Privacy

Uber Revises Privacy Policy, Wants More Data From Users 134

Posted by Soulskill
from the can-you-just-drive-me-places dept.
itwbennett tips news that Uber has amended its privacy policy, making it much simpler to read and understand. But the policy also includes changes to what data Uber collects about its riders. Beginning July 15th, the Uber phone app will keep track of a rider's location while it's running in the background. Uber says riders will be able to opt out of this tracking. The policy changes also allow for advertising using the rider's contact list: "for example the ability to send special offers to riders' friends or family." The revision of Uber's privacy policy followed complaints at the end of last year that the company was overstepping its bounds.
Security

The Underground Hacking Economy 29

Posted by Soulskill
from the sunlight-is-a-distraction dept.
Fast Company profiles the rise of sites like Hackers List and Hackers For Hire, which provide consolidated markets for people to hire hackers to break passwords, alter databases, learn to operate malware, and more. People with the skills to circumvent security are putting themselves out there as freelancers for specific tasks, and people in need of their services are posting notices asking for help. Law enforcement agencies are warning about this new type of behavior, saying it's often illegal, and facilitated by online anonymity and cryptocurrencies like Bitcoin. The number of deals currently being made through these sites remains small, but it's growing — particularly among businesses seeking to gain an advantage over competitors in other countries.
Education

Chinese Nationals Accused of Taking SATs For Others 218

Posted by samzenpus
from the grades-for-pay dept.
Vadim Makarov writes: Fifteen Chinese nationals living in the U.S. have been charged with creating an elaborate scheme to take U.S. college entrance exams on behalf of students. For the past four years, the accused provided counterfeit Chinese passports to impostors, who sneaked into testing centers where they took the Scholastic Aptitude Test (SAT), the Graduate Record Examination (GRE), and others, while claiming to be someone else, according to a federal grand jury indictment. Special Agent in Charge John Kelleghan for Homeland Security Investigations of Philadelphia said: "These students were not only cheating their way into the university, they were also cheating their way through our nation's immigration system."
Security

Why Detecting Drones Is a Tough Gig 223

Posted by timothy
from the if-you-see-something-it's-too-late dept.
An anonymous reader writes with a link to some interesting commentary at Help Net Security from Drone Lab CEO Zain Naboulsi about a security issue of a (so far) unusual kind: detecting drones whose masters are bent on malice. That's relevant after the recent drone flight close enough to the White House to spook the Secret Service, and that wasn't the first -- even if no malice was involved. Drones at their most dangerous in that context are small, quiet, and flying through busy, populated spaces, which makes even detecting them tough, never mind defeating them. From the article, which briefly describes pros and cons of various detection methods: Audio detection does NOT work in urban environments - period. Most microphones only listen well at 25 to 50 feet so, because of the ambient noise in the area, any audio detection method would be rendered useless at 1600 Pennsylvania Avenue. It is also too simple for an operator to change the sound signature of a drone by buying different propellers or making other modifications. It doesn't take much to defeat the many weaknesses of audio detection.
Upgrades

New Freescale I.MX6 SoCs Include IoT-focused UltraLite 24

Posted by timothy
from the update-from-the-race-to-the-bottom dept.
DeviceGuru writes: Freescale has announced three new versions of its popular i.MX6 SoCs, including new DualPlus and QuadPlus parts featuring enhanced GPUs and expanded memory support, and a new low-end, IoT-focused 528MHz UltraLite SoC that integrates a more power-efficient, single-core ARM Cortex-A7 architecture. The UltraLite, which will be available in a tiny 9x9mm package, is claimed by Freescale to be the smallest and most energy-efficient ARM-based SoC. It has a stripped-down WXGA interface but adds new security, tamper detection, and power management features. All the new Freescale i.MX6 SoCs are supported with Linux BSPs and evaluation kits.
Android

Android M Arrives In Q3: Native Fingerprint Support, Android Pay, 'Doze' Mode 82

Posted by timothy
from the sleep-beats-death dept.
MojoKid writes with yet more news from the ongoing Google IO conference: Google I/O kicked off this afternoon and the first topic of discussion was of course Google's next generation mobile operating system. For those that were hoping for a huge UI overhaul or a ton of whiz-bang features, this is not the Android release for you. Instead, Android M is more of a maintenance release focused mainly on squashing bugs and improving stability/performance across the board. Even though Android M is about making Android a more stable platform, there are a few features that have been improved upon or introduced for this release: App Permissions, Chrome Custom Tabs for apps, App Links (instead of asking you which app to choose when clicking a link, Android M's new Intent System can allow apps to verify that they are rightfully in possession of a link), NFC-based Android Pay, standardized fingerprint scanning support, and a new "doze" mode that supposedly offers 2X longer battery life when idle.
The Military

