Government

New US 'Secret' Clearance Unit Hires Firm Linked To 2014 Hacks (reuters.com) 15

An anonymous reader quotes a report from Reuters: A U.S. government bureau set up to do "secret" and "top secret" security clearance investigations has turned for help to a private company whose login credentials were used in hack attacks that looted the personal data of 22 million current and former federal employees, U.S. officials said on Friday. Their confirmation of the hiring of KeyPoint Government Solutions by the new National Background Investigations Bureau (NBIB) comes just days ahead of the bureau's official opening, scheduled for next week. Its creation was spurred, in part, by the same hacks of the Office of Personnel Management that have been linked to the credentials of KeyPoint, one of four companies hired by the bureau. The officials asked not to be named when discussing sensitive information. A spokesman for OPM said the agency in the past has said in public statements and in congressional testimony that a KeyPoint contractor's stolen credentials were used by hackers to gain access to government personnel and security investigations records in two major OPM computer breaches. Both breaches occurred in 2014, but were not discovered until April 2015, according to investigators. One U.S. official familiar with the hiring of KeyPoint said personnel records were hacked in 2014 from KeyPoint and, at some point, its login credentials were stolen. But no evidence proves, the official said, that the KeyPoint credentials used by the OPM hackers were stolen in the 2014 KeyPoint hack. OPM officials said on Thursday one aim for NBIB is to reduce processing time for "top secret" clearances to 80 days from 170 days and for "secret" clearances to 40 days from 120 days.
Republicans

Newsweek Website Attacked After Report On Trump, Cuban Embargo (talkingpointsmemo.com) 152

After Newsweek published a report titled "How Donald Trump's Company Violated The United States Embargo Against Cuba," the site found itself on the receiving end of a "massive" denial-of-service attack that managed to shut down the site for several hours. TPM reports: Editor-In-Chief Jim Impoco noted that the attack came as the story earned national attention. "Last night we were on the receiving end of what our IT chief called a 'massive' DoS (denial of service) attack," Impoco wrote in an email to TPM. "The site was down most of last evening, at a time when Kurt Eichenwald's story detailing how Donald Trump's company broke the law by violating the U.S. trade embargo against Cuba was being covered extensively by prominent cable news programs. Our IT team is still investigating the hack." Later Friday afternoon, Impoco emailed TPM that in an initial investigation, the "main" IP addresses linked to the attack were found to be Russian. It should be noted that it is possible to fake an IP address. "As with any DDoS attack, there are lots of IP addresses, but the main ones are Russian, though that in itself does not prove anything," he wrote. "We are still investigating." Eichenwald tweeted Friday morning: "News: The reason ppl couldnt read #TrumpInCuba piece late yesterday is that hackers launched a major attack on Newsweek after it was posted."
Government

Researchers Ask Federal Court To Unseal Years of Surveillance Records (arstechnica.com) 19

An anonymous reader quotes a report from Ars Technica: Two lawyers and legal researchers based at Stanford University have formally asked a federal court in San Francisco to unseal numerous records of surveillance-related cases, as a way to better understand how authorities seek such powers from judges. This courthouse is responsible for the entire Northern District of California, which includes the region where tech companies such as Twitter, Apple, and Google, are based. According to the petition, Jennifer Granick and Riana Pfefferkorn were partly inspired by a number of high-profile privacy cases that have unfolded in recent years, ranging from Lavabit to Apple's battle with the Department of Justice. In their 45-page petition, they specifically say that they don't need all sealed surveillance records, simply those that should have been unsealed -- which, unfortunately, doesn't always happen automatically. The researchers wrote in their Wednesday filing: "Most surveillance orders are sealed, however. Therefore, the public does not have a strong understanding of what technical assistance courts may order private entities to provide to law enforcement. There are at least 70 cases, many under seal, in which courts have mandated that Apple and Google unlock mobile phones and potentially many more. The Lavabit district court may not be the only court to have ordered companies to turn over private encryption keys to law enforcement based on novel interpretations of law. Courts today may be granting orders forcing private companies to turn on microphones or cameras in cars, laptops, mobile phones, smart TVs, or other audio- and video-enabled Internet-connected devices in order to conduct wiretapping or visual surveillance. This pervasive sealing cripples public discussion of whether these judicial orders are lawful and appropriate."
AT&T

