
Cisco Finds Backdoor Installed On 12 Million PCs (securityweek.com) 62

Reader wiredmikey writes: Security researchers at Cisco have come across a piece of software that installed backdoors on 12 million computers around the world. Researchers determined that the application, installed with administrator rights, was capable not only of downloading and installing other tools, such as a known scareware called System Healer, but also of harvesting personal information. The software, which exhibits adware and spyware capabilities, was developed by a French online advertising company called Tuto4PC. The "features" have led Cisco Talos to classify the Tuto4PC software as a "full backdoor capable of a multitude of undesirable functions on the victim machine." Tuto4PC said its network consisted of nearly 12 million PCs in 2014, which could explain why Cisco's systems detected the backdoor on 12 million devices. An analysis of a sample set revealed infections in the United States, Australia, Japan, Spain, the UK, France and New Zealand. Tuto4PC has received flak from many over the years, including French regulators.

American Samoa Domain Registry Was Exposing Client Data Since the Mid-1990s (softpedia.com) 17

An anonymous reader quotes a report from Softpedia: A British security researcher that goes online only by the name of InfoSec Guy revealed today that American Samoa domain registry ASNIC was using an outdated domain name management system that contained a bug allowing anyone to view the personal details of any .as domain owner. The researcher also claims that anyone knowing of this bug would have been able to edit and delete any .as domain, just by altering the ASNIC domain info URL. Some of the big brands that own .as domains include Opera, Flickr, Twitter, McDonald's, British Gas, Bose, Adidas, the University of Texas, and many link shortening services. This flawed system has been online since the mid-1990s. The researcher contacted ASNIC after discovering the flaw at the end of January 2016, but email exchanges with the domain registry were scarce and confusing, with the registry issuing a statement today denying the incident and calling the allegations "inaccurate, misleading and sexed-up to the max," after previously acknowledging and fixing the security flaws.

House Passes Email Privacy Act, Requiring Warrants For Obtaining Emails (techcrunch.com) 56

An anonymous reader quotes a report from TechCrunch: The U.S. House of Representatives has passed H.R. 699, the Email Privacy Act, sending it on to the Senate and from there, hopefully anyhow, to the President. The yeas were swift and unanimous. The bill, which was introduced in the House early last year and quickly found bipartisan support, updates the 1986 Electronic Communications Privacy Act, closing a loophole that allowed emails and other communications to be obtained without a warrant. It's actually a good law, even if it is arriving a couple of decades late. "Under current law, there are more protections for a letter in a filing cabinet than an email on a server," said Congresswoman Suzan Delbene during the debate period. An earlier version of the bill also required that authorities disclose that warrant to the person it affected within 10 days, or 3 if the warrant related to a government entity. That clause was taken out in committee -- something trade groups and some of the Representatives objected to as an unpleasant compromise.

Former Tor Developer Created Malware To Hack Tor Users For The FBI (dailydot.com) 72

Patrick O'Neill writes: Matt Edman is a cybersecurity expert who worked as a part-time employee at Tor Project, the nonprofit that builds Tor software and maintains the network, almost a decade ago. Since then, he's developed potent malware used by law enforcement to unmask Tor users. It's been wielded in multiple investigations by federal law-enforcement and U.S. intelligence agencies in several high-profile cases. The Tor Project has confirmed this report in a statement after being contacted by the Daily Dot, "It has come to our attention that Matt Edman, who worked with the Tor Project until 2009, subsequently was employed by a defense contractor working for the FBI to develop anti-Tor malware." Maybe Tor users will now be less likely to anonymously check Facebook each month...

There Will Be A Huge New 'Panama Papers' Data Dump (businessinsider.com) 107

An anonymous reader writes: The International Consortium of Investigative Journalists said in an email that on May 9 it would "publish what will likely be the largest-ever release of information about secret offshore companies and the people behind them," based on data from the Panama Papers investigation. "The searchable database will include information about more than 200,000 companies, trusts, foundations, and funds incorporated in 21 tax havens, from Hong Kong to Nevada in the United States." The ICIJ said in the email, "The impact of Panama Papers has been epic." The investigation has caused Icelandic Prime Minister Sigmundur David Gunnlaugsson to resign following revelations about his personal finances. It has caused Putin to point fingers at the West, accusing the U.S. of trying to weaken Russia. It has even created drama in the UK with calls for Prime Minister David Cameron to resign after his connections to offshore companies became evident. In addition, the ICIJ said, "[The Panama Papers investigation] sparked a new sense of urgency among lawmakers and regulators to close loopholes and make information about the owners of shell companies public."

