Government

Body Camera Study Shows No Effect On Police Use of Force Or Citizen Complaints (npr.org) 19

An anonymous reader quotes a report from NPR: Having police officers wear little cameras seems to have no discernible impact on citizen complaints or officers' use of force, at least in the nation's capital. That's the conclusion of a study performed as Washington, D.C., rolled out its huge camera program. The city has one of the largest forces in the country, with some 2,600 officers now wearing cameras on their collars or shirts. In the wake of high-profile shootings, many police departments have been rapidly adopting body-worn cameras, despite a dearth of solid research on how the technology can change policing. "We need science, rather than our speculations about it, to try to answer and understand what impacts the cameras are having," says David Yokum, director of the Lab @ DC. His group worked with local police officials to make sure that cameras were handed out in a way that let the researchers carefully compare officers who were randomly assigned to get cameras with those who were not. The study ran from June 2015 to last December. It's to be expected that these cameras might have little impact on the behavior of police officers in Washington, D.C., he says, because this particular force went through about a decade of federal oversight to help improve the department.
Android

Google Says 64 Percent of Chrome Traffic On Android Now Protected With HTTPS, 75 Percent On Mac, 66 Percent On Windows (techcrunch.com) 55

An anonymous reader quotes a report from TechCrunch: Google's push to make the web more secure by flagging sites using insecure HTTP connections appears to be working. The company announced today that 64 percent of Chrome traffic on Android is now protected, up 42 percent from a year ago. In addition, over 75 percent of Chrome traffic on both ChromeOS and Mac is now protected, up from 60 percent on Mac and 67 percent on ChromeOS a year ago. Windows traffic is up to 66 percent from 51 percent. Google also notes that 71 of the top 100 websites now use HTTPS by default, up from 37 percent a year ago. In the U.S., HTTPS usage in Chrome is up from 59 percent to 73 percent. Combined, these metrics paint a picture of fairly rapid progress in the switchover to HTTPS. This is something that Google has been heavily pushing by flagging and pressuring sites that hadn't yet adopted HTTPS.
Security

Student Expelled After Using Hardware Keylogger to Hack School, Change Grades (bleepingcomputer.com) 123

Catalin Cimpanu, writing for BleepingComputer: Kansas University (KU) officials have expelled a student for installing a hardware keylogger and using the data acquired from the device to hack into the school's grading system and chang his grades. KU did not release the student's name to the public, but they said the keystroke logging device had been installed on one of the computers in its lecture halls. The student used data collected from the device to change F grades into A grades. Professors said the incident would not have been noticed if the student didn't get greedy about modifications. The hardware device the student used was a run-of-the-mill hardware keylogger that anyone can buy on Amazon or eBay for prices as low as $20. Speaking to local media, various KU professors said they hope not to see any copycats in the near future.
Security

MasterCard Has Finally Realized That Signatures Are Obsolete and Stupid (fastcompany.com) 281

An anonymous reader shares a report: For years, credit card companies have relied on an illegible squiggly line as the frontline of defense against credit card fraud. Customers are forced to use a pen (how retro!) to scrawl their signature on bills at restaurants and sign digitally at cash registers -- as if somehow in the age of chips, PINs, biometrics, and online fraud alerts, a line on a page is still a great tool against fraud prevention. Personally, I have been known to sign on the dotted line with a doodle of a piece of tofu and no one has ever stopped me, because signatures mean very little in this digital age. Companies are finally seeing the light. Starting in April 2018, MasterCard cardholders will no longer be required to sign their name when they purchase something using their debit or credit cards. The company has been moving away from requiring signatures for a few years now, with only about 80% of purchases (typically over a certain dollar amount) requiring a signature these days. MasterCard did some digging, though, and per its press release, realized that most of their customers "believe it would be easier to pay and that checkout lines would move faster if they didn't need to sign when making a purchase."
Facebook

Facebook Security Chief Says Its Corporate Network Is Run 'Like a College Campus' (zdnet.com) 74

An anonymous reader quotes a report from ZDNet: Facebook's security chief has told employees that the social media giant needs to improve its internal security practices to be more akin to a defense contractor, according to a leaked recording obtained by ZDNet. Alex Stamos made the comments to employees at a late-July internal meeting where he argued that the company had not done enough to respond to the growing threats that the company faces, citing both technical challenges and cultural issues at the company. "The threats that we are facing have increased significantly and the quality of the adversaries that we are facing," he said. "Both technically and from a cultural perspective I don't feel like we have caught up with our responsibility. The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost," he said.
China

