Advertising

Malvertising Campaign Infected Thousands of Users Per Day For More Than a Year (softpedia.com) 8

An anonymous reader writes from a report via Softpedia: Since the summer of 2015, users that surfed 113 major, legitimate websites were subjected to one of the most advanced malvertising campaigns ever discovered, with signs that this might have actually been happening since 2013. Infecting a whopping 22 advertising platforms, the criminal gang behind this campaign used complicated traffic filtering systems to select users ripe for infection, usually with banking trojans. The campaign constantly pulled between 1 and 5 million users per day, infecting thousands, and netting the crooks millions each month. The malicious ads, according to this list, were shown on sites like The New York Times, Le Figaro, The Verge, PCMag, IBTimes, Ars Technica, Daily Mail, Telegraaf, La Gazzetta dello Sport, CBS Sports, Top Gear, Urban Dictionary, Playboy, Answers.com, Sky.com, and more.
Communications

Snowden Questions WikiLeaks' Methods of Releasing Leaks (pcworld.com) 24

An anonymous reader quotes a report from PCWorld: Former U.S. National Security Agency contractor, Edward Snowden, has censured WikiLeaks' release of information without proper curation. On Thursday, Snowden, who has embarrassed the U.S. government with revelations of widespread NSA surveillance, said that WikiLeaks was mistaken in not at least modestly curating the information it releases. "Democratizing information has never been more vital, and @Wikileaks has helped. But their hostility to even modest curation is a mistake," Snowden said in a tweet. WikiLeaks shot back at Snowden that "opportunism won't earn you a pardon from Clinton [and] curation is not censorship of ruling party cash flows." The whistleblowing site appeared to defend itself earlier on Thursday while referring to its "accuracy policy." In a Twitter message it said that it does "not tamper with the evidentiary value of important historical archives." WikiLeaks released nearly 20,000 previously unseen DNC emails last week, which suggest that committee officials had favored Clinton over her rival Senator Bernie Sanders. The most recent leak consists of 29 voicemails from DNC officials.
Democrats

Clinton Campaign Breached By Hackers 55

An anonymous reader writes: Hillary Clinton's campaign network was breached by hackers targeting several large Democratic organizations, Reuters reports. Clinton's campaign spokesperson Nick Merrill confirmed the hack in a statement. 'An analytics data program maintained by the DNC, and used by our campaign and a number of other entities, was accessed as part of the DNC hack. Our campaign computer system has been under review by outside security experts. To date, they have found no evidence that our internal systems have been compromised,' he said.

The hack follows on the heels of breaches at the Democratic National Committee and at the Democratic Congressional Campaign Committee earlier this year. More than 19,000 emails from DNC officials were published on WikiLeaks just prior to the Democratic National Convention, casting a shadow over the proceedings. Some security experts and U.S. officials have attributed the breaches to Russian operatives, although the origin of the email leak is less certain.
Security

SwiftKey Bug Leaked Email Addresses, Phone Numbers To Strangers (theverge.com) 19

An anonymous reader writes: After many users reported receiving predictions meant for other users, such as email addresses and phone numbers, SwiftKey has suspended part of its service. The service responsible for the bug was SwiftKey's cloud sync service. The Verge reports that one user, an English speaker, was getting someone else's German suggestions, while someone received NSFW porn search suggestions. The Telegraph also reports, "One SwiftKey user, who works in the legal profession and asked to remain anonymous, found out their details had been compromised when a stranger emailed them to say that a brand new phone had suggested their email address when logging into an account online. 'A few days ago, I received an email from a complete stranger asking if I had recently purchased and returned a particular model of mobile phone, adding that not one but two of my email addresses (one personal and one work address) were saved on the phone she had just bought as brand-new,' said the user." SwiftKey released an official statement today about the issue but said that it "did not pose a security issue."
Robotics

US Military Using $600K 'Drone Buggies' To Patrol Camps In Africa (cnbc.com) 42

An anonymous reader quotes a report from CNBC: The U.S. military is using an unmanned robotic vehicle to patrol around its camps in the Horn of Africa. The remote controlled vehicle is the result of a 30-year plan after military chiefs approved the concept of a robotic security system in 1985. Now the Mobile Detection Assessment and Response System, known as MDARS, is carrying out patrols in the east African country of Djibouti, under the control of the Combined Joint Task Force-Horn of Africa. The area is known as home to a number of hostile militant groups including the al-Qaeda-affiliated al-Shabaab. An operator sits in a remote location away from the vehicle watching the terrain via a camera link which is fixed to the chassis. U.S. military software engineer Joshua Kordanai said in a video presentation that the vehicle drives itself, freeing the remote operator to monitor video. "The vehicle has an intruder detection payload, consisting of radar, a night vision camera, a PTZ [pan-tilt-zoom] camera and two-way audio, so the system will be able to detect motion," he added. One report prices the cost of an earlier version of the military 'drone buggy' at $600,000 each.
Security

