News

Tristan O'Tierney, Square Co-Founder, Dies at Age 35 (sfchronicle.com) 160

An anonymous reader quotes the San Francisco Chronicle: Tristan O'Tierney, a co-founder of San Francisco payments company Square, died Feb. 23 in Ocala, Fla., of causes related to addiction, his family said. He was 35...

His family is awaiting an official cause of death from officials. "I do know that it was in relation to his addiction," [his mother] Pamela Tierney said. "I know he got to the hospital, he couldn't breathe and they couldn't revive him." O'Tierney was in a three-month rehabilitation program in Ocala and had been battling addiction for three years, Tierney said. O'Tierney openly discussed his struggles with addiction on social media. "As some of you may know, I've been battling with addiction for these past few years," he wrote in September in a now-deleted Instagram post that he also shared on Twitter. "With some success. A lot of failure too though."

Bloomberg remembers him as a former engineer at Yahoo and Apple who was hired to develop Square's original mobile payment app in 2009, then stayed on until 2013.

"In addition to his parents, O'Tierney is survived by his three-old-year daughter, according to an obituary on the website for the funeral home."
Privacy

Congresswoman Destroys Equifax CEO Mark Begor About Privacy (fastcompany.com) 195

An anonymous reader shares a report: In a congressional hearing on Tuesday, Representative Katie Porter (D-CA) asked whether Equifax CEO Mark Begor would be willing to share his address, birth date, and Social Security number publicly at the hearing. Begor declined, citing the risk of "identity theft," letting Porter criticize Equifax's legal response to the 2017 security breach that exposed almost 150 million people's data of that sort to an unknown intruder. The company had unsuccessfully asked a judge presiding over a class-action suit over the breach to dismiss it, saying the plaintiffs hadn't "sufficiently alleged injury and proximate causation" to bring suit, as Yahoo Finance reported late last month.
Privacy

Cybersecurity Expert Questions Existence of Embedded Camera On SIA's Inflight Entertainment Systems (yahoo.com) 81

Vitaly Kamluk, an information security expert and a high-ranking executive of cybersecurity company Kaspersky Lab, went on Twitter with concerns about an embedded camera in Singapore Airlines' (SIA) inflight entertainment systems. He tagged SIA in his post on Sunday, asking the airline to clarify how the camera is being used. Yahoo News reports: SIA quickly allayed his fears of unwanted surveillance by assuring Kamluk that the cameras have been disabled, with no plans to use them in the future. Not all of their devices sport the camera, though -- SIA explained that only some of its newer inflight entertainment systems come with cameras embedded in the hardware. In another tweet, SIA affirmed that the cameras were already built in by the original equipment manufacturers in newer inflight entertainment systems. Kamluk recommended disabling the cameras physically -- with stickers, for example -- for better peace of mind. In 2017, entertainment device developer Panasonic Avionics said it was studying how eye tracking can be used for a better passenger experience. As the report mentions, "Cameras can be used for identity recognition on planes, which in turn, would allow for in-flight biometric payment (much like Face ID on Apple devices) and personalized services."
Facebook

Microsoft Edge Lets Facebook Run Flash Code Behind Users' Backs (zdnet.com) 127

An anonymous reader writes: Microsoft's Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users' backs. The whitelist allows Facebook's Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand.

The whitelist isn't new. It existed in Edge before, and prior to February 2018, it included 58 entries, including domains and subdomains for Microsoft's main site, the MSN portal, music streaming service Deezer, Yahoo, and Chinese social network QQ. The list was narrowed down to only two Facebook domains (facebook.com and apps.facebook.com) after a Google security researcher found that the whitelist mechanism had some security issues. The bug report also contains the original version of the whitelist, with all the 58 domains.

Books

Bill and Melinda Gates: Textbooks Are Becoming Obsolete 162

Reader theodp writes: Thanks to software, Bill and Melinda Gates report in their 2019 Annual Letter, textbooks are becoming obsolete. Bill writes: "I read more than my share of textbooks. But it's a pretty limited way to learn something. Even the best text can't figure out which concepts you understand and which ones you need more help with. It certainly can't tell your teacher how well you grasped last night's assigned reading. But now, thanks to software, the standalone textbook is becoming a thing of the past" (if so, it'll be a 60-year overnight success!). The Gates are putting their money where their mouths are -- their education investments include look-Ma-no-textbooks Khan Academy and Code.org. Code.org, whose AP Computer Science Principles course for high schools "does not require or follow a textbook", boasted in its just-released Annual Report that 38% of all AP CS exam takers in 2018 came from "Code.org Computer Science Principles classrooms," adding that it had spent $24.2 million of its donors' money on curriculum and its Code Studio learning platform (30,300 hours of coursework), another $46.7 million to prepare 87,000 new K-12 CS teachers, $12.4 million on Marketing, and $6.9 million on Government Affairs. So, do we still need textbooks?
Security

8-Character Windows NTLM Passwords Can Be Cracked In Under 2.5 Hours (theregister.co.uk) 125

HashCat, an open-source password recovery tool, can now crack an eight-character Windows NTLM password hash in less than 2.5 hours. "Current password cracking benchmarks show that the minimum eight character password, no matter how complex, can be cracked in less than 2.5 hours" using a hardware rig that utilizes eight Nvidia GTX 2080Ti GPUs, explained a hacker who goes by the pseudonym Tinker on Twitter in a DM conversation with The Register. "The eight character password is dead." From the report: It's dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory. NTLM is an old Microsoft authentication protocol that has since been replaced with Kerberos. According to Tinker, it's still used for storing Windows passwords locally or in the NTDS.dit file in Active Directory Domain Controllers. Tinker estimates that buying the GPU power described would require about $10,000; others have claimed the necessary computer power to crack an eight-character NTLM password hash can be rented in Amazon's cloud for just $25.

NIST's latest guidelines say passwords should be at least eight characters long. Some online service providers don't even demand that much. When security researcher Troy Hunt examined the minimum password lengths at various websites last year, he found that while Google, Microsoft and Yahoo set the bar at eight, Facebook, LinkedIn and Twitter only required six. Tinker said the eight character password was used as a benchmark because it's what many organizations recommend as the minimum password length and many corporate IT policies reflect that guidance. So how long is long enough to sleep soundly until the next technical advance changes everything? Tinker recommends a random five-word passphrase, something along the lines of the four-word example popularized by the online comic XKCD, "correcthorsebatterystaple," or a random password of the maximum length the site allows, generated by a password management app, with two-factor authentication enabled in either case.
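To make the arithmetic behind the "2.5 hours" figure concrete, here is an added example (it is not from the article, from Tinker, or from the HashCat project). It computes an NTLM hash the way Windows stores it, an unsalted MD4 over the UTF-16LE password, which is why a single GPU rig can test hundreds of billions of guesses per second, and it then uses the article's own 2.5-hour benchmark to compare an eight-character password against the four- and five-word passphrases mentioned. The hash rate is derived from the article's numbers rather than measured, and the 7776-word list size is an assumption (a Diceware-sized word list).

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def _md4_block(state, block):
    """Apply the three MD4 rounds (RFC 1320) to one 64-byte block."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    # Round 1: F(x, y, z) = (x AND y) OR (NOT x AND z), shifts 3/7/11/19
    for i in range(16):
        f = (b & c) | (~b & d)
        a = _rotl((a + f + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c  # rotate roles: next step updates the old d
    # Round 2: G(x, y, z) = majority(x, y, z), constant 0x5A827999, shifts 3/5/9/13
    for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):
        g = (b & c) | (b & d) | (c & d)
        a = _rotl((a + g + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 3: H(x, y, z) = x XOR y XOR z, constant 0x6ED9EBA1, shifts 3/9/11/15
    for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
        h = b ^ c ^ d
        a = _rotl((a + h + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """MD4 digest: pad with 0x80, zeros to 56 mod 64, then the 64-bit LE bit length."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        state = _md4_block(state, msg[off:off + 64])
    return struct.pack("<4I", *state)


def ntlm_hash(password: str) -> str:
    """The NT hash Windows stores: MD4 of the UTF-16LE password, no salt, no iterations."""
    return md4(password.encode("utf-16le")).hex()


# Policy comparison, driven by the article's benchmark rather than a measured rate.
PRINTABLE_ASCII = 95                  # symbols available to an 8-character password
HOURS_FOR_8_CHARS = 2.5               # the article's figure for the full 95^8 keyspace
IMPLIED_HASH_RATE = PRINTABLE_ASCII ** 8 / (HOURS_FOR_8_CHARS * 3600)  # about 7.4e11 NTLM/s
WORDLIST_SIZE = 7776                  # assumption: a Diceware-sized list of words


def keyspace(symbols: int, length: int) -> int:
    return symbols ** length


def exhaustive_crack_hours(symbols: int, length: int, hash_rate=IMPLIED_HASH_RATE) -> float:
    """Hours to exhaust a keyspace at the given rate (expected time is half of this)."""
    return keyspace(symbols, length) / hash_rate / 3600


if __name__ == "__main__":
    print("NTLM('password') =", ntlm_hash("password"))
    for label, symbols, length in (
        ("8 random printable characters", PRINTABLE_ASCII, 8),
        ("4 random words (XKCD style)", WORDLIST_SIZE, 4),
        ("5 random words (Tinker's advice)", WORDLIST_SIZE, 5),
    ):
        print(f"{label:34s} {exhaustive_crack_hours(symbols, length):>12,.1f} h")
```

Run as a script it shows that four words from a 7776-word list fall slightly short of the eight-character benchmark, while the fifth word multiplies the work by 7776, which is the reason for recommending five words rather than the comic's four.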

Businesses

Flickr Starts Culling Users' Photos (bbc.com) 83

Photo-sharing website Flickr is starting to delete users' photos after changing its terms and conditions. The firm announced in November that it would no longer be allowing its members one terabyte of free storage. From a report: Under the new rules, there is a limit of 1,000 photographs for those who do not subscribe to the service at a cost of $49.99 per year. One terabyte would store around 200,000 photos with an average size of 5MB. Flickr was acquired by another photo platform called SmugMug in April 2018. The price it paid to former owner Verizon was not disclosed. In a blog post in November announcing the changes, Flickr said that "storing tens of billions of Flickr members' photos is staggeringly expensive". It also said that by introducing the free storage in 2013, Flickr's original owner Yahoo had "lost sight of what made Flickr truly special" as new users were attracted by the storage rather than the photography.
United States

US Judge Rejects Yahoo Data Breach Settlement (reuters.com) 21

A U.S. judge rejected Yahoo's proposed settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history, faulting the Internet services provider for a lack of transparency. From a report: In a Monday night decision, U.S. District Judge Lucy Koh in San Jose, California, said she could not declare the settlement "fundamentally fair, adequate and reasonable" because it did not say how much victims could expect to recover. Yahoo, now part of New York-based Verizon Communications, was accused of being too slow to disclose three breaches from 2013 to 2016 that affected an estimated 3 billion accounts. The settlement called for a $50 million payout, plus two years of free credit monitoring for about 200 million people in the United States and Israel with nearly 1 billion accounts.
Twitter

Twitter Might Punish Users Who Tweet 'Learn To Code' At Laid-Off Journalists (reason.com) 418

According to a report from Reason magazine, Twitter users who tweet the "learn to code" advice at journalists who just lost their jobs might be treated as engaging in "abusive behavior," a violation of the social media site's terms of service. The rumor comes from Jon Levine, Media Editor at The Wrap. From the report: The Wrap's Jon Levine said representatives for the social media company had backed away from the position they related to him earlier, which was that the phrase "learn to code" itself constituted abusive behavior. The new position seems to be that "learn to code" is not de facto harassment, but could be considered harassment if tweeted aggressively as part of a campaign to intimidate a specific user, in accordance with Twitter's somewhat vague abusive behavior policy. In an email to Reason, a Twitter spokesperson said: "Twitter is responding to a targeted harassment campaign against specific individuals -- a policy that's long been against the Twitter Rules."

Last week, journalists from BuzzFeed, HuffPost, Yahoo, AOL, and others, were let go. BuzzFeed founder and CEO, Jonah Peretti, said the company "would reduce headcount by 15%, or about 250 jobs, to around 1,100 employees globally," reports The Guardian. "At the same time, Verizon said it would trim 7% of headcount, about 800 people, from its media unit, which includes HuffPost, Yahoo and AOL. The job losses followed sales or cuts at Mic, Refinery29 and elsewhere."
Medicine

State of Emergency Declared in Washington State Over Measles Outbreak (cbsnews.com) 355

An anonymous reader quotes CBS News: The governor of Washington state declared a state of emergency Friday over a measles outbreak that has sickened dozens of people in a county with one of the state's lowest vaccination rates. Gov. Jay Inslee said in a statement that the outbreak in Clark County "creates an extreme public health risk" that could spread throughout the state...

Clark County Public Health has confirmed 30 measles cases since January 1 and identified another nine suspected cases. Twenty-six of the confirmed cases were people who were not immunized for measles, the agency said... Only 77.4 percent of all public students there complete their vaccinations, according to state records cited by the Oregonian...Most of the confirmed cases -- 21 -- were with children between 1 and 10 years old. Eight cases involved people 11 to 18 years old, and one case was someone 19 to 29.

Time magazine also reports that authorities in the neighboring states of Oregon and Idaho "have issued warnings to residents."

In November the World Health Organization warned that measles cases worldwide had jumped more than 30% from 2016 to 2017, according to AFP, "in part because of children not being vaccinated."
Bitcoin

Google Reportedly Blacklists 'Ethereum' As a Google Ad Keyword, Startup Claims (yahoo.com) 43

An anonymous reader quotes a report from Yahoo: Google has reportedly blacklisted keywords mentioning Ethereum (ETH) on its advertising platform Google Ads, smart contract auditing startup Decenter tweeted on Jan. 10. The official Google Ads account replied to the tweet stating that cryptocurrency exchanges targeting the United States and Japan can be advertised on the platform, and that targeting other countries could be the reason for the ad rejection.

When Decenter explained that they are a group of developers doing smart contract security audits and that they were seeing the error message when trying to use the "ethereum development services" and "ethereum security audits" keywords, Google Ads' official account answered: "Although we wouldn't be able to preemptively confirm if your keyword is eligible to trigger ads, we'd recommend that you refer to the 'Cryptocurrencies' section of our policy on Financial products and services." When Decenter asked the Ethereum community on Reddit in an open query about the alleged Google Ads policy changes, the team specified that: "Any of the keywords that contain "ethereum" in our campaigns are no longer showing ads as of January 9th and are now reporting the following error."

Decenter said they have tested keywords for "ethereum smart contract audits" and "eos smart contract audits" and found that only the EOS-referenced keyword showed ads.

Google banned all cryptocurrency-related advertising of all types in June 2018. However, Google announced in September 2018 that it would change its ad policy in October, reallowing some crypto businesses to advertise on its platform. Namely, the changes allow cryptocurrency exchanges ads in the United States and Japan.
Security

New Tool Automates Phishing Attacks That Bypass 2FA (zdnet.com) 121

A new penetration testing tool published at the start of the year by a security researcher can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA). From a report: Named Modlishka -- the English pronunciation of the Polish word for mantis -- this new tool was created by Polish researcher Piotr Duszynski. Modlishka is what IT professionals call a reverse proxy, but modified for handling traffic meant for login pages and phishing operations. It sits between a user and a target website -- like Gmail, Yahoo, or ProtonMail. Phishing victims connect to the Modlishka server (hosting a phishing domain), and the reverse proxy component behind it makes requests to the site it wants to impersonate. The victim receives authentic content from the legitimate site -- let's say, for example, Google -- but all traffic and all the victim's interactions with the legitimate site pass through and are recorded on the Modlishka server.
Cellphones

Ars Technica's 2019 'Deathwatch' List Includes Essential and 'Facebook Management' (arstechnica.com) 50

The editors of Ars Technica have announced their annual "Deathwatch" list, identifying "companies, tech, and trends least likely to succeed in 2019." An anonymous reader quotes their report: The past year has been an absolute freefall for Essential.... The market was ultimately not impressed with the Essential phone, and the fire sales started almost immediately. Only two months after launch, the phone got a permanent $200 price drop, to $499. November saw deals as low as $399. Eventually, the $700 phone was discounted all the way down to $224, thanks to a mix of poor sales and a lack of consumer confidence in the company. A poorly selling phone was one thing, but things really started to look bad for Essential in May, when it was announced the company had cancelled the second generation Essential Phone. The first device took such a toll on the company that it was considering selling itself, and suddenly the future of Essential was in doubt.

While the phone was dead, in May the company said it was focusing on an upcoming smart home product and operating system. But by October, it announced that it was cutting 30 percent of its staff, and the company was pivoting away from smart home products and would try building a phone again. It will re-sell you a missing headphone jack, though. Essential's next phone -- if the company lasts that long -- is supposedly "an AI Phone That Texts People for You" according to Bloomberg. That sounds awful. On top of all that, Essential's CEO and founder Rubin has been the subject of a major sexual misconduct controversy at Google.

They also write that 2019 "is going to probably determine whether Facebook's management team will continue as it is -- or whether there's a stockholder rebellion, or a government lawsuit, or some combination of both that drives CEO Mark Zuckerberg and others out."

Also on their "Deathwatch" list are Snap, and Verizon's "AOL/Yahoo Frankenstein" -- but not Gwyneth Paltrow's Goop. "As much as we'd love to plop Goop on the 2019 Deathwatch, it is still just on our Deathwatch wish list. Goop is, in fact, thriving."
Facebook

DC Attorney General Sues Facebook Over Alleged Privacy Violations From Cambridge Analytica Scandal (washingtonpost.com) 70

The attorney general for the District of Columbia filed a lawsuit on Wednesday against Facebook for allowing Cambridge Analytica, a political consultancy, to gain access to the names, "likes" and other personal data about tens of millions of the social site's users without their permission. From a report: The lawsuit filed by Karl Racine [PDF], confirmed Wednesday by two people familiar with the matter but not authorized to speak on record, marks the first major effort by regulators in the United States to penalize the tech giant for its entanglement with the firm. It could presage even tougher fines and other punishments still to come for Facebook as additional state and federal investigations continue.

The lawsuit comes as Facebook continues to face criticism around the world for mismanaging its users' personal information. On Friday, for example, the company admitted that some users' photos may have been improperly accessed by third-party apps. On Tuesday, new details emerged about Facebook's extensive data-sharing arrangements with corporate partners including Amazon and Spotify. The report from The New York Times quickly triggered another round of calls from Capitol Hill for the tech giant to be penalized. To that end, a person familiar with the new D.C. lawsuit said it is likely to be amended in the future to include more recent allegations of improper data collection and use.

Censorship

Tumblr Blocked Archivists Just Before Starting the NSFW Content Purge (techdirt.com) 204

An anonymous reader quotes a report from Techdirt: By now, of course, you're aware that the Verizon-owned Tumblr (which was bought by Yahoo, which was bought by Verizon and merged into "Oath" with AOL and other no longer relevant properties) has suddenly decided that nothing sexy is allowed on its servers. This took many by surprise because apparently a huge percentage of Tumblr was used by people to post somewhat racy content. Knowing that a bunch of content was about to disappear, the famed Archive Team sprung into action -- as they've done many times in the past. They set out to archive as much of the content on Tumblr that was set to be disappeared down the memory hole as possible... and it turns out that Verizon decided as a final "fuck you" to cut them off. Jason Scott, the mastermind behind the Archive Team announced over the weekend that Verizon appeared to be blocking their IPs. Thankfully, it didn't take long for the Archive Team to get past the blocks. Scott tweeted on Sunday: "why look at that the archiving of tumblr restarted how did that happen must be a bug surely a crack team of activist archivists didn't see an ip block as a small setback and then turned everything up to 11."
Facebook

Facebook Gave More Than 150 Companies, Including Microsoft, Netflix, Spotify, Amazon and Yahoo, Unprecedented Access To Users' Personal Data: NYT (buzzfeednews.com) 114

The New York Times obtained hundreds of pages of Facebook documents which were generated in 2017 that show that the social network considered these companies business partners and effectively exempted them from its privacy rules. From a report: Facebook allowed Microsoft's search engine Bing to see the names of nearly all users' friends without their consent, let Spotify, Netflix, and the Royal Bank of Canada read, write, and delete users' private messages, and see participants on a thread, allowed Amazon to get users' names and contact information through their friends, and let Yahoo view streams of friends' posts "as recently as this summer" despite publicly claiming it had stopped sharing such information a year ago, the report said. Collectively, applications made by these technology companies sought the data of hundreds of millions of people a month.

The records also show that Russian search giant Yandex, which was accused last year by Ukraine's security service of giving user data to the Kremlin, also had access to Facebook's unique user IDs in 2017. A Yandex spokeswoman told the Times that the company was unaware of the access to user data provided by Facebook. Yandex did not immediately respond to BuzzFeed News' request for comment. In response to the report, Steve Satterfield, Facebook's Director of Privacy and Public Policy, defended the actions of the social network.

Social Networks

Vine, HQ Trivia Co-Founder Colin Kroll Found Dead of Suspected Overdose (techcrunch.com) 98

TechCrunch has confirmed with TMZ that Colin Kroll, the 35-year-old co-founder and CEO of the HQ Trivia app and co-founder of Vine, has been found dead of an apparent drug overdose in his apartment. TMZ cites a police source saying cocaine and heroin were believed to be involved. From the report: Kroll was only named CEO of the HQ Trivia mobile game show app three months ago, replacing fellow co-founder Rus Yusupov who moved over to serve as chief creative officer. Prior to taking the CEO role Kroll served as HQ's CTO. He co-founded the startup in 2015, a few months after moving on from Vine -- the Twitter-owned short video format startup which got closed down in 2017. It's not clear who will take over the CEO role for HQ Trivia at this stage but Yusupov looks a likely candidate, at least in the interim.

Kroll started his career as a software engineer at Right Media, which went on to be acquired by Yahoo in 2006. From then until 2011, he led the engineering team in Yahoo's search and advertising tech group before joining luxury travel site Jetsetter as VP of Product -- where he went on to be promoted to CTO. In 2012 he left to start Vine with co-founders Dominik Hofmann and Yusupov.

Encryption

Iranian Phishers Bypass 2fa Protections Offered By Yahoo Mail, Gmail (arstechnica.com) 59

An anonymous reader quotes a report from Ars Technica: A recent phishing campaign targeting U.S. government officials, activists, and journalists is notable for using a technique that allowed the attackers to bypass two-factor authentication protections offered by services such as Gmail and Yahoo Mail, researchers said Thursday. The event underscores the risks of 2fa that relies on one-tap logins or one-time passwords, particularly if the latter are sent in SMS messages to phones.

Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails that were tailored to the targets' level of operational security, researchers with security firm Certfa Lab said in a blog post. The emails contained a hidden image that alerted the attackers in real time when targets viewed the messages. When targets entered passwords into a fake Gmail or Yahoo security page, the attackers would almost simultaneously enter the credentials into a real login page. In the event targets' accounts were protected by 2fa, the attackers redirected targets to a new page that requested a one-time password.
"In other words, they check victims' usernames and passwords in realtime on their own servers, and even if 2 factor authentication such as text message, authenticator app or one-tap login are enabled they can trick targets and steal that information too," Certfa Lab researchers wrote. "We've seen [it] tried to bypass 2fa for Google Authenticator, but we are not sure they've managed to do such a thing or not," the Certfa representative wrote. "For sure, we know hackers have bypassed 2fa via SMS."
Verizon

Verizon Admits Defeat With $4.6 Billion AOL-Yahoo Writedown (bloomberg.com) 100

An anonymous reader quotes a report from Bloomberg: Verizon is conceding defeat on its crusade to turn a patchwork of dot-com-era businesses into a thriving online operation. The wireless carrier slashed the value of its AOL and Yahoo acquisitions by $4.6 billion, an acknowledgment that tough competition for digital advertising is leading to shortfalls in revenue and profit. The move will erase almost half the value of the division it had been calling Oath, which houses AOL, Yahoo and other businesses like the Huffington Post. The revision of the Oath division's accounting leaves its goodwill balance -- a measure of the intangible value of an acquisition -- at about $200 million, Verizon said in a filing Tuesday. The unit still has about $5 billion of assets remaining. Verizon also announced yesterday that 10,400 employees are taking buyouts to leave the company. The cuts are "part of an effort to trim the telecom giant's workforce ahead of its push toward 5G," TechCrunch reported.
Businesses

Walmart Is Reportedly Testing a Burger-Flipping Robot (yahoo.com) 78

Flippy, a burger-flipping robot that's been trialed in a number of restaurants this year, is coming to Walmart's headquarters in Bentonville, Arkansas, to see whether or not it's the right fit for its in-store delis. Yahoo News reports: Flippy is the world's first autonomous robotic kitchen assistant powered by artificial intelligence from Miso Robotics, a two-year-old startup. Flippy got a gig at Dodger Stadium in Los Angeles with vending food service company Levy Restaurants, part of Compass Group, to fry up chicken tenders and tater tots. Through the World Series, Flippy churned out 17,000 pounds worth of the fried foods. It's able to fry up to eight baskets of food simultaneously. "Walmart saw what we were doing and said, 'Could you bring Flippy from Dodgers Stadium to our Culinary Institute?'" Miso Robotics CEO David Zito told Yahoo Finance.

In practice, a Walmart associate would place a frozen product on the rack. Using visual recognition technology, Flippy identifies the food in the basket and sets it in the cooking oil. The machine then "agitates" the basket by shaking it to make sure the product cooks evenly. When the food is finished cooking, Flippy moves the basket to the drip rack. An associate then tests the food's internal temperature. A few minutes later, the associate can season the food before it hits the hot display case. The reason Walmart is looking at the robot is so it can do some of the more mundane and repetitive tasks at the deli. The robot is supposed to serve as an "extra set of hands," letting the associate spend less time putting potato wedges and chicken tenders in fryers and more time on other services like taking customer orders and prepping other foods.