Apple Watch's LTE Suspended In China Possibly Due To Government Security Concerns (appleinsider.com) 18

The Apple Watch Series 3's best new feature has been mysteriously blocked in China. According to a report from The Wall Street Journal, China has cut off the Apple Watch's LTE connectivity on Sept. 28 after brief availability from China Unicom. Industry analysts claim that the suspension is probably from governmental concerns about not being able to track and confirm users of the device. AppleInsider reports: Apple issued a brief statement confirming the situation, and referring customers to China Unicom. Neither China Unicom, nor Chinese regulators have made any statement on the matter. The issue may stem from the eSIM in the Apple Watch. Devices like the iPhone have state-owned telecom company-issued SIM cards -- and the eSIM is embedded in the device by Apple. "The eSIM (system) isn't mature enough yet in China," one analyst said. "The government still needs to figure out how they can control the eSIM." The LTE version of the Apple Watch had only a trial certificate to operate on the Chinese LTE network. An analyst who asked not to be identified expects that Ministry of Industry and Information Technology may take months to figure out how the government will deal with the eSIM, and issue a formal certificate for operation.
Canada

Canada's 'Super Secret Spy Agency' Is Releasing a Malware-Fighting Tool To the Public (www.cbc.ca) 66

Matthew Braga, reporting for CBC News: Canada's electronic spy agency says it is taking the "unprecedented step" of releasing one of its own cyber defence tools to the public, in a bid to help companies and organizations better defend their computers and networks against malicious threats. The Communications Security Establishment (CSE) rarely goes into detail about its activities -- both offensive and defensive -- and much of what is known about the agency's activities have come from leaked documents obtained by U.S. National Security Agency whistleblower Edward Snowden and published in recent years. But as of late, CSE has acknowledged it needs to do a better job of explaining to Canadians exactly what it does. Today, it is pulling back the curtain on an open-source malware analysis tool called Assemblyline that CSE says is used to protect the Canadian government's sprawling infrastructure each day. "It's a tool that helps our analysts know what to look at, because it's overwhelming for the number of people we have to be able to protect things," Scott Jones, who heads the agency's IT security efforts, said in an interview with CBC News. On the one hand, open sourcing Assemblyline's code is a savvy act of public relations, and Jones readily admits the agency is trying to shed its "super secret spy agency" reputation in the interest of greater transparency.
Security

Targeted Fuzzing Is Improving Linux Security, Linus Torvalds Says (iu.edu) 62

On the sidelines of announcing the fifth release candidate for the Linux kernel version 4.14, Linus Torvalds said fuzzing, which involves stress testing a system by generating random code to induce errors, is helping the community find and fix a range of security vulnerabilities. He wrote: The other thing perhaps worth mentioning is how much random fuzzing people are doing, and it's finding things. We've always done fuzzing (who remembers the old "crashme" program that just generated random code and jumped to it? We used to do that quite actively very early on), but people have been doing some nice targeted fuzzing of driver subsystems etc, and there's been various fixes (not just this last week either) coming out of those efforts. Very nice to see.
Chrome

Google Engineers Explore Ways To Stop In-Browser Cryptocurrency Miners in Chrome (bleepingcomputer.com) 184

An anonymous reader writes: Google Chrome engineers are considering adding a special browser permission that will thwart the rising trend of in-browser cryptocurrency miners. Discussions on the topic of in-browser miners have been going on the Chromium project's bug tracker since mid-September when Coinhive, the first such service, launched. "Here's my current thinking," Ojan Vafai, a Chrome engineering working on the Chromium project, wrote in one of the recent bug reports. "If a site is using more than XX% CPU for more than YY seconds, then we put the page into 'battery saver mode' where we aggressively throttle tasks and show a toast [notification popup] allowing the user to opt-out of battery saver mode. When a battery saver mode tab is backgrounded, we stop running tasks entirely. I think we'll want measurement to figure out what values to use for XX and YY, but we can start with really egregious things like 100% and 60 seconds. I'm effectively suggesting we add a permission here, but it would have unusual triggering conditions [...]. It only triggers when the page is doing a likely bad thing."

