Google

Google Permanently Disables Touch Function On All Home Minis Due To Privacy Concerns (bbc.co.uk) 48

Big Hairy Ian shares a report from BBC: Google has stopped its Home Mini speakers responding when users touch them. It permanently turned off the touch activation feature after it found that sensors primed to spot a finger tap were too sensitive. Early users found that the touch sensors were registering "phantom" touches that turned them on. This meant the speakers were recording everything around them thousands of times a day. Google said it disabled the feature to give users "peace of mind." Google's Home Mini gadgets were unveiled on October 4th as part of a revamp of its line of smart speakers. The intelligent assistant feature on it could be activated two ways -- by either saying "OK, Google" or by tapping the surface. About 4,000 Google Home Mini units were distributed to early reviewers and those who attended Google's most recent launch event. Artem Russakovskii from Android Police first discovered the issue with his unit, ultimately causing Google to "permanently [nerf] all Home Minis" because his spied on everything he said 24/7.
Privacy

DJI Unveils Technology To Identify and Track Airborne Drones (suasnews.com) 59

garymortimer shares a report from sUAS News: DJI, the world's leader in civilian drones and aerial imaging technology, has unveiled AeroScope, its new solution to identify and monitor airborne drones with existing technology that can address safety, security and privacy concerns. AeroScope uses the existing communications link between a drone and its remote controller to broadcast identification information such as a registration or serial number, as well as basic telemetry, including location, altitude, speed and direction. Police, security agencies, aviation authorities and other authorized parties can use an AeroScope receiver to monitor, analyze and act on that information. AeroScope has been installed at two international airports since April, and is continuing to test and evaluate its performance in other operational environments. AeroScope works with all current models of DJI drones, which analysts estimate comprise over two-thirds of the global civilian drone market. Since AeroScope transmits on a DJI drone's existing communications link, it does not require new on-board equipment or modifications, or require extra steps or costs to be incurred by drone operators. Other drone manufacturers can easily configure their existing and future drones to transmit identification information in the same way.
Businesses

Hyatt Hotels Discovers Card Data Breach At 41 Properties Across 11 Countries (krebsonsecurity.com) 20

Hyatt Hotels has suffered a second card data breach in two years. In the first breach, hackers had gained access to credit card systems at 250 properties in 50 different countries. This time, the breach appears to have impacted 41 properties across 11 countries. Krebs on Security reports: Hyatt said its cyber security team discovered signs of unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017. "Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, which included engaging leading third-party experts, payment card networks and authorities," the company said in a statement. "Hyatt's layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates." The hotel chain said the incident affected payment card information -- cardholder name, card number, expiration date and internal verification code -- from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. It added there is no indication that any other information was involved.
Security

US Weapons Data Stolen During Raid of Australian Defense Contractor's Computers (wsj.com) 78

phalse phace writes: Another day, another report of a major breach of sensitive U.S. military and intelligence data. According to a report by The Wall Street Journal (Warning: source may be paywalled; alternative source), "A cyberattacker nicknamed 'Alf' gained access to an Australian defense contractor's computers and began a four-month raid that snared data on sophisticated U.S. weapons systems. Using the simple combinations of login names and passwords 'admin; admin' and 'guest; guest' and exploiting a vulnerability in the company's help-desk portal, the attacker roved the firm's network for four months. The identity and affiliation of the hackers in the Australian attack weren't disclosed, but officials with knowledge of the intrusion said the attack was thought to have originated in China."

The article goes on to state that "Alf obtained around 30 gigabytes of data on Australia's planned purchase of up to 100 F-35 fighters made by Lockheed Martin, as well as information on new warships and Boeing-built P-8 Poseidon maritime-surveillance aircraft, in the July 2016 breach." The stolen data also included details of the C-130 Hercules transport aircraft and guided bombs used by the U.S. and Australian militaries as well as design information "down to the captain's chair" on new warships for Australia's navy.

Android

Down the Rabbit Hole With a BLU Phone Infection (threatpost.com) 43

msm1267 writes: BLU phones, marketed as affordable Android devices, have recently been pulled from Amazon and other retailers after allegations the devices were infected with spyware and posed a privacy threat to users. This is the tale of one such victim who purchased 11 devices that instantaneously began serving pop-up ads and downloading unwanted applications. The phones were analyzed and the root of the issue in this case was uncovered.
Social Networks