A Complete Guide To The New 'Crypto Wars' (dailydot.com) 68

blottsie writes: The latest debate over encryption did not begin with a court order demanding Apple help the FBI unlock a dead terrorist's iPhone. The new "Crypto Wars," chronicled in a comprehensive timeline by Eric Geller of the Daily Dot, dates back to at least 2003, with the introduction of "Patriot Act II." The battle over privacy and personal security versus crime-fighting and national security has, however, become a mainstream debate in recent months. The timeline covers a wide range of incidents where the U.S. and other allied governments have tried to restrict citizens' access to strong encryption. The timeline ends with the director of national intelligence blaming NSA whistleblower Edward Snowden for advancing the spread of user-friendly, widely available strong encryption.

Symantec: Cruz and Kasich Campaign Apps May Expose Sensitive Data (go.com) 32

An anonymous reader writes: Apps released by the campaigns of Republican presidential contenders Ted Cruz and John Kasich have the potential for hackers to access users' personal information. According to an independent analysis by Symantec, the "Cruz Crew" app could allow third parties to capture a phone's unique identifying number and other personal information while the Kasich 2016 app could expose users' location data and information about other apps installed on the phones. First it was Veracode that reported potential vulnerabilities with the apps, now it's Symantec. Apparently the Cruz campaign updated its app to resolve the issues after the Veracode report was released. Kasich spokesman Rob Nichols said the security experts didn't know what they were talking about. Both campaigns have yet to respond to the latest Symantec analysis. Neither security firm found any issues in the app released by the campaign of Democrat Bernie Sanders. Republican Donald Trump and Democrat Hillary Clinton do not have campaign apps.

US Wants Its Own Secure and Self-Destructing Messaging App -- And It's Willing to Pay (bloomberg.com) 83

Long time reader schwit1 writes: The Defense Advanced Research Projects Agency (DARPA), an agency within the Department of Defense historically known for creating the Internet itself, has published a call for companies to submit proposals to build a robust messaging platform that the military could use for secure communication of everything from intelligence to procurement contracts. "Troops on the ground in denied communications environments would have a way to securely communicate back to HQ and DoD back office executives could rest assured that their logistics system is efficient, timely and safe from hackers," according to the DARPA proposal. The request for proposals, reported earlier by the UK's Telegraph outlet, also says that the messaging platform should incorporate a customized blockchain, the distributed ledger technology that underpins the digital currency bitcoin, for recording messages and contract information. The proposal says such a distributed ledger would allow the military to conduct its business in a more efficient and secure fashion. Motherboard's Lorenzo Franceschi-Bicchierai reports that DARPA is willing to pay people to make this app. "This project falls under the rules of the Small Business Technology Transfer (STTR) program. During the first phase, according to the program's rules, successful applicants might be awarded no more than $150,000 for one year. The companies and researchers who are part of phase one can then be eligible for a phase two award of up to $1 million for two years. Lastly, during phase three, the company or companies can pursue commercialization, and receive no funds from the federal government."

Spy Chief Complains That Edward Snowden Sped Up Spread of Encryption By 7 Years (theintercept.com) 242

An anonymous reader cites an article on The Intercept: The director of national intelligence on Monday blamed NSA whistleblower Edward Snowden for advancing the development of user-friendly, widely available strong encryption. "As a result of the Snowden revelations, the onset of commercial encryption has accelerated by seven years," James Clapper said. The shortened timeline has had "a profound effect on our ability to collect, particularly against terrorists," he said. When pressed by The Intercept to explain his figure, Clapper said it came from the National Security Agency. "The projected growth maturation and installation of commercially available encryption -- what they had forecasted for seven years ahead, three years ago, was accelerated to now, because of the revelation of the leaks." Asked if that was a good thing, leading to better protection for American consumers from the arms race of hackers constantly trying to penetrate software worldwide, Clapper answered no. "From our standpoint, it's not ... it's not a good thing," he said. "Of all the things I've been accused of," Snowden said, "this is the one of which I am most proud."

Over 1M BeautifulPeople Dating Site User Details Leak Online (thenextweb.com) 50

An anonymous reader writes: Personal information of over one million users stored by popular dating site BeautifulPeople has leaked, and is now accessible online. We already knew that BeautifulPixel.com was hacked (it happened in November 2015), but this is the first confirmation from a security researcher that the details are legitimate. (BeautifulPeople had downplayed it at the time, saying that it was a staging server, and not a production server, that was hacked.) Security researcher Troy Hunt, citing a source, noted that the data has been sold online. The leaked personal information includes email addresses, phone numbers, as well as hair color, weight, job and other details. Troy also noted that of the 1.1 million users' details, 170 of them have government email addresses. Some of you may remember BeautifulPixel as the creator of the "Shrek" virus.

