Government

US Senators Propose Bug Bounties For Hacking Homeland Security (cnn.com) 49

An anonymous reader quotes CNN: U.S. senators want people to hack the Department of Homeland Security. On Thursday, Senators Maggie Hassan, a Democrat and Republican Rob Portman introduced the Hack DHS Act to establish a federal bug bounty program in the DHS... It would be modeled off the Department of Defense efforts, including Hack the Pentagon, the first program of its kind in the federal government. Launched a year ago, Hack the Pentagon paved the way for more recent bug bounty events including Hack the Army and Hack the Air Force...

The Hack the DHS Act establishes a framework for bug bounties, including establishing "mission-critical" systems that aren't allowed to be hacked, and making sure researchers who find bugs in DHS don't get prosecuted under the Computer Fraud and Abuse Act. "It's better to find vulnerabilities through someone you have engaged with and vetted," said Jeff Greene, the director of government affairs and policy at security firm Symantec. "In an era of constrained budgets, it's a cost-effective way of identifying vulnerabilities"... If passed, it would be among the first non-military bug bounty programs in the public sector.

Networking

New Privacy Vulnerability In IOT Devices: Traffic Rate Metadata (helpnetsecurity.com) 21

Orome1 quotes Help Net Security: Even though many IoT devices for smart homes encrypt their traffic, a passive network observer -- e.g. an ISP, or a neighborhood WiFi eavesdropper -- can infer consumer behavior and sensitive details about users from IoT device-associated traffic rate metadata. A group of researchers from the Computer Science Department of Princeton University have proven this fact by setting up smart home laboratory with a passive network tap, and examining the traffic rates of four IoT smart home devices: a Sense sleep monitor, a Nest Cam Indoor security camera, a WeMo smart outlet, and an Amazon Echo smart speaker... "Once an adversary identifies packet streams for a particular device, one or more of the streams are likely to encode device state. Simply plotting send/receive rates of the streams revealed potentially private user interactions for each device we tested," the researchers noted. [PDF]
In addition, the article notes, "Separating recorded network traffic into packet streams and associating each stream with an IoT device is not that hard."
Government

Silicon Valley Continues To Explore Universal Basic Incomes (siliconvalley.com) 270

A Silicon Valley Congressman "is pushing for a plan that has been described as a first step toward universal basic income...a long-shot $1 trillion expansion to the earned income tax credit that is already available to low-income families." An anonymous reader quotes the Mecury News: Stanford University also has created a Basic Income Lab to study the idea, and the San Francisco city treasurer's office has said it's designing pilot tests -- though the department told this news organization it has no updates on the status of that project... The problem is that giving all Americans a $10,000 annual income would cost upwards of $3 trillion a year -- more than three-fourths of the federal budget, said Bob Greenstein, president of Washington, D.C.-based Center for Budget and Policy Priorities. Some proponents advocate funding the move by cutting programs like food stamps and Medicaid. But that approach would take money set aside for low-income families and redistribute it upward, exacerbating poverty and inequality, Greenstein said... Jennifer Lin, deputy director of the East Bay Alliance for a Sustainable Economy, is skeptical that basic income can do much lasting good in Oakland. What the city needs is more high-paying jobs and affordable housing, she said... The idea, [Sam Altman, president of Y Combinator] said at the Commonwealth Club, tackles the question not enough people are asking: "What do we as the tech industry do to solve the problem that we're helping to create?"
This summer Y Combinator is expected to announce a larger Universal Basic Income program, though the article also describes "small pilot studies" in the 1960s and 1970s in Canada and in several U.S. states including New Jersey, Pennsylvania, North Carolina, Iowa and Indiana, where "Some studies showed improvements in participants' physical and mental health, and found children performed better in school or stayed in school longer. But some also showed that people receiving a basic income were inclined to spend fewer hours working."
Microsoft

Security Analyst Concludes Windows 10 Enterprise 'Tracks Too Much' (xato.net) 264

A viral Twitter rant about Windows 10 Enterprise supposedly ignoring users' privacy settings has since been clarified. "I made mistakes on my original testing and therefore saw more connections than I should have," writes IT security analyst Mark Burnett, "including some to Google ads." But his qualified results -- quoted below -- are still critical of Microsoft:
  • You can cut back even more using the Windows Restricted Traffic Limited Functionality Baseline but break many things.
  • Settings can be set wrong if you aren't paying attention. Also, settings are not consistent and can be confusing to beginners.
  • You are opted-in to just about everything by default and have to set hundreds of settings to opt out, even on an Enterprise Windows system. Sometimes multiple settings for the same feature. Most Microsoft documentation discourages opting out and warns of a less optimal experience... But you can't completely opt-out. Windows still tracks too much.
  • Home and Professional users are much worse off due to limitations of some settings and lack of an IT staff... I'm not saying ditch Windows. I'm saying let's fix this. If we can't fix it, then we ditch Windows.

