Privacy

How Email Open Tracking Quietly Took Over the Web (wired.com) 104

Brian Merchant, writing for Wired: There are some 269 billion emails sent and received daily. That's roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an "email intelligence" company that also builds anti-tracking tools. The tech is pretty simple. Tracking clients embed a line of code in the body of an email -- usually in a 1x1 pixel image, so tiny it's invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online. But lately, a surprising -- and growing -- number of tracked emails are being sent not from corporations, but acquaintances. "We have been in touch with users that were tracked by their spouses, business partners, competitors," says Florian Seroussi, the founder of OMC. "It's the wild, wild west out there." According to OMC's data, a full 19 percent of all "conversational" email is now tracked. That's one in five of the emails you get from your friends. And you probably never noticed.
China

German Intelligence Warns of Increased Chinese Cyberspying (apnews.com) 60

The head of Germany's domestic intelligence agency has warned that China allegedly is using social networks to try to cultivate lawmakers and other officials as sources. From a report: Hans-Georg Maassen said his agency, known by its German acronym BfV, believes more than 10,000 Germans have been targeted by Chinese intelligence agents posing as consultants, headhunters or researchers, primarily on the social networking site LinkedIn. "This is a broad-based attempt to infiltrate in particular parliaments, ministries and government agencies," Maassen said.
HP

HP Laptops Found To Have Hidden Keylogger (bbc.com) 110

Hidden software that can record every letter typed on a computer keyboard has been discovered pre-installed on hundreds of HP laptop models, BBC reported on Monday citing the findings of a security researcher. From the report: Security researcher Michael Myng found the keylogging code in software drivers preinstalled on HP laptops to make the keyboard work. HP said more than 460 models of laptop were affected by the "potential security vulnerability." It has issued a software patch for its customers to remove the keylogger. The issue affects laptops in the EliteBook, ProBook, Pavilion and Envy ranges, among others. HP has issued a full list of affected devices, dating back to 2012. Mr Myng discovered the keylogger while inspecting Synaptics Touchpad software, to figure out how to control the keyboard backlight on an HP laptop. He said the keylogger was disabled by default, but an attacker with access to the computer could have enabled it to record what a user was typing. According to HP, it was originally built into the Synaptics software to help debug errors. It acknowledged that could lead to "loss of confidentiality" but it said neither Synaptics nor HP had access to customer data as a result of the flaw.
United States

FCC Refuses Records For Investigation Into Fake Net Neutrality Comments (variety.com) 163

"FCC general counsel Tom Johnson has told the New York State attorney general that the FCC is not providing information for his investigation into fake net-neutrality comments, saying those comments did not affect the review, and challenging the state's ability to investigate the feds." Variety has more: The FCC's general counsel, in a letter to New York Attorney General Eric Schneiderman, also dismissed his concerns that the volume of fake comments or those made with stolen identities have "corrupted" the rule-making process... He added that Schneiderman's request for logs of IP addresses would be "unduly burdensome" to the commission, and would "raise significant personal privacy concerns."

Amy Spitalnick, Schneiderman's press secretary, said in a statement that the FCC "made clear that it will continue to obstruct a law enforcement investigation. It's easy for the FCC to claim that there's no problem with the process, when they're hiding the very information that would allow us to determine if there was a problem. To be clear, impersonation is a violation of New York law," she said... "The only privacy jeopardized by the FCC's continued obstruction of this investigation is that of the perpetrators who impersonated real Americans."

One of the FCC's Democratic commissioners claimed that this response "shows the FCC's sheer contempt for public input and unreasonable failure to support integrity in its process... Moreover, the FCC refuses to look into how nearly half a million comments came from Russian sources."
AI

Emotion Recognition Systems Could Be Used In Job Interviews (techtarget.com) 145

dcblogs writes: Emotion recognition software identifies micro-expressions through video analysis. These are expressions that may be as fast as 1/25 of a second and invisible to the human eye, but a close analysis of video can detect them. These systems are being used in marketing research, but some employers may be interested in using them to assess job candidates.

Vendors claim these systems can be used to develop a personality profile and discover a good cultural fit. The technology raises concerns, illustrated earlier this year who showed that face-reading technology could use photographs to determine sexual orientation with a high degree of accuracy.

