Government

US Customs Wants To Know Travelers' Social Media Account Names (helpnetsecurity.com) 224

Orome1 quotes a report from Help Net Security: The U.S. Customs and Border Protection agency has submitted a request to the Office of Management and Budget, asking for permission to collect travelers' social media account names as they enter the country. The CBP, which is part of the U.S. Department of Homeland Security, proposes that the request "Please enter information associated with your online presence -- Provider/Platform -- Social media identifier" be added to the Electronic System for Travel Authorization (ESTA) and to the CBP Form I-94W (Nonimmigrant Visa Waiver Arrival/Departure). "It will be an optional field to request social media identifiers to be used for vetting purposes, as well as applicant contact information," the CBP noted. "Collecting social media data will enhance the existing investigative process and provide DHS greater clarity and visibility to possible nefarious activity and connections by providing an additional tool set which analysts and investigators may use to better analyze and investigate the case." The public and affected agencies are asked to comment on the request within 60 days of its publication. Commenters are asked to send their comments to this address.
The Courts

President Obama Should Pardon Edward Snowden Before Leaving Office (theverge.com) 261

An anonymous reader writes from a report via The Verge: Ever since Edward Snowden set in motion the most powerful public act of whistleblowing in U.S. history, he has been living in exile from the United States in Russia. An article in this week's New York Magazine looks at how Snowden may have a narrow window of opportunity in which President Obama could pardon him before he leaves office. Presumably, once Obama leaves office, the chances of Snowden being pardoned by Hillary Clinton or Donald Trump are minuscule. Obama has said nothing in the past few years to suggest he's interested in pardoning Snowden. Not only would it contradict his national security policy, but it would severely alienate the intelligence community for many years to come. With that said, anyone who values a free and secure internet believes pardoning Snowden would be the right thing to do. The Verge reports: "[Snowden] faces charges under the Espionage Act, which makes no distinction between delivering classified files to journalists and delivering the same files to a foreign power. For the first 80 years of its life, it was used almost entirely to prosecute spies. The president has prosecuted more whistleblowers under the Espionage Act than all presidents before him combined. His Justice Department has vastly expanded the scope of the law, turning it from a weapon against the nation's enemies to one that's pointed against its own citizens. The result will be less scrutiny of the nation's most powerful agencies, and fewer forces to keep them in check. With Snowden's push for clemency, the president has a chance to complicate that legacy and begin to undo it. It's the last chance we'll have."
Facebook

Facebook Is Using Your Phone's Location To Suggest New Friends (fusion.net) 123

Fusion's Kashmir Hill is reporting that Facebook is using your phone's location to suggest new friends. It's unclear exactly when the social juggernaut began doing this, but a number of instances suggest it only started recently. From the report: Last week, I met a man who suspected Facebook had tracked his location to figure out who he was meeting with. He was a dad who had recently attended a gathering for suicidal teens. The next morning, he told me, he opened Facebook to find that one of the anonymous parents at the gathering popped up as a "person you may know." [...] "People You May Know are people on Facebook that you might know," a Facebook spokesperson said. "We show you people based on mutual friends, work and education information, networks you're part of, contacts you've imported and many other factors." One of those factors is smartphone location. A Facebook spokesperson said, though, that shared location alone would not result in a friend suggestion, saying that the two parents must have had something else in common, such as overlapping networks. While this feature could be useful in some cases, many may -- and should -- see it as a big invasion of their privacy; Hill succinctly explains a number of the ways it can expose people who would rather not be connected.
Security

Google CEO Sundar Pichai's Quora Account Hacked (thenextweb.com) 24

Google CEO Sundar Pichai is the latest high-profile victim of a hacking group called OurMine. Earlier today, the group managed to get hold of Pichai's Quora account, which, in turn, gave them access to his Twitter feed as well. In a statement to The Next Web, the group said that their intention is just to test people's security, and that they never change the victim's passwords. Looking at the comments they left after hacking Pichai's account, it is also clear that OurMine is promoting its security services. The same group recently also hacked Facebook CEO Mark Zuckerberg's Twitter and Pinterest accounts.
Government

As It Searches For Suspects, The FBI May Be Looking At You (technologyreview.com) 88

schwit1 quotes the MIT Technology Review: The FBI has access to nearly 412 million photos in its facial recognition system—perhaps including the one on your driver's license. But according to a new government watchdog report, the bureau doesn't know how error-prone the system is, or whether it enhances or hinders investigations.

Since 2011, the bureau has quietly been using this system to compare new images, such as those taken from surveillance cameras, against a large set of photos to look for a match. That set of existing images is not limited to the FBI's own database, which includes some 30 million photos. The bureau also has access to face recognition systems used by law enforcement agencies in 16 different states, and it can tap into databases from the Department of State and the Department of Defense. And it is in negotiations with 18 other states to be able to search their databases, too...

Adding to the privacy concerns is another finding in the GAO report: that the FBI has not properly determined how often its system makes errors and has not "taken steps to determine whether face recognition systems used by external partners, such as states and federal agencies, are sufficiently accurate" to support investigations.

Government

IRS Gets Hacked Again, Forced To Scrap Their Entire PIN System (engadget.com) 104

The IRS has abandoned a system of PINs used when filing tax returns online after it detected "automated attacks taking place at an increasing frequency," adding that only "a small number" of taxpayers were affected. An anonymous reader quotes the highlights from Engadget: The IRS chose not to kill the tool back in February, since most commercial tax software products use it... If you'll recall, identity thieves used malware to steal taxpayers' info from other websites, which was then used to generate 100,000 PINs, back in February... This time, the IRS detected "automated attacks taking place at an increasing frequency" thanks to the additional defenses it added after that initial hack... the agency determined that it would be safer to give up on a verification method that's scheduled for the chopping block anyway.
Security

Crypto Ransomware Attacks Have Jumped 500% In The Last Year (onthewire.io) 36

Kaspersky Lab is reporting that the last year saw a 500% increase in the number of users who encountered crypto ransomware. Trailrunner7 shares an article from On The Wire: Data compiled by Kaspersky researchers from the company's cloud network shows that from April 2015 to March 2016, the volume of crypto ransomware encountered by users leapt from 131,111 to 718,536. That's a massive increase, especially considering the fact that ransomware is a somewhat mature threat. It didn't just burst onto the scene a couple of years ago. Kaspersky's researchers said the spike in crypto ransomware can be attributed to a small group of variants. "Looking at the malware groups that were active in the period covered by this report, it appears that a rather short list of suspects is responsible for most of the trouble caused by crypto-ransomware..."

It's difficult to overstate how much of an effect the emergence of ransomware has had on consumers, enterprises, and the security industry itself. The FBI has been warning users about crypto ransomware for some time now, and has consistently advised victims not to pay any ransoms. Security researchers have been publishing decryption tools for specific ransomware variants and law enforcement agencies have had some success in taking down ransomware gangs.

Enterprise targets now account for 13% of ransomware attacks, with attackers typically charging tens of thousands of dollars, the article reports, and "Recent attacks on networks at the University of Calgary and Hollywood Presbyterian Medical Center have demonstrated the brutal effectiveness of this strategy."
Communications

Why You Should Stop Using Telegram Right Now (gizmodo.com) 67

Earlier this week, The Intercept evaluated the best instant messaging clients from the privacy standpoint. The list included Facebook's WhatsApp, Google's Allo, and Signal -- three apps that employ end-to-end encryption. One popular name that was missing from the list was Telegram. A report on Gizmodo sheds further light on the matter, adding that Telegram is riddled with a wide range of security issues, and "doesn't live up to its proclamations as a safe and secure messaging application." Citing many security experts, the report states: One major problem Telegram has is that it doesn't encrypt chats by default, something the FBI has advocated for. "There are many Telegram users who think they are communicating in an encrypted way, when they're not because they don't realize that they have to turn on an additional setting," Christopher Soghoian, Principal Technologist and Senior Policy Analyst at the American Civil Liberties Union, told Gizmodo. "Telegram has delivered everything that the government wants. Would I prefer that they used a method of encryption that followed industry best practices like WhatsApp and Signal? Certainly. But, if it's not turned on by default, it doesn't matter." The other issue that security experts have taken note of is that Telegram employs its own encryption, which according to them "is widely considered to be a fatal flaw when developing encrypted messaging apps." The report adds: "They use the MTProto protocol which is effectively homegrown and I've seen no proper proofs of its security," Alan Woodward, professor at the University of Surrey, told Gizmodo. Woodward criticized Telegram for their lack of transparency regarding their home-cooked encryption protocol. "At present we don't know enough to know if it's secure or insecure. That's the trouble with security by obscurity. It's usual for cryptographers to reveal the algorithms completely, but here we are in the dark. Unless you have considerable experience, you shouldn't write your own crypto. No one really understands why they did that." The list goes on and on.
Security

NASCAR Team Pays Ransomware Fee To Recover Files Worth $2 Million (softpedia.com) 58

An anonymous reader writes: "NASCAR team Circle Sport-Leavine Family Racing (CSLFR) revealed today it faced a ransomware infection this past April when it almost lost access to crucial files worth nearly $2 million, containing car parts lists and custom high-profile simulations that would have taken 1,500 man-hours to replicate," reports Softpedia. "The infection took place on the computer belonging to CSLFR's crew chief. Winston's staff detected the infection when encrypted files from Winston's computer began syncing to their joint Dropbox account." It was later discovered that the machine was infected with the TeslaCrypt ransomware. Because the team had no backups of the crucial data, they eventually paid the ransom (around $500). This happened before TeslaCrypt's authors decided to shut down their operations and release free decryption keys.
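The team noticed the infection only because ciphertext started flowing into a shared Dropbox folder. The script below is an added example, not code from the article or from CSLFR, of the check a defender could run over the files that change in one sync window: flag a known ransomware-appended extension, or a file whose byte entropy is near 8 bits/byte when its declared type should be compressible, and raise a burst alert when many files in the same window trip the check. The extension list, the entropy threshold, the list of formats that are dense by design, and the sample files are all constructed assumptions for this illustration; a real deployment would feed the extension list from current threat intelligence.

```python
import math
import random
from collections import Counter
from pathlib import PurePath
from typing import Dict, Optional

# Maximum possible entropy is 8.0 bits/byte; ciphertext sits close to it.
# The threshold is an assumption tuned for this example.
ENTROPY_THRESHOLD = 7.2

# Formats that are compressed or encrypted by design: high entropy alone is expected here.
NATURALLY_DENSE = {".jpg", ".jpeg", ".png", ".gif", ".zip", ".7z", ".gz",
                   ".docx", ".xlsx", ".pdf", ".mp4"}

# Extensions widely reported as appended by TeslaCrypt variants. Assumption: in practice
# this list comes from current threat intelligence rather than being hard-coded.
RANSOM_EXTENSIONS = {".ecc", ".ezz", ".exx", ".vvv", ".micro"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> Optional[str]:
    """Return why the file looks like ransomware output, or None if it looks benign."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    if suffixes and suffixes[-1] in RANSOM_EXTENSIONS:
        return f"known ransomware extension {suffixes[-1]}"
    ext = suffixes[-1] if suffixes else ""
    entropy = shannon_entropy(data)
    if entropy >= ENTROPY_THRESHOLD and ext not in NATURALLY_DENSE:
        return f"entropy {entropy:.2f} bits/byte in a normally compressible type {ext or '(none)'}"
    return None


def sweep(files: Dict[str, bytes], burst_ratio: float = 0.25) -> Dict[str, object]:
    """Classify every file that changed in one sync window.

    One hit may be a false positive (an encrypted archive with an odd name);
    many hits in a single window is the bulk-rewrite pattern ransomware produces.
    """
    findings = {}
    for name, data in files.items():
        reason = classify(name, data)
        if reason:
            findings[name] = reason
    ratio = len(findings) / len(files) if files else 0.0
    return {"findings": findings, "hit_ratio": ratio, "burst": ratio >= burst_ratio}


def build_sample(seed: int = 1) -> Dict[str, bytes]:
    """Constructed sync-window contents: two benign files, two that look encrypted."""
    rng = random.Random(seed)

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    parts_csv = b"part_no,description,qty\n" + b"1001,brake rotor,4\n" * 200
    return {
        "parts_list.csv": parts_csv,        # plain text, low entropy
        "car_photo.jpg": noise(4096),       # dense by design, expected
        "parts_list.csv.vvv": noise(4096),  # ransomware-appended extension
        "setup_notes.txt": noise(4096),     # rewritten in place with ciphertext
    }


if __name__ == "__main__":
    result = sweep(build_sample())
    for name, reason in result["findings"].items():
        print(f"FLAG {name}: {reason}")
    print("burst alert:", result["burst"])
```

The entropy check is what catches ransomware that overwrites files without renaming them; the extension check is cheap but only as good as the list behind it. Neither is a substitute for the offline backup the team did not have.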
AI

Apple Won't Collect Your Data For Its AI Services Unless You Let It (recode.net) 35

Apple doesn't like collecting your data. This is one of the iPhone maker's biggest selling points. But this approach has arguably acted as a major roadblock for Apple in its AI and bot efforts. With iOS 10, the latest version of the company's mobile operating system, Apple announced that it will begin collecting a range of new information as it seeks to make Siri, the iPhone, and other apps and services better at predicting the information their owner might want at a given time. Apple says it will collect this data using a technique called differential privacy. The company wasn't very clear at the event, which caused confusion among many as to exactly what data Apple is collecting. But now it is offering more explanation. Recode reports: As for what data is being collected, Apple says that differential privacy will initially be limited to four specific use cases: New words that users add to their local dictionaries, emojis typed by the user (so that Apple can suggest emoji replacements), deep links used inside apps (provided they are marked for public indexing) and lookup hints within notes. Apple will also continue to do a lot of its predictive work on the device, something it started with the proactive features in iOS 9. This work doesn't tap the cloud for analysis, nor is the data shared using differential privacy. Additionally, Recode adds that Apple hasn't yet begun collecting data, and it will ask for a user's consent before doing so. The company adds that it is not using users' cloud-stored photos to power its image recognition feature.
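Differential privacy is named above but not explained. The following is an added illustration, not Apple's code and not Apple's actual mechanism (which the article does not describe): textbook randomized response applied to the "new words" use case, with a constructed candidate vocabulary and a constructed device population. Each device keeps its true answer with probability e^epsilon / (1 + e^epsilon) and lies otherwise, so any single report is deniable, while the server debiases the noisy tally to estimate how many devices really hold each word. The word list, population sizes, epsilon and seeds are all assumptions made for this example.

```python
import math
import random
from typing import Dict, List, Set

# Constructed candidate vocabulary. In the real setting these would be the new words a
# keyboard learns; each device answers one yes/no question per candidate word.
CANDIDATES = ["yeet", "lit", "fleek"]


def truth_probability(epsilon: float) -> float:
    """Probability that a device reports its true bit; otherwise it flips it."""
    return math.exp(epsilon) / (1.0 + math.exp(epsilon))


def privacy_ratio(epsilon: float) -> float:
    """Worst-case likelihood ratio between the two possible truths for one report.

    Randomized response is epsilon-differentially private because this equals e^epsilon:
    no observer can be more than that factor surer of what the device really held.
    """
    p = truth_probability(epsilon)
    return p / (1.0 - p)


def randomized_response(truth: bool, epsilon: float, rng: random.Random) -> bool:
    """On-device step: keep the true bit with probability p, flip it otherwise."""
    return truth if rng.random() < truth_probability(epsilon) else not truth


def estimate_count(reports: List[bool], epsilon: float) -> float:
    """Server-side step: debias the noisy tally.

    With k true devices out of n, E[ones] = p*k + (1-p)*(n-k), hence
    k = (ones - (1-p)*n) / (2p - 1). The estimate is unbiased but noisy and can
    even go negative for rare words; it is only meaningful over a large population.
    """
    p = truth_probability(epsilon)
    n = len(reports)
    ones = sum(1 for r in reports if r)
    return (ones - (1.0 - p) * n) / (2.0 * p - 1.0)


def build_devices(n: int, true_counts: Dict[str, int], seed: int = 1) -> List[Set[str]]:
    """Constructed population: exactly true_counts[w] random devices hold word w."""
    rng = random.Random(seed)
    devices: List[Set[str]] = [set() for _ in range(n)]
    for word, count in true_counts.items():
        for i in rng.sample(range(n), count):
            devices[i].add(word)
    return devices


def collect(devices: List[Set[str]], epsilon: float, seed: int = 7) -> Dict[str, float]:
    """One randomized-response round per candidate word; returns the debiased estimates.

    Privacy loss composes: a device answering for every word in CANDIDATES spends
    len(CANDIDATES) * epsilon in total, so the per-question epsilon must be budgeted.
    """
    rng = random.Random(seed)
    estimates: Dict[str, float] = {}
    for word in CANDIDATES:
        reports = [randomized_response(word in held, epsilon, rng) for held in devices]
        estimates[word] = estimate_count(reports, epsilon)
    return estimates


if __name__ == "__main__":
    population = build_devices(20_000, {"yeet": 6_000, "lit": 2_000, "fleek": 0})
    for word, est in collect(population, epsilon=1.0).items():
        print(f"{word:6s} estimated devices: {est:8.0f}")
    print(f"per-report likelihood ratio at epsilon=1: {privacy_ratio(1.0):.3f} (= e)")
```

At epsilon = 1 with 20,000 devices the standard error of each estimate is roughly 135 devices, so the aggregate is useful while a single device's report is wrong about 27% of the time and proves nothing about that user. The trade-off is visible in the parameters: a smaller epsilon means more flipping, stronger deniability, and noisier counts.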
Communications

Piracy Phishing Scam Targets US ISPs and Subscribers (torrentfreak.com) 20

According to a report on TorrentFreak, an elaborate piracy phishing operation is targeting US ISPs and subscribers. Scammers are reportedly masquerading as anti-piracy company IP-Echelon and rightsholders such as Lionsgate to send fake DMCA notices and settlement demands to ISPs. From the report: TorrentFreak was alerted to a takedown notice Lionsgate purportedly sent to a Cox subscriber, for allegedly downloading a pirated copy of the movie Allegiant. Under threat of a lawsuit, the subscriber was asked to pay a $150 settlement fee. This request is unique as neither Lionsgate nor its tracking company IP-Echelon is known to engage in this practice. When we contacted IP-Echelon about Lionsgate's supposed settlement offer, we heard to our surprise that these emails are part of a large phishing scam, which has at least one large ISP fooled. "The notices are fake and not sent by us. It's a phishing scam," IP-Echelon informed TorrentFreak. For a phishing scam the fake DMCA notice does its job well. At first sight the email appears to be legit, and for Cox Communications it was real enough to forward it to their customers. U.S. law enforcement has been notified and is currently investigating the matter.
Businesses

Russia Lawmakers Pass Spying Law That Requires Encryption Backdoors, Call Surveillance (dailydot.com) 109

A bill recently proposed in the Russian Duma to make cryptographic backdoors mandatory in all messaging apps has passed. Patrick Howell O'Neill reports for DailyDot: A massive surveillance bill is now on its way to becoming law in Russia. The "anti-terrorism" legislation includes a vast data-eavesdropping and -retention program so that telecom and internet companies have to record and store all customer communications for six months, potentially at a multitrillion-dollar cost. Additionally, all internet firms have to provide mandatory backdoor access into encrypted communications for the FSB, the Russian intelligence agency and successor to the KGB. The bill, with support from the ruling United Russia party, passed Friday in the Duma, Russia's lower legislative house, with 277 votes for, 148 against, and one abstaining. It now moves to Russia's Federal Council and the Kremlin, where it's expected to pass into law.
Security

FBI Is Classifying Its Tor Browser Exploit Because 'National Security' (vice.com) 81

Joseph Cox, reporting for Motherboard: Defense teams across the US have been trying to get access to a piece of malware the FBI used to hack visitors of a child pornography site. None have been successful at obtaining all of the malware's code, and the government appears to have no intention of handing it over. Now, the FBI is classifying the Tor Browser exploit for reasons of national security, despite the exploit already being used in normal criminal investigations well over a year ago. Experts say it indicates a lack of organization or technical capabilities within the FBI. "The FBI has derivatively classified portions of the tool, the exploits used in connection with the tool, and some of the operational aspects of the tool in accordance with the FBI's National Security Information Classification Guide," government attorneys wrote in a filing earlier this month. It came in response to the defense of Gerald Andrew Darby, who is charged with child pornography offenses.
Advertising

HTML5 Ads Aren't That Safe Compared To Flash, Experts Say (softpedia.com) 108

An anonymous reader writes: [Softpedia reports:] "A study from GeoEdge (PDF), an ad scanning vendor, reveals that Flash has been wrongly accused as the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves. The company argues that for video ads, the primary root of malvertising is the VAST and VPAID advertising standards. VAST and VPAID are the rules of the game when it comes to online video advertising, defining the road an ad needs to take from the ad's creator to the user's browser. Even if the ad is Flash or HTML5, there are critical points in this ad delivery path where ad creators can alter the ad via JavaScript injections. These same critical points are also there so advertisers or ad networks can feed JavaScript code that fingerprints and tracks users." The real culprit is the ability to send JavaScript code at runtime, and not if the ad is a Flash object, an image or a block of HTML(5) code.
Security

Internet Trolls Hack Popular YouTube Channel WatchMojo (csoonline.com) 32

An anonymous reader writes: WatchMojo, one of the most popular channels on YouTube with over 12 million subscribers, has been hacked. Subscribers of the channel were greeted with an unusual surprise on Wednesday evening, as a pair of hackers, known only as Obnoxious and Pein, hijacked the channel's video lineup. The two hackers proceeded to rename almost all of WatchMojo's videos with the title "HACKED BY OBNOXIOUS AND PEIN twitter.com/poodlecorp." Since the channel was compromised, the hackers have uploaded two new videos, "Top 5 Facts About the Yakuza," and a video about Neanderthal myths. Apart from these, however, the hackers have not touched anything else on the channel, though most of WatchMojo's videos still carried the defaced titles at the time of writing. The channel announced that it is fully aware of the hack. WatchMojo further stated that it has already contacted YouTube about the incident and that it is already starting to revert the changes to its videos.
The Courts

Federal Court: The Fourth Amendment Does Not Protect Your Home Computer (eff.org) 307

An anonymous reader writes: The EFF reports that a federal court in Virginia today ruled that a criminal defendant has no "reasonable expectation of privacy" in his personal computer (PDF), located inside his home. The court says the federal government does not need a warrant to hack into an individual's computer. EFF reports: "The implications for the decision, if upheld, are staggering: law enforcement would be free to remotely search and seize information from your computer, without a warrant, without probable cause, or without any suspicion at all. To say the least, the decision is bad news for privacy. But it's also incorrect as a matter of law, and we expect there is little chance it would hold up on appeal. (It also was not the central component of the judge's decision, which also diminishes the likelihood that it will become reliable precedent.) But the decision underscores a broader trend in these cases: courts across the country, faced with unfamiliar technology and unsympathetic defendants, are issuing decisions that threaten everyone's rights."
Censorship

The New Censorship: 'How Did Google Become The Internet's Censor and Master Manipulator?' (usnews.com) 245

An anonymous reader writes: Robert Epstein from U.S. News and World Report writes an article describing how Google has become the internet's censor and master manipulator. He writes about the company's nine different blacklists that impact our lives: autocomplete blacklist, Google Maps blacklist, YouTube blacklist, Google account blacklist, Google News blacklist, Google AdWords blacklist, Google AdSense blacklist, search engine blacklist, and quarantine list. The autocomplete blacklist filters out select phrases like profanities and other controversial terms like "torrent," "bisexual" and "penis." It can also be used to protect or discredit political candidates. For example, at the moment autocomplete shows you "Ted" (for former GOP presidential candidate Ted Cruz) when you type "lying," but it will not show you "Hillary" when you type "crooked." While Google Maps photographs your home for everyone to see, Google maintains a list of properties it either blacks out or blurs out in its images depending on the property, e.g. military installations or wealthy residences. Epstein makes the case that while YouTube allows users to flag videos, Google employees seem far more apt to ban politically conservative videos than liberal ones. As for the Google account blacklist, you may lose access to a number of Google's products, which are all bundled into one account as of a couple of years ago, if you violate Google's terms of service agreement because Google reserves the right to "stop providing Services to you ... at any time." Google is the largest news aggregator in the world via Google News. Epstein writes, "Selective blacklisting of news sources is a powerful way of promoting a political, religious or moral agenda, with no one the wiser." 
Google can easily put a business out of business if a Google executive decides your business or industry doesn't meet its moral standards and revokes a business' access to Google AdWords, which makes up 70 percent of Google's $80 billion in annual revenue. Recently, Google blacklisted an entire industry -- companies providing high-interest "payday" loans. If your website has been approved by AdWords, Google's search engine is what ultimately determines the success of your business as its algorithms can be tweaked and search rankings can be manipulated, which may ruin businesses. Epstein makes an interesting case for how Google has become the internet's censor and master manipulator. Given Google's online dominance, do you think Google should be regulated like a public utility?
Security

Battle of the Secure Messaging Apps: Signal Triumphs Over WhatsApp, Allo (theintercept.com) 168

There is no shortage of messaging apps out there, so which one should you be using? If you care about your privacy, you would want your messaging client to be end-to-end encrypted. This narrows down the list to WhatsApp, Signal, and Allo. The Intercept has evaluated the apps to find which among the three is the best from the privacy standpoint. The publication says that while all three apps use the same secure messaging protocol (Open Whisper Systems'), they differ on exactly what information is encrypted, what metadata is collected, and what, precisely, is stored in the cloud.
WhatsApp: It's important to keep in mind that, even with the Signal protocol in place, WhatsApp's servers can still see messages that users send through the service. They can't see what's inside the messages, but they can see who is sending a message to whom and when. In addition, WhatsApp also retains your contact list -- provided you have shared it with the service. If a government requests access to this data, WhatsApp could hand it over.
Allo: The first thing to understand about Google's forthcoming Allo app is that, by default, Google will be able to read all of your Allo messages. If you want end-to-end encryption via the Signal protocol, you need to switch to an "incognito mode" within the app, which will be secure but include fewer features. [...] Allo's machine learning features prevent Google from turning on end-to-end encryption for all messages, since Google needs to be able to ingest the content of messages for the machine learning to work, a Google spokesperson confirmed. Signal: The first thing that sets Signal apart from WhatsApp and Allo is that it is open source. The app's code is freely available for experts to inspect for flaws or back doors in its security. Another thing that makes Signal unique is its business model: There is none. In stark contrast to Facebook and Google, which make their money selling ads, Open Whisper Systems is entirely supported by grants and donations. With no advertising to target, the company intentionally stores as little user data as possible. Signal's privacy policy is short and concise. Unlike WhatsApp, Signal doesn't store any message metadata. [...] If you back up your phone to your Google or iCloud account, Signal doesn't include any of your messages in this backup. But what about Telegram, you ask? A Gizmodo report, also published on Wednesday, says that Telegram's default settings store your messages on its servers without end-to-end encryption. "This is pretty much one of the worst things you could imagine when trying to send secure messages."
Advertising

Advertiser That Tracked Around 100M Phone Users Without Consent Pays $950,000 (arstechnica.com) 31

Mobile advertising firm InMobi will pay a fine of $950,000 and revamp its services to resolve federal regulators' claims that it deceptively tracked the locations of hundreds of millions of people, including children. Ars Technica reports: The US Federal Trade Commission alleged in a complaint filed Wednesday that Singapore-based InMobi undermined phone users' ability to make informed decisions about the collection of their location information. While InMobi claimed that its software collected geographical whereabouts only when end users provided opt-in consent, the software in fact used nearby Wi-Fi signals to infer locations when permission wasn't given, FTC officials alleged. InMobi then archived the location information and used it to push targeted advertisements to individual phone users. Specifically, the FTC alleged, InMobi collected nearby basic service set identifier (BSSID) addresses, which act as unique serial numbers for wireless access points. The company, which thousands of Android and iOS app makers use to deliver ads to end users, then fed each BSSID into a "geocoder" database to infer the phone user's latitude and longitude, even when an end user hadn't provided permission for location to be tracked through the phone's dedicated location feature.
Communications

Senate Rejects FBI Bid For Warrantless Access To Internet Browsing Histories (zdnet.com) 224

Zack Whittaker, reporting for ZDNet: An amendment designed to allow the government warrantless access to internet browsing histories has been narrowly defeated in the Senate. The amendment fell two votes short of the required 60 votes to advance. Mitch McConnell (R-KY) switched his vote at the last minute. He submitted a motion to reconsider the vote following the defeat. A new vote may be set for later on Wednesday. Sen. John McCain (R-AZ) introduced the amendment as an add-on to the commerce, justice, and science appropriations bill earlier this week. McCain said in a statement on Monday that the amendment would "track lone wolves" in the wake of the Orlando massacre, in which Omar Mateen, who authorities say radicalized himself online, killed 49 people at a gay nightclub in the Florida city. The amendment, which may be reconsidered in the near future, aims to broaden the rules governing national security letters, which don't require court approval. These letters allow the FBI to demand records associated with Americans' online communications -- so-called electronic communications transactional records.