The Courts

The Lawyer Who Founded Prenda Law Just Got Disbarred (engadget.com) 61

Long-time Slashdot reader lactose99 writes: One of the original copyright trolls finally got their comeuppance. From TFA: "John L. Steele, a Chicago lawyer who pled guilty to perjury, fraud and money laundering resulting from alleged 'honeypot' schemes, has just been disbarred by an Illinois court." John L. Steele, as you may know, is one of the principals of Prenda Law, a notorious copyright troll who has been featured on /. several times. The article goes on to describe how the Prenda lawyers used honeypot-like tactics to trick people into downloads and then subsequently scammed them for copyright violations.
Their operation brought in $6 million in settlement fees, reports Engadget, adding "While it is illegal to download copyrighted files from file-sharing sites, it is also against the law to extort downloaders."
Government

Investigation Demanded Over Fake FCC Comments Submitted By Dead People (bbc.com) 140

An anonymous reader writes: Fight for the Future has found another issue with the fake comments submitted to the FCC opposing net neutrality. "The campaign group says that some of the comments were posted using the names and details of dead people," according to the BBC. The exact same comment was also submitted more than 7,000 times using addresses in Colorado, where a reporter discovered that contacting the people at those addresses drew reactions which included "I have never seen this before in my life" and "No, I did not post this comment. In fact, I disagree with this comment." Fight for the Future also knocked on doors in Tampa, Florida, where the few people who answered "were shocked to hear that their name and address were publicly listed alongside a political message they did not necessarily understand or agree with." An alleged commenter in Montana told a reporter she didn't even know what net neutrality was.

14 people have already signed Fight for the Future's official complaint to the FCC, which calls for notification of all people affected, an investigation, and the immediate removal of all fake comments from the public docket. "Based on numerous media reports, nearly half a million Americans may have been impacted by whoever impersonated us," states the letter, "in a dishonest and deceitful campaign to manufacture false support for your plan to repeal net neutrality protections."

Fight for the Future says they've already verified "dozens" of instance of real people discovering a fake comment was submitted in their name -- and that in addition, more than 2,400 people have already used their site to contact their state Attorneys General demanding an investigation. They note the FCC has taken no steps to remove the fake comments from its docket, "risking the safety and privacy of potentially hundreds of thousands of people," while a campaign director at Fight for the Future added, "For the FCC's process to have any legitimacy, they simply cannot move forward until an investigation has been conducted."
Republicans

Hackers Have Targeted Both the Trump Organization And Democrat Election Data (arstechnica.com) 224

An anonymous reader writes: Two recent news stories give new prominence to politically-motivated data breaches. Friday the Wall Street Journal reported that last year Guccifer 2.0 sent 2.5 gigabytes of Democratic Congressional Campaign Committee election data to a Republican operative in Florida, including their critical voter turnout projections. At the same time ABC News is reporting that the FBI is investigating "an attempted overseas cyberattack against the Trump Organization," adding that such an attack would make his network a high priority for government monitoring.

"In the course of its investigation," they add, "the FBI could get access to the Trump Organization's computer network, meaning FBI agents could possibly find records connected to other investigations." A senior FBI official (now retired) concedes to ABC that "There could be stuff in there that they [the Trump organization] do not want to become part of a separate criminal investigation."