How Facebook Outs Sex Workers (gizmodo.com) 631

An anonymous reader shares a Gizmodo report: Leila has two identities, but Facebook is only supposed to know about one of them. Leila is a sex worker. She goes to great lengths to keep separate identities for ordinary life and for sex work, to avoid stigma, arrest, professional blowback, or clients who might be stalkers (or worse). Her "real identity" -- the public one, who lives in California, uses an academic email address, and posts about politics -- joined Facebook in 2011. Her sex-work identity is not on the social network at all; for it, she uses a different email address, a different phone number, and a different name. Yet earlier this year, looking at Facebook's "People You May Know" recommendations, Leila (a name I'm using in place of either of the names she uses) was shocked to see some of her regular sex-work clients. Despite the fact that she'd only given Facebook information from her vanilla identity, the company had somehow discerned her real-world connection to these people -- and, even more horrifyingly, her account was potentially being presented to them as a friend suggestion too, outing her regular identity to them. Because Facebook insists on concealing the methods and data it uses to link one user to another, Leila is not able to find out how the network exposed her or take steps to prevent it from happening again. "We're living in an age where you can weaponize personal information against people"Kashmir Hill, the reporter who wrote the above story, a few weeks ago shared another similar incident.
Privacy

US Government Has 'No Right To Rummage' Through Anti-Trump Protest Website Logs, Says Judge (theregister.co.uk) 276

A Washington D.C. judge has told the U.S. Department of Justice it "does not have the right to rummage" through the files of an anti-Trump protest website -- and has ordered the dot-org site's hosting company to protect the identities of its users. The Register reports: Chief Judge Robert E. Morin issued the revised order [PDF] Tuesday following a high-profile back and forth between the site's hosting biz DreamHost and prosecutors over what details Uncle Sam was entitled to with respect to the disruptj20.org website. "As previously observed, courts around the country have acknowledged that, in searches for electronically stored information, evidence of criminal activity will likely be intermingled with communications and other records not within the scope of the search warrant," he noted in his ruling. "Because of the potential breadth of the government's review in this case, the warrant in its execution may implicate otherwise innocuous and constitutionally protected activity. As the Court has previously stated, while the government has the right to execute its Warrant, it does not have the right to rummage through the information contained on DreamHost's website and discover the identity of, or access communications by, individuals not participating in alleged criminal activity, particularly those persons who were engaging in protected First Amendment activities." The order then lists a series of protocols designed to protect netizens "to comply with First Amendment and Fourth Amendment considerations, and to prevent the government from obtaining any identifying information of innocent persons."
Security

Equifax Breach Included 10 Million US Driving Licenses (engadget.com) 66

An anonymous reader quotes a report from Engadget: 10.9 million U.S. driver's licenses were stolen in the massive breach that Equifax suffered in mid-May, according to a new report by The Wall Street Journal. In addition, WSJ has revealed that the attackers got a hold of 15.2 million UK customers' records, though only 693,665 among them had enough info in the system for the breach to be a real threat to their privacy. Affected customers provided most of the driver's licenses on file to verify their identities when they disputed their credit-report information through an Equifax web page. That page was one of the entry points the attackers used to gain entry into the credit reporting agency's system.
Businesses

FCC's Claim That One ISP Counts As 'Competition' Faces Scrutiny In Court (arstechnica.com) 200

Jon Brodkin reports via Ars Technica: A Federal Communications Commission decision to eliminate price caps imposed on some business broadband providers should be struck down, advocacy groups told federal judges last week. The FCC failed to justify its claim that a market can be competitive even when there is only one Internet provider, the groups said. Led by Chairman Ajit Pai, the FCC's Republican majority voted in April of this year to eliminate price caps in a county if 50 percent of potential customers "are within a half mile of a location served by a competitive provider." That means business customers with just one choice are often considered to be located in a competitive market and thus no longer benefit from price controls. The decision affects Business Data Services (BDS), a dedicated, point-to-point broadband link that is delivered over copper-based TDM networks by incumbent phone companies like AT&T, Verizon, and CenturyLink.

But the FCC's claim that "potential competition" can rein in prices even in the absence of competition doesn't stand up to legal scrutiny, critics of the order say. "In 2016, after more than 10 years of examining the highly concentrated Business Data Services market, the FCC was poised to rein in anti-competitive pricing in the BDS market to provide enterprise customers, government agencies, schools, libraries, and hospitals with much-needed relief from monopoly rates," Phillip Berenbroick, senior policy counsel at consumer advocacy group Public Knowledge said. But after Republicans gained the FCC majority in 2017, "the commission illegally reversed course without proper notice and further deregulated the BDS market, leaving consumers at risk of paying up to $20 billion a year in excess charges from monopolistic pricing," Berenbroick said.

