Archive for the ‘Biz & IT’ Category

Facebook pulls its privacy-invading VPN app from Google Play store

February 22nd, 2019

Facebook has pulled its privacy-invading Onavo Protect VPN app off the Google Play store and will reportedly stop gobbling up data from users who still have the app on their devices.

Facebook "will immediately cease pulling in data from [Onavo] users for market research though it will continue operating as a Virtual Private Network in the short term to allow users to find a replacement," TechCrunch reported yesterday.

Facebook's Onavo website still exists, but links to the Android and iOS apps are both broken. Facebook pulled the app from the iPhone and iPad App Store in August 2018 after Apple determined that Onavo violated its data-collection rules. Facebook purchased Onavo, an Israeli company, in 2013.


Posted in Android, Biz & IT, Facebook, iOS, onavo, Policy, VPN | Comments (0)

Millions of websites threatened by highly critical code-execution bug in Drupal

February 22nd, 2019

Millions of sites that run the Drupal content management system run the risk of being hijacked until they're patched against a vulnerability that allows hackers to remotely execute malicious code, managers of the open source project warned Wednesday.

CVE-2019-6340, as the flaw is tracked, stems from a failure to sufficiently validate user input, managers said in an advisory. Hackers who exploited the vulnerability could, in some cases, run code of their choice on vulnerable websites. The flaw is rated highly critical.

"Some field types do not properly sanitize data from non-form sources," the advisory stated. "This can lead to arbitrary PHP code execution in some cases."


Posted in Biz & IT, content management systems, Drupal, exploits, vulnerabilities | Comments (0)

YouTube loses advertisers over “wormhole into pedophilia ring”

February 21st, 2019

YouTube is losing advertising from Fortnite maker Epic Games, Disney, and other companies because of ads appearing alongside videos shared by pedophiles.

YouTube told Ars that it has taken action against users violating its policies this week, including by terminating more than 400 channels, deleting accounts, and disabling comments on tens of millions of videos. YouTube said it has also reported illegal content to authorities, but the company admitted it has more to do. We asked YouTube if it has identified any problems in its algorithms that helped cause the problem but received no answer to that question.

"All Nestle companies in the US have paused advertising on YouTube, a spokeswoman for the company said Wednesday in an email," Bloomberg reported yesterday. "Video game maker Epic Games Inc. and German packaged food giant Dr. August Oetker KG also said they had postponed YouTube spending after their ads were shown to play before the videos. Disney has also withheld its spending, according to people with knowledge of the matter, who asked not to be identified because the decision hasn't been made public."


Posted in Biz & IT, Policy, YouTube | Comments (0)

Google Play apps with >10 million installs drain batteries, jack up data charges

February 21st, 2019

Is your Android phone feeling hot to the touch, acting sluggish, in need of frequent charges, or using dramatically more data than it used to? It may be a victim of DrainerBot, a major fraud operation distributed through Google Play apps with more than 10 million downloads, researchers said Wednesday.

The apps catered to a wide variety of interests, from makeup and beauty to mobile gaming. Under the hood, the apps download hidden video ads to the phones that consume as much as 10GB per month of bandwidth. While the videos are never viewed or visible by anyone, the downloads generate fraudulent advertising revenue each time a legitimate end user device appears to view a video while visiting a spoofed but legitimate publisher site.

“DrainerBot is one of the first major ad fraud operations to cause clear and direct financial harm to consumers,” said Eric Roza, senior vice president and general manager of Oracle Data Cloud, which uncovered the scheme. “DrainerBot-infected apps can cost users hundreds of dollars in unnecessary data charges while wasting their batteries and slowing their devices.”


Posted in ad fraud, Android, apps, Biz & IT, drainerbot | Comments (0)

Forget Airwolf: One of these is the Army’s next assault “helicopter”

February 20th, 2019


The Sikorsky UH-60 Black Hawk and its many variants have been the backbone of the US Army's helicopter force for decades. Designed during the Army's last major helicopter procurement push in the 1980s, the Black Hawk now flies in some form in all of the military services. But its range and speed have become limiting factors in the Army's airborne assault operations. And to add to the problem, the Army lacks a scout helicopter that meets the demands of deployment overseas. The Eurocopter UH-72 Lakota isn't combat-capable, so AH-64 Apaches have had to play the role of armed scouts with the assistance of drones.

As a result, the Army has two separate helicopter procurement programs running for the first time since the Black Hawk and Apache were in the pipeline. The two programs, which emerged from the "capability sets" of the Army's Future Vertical Lift program, seek Black Hawk and Kiowa replacements that are "optionally manned"—meaning that they can fly with or without an aircrew—as well as being easier to maintain and fly than their predecessors.


Posted in apache helicopter, Biz & IT, blackhawk helicopter, drones, helicopter, Policy, US Army, VTOL | Comments (0)

Nasty code-execution bug in WinRAR threatened millions of users for 14 years

February 20th, 2019

WinRAR, a Windows file compression program with 500 million users worldwide, recently fixed a 14-year-old vulnerability that made it possible for attackers to execute malicious code when targets opened a booby-trapped file.

The vulnerability was the result of an absolute path traversal flaw that resided in UNACEV2.DLL, a third-party code library that hasn’t been updated since 2005. The traversal made it possible for archive files to extract to a folder of the archive creator’s choosing, rather than the folder chosen by the person using the program. Because the third-party library doesn’t make use of exploit mitigations such as address space layout randomization, there was little preventing exploits.

