Encryption

PSA: PlayStation Network Gets Two-Step Verification (arstechnica.com) 7

Consider this a public service announcement: Sony has (finally) added two-factor authentication to PlayStation Network accounts. If you're a PlayStation user and are reading this right now, you really should go set it up so that someone doesn't try to take over your account and steal your password. Ars Technica details how you can set up the new security features: "Turn on your PS4 and go to Settings -> PlayStation Network Account Management -> Account Information -> Security -> 2-Step Verification. You can also set it up through the web by logging into your PSN account on the web and going through the Security tab under the Account header. From there, on-screen instructions will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security for your PSN account. Two-factor support is not available when logging on to older PlayStation systems, so Sony recommends you generate a 'device setup password' to help protect the PS3, Vita, or PSP." Two-factor authentication comes five years after hackers breached PSN's security and stole 77 million accounts.
Communications

FCC Proposes 5G Cybersecurity Requirements, Asks For Industry Advice (fedscoop.com) 14

Presto Vivace quotes a report from FedScoop: "Cybersecurity issues must be addressed during the design phase for the entire 5G ecosystem, including devices. This will place a premium on collaboration among all stakeholders," said FCC chairman Tom Wheeler during a National Press Club event on June 20. "We continue to prefer an approach that emphasizes that industry develop cybersecurity standards just as we have done in wired networks." The FCC published a request Wednesday for comment on a new set of proposed 5G rules to the Federal Register focused on adding specific "performance requirements" for developers of example internet-connected devices. If a company hopes to secure a license to access higher-frequency 5G spectrum in the future then they will need to adhere to these specific requirements -- in other words, compliance is non-negotiable. Notably, these FCC "performance requirements" now include the submission of a network security plan. The report adds: "A quick review of the FCC's proposed 5G cybersecurity plan shows a six category split, organized by a companies' security approach, coordination efforts, standards and best practices, participation with standards bodies, other security approaches and plans with information sharing organizations. Security plans must be submitted to the commission at least six months before a 5G-ready product enters the market, according to the notice."
Wireless Networking

Italy Quake Rescuers Ask Locals To Unlock Their Wi-Fi (bbc.com) 63

Rescue teams searching for earthquake survivors in central Italy have asked locals to unlock their Wi-Fi networks. The Italian Red Cross says residents' home networks can assist with communications during the search for survivors, reports the BBC. From the report: On Wednesday a 6.2 magnitude earthquake struck central Italy and killed more than 240 people. More than 4,300 rescuers are looking for survivors believed to still be trapped in the rubble. On Twitter, the Italian Red Cross posted a step-by-step guide which explains how local residents can switch off their Wi-Fi network encryption. Similar requests have been made by the National Geological Association and Lazio Region. A security expert has warned that removing encryption from a home Wi-Fi network carries its own risks, but added that those concerns are trivial in the context of the rescue operation.
Windows

Windows 10 Computers Crash When Amazon Kindles Are Plugged In (theguardian.com) 168

It appears that many users are facing an issue with their Windows 10 computers when they plug in an Amazon Kindle device. According to reports, after installing the Windows 10 Anniversary Update, every time a user connects their Amazon Paperwhite or Voyage, their desktop or laptop locks up and requires a reboot. The Guardian reports: Pooka, a user of troubleshooting forum Ten Forums, said: "I've had a Kindle paperwhite for a few years now and never had an issue with connecting it via USB. However, after the recent Windows 10 updates, my computer BSOD's [blue screen of death] and force restarts almost as soon as I plug my Kindle in." On Microsoft's forums, Rick Hale said: "On Tuesday, I upgraded to the Anniversary Edition of Windows 10. Last night, for the first time since the upgrade, I mounted my Kindle by plugging it into a USB 2 port. I immediately got the blue screen with the QR code. I rebooted and tried several different times, even using a different USB cable, but that made no difference."
Government

Malware Sold To Governments Helped Them Spy on iPhones (washingtonpost.com) 28

One of the world's most evasive digital arms dealers is believed to have been taking advantage of three security vulnerabilities in popular Apple products in its efforts to spy on dissidents and journalists, reports The New York Times. (Editor's note: the link could be paywalled; here's an alternate source.) From the report: Investigators discovered that a company called the NSO Group, an Israeli outfit that sells software that invisibly tracks a target's mobile phone, was responsible for the intrusions. The NSO Group's software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the phone user. In response, Apple on Thursday released a patched version of its mobile software, iOS 9.3.5. Users can get the patch through a normal software update. The Washington Post reports that these "zero-day" flaws were previously used by governments to take over victims' phones by tricking them into clicking on a link in a text message. Motherboard says that this is the first time anyone has uncovered such an attack in the wild. "Until this month, no one had seen an attempted spyware infection leveraging three unknown bugs, or zero-days, in the iPhone. The tools and technology needed for such an attack, which is essentially a remote jailbreak of the iPhone, can be worth as much as one million dollars."
China

China To Crack Down On Unauthorised Radio Broadcasts (www.bgr.in) 38

An anonymous reader writes: Reportedly, in a national campaign aided by more than 30,000 airwave monitors, more than 500 sets of equipment for making unauthorised radio broadcasts were seized in China over the past six months. The campaign, launched on February 15 by the State Council, resulted in 1,796 cases related to illegal radio stations, after 301,840 hours of monitoring from February to July, according to an online statement by the Ministry of Industry and Information Technology. The number of incidents was down by 50 per cent from April to August, the China Daily quoted the statement as saying. So-called pirate radios have appeared in most parts of China since 2015 and this "has been a channel for criminals to defraud and promote aphrodisiacs, along with counterfeit and poor-quality medicine," according to the Ministry of Public Security's Criminal Investigation Department. The operating cost of a pirate radio is low, but profit can be high. A pirate radio station that broadcasts advertisements for aphrodisiacs can pocket more than 70,000 yuan ($10,500) a month, with an overhead cost of no more than 10,000 yuan, investigators said in a post on Sina Weibo. It said most spare parts for broadcasting equipment can be bought on the internet.
Security

Over 25 Million Accounts Stolen After Mail.ru Forums Hacked (zdnet.com) 25

An anonymous reader writes: Over 25 million accounts associated with forums hosted by Russian internet giant Mail.ru have been stolen by hackers. Two hackers carried out attacks on three separate game-related forums in July and August. One forum alone accounted for almost half of the breached data -- a little under 13 million records; the other two forums made up over 12 million records. The databases were stolen in early August, according to breach notification site LeakedSource.com, which obtained a copy of the databases. The hackers' names aren't known, but they used known SQL injection vulnerabilities found in older vBulletin forum software to get access to the databases. An analysis of the breached data showed that hackers took 12.8 million accounts from cfire.mail.ru, a total of 8.9 million records from parapa.mail.ru, and 3.2 million accounts from tanks.mail.ru. The hackers were able to obtain usernames, email addresses, scrambled passwords, and birthdays.
HP

NASA's Outsourced Computer People Are Even Worse Than You Might Expect (arstechnica.com) 241

Eric Berger, writing for ArsTechnica: As part of a plan to help NASA "modernize" its desktop and laptop computers, the space agency signed a $2.5 billion services contract with HP Enterprise Services in 2011. According to HP (now HPE), under the Agency Consolidated End-User Service (ACES) program the computing company would "modernize NASA's entire end-user infrastructure by delivering a full range of personal computing services and devices to more than 60,000 users." HPE also said the program would "allow (NASA) employees to more easily collaborate in a secure computing environment." The services contract, alas, hasn't gone quite as well as one might have hoped. This week Federal News Radio reported that HPE is doing such a poor job that NASA's chief information officer, Renee Wynn, could no longer accept the security risks associated with the contract. Wynn, therefore, did not sign off on the authority to operate (ATO) for systems and tools. A spokesperson for NASA said: "NASA continues to work with HPE to remediate vulnerabilities. As required by NASA policy, system owners must accomplish this remediation within a specified period of time. For those vulnerabilities that cannot be fully remediated within the established time frame, a Plan of Actions and Milestones (POAM) must be developed, approved, and tracked to closure."
Android

Opera Brings Its Free VPN Service To Android (techcrunch.com) 25

Frederic Lardinois, writing for TechCrunch: Earlier this year, Opera launched its free and unlimited VPN service for iOS; today it is bringing the same functionality to Android. Like the iOS version, the Android app is based on Opera's acquisition of SurfEasy in 2015 and allows you to surf safely when you are on a public network. While Opera's marketing mostly focuses on safety, Opera VPN also allows you to appear as if you are in the U.S., Canada, Germany, Singapore and The Netherlands, so it's also a way to route around certain geo-restrictions without having to opt for a paid service. In addition to its VPN features, the service also allows you to block ad trackers. Somewhat ironically, though, the app itself will show you some fairly unobtrusive ads. "The Opera VPN app for Android sets itself apart from other VPNs by offering a completely free service; without a data limit, no log-in required, advanced Wi-Fi protection features and no need for a subscription," says Chris Houston, the president of Opera's SurfEasy VPN division, in today's announcement.
Crime

FBI Authorized Informants To Break The Law 22,800 Times In 4 Years (dailydot.com) 106

blottsie quotes a report from the Daily Dot: Over a four-year period, the FBI authorized informants to break the law more than 22,800 times, according to newly reviewed documents. Official records obtained by the Daily Dot under the Freedom of Information Act show the Federal Bureau of Investigation gave informants permission at least 5,649 times in 2013 to engage in activity that would otherwise be considered a crime. In 2014, authorization was given 5,577 times, the records show. USA Today previously revealed confidential informants engaged in "otherwise illegal activity," as the bureau calls it, 5,658 times in 2011. The figure was at 5,939 the year before, according to documents acquired by the Huffington Post. In total, records obtained by reporters confirm the FBI authorized at least 22,823 crimes between 2011 and 2014. Unfortunately, many of those crimes can have serious and unintended consequences. One of the examples mentioned in the Daily Dot's report was of an FBI informant who "was responsible for facilitating the 2011 breach of Stratfor in one of the most high-profile cyberattacks of the last decade. While a handful of informants ultimately brought down the principal hacker responsible, the sting also caused Stratfor, an American intelligence firm, millions of dollars in damages and left an estimated 700,000 credit card holders vulnerable to fraud."
Canada

Ashley Madison Security Protocols Violated Canada, Australia Privacy Laws (www.cbc.ca) 29

The Office of the Privacy Commissioner of Canada said Tuesday that the Canada-based online dating and social networking service Ashley Madison used inadequate privacy and security technology while marketing itself as a discreet and secure way for consenting adults to have affairs. CBC.ca reports: "In a report Tuesday, the privacy watchdog says the Toronto-based company violated numerous privacy laws in Canada and abroad in the era before a massive data breach exposed confidential information from their clients to hackers. The hack stole correspondence, identifying details and even credit card information from millions of the site's users. The resulting scandal cost the company about a quarter of its annual revenues from irate customers who demanded refunds and cancelled their accounts. Working with a similar agency in Australia, the privacy group says the company knew that its security protocols were lacking but didn't do enough to guard against being hacked. The company even adorned its website with the logo of a 'trusted security award' -- a claim the company admits it fabricated." The report found that "poor habits such as inadequate authentication processes and sub-par key and password management practices were rampant at the company" and that "much of the company's efforts to monitor its own security were 'focused on detecting system performance issues and unusual employee requests for decryption of sensitive user data.'" What's more, Ashley Madison continued to store personal information of its users even after some of them had deleted or deactivated their account(s). These people then had their information included in databases published online after the hack.
Privacy

WikiLeaks Published Rape Victims' Names, Credit Cards, Medical Data (arstechnica.com) 296

Joe Mullin, writing for ArsTechnica: Even as WikiLeaks founder Julian Assange sits trapped in the Ecuadorean embassy, the WikiLeaks website continues to publish the secrets of various governments worldwide. But that's not all it's publishing. A report today by the Associated Press highlights citizens who had "sensitive family, financial or identity records" published by the site. "They published everything: my phone, address, name, details," said one Saudi man whose paternity dispute was revealed in documents published by the site. "If the family of my wife saw this... Publishing personal stuff like that could destroy people." One document dump, from Saudi diplomatic cables, held at least 124 medical files. The files named sick children, refugees, and patients with psychiatric conditions. In one case, the cables included the name of a Saudi who was arrested for being gay. In Saudi Arabia, homosexuality is punishable by death. In two other cases, WikiLeaks published the names of teenage rape victims. "This has nothing to do with politics or corruption," said Dr. Nayef al-Fayez, who had a patient with brain cancer whose personal details were published.
Android

Hey Google, Want To Fix Android Updates? Hit OEMs Where It Hurts (arstechnica.com) 186

Yesterday we talked about some Nexus devices, including 2013's Nexus 5, not receiving an update, because it has been more than two years since the launch of the phone. But as you may know, this commitment to keeping devices up to date is even worse when you look at what other Android OEMs are doing. ArsTechnica's Ron Amadeo has a solution: Google keeps missing the point when it comes to addressing Android's update situation. It keeps coming up with strategies to make updating "easier" for OEMs, but I don't think the problem is "ease of updating" -- it's creating any incentive for OEMs to update at all. Google seems to think that its partners will update phones because it's The Right Thing To Do by their customers and that handing out gold stars will send them scrambling to produce updates for their devices. I don't think that's ever going to happen. Google actually already tried the "shame" tactic and it didn't work. When Google owned Motorola, Moto's update speed went through the roof. Motorola was achieving near-Nexus-like update speeds on many of its phones and was definitely putting other manufacturers to shame. But the increased update competition never really spurred other OEMs to start competing on update speeds. The bottom line is that Android partners only care about, well, the bottom line -- money. These companies already have your money, so updating a device that's already been sold is a needless expense. There's also a good argument to be made that updating a device hurts future sales. If your phone isn't updated, it will start to feel old, so you're more likely to buy a new phone sooner.
Security

Epic Games Forums Hacked, Again (betanews.com) 38

An anonymous reader writes: Epic Games, maker of popular games such as Unreal and Infinity Blade, announced today that its forums have been hacked. Now, if you don't reuse passwords, that isn't a huge deal. But if you have used the same password on any other service, perhaps even a variation of that password, you will want to ensure that you have changed the password on all of those accounts. In the meantime, here's Epic Games: "We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext. While the data contained in the vBulletin account databases for these forums was leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset", says Epic Games. ZDNet is reporting that thousands of passwords have been stolen.
Security

BHU's 'Tiger Will Power' Wi-Fi Router May Be The Most Insecure Router Ever Made (softpedia.com) 62

An anonymous reader writes from a report via Softpedia: A Wi-Fi router manufactured and sold only in China can easily run for the title of "most insecure router ever made." The BHU router, whose name translates to "Tiger Will Power," has a long list of security problems that include: four authentication bypass flaws (one of which is just hilarious); a built-in backdoor root account that gets created on every boot-up sequence; the fact that it opens the SSH port for external connections after every boot (somebody has to use that root backdoor account right?); a built-in proxy server that re-routes all traffic; an ad injection system that adds adverts to all the sites you visit; and a backup JS file embedded in the router firmware if the ad script fails to load from its server. For techies, there's a long technical write-up, which gets funnier and scarier at the same time as you read through it. "An attacker authenticating on the router can use a hardcoded session ID (SID) value of 700000000000000 to gain admin privileges," reports Softpedia. "If he misspells the SID and drops a zero, that's no problem. The BHU router will accept any value and still grant the user admin rights."
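The hardcoded-SID behaviour described above is an instance of a session check that never consults a server-side record of issued sessions. As an added illustration (not code from the BHU firmware or from the Softpedia write-up), the Python below contrasts that weak pattern with a hardened check that only honours identifiers the server itself issued; the session store, the `issue_session` / `weak_is_admin` / `hardened_is_admin` names and the sample roles are assumptions made for the example.

```python
"""Session-ID validation: weak "any value passes" check beside a hardened one.

Added example, not the router's code. The in-memory session store and the
function names are assumptions; a real service would back this with a
database or cache and attach expiry times.
"""
import hmac
import secrets

# Constructed server-side session store: sid -> role.
# Only identifiers minted by issue_session() ever appear here.
SESSIONS: dict[str, str] = {}

SID_LEN = 32  # 16 random bytes rendered as hex


def issue_session(role: str) -> str:
    """Mint an unpredictable session ID and record its role server-side."""
    sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, never a constant
    SESSIONS[sid] = role
    return sid


def revoke_session(sid: str) -> None:
    """Remove a session so the ID stops being honoured (logout / incident response)."""
    SESSIONS.pop(sid, None)


def weak_is_admin(sid: str) -> bool:
    """The flawed pattern: the mere presence of a SID is treated as proof of admin.

    Any non-empty string passes, which is why a hardcoded value, or the same
    value with a digit dropped, would both be accepted.
    """
    return bool(sid)


def hardened_is_admin(sid: str) -> bool:
    """Accept only IDs that exist in the store and whose recorded role is admin."""
    if not sid or len(sid) != SID_LEN:
        return False
    # Reject anything that is not a well-formed token before touching the store.
    if any(c not in "0123456789abcdef" for c in sid):
        return False
    # Compare against issued IDs in constant time so that a lookup cannot leak
    # how many leading characters of a guess matched.
    for stored_sid, role in SESSIONS.items():
        if hmac.compare_digest(stored_sid, sid):
            return role == "admin"
    return False


if __name__ == "__main__":
    # Constructed walk-through: a guessed constant, a real admin session, a user session.
    guessed = "700000000000000"
    admin_sid = issue_session("admin")
    user_sid = issue_session("user")
    print("weak check, guessed constant:    ", weak_is_admin(guessed))       # True
    print("hardened check, guessed constant:", hardened_is_admin(guessed))   # False
    print("hardened check, issued admin:    ", hardened_is_admin(admin_sid)) # True
    print("hardened check, issued user:     ", hardened_is_admin(user_sid))  # False
    revoke_session(admin_sid)
    print("hardened check, after revoke:    ", hardened_is_admin(admin_sid)) # False
```

The design point is that authorization must be derived from state the server controls (the store and the role recorded at issue time), never from the shape or presence of a client-supplied value; revocation then becomes a single delete rather than something the client can ignore.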
Crime

Turkish Journalist Jailed For Terrorism Was Framed, Forensic Report Shows (vice.com) 96

An anonymous reader quotes a report from Motherboard: Turkish investigative journalist Baris Pehlivan spent 19 months in jail, accused of terrorism based on documents found on his work computer. But when digital forensics experts examined his PC, they discovered that those files were put there by someone who removed the hard drive from the case, copied the documents, and then reinstalled the hard drive. The attackers also attempted to control the journalist's machine remotely, trying to infect it using malicious email attachments and thumb drives. Among the viruses detected on his computer was an extremely rare trojan called Ahtapot, in one of the only times it's been seen in the wild. Pehlivan went to jail in February of 2011, along with six of his colleagues, after electronic evidence seized during a police raid in 2011 appeared to connect all of them to Ergenekon, an alleged armed group accused of terrorism in Turkey. A paper recently published by computer expert Mark Spencer in Digital Forensics Magazine sheds light on the case after several other reports have acknowledged the presence of malware. Spencer said no other forensics expert noticed the Ahtapot trojan in the OdaTV case, nor determined accurately how those documents showed up on the journalist's computer. However, almost all the reports have concluded that the incriminating files were planted. "We are not guilty," Baris Pehlivan told Andrada Fiscutean via Motherboard. "The files were put into our computers by a virus and by [attackers] entering the OdaTV office secretly. None of us has seen those documents before the prosecutor showed them to us."
(OdaTV is the website Pehlivan works for and "has been critical of the government and the Gulen Movement, which was accused by Turkish president Recep Tayyip Erdogan of orchestrating the recent attempted coup.") In regard to the report, senior security consultant at F-Secure, Taneli Kaivola, says, "Yes, [the report] takes an impressive level of conviction to locally attack a computer four times, and remotely attack it seven times [between January 1, 2011, and February 11, 2011], as well as a certain level of technical skill to set up the infrastructure for those attacks, which included document forgery and date and time manipulation."
Democrats

FBI Finds 14,900 More Documents From Hillary Clinton's Email Server (go.com) 524

An anonymous reader quotes a report from ABC News: The FBI uncovered nearly 15,000 more emails and materials sent to or from Hillary Clinton as part of the agency's investigation into her use of private email at the State Department. The documents were not among the 30,000 work-related emails turned over to the State Department by her attorneys in December 2014. The State Department confirmed it has received "tens of thousands" of personal and work-related email materials -- including the 14,900 emails found by the FBI -- that it will review. At a status hearing Monday before federal Judge Emmett Sullivan, who is overseeing that case, the State Department presented a schedule for how it would release the emails found by the FBI. The first group of 14,900 emails was ordered released, and a status hearing on Sept. 23 "will determine the release of the new emails and documents," Sullivan said. "As we have previously explained, the State Department voluntarily agreed to produce to Judicial Watch any emails sent or received by Secretary Clinton in her official capacity during her tenure as secretary of state which are contained within the material turned over by the FBI and which were not already processed for FOIA by the State Department," said State Department spokesman Mark Toner in a statement issued Monday. "We can confirm that the FBI material includes tens of thousands of non-record (meaning personal) and record materials that will have to be carefully appraised at State," it read. "State has not yet had the opportunity to complete a review of the documents to determine whether they are agency records or if they are duplicative of documents State has already produced through the Freedom of Information Act" said Toner, declining further comment.
Mozilla

Mozilla Is Changing Its Look -- and Asking the Internet For Feedback (arstechnica.com) 226

Megan Geuss, writing for ArsTechnica: Mozilla is trying a rebranding. Back in June, the browser developer announced that it would freshen up its logo and enlist the Internet's help in reaching a final decision. The company hired British design company Johnson Banks to come up with seven new "concepts" to illustrate the company's work. The logos rely on vibrant colors, and several of them recall '80s and '90s style. In pure, nearly-unintelligible marketing speak, Mozilla writes that each new design reflects a story about the company. "From paying homage to our paleotechnic origins to rendering us as part of an ever-expanding digital ecosystem, from highlighting our global community ethos to giving us a lift from the quotidian elevator open button, the concepts express ideas about Mozilla in clever and unexpected ways," Mozilla's Creative Director Tim Murray writes in a blog post. Mozilla is soliciting comment and criticism on the seven new designs for the next two weeks, but this is no Boaty McBoatface situation. Mozilla is clear that it's not crowdsourcing a design, asking anyone to work on spec, or holding a vote over which logo the Internet prefers. It's just asking for comments.
IT

Activists Call For General Strike On the Tor Network (vice.com) 127

Reader derekmead writes: Some Tor users are very unhappy with the way the project has been run in recent months, and are calling for a blackout on September 1st. They are asking users to not use Tor, for developers to stop working on Tor, and for those who run parts of the network's infrastructure to shut it down. The disgruntled users feel that Tor can no longer be fully trusted after a brief hiring of an ex-CIA official and the internal sexual misconduct investigation against activist Jacob Appelbaum.
Microsoft

Ask Slashdot: How Will You Handle Microsoft's New 'Cumulative' Windows Updates? (slashdot.org) 400

Microsoft has announced that it will discontinue "individual patches" for Windows 7 and 8.1 (as well as Windows Server 2008 R2, 2012, and 2012 R2). Instead there will be monthly "cumulative" rollups of each month's patches, and while there will be a separate "security-only" bundle each month, "individual patches will no longer be available." This has one anonymous Slashdot reader asking what the alternative is: We've read about the changes coming to Windows Update in October 2016... But what happens when it's time to wipe and reload the OS? Or what about installing Windows on different hardware? Admittedly, there are useful non-security updates worth having, but plenty to avoid (e.g. telemetry).

How does one handle this challenge? Set up a personal WSUS box before October to sync all desired updates through October 2016? System images can work if you don't change primary hardware, but what if you do? Or should one just bend the knee to Microsoft...?

Should they use AutoPatcher? Switch to Linux? Or just disconnect their Windows boxes from the internet... Leave your answers in the comments. How do you plan to handle Microsoft's new 'cumulative' Windows Updates?
