Crime

Meet The Company That Poached The FBI's Entire Silk Road Investigation Team (dailydot.com) 52

Patrick O'Neill quotes a report from The Daily Dot: The FBI team that brought down Silk Road has a new home. After headline-grabbing investigations, arrests, and prosecutions on some of America's highest-profile cybercriminals, five of U.S. law enforcement's most prized cybercrime aces have all left government service for greener pastures -- a titan consulting firm called Berkeley Research Group (BRG). BRG's newly hired gang of five includes former federal prosecutor Thomas Brown, as well as former FBI agents Christopher Tarbell, Thomas Kiernan, and Ilhwan Yum -- names that punctuated many of the biggest cybercrime stories of the last decade including Silk Road, LulzSec, Liberty Reserve, as well as the hacks of Citibank, PNC Bank, and the Rove Digital botnet; and the prosecution of Samarth Agrawal for stealing crucial code for high-frequency trading from the multinational, multibillion dollar bank Societe Generale. "Private industry provides a lot of opportunity," NYPD intelligence chief Thomas Galati told Congress earlier this year. "So I think the best people out there are working for private companies, and not for the government."
Iphone

LAPD Hacked An iPhone 5s Before The FBI Hacked San Bernardino Terrorist's iPhone 5c (latimes.com) 18

According to recently released court papers, Los Angeles police investigators found a way to break into a locked iPhone 5s belonging to April Jace, the slain wife of "The Shield" actor Michael Jace. The detectives were able to bypass the security at around the same time the FBI was demanding Apple unlock the iPhone 5c belonging to San Bernardino terrorist Syed Rizwan Farook. LAPD detective Connie Zych wrote on March 18 that the department had found a "forensic cellphone expert" who could "override the locked iPhone function," according to the search warrant. There's no mention of how the LAPD broke into the iPhone or what OS it was running (Note: iOS 8, which features improved encryption and security features, came out months after the killing). The information stored on the iPhone should help in the criminal case against Jace's husband, who is charged with the May 19, 2014, killing.
Privacy

After ISIS, Americans Fear Cyberattacks Most (theatlantic.com) 75

An anonymous reader writes: According to Pew Research Center, there's a growing fear among Americans about cyberattacks. In fact, it's the second most feared threat to them, the first being ISIS. The terrorist group is scary by design, relying on propaganda videos and ultra-violent attacks to spread fear and project power. But coming in second right after the terrorist group was the prospect of country-on-country cyberwar: a digital raid to steal another government's information, for example, or a large-scale attack on a nation's electrical grid. Cyberattacks are a major threat in the minds of 72 percent of Americans, and a minor threat to another 22 percent. Cyberwar hasn't been on Americans' minds to this degree since 2013. That year, for the first time, Americans ranked cyberattacks as a top threat, placing it second after the threat from Islamic extremists like al-Qaeda. But in the intervening years, Americans turned their attention to nuclear threats.
Android

Old Qualcomm Vulnerability Exposes Android User Data (securityweek.com) 17

Reader wiredmikey writes: Researchers from FireEye have disclosed the details of a serious information disclosure vulnerability affecting a Qualcomm software package found in hundreds of Android device models (Editor's note: the link could have pop-up ads, here's an alternate source). The vulnerability is in the Qualcomm tethering controller (CVE-2016-2060) and could allow a malicious application to access user information. While the flaw could expose millions of Android devices, the vulnerability has limited impact on devices running Android 4.4 and later, which include significant security enhancements, and also does not affect Nexus devices. FireEye said its researchers informed Qualcomm about the vulnerability in January and the vendor developed a fix by early March and started reaching out to OEMs to let them know about the issue. Now it's up to the device manufacturers to push out the patch to customers. FireEye said: "The OEMs will now need to provide updates for their devices; however, many devices will likely never be patched."
Transportation

'Largest Recall In American History': Takata To Recall Nearly 70 Million Airbags (nbcnews.com) 118

An anonymous reader writes: Federal regulators are ordering Japanese supplier Takata to recall as many as 40 million additional airbags linked to a defect already blamed for at least 11 deaths, bringing the total number of faulty airbags in the U.S. to 69 million. Previously, the recall involved about 24 million vehicles sold in the U.S. over roughly the last decade, with 14 manufacturers impacted. With the latest recall, almost every other major carmaker will now be pulled. "This is the largest recall in American history," National Highway Traffic Safety Administrator Mark Rosekind told reporters on Wednesday. Initial estimates said 35-40 million airbags were to be recalled. And because some vehicles use more than one Takata airbag, the total number of vehicles will likely be smaller. Now it's considered highly likely that the total number of cars, trucks and crossovers will now top the 50 million mark, and as many as a quarter of all vehicles on U.S. roads could be covered. The NHTSA has reported that just over 8 million vehicles had been fixed as of April 22. The airbags have so far been tied to at least 10 U.S. deaths and more than 100 injuries -- two more fatalities in Malaysia were confirmed Wednesday. "The exploding airbags can send shrapnel into the faces and necks of victims, leaving them looking as if they had been shot or stabbed," according to Fox 59.
Google

Google Encrypts All Blogspot Domains With HTTPS 49

Reader Mickeycaskill writes: Google is continuing its crusade to encrypt the web by enabling an HTTPS version of every single domain hosted on Blogspot. The search giant started the rollout last September, but as an opt-in service. Now users can opt to visit an HTTPS version of a site without its participation, while administrators can turn on an automatic redirect so all visitors are sent to the encrypted version. "HTTPS is fundamental to internet security; it protects the integrity and confidentiality of data sent between websites and visitors' browsers," said Milanda Perera, security software engineer at Google. Google already encrypts its search results, Google Drive and Gmail, while it also ranks HTTPS-enabled sites higher in search results. Blogspot rival WordPress began rolling out HTTPS in 2014.
Java

No One Should Have To Use Proprietary Software To Communicate With Their Government (fsf.org) 146

Donald Robertson, writing for Free Software Foundation: Proprietary JavaScript is a threat to all users on the Web. When minified, the code can hide all sorts of nasty items, like spyware and other security risks. [...] On March 1st, 2016, the Copyright Office announced a call for comments on an update to their technology infrastructure. We submitted a comment urging them to institute a policy that requires all software they develop and distribute to be free software. Further, we also urged them to not require people to run proprietary software in order to communicate or submit comments to them. Unfortunately, once again, the Copyright Office requires the use of proprietary JavaScript in order to submit the comment and they are only accepting comments online unless a person lacks computer or Internet access. [...] The most absurd part of all this is that other government agencies, while still using Regulations.gov, are perfectly capable of offering alternatives to submission.
Security

Aging and Bloated OpenSSL Is Purged of 2 High-Severity Bugs (arstechnica.com) 61

An anonymous reader cites a story on Ars Technica: Maintainers of the OpenSSL cryptographic library have patched high-severity holes that could make it possible for attackers to decrypt login credentials or execute malicious code on Web servers. The updates were released Tuesday morning for both versions 1.0.1 and 1.0.2 of OpenSSL, which a large portion of the Internet relies on to cryptographically protect sensitive Web and e-mail traffic using the transport layer security protocol. OpenSSL advisories labeled the severity of both vulnerabilities "high," meaning the updates fixing them should be installed as soon as possible. The fixes bring the latest supported versions to 1.0.1t and 1.0.2h. The decryption vulnerability is the result of what cryptographers call a padding oracle weakness, which allows attackers to repeatedly probe an encrypted payload for clues about the plaintext content inside. According to TLS expert Filippo Valsorda, the bug allows for only 16 bytes of encrypted traffic to be recovered, and even then only when an end user sends it repeatedly.
Security

Millions of Gmail, Yahoo, Hotmail Email Accounts Being Traded in Russian Underworld (reuters.com) 72

Eric Auchard, reporting for Reuters (edited and condensed): Hundreds of millions of hacked usernames and passwords for email accounts and other websites are being traded in Russia's criminal underworld, a security expert told Reuters. The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia's most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users (Editor's note: the numbers are: 57M Mail.ru, 24M Google, 40M Yahoo, and 33M Hotmail), said Alex Holden, founder and chief information security officer of Hold Security. [...] The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totaling 1.17 billion records. Amir Efrati, a reporter with The Information, asks: "Industry seems to be failing at convincing email users to do 2-step verification. Why not require it?"
Facebook

Facebook Paid $10,000 To A 10-Year-Old For Hacking Instagram (thenextweb.com) 61

An anonymous reader writes: Facebook has paid $10,000 to a 10-year-old hacker who discovered how one could hack into Instagram and delete comments made by users. Speaking to local publication Iltalehti, Jani said: "I would have been able to eliminate anyone, even Justin Bieber." The Finnish hacker just became the youngest person to receive cash from Facebook for hacking its products. The previous record was set by a 13-year-old back in 2013. What's funny is Jani isn't technically old enough to sign up for and use Facebook or Instagram, as both are supposed to be off-limits to anyone under the age of 13. Jani found he could alter code on Instagram's servers and force-delete users' posts. This was confirmed by Facebook using a test account and patched in February, Facebook told Forbes. Facebook has received more than 2,400 valid submissions and awarded upwards of $4.3 million to over 800 researchers since the bounty program launched in 2011.
Government

Snowden: 'Governments Can Reduce Our Dignity To That Of Tagged Animals' (theguardian.com) 109

An anonymous reader writes: NSA whistleblower Edward Snowden writes in The Guardian explaining why leaking information about wrongdoing is a vital act of resistance. "One of the challenges of being a whistleblower is living with the knowledge that people continue to sit, just as you did, at those desks, in that unit, throughout the agency; who see what you saw and comply in silence, without resistance or complaint," Snowden writes. "They learn to live not just with untruths but with unnecessary untruths, dangerous untruths, corrosive untruths. It is a double tragedy: what begins as a survival strategy ends with the compromise of the human being it sought to preserve and the diminishing of the democracy meant to justify the sacrifice." He goes on to explain the importance and significance of leaks, how not all leaks are alike, nor are their makers, and how our connected devices come into play in the post-9/11 period. Snowden writes, "By preying on the modern necessity to stay connected, governments can reduce our dignity to something like that of tagged animals, the primary difference being that we paid for the tags and they are in our pockets."
Security

Samsung Smart Home Flaws Let Hackers Pick Connected Doors From Anywhere In the World (arstechnica.com) 77

Researchers have discovered flaws in Samsung's Smart Home automation system which, if exploited, allow them to carry out a range of remote attacks. These attacks include digitally picking connected door locks from anywhere in the world. The flaws have been documented by researchers from the University of Michigan ahead of the 2016 IEEE Symposium on Security and Privacy. "All of the above attacks expose a household to significant harm -- break-ins, theft, misinformation, and vandalism," the researchers wrote in a paper. "The attack vectors are not specific to a particular device and are broadly applicable." Dan Goodin reports for Ars Technica: Other attacks included a malicious app that was able to obtain the PIN code to a smart lock and send it in a text message to attackers, disable a preprogrammed vacation mode setting, and issue a fake fire alarm. The one posing the biggest threat was the remote lock-picking attack, which the researchers referred to as a "backdoor pin code injection attack." It exploited vulnerabilities in an existing app in the SmartThings app store that gives an attacker sustained and largely surreptitious access to users' homes. The attack worked by obtaining the OAuth token that the app and SmartThings platform relied on to authenticate legitimate users. The only interaction it required was for targeted users to click on an attacker-supplied HTTPS link that looked much like this one that led to the authentic SmartThings login page. The user would then enter the username and password. A flaw in the app allowed the link to redirect the credentials away from the SmartThings page to an attacker-controlled address. From then on, the attackers had the same remote access over the lock that users had.
Ubuntu

Ubuntu Founder Pledges No Back Doors In Linux (eweek.com) 105

Mark Shuttleworth, founder of Canonical and the Ubuntu Foundation, gave an interview to eWeek this week ahead of the Ubuntu Online Summit (UOS). In the wide-ranging interview, Shuttleworth teased some features that we could expect in Ubuntu 16.10, and also talked about security and privacy. From the report: One thing that Ubuntu Linux users will also continue to rely on is the strong principled stance that Shuttleworth has on encryption. With the rapid growth of the Linux Foundation's Let's Encrypt free Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate platform this year, Shuttleworth noted that it's a good idea to consider how that might work in an integrated way with Ubuntu. Overall, he said, the move to encryption as a universal expectation is really important. "We don't do encryption to hide things; we do encryption so we can choose what to share," Shuttleworth said. "That's a profound choice we should all be able to make." Shuttleworth emphasized that on the encryption debate, Canonical and Ubuntu are crystal clear. "We will never backdoor Ubuntu; we will never weaken encryption," he said.
Government

Kim Jong-Un Bans All Weddings, Funerals And Freedom Of Movement In North Korea (independent.co.uk) 204

An anonymous reader quotes a report from The Independent: Weddings and funerals have been banned and Pyongyang is in lockdown as preparations for a once-in-a-generation party congress get underway in North Korea. The ruling Workers' Party of Korea, headed by the country's leader, Kim Jong-un, is due to stage the first gathering of its kind for 36 years on Friday. Free movement in and out of the capital has also been forbidden and there has been an increase in inspections and property searches, according to Daily NK, which claims to have sources in the country. The temporary measures are said to be an attempt to minimize the risk of "mishaps" at the event, according to Cheong Joon-hee, a spokesman at South Korea's Unification Ministry. Meanwhile, North Korea has been conducting missile tests left and right, many of which have failed miserably.
AI

Self-Driving Features Could Lead To More Sex In Moving Cars, Expert Warns (www.cbc.ca) 268

An anonymous reader writes: According to CBC.ca, "At least one expert is anticipating that, as the so-called 'smart' cars get smarter, there will eventually be an increase in an unusual form of distracted driving: hanky-panky behind the wheel." Barrie Kirk of the Canadian Automated Vehicles Centre of Excellence said, "I am predicting that, once computers are doing the driving, there will be a lot more sex in cars. That's one of several things people will do which will inhibit their ability to respond quickly when the computer says to the human, 'Take over.'" Federal officials, who have been tasked with building a regulatory framework to govern driverless cars, highlighted their concerns in briefing notes compiled for Transport Minister Marc Garneau. "Drivers tend to overestimate the performance of automation and will naturally turn their focus away from the road when they turn on their auto-pilot," said the note. The Tesla autopilot feature has been receiving the most criticism as there have been many videos posted online showing Tesla drivers engaged in questionable practices, including reading a newspaper or brushing their teeth.
EU

Greenpeace Leaks Big Part Of Secret TTIP Documents (bbc.com) 136

An anonymous reader writes: The environmental group Greenpeace has obtained 248 pages of classified documents from the Transatlantic Trade and Investment Partnership (TTIP) trade talks. The group warns EU standards on the environment and public health risk being undermined by compromises with the US, specifically that US corporations may erode Europe's consumer protections. The TTIP would "harmonize regulations across a huge range of business sectors, providing a boost to exporters on both sides of the Atlantic," writes the BBC. After the Greenpeace leak was published, EU Trade Commissioner Cecilia Malmstroem said in her blog, "I am simply not in the business of lowering standards." Meanwhile, Greenpeace EU director Jorgo Riss said, "These leaked documents confirm what we have been saying for a long time: TTIP would put corporations at the center of policy-making, to the detriment of environment and public health." You can be the judge for yourself. The leaked documents are available for download here.
Encryption

Without Encryption, Everything Stops, Says Snowden (thehill.com) 143

An anonymous reader writes about Snowden's appearance in a debate with CNN's Fareed Zakaria: Edward Snowden defended the importance of encryption, calling it the "backbone of computer security." He said, "Encryption saves lives. Encryption protects property. Without it, our economy stops. Our government stops. Everything stops. Our intelligence agencies say computer security is a bigger problem than terrorism, than crime, than anything else," he noted. "[...] Lawful access to any device or communication cannot be provided to anybody without fatally compromising the security of everybody."
Music

Audiophile Torrent Site What.CD Fully Pwnable Thanks To Wrecked RNG (theregister.co.uk) 127

Reader mask.of.sanity writes: Users of popular audiophile torrent site What.CD can make themselves administrators to completely compromise the private music site and bypass its notorious download ratio limits thanks to the use of the mt_rand function for password resets, a researcher has found. From the report (edited and condensed): What.CD is the world's most popular high-quality music private torrent site that requires its users to pass an interview testing their knowledge of audio matters before they are granted an account. Users must maintain a high upload-to-download ratio to continue to download from the site. [...] "I reported it a year ago, and they acknowledged it but said 'don't worry about it,'" said a New Zealand-based independent security researcher who goes by the alias ss23.
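The item above names the root cause (reset tokens drawn from mt_rand, a non-cryptographic PRNG) without showing what that looks like in code. The following is an added example, not code from What.CD or from the researcher's report: Go's math/rand stands in for PHP's mt_rand, since both are seed-determined generators, and the weak token is shown beside the CSPRNG-backed one a reset flow should use. The function names and the token length are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
	"time"
)

const tokenBytes = 32 // 256 bits of entropy per reset token

// weakToken mirrors the flawed pattern: a reset token drawn from a
// non-cryptographic PRNG (math/rand here, mt_rand in the report). The
// whole token is a pure function of the seed, so it carries no more
// secrecy than the seed itself, and seeds such as a timestamp or a small
// integer are easy to narrow down.
func weakToken(seed int64) string {
	r := mrand.New(mrand.NewSource(seed))
	buf := make([]byte, tokenBytes)
	r.Read(buf)
	return hex.EncodeToString(buf)
}

// strongToken draws the token from the operating system CSPRNG
// (crypto/rand); there is no seed to recover and no state to predict.
func strongToken() (string, error) {
	buf := make([]byte, tokenBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

// sameToken compares a presented token with the stored one in constant
// time, so the comparison does not leak how many leading bytes matched.
func sameToken(presented, stored string) bool {
	return subtle.ConstantTimeCompare([]byte(presented), []byte(stored)) == 1
}

func main() {
	// Seeding from the clock looks random, but the same seed always
	// yields the same "secret".
	seed := time.Now().Unix()
	fmt.Println("weak token reproducible from its seed:", weakToken(seed) == weakToken(seed))

	t1, _ := strongToken()
	t2, _ := strongToken()
	fmt.Println("CSPRNG tokens differ:", !sameToken(t1, t2))
}
```

The detection side is simple: any reset, session or CSRF token generator that calls a seedable PRNG (mt_rand, rand, math/rand, Python's random) rather than the platform CSPRNG is a finding, regardless of how the seed is chosen.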
Bitcoin

Craig Wright Claims He's Satoshi Nakamoto, the Creator Of Bitcoin 147

Australian entrepreneur Craig Wright has put an end to the years-long speculation about the creator of Bitcoin. In an interview with the BBC, The Economist (may have a paywall), and GQ, Wright claimed that he is indeed the person who developed the concepts on which the Bitcoin cryptocurrency is built. According to the BBC, Mr. Wright provided "technical proof to back up his claim using coins known to be owned by Bitcoin's creator." Wright writes in a blog post: [A]fter many years, and having experienced the ebb and flow of life those years have brought, I think I am finally at peace with what he meant. If I sign Craig Wright, it is not the same as if I sign Craig Wright, Satoshi[...] Since those early days, after distancing myself from the public persona that was Satoshi, I have poured every measure of myself into research. I have been silent, but I have not been absent. I have been engaged with an exceptional group and look forward to sharing our remarkable work when they are ready. Satoshi is dead. But this is only the beginning. According to Wright's website, he is a "computer scientist, businessman and inventor" born in Brisbane, Australia, in October 1970. Some have questioned the authenticity and relevance of the "technical proof" Wright has provided. Nik Cubrilovic, an Australian former hacker and leading internet security blogger, wrote, "I don't believe for a second Wright is Satoshi. I know two people who worked with Wright, characterized him as crazy and schemer/charlatan." Michele Spagnuolo, Information Security Engineer at Google, added, "He's not Satoshi. He just reused a signed message (of a Sartre text) by Satoshi with block 9 key as 'proof.'"
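Spagnuolo's objection is that a signature which already exists in public proves nothing about who holds the key today. The added example below (not code from any of the parties in the story) shows the difference between verifying a signature over a message the claimant supplies and verifying one over a challenge the verifier chose. It uses ECDSA over P-256 from the Go standard library as a stand-in for Bitcoin's secp256k1, which the standard library does not ship; the key, the "old message" and all function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// genKey creates the claimant's key pair (P-256 stands in for secp256k1).
func genKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signMessage produces an ECDSA signature over SHA-256(msg).
func signMessage(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// naiveCheck verifies a signature over a message that the claimant also
// supplied. Any old, already-public (message, signature) pair passes, so
// it shows only that the signature exists, not that the claimant made it.
func naiveCheck(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// newChallenge is a random message chosen by the verifier; nobody could
// have signed it before it was generated, so no prior signature fits it.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// challengeCheck is the same cryptographic verification, but over the
// verifier's own challenge. A replayed signature cannot satisfy it; only
// someone holding the private key right now can.
func challengeCheck(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, err := genKey()
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey

	// Constructed stand-in for a signature published years ago.
	oldMsg := []byte("constructed: a message signed and published long ago")
	oldSig, _ := signMessage(priv, oldMsg)

	challenge, _ := newChallenge()
	fmt.Println("replayed signature passes naive check:    ", naiveCheck(pub, oldMsg, oldSig))
	fmt.Println("replayed signature passes challenge check:", challengeCheck(pub, challenge, oldSig))

	freshSig, _ := signMessage(priv, challenge)
	fmt.Println("fresh signature passes challenge check:   ", challengeCheck(pub, challenge, freshSig))
}
```

The verifier must generate the challenge itself and refuse any message the claimant proposes; a signature over a text the claimant picked, however famous the key, is exactly the replay the example rejects.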
Crime

The Government Wants Your Fingerprint To Unlock Phones (dailygazette.com) 223

schwit1 quotes this report from the Daily Gazette: "As the world watched the FBI spar with Apple this winter in an attempt to hack into a San Bernardino shooter's iPhone, federal officials were quietly waging a different encryption battle in a Los Angeles courtroom. There, authorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone contained Apple's fingerprint identification system for unlocking, and prosecutors wanted access to the data inside it.

It marked a rare time that prosecutors have demanded a person provide a fingerprint to open a computer, but experts expect such cases to become more common as cracking digital security becomes a larger part of law enforcement work. The Glendale case and others like it are forcing courts to address a basic question: How far can the government go to obtain biometric markers such as fingerprints and hair?"