It seems like everyone's talking about the privacy of their communications. Tonight the Washington Post writes that Trump's son-in-law/senior advisor Jared Kushner "discussed the possibility of setting up a secret and secure communications channel between Trump's transition team and the Kremlin, using Russian diplomatic facilities in an apparent move to shield their pre-inauguration discussions from monitoring, according to U.S. officials briefed on intelligence reports." And Friday Hillary Clinton was even quoted as saying, "I would have won had I not been subjected to the unprecedented attacks by Comey and the Russians..."
Encryption

10 Years Later: FileZilla Adds Support For Master Password That Encrypts Your Logins (bleepingcomputer.com) 80

An anonymous reader writes: "Following years of criticism and user requests, the FileZilla FTP client is finally adding support for a master password that will act as a key for storing FTP login credentials in an encrypted format," reports BleepingComputer. "This feature is scheduled to arrive in FileZilla 3.26.0, but you can use it now if you download the 3.26.0 (unstable) release candidate from here." By encrypting its saved FTP logins, FileZilla will finally thwart malware that scrapes the sitemanager.xml file and steals FTP credentials, which were previously stolen in plain text. The move is extremely surprising, at least for the FileZilla user base. Users have been requesting this feature for a decade, since 2007, and they have asked it many and many times since then. All their requests have fallen on deaf ears and met with refusal from FileZilla maintainer, Tim Kosse. In November 2016, a user frustrated with Koose's stance forked the FileZilla FTP client and added support for a master password via a spin-off app called FileZilla Secure.
Facebook

Facebook Bans Sale of Piracy-Enabling Set-Top Boxes 67

Lirodon quotes a report from Variety: Facebook has joined the fight against illegal video-streaming devices. The social behemoth recently added a new category to products it prohibits users to sell under its commerce policy: Products or items that "facilitate or encourage unauthorized access to digital media." The change in Facebook's policy, previously reported by The Drum, appears primarily aimed at blocking the sale of Kodi-based devices loaded with software that allows unauthorized, free access to piracy-streaming services. Kodi is free, open-source media player software. The app has grown popular among pirates, who modify the code with third-party add-ons for illegal streaming. Even with the ban officially in place, numerous "jail-broken" Kodi-enabled devices remain listed in Facebook's Marketplace section, indicating that the company has yet to fully enforce the new ban. A Facebook rep confirmed the policy went into effect earlier this month. In addition, the company updated its advertising policy to explicitly ban ads for illegal streaming services and devices.
Bug

Two Different Studies Find Thousands of Bugs In Pacemakers, Insulin Pumps and Other Medical Devices 48

Two studies are warning of thousands of vulnerabilities found in pacemakers, insulin pumps and other medical devices. "One study solely on pacemakers found more than 8,000 known vulnerabilities in code inside the cardiac devices," reports BBC. "The other study of the broader device market found only 17% of manufacturers had taken steps to secure gadgets." From the report: The report on pacemakers looked at a range of implantable devices from four manufacturers as well as the "ecosystem" of other equipment used to monitor and manage them. Researcher Billy Rios and Dr Jonathan Butts from security company Whitescope said their study showed the "serious challenges" pacemaker manufacturers faced in trying to keep devices patched and free from bugs that attackers could exploit. They found that few of the manufacturers encrypted or otherwise protected data on a device or when it was being transferred to monitoring systems. Also, none was protected with the most basic login name and password systems or checked that devices they were connecting to were authentic. Often, wrote Mr Rios, the small size and low computing power of internal devices made it hard to apply security standards that helped keep other devices safe. In a longer paper, the pair said device makers had work to do more to "protect against potential system compromises that may have implications to patient care." The separate study that quizzed manufacturers, hospitals and health organizations about the equipment they used when treating patients found that 80% said devices were hard to secure. Bugs in code, lack of knowledge about how to write secure code and time pressures made many devices vulnerable to attack, suggested the study.
Security

Chipotle Says 'Most' of Its Restaurants Were Infected With Credit Card Stealing Malware (theverge.com) 115

Earlier this year, Chipotle announced that the their payment processing system was hacked. Today, the company has released more information about the hack, identifying the malware that was responsible and releasing a new tool to help customers check whether the restaurant they visited was involved. The company did not say how many restaurants were affected, but it did tell The Verge that "most" locations nationwide may have been involved. The Verge reports: "The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device," Chipotle said in a statement. "There is no indication that other customer information was affected." We browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well. (The list of identified restaurants can be found here, which includes locations in Kansas, Missouri, Colorado, and Ohio.) Chipotle noted that not all locations have been identified, but it's a starting guide to check whether your visit lines up with the breached period.
Businesses

Sean Parker Is Going To Great Lengths To Ensure 'Screening Room' Is Piracy Free, Patents Reveal (torrentfreak.com) 139

