Facebook

French Gov't Gives Facebook 3 Months To Stop Tracking Non-User Browsers

Reader iamthecheese writes: RT reports that France's National Commission of Information and Freedoms found Facebook's tracking of non-user browsers to be illegal. Facebook has three months to stop doing it. The ruling points to violations of members' and non-members' privacy, in violation of an earlier ruling. The guidance, published last October, invalidates safe harbor provisions. If Facebook fails to comply, the French authority will appoint someone to decide upon a sanction. Related: A copy of the TPP leaked last year no longer requires signing countries to have a safe harbor provision.
Crime

Hearthstone Cheats and Tools Spiked With Malware (csoonline.com)

itwbennett writes: Cheating at the online card game Hearthstone (which is based on Blizzard's World of Warcraft) can get you banned from the game, but now it also puts you at risk of 'financial losses and system ruin,' writes CSO's Steve Ragan. Symantec is warning Hearthstone players about add-on tools and cheat scripts that are spiked with malware. 'In one example, Hearth Buddy, a tool that allows bots to play the game instead of a human player (which is supposed to help with rank earnings and gold earning), compromises the entire system,' says Ragan. 'Another example is the dust and gold hacking tools (Hearthstone Hack Tool), which install malware that targets Bitcoin wallets.'
Twitter

Twitter Launches Trust and Safety Council To Help Put End To Trolling (thestack.com)

An anonymous reader writes: Twitter has announced a new trust and safety council to stamp out bullying and trolling on the microblogging site. The Twitter Trust & Safety Council will initially be formed of around 40 bodies, including the Cyber Civil Rights Initiative, ICT Watch, NetSafe, and Samaritans. These organisations, along with safety experts, academics and security researchers, will work to ensure a safe and secure platform for users to express themselves freely and safely. The Council's main focus will be to protect minors, encourage 'greater compassion and empathy on the internet,' and promote efforts in media literacy and digital citizenship. Community groups will also participate to help prevent online 'abuse, harassment, and bullying,' as well as mental health problems and suicide.
Security

President Obama Unveils $19 Billion Plan To Overhaul U.S. Cybersecurity

erier2003 writes: President Obama on Tuesday unveiled an expansive plan to bolster government and private-sector cybersecurity by establishing a federal coordinator for cyber efforts, proposing a commission to study future work, and asking Congress for funds to overhaul dangerously obsolete computer systems. His newly signed executive orders contain initiatives to better prepare college students for cybersecurity careers, streamline federal computer networks, and certify Internet-connected devices as secure. The Cybersecurity National Action Plan also establishes a Federal Privacy Council (to review how the government stores Americans' personal information), creates the post of Chief Information Security Officer, and establishes a Commission on Enhancing National Cybersecurity.
Crime

Hackers Leak List of FBI Employees (vice.com)

puddingebola writes: The hackers responsible for the leaking of DHS employees made good on their threat to reveal the names of 20,000 FBI employees. From the article: "The hacker provided Motherboard with a copy of the data on Sunday. The list includes names, email addresses (many of which are non-public) and job descriptions, such as task force deputy director, security specialist, special agent, and many more. The list also includes roughly 1,000 FBI employees in an intelligence analysis role."
Bug

The Internet of Broken Things (hackaday.com)

szczys writes: The Internet of Things is all the hype these days. On one side we have companies clamoring to sell you Internet-Connected-everything to replace all of the stuff you already have that is now considered "dumb." On the other side are security researchers screaming that we're installing remote access with little thought about securing it properly. The truth is a little of both is happening, and that this isn't a new thing. It's been around for years in industry; the new part is that it's much more widespread and much closer to your life. Al Williams walks through some real examples of the unintended consequences of IoT, including his experiences building and deploying devices, and some recent IoT gaffes like the NEST firmware upgrade that had some users waking up to an icy-cold home.
Oracle

Java Installer Flaw Shows Why You Should Clear Your Downloads Folder (csoonline.com)

itwbennett writes: On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have lying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason: older versions of the Java installer were vulnerable to binary planting in the Downloads folder. 'Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system,' said Eric Maurice, Oracle's software security assurance director, in a blog post.
Security

Researcher Finds Tens of Software Products Vulnerable To Simple Bug (softpedia.com)

An anonymous reader writes: There's a German security researcher who is arduously testing the installers of tens of software products to see which of them are vulnerable to basic DLL hijacking. Surprisingly, many companies are ignoring his reports. Until now, only Oracle seems to have addressed this problem, in Java and VirtualBox. Here's a short (probably incomplete) list of applications that he found vulnerable to this attack: Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes. Mr. Kanthak also seems to have paid special attention to antivirus software installers. Here are some of the security products he discovered vulnerable to DLL hijacking: ZoneAlarm, Emsisoft Anti-Malware, Trend Micro, ESET NOD32, Avira, Panda Security, McAfee Security, Microsoft Security Essentials, Bitdefender, Rapid7's ScanNowUPnP, Kaspersky, and F-Secure.
Crime

