Encryption

FBI Director Says Prolific Default Encryption Hurting Government Spying Efforts (go.com) 79

SonicSpike quotes a report from ABC News: FBI Director James Comey warned again Tuesday about the bureau's inability to access digital devices because of encryption and said investigators were collecting information about the challenge in preparation for an "adult conversation" next year. Widespread encryption built into smartphones is "making more and more of the room that we are charged to investigate dark," Comey said in a cybersecurity symposium. The remarks reiterated points that Comey has made repeatedly in the last two years, before Congress and in other settings, about the growing collision between electronic privacy and national security. "The conversation we've been trying to have about this has dipped below public consciousness now, and that's fine," Comey said at a symposium organized by Symantec, a technology company. "Because what we want to do is collect information this year so that next year we can have an adult conversation in this country." The American people, he said, have a reasonable expectation of privacy in private spaces -- including houses, cars and electronic devices. But that right is not absolute when law enforcement has probable cause to believe that there's evidence of a crime in one of those places, including a laptop or smartphone. "With good reason, the people of the United States -- through judges and law enforcement -- can invade our private spaces," Comey said, adding that that "bargain" has been at the center of the country since its inception. He said it's not the role of the FBI or tech companies to tell the American people how to live and govern themselves. "We need to understand in the FBI how is this exactly affecting our work, and then share that with folks," Comey said, conceding the American people might ultimately decide that its privacy was more important than "that portion of the room being dark." Comey made his remarks to the 2016 Symantec Government Symposium. 
The Daily Dot has another take on Comey's remarks, which you can read here.
Opera

Opera Sync Users May Have Been Compromised In Server Breach (fortune.com) 26

An anonymous reader writes: Someone broke into Opera's servers. The Opera browser has a handy feature for synchronizing browsing data across different devices. Unfortunately, some of the passwords and login information used to enable the feature may have been stolen from Opera's servers. Opera's sync service is used by around 1.7 million people each month. Overall, the browser has 350 million users. The Norwegian firm told its users that someone had gained access to the Opera sync system, and "some of our sync users' passwords and account information, such as login names, may have been compromised." As a result, Opera had to reset all the passwords for the feature, meaning users will need to select new ones.
NASA

Isolated NASA Team Ends Year-Long Mars Simulation In Hawaii (bbc.com) 174

An anonymous Slashdot reader quotes the BBC: A team of six people have completed a Mars simulation in Hawaii, where they lived in near isolation for a year. Since August 29th, 2015, the group lived in close quarters in a dome, without fresh air, fresh food or privacy... Having survived their year in isolation, the crew members said they were confident a mission to Mars could succeed. "I can give you my personal impression which is that a mission to Mars in the close future is realistic," Cyprien Verseux, a crew member from France, told journalists. "I think the technological and psychological obstacles can be overcome."

The team consisted of a French astro-biologist, a German physicist and four Americans -- a pilot, an architect, a journalist and a soil scientist... the six had to live with limited resources, wear a space-suit when outside the dome, and work to avoid personal conflicts. They each had a small sleeping cot and a desk inside their rooms. Provisions included powdered cheese and canned tuna.

Security

How Security Experts Are Protecting Their Own Data (siliconvalley.com) 206

Today the San Jose Mercury News asked several prominent security experts which security products they were actually using for their own data. An anonymous Slashdot reader writes: The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security. ("I don't like to get complacent and rely on it in any way...") He does regularly encrypt his e-mail, "but he doesn't recommend that average users scramble their email, because he thinks the encryption software is just too difficult to use."

The newspaper also interviewed security expert Eugene Spafford, who rarely updates the operating system on one of his computers -- because it's not connected to the internet -- and sometimes even accesses his files with a virtual machine, which he then deletes when he's done. His home router is equipped with a firewall device, and "he's developed some tools in his research center that he uses to try to detect security problems," according to the article. "There are some additional things I do," Spafford added, telling the reporter that "I'm not going to give details of all of them, because that doesn't help me."