An earlier suggestion had Google create a blacklist and block the mining code at the browser level. That suggestion was shut down as being too impractical and something better left to extensions.

EU

EU: No Encryption Backdoors But, Let's Help Each Other Crack That Crypto (theregister.co.uk) 81

The European Commission has proposed that member states help each other break into encrypted devices by sharing expertise around the bloc. From a report: In an attempt to tackle the rise of citizens using encryption and its effects on solving crimes, the commission decided to sidestep the well-worn, and well-ridiculed, path of demanding decryption backdoors in the stuff we all use. Instead, the plans set out in its antiterrorism measures on Wednesday take a more collegiate approach -- by offering member states more support when they actually get their hands on an encrypted device. "The commission's position is very clear -- we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon," security commissioner Julian King told a press briefing. "We're trying to move beyond a sometimes sterile debate between backdoors or no backdoors, and address some of the concrete law enforcement challenges. For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device." [...] Share the wealth. "Some member states are more equipped technically to do that [extract information from a seized device] than others," King said. "We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer."
Businesses

Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) 350

From a report: Multiple U.S. security consultants and other industry sources tell The Daily Beast customers are dropping their use of Kaspersky software all together, particularly in the financial sector, likely concerned that Russian spies can rummage through their files. Some security companies are being told to only provide U.S. products. And former Kaspersky employees describe the firm as reeling, with department closures and anticipation that researchers will jump ship soon. "We are under great pressure to only use American products no matter the technical or performance consequences," said a source in a cybersecurity firm which uses Kaspersky's anti-virus engine in its own services. The Daily Beast granted anonymity to some of the industry sources to discuss internal deliberations, as well as the former Kaspersky employees to talk candidly about recent events.
Security

Ask Slashdot: What Are Ways To Get Companies To Actually Focus On Security? 158

New submitter ctilsie242 writes: Many years ago, it was said that we would have a "cyber 9/11," a security event so drastic that it fundamentally would change how companies and people thought about security. However, this has not happened yet (mainly because the bad guys know that this would get organizations to shut their barn doors, stopping the gravy train.) With the perception that security has no financial returns, coupled with the opinion that "nobody can stop the hackers, so why even bother," what can actually be done to get businesses to have an actual focus on security. The only "security" I see is mainly protection from "jailbreaking," so legal owners of a product can't use or upgrade their devices. True security from other attack vectors are all but ignored. In fact, I have seen some development environments where someone doing anything about security would likely get the developer fired because it took time away from coding features dictated by marketing. I've seen environments where all code ran as root or System just because if the developers gave thought to any permission model at all, they would be tossed, and replaced by other developers who didn't care to "waste" their time on stuff like that.

One idea would be something similar to Underwriters Labs, except would grade products, perhaps with expanded standards above the "pass/fail" mark, such as Europe's "Sold Secure," or the "insurance lock" certification (which means that a security device is good enough for insurance companies to insure stuff secured by it.) There are always calls for regulation, but with regulatory capture being at a high point, and previous regulations having few teeth, this may not be a real solution in the U.S. Is our main hope the new data privacy laws being enacted in Europe, China, and Russia, which actually have heavy fines as well as criminal prosecutions (i.e. execs going to jail)? This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism. Is there something that can actually be done about the general disinterest by companies to make secure products, or is this just the way life is now?
Security

The Internet Is Ripe With In-Browser Miners and It's Getting Worse Each Day (bleepingcomputer.com) 354

Catalin Cimpanu, reporting for BleepingComputer: Ever since mid-September, when Coinhive launched and the whole cryptojacking frenzy started, the Internet has gone crazy with in-browser cryptocurrency miners, and new sites that offer similar services are popping up on a weekly basis. While one might argue that mining Monero in a site's background is an acceptable alternative to viewing intrusive ads, almost none of these services that have recently appeared provide a way to let users know what's happening, let alone a way to stop mining behavior. In other words, most are behaving like malware, intruding on users' computers and using resources without permission. [...] Bleeping Computer spotted two new services named MineMyTraffic and JSEcoin, while security researcher Troy Mursch also spotted Coin Have and PPoi, a Coinhive clone for Chinese users. On top of this, just last night, Microsoft spotted two new services called CoinBlind and CoinNebula, both offering similar in-browser mining services, with CoinNebula configured in such a way that users couldn't report abuse. Furthermore, none of these two services even have a homepage, revealing their true intentions to be deployed in questionable scenarios.
Businesses