Metel Hackers Roll Back ATM Transactions, Steal Millions (threatpost.com)

msm1267 writes: Researchers from Kaspersky Lab's Global Research & Analysis Team today unveiled details on two new criminal operations that have borrowed heavily from targeted nation-state attacks, and also shared an update on a resurgent Carbanak gang, which last year, it was reported, had allegedly stolen upwards of $1 billion from more than 100 financial companies. The heaviest hitter among the newly discovered gangs is an ongoing campaign, mostly confined to Russia, known as Metel. This gang targets machines that have access to money transactions, such as call center and support machines, and once they are compromised, the attackers use that access to automate the rollback of ATM transactions. As the attackers empty ATM after ATM—Metel was found inside 30 organizations—the balances on the stolen accounts remained untouched.
Security

Hackers Leak DHS Staff Directory, Claim FBI Is Next (csoonline.com)

itwbennett writes: On Sunday, the names, titles, email addresses, and phone numbers of more than 9,000 DHS employees, with titles ranging from engineers to security specialists, program analysts, InfoSec and IT, all the way up to director level, were posted on Twitter. 'The account went on to claim that an additional data dump focused on 20,000 FBI employees was next,' writes CSO's Steve Ragan. The hacker told Motherboard that the data was obtained by "compromising the email account of a DoJ employee, although he would not elaborate on how that account was accessed in the first place."
Security

Neutrino Exploit Kit Has a New Way To Detect Security Researchers (csoonline.com)

itwbennett writes: [The Neutrino exploit kit] is using passive OS fingerprinting to detect visiting Linux machines, according to Trustwave researchers, who found that the computers they were using for research couldn't make a connection with servers that delivered Neutrino. Daniel Chechik, senior security researcher at Trustwave's SpiderLabs division, wrote that they tried changing IP addresses and Web browsers to avoid whatever was causing the Neutrino server to not respond, but it didn't work. But by fiddling with some of the data traffic that Trustwave's computers were sending to the Neutrino server, they figured out what was going on.
Microsoft

Even With Telemetry Disabled, Windows 10 Talks To Dozens of Microsoft Servers (voat.co)

An esteemed reader writes: Curious about the various telemetry and personal information being collected by Windows 10, one user installed Windows 10 Enterprise and disabled all of the telemetry and reporting options. Then he configured his router to log all the connections that happened anyway. Even after opting out wherever possible, his firewall captured Windows making around 4,000 connection attempts to 93 different IP addresses during an 8 hour period, with most of those IPs controlled by Microsoft. Even the enterprise version of Windows 10 is checking in with Redmond when you tell it not to — and it's doing so frequently.
Botnet

Online Museum Displays Decades of Malware (thestack.com)

An anonymous reader writes: archive.org has launched a Museum of Malware, which devotes itself to a historical look at DOS-based viruses of the 1980s and 1990s, and gives viewers the opportunity to run the viruses in a DOS game emulator, and to download 'neutered' versions of the code. With an estimated 50,000 DOS-based viruses in existence by the year 2000, the Malware Museum's 65 examples should be seen as representative of an annoying, but more innocent era of digital vandalism.
Security

Avast SafeZone Browser Lets Attackers Access Your Filesystem (softpedia.com)

An anonymous reader writes: Just two days after Comodo's Chromodo browser was publicly shamed by Google Project Zero security researcher Tavis Ormandy, it's now Avast's turn to be publicly scorned for failing to provide a "secure" browser for its users. Called SafeZone, and also known as Avastium, Avast's custom browser is offered as a bundled download for all who purchase or upgrade to a paid version of Avast Antivirus 2016. This poor excuse of a browser was allowing attackers to access files on the user's filesystem just by clicking on malicious links. The browser wouldn't even have to be opened, and the malicious link could be clicked in "any" browser.
Government

UK Wants Authority To Serve Warrants In U.S. (usatoday.com)

schwit1 writes with this news, as reported by USA Today: British and U.S. officials have been negotiating a plan that could allow British authorities to directly serve wiretap orders on U.S. communications companies in criminal and national security inquiries, U.S. officials confirmed Thursday. The talks are aimed at allowing British authorities access to a range of data, from interceptions of live communications to archived emails involving British suspects, according to the officials, who are not authorized to comment publicly. ... Under the proposed plan, British authorities would not have access to records of U.S. citizens if they emerged in the British investigations. Congressional approval would be required of any deal negotiated by the two countries.
Education