One company has already added face recognition into their iPad-based time clock, which the company's CEO thinks could be adapted to also detect an employee's mood when they're clocking out. Yet even he has his reservations. While he thinks it could provide more accurate feedback from employees, he also admits that "There's something very Big Brother about it."
Businesses

Reporter Regrets Letting Amazon's Delivery People Into His House (washingtonpost.com) 114

An anonymous reader writes: Washington Post reporter Geoffrey A. Fowler describes his short-lived experience with "Amazon Key", a $250 smart lock system with a security camera that grants Amazon's delivery people access to your home. The lock sounds "like R2-D2 with constipation," and at one point it actually jammed (though his persistent delivery person eventually got it working properly). The unlocking of the door triggers a live video feed of the delivery -- which is also stored in a private archive online -- plus an alert to your phone -- and the Post's reporter writes that "The biggest downsides to the experience haven't been the strangers -- it's been Amazon."

They missed their delivery windows four out of eight times, and though the packages all arrived eventually, all four were late by a least a day. But his larger issue is that Amazon "wants to draw you further into an all-Amazon world... Now Amazon wants to literally own your door, so it can push not just packages but also services that come through it, like handymen, dog-walkers, groceries, you name it." His ultimate question? "Who's really being locked in?"

The Post's reporter notes that Amazon CEO Jeff Bezos owns the Washington Post, "but I review all tech the same." He did identify some advantages to the $250 smart lock system -- the door can now also be unlocked with the Amazon Key app, and he can even share that access with his friends by giving them a special access code.

But he also notes that security researchers discovered a way to freeze Amazon's security camera, potentially allowing a rogue delivery person to lurk in your house. And all things considered, it was apparently all too creepy. "After two weeks, my family voted to remove the Amazon Key smart lock and take down the camera."
Privacy

People Keep Finding Hidden Cameras in Their Airbnbs (buzzfeed.com) 166

"Airbnb has a scary problem on their hands: People keep finding hidden cameras in their rental homes," reports the New York Post. "Another host was busted last month trying to film guests without their knowledge -- marking the second time since October that the company has had to publicly deal with this sort of incident." BuzzFeed reports: In October, an Indiana couple visiting Florida discovered a hidden camera disguised as a smoke detector in their Airbnb's master bedroom. Earlier that same year Airbnb was forced to investigate and suspend a Montreal listing after one of the renters discovered a camera in the bedroom of the property... Hidden cameras aren't just an issue for Airbnb -- it's been a hot-button topic in hospitality for years. There are hundreds of stories about hotels using unlawful surveillance. [For example, this one.]

Airbnb recommends its customers read the reviews of the host of any rental property they might be interested in, and also offers an on-platform messaging tool that allows communication between host and guests... "Cameras are never allowed in bathrooms or bedrooms; any other cameras must be properly disclosed to guests ahead of time," Airbnb spokesperson Jeff Henry told BuzzFeed News.

This time the couple discovered hidden cameras that were disguised as a motion detectors. Airbnb says they've permanently banned the offending host -- and offered his guests a refund -- adding that this type of incident was "incredibly rare."
Bitcoin

People Who Can't Remember Their Bitcoin Passwords Are Really Freaking Out Now (slate.com) 201

An anonymous reader quotes a report from Slate: Bitcoin has had quite a week. On Thursday, the cryptocurrency surged past $19,000 a coin before dropping down to $15,600 by Friday midday. The price of a single Bitcoin was below $1,000 in January. Any investors who bought Bitcoins back in 2013, when the price was less than $100, probably feel pretty smart right now. But not all early cryptocurrency enthusiasts are counting their coins. Instead they might be racking their brains trying to remember their passwords, without which those few Bitcoins they bought as an experiment a few years ago could be locked away forever. That's because Bitcoin's decentralization relies on cryptography, where each transaction is signed with an identifier assigned to the person paying and the person receiving Bitcoin.

"I've tried to ignore the news about Bitcoin completely," joked Alexander Halavais, a professor of social technology at Arizona State University, who said he bought $70 of Bitcoin about seven years as a demonstration for a graduate class he was teaching at the time but has since forgotten his password. "I really don't want to know what it's worth now," he told me. "This is possibly $400K and I'm freaking the fuck out. I'm a college student so this would change my life lmao," wrote one Reddit user last week. The user claimed to have bought 40 bitcoins in 2013 but can't remember the password now. "A few years ago, I bought about 20 euros worth of bitcoin, while it was at around 300eur/btc.," lamented another Reddit user earlier this week. "Haven't looked at it since, and recently someone mentioned the price had hit 10.000usd. So, I decided to take a look at my wallet, but found that it wasn't my usual password. I have tried every combination of the password variations I usually use, but none of them worked."

