Java

Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard (softpedia.com)

An anonymous reader writes: "It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands," writes Softpedia. "This type of attack is known as clipboard hijacking, and in most scenarios, is useless, except when the user copies something inside their terminal." Security researcher Dylan Ayrey published a new version of this attack last week, which uses only JavaScript as the attack medium, giving the attack more versatility and making it easier to carry out. The attack is called Pastejacking and it uses JavaScript to theoretically allow attackers to add their malicious code to the entire page to run commands behind a user's back when they paste anything inside the console. "The attack can be deadly if combined with tech support or phishing emails," writes Softpedia. "Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them."
Security

Elderly Use More Secure Passwords Than Millennials, Says Report (qz.com)

An anonymous reader writes from a report via Quartz: A report released May 24 by Gigya surveyed 4,000 adults in the U.S. and U.K. and found that 18- to 34-year-olds are more likely to use bad passwords and report their online accounts being compromised. The majority of respondents ages 51 to 69 say they completely steer away from easily cracked passwords like "password," "1234," or birthdays, while two-thirds of those in the 18-to-34 age bracket were caught using those kinds of terms. Quartz writes, "The diligence of the older group could help explain why 82% of respondents in this age range did not report having had any of their online accounts compromised in the past year. In contrast, 35% of respondents between 18 and 34 said at least one of their accounts was hacked within the last 12 months, twice the rate of those aged 51 to 69."
The Internet

Hacker Phineas Fisher is Trying To Start a 'Hack Back' Political Movement (vice.com)

An anonymous reader writes: The hacker who breached Hacking Team and FinFisher is trying to get more people to "hack back" and fight "the system." For some, thanks to his targeted attacks and sophisticated political views, Phineas Fisher is quickly becoming the most influential hacktivist of the last few years. In response to his most recent hack where he released a 39-minute how-to video showing how to strip data from targeted websites, specifically a website of the Catalan police union, Phineas Fisher told Motherboard, "Everything doesn't have to be big. I wanted to strike a small blow at the system, teach a bit of hacking with the video, and inspire people to take action." Biella Coleman, professor at McGill University in Montreal, believes Phineas Fisher has a good chance of inspiring a new generation of hacktivists and "setting the stage for other hackers to follow in his footsteps." She says he has been better at choosing targets and justifying his actions with more rounded and sophisticated political and ethical views than Anonymous and LulzSec-inspired hackers. Phineas Fisher told Motherboard, "I don't want to be the lone hacker fighting the system. I want to inspire others to take similar action, and try to provide the information so they can learn how."
Government

FBI Wants Biometric Database Hidden From Privacy Act (onthewire.io)

Trailrunner7 quotes a report from onthewire.io: The FBI is working to keep information contained in a key biometric database private and unavailable, even to people whose information is contained in the records. The database is known as the Next Generation Identification System (NGIS), and it is an amalgamation of biometric records accumulated from people who have been through one of a number of biometric collection processes. That could include convicted criminals, anyone who has submitted records to employers, and many other people. The NGIS also has information from agencies outside of the FBI, including foreign law enforcement agencies and governments. Because of the nature of the records, the FBI is asking the federal government to exempt the database from the Privacy Act, making the records inaccessible through information requests. From the report: "The bureau says in a proposal to exempt the database from disclosure that the NGIS should be exempt from the Privacy Act for a number of reasons, including the possibility that providing access 'could compromise sensitive law enforcement information, disclose information which would constitute an unwarranted invasion of another's personal privacy; reveal a sensitive investigative technique; could provide information that would allow a subject to avoid detection or apprehension; or constitute a potential danger to the health or safety of law enforcement personnel, confidential sources, and witnesses.'" RT released a similar report on the matter.
AI

Avoiding BlackBerry's Fate: How Apple Could End Up In a Similar Position (marco.org)

