Leap Towards a Career in Ethical Hacking with 60+ Hours of Prep Toward CISM, CISA, & More Certification Exams at 95% off ×
Encryption

Feinstein-Burr Encryption Legislation Is Dead In The Water (slashdot.org) 7

An anonymous reader writes from a report via Reuters: After the San Bernardino terrorist attack, key U.S. lawmakers pledged to require technology companies to give law enforcement agencies a "back door" to encrypted communications and electronic devices. Now, the push for legislation is dead only months after the terrorist attack. In April, Senators Richard Burr and Dianne Feinstein released the official version of their anti-encryption bill with hopes for it to pass through Congress. But with the lack of White House support for the legislation as well as the high-profile court case between Apple and the Justice Department, the legislation will likely not be introduced this year, and even if it were, it would stand no chance of advancing, said sources familiar with the matter. "The short life of the push for legislation illustrates the intractable nature of the debate over digital surveillance and encryption, which has been raging in one form or another since the 1990s," reports Reuters. Technology companies believe security would be undermined if it were to create a "back door" for law enforcement, while law enforcement agencies believe they need to monitor phone calls, emails, text messages and encrypted data in general for security purposes.
Crime

FBI Raids Dental Software Researcher Who Found Patient Records On Public Server (dailydot.com) 32

blottsie writes: Yet another security researcher is facing possible prosecution under the CFAA for accessing data on a publicly accessible server. The FBI on Tuesday raided Texas-based dental software security researcher Justin Shafer, who found the protected health records of 22,000 patients stored on an anonymous FTP. "This is a troubling development. I hope the government doesn't think that accessing unsecured files on a public FTP server counts as an unauthorized access under the CFAA," Orin Kerr, a George Washington University law professor and CFAA scholar told the Daily Dot. "If that turns out to be the government's theory -- which we don't know yet, as we only have the warrant so far -- it will be a significant overreach that raises the same issues as were briefed but not resolved in [Andrew 'weev' Auernheimer's] case. I'll be watching this closely." It was also reported this week via The Intercept that a provision snuck into the still-secret text of the Senate's annual intelligence authorization that would give the FBI the ability to demand individuals' email data and possibly web-surfing history from their service providers using those beloved 'National Security Letters' -- without a warrant and in complete secrecy.
Security

Hackers Claim to Have 427 Million Myspace Passwords (vice.com) 89

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: There's an oft-repeated adage in the world of cybersecurity: There are two types of companies, those that have been hacked, and those that don't yet know they have been hacked. MySpace, the social media behemoth that was, is apparently in the second category. The same hacker who was selling the data of more than 164 million LinkedIn users last week now claims to have 360 million emails and passwords of MySpace users, which would be one of the largest leaks of passwords ever. And it looks like the data is being circulated in the underground by other hackers as well. It's unclear when the data was stolen from MySpace, but both the hacker, who's known as Peace, and one of the operators of LeakedSource, a paid hacked data search engine that also claims to have the credentials, said it's from a past, unreported, breach.
Security

North Korea Linked to the SWIFT Bank Hacks (bloomberg.com) 36

North Korea could be behind the recent string of digital attacks on Asian banks, says Symantec. The cyber security firms notes that the attacks could be traced as far back as October 2015, two months prior to the earliest known incident. As you may recall, hackers stole around $80M from Bangladesh's central bank in March, and a similar attack was seen at a Vietnamese bank earlier this month. Symantec says that it has found evidence that distinctive malware that was used in both the hacks had strong commonalities with the 2014 Sony Picture breaches. Security firm FireEye also investigated the matter. From a Bloomberg report: Investigators are examining possible computer breaches at as many as 12 banks linked to Swift's global payments network that have irregularities similar to those in the theft of $81 million from the Bangladesh central bank, according to a person familiar with the probe. FireEye, the security firm hired by the Bangladesh bank, has been contacted by the other banks, most of which are in Southeast Asia, because of signs that hackers may have breached their networks, the person said. They include banks in the Philippines and New Zealand but not in Western Europe or the United States. There is no indication of whether money was taken.
Government