K-12 CS Framework Draft: Kids Taught To 'Protect Original Ideas' In Early Grades

theodp writes: Remember that Code.org and ACM-bankrolled K-12 Computer Science Education Framework that Microsoft, Google, Apple, and others were working on? Well, a draft of the framework was made available for review on Feb. 3rd, coincidentally just 3 business days after U.S. President Barack Obama and Microsoft President Brad Smith teamed up to announce the $4+ billion Computer Science for All initiative for the nation's K-12 students. "Computationally literate citizens have the responsibility to learn about, recognize, and address the personal, ethical, social, economic, and cultural contexts in which they operate," explains the section on Fostering an Inclusive Computing Culture, one of seven listed 'Core K-12 CS Practices'. "Participating in an inclusive computing culture encompasses the following: building and collaborating with diverse computational teams, involving diverse users in the design process, considering the implication of design choices on the widest set of end users, accounting for the safety and security of diverse end users, and fostering inclusive identities of computer scientists." Hey, do as they say, not as they do! Also included in the 10-page draft (pdf) is a section on Law and Ethics, which begins: "In early grades, students differentiate between responsible and irresponsible computing behaviors. Students learn that responsible behaviors can help individuals while irresponsible behaviors can hurt individuals. They examine legal and ethical considerations for obtaining and sharing information and apply those behaviors to protect original ideas."
Security

MIT Reveals "Hack-Proof" RFID Chip (thestack.com)

JustAnotherOldGuy writes: A group of researchers at MIT and Texas Instruments claim that they have developed a new radio frequency identification chip that may be impossible to hack. Traditional RFID chips are vulnerable to side-channel attacks, whereby a hacker can extract a cryptographic key from the chip. The new RFID chip runs a random-number generator that creates a new secret key after each transaction. The key can then be verified with a server to ensure that it is correct. The group at MIT also incorporated protection against a power-glitch attack, an attack that would normally leave a chip vulnerable to an interruption of the power source that would in turn halt the creation of a new secret key. Texas Instruments CTO Ahmad Bahai stated, "We believe this research is an important step toward the goal of a robust, low-cost, low-power authentication protocol for the industrial internet." The question is, how long will it be before this "hack-proof" chip is hacked?
Security

Anti-Malware Maker Files Lawsuit Over Bad Review (csoonline.com)

itwbennett writes: In a lawsuit filed January 8, 2016, Enigma Software, maker of anti-malware software SpyHunter, accuses self-help portal Bleeping Computer of making 'false, disparaging, and defamatory statements.' At issue: a bad review posted by a user in September, 2014. The lawsuit also accuses Bleeping Computer of profiting from driving traffic to competitor Malwarebytes via affiliate links: 'Bleeping has a direct financial interest in driving traffic and sales to Malwarebytes and driving traffic and sales away from ESG.' Perhaps not helping matters, one of the first donations to a fund set up by Bleeping Computer to help with legal costs came from Malwarebytes.
Government

Marco Rubio Wants To Permanently Extend NSA Mass Surveillance (nationaljournal.com)

SonicSpike writes: Marco Rubio wants Congress to permanently extend the authorities governing several of the National Security Agency's controversial spying programs, including its mass surveillance of domestic phone records. The Florida Republican and 2016 presidential hopeful penned an op-ed on Tuesday condemning President Obama's counterterrorism policies and warning that the U.S. has not learned the "fundamental lessons of the terrorist attacks of Sept. 11, 2001." Rubio called on Congress to permanently reauthorize core provisions of the post-9/11 USA Patriot Act, which are due to sunset on June 1 of this year and provide the intelligence community with much of its surveillance power. "This year, a new Republican majority in both houses of Congress will have to extend current authorities under the Foreign Intelligence Surveillance Act, and I urge my colleagues to consider a permanent extension of the counterterrorism tools our intelligence community relies on to keep the American people safe," Rubio wrote in a Fox News op-ed.
Cloud

CoreOS Launches Rkt 1.0 (eweek.com)

darthcamaro writes: Docker is about to get some real competition in the container runtime space, thanks to the official launch of rkt 1.0. CoreOS started building rkt in 2014 and, after more than a year of security, performance and feature improvements, is now ready to declare it 'production-ready.' While rkt is a Docker runtime rival, Docker apps will run in rkt, giving users a new runtime choice: "rkt will remain compatible with the Docker-specific image format, as well as its own native App Container Image (ACI). That means developers can build containers with Docker and run those containers with rkt. In addition, CoreOS will support the growing ecosystem of tools based around the ACI format."