Bruce Schneier had a similar answer. When the reporter asked how he protected his data, Schneier wouldn't tell them, adding "I'm kind of a target..."
Databases

100 Arrested In New York Thanks To Better Face-Recognition Technology (arstechnica.com) 85

New York doubled the number of "measurement points" used by their facial recognition technology this year, leading to 100 arrests for fraud and identity theft, plus another 900 open cases. An anonymous reader quotes a report from Ars Technica: In all, since New York implemented facial recognition technology in 2010, more than 14,000 people have been hampered trying to get multiple licenses. The newly upgraded system increases the measurement points of a driver's license picture from 64 to 128.

The DMV said this vastly improves its chances of matching new photographs with one already in a database of 16 million photos... "Facial recognition plays a critical role in keeping our communities safer by cracking down on individuals who break the law," Gov. Andrew M. Cuomo said in a statement. "New York is leading the nation with this technology, and the results from our use of this enhanced technology are proof positive that its use is vital in making our roads safer and holding fraudsters accountable."

At least 39 US states use some form of facial recognition software, and New York says their new system also "removes high-risk drivers from the road," stressing that new licenses will no longer be issued until a photo clears their database.
Security

New Ransomware Poses As A Windows Update (hothardware.com) 88

Slashdot reader MojoKid quotes an article from Hot Hardware: A security researcher for AVG has discovered a new piece of ransomware called Fantom that masquerades as a critical Windows update. Victims who fall for the ruse will see a Windows screen acting like it's installing the update, but what's really happening is that the user's documents and files are being encrypted in the background...

The scam starts with a pop-up labeled as a critical update from Microsoft. Once a user decides to apply the fake update, it extracts files and executes an embedded program called WindowsUpdate.exe... As with other EDA2 ransomware, Fantom generates a random AES-128 key, encrypts it using RSA, and then uploads it to the culprit. From there, Fantom targets specific file extensions and encrypts those files using AES-128 encryption... Users affected by this are instructed to email the culprit for payment instructions.

While the ransomware is busy encrypting your files, it displays Microsoft's standard warning about not turning off the computer while the "update" is in progress. Pressing Ctrl+F4 closes that window, according to the article, "but that doesn't stop the ransomware from encrypting files in the background."
Iphone

Apple Fixes Three Zero Days Used In Targeted Attack (onthewire.io) 75

Trailrunner7 quotes a report from On The Wire: Apple has patched three critical vulnerabilities in iOS that were identified when an attacker targeted a human rights activist in the UAE with an exploit chain that used the bugs to attempt to remotely jailbreak and infect his iPhone. The vulnerabilities include two kernel flaws and one in WebKit and Apple released iOS 9.3.5 to fix them.

The attack that set off the investigation into the vulnerabilities targeted Ahmed Mansoor, an activist living in the UAE. Earlier this month, he received a text message that included a link to what was supposedly new information on human rights abuses. Suspicious, Mansoor forwarded the link to researchers at the University of Toronto's Citizen Lab, who recognized what they were looking at. "On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising 'new secrets' about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based 'cyber war' company that sells Pegasus, a government-exclusive 'lawful intercept' spyware product," Citizen Lab said in a new report on the attack and iOS flaws.

Social Networks

'Social Media ID, Please?' Proposed US Law Greeted With Anger (computerworld.com) 219

The U.S. government announced plans to require some foreign travelers to provide their social media account names when entering the country -- and in June requested comments. Now the plan is being called "ludicrous," an "all-around bad idea," "blatant overreach," "desperate, paranoid heavy-handedness," "preposterous," "appalling," and "un-American," reports Slashdot reader dcblogs: That's just a sampling of the outrage. Some 800 responded to the U.S. request for comments about a proposed rule affecting people traveling from "visa waiver" countries to the U.S., where a visa is not required. This includes most of Europe, Singapore, Chile, Japan, South Korea, Australia and New Zealand... In a little twist of irony, some critics said U.S. President Obama's proposal for foreign travelers is so bad, it must have been hatched by Donald Trump.
"Travelers will be asked to provide their Twitter, Facebook, Instagram, LinkedIn, Google+, and whatever other social ID you can imagine to U.S. authorities," reports Computer World. "It's technically an 'optional' request, but since it's the government asking, critics believe travelers will fear consequences if they ignore it..."
Privacy

Eavesdropping On Tinder: Researcher Demonstrates Man-in-the-Middle Attacks (hert.org) 19

An anonymous Slashdot reader writes: Security expert Anthony Zboralski posted on HERT a social engineering attack for Tinder that lets you perform a man-in-the-middle attack against unsuspecting users. Zboralski says, "Not only we can eavesdrop on the conversation of two strangers, we can also change their reality." The attack can easily be extended to SMS, Whatsapp, iMessage and voice.
"At some point people exchange phone numbers and the Tinder convo stops. That's not a problem..." Zboralski explains, suggesting more ways to continue the man-in-the-middle exploits.

