Security

Hackers Stole 65 Million Passwords From Tumblr (vice.com)

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: On May 12, Tumblr revealed that it had found out about a 2013 data breach affecting 'a set of users' email addresses and passwords, but the company refused to reveal how many users were affected. As it turns out, that number is 65 million, according to an independent analysis of the data. Troy Hunt, a security researcher who maintains the data breach awareness portal Have I Been Pwned, recently obtained a copy of the stolen data set. Hunt told Motherboard that the data contained 65,469,298 unique emails and passwords. Update: 05/30 16:36 GMT by M : An earlier version of the original report claimed that data of 68 million accounts were compromised. It's 65 million. The original story, and hence, this summary has been updated to reflect the same.
Encryption

WWII Code-Breaker Dies At Age 95 (washingtonpost.com)

An anonymous reader quotes an article from the Washington Post: Jane Fawcett, a British code-breaker during World War II who deciphered a key German message that led to the sinking of the battleship Bismarck -- one of Britain's greatest naval victories during the war -- died May 21 at her home in Oxford, England. She was 95... Fluent in German and driven by curiosity, Mrs. Fawcett -- then known by her maiden name, Jane Hughes -- found work at Britain's top-secret code-breaking facility at Bletchley Park, about 50 miles northwest of London. Of the 12,000 people who worked there, about 8,000 were women. Bletchley Park later became renowned as the place where mathematician Alan Turing and others solved the puzzle of the German military's "Enigma machine," depicted in the 2014 film "The Imitation Game"...

The sinking of the Bismarck marked the first time that British code-breakers had decrypted a message that led directly to a victory in battle... Mrs. Fawcett's work was not made public for decades. Along with everyone else at Bletchley Park, she agreed to comply with Britain's Official Secrets Act, which imposed a lifetime prohibition on revealing any code-breaking activities.

Meanwhile, volunteers from The National Museum of Computing at Bletchley Park finally tracked down an original keyboard from the Lorenz machine used to encrypt top-secret messages between Hitler and his generals. It was selling on eBay for 10 pounds, advertised as an old machine for sending telegrams.
Security

Fiverr Suffers Six-Hour DDoS Attack After Removing DDoS-For-Hire Listings (softpedia.com)

Two days after Fiverr, a marketplace for digital services, removed user listings from its website that advertised DDoS-for-hire services, the company's website suffered a six-hour-long DDoS attack. Softpedia reports: The incident took place on the morning of May 27 (European time zones), and the service admitted its problems on its Twitter account. At the time of writing, Fiverr has been back up and functioning normally for more than two hours. Fiverr's problems stem from an Incapsula probe that found DDoS-for-hire ads on its marketplace, available for $5. Incapsula reported the suspicious listings to Fiverr, which investigated the issue and removed the ads. Fiverr first removed all listings advertising blatantly illegal DDoS services, but later also removed the ads offering to "test" a website for DDoS "protection" measures.
EU

Ruby on Rails Creator Supports After-Work Email Bans (signalvnoise.com)

An anonymous reader writes: David Heinemeier Hansson, the creator of Ruby on Rails, is applauding talk of an after-work e-mail ban, writing that "the ever-expanding expectations for when someone is available have gotten out of hand... Work emails are ticking in at all sorts of odd hours and plenty of businesses are dysfunctional enough to believe they have a right to have those answered, whatever the hour. That's unhealthy, possibly even exploitative... Same goes for forcing everyone to work in an open office. The research is mounting on all the ills that come from persistent noise and interruptions from that arrangement."

While acknowledging that his firm's project management tool Basecamp has a "perfect storm" of features that can send emails and texts after hours, Hansson points out that at least version 3 (released in 2015) shipped with a scheduling feature that will hold notifications during weekends and other specified off-work periods. "What we need before we can even dream of having something like the French response is a change in attitudes. Less celebration of workaholism, more #WorkCanWait. More recognition that stress from unrealistic and unhealthy expectations and work habits is actually a real hazard to health and sanity."

Facebook

That North Korean Facebook Clone Has Already Been Hacked (vice.com)

Remember yesterday's story about an off-the-shelf Facebook clone in North Korea? Within a few hours that site was hacked by an 18-year-old college student in Scotland. An anonymous reader writes: Using the default credentials, Andrew McKean posted "Uh, I didn't create this site just found the login" in the site's box for Sponsored links. "McKean was able to become an admin for the site just by clicking on the 'Admin' link at the bottom of the site and guessing the username and password," writes Motherboard, which adds that the password was "password". McKean says the breach "was easy enough," and granted him the ability to "delete and suspend users, change the site's name, censor certain words and manage the eventual ads, and see everyone's emails."
The teenager said he had "no plans" for the compromised site -- except possibly redirecting it to an anti-North Korean page.
Crime

California Mayors Demand Surveillance Cams On Crime-Ridden Highways (arstechnica.com)

An anonymous reader shares an Ars Technica report: The 28 shootings along a 10-mile stretch of San Francisco-area highway over the past six months have led mayors of the adjacent cities to declare that these "murderous activities" have reached "crisis proportions." Four people have been killed and dozens injured. These five mayors want California Gov. Jerry Brown to fund surveillance cameras along all the on and off ramps of Interstate 80 and Highway 4 along the cities of El Cerrito, Hercules, Richmond, San Pablo, and Pinole.
Privacy

Controversial Surveillance Firm Blue Coat Was Granted a Powerful Encryption Certificate (vice.com)

Joseph Cox, reporting for Motherboard (edited for clarity): A controversial surveillance company called Blue Coat Systems -- whose products have been detected in Iran and Sudan -- was recently issued a powerful encryption certificate by Symantec. The certificate, and the authority that comes with it, could allow Blue Coat Systems to more easily snoop on encrypted traffic. But Symantec downplayed concern from the security community. Blue Coat, which sells web-monitoring software, was granted the power in September last year, but it was only widely noticed this week. The company's devices are used by both government and commercial customers for keeping tabs on networks or conducting surveillance. In Syria, the technology has been used to censor web sites and monitor the communications of dissidents, activists and journalists. Blue Coat says it will not use the certificate, an intermediate CA certificate chained to Symantec's root, to intercept anyone's traffic. The Register reports: We asked Blue Coat how it planned to use its new powers -- and we were assured that its intermediate certificate was only used for internal testing and that the certificate is no longer in use. "Symantec has reviewed the intermediate CA issued to Blue Coat and determined it was used appropriately," the two firms said in a statement. "Consistent with their protocols, Symantec maintained full control of the private key and Blue Coat never had access to it. Blue Coat has confirmed it was used for internal testing and has since been discontinued. Therefore, rumors of misuse are unfounded."
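Why an intermediate CA certificate is "powerful", and what the two firms' statements do and do not settle, is easier to see with a chain in hand. The script below is an added example, not code from Motherboard, Symantec or Blue Coat: it drives the openssl command-line tool to build a throwaway root, an intermediate signed by that root, and a leaf certificate for a hostname the intermediate's operator does not own, then validates the leaf the way a client would. The CA names, the hostnames www.bank.example and .test.example, and the nameConstraints scope are all constructed for the demonstration. Nothing in the chain records who holds the intermediate's private key, which is why "Symantec maintained full control of the private key" is the claim that matters; the second run shows the one technical control a CA can put in the certificate itself, a name constraint, that would have limited an internal-testing intermediate to internal names.

```python
import subprocess
import tempfile
from pathlib import Path
from typing import List, Tuple


def _openssl(args: List[str], cwd: Path) -> subprocess.CompletedProcess:
    """Run one openssl command inside cwd; raise if it exits non-zero."""
    return subprocess.run(["openssl", *args], cwd=cwd, capture_output=True, text=True, check=True)


# Fast, unencrypted EC keys: this demo is about X.509 structure, not key strength.
_NEWKEY = ["-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes"]


def _csr(cwd: Path, stem: str, cn: str) -> None:
    _openssl(["req", "-new", *_NEWKEY, "-keyout", f"{stem}.key", "-out", f"{stem}.csr",
              "-subj", f"/CN={cn}"], cwd)


def issue_chain(constrained: bool, leaf_name: str = "www.bank.example") -> Path:
    """Build root -> intermediate -> leaf in a fresh temp dir and return that dir.

    constrained=True adds a critical nameConstraints extension to the intermediate so it
    may only issue for names under .test.example (all names here are constructed).
    """
    d = Path(tempfile.mkdtemp(prefix="chain-"))

    # 1. Self-signed root: stands in for a root a client already trusts.
    _csr(d, "root", "Demo Root CA")
    (d / "root.ext").write_text("basicConstraints=critical,CA:TRUE\n"
                                "keyUsage=critical,keyCertSign,cRLSign\n")
    _openssl(["x509", "-req", "-in", "root.csr", "-signkey", "root.key", "-out", "root.pem",
              "-days", "30", "-extfile", "root.ext"], d)

    # 2. Intermediate signed by the root. Without nameConstraints, whoever holds int.key
    #    can mint a certificate for ANY hostname that chains to the trusted root.
    _csr(d, "int", "Demo Intermediate CA")
    int_ext = ("basicConstraints=critical,CA:TRUE,pathlen:0\n"
               "keyUsage=critical,keyCertSign,cRLSign\n")
    if constrained:
        int_ext += "nameConstraints=critical,permitted;DNS:.test.example\n"
    (d / "int.ext").write_text(int_ext)
    _openssl(["x509", "-req", "-in", "int.csr", "-CA", "root.pem", "-CAkey", "root.key",
              "-CAcreateserial", "-out", "int.pem", "-days", "30", "-extfile", "int.ext"], d)

    # 3. Leaf for a hostname the intermediate's operator does not control.
    _csr(d, "leaf", leaf_name)
    (d / "leaf.ext").write_text("basicConstraints=CA:FALSE\n"
                                "extendedKeyUsage=serverAuth\n"
                                f"subjectAltName=DNS:{leaf_name}\n")
    _openssl(["x509", "-req", "-in", "leaf.csr", "-CA", "int.pem", "-CAkey", "int.key",
              "-CAcreateserial", "-out", "leaf.pem", "-days", "30", "-extfile", "leaf.ext"], d)
    return d


def verify_leaf(chain_dir: Path) -> Tuple[bool, str]:
    """Validate leaf.pem as a client would: root trusted, intermediate supplied untrusted."""
    r = subprocess.run(["openssl", "verify", "-CAfile", "root.pem", "-untrusted", "int.pem", "leaf.pem"],
                       cwd=chain_dir, capture_output=True, text=True)
    return r.returncode == 0, (r.stdout + r.stderr).strip()


if __name__ == "__main__":
    for constrained in (False, True):
        ok, detail = verify_leaf(issue_chain(constrained))
        print(f"intermediate constrained={constrained}: leaf trusted={ok}  [{detail}]")
```

The unconstrained run validates: the client sees a well-formed chain to its trusted root and has no way to tell that the intermediate belongs to a third party rather than to the root's operator. The constrained run fails with a permitted-subtree violation for www.bank.example while a name under .test.example still validates. Name constraints, certificate transparency logging and key pinning are the controls that make a statement like Symantec's checkable from the outside; "we kept the private key" is not something a relying party can verify from the certificate.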
Encryption

Feinstein-Burr Encryption Legislation Is Dead In The Water (slashdot.org)

An anonymous reader writes from a report via Reuters: After the San Bernardino terrorist attack, key U.S. lawmakers pledged to require technology companies to give law enforcement agencies a "back door" to encrypted communications and electronic devices. Now, the push for legislation is dead only months after the terrorist attack. In April, Senators Richard Burr and Dianne Feinstein released the official version of their anti-encryption bill with hopes for it to pass through Congress. But with the lack of White House support for the legislation as well as the high-profile court case between Apple and the Justice Department, the legislation will likely not be introduced this year, and even if it were, it would stand no chance of advancing, said sources familiar with the matter. "The short life of the push for legislation illustrates the intractable nature of the debate over digital surveillance and encryption, which has been raging in one form or another since the 1990s," reports Reuters. Technology companies believe security would be undermined if they were to create a "back door" for law enforcement, while law enforcement agencies believe they need to monitor phone calls, emails, text messages and encrypted data in general for security purposes.
Crime

FBI Raids Dental Software Researcher Who Found Patient Records On Public Server (dailydot.com)

blottsie writes: Yet another security researcher is facing possible prosecution under the CFAA for accessing data on a publicly accessible server. The FBI on Tuesday raided Texas-based dental software security researcher Justin Shafer, who found the protected health records of 22,000 patients stored on an anonymous FTP server. "This is a troubling development. I hope the government doesn't think that accessing unsecured files on a public FTP server counts as an unauthorized access under the CFAA," Orin Kerr, a George Washington University law professor and CFAA scholar told the Daily Dot. "If that turns out to be the government's theory -- which we don't know yet, as we only have the warrant so far -- it will be a significant overreach that raises the same issues as were briefed but not resolved in [Andrew 'weev' Auernheimer's] case. I'll be watching this closely." It was also reported this week via The Intercept that a provision snuck into the still-secret text of the Senate's annual intelligence authorization would give the FBI the ability to demand individuals' email data and possibly web-surfing history from their service providers using those beloved 'National Security Letters' -- without a warrant and in complete secrecy.
Transportation

Model X Owner Files Lemon Law Suit Against Tesla, Claims Car Is Unsafe To Drive (bgr.com)

An anonymous reader quotes a report from BGR: When designing the Model X, Tesla went more than a little bit overboard in trying to trick out its crossover SUV with as many bells and whistles as possible. Not only did Tesla's overly ambitious development delay the launch of the Model X, it has arguably resulted in a noticeably higher number of quality control issues than we're accustomed to seeing. Hardly a controversial point, even Tesla CEO Elon Musk has conceded that the company was far too zealous when developing the Model X. While some customers with frustrating Model X issues have noted that Tesla has been quick to fix any problems, one Model X owner from California has had enough. According to the Courthouse News Service, via Teslarati, Barrett Lyon recently filed a Lemon Law claim against Tesla, arguing that the car's problems are unfixable and that it's ultimately unsafe to drive. In addition to finding that the front door would often slam shut on his leg, Lyon's suit details a slew of other problems, including Autopilot problems, touch screen freezes and more. A Tesla Model S owner, on the other hand, reported that his vehicle went rogue, causing an accident all by itself.
Security

Hackers Claim to Have 427 Million Myspace Passwords (vice.com)

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: There's an oft-repeated adage in the world of cybersecurity: There are two types of companies, those that have been hacked, and those that don't yet know they have been hacked. MySpace, the social media behemoth that was, is apparently in the second category. The same hacker who was selling the data of more than 164 million LinkedIn users last week now claims to have 360 million emails and passwords of MySpace users, which would be one of the largest leaks of passwords ever. And it looks like the data is being circulated in the underground by other hackers as well. It's unclear when the data was stolen from MySpace, but both the hacker, who's known as Peace, and one of the operators of LeakedSource, a paid hacked data search engine that also claims to have the credentials, said it's from a past, unreported, breach.
Security

North Korea Linked to the SWIFT Bank Hacks (bloomberg.com)

North Korea could be behind the recent string of digital attacks on Asian banks, says Symantec. The cybersecurity firm notes that the attacks can be traced back as far as October 2015, two months prior to the earliest known incident. As you may recall, hackers stole around $80M from Bangladesh's central bank in March, and a similar attack was seen at a Vietnamese bank earlier this month. Symantec says it has found evidence that the distinctive malware used in both hacks shares strong commonalities with the malware from the 2014 Sony Pictures breach. Security firm FireEye also investigated the matter. From a Bloomberg report: Investigators are examining possible computer breaches at as many as 12 banks linked to Swift's global payments network that have irregularities similar to those in the theft of $81 million from the Bangladesh central bank, according to a person familiar with the probe. FireEye, the security firm hired by the Bangladesh bank, has been contacted by the other banks, most of which are in Southeast Asia, because of signs that hackers may have breached their networks, the person said. They include banks in the Philippines and New Zealand but not in Western Europe or the United States. There is no indication of whether money was taken.
Transportation

Why Are We Spending Billions and Tons of Fossil Fuel On Searches For Lost Planes?

Reader Max_W asks: After days of massive search, finally: "Report: Signals detected from EgyptAir Flight 804 in Mediterranean."

Why not record the GPS/GLONASS track constantly into a text file on, say, twenty USB flash drives enclosed in orange styrofoam with the aircraft serial number on it? In case of an accident, these waterproof USB flash drives are released overboard. Certainly the text file is encrypted.

Such a floating USB flash drive would cost at most a hundred USD even if equipped with a tiny LED lamp; while an aircraft costs millions, and a search may cost billions, let alone thousands of tons of burned fossil fuel.
Government

Secret Text In Senate Bill Would Give FBI Warrantless Access To Email Records (theintercept.com)

mi quotes a report from The Intercept: A provision snuck into the still-secret text of the Senate's annual intelligence authorization would give the FBI the ability to demand individuals' email data and possibly web-surfing history from their service providers using those beloved 'National Security Letters' -- without a warrant and in complete secrecy. [The spy bill passed the Senate Intelligence Committee on Tuesday, with the provision in it. The lone no vote came from Sen. Ron Wyden, D-Ore., who wrote in a statement that one of the bill's provisions "would allow any FBI field office to demand email records without a court order, a major expansion of federal surveillance powers." If passed, the change would expand the reach of the FBI's already highly controversial national security letters. The FBI is currently allowed to get certain types of information with NSLs -- most commonly, information about the name, address, and call data associated with a phone number or details about a bank account. The FBI's power to issue NSLs is actually derived from the Electronic Communications Privacy Act -- a 1986 law that Congress is currently working to update to incorporate more protections for electronic communications -- not fewer. The House unanimously passed the Email Privacy Act in late April, while the Senate is due to vote on its version this week. "NSLs have a sordid history. They've been abused in a number of ways, including targeting of journalists and use to collect an essentially unbounded amount of information," Andrew Crocker, staff attorney for the Electronic Frontier Foundation, wrote. One thing that makes them particularly easy to abuse is that recipients of NSLs are subject to a gag order that forbids them from revealing the letters' existence to anyone, much less the public.]
Businesses

Anonymous Hackers Turned Stock Analysts Are Targeting US, Chinese Corporations (softpedia.com)

An anonymous reader writes: A smaller group of Anonymous, called Anonymous Analytics, reached the conclusion that DDoSing is stupid and never fixes anything, so they decided to use their hacking skills and stock market knowledge to make a difference in another way. For the past few years, the group has been compiling market reports on U.S. and Chinese companies and publishing their results. Their reports have been noticed by the stock market, which recently started to react to their findings. The most obvious case was that of Chinese lottery machine maker REXLot. The hackers discovered that REXLot inflated its revenue and the amount of cash on its balance sheet, based on the amount of interest earned. "The group published its findings on June 24, 2015, and REXLot stock price plummeted from 0.485 Hong Kong dollar per share to 0.12, before trading was suspended [for ten months]. REXLot rejoined the market on April 18, 2016, this year, but even after submitting a 53-page report, the company stock fell again by 50 percent," reports Softpedia. Anonymous Analytics then published two more reports on the company, urging the market to sell, and two days later, Reuters reported that REXLot did not have enough cash to make due bond payments, which meant the company had to sell assets to repay bonds. Other companies on which the group has published market reports include Qihoo 360 and Western Union.
Privacy

Millennials Value Speed Over Security, Says Survey (dailydot.com)

An anonymous reader quotes a report from The Daily Dot: Millennials stand apart from other Americans in preferring faster Internet access to safer Internet access, according to a new survey. When digital-authentication firm SecureAuth asked people from all age groups whether they would rather be safer online or browse faster online, 57 percent of Americans chose security and 43 percent chose speed. But among millennials, the results were almost reversed: 54 percent chose speed over security. Young people are also more willing than the overall population to share sensitive information over public Wi-Fi connections, which are notoriously insecure as they allow anyone on the network to analyze and intercept passing traffic. While a clear majority (57 percent) of Americans told SecureAuth that they transmitted such information over public Wi-Fi, nearly eight in 10 (78 percent) of millennials said they did so. A surprising 44 percent of millennials believe their data is generally safe from hackers, and millennials are more likely than members of other age groups to share account passwords with friends. Americans overall are paying more attention to some aspects of digital security. An October 2015 study by the wireless industry's trade group found that 61 percent of Americans use passwords on their smartphones and 58 percent use them on their tablets, compared to 50 percent and 48 percent, respectively, in 2012. The recent study lines up with a report published on May 24 that found that the elderly use more secure passwords than millennials.
Network

Tor To Use Distributed RNG To Generate Truly Random Numbers (softpedia.com)

An anonymous reader quotes a report from Softpedia: Tor developers have been working on the next iteration of the Tor network and its underbelly, the Onion routing protocol, in order to create a stronger, harder-to-crack anonymous communications system. To advance the project, the developer team schedules brainstorming and planning meetings at regular intervals. The most recent of these meetings took place last week, in Montreal, Canada. In this session, the team tested the next generation of the Tor network working on top of a revamped Onion protocol that uses a new algorithm for generating random numbers, never before seen on the Internet. The Tor Project says it created something it calls "a distributed RNG" (random number generator) that uses two or more computers to create random numbers and then blends their outputs together into a new random number. The end result is something that's almost impossible to crack without knowing which computers from a network contributed to the final random number, and what entropy each one used. Last week, two University of Texas academics made a breakthrough in random number generation. The work is theoretical, but could lead to a number of advances in cryptography, scientific polling, and the study of various complex environments such as the climate.
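The article describes the outcome (several machines each contribute randomness and the outputs are blended) but not how the blending is kept honest, which is the actual problem: if the last machine to contribute can see everyone else's value first, it can pick its own to steer the result. The standard answer is a commit-and-reveal round, shown below as an added example that is not Tor's own code; whether Tor's protocol matches this sketch is not something the article says. Each party first publishes a hash of its value, and only once every commitment is in does anyone reveal; a reveal that does not match its commitment is thrown out. The party names, the fixed contribution values and the "cheater" scenario are constructed for the demonstration.

```python
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple


def commit(value: bytes) -> bytes:
    """Phase 1: publish H(value). The hash binds the party to its value before it has seen
    anyone else's. Values here are assumed to be full-entropy 32-byte strings; a low-entropy
    value would need a random salt folded into the commitment to stay hidden."""
    return hashlib.sha256(b"commit|" + value).digest()


def check_reveal(commitment: bytes, revealed: bytes) -> bool:
    """Phase 2: accept a revealed value only if it hashes to the earlier commitment."""
    return commitment == commit(revealed)


def combine(values: Iterable[bytes]) -> bytes:
    """Blend every accepted contribution into one output. Hashing the length-prefixed,
    sorted concatenation means every party computes the same result, the output depends
    on every input bit, and no single contributor can predict it without the others."""
    h = hashlib.sha256()
    for v in sorted(values):
        h.update(len(v).to_bytes(2, "big") + v)  # length prefix: a|b cannot collide with ab|""
    return h.digest()


def shared_random(commitments: Dict[str, bytes], reveals: Dict[str, bytes]) -> Tuple[bytes, List[str]]:
    """Close a round. Returns (shared value, names excluded for a missing or mismatched reveal)."""
    accepted: List[bytes] = []
    excluded: List[str] = []
    for name, c in sorted(commitments.items()):
        v = reveals.get(name)
        if v is not None and check_reveal(c, v):
            accepted.append(v)
        else:
            excluded.append(name)
    return combine(accepted), excluded


def run_round(contributions: Dict[str, bytes], cheater: Optional[str] = None) -> Tuple[bytes, List[str]]:
    """Simulate one round over a constructed set of parties. If `cheater` is set, that party
    commits honestly and then, after seeing everyone else's reveal, tries to substitute a
    value of its own choosing; the commitment check catches the substitution."""
    commitments = {name: commit(v) for name, v in contributions.items()}
    reveals = dict(contributions)
    if cheater is not None:
        reveals[cheater] = b"value chosen after seeing the others' reveals"
    return shared_random(commitments, reveals)


if __name__ == "__main__":
    parties = {"alice": b"\x01" * 32, "bob": b"\x02" * 32, "carol": b"\x03" * 32}
    print("honest round:", run_round(parties)[0].hex())
    out, dropped = run_round(parties, cheater="carol")
    print("carol cheats:", out.hex(), "excluded:", dropped)
```

What the commitment buys is that a party cannot change its mind after seeing the others: its only remaining move is to withhold the reveal entirely, which still lets it choose between two candidate outputs (with and without its value). That one bit of bias per dishonest party is the known limit of plain commit-and-reveal and is why deployed designs add penalties for non-revealing participants; the article does not say how Tor handles it.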
AI

Researchers Teaching Robots To Feel and React To Pain (ieee.org)

An anonymous reader writes: Researchers from Leibniz University of Hannover in Germany are developing what they call an "artificial robot nervous system" that would allow robots to "feel" pain and react accordingly so they can avoid potential damage to their components. According to IEEE, the system uses a "nervous robot-tissue model that is inspired by the human skin structure" to measure different pain levels and move the robot in a way that prevents damaging interactions. [The model transmits pain information in repetitive spikes if the force exceeds a certain threshold, and the pain controller reacts after classifying the information into light, moderate, or severe pain.] Johannes Kuehn, one of the researchers, argues that in addition to avoiding potential damage to their components, robots will be protecting humans as well, since a growing number of them will be operating in close proximity to human workers. Kuehn, who worked on the project with Professor Sami Haddadin, reasoned that if our biological mechanisms to sense and respond to pain are so effective, why not devise a bio-inspired robot controller that mimics those mechanisms?
Microsoft

Microsoft May Ban Your Favorite Password (securityweek.com)

wiredmikey writes from a report via SecurityWeek.Com: Microsoft is taking a step to better protect users by banning the use of weak and commonly-used passwords across its services. Microsoft has announced that it is dynamically banning common passwords from the Microsoft Account and Azure Active Directory (AD) systems. In addition to banning commonly used passwords to improve user account safety, Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked. [Alex Weinert, Group Program Manager of the Azure AD Identity Protection team, explains in a blog post that] Microsoft is seeing more than 10 million accounts being attacked each day, and that this data is used to dynamically update the list of banned passwords. This list is then used to prevent people from choosing a common or similar password. Microsoft's new feature comes after last week's leak of 117 million LinkedIn credentials.
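The interesting word in that summary is "similar": a banned list that only blocks exact strings is defeated by P@ssw0rd1!, which satisfies every complexity rule and is still "password" to an attacker's wordlist. The check below is an added example, not Microsoft's implementation (the blog post is not quoted in enough detail to reproduce it): it normalises a candidate password by lowercasing, undoing the usual leet substitutions and stripping the digits and symbols people bolt onto either end, tests the result against a banned list, and then allows one edit of slack so trivial misspellings of a banned word are caught too. The banned list here is a small constructed sample; in the scheme described above it would be rebuilt continuously from attack traffic and breach dumps like the LinkedIn set.

```python
import re
from typing import Optional, Set

# Constructed sample; a production list would be fed from observed attacks and breach corpora.
BANNED: Set[str] = {"password", "letmein", "qwerty", "iloveyou", "welcome", "football", "dragon", "monkey"}

# Substitutions people use to get a banned word past a complexity rule.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                       "@": "a", "$": "s", "!": "i"})


def candidates(password: str) -> Set[str]:
    """Forms of the password worth matching: lowercased, with leet undone, and with
    leading/trailing non-letters stripped, in every combination (so P@ssw0rd1! and
    1password both yield 'password'). Empty forms are dropped."""
    lower = password.lower()
    forms = {lower, lower.translate(_LEET)}
    stripped = {re.sub(r"^[^a-z]+|[^a-z]+$", "", f) for f in forms}
    return {f for f in forms | stripped | {s.translate(_LEET) for s in stripped} if f}


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                  # a is now the shorter (or equal-length) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1                   # substitution: advance both
        j += 1                       # insertion in the longer string: skip its extra char
    return edits + (len(b) - j) <= 1  # a trailing unmatched char in b counts as one insertion


def is_banned(password: str, banned: Set[str] = BANNED) -> Optional[str]:
    """Return the banned entry this password resolves to, or None if it is acceptable.
    Exact matches after normalisation are checked first, then one-edit fuzzy matches
    ('passwrd'); short forms are excluded from fuzzy matching to limit false positives."""
    forms = candidates(password)
    for f in forms:
        if f in banned:
            return f
    for f in forms:
        if len(f) < 6:
            continue
        for word in banned:
            if within_one_edit(f, word):
                return word
    return None


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Password123", "passwrd", "m0nk3y!", "correct horse battery staple"):
        print(f"{pw!r:34} -> {is_banned(pw)}")
```

The fuzzy step is a trade-off: edit distance 1 against a large list will reject some legitimate words (an entry of "admin" would also block "admit"), so production systems tune the minimum length and distance against their own rejection rate. Both checks are cheap enough to run at password-set time, which is where the article's "dynamic" list is applied.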
Cellphones

FCC Formalizes Massive Fines For Selling, Using Cell-Phone Jammers (networkworld.com)

An anonymous reader quotes a report from Network World: Two years ago the FCC announced its intention to fine a Chinese electronics maker $34.9 million and a Florida man $48,000 for respectively selling and using illegal cell-phone jammers. Today the agency has issued press releases telling us that those fines have finally been made official, without either of the offending parties having bothered to mount a formal defense of their actions. From the press release announcing the fine against CTS Technology: "[...] The company's website falsely claimed that some jammers had been approved by the FCC, and advertised that the company could ship signal jammers to consumers in the United States." The company did not respond to the FCC's allegations, although the agency does report that changes were made to its website that appear to be aimed at complying with U.S. law. Next up is the Florida man, Jason R. Humphreys, who is alleged to have used a jammer on his commute: "Mr. Humphreys' illegal operation of the jammer continued for up to two years, caused interference to cellular service along Interstate 4, and disrupted police communications." Last fall, a Chicagoan was arrested for using a cell-phone jammer to make his subway commute more tolerable.