"Maybe It's a Piece of Dust" (theoutline.com) 518

An anonymous reader shares a report: I was in the Grand Central Station Apple Store for a third time in a year, watching a progress bar slowly creep across my computer's black screen as my Genius multi-tasked helping another customer with her iPad. My computer was getting its third diagnostic test in 45 minutes. The problem was not that its logic board was failing, that its battery was dying, or that its camera didn't respond. There were no mysteriously faulty innerworkings. It was the spacebar. It was broken. And not even physically broken -- it still moved and acted normally. But every time I pressed it once, it spaced twice. "Maybe it's a piece of dust," the Genius had offered. The previous times I'd been to the Apple Store for the same computer with the same problem -- a misbehaving keyboard -- Geniuses had said to me these exact same nonchalant words, and I had been stunned into silence, the first time because it seemed so improbable to blame such a core problem on such a small thing, and the second time because I couldn't believe the first time I was hearing this line that it was not a fluke. But this time, the third time, I was ready. "Hold on," I said. "If a single piece of dust lays the whole computer out, don't you think that's kind of a problem?"
Government

'Significant' Number of Equifax Victims Already Had Info Stolen, Says IRS (thehill.com) 105

An anonymous reader quotes a report from The Hill: The IRS does not expect the Equifax data breach to have a major effect on the upcoming tax filing season, Commissioner John Koskinen said Tuesday, adding that the agency believes a "significant" number of the victims already had their information stolen by cyber criminals. "We actually think that it won't make any significantly or noticeable difference," Koskinen told reporters during a briefing on the agency's data security efforts. "Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals." The IRS estimates that more than 100 million Americans have had their personally identifiable information stolen by criminal hackers, he said.

The Equifax breach disclosed in early September is estimated to have affected more than 145 million U.S. consumers. "It's an important reminder to the public that everyone can take any actions that they can ... to make sure we can do everything we can to protect personal information," Koskinen said of the breach on Tuesday, in response to a reporter's question. The IRS commissioner advised Americans to "assume" their data is already in the hands of criminals and "act accordingly."

Piracy

Netflix, Amazon, Movie Studios Sue Over TickBox Streaming Device (arstechnica.com) 130

Movies studios, Netflix, and Amazon have teamed up to file a lawsuit against a streaming media player called TickBox TV. The device in question runs Kodi on top of Android 6.0, and searches the internet for streams that it can make available to users without actually hosting any of the content itself. An anonymous reader quotes a report from Ars Technica: The complaint (PDF), filed Friday, says the TickBox devices are nothing more than "tool[s] for mass infringement," which operate by grabbing pirated video streams from the Internet. The lawsuit was filed by Amazon and Netflix Studios, along with six big movie studios that make up the Motion Picture Association of America: Universal, Columbia, Disney, Paramount, 20th Century Fox, and Warner Bros.

"What TickBox actually sells is nothing less than illegal access to Plaintiffs' copyrighted content," write the plaintiffs' lawyers. "TickBox TV uses software to link TickBox's customers to infringing content on the Internet. When those customers use TickBox TV as Defendant intends and instructs, they have nearly instantaneous access to multiple sources that stream Plaintiffs' Copyrighted Works without authorization." The device's marketing materials let users know the box is meant to replace paid-for content, with "a wink and a nod," by predicting that prospective customers who currently pay for Amazon Video, Netflix, or Hulu will find that "you no longer need those subscriptions." The lawsuit shows that Amazon and Netflix, two Internet companies that are relatively new to the entertainment business, are more than willing to join together with movie studios to go after businesses that grab their content.