Security

Zero-Day iOS HomeKit Vulnerability Allowed Remote Access To Smart Accessories Including Locks (9to5mac.com) 39

Apple has issued a fix to a vulnerability that allowed unauthorized control of accessories, including smart locks and garage door openers. "Our understanding is Apple has rolled out a server-side fix that now prevents unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality," reports 9to5Mac. From the report: The vulnerability, which we won't describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs. The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers, the former of which was demonstrated to 9to5Mac. The issue was not with smart home products individually but instead with the HomeKit framework itself that connects products from various companies. The vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple's mobile operating system, connected to the HomeKit user's iCloud account; earlier versions of iOS were not affected.
Security

'Process Doppelganging' Attack Bypasses Most Security Products, Works On All Windows Versions (bleepingcomputer.com) 125

An anonymous reader quotes a report from Bleeping Computer: Yesterday, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called "Process Doppelganging." This new attack works on all Windows versions and researchers say it bypasses most of today's major security products. Process Doppelganging is somewhat similar to another technique called "Process Hollowing," but with a twist, as it utilizes the Windows mechanism of NTFS Transactions.

"The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine," Tal Liberman & Eugene Kogan, the two enSilo researchers who discovered the attack told Bleeping Computer. "Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection. In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind." The good news is that "there are a lot of technical challenges" in making Process Doppelganging work, and attackers need to know "a lot of undocumented details on process creation." The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."
More research on the attack will be published on the Black Hat website in the following days.
Chrome

Chrome 63 Offers Even More Protection From Malicious Sites, Using Even More Memory (arstechnica.com) 63

An anonymous reader quotes a report from Ars Technica: To further increase its enterprise appeal, Chrome 63 -- which hit the browser's stable release channel yesterday -- includes a couple of new security enhancements aimed particularly at the corporate market. The first of these is site isolation, an even stricter version of the multiple process model that Chrome has used since its introduction. Chrome uses multiple processes for several security and stability reasons. On the stability front, the model means that even if a single tab crashes, other tabs (and the browser itself) are unaffected. On the security front, the use of multiple processes makes it much harder for malicious code from one site to steal secrets (such as passwords typed into forms) of another. [...]

Naturally, this greater use of multiple processes incurs a price; with this option enabled, Chrome's already high memory usage can go up by another 15 to 20 percent. As such, it's not enabled by default; instead, it's intended for use by enterprise users that are particularly concerned about organizational security. The other new capability is the ability for administrators to block extensions depending on the features those extensions need to use. For example, an admin can block any extension that tries to use file system access, that reads or writes the clipboard, or that accesses the webcam or microphone. Additionally, Google has started to deploy TLS 1.3, the latest version of Transport Layer Security, the protocol that enables secure communication between a browser and a Web server. In Chrome 63, this is only enabled between Chrome and Gmail; in 2018, it'll be turned on more widely.

Google

Inside Oracle's Cloak-and-dagger Political War With Google (recode.net) 83

schwit1 shares a Recode report: The story that appeared in Quartz this November seemed shocking enough on its own: Google had quietly tracked the location of its Android users, even those who had turned off such monitoring on their smartphones. But missing from the news site's report was another eyebrow-raising detail: Some of its evidence, while accurate, appears to have been furnished by one of Google's fiercest foes: Oracle. For the past year, the software and cloud computing giant has mounted a cloak-and-dagger, take-no-prisoners lobbying campaign against Google, perhaps hoping to cause the company intense political and financial pain at a time when the two tech giants are also warring in federal court over allegations of stolen computer code. Since 2010, Oracle has accused Google of copying Java and using key portions of it in the making of Android. Google, for its part, has fought those claims vigorously. More recently, though, their standoff has intensified. And as a sign of the worsening rift between them, this summer Oracle tried to sell reporters on a story about the privacy pitfalls of Android, two sources confirmed to Recode.
Privacy

Keylogger Found On Nearly 5,500 WordPress Sites (bleepingcomputer.com) 83

An anonymous reader writes: Nearly 5,500 WordPress sites are infected with a malicious script that logs keystrokes and sometimes loads an in-browser cryptocurrency miner. The malicious script is being loaded from the "cloudflare.solutions" domain, which is not affiliated with Cloudflare in any way, and logs anything that users type inside form fields as soon as the user switches away from an input field. The script is included on both the sites' frontends and backends, meaning it can steal both admin account credentials and credit card data from WP sites running e-commerce stores. According to site source code search engine PublicWWW, there are 5,496 sites running this keylogger. The attacker has been active since April.
Government

Warrantless Surveillance Can Continue Even If Law Expires, Officials Say (theverge.com) 68