The Marshall Islands, Nuclear Testing, and the NPT 67

Posted by samzenpus
from the big-booms dept.
Lasrick writes: Robert Alvarez, a senior scholar at the Institute for Policy Studies and a former senior policy adviser to the Energy Department's secretary and deputy assistant secretary for national security and the environment, details the horrific consequences of nuclear weapons testing in the Marshall Islands and explains the lawsuits the Marshallese have filed against the nuclear weapons states. The lawsuits hope to close the huge loophole those states carved for themselves with the vague wording of Article VI of the NPT (Nuclear Non-proliferation Treaty), wording that allows those states to delay, seemingly indefinitely, implementing the disarmament they agreed to when they signed the treaty.
Democrats

Obama Asks Congress To Renew 'Patriot Act' Snooping 387

Posted by Soulskill
from the it-makes-you-safer-because-reasons dept.
mi writes: President Obama has asked the Senate to renew key Patriot Act provisions before their expiration on May 31. This includes surveillance powers that let the government collect Americans' phone records. Obama said, "It's necessary to keep the American people safe and secure." The call came despite recent revelations that the FBI is unable to name a single terror case in which the snooping provisions were of much help. "Obama noted that the controversial bulk phone collections program, which was exposed by National Security Agency contractor Edward Snowden, is reformed in the House bill, which does away with it over six months and instead gives phone companies the responsibility of maintaining phone records that the government can search." Obama criticized the Senate for not acting on that legislation, saying they have necessitated a renewal of the Patriot Act provisions.
Security

Insurer Won't Pay Out For Security Breach Because of Lax Security 117

Posted by Soulskill
from the ounce-of-prevention-is-worth-a-ton-of-green dept.
chicksdaddy writes: In what may become a trend, an insurance company is denying a claim from a California healthcare provider following the leak of data on more than 32,000 patients. The insurer, Columbia Casualty, charges that Cottage Health System did an inadequate job of protecting patient data. In a complaint filed in U.S. District Court in California, Columbia alleges that the breach occurred because Cottage and a third party vendor, INSYNC Computer Solution, Inc. failed to follow "minimum required practices," as spelled out in the policy. Among other things, Cottage "stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who 'surfed' the Internet," the complaint alleges. Disputes like this may become more common, as insurers anxious to get into a cyber insurance market that's growing by about 40% annually use liberally written exclusions to hedge against "known unknowns" like lax IT practices, pre-existing conditions (like compromises) and so on.
Security

IRS: Personal Info of 100,000 Taxpayers Accessed Illegally 85

Posted by Soulskill
from the disincentive-to-pay-your-taxes dept.
An anonymous reader writes: The Associated Press reports that an online service provided by the IRS was used to gather the personal information of more than 100,000 taxpayers. Criminals were able to scrape the "Get Transcript" system to acquire tax return information. They already had a significant amount of information about these taxpayers, though — the system required a security check that included knowledge of a person's social security number, date of birth, and filing status. The system has been shut down while the IRS investigates and implements better security, and they're notifying the taxpayers whose information was accessed.
Transportation

Amtrak Installing Cameras To Watch Train Engineers 289

Posted by Soulskill
from the call-it-amtraking dept.
An anonymous reader writes: In the aftermath of the derailment of an Amtrak train in Philadelphia a couple weeks ago, the company has caved to demands that it install video cameras to monitor and record the actions of the engineers driving their trains. The National Transportation Safety Board has been recommending such cameras for the past five years. Amtrak CEO Joe Boardman says the cameras will improve train safety, though the engineers' union disagrees. In 2013, the union's president said, "Installation of cameras will provide the public nothing more than a false sense of security. More than a century of research establishes that monitoring workers actually reduces the ability to perform complex tasks, such as operating a train, because of the distractive effect."
Social Networks

Linux/Moose Worm Targets Routers, Modems, and Embedded Systems 110

Posted by Soulskill
from the moose-is-the-penguin's-natural-enemy dept.
An anonymous reader writes: Security firm ESET has published a report on new malware that targets Linux-based communication devices (modems, routers, and other internet-connected systems) to create a giant proxy network for manipulating social media. It's also capable of hijacking DNS settings. The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+. Affected router manufacturers include: Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL, and Zhone. The researchers found that even some medical devices were vulnerable to the worm, though it wasn't designed specifically to work with them.
Security