AT&T To End Targeted Ads Program, Give All Users Lowest Available Price 41

AT&T has confirmed to ArsTechnica that it is getting rid of Internet Preferences, a controversial program that analyzed home internet customers' web browsing habits in order to serve some targeted ads. From the report: "To simplify our offering for our customers, we plan to end the optional Internet Preferences advertising program related to our fastest Internet speed tiers," an AT&T spokesperson said. "As a result, all customers on these tiers will receive the best rate we have available for their speed tier in their area. We'll begin communicating this update to customers early next week." Data collection and targeted ads will be shut off, AT&T also confirmed. Since AT&T introduced Internet Preferences for its GigaPower fiber Internet service in 2013, customers had to opt into the traffic scanning program in order to receive the lowest available rate. Customers who wanted more privacy had to pay another $29 a month for standalone Internet access; bundles including TV or phone service could cost more than $60 extra when customers didn't opt in.
Security

The Psychological Reasons Behind Risky Password Practices (helpnetsecurity.com) 187

Orome1 quotes a report from Help Net Security: Despite high-profile, large-scale data breaches dominating the news cycle -- and repeated recommendations from experts to use strong passwords -- consumers have yet to adjust their own behavior when it comes to password reuse. A global Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits. When it comes to online security, personality type does not inform behavior, but it does reveal how consumers rationalize poor password habits. My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security. "Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols. Furthermore, 91 percent of respondents said that there is inherent risk associated with reusing passwords, yet 61 percent continue to use the same or similar passwords anyway, with more than half (55 percent) doing so while fully understanding the risk." The report also found that when attempting to create secure passwords, "47 percent of respondents included family names or initials," while "42 percent contain significant dates or numbers and 26 percent use the family pet."
Security

The Yahoo Hackers Weren't State-Sponsored, Security Firm Says (csoonline.com) 33

itwbennett writes from a report via CSO Online: After Yahoo raised eyebrows in the security community with its claim that state-sponsored hackers were responsible for the history-making breach, security firm InfoArmor now says it has evidence to the contrary. InfoArmor claims to have acquired some of the stolen information as part of its investigation into "Group E," a team of five professional hackers-for-hire believed to be from Eastern Europe. The database that InfoArmor has contains only "millions" of accounts, but it includes the users' login IDs, hashed passwords, mobile phone numbers and zip codes, said Andrew Komarov, InfoArmor's chief intelligence officer. Earlier this week, Chase Cunningham, director of cyber operations at security provider A10 Networks, called Yahoo's claim of state-sponsored actors a convenient, if trumped up, excuse: "If I want to cover my rear end and make it seem like I have plausible deniability, I would say 'nation-state actor' in a heartbeat." "Yahoo was compromised in 2014 by a group of professional blackhats who were hired to compromise customer databases from a variety of different targeted organizations," Scottsdale, Arizona-based InfoArmor said Wednesday in a report. "The Yahoo data leak as well as the other notable exposures, opens the door to significant opportunities for cyber-espionage and targeted attacks to occur."
Facebook

WhatsApp Won't Comply With India's Order To Delete User Data (engadget.com) 76

An anonymous reader shares an Engadget report: WhatsApp's decision to share user data with Facebook has provoked the ire of yet another foreign government. Last week, India's Delhi High Court ordered WhatsApp to delete any data collected from users who opted out of the company's new privacy policy before September 25th. According to Mashable, however, WhatsApp has no plan to comply with the court order and it will have "no impact on the planned policy and terms of service updates." In August, privacy groups in the US spoke out against the change, which allows WhatsApp to pass account information like mobile phone number, contacts, profile pictures and status messages to its parent company. Facebook claims that sharing information between the two will help it to improve the experience and fight abuse across both platforms, while WhatsApp defended the change by saying that all messages on the service will remain encrypted.
Security

Microsoft Widens Edge Browser Bug Hunt For Bounty Hunters (theregister.co.uk) 12

Microsoft said today it is expanding its program for rewarding those who find and report bugs in Edge, its latest web browser, enabling bounty hunters to claim their prize for a broader range of vulnerabilities. The Register adds: The snappily titled "Microsoft Edge Web Platform on Windows Insider Preview Bug Bounty Programme" was launched in August, and enabled anyone to report vulnerabilities they discover in Microsoft Edge in exchange for flippin' great wodges of cash. Now, the firm has expanded the programme, with a focus on vulnerabilities that lead to "violation of W3C standards that compromise privacy and integrity of important user data," or which enable remote code execution by a particular threat vector. Specifically, the bounty programme now covers the following: Same Origin Policy bypass vulnerabilities (such as universal cross-site scripting), Referrer Spoofing vulnerabilities, Remote Code Execution vulnerabilities in Microsoft Edge on Windows Insider Preview, and Vulnerabilities in open source sections of Chakra.
AI