Piracy

Pirate Bay is Mining Cryptocurrency Again, No Opt Out (torrentfreak.com) 184

The Pirate Bay is mining cryptocurrency again, causing a spike in CPU usage among many visitors. From a report: For now, the notorious torrent site provides no option to disable it. The new mining expedition is not without risk. CDN provider Cloudflare previously suspended the account of a site that used a similar miner, which means that The Pirate Bay could be next. Last month The Pirate Bay caused some uproar by adding a Javascript-based cryptocurrency miner to its website. The miner utilizes CPU power from visitors to generate Monero coins for the site, providing an extra source of revenue. [...] The Pirate Bay currently has no opt-out option, nor has it informed users about the latest mining efforts. This could lead to another problem since Coinhive said it would crack down on customers who failed to keep users in the loop.
Government

Moscow Has Turned Kaspersky Antivirus Software Into a Global Spy Tool, Using It To Scan Computers For Secret US Data (wsj.com) 267

WSJ has a major scoop today. From a report: The Russian government used a popular antivirus software to secretly scan computers around the world for classified U.S. government documents and top-secret information, modifying the program to turn it into an espionage tool (could be paywalled), according to current and former U.S. officials with knowledge of the matter. The software, made by the Moscow-based company Kaspersky Lab, routinely scans files of computers on which it is installed looking for viruses and other malicious software. But in an adjustment to its normal operations that the officials say could only have been made with the company's knowledge, the program searched for terms as broad as "top secret," which may be written on classified government documents, as well as the classified code names of U.S. government programs, these people said. The Wall Street Journal reported last week that Russian hackers used Kaspersky's software in 2015 to target a contractor working for the National Security Agency, who had removed classified materials from his workplace and put them on his home computer, which was running the program. The hackers stole highly classified information on how the NSA conducts espionage and protects against incursions by other countries, said people familiar with the matter. But the use of the Kaspersky program to spy on the U.S. is broader and more pervasive than the operation against that one individual, whose name hasn't been publicly released, current and former officials said. This link should get you around WSJ's paywall. Also read: Israeli Spies 'Watched Russian Agents Breach Kaspersky Software'
Australia

Unsent Text On Mobile Counts As a Will, Australian Court Finds (abc.net.au) 144

A court in Australia has accepted an unsent, draft text message on a dead man's mobile phone as an official will. The 55-year-old man had composed a text message addressed to his brother, in which he gave "all that I have" to his brother and nephew. From a report: The Supreme Court in Brisbane heard the 55-year-old took his own life in October 2016, after composing a text addressed to his brother, which indicated his brother and nephew should "keep all that I have," because he was unhappy with this wife. A friend found the text message in the drafts folder of the man's mobile phone, which was found near his body. The unsent message detailed how to access the man's bank account details and where he wanted his ashes to be buried.
Businesses

Israeli Spies 'Watched Russian Agents Breach Kaspersky Software' (bbc.com) 194

Israeli spies looked on as Russian hackers breached Kaspersky cyber-security software two years ago, according to reports. From a report: The Russians were allegedly attempting to gather data on US intelligence programs, according to the New York Times and Washington Post. Israeli agents made the discovery after breaching the software themselves. Kaspersky has said it was neither involved in nor aware of the situation and denies collusion with authorities. Last month, the US government decided to stop using the Russian firm's software on its computers. The Israelis are said to have notified the US, which led to the ban on Kaspersky programs. The New York Times said that the situation had been described by "multiple people who have been briefed on the matter."
Encryption

Justice Department To Be More Aggressive In Seeking Encrypted Data From Tech Companies (wsj.com) 204

An anonymous reader quotes a report from The Wall Street Journal (Warning: source may be paywalled; alternative source): The Justice Department signaled Tuesday it intends to take a more aggressive posture in seeking access to encrypted information from technology companies, setting the stage for another round of clashes in the tug of war between privacy and public safety. Deputy Attorney General Rod Rosenstein issued the warning in a speech in Annapolis, Md., saying that negotiating with technology companies hasn't worked. "Warrant-proof encryption is not just a law enforcement problem," Mr. Rosenstein said at a conference at the U.S. Naval Academy. "The public bears the cost. When our investigations of violent criminal organizations come to a halt because we cannot access a phone, even with a court order, lives may be lost." Mr. Rosenstein didn't say what precise steps the Justice Department or Trump administration would take. Measures could include seeking court orders to compel companies to cooperate or a push for legislation. A Justice Department official said no specific plans were in the works and Mr. Rosenstein's speech was intended to spur public awareness and discussion of the issue because companies "have no incentive to address this on their own."
Operating Systems

OxygenOS Telemetry Lets OnePlus Tie Phones To Individual Users (bleepingcomputer.com) 164

An anonymous reader quotes a report from Bleeping Computer: OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is tracking users actions without anonymizing data, allowing OnePlus to connect each phone to its customer. A security researcher going by the pseudonym of Tux discovered the abusive tracking in July 2016, but his tweet went largely unnoticed in the daily sea of security tweets sent out each day. The data collection issue was brought up to everyone's attention again, today, after British security researcher Christopher Moore published the results of a recent study on his site.