Secret Text In Senate Bill Would Give FBI Warrantless Access To Email Records (theintercept.com) 151

mi quotes a report from The Intercept: A provision snuck into the still-secret text of the Senate's annual intelligence authorization would give the FBI the ability to demand individuals' email data and possibly web-surfing history from their service providers using those beloved 'National Security Letters' -- without a warrant and in complete secrecy. [The spy bill passed the Senate Intelligence Committee on Tuesday, with the provision in it. The lone no vote came from Sen. Ron Wyden, D-Ore., who wrote in a statement that one of the bill's provisions "would allow any FBI field office to demand email records without a court order, a major expansion of federal surveillance powers." If passed, the change would expand the reach of the FBI's already highly controversial national security letters. The FBI is currently allowed to get certain types of information with NSLs -- most commonly, information about the name, address, and call data associated with a phone number or details about a bank account. The FBI's power to issue NSLs is actually derived from the Electronic Communications Privacy Act -- a 1986 law that Congress is currently working to update to incorporate more protections for electronic communications -- not fewer. The House unanimously passed the Email Privacy Act in late April, while the Senate is due to vote on its version this week. "NSLs have a sordid history. They've been abused in a number of ways, including targeting of journalists and use to collect an essentially unbounded amount of information," Andrew Crocker, staff attorney for the Electronic Frontier Foundation, wrote. One thing that makes them particularly easy to abuse is that recipients of NSLs are subject to a gag order that forbids them from revealing the letters' existence to anyone, much less the public.]
Privacy

Millennials Value Speed Over Security, Says Survey (dailydot.com) 129

An anonymous reader quotes a report from The Daily Dot: Millennials stand apart from other Americans in preferring faster Internet access to safer Internet access, according to a new survey. When digital-authentication firm SecureAuth asked people from all age groups whether they would rather be safer online or browse faster online, 57 percent of Americans chose security and 43 percent chose speed. But among millennials, the results were almost reversed: 54 percent chose speed over security. Young people are also more willing than the overall population to share sensitive information over public Wi-Fi connections, which are notoriously insecure as they allow anyone on the network to analyze and intercept passing traffic. While a clear majority (57 percent) of Americans told SecureAuth that they transmitted such information over public Wi-Fi, nearly eight in 10 (78 percent) of millennials said they did so. A surprising 44 percent of millennials believe their data is generally safe from hackers, and millennials are more likely than members of other age groups to share account passwords with friends. Americans overall are paying more attention to some aspects of digital security. An October 2015 study by the wireless industry's trade group found that 61 percent of Americans use passwords on their smartphones and 58 percent use them on their tablets, compared to 50 percent and 48 percent, respectively, in 2012. The recent study lines up with a report published on May 24 that found that the elderly use more secure passwords than millennials.
Privacy

Virtual Assistants Such As Amazon's Echo Break US Child Privacy Law, Experts Say (theguardian.com) 67

Mark Harris, reporting for The Guardian: An investigation by the Guardian has found that despite Amazon marketing the Echo to families with young children, the device is likely to contravene the US Children's Online Privacy Protection Act (COPPA), set up to regulate the collection and use of personal information from anyone younger than 13. Along with Google, Apple and others promoting voice-activated artificial intelligence systems to young children, the company could now face multimillion-dollar fines. "This is part of the initial wave of marketing to children using the internet of things," says Jeff Chester, executive director of the Center for Digital Democracy, a privacy advocacy group that helped write the law. "It is exactly why the law was enacted in the first place, to protect young people from pervasive data collection."
Network

Tor To Use Distributed RNG To Generate Truly Random Numbers (softpedia.com) 124

An anonymous reader quotes a report from Softpedia: Tor developers have been working on the next iteration of the Tor network and its underbelly, the Onion routing protocol, in order to create a stronger, harder-to-crack anonymous communications system. To advance the project, the developer team schedules brainstorming and planning meetings at regular intervals. The most recent of these meetings took place last week, in Montreal, Canada. In this session, the team tested the next generation of the Tor network working on top of a revamped Onion protocol that uses a new algorithm for generating random numbers, never before seen on the Internet. The Tor Project says it created something it calls "a distributed RNG" (random number generator) that uses two or more computers to create random numbers and then blends their outputs together into a new random number. The end result is something that's almost impossible to crack without knowing which computers from a network contributed to the final random number, and which entropy each one used. Last week, two University of Texas academics have made a breakthrough in random number generation. The work is theoretical, but could lead to a number of advances in cryptography, scientific polling, and the study of various complex environments such as the climate.
AI