Facebook, Amazon, Google, IBM, and Microsoft Come Together To Create Historic Partnership On AI (techcrunch.com) 87

An anonymous reader quotes a report from TechCrunch: In an act of self-governance, Facebook, Amazon, Alphabet, IBM, and Microsoft came together today to announce the launch of the new Partnership on AI. The group is tasked with conducting research and promoting best practices. Practically, this means that the group of tech companies will come together frequently to discuss advancements in artificial intelligence. The group also opens up a formal structure for communication across company lines. It's important to remember that on a day to day basis, these teams are in constant competition with each other to develop the best products and services powered by machine intelligence. Financial support will be coming from the initial tech companies who are members of the group, but in the future membership and involvement is expected to increase. User activists, non-profits, ethicists, and other stakeholders will be joining the discussion in the coming weeks. The organizational structure has been designed to allow non-corporate groups to have equal leadership side-by-side with large tech companies. As of today's launch, companies like Apple, Twitter, Intel and Baidu are missing from the group. Though Apple is said to be enthusiastic about the project, their absence is still notable because the company has fallen behind in artificial intelligence when compared to its rivals -- many of whom are part of this new group. The new organization really seems to be about promoting change by example. Rather than preach to the tech world, it wants to use a standard open license to publish research on topics including ethics, inclusivity, and privacy.
Cellphones

Verizon Technician Is Accused of Selling Customers' Call Records and Location Data To Private Investigator (ap.org) 50

A former Verizon technician who worked in Alabama is being accused of selling customers' private call records and location data to an unnamed private investigator. Authorities said the data was sold for more than four years, from 2009 to 2014. The Associated Press reports: [Daniel Eugene Traeger] logged into one Verizon computer system to gain access to customers' call records, authorities said. He used another company system known as Real Time Tool to "ping" cellphones on Verizon's network to get locations of the devices, according to the plea agreement. He then compiled the data in spreadsheets, which he sent to the private investigator for years, the court records show. "Between April 2009 and January 2014, the defendant was paid more than $10,000 in exchange for his provision of confidential customer information and cellular location data to the PL, an unauthorized third party," court records state. Though Traeger was based in the Birmingham area, the court records do not indicate whether the information that was sold involved Verizon Wireless customers in Alabama or elsewhere. He faces up to five years in prison, but prosecutors are recommending a lesser sentence since he accepted responsibility, according to terms of the plea agreement.
Crime

Across US, Police Officers Abuse Confidential Databases (ap.org) 185

Sadie Gurman and Eric Tucker, reporting for Associated Press: Police officers across the country misuse confidential law enforcement databases to get information on romantic partners, business associates, neighbors, journalists and others for reasons that have nothing to do with daily police work, an Associated Press investigation has found. Criminal-history and driver databases give officers critical information about people they encounter on the job. But the AP's review shows how those systems also can be exploited by officers who, motivated by romantic quarrels, personal conflicts or voyeuristic curiosity, sidestep policies and sometimes the law by snooping. In the most egregious cases, officers have used information to stalk or harass, or have tampered with or sold records they obtained. No single agency tracks how often the abuse happens nationwide, and record-keeping inconsistencies make it impossible to know how many violations occur. But the AP, through records requests to state agencies and big-city police departments, found law enforcement officers and employees who misused databases were fired, suspended or resigned more than 325 times between 2013 and 2015. They received reprimands, counseling or lesser discipline in more than 250 instances, the review found.
Privacy

Apple Logs Your iMessage Contacts - And May Share Them With Police: The Intercept 61

The Intercept is reporting that despite what Apple claims, it does keep a log of people you are receiving messages from and shares this and other potentially sensitive metadata with law enforcement when compelled by court order. Apple insists that iMessage conversations are safe and out of reach from anyone other than you and your friends. From the report: This log also includes the date and time when you entered a number, along with your IP address -- which could, contrary to a 2013 Apple claim that "we do not store data related to customers' location," identify a customer's location. Apple is compelled to turn over such information via court orders for systems known as "pen registers" or "tap and trace devices," orders that are not particularly onerous to obtain, requiring only that government lawyers represent they are "likely" to obtain information whose "use is relevant to an ongoing criminal investigation." Apple confirmed to The Intercept that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.
Yahoo!