WhatsApp Isn't Fully Deleting Its 'Deleted' Chats (theverge.com) 52

Facebook-owned messaging app WhatsApp retains and stores chat logs even after those messages have been deleted, according to iOS researcher Jonathan Zdziarski. The Verge reports: Examining disk images taken from the most recent version of the app, Zdziarski found that the software retains and stores a forensic trace of the chat logs even after the chats have been deleted, creating a potential treasure trove of information for anyone with physical access to the device. The same data could also be recoverable through any remote backup systems in place. In most cases, the data is marked as deleted by the app itself -- but because it has not been overwritten, it is still recoverable through forensic tools. Zdziarski attributed the problem to the SQLite library used in coding the app, which does not overwrite by default. WhatsApp was applauded by many privacy advocates for switching to default end-to-end encryption through the Signal protocol, a process that completed this April. But that system only protects data in transit, preventing carriers and other intermediaries from spying on conversations as they travel across the network.
Chrome

Ask Slashdot: Best Browser Extensions -- 2016 Edition 157

Reader LichtSpektren writes: Almost eleven years ago, Slashdot featured an Ask titled "Favorite Firefox Extensions?". I thought it might be worthwhile to ask the question again (Editor's note: we couldn't agree more!), but expand the query to all web browsers now that there are more choices available.

Right now my main browser is Firefox, which I use with uBlock Origin, Disconnect, HTTPS Everywhere, Privacy Badger, NoScript, Self-Destructing Cookies, Decentraleyes, Privacy Settings, and Clean Links. (N.B. the first four of these are also available in Chromium-based browsers.) I use Chrome as a secondary browser, with the first four of the aforementioned extensions, plus Clear Cache and occasionally Flashcontrol.

This one has nothing to do with security or privacy, but Reedy on Chromium is a really nice tool for speed reading.

What do you use?
Let's get this going.
Government

British Spy Agency GCHQ Used URL Shortener To Honeypot Arab Spring Activists (vice.com) 36

The British spy agency GCHQ used a custom URL shortener and Twitter sockpuppets to influence and infiltrate activists during the Iran revolution of 2009 and the Arab Spring of 2011, reports Motherboard, citing leaked documents by Edward Snowden. From the article: The GCHQ's special unit, known as the Joint Threat Research Intelligence Group or JTRIG, was first revealed in 2014, when leaked top secret documents showed it tried to infiltrate and manipulate -- using "dirty trick" tactics such as honeypots -- online communities including those of Anonymous hacktivists, among others. The group's tactics against hacktivists have been previously reported, but its influence campaign in the Middle East has never been reported before. I was able to uncover it because I was myself targeted in the past, and was aware of a key detail, a URL shortening service, that was actually redacted in Snowden documents published in 2014. A now-defunct free URL shortening service -- lurl.me -- was set up by GCHQ that enabled social media signals intelligence. Lurl.me was used on Twitter and other social media platforms for the dissemination of pro-revolution messages in the Middle East.
The Almighty Buck

Dark Patterns Across the Web Are Designed To Trick You 120

An anonymous reader writes from a report via Ars Technica: Harry Brignull has posted a 30-minute video documenting dark patterns, deliberately confusing or deceptive user interfaces (not exclusive to the internet) that trick users into setting up recurring payments, purchasing items added to a shopping cart, or spamming all contacts through pre-checked forms on Facebook games for example. Basically, they're tactics used by online services to get users to do things they wouldn't normally do. Yael Grauer has written an in-depth report on Ars Technica about dark patterns, where he discusses Brignull's work with UX designers and business executives: "Klein [Principal at Users Known and author of UX for Lean Startups] believes many of the worst dark patterns are pushed by businesses, not by designers. 'It's often pro-business at the expense of the users, and the designers often see themselves as the defender or advocate of the user,' she explained. And although Brignull has never been explicitly asked to design dark patterns himself, he said he has been in situations where using them would be an easy solution -- like when a client or boss says they really need a large list of people who have opted in to marketing e-mails. 'The first and easiest trick to have an opt-in is to have a pre-ticked checkbox, but then you can just get rid of that entirely and hide it in the terms of conditions and say that by registering you're going to be opted in to our e-mails,' Brignull said. 'Then you have a 100-percent sign-up rate and you've exceeded your goals. I kind of understand why people do it. If you're only thinking about the numbers and you're just trying to juice the stats, then it's not surprising in the slightest.'
'There's this logical positivist mindset that the only things that have value are those things that can be measured and can empirically be shown to be true, and while that has its merits it also takes us down a pretty dark place,' said digital product designer Cennydd Bowles, who is researching ethical design. 'We start to look at ethics as pure utilitarianism, whatever benefits the most people. Yikes, it has problems.'" Brignull's website has a number of examples of deliberately confusing or deceptive user interfaces.
Crime