According to a New York Times report citing American officials, the Trump administration has decided that the National Security Agency and the FBI can lawfully keep operating their warrantless surveillance program even if Congress fails to extend the law authorizing it before an expiration date of New Year's Eve. The Verge reports: The White House believes the Patriot Act's surveillance provisions won't expire until four months into 2018. Lawyers point to a one-year certification that was granted on April 26th of last year. If that certification is taken as a legal authorization for the FISA court overall -- as White House lawyers suggest -- then Congress will have another four months to work out the details of reauthorization. There are already several proposals for Patriot Act reauthorization in the Senate, which focus the Section 702 provisions that authorize certain types of NSA surveillance. Some of the proposals would close the backdoor search loophole that allows for warrantless surveillance of U.S. citizens, although a recent House proposal would leave it in place. But with Congress largely focused on tax cuts and the looming debt ceiling fight, it's unlikely the differences could be reconciled before the end of the year.
Security

NiceHash Hacked, $62 Million of Bitcoin May Be Stolen (reddit.com) 79

New submitter Chir breaks the news to us that the NiceHash crypto-mining marketplace has been hacked. The crypto mining pool broke the news on Reddit, where users suggest that as many as 4,736.42 BTC -- an amount worth more than $62 million at current prices -- has been stolen. The NiceHash team is urging users to change their online passwords as a result of the breach and theft.
Encryption

US Says It Doesn't Need a Court Order To Ask Tech Companies To Build Encryption Backdoors (gizmodo.com) 248

schwit1 shares a report from Gizmodo: According to statements from July released this weekend, intelligence officials told members of the Senate Intelligence Committee that there's no need for them to approach courts before requesting a tech company help willfully -- though they can always resort to obtaining a Foreign Intelligence Surveillance Court order if the company refuses. The documents show officials testified they had never needed to obtain such an FISC order, though they declined to tell the committee whether they had "ever asked a company to add an encryption backdoor," per ZDNet. Other reporting has suggested the FISC has the power to authorize government personnel to compel such technical assistance without even notifying the FISC of what exactly is required. Section 702 of the Foreign Intelligence Surveillance Act gives authorities additional powers to compel service providers to build backdoors into their products.
Privacy

Germany Preparing Law for Backdoors in Any Type of Modern Device (bleepingcomputer.com) 251

Catalin Cimpanu, writing for BleepingComputer: German authorities are preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations. The law would target all modern devices, such as cars, phones, computers, IoT products, and more. Officials are expected to submit their proposed law for debate this week, according to local news outlet RedaktionsNetzwerk Deutschland (RND). The man supporting this proposal is Thomas de Maiziere, Germany's Interior Minister, who cites the difficulty law enforcement agents have had in past months investigating the recent surge of terrorist attacks and other crimes.
Privacy

Trump Is Looking at Plans For a Global Network of Private Spies (vice.com) 481

David Gilbert, writing for Vice: The White House is reportedly looking at a proposal to create a ghost network of private spies in hostile countries -- a way of bypassing the intelligence community's "deep state," which Donald Trump believes is a threat to his administration. The network would report directly to the president and CIA Director Mike Pompeo, and would be developed by Blackwater founder Erik Prince, according to multiple current and former officials speaking to The Intercept. "Pompeo can't trust the CIA bureaucracy, so we need to create this thing that reports just directly to him," a former senior U.S. intelligence official with firsthand knowledge of the proposals told the website. Described as "totally off the books," the network would be run by intelligence contractor Amyntor Group and would not share any data with the traditional intelligence community.
Security

A Popular Virtual Keyboard App Leaks 31 Million Users' Personal Data (zdnet.com) 65

Zack Whittaker, writing for ZDNet: Personal data belonging to over 31 million customers of a popular virtual keyboard app has leaked online, after the app's developer failed to secure the database's server. The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users across the world. But the server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data. The database appears to only contain records on the app's Android users.
Businesses

Gizmodo: Don't Buy Anyone an Amazon Echo Speaker (gizmodo.com) 257

Adam Clark Estes, writing for Gizmodo: Three years ago, we said the Echo was "the most innovative device Amazon's made in years." That's still true. But you shouldn't buy one. You shouldn't buy one for your family. [...] Your family members do not need an Amazon Echo or a Google Home or an AppleHomePod or whatever that one smart speaker that uses Cortana is called. And you don't either. You only want one because every single gadget-slinger on the planet is marketing them to you as an all-new, life-changing device that could turn your kitchen into a futuristic voice-controlled paradise. You probably think that having an always-on microphone in your home is fine, and furthermore, tech companies only record and store snippets of your most intimate conversations. No big deal, you tell yourself. Actually, it is a big deal. The newfound privacy conundrum presented by installing a device that can literally listen to everything you're saying represents a chilling new development in the age of internet-connected things. By buying a smart speaker, you're effectively paying money to let a huge tech company surveil you. And I don't mean to sound overly cynical about this, either. Amazon, Google, Apple, and others say that their devices aren't spying on unsuspecting families. The only problem is that these gadgets are both hackable and prone to bugs.

Slashdot Top Deals