Yahoo's Delay in Reporting Hack 'Unacceptable', Say Senators (zdnet.com) 72

Yahoo won't be able to get away with its mega data breach from 2014 that it only reported this month. Six senior senators have said Yahoo's two-year delay in reporting the largest known data breach in history is unacceptable. The senators have asked Yahoo CEO Marissa Mayer to explain why the massive hack of more than 500 million accounts wasn't reported two years ago when the breach occurred. From a ZDNet report: The senators said they were "disturbed" that a breach of that size wasn't noticed at the time. "That means millions of Americans' data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest," the letter wrote. Sens. Patrick Leahy, Al Franken, Elizabeth Warren, Richard Blumenthal, Ron Wyden, and Edward Markey signed the letter, dated Tuesday. The senators also requested a briefing to senate staffers on its incident response and how it intends to protect affected users.
Privacy

Facebook Told To Stop Taking Data From German WhatsApp Users (bloomberg.com) 38

An anonymous reader shares a Bloomberg report: Facebook, already under scrutiny in the U.S. and the European Union for revisions to privacy policies for its WhatsApp messaging service, was ordered by Hamburg's privacy watchdog to stop processing data of German users of the chat service. In a renewed clash with the social-network operator, Johannes Caspar, one of Germany's most outspoken data protection commissioners, ordered Facebook to delete any data it already has. The news comes as EU privacy regulators, who previously expressed concerns about the policy shift, meet in Brussels to discuss their position. There's no legal basis for Facebook to use information of WhatsApp customers, Caspar said Tuesday. "This order protects the data of about 35 million WhatsApp users in Germany," Caspar said. "It has to be their decision as to whether they want to connect their account with Facebook. Therefore, Facebook has to ask for their permission in advance. This has not happened."
Security

Windows 10 Will Soon Run Edge In a Virtual Machine To Keep You Safe (arstechnica.com) 171

An anonymous reader quotes a report from Ars Technica: Microsoft has announced that the next major update to Windows 10 will run its Edge browser in a lightweight virtual machine. Running the update in a virtual machine will make exploiting the browser and attacking the operating system or compromising user data more challenging. Called Windows Defender Application Guard for Microsoft Edge, the new capability builds on the virtual machine-based security that was first introduced last summer in Windows 10. Windows 10's Virtualization Based Security (VBS) uses small virtual machines and the Hyper-V hypervisor to isolate certain critical data and processes from the rest of the system. The most important of these is Credential Guard, which stores network credentials and password hashes in an isolated virtual machine. This isolation prevents the popular MimiKatz tool from harvesting those password hashes. In turn, it also prevents a hacker from breaking into one machine and then using stolen credentials to spread to other machines on the same network. Credential Guard's virtual machine is very small and lightweight, running only a relatively simple process to manage credentials. Application Guard will go much further by running large parts of the Edge browser within a virtual machine. This virtual machine won't, however, need a full operating system running inside it -- just a minimal set of Windows features required to run the browser. Because Application Guard is running in a virtual machine it will have a much higher barrier between it and the host platform. It can't see other processes, it can't access local storage, it can't access any other installed applications, and, critically, it can't attack the kernel of the host system. In its first iteration, Application Guard will only be available for Edge. Microsoft won't provide an API or let other applications use it. 
As with other VBS features, Application Guard will also only be available to users of Windows 10 Enterprise, with administrative control through group policies. Administrators will be able to mark some sites as trusted, and those sites won't use the virtual machine. Admins will also be able to control whether untrusted sites can use the clipboard or print.
Privacy

California Enacts Law Requiring IMDb To Remove Actor Ages On Request (hollywoodreporter.com) 317

California Gov. Jerry Brown on Saturday signed legislation that requires certain entertainment sites, such as IMDb, to remove -- or not post in the first place -- an actor's age or birthday upon request, reports Hollywood Reporter. From the report: The law, which becomes effective Jan. 1, 2017, applies to entertainment database sites that allow paid subscribers to post resumes, headshots or other information for prospective employers. Only a paying subscriber can make a removal or nonpublication request. Although the legislation may be most critical for actors, it applies to all entertainment job categories. "Even though it is against both federal and state law, age discrimination persists in the entertainment industry," Majority Leader Ian Calderon, D-Whittier, said in a statement. "AB 1687 provides the necessary tools to remove age information from online profiles on employment referral websites to help prevent this type of discrimination." Bloomberg columnist Shira Ovide said, "Congratulations, IMDB. You have now become the subject of California law." Slate writer Will Oremus added, "Sometimes I start to think California is not such a bad place and then they go and do something like this."
United States