Gary Johnson: I'd Consider Pardoning Snowden, Chelsea Manning (vocativ.com) 245

An anonymous reader writes from a report via Vocativ: [Vocativ reports:] "The U.S.'s most popular third-party presidential candidate says he would 'consider' pardoning the highest profile convicts of computer-related crimes in the country, including Chelsea Manning, Ross Ulbricht, and Jeremy Hammond. Libertarian candidate Gary Johnson, a former governor of New Mexico, also reiterated his possible willingness to pardon Edward Snowden, the former National Security Agency analyst who gave a cache of agency documents to journalists in 2013." "Having actually served as a governor and administered the power to grant pardons and clemency, Gary Johnson is very conscious and respectful of the need for processes for using that authority," Joe Hunter, Johnson's communications director, told Vocativ in a statement. "However, he has made it clear on numerous occasions that he would 'look seriously at' pardoning Edward Snowden, based on public information that Snowden's actions did not cause actual harm to any U.S. intelligence personnel. Likewise, he has said he would look favorably on pardoning Ross Ulbricht, consistent with his broader and long-standing commitment to pardon nonviolent drug offenders, whistleblowers, and others imprisoned under unjust and ill-advised laws," Hunter said. When Vocativ asked specifically about Chelsea Manning, Jeremy Hammond, Barrett Brown, and Matthew Keys, Hunter responded: "The same goes for the other individuals you have mentioned -- and hundreds, if not thousands, like them. Gov. Johnson finds it to be an outrage that the U.S. has the highest incarceration rate in the developed world, and announced in 2012 that, as President, he would promptly commence the process of pardoning nonviolent offenders who have done no real harm to others." The Green Party candidate Jill Stein has also shared her thoughts on pardoning Edward Snowden and Chelsea Manning. Not only would she pardon Snowden, but she said she would appoint him to her cabinet.
Privacy

Using VPN in UAE Could Cost You $545,000 (businessinsider.com) 109

An anonymous reader writes: The President of the United Arab Emirates has issued a series of new federal laws relating to IT crimes, including a regulation that forbids anyone in the UAE from making use of virtual private networks to secure their web traffic from prying eyes. The new law states that anyone who uses a VPN or proxy server can be imprisoned and fined between $136,000 and $545,000 if they are found to use VPNs fraudulently. Previously, the law was restricted to prosecuting people who used VPNs as part of an internet crime, but UK-based VPN and privacy advocate Private Internet Access says that the law has now changed to enable police in the UAE to go after anyone who uses VPNs to access blocked services, which is considered to be fraudulent use of an IP address.
Crime

Tor Project Confirms Sexual Misconduct By Developer Jacob Appelbaum (theverge.com) 394

An anonymous reader quotes a report from The Verge: The Tor Project, a nonprofit known for its online anonymity software, says it has verified claims that former employee Jacob Appelbaum engaged in "sexually aggressive behavior" with people inside and outside of its organization. "We have confirmed that the events did take place as reported," Shari Steele, Tor's executive director, tells The Verge. In a blog post today, Steele says that Tor began an investigation into Appelbaum's behavior after several people came forward with allegations of misconduct in late May. In a statement made in June, he said the allegations were "entirely false." He resigned from the Tor Project in May. "I want to thank all the people who broke the silence around Jacob's behavior," Steele writes. "It is because of you that this issue has now been addressed. I am grateful you spoke up, and I acknowledge and appreciate your courage." Steele says that Tor is now implementing a new anti-harassment policy, as well as a process for submitting complaints and having them reviewed. The changes will be put in place this week. Tor also announced last month that it would replace its entire board of directors.
Businesses

Tesla and Autopilot Supplier Mobileye Split Up After Fatal Crash (usatoday.com) 127