Napster co-founder Sean Parker has been working on his new service called Screening Room, which when becomes reality, could allow people to watch the latest Hollywood blockbusters in their living room as soon as they premiere at the box office. This week we get a glimpse at the kind of technologies Parker is using to ensure that the movies don't get distributed easily. From a report: Over the past several weeks, Screening Room Media, Inc. has submitted no less than eight patent applications related to its plans, all with some sort of anti-piracy angle. For example, a patent titled "Presenting Sonic Signals to Prevent Digital Content Misuse" describes a technology where acoustic signals are regularly sent to mobile devices, to confirm that the user is near the set-top box and is authorized to play the content. Similarly, the "Monitoring Nearby Mobile Computing Devices to Prevent Digital Content Misuse" patent, describes a system that detects the number of mobile devices near the client-side device, to make sure that too many people aren't tuning in. The general technology outlined in the patents also includes forensic watermarking and a "P2P polluter." The watermarking technology can be used to detect when pirated content spreads outside of the protected network onto the public Internet. "At this point, the member's movie accessing system will be shut off and quarantined. If the abuse or illicit activity is confirmed, the member and the household will be banned from the content distribution network," the patent reads. [...] Screening Room's system also comes with a wide range of other anti-piracy scans built in. Among other things, it regularly scans the Wi-Fi network to see which devices are connected, and Bluetooth is used to check what other devices are near.
Businesses

Disney Chief Bob Iger Doesn't Believe Movie Hack Threat Was Real (hollywoodreporter.com) 27

You may remember Disney's boss revealing that hackers had threatened to leak one of the studio's new films unless it paid a ransom. Bob Iger didn't name the film, but it was thought to be "Pirates of the Caribbean: Dead Men Tell No Tales." But now Iger says: "To our knowledge we were not hacked." From a report: Disney chairman-CEO Bob Iger confirmed Thursday that a hacker claiming to have stolen an upcoming Disney movie and demanding a ransom didn't appear to have the goods. "To our knowledge we were not hacked," Iger told Yahoo Finance. "We had a threat of a hack of a movie being stolen. We decided to take it seriously but not react in the manner in which the person who was threatening us had required." Iger continued, "We don't believe that it was real and nothing has happened." On May 15, as first reported by The Hollywood Reporter, Iger told ABC employees at a town hall meeting in New York that someone claiming to have stolen an upcoming movie would release the film on the internet unless the company paid a ransom. Iger told staff that the studio wouldn't meet any such demands.
Government

Major US Tech Firms Press Congress For Internet Surveillance Reforms (reuters.com) 38

Dustin Volz, reporting for Reuters: Facebook, Amazon and more than two dozen other U.S. technology companies pressed Congress on Friday to make changes to a broad internet surveillance law, saying they were necessary to improve privacy protections and increase government transparency. The request marks the first significant public effort by Silicon Valley to wade into what is expected to be a contentious debate later the year over the Foreign Intelligence Surveillance Act, parts of which will expire on Dec. 31 unless Congress reauthorizes them. Of particular concern to the technology industry and privacy advocates is Section 702, which allows U.S. intelligence agencies to vacuum up vast amounts of communications from foreigners but also incidentally collects some data belonging to Americans that can be searched by analysts without a warrant.
Government

Proposed Active-Defense Bill Would Allow Destruction of Data, Use of Beacon Tech (onthewire.io) 68

Trailrunner7 quotes a report from On the Wire: A bill that would allow victims of cybercrime to use active defense techniques to stop attacks and identify attackers has been amended to require victims to notify the FBI of their actions and also add an exemption to allow victims to destroy their data once they locate it on an attacker's machine. The Active Cyber Defense Certainty Act, drafted by Rep. Tom Graves (R-Ga.) in March, is designed to enable people who have been targets of cybercrime to employ certain specific techniques to trace the attack and identify the attacker. The bill defines active cyber defense as "any measure -- (I) undertaken by, or at the direction of, a victim"; and "(II) consisting of accessing without authorization the computer of the attacker to the victim" own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim's own network." After releasing an initial draft of the bill in March, Rep. Tom Graves held a public event in Georgia to collect feedback on the legislation. Based on that event and other feedback, Graves made several changes to the bill, including the addition of the notification of law enforcement and an exception in the Computer Fraud and Abuse Act for victims who use so-called beaconing technology to identify an attacker. "The provisions of this section shall not apply with respect to the use of attributional technology in regard to a defender who uses a program, code, or command for attributional purposes that beacons or returns locational or attributional data in response to a cyber intrusion in order to identify the source of the intrusion," the bill says.

Slashdot Top Deals