Bug

Staff Breach At OneLogin Exposes Password Storage Feature (cso.com.au)

River Tam quotes a report from CSO Australia: Enterprise access management firm OneLogin has suffered an embarrassing breach tied to a single employee's credentials being compromised. OneLogin on Tuesday revealed the breach affected a feature called Secure Notes that allowed its users to "store information." That feature however is pitched to users as a secure way to digitally jot down credentials for access to corporate firewalls and keys to software product licenses. The firm is concerned Secure Notes was exposed to a hacker for at least one month, though it may have been from as early as July 2 through to August 25, according to a post by the firm. Normally these notes should have been encrypted using "multiple levels of AES-256 encryption," it said in a blog post. Several thousand enterprise customers, including high profile tech startups, use OneLogin for single sign-on to access enterprise cloud applications. The company has championed the SAML standard for single sign-on and promises customers an easy way to enable multi-factor authentication from devices to cloud applications. But it appears the company wasn't using multi-factor authentication for its own systems. OneLogin's CISO Alvaro Hoyos said a bug in its software caused Secure Notes to be "visible in our logging system prior to being encrypted and stored in our database." The firm later found out that an employee's compromised credentials were used to access this logging system. The company fixed the bug on the same day it detected it. CSO adds that the firm "also implemented SAML-based authentication for its log management system and restricted access to a limited set of IP addresses."
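The failure mode described above (a secret logged before it is encrypted) reduced to a runnable illustration. This is an added example, not OneLogin's code: the request shape, field names and the SHA-256 counter "cipher" standing in for the AES-256 layer are all assumptions, and the detection check at the end scans captured log output for a known secret.

```python
import hashlib
import json
import logging
import secrets
from io import StringIO

# Constructed sample request, shaped like a note-storage API call (assumption).
SAMPLE_NOTE = "fw01 admin / Hunter2!"          # constructed secret value
SAMPLE_REQUEST = {"id": "note-1001", "owner": "alice", "note": SAMPLE_NOTE}
SECRET_FIELDS = {"note", "password", "secret"}  # fields that must never reach a log


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the AES-256 layer: a SHA-256 counter keystream, toy only.

    It exists so the demo can show ciphertext going to the database; a real
    service would use an AEAD such as AES-GCM. Output is nonce || ciphertext.
    """
    nonce = secrets.token_bytes(16)
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(plaintext[offset:offset + 32], block))
    return nonce + bytes(out)


def redact(payload: dict) -> dict:
    """Copy of the payload with secret-bearing fields masked for logging."""
    return {k: ("[REDACTED]" if k in SECRET_FIELDS else v) for k, v in payload.items()}


def make_logger():
    """Standalone logger writing to an in-memory buffer (stands in for a log pipeline)."""
    buf = StringIO()
    logger = logging.Logger("secure_notes")   # not registered globally: no handler leaks
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger, buf


def store_note_leaky(request: dict, key: bytes, log, db: dict) -> None:
    # Bug pattern: the request is logged verbatim, and encryption happens afterwards,
    # so anyone who can read the logging system reads the note in the clear.
    log.info("secure_notes.create %s", json.dumps(request))
    db[request["id"]] = toy_encrypt(key, request["note"].encode())


def store_note_fixed(request: dict, key: bytes, log, db: dict) -> None:
    # Encrypt first; the log line carries only redacted metadata.
    db[request["id"]] = toy_encrypt(key, request["note"].encode())
    log.info("secure_notes.create %s", json.dumps(redact(request)))


def find_leaks(log_text: str, secrets_to_check) -> list:
    """Detection check: which known secrets appear verbatim in captured log output."""
    return [s for s in secrets_to_check if s in log_text]


def demo() -> dict:
    key = secrets.token_bytes(32)
    results = {}
    for name, handler in (("leaky", store_note_leaky), ("fixed", store_note_fixed)):
        log, buf = make_logger()
        db = {}
        handler(dict(SAMPLE_REQUEST), key, log, db)
        results[name] = {
            "log": buf.getvalue(),
            "leaks": find_leaks(buf.getvalue(), [SAMPLE_NOTE]),
            "db_has_plaintext": SAMPLE_NOTE.encode() in db["note-1001"],
        }
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same `find_leaks` scan, run over real log exports with a canary secret planted through the API, is a cheap regression check that a field redaction stays in place after code changes.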
Government

FDA Finds Flaws In Theranos' Zika Tests (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: This past week, the U.S. Food and Drug Administration mandated testing for the Zika virus at all U.S. blood centers. That juices demand for Zika-testing technology, but one company that isn't welcome to provide it yet is Theranos. The beleaguered blood analysis startup has run afoul of the FDA, yet again, The Wall Street Journal reports (Warning: may be paywalled). Specifically, regulators found that in developing and testing a new Zika-diagnostic technology, Theranos failed to use proper patient safety protocols, the type approved by an institutional review board. Such protocols are critical in ensuring the ethical treatment of patients involved in studies, and their safety. Theranos had sought the same FDA authorization, but voluntarily withdrew its request once regulators called the startup out, this time, on the safety protocols issue.
The Courts

Revived Lawsuit Says Twitter DMs Are Like Handing ISIS a Satellite Phone (theverge.com)

An anonymous reader quotes a report from The Verge: A long-standing lawsuit holding Twitter responsible for the rise of ISIS got new life today, as plaintiffs filed a revised version of the complaint (PDF) that was struck down earlier this month. In the new complaint, the plaintiffs argue Twitter's Direct Message service is akin to providing ISIS with physical communications equipment like a radio or a satellite phone. The latest complaint is largely the same as the one filed in January, but a few crucial differences will be at the center of the court's response. The plaintiffs also offer new arguments for why Twitter might be held responsible for the attack. In the dismissal earlier this month (PDF), District Judge William Orrick faulted the plaintiffs for not articulating a case for why providing access to Twitter's services constituted material aid to ISIS. "Apart from the private nature of Direct Messaging, plaintiffs identify no other way in which their Direct Messaging theory seeks to treat Twitter as anything other than a publisher of information provided by another information content provider," the ruling reads. At the same time, the judge found that the privacy of those direct messages "does not remove the transmission of such messages from the scope of publishing activity." The new complaint includes some language that might address that concern, explicitly comparing Twitter to other material communication tools. "Giving ISIS the capability to send and receive Direct Messages in this manner is no different than handing it a satellite phone, walkie-talkies or the use of a mail drop," the new complaint reads, "all of which terrorists use for private communications in order to further their extremist agendas." The Safe Harbor clause has been used in the past to protect service providers from liability for hosting data on their network. 
However, "Brookings Institution scholar Benjamin Wittes argued against protecting Twitter under the Safe Harbor clause, claiming that the current reasoning would also protect companies that actively offer services in support of terrorists."
Google

Google Login Bug Allows Credential Theft (onthewire.io)

Trailrunner7 writes from a report via On the Wire: Attackers can add an arbitrary page to the end of a Google login flow that can steal users' credentials, or alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process. A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don't consider it a security issue. The bug results from the fact that the Google login page will take a specific, weak GET parameter. Using this bug, an attacker could add an extra step to the end of the login flow that could steal a user's credentials. For example, the page could mimic an incorrect password dialog and ask the user to re-enter the password. [Aidan Woods, the researcher who discovered the bug,] said an attacker also could send an arbitrary file to the target's browser any time the login form is submitted. In an email interview, Woods said exploiting the bug is a simple matter. "Attacker would not need to intercept traffic to exploit -- they only need to get the user to click a link that they have crafted to exploit the bug in the continue parameter," Woods said. Google told Woods they don't consider this a security issue.
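The mitigation side of the bug described above: a post-login `continue` value must be constrained to first-party destinations rather than taken as-is. This is an added example, not Google's code or the researcher's; the allowed hostnames and the parameter dictionary are placeholders, and it goes slightly beyond the report by also covering the usual bypass shapes a validator has to reject (scheme-relative `//host`, userinfo `@`, non-https schemes, backslashes, odd ports).

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: placeholder first-party hosts; a real deployment loads these from config.
ALLOWED_HOSTS = {"accounts.example.com", "mail.example.com"}
DEFAULT_CONTINUE = "https://accounts.example.com/"


def safe_continue(value):
    """Return a post-login destination that stays on first-party origins.

    Every failed check falls back to DEFAULT_CONTINUE instead of raising, so
    the login flow never terminates on attacker-chosen input.
    """
    if not value:
        return DEFAULT_CONTINUE
    # Control characters, whitespace and backslashes are rejected outright:
    # browsers normalise "\" to "/" and drop some control bytes, so a value
    # that looks path-relative here can resolve to another host there.
    if any(ord(c) < 0x21 or c == "\\" for c in value):
        return DEFAULT_CONTINUE
    try:
        parts = urlsplit(value)
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return DEFAULT_CONTINUE
    if parts.scheme == "" and parts.netloc == "":
        # Path-relative target. "//host/x" gets a netloc from urlsplit, so it
        # never lands in this branch; only a single leading slash is accepted.
        return value if value.startswith("/") else DEFAULT_CONTINUE
    if parts.scheme != "https":
        return DEFAULT_CONTINUE        # blocks http:, javascript:, data:, ...
    if parts.username is not None or parts.password is not None:
        return DEFAULT_CONTINUE        # "https://trusted@evil/" lands on evil
    if port not in (None, 443):
        return DEFAULT_CONTINUE
    if parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_CONTINUE        # exact match, never suffix or substring
    return urlunsplit(("https", parts.hostname, parts.path or "/",
                       parts.query, parts.fragment))


def finish_login(query_params: dict) -> str:
    """Destination for the browser after a successful sign-in.

    query_params is the parsed GET query, e.g. {"continue": "/inbox"} (constructed).
    """
    return safe_continue(query_params.get("continue"))


if __name__ == "__main__":
    # Constructed candidates: the first three are legitimate, the rest must fall back.
    for candidate in ["/settings?tab=security",
                      "https://mail.example.com:443/inbox",
                      "https://accounts.example.com/done#step2",
                      "//evil.example/login",
                      "https://accounts.example.com@evil.example/",
                      "https://accounts.example.com.evil.example/",
                      "javascript:alert(1)",
                      "/\\evil.example"]:
        print(f"{candidate!r:48} -> {finish_login({'continue': candidate})}")
```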
Encryption

FBI Director Says Prolific Default Encryption Hurting Government Spying Efforts (go.com)

SonicSpike quotes a report from ABC News: FBI Director James Comey warned again Tuesday about the bureau's inability to access digital devices because of encryption and said investigators were collecting information about the challenge in preparation for an "adult conversation" next year. Widespread encryption built into smartphones is "making more and more of the room that we are charged to investigate dark," Comey said in a cybersecurity symposium. The remarks reiterated points that Comey has made repeatedly in the last two years, before Congress and in other settings, about the growing collision between electronic privacy and national security. "The conversation we've been trying to have about this has dipped below public consciousness now, and that's fine," Comey said at a symposium organized by Symantec, a technology company. "Because what we want to do is collect information this year so that next year we can have an adult conversation in this country." The American people, he said, have a reasonable expectation of privacy in private spaces -- including houses, cars and electronic devices. But that right is not absolute when law enforcement has probable cause to believe that there's evidence of a crime in one of those places, including a laptop or smartphone. "With good reason, the people of the United States -- through judges and law enforcement -- can invade our private spaces," Comey said, adding that that "bargain" has been at the center of the country since its inception. He said it's not the role of the FBI or tech companies to tell the American people how to live and govern themselves. "We need to understand in the FBI how is this exactly affecting our work, and then share that with folks," Comey said, conceding the American people might ultimately decide that their privacy was more important than "that portion of the room being dark." Comey made his remarks to the 2016 Symantec Government Symposium.
The Daily Dot has another take on Comey's remarks, which you can read here.
EU

Europe's Net Neutrality Doesn't Ban BitTorrent Throttling (torrentfreak.com)

Millions of Europeans will have to put up with throttling on BitTorrent. The Body of European Regulators of Electronic Communication (BEREC) published its guidelines for Europe's net neutrality rules on Tuesday, in which it hasn't challenged the BitTorrent throttling practices of many ISPs. TorrentFreak reports: Today, BEREC presented its final guidelines on the implementation of Europe's net neutrality rules. Compared to earlier drafts it includes several positive changes for those who value net neutrality. For example, while zero-rating isn't banned outright, internet providers are not allowed to offer a "sub Internet" service, where access to only part of the Internet is offered for 'free.' However, not all traffic is necessarily "neutral." ISPs are still allowed to throttle specific categories for "reasonable" network management purposes.
The Courts

Grumpy Cat Wants $600K From 'Pirating' Coffee Maker (torrentfreak.com)

Eloking quotes a report from TorrentFreak: Grumpy Cat is not pleased, yet. Her owners have asked a California federal court to issue a $600,000 judgment against a coffee maker which allegedly exploited their copyrights (PDF). In addition, they want damages for trademark and contract breach, and a ban on the company in question from selling any associated Grumpy Cat merchandise. There are dozens of celebrity cats on the internet, but Grumpy Cat probably tops them all. The cat's owners have made millions thanks to their pet's unique facial expression, which turned her into an overnight internet star. Part of this revenue comes from successful merchandise lines, including the Grumpy Cat "Grumppuccino" iced coffee beverage, sold by the California company Grenade Beverage. The company licensed the copyright and trademarks to sell the iced coffee, but is otherwise not affiliated with the cat and its owners. Initially this partnership went well, but after the coffee maker started to sell other "Grumpy Cat" products, things turned bad. TorrentFreak adds: "The cat's owners, incorporated as Grumpy Cat LLC, took the matter to court last year with demands for the coffee maker to stop infringing associated copyrights and trademarks. After Grenade Beverage failed to properly respond to the allegations, Grumpy Cat's owners moved for a default, which a court clerk entered in early June. A few days ago they went ahead and submitted a motion for default judgement."
EU

European Commission To Issue Apple An Irish Tax Bill of $1.1 Billion, Says Report (reuters.com)

An anonymous reader quotes a report from Reuters: The European Commission will rule against Ireland's tax dealings with Apple on Tuesday, two sources familiar with the decision told Reuters, one of whom said Dublin would be told to recoup over 1 billion euros in back taxes. The European Commission accused Ireland in 2014 of dodging international tax rules by letting Apple shelter profits worth tens of billions of dollars from tax collectors in return for maintaining jobs. Apple and Ireland rejected the accusation; both have said they will appeal any adverse ruling. The source said the Commission will recommend a figure in back taxes that it expects to be collected, but it will be up to Irish authorities to calculate exactly what is owed. A bill in excess of 1 billion euros ($1.12 billion) would be far more than the 30 million euros each the European Commission previously ordered Dutch authorities to recover from U.S. coffee chain Starbucks and Luxembourg from Fiat Chrysler for their tax deals. When it opened the Apple investigation in 2014, the Commission told the Irish government that tax rulings it agreed in 1991 and 2007 with the iPhone maker amounted to state aid and might have broken EU laws. The Commission said the rulings were "reverse engineered" to ensure that Apple had a minimal Irish bill and that minutes of meetings between Apple representatives and Irish tax officials showed the company's tax treatment had been "motivated by employment considerations."
Piracy

Judge Allows Kim Dotcom To Livestream Court Hearing (mashable.com)

Kim Dotcom has been granted the right to livestream his extradition appeal on YouTube. The appeal hearing began Monday, but will be livestreamed tomorrow because "the cameraman needs to set this up professionally and implement the judge's live streaming rules." tweets Kim Dotcom. Mashable reports: "The United States, which wants Dotcom extradited from New Zealand, is against the request. Dotcom says a livestream is the only way to ensure a fair hearing. The U.S. is seeking the extradition of Dotcom and other Megaupload co-founders in hopes of taking them to court in America on charges of money-laundering, racketeering and copyright infringement. The charges stem from the operation of file-sharing website Megaupload, founded by Dotcom in 2005 and once the 13th most popular website on the internet. Users could upload movies, music and other content to the site and share with others, a practice the U.S. considers copyright infringement. The website reportedly made around $175 million before the FBI took it down in 2012. The U.S. says Megaupload cost copyright holders around $500 million, though Dotcom says it's not his fault users chose to upload the shared copyrighted material. Dotcom was arrested in 2012 after police raided his home, but was released on bail. A judge ruled in favor of his extradition to the U.S. in 2015, though Dotcom said at the time the judge was not interested in a fair hearing." Dotcom plans to revive Megaupload on January 20, 2017, urging people to "buy bitcoin while cheap," since he claims the launch will send the bitcoin price soaring way above its current $575 value. Every file transfer taking place over Megaupload "will be linked to a tiny Bitcoin micro transaction," Dotcom posted on Twitter.
Government

FAA Expects 600,000 Commercial Drones In The Air Within A Year (npr.org)

The drone industry is expected to expand dramatically in the coming months and years with the passing of a new rule (PDF) that makes it easier to become a commercial drone operator. The Federal Aviation Administration predicts that roughly 600,000 drones will be used commercially within the next year. NPR reports: "For context, the FAA says that 20,000 drones are currently registered for commercial use. What's expected to produce a 30-fold increase in a matter of months is a new rule that went into effect today and makes it easier to become a commercial drone operator. Broadly, the new rules change the process of becoming a commercial drone pilot: Instead of having to acquire a traditional pilot's license and getting a special case-by-case permission from the regulators, drone operators now need to pass a new certification test and abide by various flying restrictions (and, well, be older than 16). The rest of the drone safety rules still apply: No flights beyond line-of-sight, over people, at night, above 400 feet in the air or faster than 100 miles an hour. Drones also can't be heavier than 55 pounds, and all unmanned aircraft have to be registered. Businesses, however, may get special waivers to skip some of the restrictions if they can prove they can do so safely. The drone association expects the industry will create more than 100,000 jobs and generate more than $82 billion for the economy in the first 10 years of being integrated into the national airspace. The FAA is also working on new rules that eventually will allow drone flights over people and beyond line of sight."
AT&T

US Appeals Court Dismisses AT&T Data Throttling Lawsuit (reuters.com)

An anonymous reader quotes a report from Reuters: A federal appeals court in California on Monday dismissed a U.S. government lawsuit that accused AT&T Inc of deception for reducing internet speeds for customers with unlimited mobile data plans once their use exceeded certain levels. The company, however, could still face a fine from the Federal Communications Commission regarding the slowdowns, also called "data throttling." The U.S. Court of Appeals for the Ninth Circuit said it ordered a lower court to dismiss the data-throttling lawsuit, which was filed in 2014 by the Federal Trade Commission. The FTC sued AT&T on the grounds that the No. 2 U.S. wireless carrier failed to inform consumers it would slow the speeds of heavy data users on unlimited plans. In some cases, data speeds were slowed by nearly 90 percent, the lawsuit said. The FTC said the practice was deceptive and, as a result, barred under the Federal Trade Commission Act. AT&T argued that there was an exception for common carriers, and the appeals court agreed.
Transportation

65-Year-Old Woman Shoots Down Drone Over Her Virginia Property With One Shot (arstechnica.com)

An anonymous reader writes from a report via Ars Technica: Jennifer Youngman, a 65-year-old woman living in rural northern Virginia shot down a drone flying over her property with a single shotgun blast. Ars Technica reports: "Youngman told Ars that she had just returned from church one Sunday morning and was cleaning her two shotguns -- .410 and a .20 gauge -- on her porch. She had a clear view of the Blue Ridge Mountains and neighbor Robert Duvall's property (yes, the same Robert Duvall from The Godfather). Youngman had seen two men set up a card table on what she described as a 'turnaround place' on a country road adjacent to her house. 'I go on minding my business, working on my .410 shotgun and the next thing I know I hear bzzzzz,' she said. 'This thing is going down through the field, and they're buzzing like you would scaring the cows.' Youngman explained that she grew up hunting and fishing in Virginia, and she was well-practiced at skeet and deer shooting. 'This drone disappeared over the trees and I was cleaning away, there must have been a five- or six-minute lapse, and I heard the bzzzzz,' she said, noting that she specifically used 7.5 birdshot. 'I loaded my shotgun and took the safety off, and this thing came flying over my trees. I don't know if they lost command or if they didn't have good command, but the wind had picked up. It came over my airspace, 25 or 30 feet above my trees, and hovered for a second. I blasted it to smithereens.'" Ars goes on to explain that aerial trespassing isn't currently recognized under American law. "The Supreme Court ruled in a case known as United States v. Causby that a farmer in North Carolina could assert property rights up to 83 feet in the air. There is a case still pending on whether or not Kentucky drone pilot, David Boggs, was trespassing when he flew his drone over somebody else's property. 
"Boggs asked the court to rule that there was no trespassing and that he is therefore entitled to damages of $1,500 for the destroyed drone."
Education

Now Arriving On the New York Subway: Free E-Books, Timed For Your Commute (betanews.com)

Brian Fagioli, writing for BetaNews: Andrew M. Cuomo, Governor of New York, has announced a new promotion called "Subway Reads," which leverages the free Wi-Fi connectivity provided at the NYC subway. This initiative will help straphangers get some relief from the other nonsense by enabling them to bury themselves in a free Penguin Random House e-book short or excerpt. "As part of 'Subway Reads', Penguin Random House created a special platform to offer subway customers free access to five full-length e-shorts, including High Heat, a Jack Reacher novella by Lee Child; F. Scott Fitzgerald's classic short story, The Diamond As Big As The Ritz; 3 Truths and A Lie, a short story by Lisa Gardner; The Murders in the Rue Morgue by Edgar Allan Poe; and At the Reunion Buffet by Alexander McCall Smith," says the New York State Government. Sounds like a good thing. What's your thought?
Government

FBI Says Foreign Hackers Breached State Election Systems (theguardian.com)

The FBI has uncovered evidence that foreign hackers breached two state election databases in recent weeks, and it has warned election officials across the country to take some measures to step up the security of their computer systems. The Guardian reports: The FBI warning did not identify the two states targeted by cyber intruders, but Yahoo News said sources familiar with the document said it referred to Arizona and Illinois, whose voter registration systems were penetrated. Citing a state election board official, Yahoo News said the Illinois voter registration system was shut down for 10 days in late July after hackers downloaded personal data on up to 200,000 voters. The Arizona attack was more limited and involved introducing malicious software into the voter registration system, Yahoo News quoted a state official as saying. No data was removed in that attack, the official said. US intelligence officials have become increasingly worried that hackers sponsored by Russia or other countries may attempt to disrupt the November presidential election.
Opera

Opera Sync Users May Have Been Compromised In Server Breach (fortune.com)

An anonymous reader writes: Someone broke into Opera's servers. The Opera browser has a handy feature for synchronizing browsing data across different devices. Unfortunately, some of the passwords and login information used to enable the feature may have been stolen from Opera's servers. Opera's sync service is used by around 1.7 million people each month. Overall, the browser has 350 million users. The Norwegian firm told its users that someone had gained access to the Opera sync system, and "some of our sync users' passwords and account information, such as login names, may have been compromised." As a result, Opera had to reset all the passwords for the feature, meaning users will need to select new ones.
Security

How Security Experts Are Protecting Their Own Data (siliconvalley.com)

Today the San Jose Mercury News asked several prominent security experts which security products they were actually using for their own data. An anonymous Slashdot reader writes: The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security. ("I don't like to get complacent and rely on it in any way...") He does regularly encrypt his e-mail, "but he doesn't recommend that average users scramble their email, because he thinks the encryption software is just too difficult to use."

The newspaper also interviewed security expert Eugene Spafford, who rarely updates the operating system on one of his computers -- because it's not connected to the internet -- and sometimes even accesses his files with a virtual machine, which he then deletes when he's done. His home router is equipped with a firewall device, and "he's developed some tools in his research center that he uses to try to detect security problems," according to the article. "There are some additional things I do," Spafford added, telling the reporter that "I'm not going to give details of all of them, because that doesn't help me."

Bruce Schneier had a similar answer. When the reporter asked how he protected his data, Schneier wouldn't tell them, adding "I'm kind of a target..."
Google

Google Tests A Software That Judges Hollywood's Portrayal of Women

Slashdot reader theodp writes: Aside from it being hosted in a town without a movie theater, the 2016 Bentonville Film Festival was also unusual in that it required all entrants to submit "film scripts and downloadable versions of the film" for judgment by "the team at Google and USC", apparently part of a larger Google-funded research project with USC Engineering "to develop a computer science tool that could quickly and efficiently assess how women are represented in films"...

Fest reports noted that representatives of Google and the White House Office of Science and Technology Policy appeared in a "Reel vs. Real Diversity" panel presentation at the fest, where the importance of diversity and science to President Obama were discussed, and the lack of qualified people to fill 500,000 U.S. tech jobs was blamed in part on how STEM careers have been presented in film and television... In a 2015 report on a Google-sponsored USC Viterbi School of Engineering MacGyver-themed event to promote women in engineering, USC reported that President Obama was kept briefed on efforts to challenge media's stereotypical portrayals of women. As for its own track record, Google recently updated its Diversity page, boasting that "21% of new hires in 2015 were women in tech, compared to 19% of our current population"....
Databases

100 Arrested In New York Thanks To Better Face-Recognition Technology (arstechnica.com)

New York doubled the number of "measurement points" used by its facial recognition technology this year, leading to 100 arrests for fraud and identity theft, plus another 900 open cases. An anonymous reader quotes a report from Ars Technica: In all, since New York implemented facial recognition technology in 2010, more than 14,000 people have been hampered trying to get multiple licenses. The newly upgraded system increases the measurement points of a driver's license picture from 64 to 128.

The DMV said this vastly improves its chances of matching new photographs with one already in a database of 16 million photos... "Facial recognition plays a critical role in keeping our communities safer by cracking down on individuals who break the law," Gov. Andrew M. Cuomo said in a statement. "New York is leading the nation with this technology, and the results from our use of this enhanced technology are proof positive that its use is vital in making our roads safer and holding fraudsters accountable."

At least 39 US states use some form of facial recognition software, and New York says their new system also "removes high-risk drivers from the road," stressing that new licenses will no longer be issued until a photo clears their database.
Security

New Ransomware Poses As A Windows Update (hothardware.com)

Slashdot reader MojoKid quotes an article from Hot Hardware: A security researcher for AVG has discovered a new piece of ransomware called Fantom that masquerades as a critical Windows update. Victims who fall for the ruse will see a Windows screen acting like it's installing the update, but what's really happening is that the user's documents and files are being encrypted in the background...

The scam starts with a pop-up labeled as a critical update from Microsoft. Once a user decides to apply the fake update, it extracts files and executes an embedded program called WindowsUpdate.exe... As with other EDA2 ransomware, Fantom generates a random AES-128 key, encrypts it using RSA, and then uploads it to the culprit. From there, Fantom targets specific file extensions and encrypts those files using AES-128 encryption... Users affected by this are instructed to email the culprit for payment instructions.

While the ransomware is busy encrypting your files, it displays Microsoft's standard warning about not turning off the computer while the "update" is in progress. Pressing Ctrl+F4 closes that window, according to the article, "but that doesn't stop the ransomware from encrypting files in the background."
Bitcoin

Kim Dotcom Will Revive Megaupload, Linking File Transfers To Bitcoin Microtransactions (fortune.com)

Long-time Slashdot reader SonicSpike quotes an article from Fortune: The controversial entrepreneur Kim Dotcom said last month that he was preparing to relaunch Megaupload, the file-sharing site that U.S. and New Zealand authorities dramatically shut down in 2012, with bitcoins being involved in some way... This system will be called Bitcache, and Dotcom claimed its launch would send the bitcoin price soaring way above its current $575 value.

The launch of Megaupload 2.0 will take place on January 20, 2017, he said, urging people to "buy bitcoin while cheap, like right now, trust me..." Crucially, Dotcom said the Bitcache system would overcome bitcoin's scaling problems. "It eliminates all blockchain limitations," he claimed.

Every file transfer taking place over Megaupload "will be linked to a tiny Bitcoin micro transaction," Dotcom posted on Twitter. His extradition trial begins Monday, and he's asking the court to allow live-streaming of the trial "because of global interest in my case." Meanwhile, the FBI apparently let the registration lapse on the Megaupload domain, which they seized in 2012, and Ars Technica reports that the site is now full of porn ads.