An anonymous reader quotes a report from USA Today: Tesla and Mobileye, one of the top suppliers to its Autopilot partial self-driving system, are parting ways in the wake of the May accident that killed an owner of one of its electric Model S sedans. Mobileye is considered a leader in developing the equipment that will be needed for fully self-driving cars. The Israeli tech company will continue to support and maintain current Tesla products, including upgrades that should help the Autopilot system with crash avoidance and to better allow the car to steer itself, said Chairman Amnon Shashua in releasing the company's second-quarter earnings Tuesday. Shashua said moving cars to higher levels of self-driving capability "is a paradigm shift both in terms of function complexity and the need to ensure an extremely high level of safety." He added there is "much at stake" in terms of Mobileye's reputation, and that it is best to end the relationship with Tesla by the end of the year. Tesla CEO Elon Musk, meeting with reporters at the company's new battery Gigafactory outside Reno, indicated that Tesla can go forward without Mobileye. "Us parting ways was somewhat inevitable. There's nothing unexpected here from our standpoint," Musk said. "We're committed to autonomy. They'll go their way, and we'll go ours."
Iphone

New York DA Wants Apple, Google To Roll Back Encryption (tomsguide.com) 254

An anonymous reader writes: Manhattan District Attorney Cyrus Vance Jr. called on Apple and Google to weaken their device encryption, arguing that thousands of crimes remained unsolved because no one can crack into the perpetrators' phones. Vance, speaking at the International Conference on Cyber Security here, said that law enforcement officials did not need an encryption "backdoor," sidestepping a concern of computer-security experts and device makers alike. Instead, Vance said, he only wanted the encryption standards rolled back to the point where the companies themselves can decrypt devices, but police cannot. This situation existed until September 2014, when Apple pushed out iOS 8, which Apple itself cannot decrypt. "Tim Cook was absolutely right when he told his shareholders that the iPhone changed the world," Vance said. "It's changed my world. It's letting criminals conduct their business with the knowledge we can't listen to them."
Security

LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites (theregister.co.uk) 134

Reader mask.of.sanity writes: A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which can completely compromise user accounts when users visit malicious websites. The flaw is today being reported to LastPass by established Google Project Zero hacker Tavis Ormandy, who says he has found other "obvious critical problems". Interestingly, Mathias Karlsson, a security researcher, has also independently found flaws in LastPass. In a blog post, he wrote that he was able to trick LastPass into believing he was on the real Twitter website and cough up the users' credentials because of a bug in the LastPass password manager's autofill functionality. LastPass has fixed the bug, but Karlsson advises users to disable autofill functionality and use multi-factor authentication. At this point, it's not clear whether Ormandy is also talking about the same vulnerability.
HP

Popular Wireless Keyboards From HP, Toshiba and Others Don't Use Encryption, Can Be Easily Snooped On (threatpost.com) 85

Reader msm1267 writes: Wireless keyboards made by eight different companies suffer from a vulnerability that can allow attackers to eavesdrop on keystrokes from up to 250 feet away, researchers warned Tuesday. If exploited, the vulnerability, dubbed KeySniffer, could let an attacker glean passwords, credit card numbers, security questions and answers -- essentially anything typed on a keyboard, in clear text. Keyboards manufactured by Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec are affected, according to Marc Newlin, a researcher with Bastille Networks who discovered the vulnerability. Bastille gave the manufacturers of the keyboards 90 days to address the vulnerability, but most vendors failed to respond to their findings. Newlin said only Jasco Products, a company that manufactures the affected keyboard (GE 98614) for General Electric, responded and claimed it no longer manufactures wireless devices, like keyboards. As there doesn't appear to be a way to actually fix the vulnerability, it's likely the companies will eventually consider the devices end of life.
Android

Motorola Confirms That It Will Not Commit To Monthly Security Patches (arstechnica.com) 162

If you are planning to purchase the Moto Z or a Moto G4 smartphone, be prepared to not see security updates rolling out to your phone every month -- and in a timely fashion. After Ars Technica called out Motorola's security policy as "unacceptable" and "insecure" in a recent review, the company tried to handle the PR disaster, but later folded. In a statement to the publication, the company said: Motorola understands that keeping phones up to date with Android security patches is important to our customers. We strive to push security patches as quickly as possible. However, because of the amount of testing and approvals that are necessary to deploy them, it's difficult to do this on a monthly basis for all our devices. It is often most efficient for us to bundle security updates in a scheduled Maintenance Release (MR) or OS upgrade. As we previously stated, Moto Z Droid Edition will receive Android Security Bulletins. Moto G4 will also receive them.