Open Source

Companies Overlook Risks in Open Source Software, Survey Finds (betanews.com) 131

An anonymous reader shares a report: Open source code helps software suppliers to be nimble and build products faster, but a new report reveals hidden software supply chain risks of open source that all software suppliers and IoT manufacturers should know about. The recent Equifax breach for example exploited a vulnerability in a widely used open source web framework, Apache Struts, and the study by software monetization specialist Flexera points out that as much as 50 percent of code in commercial and IoT software products is open source. "We can't lose sight that open source is indeed a clear win. Ready-to-go code gets products out the door faster, which is important given the lightning pace of the software space," says Jeff Luszcz, vice president of product management at Flexera. "However, most software engineers don't track open source use, and most software executives don't realize there's a gap and a security/compliance risk." Flexera surveyed 400 software suppliers, Internet of Things manufacturers and in-house development teams. It finds only 37 percent of respondents to the survey have an open source acquisition or usage policy, while 63 percent say either their companies either don't have a policy, or they don't know if one exists. Worryingly, of the 63 percent who say their companies don't have an open source acquisition or usage policy, 43 percent say they contribute to open source projects. There is an issue over who takes charge of open source software too. No one within their company is responsible for open source compliance, or they don't know who is, according to 39 percent of respondents.
Google

'Google Just Made Gmail the Most Secure Email Provider on the Planet' (vice.com) 197

Google announced on Tuesday that it would offer stronger online security for "high risk" users who may be frequent targets of online attacks. The company said anyone with a personal Google account can enroll in the new "advanced protection," while noting that it will require users to "trade off a bit of convenience" for extra security. Motherboard reports: The main advantage in terms of security is the need for a key or token to log in as the second factor, instead of a code sent via SMS or via app. This is much better because there's no way for hackers to steal or phish this key from afar (there have been isolated incidents of hackers using social engineering to gain access to someone's cell phone number by getting the provider to issue a new SIM card, for instance). Thanks to these new features, Gmail is now the most secure email provider available on the internet if you are worried about hackers breaking into your private correspondence. "This is a major step in the right direction in offering the same kind of protection available to high-profile figures to everyday people," Kenneth White, a Washington D.C. based security consultant to federal agencies, told Motherboard. "They have really thought this through, and while it may not make sense for everyone, for those that need it, it's a much needed option."
Microsoft

Microsoft Responded Quietly After Detecting Secret Database Hack in 2013 (reuters.com) 46

Citing five former employees, Reuters reported on Tuesday that Microsoft's secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago. From the report: The company did not disclose the extent of the attack to the public or its customers after its discovery in 2013, but the five former employees described it to Reuters in separate interviews. Microsoft declined to discuss the incident. The database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system. Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins. The Microsoft flaws were fixed likely within months of the hack, according to the former employees. Yet speaking out for the first time, these former employees as well as U.S. officials informed of the breach by Reuters said it alarmed them because the hackers could have used the data at the time to mount attacks elsewhere, spreading their reach into government and corporate networks. "Bad guys with inside access to that information would literally have a 'skeleton key' for hundreds of millions of computers around the world," said Eric Rosenbach, who was U.S. deputy assistant secretary of defense for cyber at the time.
Technology

The Impossible Dream of USB-C (marco.org) 338

Marco Arment, a prominent developer best known for co-founding Tumblr, explains things that are still crippling USB-C, despite being around for years and being used in mainstream products. Arment writes: While a wide variety of USB-C dongles are available, most use the same handful of unreliable, mediocre chips inside. Some USB-A dongles make Wi-Fi drop on MacBook Pros. Some USB-A devices don't work properly when adapted to USB-C, or only work in certain ports. Some devices only work when plugged directly into a laptop's precious few USB-C ports, rather than any hubs or dongles. And reliable HDMI output seems nearly impossible in practice. Very few hubs exist to add more USB-C ports, so if you have more than a few peripherals, you can't just replace all of their cables with USB-C versions. You'll need a hub that provides multiple USB-A ports instead, and you'll need to keep your USB-A cables for when you're plugged into the hub -- but also keep USB-C cables or dongles around for everything you might ever need to plug directly into the computer's ports. Hubs with additional USB-C ports might pass Thunderbolt through to them, but usually don't. Sometimes, they add a USB-C port that can only be used for power passthrough. Many hubs with power passthrough have lower wattage limits than a 13-inch or 15-inch laptop needs. Fortunately, USB-C is a great charging standard. Well, it's more of a collection of standards. USB-C devices can charge via the slow old USB rates, but for higher-powered devices or faster charging, that's not enough current.

Slashdot Top Deals