'I Hacked Facebook -- and Found Someone Had Beaten Me To It' (theregister.co.uk) 51

An anonymous reader shares an article on The Register: A bug bounty hunter compromises a Facebook staff server through a sloppy file-sharing webapp -- and finds someone's already beaten him to it by backdooring the machine. The pseudo-anonymous penetration tester Orange Tsai, who works for Taiwan-based outfit Devcore, banked $10,000 from Facebook in February for successfully drilling into the vulnerable system. According to Tsai, he or she stumbled across malware installed by someone else that was stealing usernames and passwords of FB employees who logged into the machine. The login credentials were siphoned off to an outside computer. According to Facebook security engineer Reginaldo Silva, the password-slurping malware was installed by another security researcher who had earlier poked around within Facebook's system in an attempt to snag a bug bounty.

Spy Chief Pressed For Number Of Americans Ensnared In Data Espionage (reuters.com) 34

Dustin Volz, reporting for Reuters: U.S. lawmakers are pressing the nation's top intelligence official to estimate the number of Americans ensnared in email surveillance and other such spying on foreign targets, saying the information was needed to gauge possible reforms to the controversial programs. Eight Democrats and six Republicans made the request to Director of National Intelligence James Clapper in a letter seen by Reuters on Friday, reflecting the continued bipartisan concerns over the scope of U.S. data espionage. "You have willingly shared information with us about the important and actionable intelligence obtained under these surveillance programs," wrote the lawmakers, all members of the U.S. House of Representatives' Judiciary Committee. "Now we require your assistance in making a determination that the privacy protections in place are functioning as designed." They requested that Clapper provide the information about data collected under a statute, known as Section 702, by May 6.

MongoDB Config Error Exposed 93M Mexican Voter Records (csoonline.com) 69

An anonymous reader cites an article on CSOOnline: A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken offline. The database sat exposed to the public for at least eight days after its discovery by researcher Chris Vickery, but originally went public in September 2015. Vickery, who works as a security researcher at Kromtech, discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon's AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success. The database contains all of the information that Mexican citizens need for their government-issued photo IDs that enable them to vote. Along with their municipality, and district information, the database records include the voter's name, address, voter ID number, date of birth, the names of their parents, occupation, and more. [...] Given that the database has been online since September 2015, it isn't clear how many people have accessed the records. Additionally, the actual owner of the account hosting the data remains unknown.

$10 Router, No Firewall Blamed In $80M Bangladesh Bank Hack (reuters.com) 96

Earlier this year, a spelling mistake in an online bank transfer prevented a nearly $1 billion heist at Bangladesh's central bank and the New York Fed. The hackers, however, still managed to steal about $80 million. The Bangladesh government blamed the New York Fed for not spotting the suspicious transactions earlier. As it turns out, they should also be taking some blame, if not all. An anonymous reader writes: Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world's biggest cyber heists said. The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank's SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department.

UK Intel Agencies Have Been Spying on Millions of People 'Of No Security Interest' Since 1990s (arstechnica.com) 101

The UK's intelligence agencies such as MI5, MI6, and GCHQ have been collecting personal information from citizens who are "unlikely to be of intelligence or security interest" since the 1990s, a thousand pages of documents published on Thursday revealed. The documents were published as a result of a lawsuit filed by Privacy International, a UK-based registered charity that defends and promotes the right to privacy across the world. According to the documents, GCHQ and others have been collecting bulk personal data sets since 1998 under the provisions of section 94 of the Telecommunications Act 1984. J.M. Porup reports for Ars Technica: These records can be "anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data, and commercial activities," Privacy International legal officer Millie Graham Wood said in a statement. "The information revealed by this disclosure shows the staggering extent to which the intelligence agencies hoover up our data." Nor, it seems, are BPDs only being used to investigate terrorism and serious crime; they can and are used to protect Britain's "economic well-being" -- including preventing pirate copies of Harry Potter books from leaking before their release date. The so-called "Bulk Personal Datasets," or BPDs are so powerful, in fact, that the normally toothless UK parliament watchdog that oversees intelligence gathering, the Intelligence and Security Committee (ISC), recommended in February that "Class Bulk Personal Dataset warrants are removed from the new legislation." These data sets are so large and collect so much information so indiscriminately that they even include information on dead people.

Child Porn Is Being Hidden on Legal Commercial Websites (theguardian.com) 92

People who visit porn websites or search for adult pornography on the Web are facing the risk of being arrested for accessing child abuse images. The Internet Watch Foundation is warning that vicious minds are increasingly hiding criminal content on legal commercial websites, according to a report on The Guardian. The IWF found 743 websites in 2015, compared with 353 in 2013, in which child sexual abuse content was hosted on legal porn websites, and could be accessed if a special link was requested. From the report: "It has really started to become an accepted practice for the commercial side of the paedophilic community because this obfuscation technique is more effective at keeping its content live for longer," said Fred Langford, chief executive of the UK charity. Last year, the IWF found that 21% of the webpages containing illegal images and videos were commercial and those seeking to profit from the abuse were increasingly disguising it behind legal content, usually adult pornography. Langford said the trend raised the risk that people searching for adult pornography could unwittingly access child abuse images on disguised websites.