It's almost unbelievable today that BlackBerry once ruled the smartphone market. The Canadian company's handset, however, started to lose relevance when Apple launched the iPhone in 2007. At the time, BlackBerry said that nobody would purchase an iPhone, as there's a battery trade-off. Wittingly or not, Apple could end up in a similar position to BlackBerry, argues Marco Arment. Arment -- who is best known for his Apple commentary, Overcast and Instapaper apps, and co-founding Tumblr -- says that Apple's strong stand on privacy is keeping it from being the frontrunner in advanced AI, a category which has seen large investments from Google, Apple, Facebook, and Amazon in recent years. He adds that privacy cannot be an excuse, as Apple could utilize public data like the web, mapping databases, and business directories. He writes: Today, Amazon, Facebook, and Google are placing large bets on advanced AI, ubiquitous assistants, and voice interfaces, hoping that these will become the next thing that our devices are for. If they're right -- and that's a big "if" -- I'm worried for Apple. Today, Apple's being led properly day-to-day and doing very well overall. But if the landscape shifts to prioritise those big-data AI services, Apple will find itself in a similar position as BlackBerry did almost a decade ago: what they're able to do, despite being very good at it, won't be enough anymore, and they won't be able to catch up. Where Apple suffers is big-data services and AI, such as search, relevance, classification, and complex natural-language queries. Apple can do rudimentary versions of all of those, but their competitors -- again, especially Google -- are far ahead of them, and the gap is only widening. And Apple is showing worryingly few signs of meaningful improvement or investment in these areas. Apple's apparent inaction shows that they're content with their services' quality, management, performance, advancement, and talent acquisition and retention.
One company that is missing from Mr. Arment's column is Microsoft. The Cortana-maker has also placed large bets on AI. According to job postings on its portal, it appears, for instance, that Microsoft is also working on a Google Home-like service.
Crime

Real-Life RoboCop Guards Shopping Centers In California (metro.co.uk)

An anonymous reader quotes a report from Metro: While machines from the likes of RoboCop and Chappie might just be the reserve of films for now, this new type of robot is already fighting crime. This particular example can be found guarding a shopping center in California but there are other machines in operation all over the state. Equipped with self-navigation, infra-red cameras and microphones that can detect breaking glass, the robots, designed by Knightscope, are intended to support security services. Stacy Dean Stephens, who came up with the idea, told The Guardian the problem that needed solving was one of intelligence. "And the only way to gain accurate intelligence is through eyes and ears," he said. "So, we started looking at different ways to deploy eyes and ears into situations like that." The robot costs about $7 an hour to rent and was inspired by the Sandy Hook school shooting after which it was claimed 12 lives could have been saved if officers arrived a minute earlier.
Privacy

Uber Knows Exactly When You'll Pay Surge Pricing (yahoo.com)

An anonymous reader writes: Uber has figured out exactly when you are more likely to pay double or triple the cost of your ride: when your phone battery is low. Uber's head of economic research, Keith Chen, recently told NPR on an episode of The Hidden Brain podcast that people are willing to accept up to 9.9 times surge pricing if their phones are about to go dead. Data about user batteries is collected because the app uses that information to know when to switch into low-power mode. The idea being: If you really need to get where you're going, you'll pay just about anything (or at least 9.9 times anything) to ensure you're getting a ride home and won't be stranded. A person with a more fully charged device has time to wait and see if the surge pricing goes down. The company insists that it won't use this information against you.
Government

New Surveillance System May Let Cops Use All Of The Cameras (engadget.com)