Just like Tux, Moore discovered that OxygenOS was sending regular telemetry to OnePlus' servers. This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws. The problem is that OnePlus is not anonymizing this information. The Shenzhen-based Chinese smartphone company is collecting a long list of details, such as: IMEI code, IMSI code, ESSID and BSSID wireless network identifiers, and more. The data collection process cannot be disabled from anywhere in the phone's settings. When Moore contacted OnePlus support, the company did not provide a suitable answer for his queries.

Software

Symantec CEO: Source Code Reviews Pose Unacceptable Risk (reuters.com) 172

In an exclusive report from Reuters, Symantec's CEO says it is no longer allowing governments to review the source code of its software because of fears the agreements would compromise the security of its products. From the report: Tech companies have been under increasing pressure to allow the Russian government to examine source code, the closely guarded inner workings of software, in exchange for approvals to sell products in Russia. Symantec's decision highlights a growing tension for U.S. technology companies that must weigh their role as protectors of U.S. cybersecurity as they pursue business with some of Washington's adversaries, including Russia and China, according to security experts. While Symantec once allowed the reviews, Clark said that he now sees the security threats as too great. At a time of increased nation-state hacking, Symantec concluded the risk of losing customer confidence by allowing reviews was not worth the business the company could win, he said.
Security

Equifax Increases Number of Britons Affected By Data Breach To 700,000 (telegraph.co.uk) 58

phalse phace writes: You know those 400,000 Britons that were exposed in Equifax's data breach? Well, it turns out the number is actually closer to 700,000. The Telegraph reports: "Equifax has just admitted that almost double the number of UK customers had their information stolen in a major data breach earlier this year than it originally thought, and that millions more could have had their details compromised. The company originally estimated that the number of people affected in the UK was 'fewer than 400,000.' But on Tuesday night it emerged that cyber criminals had targeted 15.2 million records in the UK. It said 693,665 people could have had their data exposed, including email addresses, passwords, driving license numbers, phone numbers. The stolen data included partial credit card details of less than 15,000 customers."
Cellphones

Security, Privacy Focused Librem 5 Linux Smartphone Successfully Crowdfunded (softpedia.com) 82

prisoninmate shares a report from Softpedia: Believe it or not, Purism's Librem 5 security and privacy-focused smartphone has been successfully crowdfunded a few hours ago when it reached and even passed its goal of $1.5 million, with 13 days left. Librem 5 wants to be an open source and truly free mobile phone designed with security and privacy in mind, powered by a GNU/Linux operating system based on Debian GNU/Linux and running only Open Source software apps on top of a popular desktop environment like KDE Plasma Mobile or GNOME Shell. Featuring a 5-inch screen, Librem 5 is compatible with 2G, 3G, 4G, GSM, UMTS, and LTE mobile networks. Under the hood, it uses an i.MX 6 or i.MX 8 processor with separate baseband modem to offer you the protection you need in today's communication challenges, where you're being monitored by lots of government agencies.
Transportation

Dutch Government Confirms Plan To Ban New Petrol, Diesel Cars By 2030 (electrek.co) 347

An anonymous reader quotes a report from Electrek: Today, the new Dutch government presented its detailed plan for the coming years and it includes making all new cars emission-free by 2030 -- virtually banning petrol- and diesel-powered cars in favor of battery-powered vehicles. The four coalition parties have been negotiating their plans since the election in March and now after over 200 days, they have finally released the plan they agreed upon. NL Times posted all the main points of the plan and in "transportation," it includes: By 2030 all cars in the Netherlands must be emission free. While some local publications are reporting "all cars," we are told that it would be for "all new cars" as it is the case for the countries with similar bans under consideration. The potential for the ban has been under consideration in the country since last year. The year 2025, like in Norway, has been mentioned, but they apparently decided for the less ambitious goal of 2030.
Privacy

Amazon Is Reportedly Building a Doorbell That Lets Drivers Into Your House (cnbc.com) 202

According to CNBC, Amazon is working with Phrame, a maker of smart license plates that allow items to be delivered to a car's trunk, to build a smart doorbell that would give delivery drivers one-time access to a person's home to drop off items. From the report: Phrame's product fits around a license plate and contains a secure box that holds the keys to the car. Users unlock the box with their smartphone, and can grant access to others -- such as delivery drivers -- remotely. The new initiatives are part of Amazon's effort to go beyond convenience and fix problems associated with unattended delivery. As more consumers shop online and have their packages shipped to their homes, valuable items are often left unattended for hours. Web retailers are dealing with products getting damaged by bad weather as well as the rise of so-called porch pirates, who steal items from doorsteps. Amazon also has an incentive to reduce the number of lost packages, as they can be costly.

Slashdot Top Deals