Researchers Teaching Robots To Feel and React To Pain (ieee.org) 62

An anonymous reader writes: Researchers from Leibniz University of Hannover in Germany are developing what they call an "artificial robot nervous system" that would allow robots to "feel" pain and react accordingly so they can avoid potential damages to their components. According to IEEE, the system uses a "nervous robot-tissue model that is inspired by the human skin structure" to measure different pain levels and move the robot in a way that prevents damaging interactions. [The model transmits pain information in repetitive spikes if the force exceeds a certain threshold, and the pain controller reacts after classifying the information into light, moderate, or severe pain.] Johannes Kuehn, one of the researchers, argues that in addition to avoiding potential damages to their components, robots will be protecting humans as well, since a growing number of them will be operating in close proximity to human workers. Kuehn, who worked on the project with Professor Sami Haddadin, reasoned that if our biological mechanisms to sense and respond to pain are so effective, why not devise a bio-inspired robot controller that mimics those mechanisms?
Piracy

The Pirate Bay Sails Back To Its .ORG Domain (cnet.com) 87

An anonymous reader writes: Following a report that the Swedish Court would seize the domain names 'ThePirateBay.se' and 'PirateBay.se,' The Pirate Bay is now sailing back to where it started in 2003, ThePirateBay.org. CNET reports: "The site is currently redirecting all traffic from the above two domains back to its .org home." In 2012, The Pirate Bay moved to the .se domain. It then moved to more secure domains, such as .sx and .ac, eventually returning to .se in 2015. Every alternative domain the site was using has been seized. Since the registry that manages the top level .org domains is based in Virginia, it's likely we'll see some legal action from the U.S. in response to the move. Meanwhile, Pirate Bay co-founder Fredrik Neij plans to appeal the Swedish's court's decision to seize the .se domains.
Open Source

CentOS Linux 6.8 Released (softpedia.com) 88

An anonymous reader writes: CentOS team is pleased to announce the immediate availability of CentOS Linux 6.8 and install media for i386 and x86_64 Architectures. Release Notes for 6.8 are available here. Softpedia writes: "CentOS Linux 6.8 arrives today with major changes, among which we can mention the latest Linux 2.6.32 kernel release from upstream with support for storing up to 300TB of data on XFS filesystems. The VPN endpoint solution implemented in the NetworkManager network connection manager utility is now provided on the libreswan library instead of the Openswan IPsec implementation used in previous release of the OS, and it looks like the SSLv2 protocol has been disabled by default for the SSSD (System Security Services Daemon), which also comes with support for smart cards now." In addition, the new release comes with updated applications, including the LibreOffice 4.3.7 office suite and Squid 3.4 caching and forwarding web proxy, many of which are supporting the Transport Layer Security (TLS) 1.2 protocol, including Git, YUM, Postfix, OpenLDAP, stunnel, and vsftpd. The dmidecode open-source tool now supports SMBIOS 3.0.0, you can now pull kickstart files from HTTPS (Secure HTTP) sources, the NTDp (Network Time Protocol daemon) package has an alternative solution as chrony, SSLv3 has been disabled by default, and there's improved support for Hyper-V.
Democrats

State Dept. IT Staff Told To Keep Quiet About Clinton's Server (computerworld.com) 357

dcblogs writes this report from Computerworld: Former U.S. Secretary of State Hillary Clinton's decision to use a private email server ran afoul of the government's IT security and record retention requirements, according to a report by the department's inspector general released today. This use of a private email server did not go unnoticed within the Department of State's IT department. Two IT staff members who raised concerns about Clinton's use of a private server were told not to speak of it. Clinton was secretary of state from 2009 to 2013 and during that period she used a private email server in her New York home. This report by the Department of State's Inspector General about Clinton's use of a private server makes clear that rules and regulations were not followed. It says that Clinton would not have received approval for this server had she sought it. According to the current CIO, the report said, "Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs." However, the report notes, according to these officials, The Bureau of Diplomatic Security and IRM (Bureau of Information Resource Management) "did not -- and would not -- approve her exclusive reliance on a personal email account to conduct Department business, because of the restrictions in the FAM [Foreign Affairs Manual] and the security risks in doing so."
Android