Researchers from Check Point Software, the security firm that discovered the vulnerability, initially had trouble figuring out how to exploit the vulnerability in a way that executed code of their choosing. The most obvious path—to have an executable file extracted to the Windows startup folder where it would run on the next reboot—required WinRAR to run with higher privileges or integrity levels than it gets by default.


Posted in Biz & IT, bugs, code execution, exploits, vulnerabilities, WinRar | Comments (0)

Hard-to-detect credential-theft malware has infected 1,200 and is still going

February 20th, 2019

A deceptively simple malware attack has stolen a wide array of credentials from thousands of computers over the past few weeks and continues to steal more, a researcher warned on Tuesday.

The ongoing attack is the latest wave of Separ, a credential stealer that has been known to exist since at least late 2017, a researcher with security firm Deep Instinct said. Over the past few weeks, the researcher said, Separ has returned with a new version that has proven surprisingly adept at evading malware-detection software and services. The source of its success: a combination of short scripts and legitimate executable files that are used so often for benign purposes that they blend right in. Use of spartan malware that's built on legitimate apps and utilities has come to be called "living off the land," and it has been used in a variety of highly effective campaigns over the past few years.

The latest Separ arrives in what appears to be a PDF document. Once clicked, the file runs a chain of other apps and file types that are commonly used by system administrators. An inspection of the servers being used in the campaign shows that it has so far collected credentials belonging to about 1,200 organizations or individuals. The number of infections continues to rise, which indicates that the spartan approach has been effective in helping it fly under the radar.


Posted in Biz & IT, Credential Theft, living off the land, malware, separ | Comments (0)

Inside the DNSpionage hacks that hijack domains at an unprecedented scale

February 18th, 2019

Since the beginning of the year, the US government and private security companies have been warning of a sophisticated wave of attacks that’s hijacking domains belonging to multiple governments and private companies at an unprecedented scale. On Monday, a detailed report provided new details that helped explain how and why the widespread DNS hijackings allowed the attackers to siphon huge numbers of email and other login credentials.

The article, published by KrebsOnSecurity reporter Brian Krebs, said that, over the past few months, the attackers behind the so-called DNSpionage campaign have compromised key components of DNS infrastructure for more than 50 Middle Eastern companies and government agencies. Monday’s article goes on to report that the attackers, who are believed to be based in Iran, also took control of domains belonging to two highly influential Western services—the Netnod Internet Exchange in Sweden and the Packet Clearing House in Northern California. With control of the domains, the hackers were able to generate valid TLS certificates that allowed them to launch man-in-the-middle attacks that intercepted sensitive credentials and other data.

Short for domain name system, DNS acts as one of the Internet’s most fundamental services by translating human-readable domain names into the IP addresses one computer needs to locate other computers over the global network. DNS hijacking works by falsifying the DNS records to cause a domain to point to an IP address controlled by a hacker rather than the domain’s rightful owner. DNSpionage has taken DNS hijacking to new heights, in large part by compromising key services that companies and governments rely on to provide domain lookups for their sites and email servers.


Posted in Biz & IT, DNS hijacking, dnspionage, domain name system | Comments (0)

With elections weeks away, someone “sophisticated” hacked Australia’s politicians

February 18th, 2019
Just over a week after the announcement of a cyber-attack on Australia's Parliament House, the government now says three Australian political parties were also attacked by a "sophisticated state actor." (credit: Getty Images)

With elections just three months away, Australian Prime Minister Scott Morrison announced on February 18 that the networks of the three major national political parties had been breached by what Australian security officials described as a "sophisticated state actor."

The Sydney Morning Herald reports that while the attack bears hallmarks of tools and techniques used by China-sponsored hacking groups in the past, security officials were concerned that the attackers may have used such approaches as part of a "false-flag" attack—like what is believed to have occurred in the case of the "Olympic Destroyer" attack on last year's Winter Olympics in South Korea.

Morrison said that the Australian government had made moves to "ensure the integrity of our electoral system," including instructing the Australian Cyber Security Centre "to be ready to provide any political party or electoral body in Australia with immediate support, including making their technical experts available." Electoral commissions and state and territory security agencies have been briefed on the attacks, and the Cyber Security Centre has also passed along malware samples and other information to "global anti-virus companies," the Prime Minister noted.


Posted in australia, Australian Senate, Biz & IT, china, false flag, Policy | Comments (0)

Electric truck startup announces $700 million funding round led by Amazon

February 17th, 2019
A marketing photo of Rivian's R1T electric pickup truck. (credit: Rivian)

On Friday, electric truck startup Rivian announced a $700 million funding round led by Amazon. The announcement is notable not just for the size of the investment but also due to Amazon's involvement.

The e-commerce giant has made a variety of investments in mobility, and electric trucks and SUVs like the kind Rivian debuted at the Los Angeles Auto Show in November could help the company further its ambitions in that regard.

Rivian's R1T pickup and R1S SUV made a splash at their announcement. The startup is seen as a potential competitor to Tesla, which has promised to develop an all-electric pickup truck in the future. Rivian's trucks are expected to be pricy: the startup is taking pre-orders, and it said in November that, when the R1T and R1S go on sale in late 2020, they'll start at $61,500, and $65,000 after the $7,500 IRS tax credit. (Rivian has sold no trucks to date, so vehicles from that company would still be eligible for the full electric vehicle tax credit. The full tax credit begins to phase out after a company has sold more than 200,000 electric vehicles.)


Posted in amazon, Biz & IT, cars, electric pickup truck, Electric vehicles, Rivian | Comments (0)