Monthly security updates -- or the lack thereof -- remain one of the concerning issues that plague the vast majority of Android devices. Unless it's a high-end smartphone, it is rare to see the smartphone OEM keep the device's software updated for more than a year. Even with a flagship phone, the software updates -- and corresponding security patches -- are typically guaranteed for only 18 to 24 months. Reports suggest that Google has been taking this issue seriously, and at some point, it was considering publicly shaming its partners that didn't roll out security updates to their respective devices fast enough.
Government

Obama Creates a Color-Coded Cyber Threat 'Schema' After the DNC Hack (vice.com) 133

The White House on Tuesday issued new instructions on how government agencies should respond to major cyber security attacks, in an attempt to combat perceptions that the Obama administration has been sluggish in addressing threats from sophisticated hacking adversaries, Reuters reports. The announcement comes amid reports that hackers working for Russia may have engineered the leak of emails stolen from the Democratic National Committee in an attempt to influence the outcome of the upcoming presidential election. Motherboard adds: George W. Bush's Homeland Security Advisory System -- the color-coded terrorism "threat level" indicator that became a symbol of post-9/11 fear mongering -- is getting its spiritual successor for hacking: the "Cyber Incident Severity Schema." President Obama announced a new policy directive Tuesday that will codify how the federal government will respond to hacking incidents against both the government and private American companies. [...] The Cyber Incident Severity Schema ranges from white (an "unsubstantiated or inconsequential event") to black (a hack that "poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons"), with green, yellow, orange, and red falling in between. Any hack or threat of a hack rated at orange or above is a "significant cyber incident" that will trigger what the Obama administration is calling a "coordinated" response from government agencies. As you might expect, there are many unanswered questions here, and the federal government has announced so many cyber programs in the last few years that it's hard to know which, if any of them, will actually make the US government or its companies any safer from hackers.
Security

'DNC Hacker' Unmasked: He Really Works for Russia, Researchers Say (thedailybeast.com) 692

The hacker who claimed to compromise the DNC swore he was Romanian, but a new investigation shows he worked directly for Russian President Vladimir Putin's government in Moscow. The Daily Beast reports: The hacker who claims to have stolen emails from the Democratic National Committee and provided them to WikiLeaks is actually an agent of the Russian government and part of an orchestrated attempt to influence U.S. media coverage surrounding the presidential election, a security research group concluded on Tuesday. The researchers, at Arlington, Va.-based ThreatConnect, traced the self-described Romanian hacker Guccifer 2.0 back to an Internet server in Russia and to a digital address that has been linked in the past to Russian online scams. Far from being a single, sophisticated hacker, Guccifer 2.0 is more likely a collection of people from the propaganda arm of the Russian government meant to deflect attention away from Moscow as the force behind the DNC hacks and leaks of emails, the researchers found. ThreatConnect is the first known group of experts to link the self-proclaimed hacker to a Russian operation, amidst an ongoing FBI investigation and a presidential campaign rocked by the release of DNC emails that have embarrassed senior party leaders and inflamed intraparty tensions during the Democratic National Convention. The emails revealed that party insiders plotted ways to undermine Sen. Bernie Sanders' presidential bid. The researchers at the aforementioned security firm are basing their conclusion on three signals: the hacker used Russian computers to edit PDF files, he also used a Russian VPN -- and other internet infrastructure from the country -- and he was unable to speak Romanian.
Blackberry

BlackBerry Says Its New Android Smartphone DTEK 50 Is the 'World's Most Secure' (theverge.com) 94

BlackBerry, which once assumed the tentpole position in the mobile market, announced on Tuesday the BlackBerry DTEK 50, its second smartphone powered by Google's Android operating system. The Canadian company is marketing the DTEK as the 'world's most secure' phone. It is priced at $300, and will go on sale in select markets on August 8. The Verge adds: The DTEK50 has a 5.2-inch, 1080p display, Qualcomm Snapdragon 617 processor, 3GB RAM, 13-megapixel camera, and 2,610mAh battery. The 8-megapixel front camera also includes a flash for taking selfies. It runs Android 6.0 Marshmallow with BlackBerry's software features, such as the Hub. The software is similar to the software on the Priv released last year. The security features are highlighted right in the device's name, as it has BlackBerry's DTEK software that protects users from malware and other security problems often seen on Android smartphones. The DTEK app lets users quickly get an overview of their device's security and take action on any potential issues. BlackBerry says that it has modified Android with its own technology originally developed for the BB10 platform to make it more secure. The company is also committing to rapid updates to deliver security patches shortly after they are released.