Opera Adds Free VPN-Client With Unlimited Usage To Its Desktop Browser 101

On Thursday, Opera announced that it is adding a free built-in virtual private network (VPN) client to its desktop browser. The feature, which isn't available on other popular Web browsers, will allow users to hide their IP address, unblock firewalls and access region-locked content. It will also help users protect their personal information on public Wi-Fi networks as it offers 256-bit encryption. "Everyone deserves to be private online if they want to be," Krystian Kolondra, SVP at Opera told Slashdot in a statement. "By adding a free, unlimited VPN directly into the browser, no additional download or extensions from an unknown third-party provider are necessary."

The move comes a year after Opera acquired North American VPN company SurfEasy. Unlike Chrome and Firefox, which require you to use an additional third-party tool (such as an extension), Opera's VPN offering is baked in the browser. What's more, it is free and offers unlimited usage. The feature is available on Opera's Mac, Windows, and Linux clients.

Changes Are Coming To the EU's Cookie Directive, But It's Not Going Away (softpedia.com) 120

An anonymous reader writes: The European Commission is listening to suggestions regarding EU laws on privacy and electronic communications (e-Privacy), among which is also the EU Cookie Directive that has made the lives of EU Internet users a living hell. The EU Commission has started an open consultation on this topic and is inviting users and businesses to provide their opinion. From the consultation's text, which is nothing more than a survey, one could argue that the EU isn't intent on removing the directive at all, but only making small adjustments. In its current implementation, most companies ask users if they're OK with storing cookies on their PCs and then collecting their data. One of the questions the Commission asked and is currently looking for an answer is whether companies should be allowed to deny users access to a website if they don't want to accept using cookies. The EU wants Internet companies to build alternative (usable) websites for people that don't want to use cookies at all, and so respect their decision for privacy.

Google Records Over 750,000 'Hijacking' Breaches In One Year (nbcnews.com) 11

An anonymous reader writes: A new study by Google and the University of California, Berkeley, claims over 700,000 websites were breached between June 2014 and June 2015. The research shows that "miscreants" had routinely hijacked thousands of vulnerable web servers for "cheap hosting and traffic acquisition." The exact number of recorded "hijacking incidents" within the period was 760,935, but Google has said they were able to curb the amount of breaches through direct communication with webmasters. Google's Safe Browsing Alerts sends notifications to network admins when potentially dangerous URLs are detected on their networks. These have reportedly increased the likelihood of a "cleanup" by more than 50 percent and reduced "infection lengths" by at least 62 percent. According to The Next Web, WordPress topped the chart of platforms that experienced the most breaches (almost half of all attacks). English websites experienced the most attacks, with Chinese, German, Japanese and Russian language websites following closely behind.

Can Switzerland Become a Safe Haven For the World's Data? (dailydot.com) 103

An anonymous reader shares an interesting article on Daily Dot which lists a number of reasons why Switzerland should be deemed as the nation for storing all of your data. The article reads: As United States and European Union regulators debate a sweeping new data-privacy agreement, Switzerland is presenting itself as a viable neutral location for storing the world's data thanks to strict privacy laws and ideal infrastructure. The Swiss constitution guarantees data privacy under Article 13. The country's laws protecting privacy are similar to those enacted by the E.U. Swiss data protections are also, in some cases, much stricter than those of the E.U., according to Nicola Benz, attorney at Swiss law firm Froriep. And since Switzerland is not part of the E.U., data stored there remains outside the reach of the union's authorities. [...] The country's tight privacy laws could make the small nation more attractive to privacy-focused start-ups. And it already has that momentum. After the former NSA contractor Edward Snowden's 2013 revelations about the National Security Agency's secret surveillance activities, Switzerland witnessed something of a boom in its data-center business. Phil Zimmermann, creator of the popular PGP encryption protocol and founder of Silent Circle, even left the U.S. for Switzerland last year, citing the overreach of American authorities. Andy Yen, CEO of Swiss-based encrypted email service Protonmail, said that the country has robust processes in how it carries out data requests from authorities. Data requests have to go through a court like in most countries, said Yen, but "the person that's having their data requested needs to be notified eventually about the request happening and there's an opportunity to fight it in an open court. This is quite different than the U.S., where things can go through a so-called FISA court."