Kentucky's Shotgun 'Drone Slayer' Gets Sued Again (yahoo.com) 305

"Technology has surpassed the law..." argues a Kentucky man who fired a shotgun at a drone last year. An anonymous Slashdot reader reports: The drone's owner has now filed for damages in Federal Court over the loss of his $1,800 drone, arguing that the shotgun blast was unjustified because his drone wasn't actually trespassing or invading anyone's privacy. The defendant -- who has dubbed himself 'the Drone Slayer' -- said the aerial vehicle was over his garden and his daughter, and the verdict could ultimately set a new precedent in U.S. law: who owns the air?

"Operators need to know where they can fly," argued the drone pilot's lawyer, "and owners must know when they can reasonably expect privacy and be free of prying eyes." He estimates a drone is shot from the skies about once a month, and "What happens typically is that law enforcement doesn't know what to do and civil suits are uncommon as most people don't want to get involved due to the costs."

The Drone Slayer was originally charged with felony counts of wanton endangerment and criminal mischief. But all of those charges were dismissed in October when a district judge ruled he "had a right to shoot at the aircraft."
Security

97% of the Top Companies Have Leaked Credentials Online (onthewire.io) 21

Apparently lots of people have been using both their work email address and work password on third-party sites -- suggesting a huge vulnerability. Trailrunner7 quotes On The Wire: The last few years have seen a number of large-scale breaches at popular sites and companies, including LinkedIn, Adobe, MySpace, and Ashley Madison, and many of the credentials stolen during those incidents have ended up online in various places... [R]esearch from Digital Shadows found that the most significant breach for the global 1,000 companies it looked at was the LinkedIn incident... Digital Shadows found more than 1.6 million credentials online for the 1,000 companies it studied. Adobe's breach was next on the list, with more than 1.3 million credentials.
"For Ashley Madison alone, there were more than 200,000 leaked credentials from the top 1,000 global companies," the researchers report, noting they also found many leaked credentials from breaches at other dating and gaming sites, as well as Myspace. Their conclusion? "The vast majority of organizations have credentials exposed online..."
Media

Snapchat's 10-Second-Video Glasses Are Real And Cost $130 Bucks (techcrunch.com) 92

Long-time Slashdot reader bheerssen writes that Snapchat "announced a new product yesterday, Spectacles, which are sunglasses with a camera built into the frame." TechCrunch reports: Snapchat's long-rumored camera glasses are actually real. The startup's first foray into hardware will be a pair of glasses called "Spectacles" and will go on sale this fall for $129.99, according to the WSJ... To start recording you tap a button on the side of the glasses. Video capture will mimic Snapchat's app, meaning you can only capture 10 seconds of video at once. This video will sync wirelessly to your phone, presumably making it available to share as a snap.
The cameras will be using a circular 115-degree lens to mimic the human eye's natural field of vision, and in the Journal's article, Snap CEO Evan Spiegel remembers his first test of the product in 2015. "I could see my own memory, through my own eyes -- it was unbelievable... It was the closest I'd ever come to feeling like I was there again." The camera glasses will enter "limited distribution" sometime within the next three months, which TechCrunch believes "could end up being like Google Glass when it first launched -- officially on sale to the public but pretty hard to come by."
Security

Hacker Who Aided ISIS Gets 20 Years In Prison (softpedia.com) 131

An anonymous reader quotes a report from Softpedia: Ardit Ferizi, aka Th3Dir3ctorY, 20, a citizen of Kosovo, will spend 20 years in a U.S. prison for providing material support to ISIS hackers by handing over data for 1,351 U.S. government employees. Ferizi obtained the data by hacking into a U.S. retail company on June 13, 2015. The hacker then filtered the stolen information and put aside records related to government officials, which he later handed over to Junaid Hussain, the then leader of the Islamic State Hacking Division (ISHD). Hussain then uploaded this information online, asking fellow ISIS members to seek out these individuals and execute lone wolf attacks. Because of this leak, the U.S. Army targeted and killed Hussain in a drone strike in Syria in August 2015. Before helping ISIS, Ferizi had a prodigious hacking career as the leader of Kosova Hacker's Security (KHS) hacking crew. He was arrested on October 6, 2015, at the international airport in Kuala Lumpur, Malaysia, while trying to catch a flight back to Kosovo. Ferizi was in Kuala Lumpur studying computer science.