Exploit Kit Delivers Pharming Attacks Against SOHO Routers 30

Posted by timothy
from the north-of-houston-you're-ok dept.
msm1267 writes: For the first time, DNS redirection attacks against small office and home office routers are being delivered via exploit kits. French security researcher Kafeine said an exploit kit has been finding success in driving traffic from compromised routers to the attackers' infrastructure. The risk to users is substantial, he said, ranging from financial loss, to click-fraud, man-in-the-middle attacks and phishing.
Spam

Attackers Use Email Spam To Infect Point-of-Sale Terminals 85

Posted by samzenpus
from the protect-ya-neck dept.
jfruh writes: Point-of-sale software has meant that in many cases where once you'd have seen a cash register, you now see a general-purpose PC running point-of-sale (PoS) software. Unfortunately, those PCs have all the usual vulnerabilities, and when you run software on them that processes credit card payments, they become a tempting target for hackers. One of the latest attacks on PoS software comes in the form of malicious Word macros downloaded from spam emails.
Privacy

Sniffing and Tracking Wearable Tech and Smartphones 56

Posted by samzenpus
from the all-the-better-to-follow-you-with dept.
An anonymous reader writes: Senior researcher Scott Lester at Context Information Security has shown how someone can easily monitor and record Bluetooth Low Energy signals transmitted by many mobile phones, fitness monitors, and iBeacons. The findings have raised concerns about the privacy and confidentiality wearable devices may provide. “Many people wearing fitness devices don’t realize that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device,” Scott says. “Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device – that may belong to a celebrity, politician or senior business executive – within 100 meters in the open air. This information could be used for social engineering as part of a planned cyber attack or for physical crime by knowing people’s movements.” The researchers have even developed an Android app that scans, detects and logs wearable devices.
Firefox

Firefox's Optional Tracking Protection Reduces Load Time For News Sites By 44% 206

Posted by Soulskill
from the definition-of-a-win-win dept.
An anonymous reader writes: Former Mozilla software engineer Monica Chew and Computer Science researcher Georgios Kontaxis recently released a paper (PDF) that examines Firefox's optional Tracking Protection feature. The duo found that with Tracking Protection enabled, the Alexa top 200 news sites saw a 67.5 percent reduction in the number of HTTP cookies set. Furthermore, performance benefits included a 44 percent median reduction in page load time and 39 percent reduction in data usage.
Security

Researchers Devise Voting System That Seems Secure, But Is Hard To Use 103

Posted by Soulskill
from the find-the-candidate-and-hand-them-your-vote dept.
An anonymous reader writes: According to an article in ReadWrite, a team of British and American researchers have developed a hacker-resistant process for online voting called Du-Vote. It uses a credit card-sized device that helps to divide the security-sensitive tasks between your computer and the device in a way that neither your computer nor the device learns how you voted (PDF). If a hacker managed to control the computer and the Du-Vote token, he still can't change the votes without being detected.
Security

Hacker Warns Starbucks of Security Flaw, Gets Accused of Fraud 107

Posted by Soulskill
from the biting-the-hand-that-doesn't-steal-from-you dept.
Andy Smith writes: Here's another company that just doesn't get security research. White hat hacker Egor Homakov found a security flaw in Starbucks gift cards which allowed people to steal money from the company. He reported the flaw to Starbucks, but rather than thank him, the company accused him of fraud and said he had been acting maliciously.
Security

Adult Dating Site Hack Reveals Users' Sexual Preference, Extramarital Affairs 173

Posted by Soulskill
from the another-day,-another-breach dept.
An anonymous reader notes this report from Channel 4 News that Adult FriendFinder, one of the largest dating sites in the world, has suffered a database breach that revealed personal information for 3.9 million of its users. The leaked data includes email addresses, IP addresses, birth dates, postal codes, sexual preferences, and information indicating which of them are seeking extramarital affairs. There even seems to be data from accounts that were supposedly deleted. Channel 4 saw evidence that there were plans for a spam campaign against these users, and others are worried that a blackmail campaign will follow. "Where you've got names, dates of birth, ZIP codes, then that provides an opportunity to actually target specific individuals whether they be in government or healthcare for example, so you can profile that person and send more targeted blackmail-type emails," said cybercrime specialist Charlie McMurdy.
Android

Factory Reset On Millions of Android Devices Doesn't Wipe Storage 92

Posted by samzenpus
from the stucking-around dept.
Bismillah writes: Ross Anderson and Laurent Simon of Cambridge University studied a range of Android devices and found that even though a "factory reset" is supposed to fully wipe storage, it often doesn't. Interestingly enough, full-device encryption could be compromised by the incomplete wiping too. ITnews reports: "The researchers estimated that 500 million Android devices may not fully wipe device disk partitions. As many as 630 million phones may not wipe internal SD cards. Five 'critical failures' were outlined in the researchers' Security Analysis of Android Factory Resets paper."