Google Steps Up Pressure on Partners Tardy in Updating Android (bloomberg.com) 83

Google is actively tracking the time its partner OEMs take to release a new version of Android onto their devices. According to a Bloomberg report, the company is drawing up rankings that could shame some phone makers into better behavior. From the report: Google shared this list with Android partners earlier this year. It has discussed making it public to highlight proactive manufacturers and shame tardy vendors through omission from the list, two of the people said. [...] Google is making progress persuading phone makers and carriers to install security updates quicker "for the good of users," Android chief Hiroshi Lockheimer said. The same expedited process may then be used to send operating system updates to phones, he explained. The most challenging discussions are with carriers, which can be slow to approve updates because they test them thoroughly to avoid network disruption. The report adds that several OEMs are also stepping up their game to better comply with Google's new wishes. Motorola, for instance, is working on offering quarterly updates to its three years old devices.

For users with non-Nexus devices, it's really frustrating to wait for months, and in some cases, years, before their devices from Samsung, Xiaomi, Huawei, HTC and other manufacturers get upgraded to a newer version of Android. Another challenge for Google is to push its partners to actively release updates to affordable and mid-range smartphones. Many OEMs mostly worry about serving those users who have the flagship and high-end models.
Security

Genius' Web Annotations Undermined Web Security (theverge.com) 27

New reader BradyDale shares an article on the Verge: Until early May, when The Verge confidentially disclosed the results of my independent security tests, the "web annotator" service provided by the tech startup Genius had been routinely undermining a web browser security mechanism. The web annotator is a tool which essentially republishes web pages in order to let Genius users leave comments on specific passages. In the process of republishing, those annotated pages would be stripped of an optional security feature called the Content Security Policy, which was sometimes provided by the original version of the page. This meant that anyone who viewed a page with annotations enabled was potentially vulnerable to security exploits that would have been blocked by the original site. Though no specific victims have been identified, the potential scope of this bug was broad: it was applied to all Genius users, undermined any site with a Content Security Policy, and re-enabled all blocked JavaScript code. Vijith Assar dives deep into how Genius did this :The primary way Genius annotations are accessed on the web is by adding "genius.it" in front of any URL as a prefix. The genius.it server reads the original content behind the scenes, adds the annotations, and delivers the hybrid content. The Genius version of the page includes a few extra scripts and highlighted passages, but until recently it also eliminated the original page's Content Security Policy. The Content Security Policy is an optional set of instructions encoded in the header of the HTTP connection which tells browsers exactly which sites and servers should be considered safe -- any code which isn't from one of those sites can then be ignored.
Facebook

Facebook Could Be Eavesdropping On Your Phone Calls (news10.com) 163

An anonymous reader writes: Facebook is not just looking at user's personal information, interests, and online habits but also to your private conversations, revealed a new report. According to NBC report, this may be the case as Kelli Burns, a professor at University of South Florida states, "I don't think that people realize how much Facebook is tracking every move we're making online. Anything that you're doing on your phone, Facebook is watching." the professor said. Now how do you prove that? Professor Kelli tested out her theory by enabling the microphone feature, and talked about her desire to go on a safari, informing about the mode of transport she would take. "I'm really interested in going on an African safari. I think it'd be wonderful to ride in one of those jeeps," she said aloud, phone in hand. The results were shocking, as less than 60 seconds later, the first post on her Facebook feed was about a safari story out of nowhere, which was then revealed that the story had been posted three hours earlier. And, after mentioning a jeep, a car ad also appeared on her page. On a support page, Facebook explains how this feature works: "No, we don't record your conversations. If you choose to turn on this feature, we'll only use your microphone to identify the things you're listening to or watching based on the music and TV matches we're able to identify. If this feature is turned on, it's only active when you're writing a status update." I wonder how many people are actually aware of this.
Microsoft

Microsoft Is Laying Off 1,850 to Streamline Its Smartphone Business (theverge.com) 109

