty of standalone mobile decentralised apps (DApps) that do the same job?

To begin answering this question, in December, Opera Mobile for Android integrated an Ethereum (ETH) Web3 API wallet of its own (served through a platform called Infura), effectively turning its mobile browser into a convenient interface for managing cryptocurrency.

The wallet inside Opera R3 pairs with that mobile wallet, so there is no separate wallet to manage on Windows or Mac, and the phone becomes an easy way to authenticate desktop transactions using something as simple as a fingerprint.

In the current developer version, setup is as simple as clicking on the new wallet icon in Opera R3’s sidebar and using Opera Mobile (beta) to scan the QR code it generates – the same system Opera has used for some time to connect to external apps.

Web 3.0 mystery

Web 3.0 is a term that means different things to different people, but there’s a general agreement that it should at least involve a ‘native’ all-digital way of transacting.

Currently, transactions depend on pre-web mechanisms such as credit and debit cards which come with hidden costs. Blockchains, cryptocurrencies and cryptowallets are a way of building a peer infrastructure which, in theory, ditches all of that.

As Opera cryptocurrency product lead Charles Hamel explained to ZDNet last year:

Our hope is that this will accelerate the transition of cryptocurrencies from speculation and investment to being used for actual payments and transactions in our users’ daily lives.

Normally, new features such as this are part and parcel of how browser makers try to appeal to users, preferably by doing something their rivals aren’t.

Chrome has speed and lots of third-party extensions, Firefox has security and privacy, Safari is the alternative to the Googleverse and ships with the iPhone, while Edge is tightly bound to Windows 10.

Opera? It tried adding an in-house VPN (later sold), before focussing on adblocking and, more recently, a Virtual Reality player for headsets.

Searching around for some special sauce, it hit on the arrival of crypto-infrastructure as the next big thing.

It probably helps that during 2018 the company partnered with blockchain adviser Ledger Capital and that cryptocurrency mining firm Bitmain invested $50 million during Opera’s IPO in the summer.

Another browser searching for a raison d’être is Microsoft’s under-used Edge which in December announced plans to use the Chromium engine that already powers Google’s Chrome and Opera.

This didn’t impress Mozilla, the holdout against the all-Chromium world, but it’s a pragmatic approach that should see Microsoft become more Opera-like in its feature development.

An early example of this is NewsGuard, a fake news warning system based on human rather than algorithmic judgments about website content.

It might seem that Chrome has won the browser wars, but Opera and Edge’s burst of creativity hint that whatever Web 3.0 turns out to be could yet nibble away at that supremacy.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9GGI9FqWpwk/

Mega-crackers back with nearly 100 million new stolen data records

The cracker who recently put 620 million breached records up for sale…

…is back with close to 100 million more, according to reports.

Just over five years ago, we jokingly coined the phrase “one hundred million club”, following Adobe’s then-epic leaking of 150 million records.

Back then, breaches with that many records exposed at the same time were rare.

These days, we frequently hear of breaches that are well above 100 million records, for all that they often involve aggregated breaches of multiple servers and services, possibly collected over many years.

For example, we recently saw Collection #1 hit the underground market, with more than 700,000,000 unique records, closely followed by four more breach collections, imaginatively named Collection #2 to #5, with a further 2.2 billion items.

This latest breach sounds slightly different.

Rather than collating and coalescing breached data going back years, and perhaps including old, retired or discarded accounts, TechCrunch is suggesting that the cracker used a common way into a series of different sites.

Well-known sites on the list allegedly include fun-with-GIFs website Gfycat, cloud image editor piZap and fitness fanatics Classpass.

TechCrunch suggests that all the sites in the latest breach list were running PostgreSQL as their database engine, though whether this was a factor in the sites getting breached at the same time is unknown.

These days, crooks don’t just break in by abusing unpatched security bugs in your server apps, but also by aggressively exploiting weak security practices, such as poor or re-used passwords or unprotected services made public on the internet by mistake.

What to do?

There’s no evidence that actual passwords were stolen in these breaches – at worst, it seems that the crooks made off with hashed passwords, which can’t be used to log in directly.

A cracker who’s made off with a hashed password list still needs to crack each password in it, so the better your choice of password (and the slower and saltier the site’s hashing scheme), the longer the crooks will take to hit upon the right one.

In that case, changing your old password makes the cracked value useless to the crooks, so the faster you change it, the lower the chance that they figure it out first.

So:

  • Patch early, patch often. If you’ve got a server afflicted by known security holes, then the crooks probably already know how to break in if they want to, so stay one step ahead.
  • Change passwords on affected sites. As mentioned above, if you change an at-risk password before the crooks figure it out and log in with it, you win.
  • Don’t re-use passwords. We can’t say this frequently enough, which is why you hear us repeating it all the time. If one password gets breached, make sure it doesn’t instantly let the crooks into other accounts, too.
  • Consider 2FA. Two-factor authentication requires some sort of additional action when you log in, such as entering a one-time string of digits as well as your password. This keeps you one step ahead of the crooks.
  • Get a password manager. If you let a password manager pick strong passwords for you – and make it choose a new one for each site – you’ll avoid password re-use, make logging in easier, and give yourself more time for 2FA.

According to TechCrunch, account data in the breach includes information from: Legendas.tv, OneBip, Storybird, Jobandtalent, Gfycat, ClassPass, piZap and StreetEasy. We don’t know if this is an exhaustive list, but if you are a user of one of those services, a precautionary password change might be a smart idea. A password manager makes choosing new passwords quick and easy. There’s no suggestion at this time [2019-02-18T14:30Z] that any financial records such as credit card numbers were stolen from anyone.
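To make the “hashed passwords still need cracking” point concrete, and to show why the roundup further down flags one dump as MD5-hashed, here is an added example (not code from Naked Security, TechCrunch or any of the sites named) that cracks a constructed dump two ways: a lookup table against unsalted MD5, and a per-user search against salted PBKDF2. The wordlist, accounts and hash parameters are all constructed for illustration; the hash evaluation counts the functions return are what matter.

```python
import hashlib
import hmac
import os

# Constructed wordlist and account data; no real breach data is used.
WORDLIST = ["123456", "password", "qwerty", "letmein", "football", "Tr0ub4dor&3"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# A dump in the weak format: unsalted MD5, as one of the breached sites is said to have used.
LEAKED_MD5 = {
    "alice@example.com": md5_hex("qwerty"),
    "bob@example.com": md5_hex("letmein"),
    "carol@example.com": md5_hex("correct horse battery staple"),  # not in the wordlist
}


def crack_unsalted_md5(dump: dict, wordlist: list) -> tuple:
    """Return (cracked, hash_evaluations) for an unsalted fast-hash dump.

    With no salt, one hash per candidate word covers every account at once:
    identical passwords give identical digests, so a precomputed table answers
    each user in constant time. The cost is |wordlist|, not |users| x |wordlist|.
    """
    table = {md5_hex(word): word for word in wordlist}
    cracked = {user: table[digest] for user, digest in dump.items() if digest in table}
    return cracked, len(wordlist)


def pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_salted_dump(accounts: dict, iterations: int = 200_000) -> dict:
    """Build the stronger storage format: random per-user salt plus a slow, iterated hash."""
    dump = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        dump[user] = (salt, pbkdf2(password, salt, iterations))
    return dump


def crack_salted_pbkdf2(dump: dict, wordlist: list, iterations: int = 200_000) -> tuple:
    """Return (cracked, hash_evaluations) for a salted, iterated dump.

    The per-user salt forces the attacker to re-hash the wordlist for every
    account, and each evaluation costs `iterations` rounds, so the work grows as
    users x words x iterations. That multiplier is the time a user has to
    change the password before it is recovered.
    """
    cracked, evaluations = {}, 0
    for user, (salt, digest) in dump.items():
        for word in wordlist:
            evaluations += 1
            if hmac.compare_digest(pbkdf2(word, salt, iterations), digest):
                cracked[user] = word
                break
    return cracked, evaluations


SALTED_ACCOUNTS = {
    "alice@example.com": "qwerty",
    "carol@example.com": "correct horse battery staple",
}


def crack_salted_demo(iterations: int = 200_000) -> tuple:
    """Hash SALTED_ACCOUNTS with fresh salts and attack them with WORDLIST."""
    return crack_salted_pbkdf2(make_salted_dump(SALTED_ACCOUNTS, iterations), WORDLIST, iterations)


if __name__ == "__main__":
    found, n = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    print(f"unsalted MD5: cracked {found} after {n} hash evaluations")
    found, n = crack_salted_demo()
    print(f"salted PBKDF2: cracked {found} after {n} evaluations of 200000 rounds each")
</```

Alice’s “qwerty” falls to both schemes because the problem is the password, not the hash; the difference is that the MD5 table cracks every “qwerty” user in the dump for the price of one hash, while the salted scheme pays the full iterated cost per account and still fails on Carol’s passphrase. A real cracking rig runs the same loop on GPUs with billions of candidates, which is why a short, reused password should be assumed recoverable from any fast-hash leak.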


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mHwY-DfGfH4/

Australian prime minister blames ‘state level’ baddies for Oz parliament breach

Australia’s prime minister has blamed a “sophisticated state actor” for a hack on the country’s parliament and some of its prominent political parties.

PM Scott Morrison told the continent-country’s legislature earlier today that security agencies “acted decisively to confront” the attack, which first came to public light on 8 February when local parliament workers reset all their users’ passwords.

“Our cyber experts believe that a sophisticated state actor is responsible for this malicious activity,” said Morrison this morning. This is a shift from Australia’s position on the hack 10 days ago, when the Speakers of both of the Australian parliament’s houses jointly said the password reset had been “undertaken for abundance of caution” in response to an “incident”.

The three main political parties – the Nationals, Liberal and Labor – are said to have been affected. Elections to the upper house of Australia’s parliament, the Senate, are due to take place in around three months from now. No official sources have suggested election interference as a motive for the hackers, however.

Alastair MacGibbon, head of the Australian Cyber Security Centre (the Aussie version of Britain’s NCSC, an offshoot of GCHQ), told the Australian Broadcasting Corporation: “The sophistication of their methodology to operate in those systems gives us the confidence to say it is a state actor… There are a limited number of countries but we have low confidence at being able to publicly state who we think it is.”

Both the ABC and the Sydney Morning Herald have floated the possibility that China is to blame, though both outlets heavily caveat this. The SMH reported: “Only four nations are thought to be capable of such a high-level attack: China, Russia, Israel and the United States.”

This mild insult to British state-level hacking capabilities aside, Australian diplomatic relations with China are just as fraught as the UK’s, with the added complication that Australia is one of the countries that has blocked Huawei 5G equipment from being used on its national phone networks. The Royal Australian Navy also plays a minor role in US-led freedom of navigation operations in the South China Sea, parts of which China claims as its own territory after building artificial islands to enlarge its territorial claims over formerly international waters.

These so-called FONOPS (Freedom of Navigation Operations) were the cause of the recent cancellation of UK-China trade talks after British Defence Secretary Gavin Williamson repeated the UK’s decade-old plan to sail new aircraft carrier HMS Queen Elizabeth through the South China Sea in the year 2021. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/18/australia_pm_scott_morrison_state_level_hackers_parliament_breach/

Privacy Ops: The New Nexus for CISOs & DPOs

No longer can privacy be an isolated function managed by legal or compliance departments with little or no connection to the organization’s underlying security technology.

Recent advancements in machine learning and big data analytics have made data more important today than ever before. Companies are now investing heavily in protecting their customers’ data; for instance, Facebook has pledged to double its safety and security team to 20,000 people.

Since the introduction of Europe’s General Data Protection Regulation (GDPR) in 2018, data protection officers (DPOs) have become the subject of the latest hiring frenzy. Large organizations that are mandated to hire a DPO based on the GDPR’s criteria are struggling to find the right person for the job. But how does a DPO fit into the typical security organization?

At the end of the day, a DPO should report directly to top management on all regulation and privacy topics. As such, the perfect candidate must have in-depth knowledge of GDPR and other regulations. Your DPO should also view the responsibilities of GDPR compliance as an opportunity to drive your business forward.

Here is where things become challenging.

Security is led by the chief information security officer (CISO), who oversees regulation and all other security matters. The privacy side is led by the DPO, but this department is traditionally made up of lawyers and legal practitioners who have little knowledge of technology and security. The DPO doesn’t have a real connection to the company’s technology, and certainly does not have the buying power behind it.

This is true historically as well; the privacy side of operations within an enterprise comes from a legal background, which has been conservative and resistant to change. However, the emergence of regulations such as GDPR has caused a rise of influence in privacy roles, which have started to see growth and an increase in purchasing power. Organizations have also realized the critical need for cross-departmental collaboration and communication.

Today, we have entered a new era of global privacy management. No longer will privacy be an isolated function that can be housed by just legal or compliance. There needs to be a connector somewhere — Privacy Operations — a new and separate group that will serve as the technical connector between the security and privacy teams.

Privacy Ops is much like DevSecOps, wherein security processes take place along with development sprints. And just as security practitioners had to become involved and affect the software life cycle, privacy practitioners today must understand the data life cycle and enforce protection controls throughout the data processing pipelines. In Privacy Ops, we will see a merging of the security and privacy teams, in which the DPOs will leverage the security team’s expertise to implement and manage technology in order to simplify regulation adherence.

This change and adaptation to new privacy standards has the potential to positively affect multiple aspects of privacy, business, and security. Privacy or DPO teams can now enhance their in-house impact on the organization and help protect user privacy by adopting technical solutions to be maintained by the privacy operations teams. This allows business digitalization teams to leverage data that is now maintained and governed. Security teams can leverage the power of the new privacy operations teams to enforce privacy regulations, thus allowing security to focus on risk management and prevention.

The impact of hiring data protection professionals and implementing privacy-driven technology is yet to be seen, but it is a necessary step toward minimizing data breaches and keeping our data from falling into the wrong hands.

Amit Ashbel, security evangelist at Cognigo, has been with the security industry for two decades and has taken on multiple tasks and responsibilities, including technical positions and senior product lead positions. Amit has experience with a wide range of security …

Article source: https://www.darkreading.com/endpoint/privacy-ops-the-new-nexus-for-cisos-and-dpos/a/d-id/1333878?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Data-spewing Spectre chip flaws can’t be killed by software alone, Google boffins conclude

Google security researchers have analyzed the impact of the data-leaking Spectre vulnerabilities afflicting today’s processor cores, and concluded software alone cannot prevent exploitation.

The Chocolate Factory brainiacs – Ross Mcilroy, Jaroslav Sevcik, Tobias Tebbi, Ben L. Titzer, Toon Verwaest – show that they can construct what’s dubbed a universal read gadget to exploit the Spectre family of speculative-execution flaws present in various CPU families, allowing attacker-supplied code running in a thread to read all memory in the same address space.

This means, for example, a malicious webpage’s JavaScript code executing in a web browser thread can potentially snoop on another webpage’s JavaScript running in another thread, and steal secret data from that other page. There are already mitigations in place in browsers, such as Chrome’s Site Isolation that keeps webpages in separate processes, limiting what any malicious JavaScript can spy on. Firefox, Internet Explorer, and Edge, at least, block the use of JS object SharedArrayBuffer, which can be exploited to perform Spectre snooping.

However, the underlying threat is still there for any applications interpreting attacker-supplied code. Language-based defenses and similar safeguards within a process can’t stop Spectre; you have to go down to hardware-based separation using individual processes with their own individual virtual address spaces and hardware-enforced page tables.

Threat or hype?

Since there aren’t many other scenarios in which attacker-supplied code is interpreted in the same address space as other user-supplied code – web browsers spring to mind, chiefly – the Googlers’ research is largely academic, and not something to immediately panic over. However, if you’re developing software that interprets external code, this is something to be very much aware of.

“We now believe that speculative vulnerabilities on today’s hardware defeat all language-enforced confidentiality with no known comprehensive software mitigations, as we have discovered that untrusted code can construct a universal read gadget to read all memory in the same address space through side-channels,” the researchers say in a paper distributed through pre-print service ArXiv.

The paper is titled “Spectre is here to stay: An analysis of side-channels and speculative execution.”

Shortly after The Register first reported the Spectre and Meltdown bugs in January 2018, University of Michigan assistant professor of computer science Daniel Genkin, a co-author of the original Spectre research paper who was a postdoctoral student at the time, said as much: “We are currently not aware of effective countermeasures that will eliminate the root cause of Spectre, short of hardware redesign,” he told The Register last year.

Spectre, as its name suggests, involves the exploitation of speculative execution, a feature of modern processors that guesses which way a branch will go and starts executing instructions down the predicted path before the branch condition has actually been resolved, rather than stalling until it is.

If the guess was right, the results are kept, which saves time and hastens code execution. If it was wrong, the results are discarded architecturally, but the side effects on microarchitectural state, such as which lines are now in the cache, remain. As the Spectre flaws demonstrated, that residue can be abused: a mis-speculated load can pull in a cache line chosen by a secret value, and an attacker who times later accesses can recover that value.

There are several Spectre variants but the basic problem is that chip designers traded security for speed. “Our models, our mental models, are wrong; we have been trading security for performance and complexity all along and didn’t know it,” the researchers observe.

Variant 4, Speculative Aliasing Confusion (also known as Speculative Store Bypass), has no software solution that Google’s researchers could find. “Variant 4 defeats everything we could think of,” the researchers say.

Initially, software and hardware makers pushed fixes like microcode updates and techniques like Retpoline. Browser makers Google and Mozilla made timing data less accessible, to make speculative execution attacks more difficult.

But that appears to be futile. “We argue that mitigating timing channels by manipulating timers is impossible, nonsensical, and in any case ultimately self-defeating,” the researchers say.

Google’s boffins added defenses against Spectre into the V8 JavaScript virtual machine within the company’s Chrome browser and found the performance penalties frustrating because they slow things down without truly fixing the problem. “None of these mitigations provide comprehensive protection against Spectre, and so the mitigation space is a frustrating performance / protection trade-off,” they say.

That’s why Google shifted its browser security focus to the aforementioned site isolation. But help has to come from hardware, too, in the form of better process isolation.

Intel announced hardware fixes for some of the Spectre vulnerabilities in March 2018, but its claim that Spectre Variant 1 “will continue to be addressed via software mitigations” now looks rather dubious. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/18/spectre_cant_be_killed/

Tens of millions more web accounts for sale after more sites hacked, Mac malware spreads via Windows.exe, and more

Roundup Let’s kickstart your Monday with some lovely juicy computer security and screwups news, beyond what we reported last week.

New round of data theft claims

Throughout last week, El Reg broke the news that more than 600 million account details had been stolen from more than a dozen websites, and were being offered for sale on the dark web by a single seller. One by one, the companies hit by the hacker confirmed their customer records had been swiped and touted online for Bitcoin.

Just before the weekend, the miscreant put more databases up for sale on the dark web from more hacked websites. The purloined data is mostly usernames or email addresses as well as hashed passwords, sold to spammers and credential stuffers to exploit. Here’s the list of purported account records for sale:

  • Houzz: 57 million usernames and hashed passwords. The company is aware, and notified customers and law enforcement around early February that it had been ransacked by a hacker.
  • YouNow: 40 million usernames and IP addresses. The company is aware, and said that no passwords were involved as it uses external sites for user authentication. YouNow says it does not believe the advertised data was stolen from its systems, and may have been scraped from its website – although that doesn’t explain the IP addresses.
  • ixgo: 18 million usernames and MD5 hashed passwords, which could be trivially easy to break.
  • Stronghold Kingdoms: 5 million accounts and HMAC-RIPEMD160 hashed passwords.
  • Roll20.net: 4 million usernames and bcrypt hashed passwords.
  • ge.tt: 1.8 million usernames and sha256 hashed passwords.
  • Petflow: 1.5 million usernames and MD5 hashed passwords, which could be trivially easy to break.
  • CoinMama: 400,000 usernames and PHPASS hashed passwords.
  • Plus, in late-breaking news: 60 million accounts from Pizap, 8 million from Gfycat, 20 million accounts from Storybird, Jobandtalent, Legendas.tv, and OneBip, 1.5 million from ClassPass, and one million from StreetEasy.

Needless to say, if you have an account on any of these sites you would be well-advised to change your password ASAP. The stolen credentials were hashed, ie run through a one-way function rather than stored in the clear, and some of the more secure algorithms, such as bcrypt, make it highly unlikely they could be cracked to steal accounts, but it’s better to be safe than sorry.
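The list above mixes unsalted fast digests (MD5, SHA-256) with salted, deliberately slow schemes (bcrypt, PHPASS). The triage script below, an added example rather than anything from the roundup or the affected sites, identifies the scheme from the stored format and shows why an unsalted table is the dangerous case: equal passwords yield equal digests, so one cracked hash unlocks every account sharing it. The records are constructed; the bcrypt and PHPASS values are shape-only stand-ins.

```python
import hashlib
import re
from collections import Counter

# Constructed "user:stored_value" records; the bcrypt/PHPASS entries are
# format stand-ins of the right length, not real hashes.
RECORDS = [
    "alice:" + hashlib.md5(b"password1").hexdigest(),
    "bob:" + hashlib.md5(b"password1").hexdigest(),      # same password as alice
    "carol:" + hashlib.sha256(b"letmein").hexdigest(),
    "dave:$2b$12$" + "k" * 53,                           # bcrypt-shaped, cost 12
    "erin:$P$B" + "s" * 30,                              # PHPASS-shaped
]

# (name, on-disk pattern, salted?, offline-cracking risk), strongest first.
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$(\d\d)\$[./A-Za-z0-9]{53}$"), True, "low"),
    ("phpass", re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$"), True, "medium"),
    ("sha256-hex", re.compile(r"^[0-9a-f]{64}$"), False, "high"),
    ("md5-hex", re.compile(r"^[0-9a-f]{32}$"), False, "critical"),
]


def classify(stored):
    """Return (scheme, salted, risk) for one stored password value.
    Bare hex digests are unsalted fast hashes, the case the roundup
    calls trivial to break; bcrypt's cost factor is surfaced so a
    responder can see how slow guessing would be."""
    for name, pattern, salted, risk in SCHEMES:
        m = pattern.match(stored)
        if m:
            if name == "bcrypt":
                name = "bcrypt(cost=%d)" % int(m.group(1))
            return name, salted, risk
    return "unknown", False, "unknown"


def shared_hash_accounts(records):
    """Group accounts whose *unsalted* stored values are identical.
    Without a salt, equal passwords give equal digests; salted schemes
    never collide this way, so they are skipped."""
    by_value = {}
    for rec in records:
        user, stored = rec.split(":", 1)
        if not classify(stored)[1]:
            by_value.setdefault(stored, []).append(user)
    return {v: users for v, users in by_value.items() if len(users) > 1}


def triage(records):
    """Account count per scheme, to size a forced password reset."""
    return Counter(classify(rec.split(":", 1)[1])[0] for rec in records)
```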

Prosecutors claim Stone link to WikiLeaks

Friday afternoon’s bad news dump contained a new allegation in the case against President Trump associate Roger Stone.

US prosecutors say they have copies of direct communications between Stone and Wikileaks. If proven, that would place Stone within an alleged chain of communication that went from the Guccifer 2.0 hacking operation to WikiLeaks, to Stone, and possibly to the Trump campaign.

Stone has pleaded not guilty.

Facebook using tracking tools to watch ‘threats’

Stop us if you’ve heard this one before: a newly-uncovered practice at Facebook is raising possible privacy concerns.

This time, it’s a report from CNBC outlining how the social network uses its products to track users who they believe pose a credible threat to Facebook offices and employees.

Dubbed “Bolo” (short for Be On Look Out), the tool has reportedly been in use for more than a decade. When a user is added to the Bolo list, Facebook’s security team gets their information as well as their location information and photos.

While Facebook maintains that the list is only used to protect its employees from credible threats of harm, the report suggests that in some cases people are added to the list for minor infractions, or because they were a former employee or contractor.

The whole thing is a sticky situation. On one hand, Facebook can and should be able to protect its employees from any threat of harm. On the other, the social network doesn’t exactly have the best track record when it comes to guarding privacy.

Hackers show off remote-control tricks in Xiaomi scooters

A report by security shop Zimperium found that Xiaomi’s M365 scooter model uses a potentially insecure Bluetooth control system that can be managed through a smartphone.

The flaw is not within the scooter’s hardware itself, but rather in the way the techie toys communicate with administrator devices over Bluetooth.

The problem arises in the way that Bluetooth communication occurs. The hackers found that by default the scooter assumes the person running the application has already been authenticated.

“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password,” writes researcher Rani Idan.

“The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state.”

Fortunately, it does not look like this is a threat for any of the popular rent-a-scooter services popping up in cities. Of the major scooter carriers we talked to, only one still used the M365, and they had closed the described vulnerability long before putting the scooters on the street.
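The design flaw Zimperium describes, a password checked only by the app while the scooter keeps no authentication state, is easiest to see as two small state machines. The model below is an added example, not Zimperium's or Xiaomi's code; the command names, the shared pairing secret and the challenge-response message shape are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-pairing-secret"   # shared by app and scooter in this model
COMMANDS = {"lock", "unlock", "set_speed"}


class FlawedScooter:
    """Mirrors the reported behaviour: the peripheral assumes whoever is
    talking to it has already passed the app-side password check, so it
    keeps no auth state and executes any well-formed command."""
    def handle(self, msg):
        cmd = msg["cmd"]
        return ("ok", cmd) if cmd in COMMANDS else ("error", "unknown")


class HardenedScooter:
    """The peripheral verifies a challenge response itself and gates every
    command on its own session state; the app's opinion is irrelevant."""
    def __init__(self, secret):
        self._secret = secret
        self._nonce = None          # outstanding challenge, if any
        self.authenticated = False

    def challenge(self):
        self._nonce = os.urandom(16)
        return self._nonce

    def handle(self, msg):
        if msg["cmd"] == "auth":
            nonce, self._nonce = self._nonce, None   # one nonce, one attempt
            if nonce is None:
                return ("error", "no challenge outstanding")
            expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
            if hmac.compare_digest(msg.get("proof", b""), expected):
                self.authenticated = True
                return ("ok", "auth")
            return ("error", "auth failed")
        if not self.authenticated:
            return ("error", "unauthenticated")
        cmd = msg["cmd"]
        return ("ok", cmd) if cmd in COMMANDS else ("error", "unknown")


def app_prove(secret, nonce):
    """What the legitimate app sends back for a challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()
```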

Mac malware spreads via Windows PC apps

A new outbreak of Mac malware infections is coming from an unlikely source: a Windows .EXE file.

Researchers at Trend Micro say the infection disguises itself as an installer for the popular paid-for Little Snitch macOS security tool being spread for free on Torrent sites.

Within the installer is a .EXE file, a Windows executable packed with the Mono .NET framework, which allows the executable to launch on a Mac and begin downloading adware and logging system information.

Trend believes the unusual behavior is done to evade macOS’s built-in Gatekeeper security tool that would otherwise spot the malicious activity: in other words, the operating system would stop the malware as an unsigned binary, or from an untrusted developer, but allows the .EXE to run.

“We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks since it is an unsupported binary executable in Mac systems by design,” the security firm says.

“We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine.”
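A simple check a defender can run on a downloaded installer before opening it is to look for Windows PE executables hiding inside a macOS bundle, the pattern Trend Micro describes. The scanner below is an added example, not Trend Micro's tooling; it reads only file headers, and the sample bundle it builds contains constructed header stubs, not real malware.

```python
import os
import struct
import tempfile


def is_pe(path):
    """True if the file starts with a DOS 'MZ' stub whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature: a Windows executable."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def find_pe_files(root):
    """Walk an app or installer directory and report every PE file inside,
    whatever its name; a .exe in a macOS bundle is a red flag on its own."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                if is_pe(p):
                    hits.append(os.path.relpath(p, root))
            except OSError:
                pass
    return sorted(hits)


def make_stub_pe(path):
    """Write a minimal PE-shaped header: MZ stub, e_lfanew=0x80, PE signature."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    with open(path, "wb") as f:
        f.write(bytes(hdr) + b"PE\0\0")


def build_sample_bundle():
    """Constructed bundle: a Mach-O-looking launcher plus a hidden PE file."""
    root = tempfile.mkdtemp()
    macos = os.path.join(root, "Installer.app", "Contents", "MacOS")
    res = os.path.join(root, "Installer.app", "Contents", "Resources")
    os.makedirs(macos)
    os.makedirs(res)
    with open(os.path.join(macos, "Installer"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\0" * 60)   # 64-bit Mach-O magic, stub body
    make_stub_pe(os.path.join(res, "Installer.exe"))
    return root
```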

Microsoft sacks SAC-T

Redmond wants to make it a bit easier for companies to upgrade their PCs. To do that, Microsoft says it is doing away with the SAC-T designation on some versions of Windows.

Previously, SAC-T, or Semi-Annual Channel (Targeted), had been designated for specific versions of Windows offered on Windows Update for Business. This was done as Microsoft was working to get the Windows and Office releases aligned on Update for Business. That work will be done in the upcoming Windows feature update.

“Instead, you will find a single entry for each new SAC release. In addition, if you are using Windows Update for Business, you will see new UI and behavior to reflect that there is only one release date for each SAC release,” writes Microsoft’s John Wilcox.

“If you use System Center Configuration Manager, Windows Server Update Services (WSUS), or other management tools, there will now only be one feature update published to WSUS, and this will occur at the time of release.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/18/security_roundup_150219/