An anonymous reader quotes a report from Wired: [Computer scientists have created a way of letting law enforcement tap any camera that isn't password protected so they can determine where to send help or how to respond to a crime.] The system, which is just a proof of concept, alarms privacy advocates who worry that prudent surveillance could easily lead to government overreach, or worse, unauthorized use. It relies upon two tools developed independently at Purdue. The Visual Analytics Law Enforcement Toolkit superimposes the rate and location of crimes and the location of police surveillance cameras. CAM2 reveals the location and orientation of public network cameras, like the one outside your apartment. You could do the same thing with a search engine like Shodan, but CAM2 makes the job far easier, which is the scary part. Aggregating all these individual feeds makes it potentially much more invasive. [Purdue limits access to registered users, and the terms of service for CAM2 state "you agree not to use the platform to determine the identity of any specific individuals contained in any video or video stream." A reasonable step to ensure privacy, but difficult to enforce (though the team promises the system will have strict security if it ever goes online). Beyond the specter of universal government surveillance lies the risk of someone hacking the system.] EFF discovered that anyone could access more than 100 "secure" automated license plate readers last year.
The Courts

Google Appeals French Order For Global 'Right To Be Forgotten' (reuters.com)

An anonymous reader quotes a report from Reuters: Alphabet Inc's Google appealed on Thursday an order from the French data protection authority to remove certain web search results globally in response to a European privacy ruling, escalating a fight on the extra-territorial reach of EU law. In May 2014, the European Court of Justice (ECJ) ruled that people could ask search engines, such as Google and Microsoft's Bing, to remove inadequate or irrelevant information from web results appearing under searches for people's names -- dubbed the "right to be forgotten." Google complied, but it only scrubbed results across its European websites such as Google.de in Germany and Google.fr in France, arguing that to do otherwise would set a dangerous precedent on the territorial reach of national laws. The French regulator, the Commission Nationale de l'Informatique et des Libertes (CNIL), fined Google 100,000 euros ($112,150.00) in March for not delisting more widely, arguing that was the only way to uphold Europeans' right to privacy. The company filed its appeal of the CNIL's order with France's supreme administrative court, the Council of State. "One nation does not make laws for another," said Dave Price, senior product counsel, Google. "Data protection law, in France and around Europe, is explicitly territorial, that is limited to the territory of the country whose law is being applied." Google's Transparency Report indicates the company accepts around 40 percent of requests for the removal of links appearing under search results for people's names.
Google

Google Is A Serial Tracker (softpedia.com)

An anonymous reader writes: Two Princeton academics conducted a massive study of how websites track users using various techniques. The results of the study, which they claim to be the biggest to date, show that Google, through multiple domains, is tracking users on around 80 percent of all Top 1 Million domains. Researchers say that Google-owned domains account for the top 5 most popular trackers and 12 of the top 20 tracker domains. Additionally, besides tracking scripts, HTML5 canvas fingerprinting and WebRTC local IP discovery, researchers discovered a new user fingerprinting technique that uses the AudioContext API. Third-party trackers use it to send low-frequency sounds to a user's PC and measure how the PC processes the data, creating a unique fingerprint based on the user's hardware and software capabilities. A demo page for this technique is available. Of course, this sort of thing is nothing new and occurs all across the web and beyond. MIT and Oxford published a study this week that revealed that Twitter location tags on only a few tweets can reveal details about the account's owner, such as his/her real-world address, hobbies and medical history. Another recently released study by Stanford shows that phone call metadata can also be used to infer personal details about a phone owner.
Network

TeslaCrypt Ransomware Maker Shuts Down, Releases Master Key (techcrunch.com)

An anonymous reader writes: The TeslaCrypt ransomware makers have officially closed down shop and apologized for all the damage they have caused in the past. TeslaCrypt upset a lot of gamers as it would locate and encrypt video games on your Windows PC. With the recent decision to shut down, anti-ransomware researchers have been able to create a fool-proof decryption app called TeslaDecoder (Link is a direct download). Now, many of the hard drives rendered useless by the malware are available to use, and almost every file can be accessed using the unlock system. "TeslaCrypt's website was on the Tor network and now consists of a master key and an apology," writes TechCrunch.
Google

Don't Use Google Allo (vice.com)