Microsoft is making more changes to its smartphone business. The company, which sold its feature phone business last week, on Wednesday announced that it is scaling back hardware -- laying off 1,850 staff and take a charge of $950 million including $200 million in severance payments in a memo to all employees. The company insists that "great new devices" are in the works. From Myerson's memo: Last week we announced the sale of our feature phone business. Today I want to share that we are taking the additional step of streamlining our smartphone hardware business, and we anticipate this will impact up to 1,850 jobs worldwide, up to 1,350 of which are in Finland. These changes are incredibly difficult because of the impact on good people who have contributed greatly to Microsoft. Speaking on behalf of Satya and the entire Senior Leadership Team, we are committed to help each individual impacted with our support, resources, and respect. For context, Windows 10 recently crossed 300 million monthly active devices, our Surface and Xbox customer satisfaction is at record levels, and HoloLens enthusiasts are developing incredible new experiences. Yet our phone success has been limited to companies valuing our commitment to security, manageability, and Continuum, and with consumers who value the same. Thus, we need to be more focused in our phone hardware efforts.
Government

TSA Replaces Security Chief As Tension Grows At Airports 264

HughPickens.com writes: Ron Nixon reports at the NYT that facing a backlash over long security lines and management problems, TSA administrator Peter V. Neffenger has shaken up his leadership team, replacing the agency's top security official Kelly Hoggan (Warning: source may be paywalled) and adding a new group of administrators at Chicago O'Hare International Airport. Beginning late that year, Hoggan received $90,000 in bonuses over a 13-month period, even though a leaked report from the Department of Homeland Security showed that auditors were able to get fake weapons and explosives past security screeners 95 percent of the time in 70 covert tests. Hoggan's bonus was paid out in $10,000 increments, an arrangement that members of Congress have said was intended to disguise the payments. During a hearing of the House Oversight Committee two weeks ago, lawmakers grilled Mr. Neffenger about the bonus, which was issued before he joined the agency in July. Last week and over the weekend, hundreds of passengers, including 450 on American Airlines alone, missed flights because of waits of two or three hours in security lines, according to local news reports. Many of the passengers had to spend the night in the terminal sleeping on cots. The TSA has sent 58 additional security officers and four more bomb-sniffing dog teams to O'Hare. Several current and former TSA employees said the moves to replace Hoggan and add the new officials in Chicago, where passengers have endured hours long waits at security checkpoints, were insufficient. "The timing of this decision is too late to make a real difference for the summer," says Andrew Rhoades, an assistant federal security director at Minneapolis-St. Paul International Airport who testified his supervisor accused him of "going native" after attending a meeting at a local mosque and that TSA's alleged practice of "directed reassignments," or unwanted job transfers were intended to punish employees who speak their minds. "Neffenger is only doing this because the media and Congress are making him look bad."
Java

Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard (softpedia.com) 89

An anonymous reader writes: "It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands," writes Softpedia. "This type of attack is known as clipboard hijacking, and in most scenarios, is useless, except when the user copies something inside their terminal." Security researcher Dylan Ayrey published a new version of this attack last week, which uses only JavaScript as the attack medium, giving the attack more versatility and making it now easier to carry out. The attack is called Pastejacking and it uses Javascript to theoretically allow attackers to add their malicious code to the entire page to run commands behind a user's back when they paste anything inside the console. "The attack can be deadly if combined with tech support or phishing emails," writes Softpedia. "Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them."
Security

Elderly Use More Secure Passwords Than Millennials, Says Report (qz.com) 153

An anonymous reader writes from a report via Quartz: A report released May 24 by Gigya surveyed 4,000 adults in the U.S. and U.K. and found that 18- to 34-year-olds are more likely to use bad passwords and report their online accounts being compromised. The majority of respondents ages 51 to 69 say they completely steer away from easily cracked passwords like "password," "1234," or birthdays, while two-thirds of those in the 18-to-34 age bracket were caught using those kind of terms. Quartz writes, "The diligence of the older group could help explain why 82% of respondents in this age range did not report having had any of their online accounts compromised in the past year. In contrast, 35% of respondents between 18 and 34 said at least one of their accounts was hacked within the last 12 months, twice the rate of those aged 51 to 69."
Security

Beware Of Keystroke Loggers Disguised As USB Phone Chargers, FBI Warns (arstechnica.com) 49

An anonymous reader cites an article on Ars Technica: FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards. The FBI's Private Industry Notification (PDF) comes more than 15 months after whitehat hacker Samy Kamkar released a KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. To lower the chances that the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to USB phone chargers that are nearly ubiquitous in homes and offices."If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information," FBI officials wrote in last month's advisory. "Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen."

Slashdot Top Deals