At its developer conference on Wednesday, Google announced Allo, a chatbot-enabled messaging app. The app offers a range of interesting features such as the ability to quickly doodle on an image and get prompt responses. Additionally, it is the "first Google" product to offer end-to-end encryption, though that is not turned on by default. If you're concerned about privacy, you will probably still want to avoid Allo, says the publication. From the report: Allo's big innovation is "Google Assistant," a Siri competitor that will give personalized suggestions and answers to your questions on Allo as well as on the newly announced Google Home, which is a competitor to Amazon's Echo. On Allo, Google Assistant will learn how you talk to certain friends and offer suggested replies to make responding easier. Let that sink in for a moment: The selling point of this app is that Google will read your messages, for your convenience. Google would be insane to not offer some version of end-to-end encryption in a chat app in 2016, when all of its biggest competitors have it enabled by default. Allo uses the Signal Protocol for its encryption, which is good. But as with all other Google products, Allo will work much better if you let Google into your life. Google is banking on the idea that you won't want to enable Incognito Mode, and thus won't enable encryption. Edward Snowden also chimed in on the matter. He said, "Google's decision to disable end-to-end encryption by default in its new Allo chat app is dangerous, and makes it unsafe. Avoid it for now."
Security

Updated Skimer Malware Infects ATMs Worldwide (thestack.com)

An anonymous reader writes: Researchers at Kaspersky have discovered an improved version of Backdoor.Win32.Skimer infecting ATMs worldwide. The new Skimer allows criminal access to card data, including PIN numbers, as well as to the actual cash located in the machine. The malicious installers use the packer Themida to disguise the Skimer malware, which is then installed on the ATM. If the ATM file system is FAT32, the malware drops the file netmgr.dll in the folder C:\Windows\System32. If the ATM has an NTFS file system, netmgr.dll is placed in an NTFS data stream of the executable file, which makes detection and analysis of the malware more difficult. Skimer may lie dormant for months until it is activated with the physical use of a "magic card," which gives control of the malware, and then offers a list of options that are accessed by inputting a choice on the PIN pad. The user can then request the ATM to: show installation details, dispense money, start collecting the details of inserted cards, print collected card details, self-delete, enable debug mode, and update. Here's a video of the Skimer malware in action.
Security

LinkedIn User? Your Data May Be Up For Sale (zdnet.com)

An anonymous reader cites a ZDNet report: Reports indicate that a LinkedIn data breach may have led to the sale of sensitive data belonging to 117 million users. The company's website experienced a data breach in 2012, but the true consequences of the breach are only now becoming apparent. Users of LinkedIn's website in 2012 discovered that roughly 6.5 million user account passwords were posted online, and the company never completely confirmed just who was impacted by the security incident. However, a hacker called "Peace" told the publication that this information is being sold on the dark web for roughly $2,200, and paid hacker data search engine LeakedSource also claims to have the data. Both sources say there are approximately 167 million accounts in the data dump, 117 million of which have both emails and encrypted passwords. LinkedIn has acknowledged the breach. In a blog post, the company writes: Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.
Government

Developer Of Anonymous Tor Software Dodges FBI, Leaves US (cnn.com)

An anonymous reader quotes a report from CNN: FBI agents are currently trying to subpoena one of Tor's core software developers to testify in a criminal hacking investigation, CNNMoney has learned. But the developer, who goes by the name Isis Agora Lovecruft, fears that federal agents will coerce her to undermine the Tor system -- and expose Tor users around the world to potential spying. That's why, when FBI agents approached her and her family over Thanksgiving break last year, she immediately packed her suitcase and left the United States for Germany. "I was worried they'd ask me to do something that hurts innocent people -- and prevent me from telling people it's happening," she said in an exclusive interview with CNNMoney. Earlier in the month, Tech Dirt reported the Department of Homeland Security wants to subpoena the site over the identity of a hyperbolic commenter.
Education

Iraq Shuts Down Internet In Entire Country To Prevent Exam Cheating (softpedia.com)

An anonymous reader writes: The Iraqi government has ordered ISPs to shut down Internet access in the entire country to prevent cheating on Iraq's official exams for secondary and high schools. This is the second year in a row that Iraq has done this, after the same thing happened in 2015. Companies like Akamai and Dyn also noted the government's poor decision on Twitter. It appears that Iraqi officials have never heard of signal jammers and video cameras to combat exam cheating. The country's Internet went dark May 14-16th, between 05:00 AM and 08:00 AM GMT. An Iraqi ISP leaked on Facebook the content of an email it received from state officials.
Education

Theoretical Breakthrough Made In Random Number Generation (threatpost.com)

msm1267 quotes a report from Threatpost: Two University of Texas academics have made what some experts believe is a breakthrough in random number generation that could have longstanding implications for cryptography and computer security. David Zuckerman, a computer science professor, and Eshan Chattopadhyay, a graduate student, published a paper in March that will be presented in June at the Symposium on Theory of Computing. The paper describes how the academics devised a method for the generation of high quality random numbers. The work is theoretical, but Zuckerman said down the road it could lead to a number of practical advances in cryptography, scientific polling, and the study of other complex environments such as the climate. "We show that if you have two low-quality random sources -- lower quality sources are much easier to come by -- two sources that are independent and have no correlations between them, you can combine them in a way to produce a high-quality random number," Zuckerman said. "People have been trying to do this for quite some time. Previous methods required the low-quality sources to be not that low, but more moderately high quality. We improved it dramatically." The technical details are described in the academics' paper "Explicit Two-Source Extractors and Resilient Functions."
Privacy

It's Trivially Easy To Identify You Based On Records of Your Calls and Texts (dailydot.com)

Reader erier2003 shares an article on Daily Dot: Contrary to the claims of America's top spies, the details of your phone calls and text messages -- including when they took place and whom they involved -- are no less revealing than the actual contents of those communications. In a study published online Monday in the journal Proceedings of the National Academy of Sciences, Stanford University researchers demonstrated how they used publicly available sources -- like Google searches and the paid background-check service Intelius -- to identify "the overwhelming majority" of their 823 volunteers based only on their anonymized call and SMS metadata. The results cast doubt on claims by senior intelligence officials that telephone and Internet "metadata" -- information about communications, but not the content of those communications -- should be subjected to a lower privacy threshold because it is less sensitive. Contrary to those claims, the researchers wrote, "telephone metadata is densely interconnected, susceptible to reidentification, and enables highly sensitive inferences." IEEE has more details.
Privacy

Face Recognition App Taking Russia By Storm May Bring End To Public Anonymity (theguardian.com)

An anonymous reader writes: Anonymity in public could soon become a thing of the past. A service called FindFace allows users to photograph people in a crowd and work out their identities with 70% reliability. It works by comparing photographs to profile pictures on Vkontakte, a social network popular in Russia and the former Soviet Union, with more than 200 million accounts. In future, the designers imagine a world where people walking past you on the street could find your social network profile by sneaking a photograph of you, and shops, advertisers and the police could pick your face out of crowds and track you down via social networks. In the short time since the launch, FindFace has amassed 500,000 users and processed nearly 3m searches. Newsweek wrote about this app last month. The publication reported on an abuse of the app in which porn stars and sex workers were targeted. Some wanted to use FindFace for the purpose of "outing" these sex workers to their families and social media contacts.
Security

Hackers' Website Breached by Hacker (bbc.com)

Nulled, one of the most popular hacker forums with more than 470,000 members, has suffered a data breach, as a result of which the email addresses and private messages of all these members have leaked. According to a report on BBC, the leaked data contained more than 5,000 purchase records relating to the exchange of stolen information. From the BBC report: Researchers at Risk Based Security said the data dump contained the "complete forum's database" including 12,600 invoices, usernames, members' PayPal addresses and IP addresses. It also contained millions of forum posts and private messages detailing illegal activities. And some of the data could be used to work out members' identities, if they did not take steps to conceal it. Risk Based Security added the website had used message board software with known vulnerabilities, and the site also used a weak hashing algorithm to protect members' passwords.