His article drew a response from Tinder, arguing they "employ several manual and automated mechanisms" to deter fake and duplicate profiles. But while they're looking for ways to improve, "ultimately, it is unrealistic for any company to positively validate the real-world identity of millions of users while maintaining the commonly expected level of usability."
United Kingdom

British Companies Are Selling Advanced Spy Tech To Authoritarian Regimes (vice.com) 57

An anonymous reader quotes a report from Motherboard: Since early 2015, over a dozen UK companies have been granted licenses to export powerful telecommunications interception technology to countries around the world, Motherboard has learned. Many of these exports include IMSI-catchers, devices which can monitor large numbers of mobile phones over broad areas. Some of the UK companies were given permission to export their products to authoritarian states such as Saudi Arabia, the United Arab Emirates, Turkey, and Egypt; countries with poor human rights records that have been well-documented to abuse surveillance technology. In 2015, the UK's Department for Business, Innovation and Skills (BIS) started publishing basic data about the exportation of telecommunications interception devices. Through the Freedom of Information Act, Motherboard obtained the names of companies that have applied for exportation licenses, as well as details on the technologies being shipped, including, in some cases, individual product names. The companies include a subsidiary of defense giant BAE Systems, as well as Pro-Solve International, ComsTrac, CellXion, Cobham, and Domo Tactical Communications (DTC). Many of these companies sell IMSI-catchers. IMSI-catchers, sometimes known as "Stingrays" after a particularly popular brand, are fake cell phone towers which force devices in their proximity to connect. In the data obtained by Motherboard, 33 licenses are explicitly marked as being for IMSI-catchers, including for export to Turkey and Indonesia. Other listings heavily suggest the export of IMSI-catchers too: one granted application to export to Iraq is for a "Wideband Passive GSM Monitoring System," which is a more technical description of what many IMSI-catchers do. In all, Motherboard received entries for 148 export license applications, from February 2015 to April 2016. 
A small number of the named companies do not provide interception capabilities, but defensive measures, for example to monitor the radio spectrum.
Democrats

Hillary Clinton Used BleachBit To Wipe Emails (neowin.net) 562

An anonymous reader quotes a report from Neowin: The open-source disk cleaning application, BleachBit, got quite a decent ad pitch from the world of politics after it was revealed lawyers of the presidential hopeful, Hillary Clinton, used the software to wipe her email servers. Clinton is currently in hot water, being accused of using private servers for storing sensitive emails. "[South Carolina Representative, Trey Gowdy, spoke to Fox News about Hillary Clinton's lawyers using BleachBit to wipe the private servers. He said:] 'She and her lawyers had those emails deleted. And they didn't just push the delete button; they had them deleted where even God can't read them. They were using something called BleachBit. You don't use BleachBit for yoga emails or bridesmaids emails. When you're using BleachBit, it is something you really do not want the world to see.'" Two of the main features that are listed on the BleachBit website include "Shred files to hide their contents and prevent data recovery," and "Overwrite free disk space to hide previously deleted files." These two features would make it pretty difficult for anyone trying to recover the deleted emails. Slashdot reader ahziem adds: The IT team for presidential candidate Hillary Clinton used the open source cleaning software BleachBit to wipe systems "so even God couldn't read them," according to South Carolina Rep. Trey Gowdy on Fox News. His comments on the "drastic cyber-measure" were in response to the question of whether emails on her private Microsoft Exchange Server were simply about "yoga and wedding plans." Perhaps Clinton's team used an open-source application because, unlike proprietary applications, it can be audited, like for backdoors. In response to the Edward Snowden leaks in 2013, privacy expert Bruce Schneier advised in an article in which he stated he also uses BleachBit, "Closed-source software is easier for the NSA to backdoor than open-source software." 
Ironically, Schneier was writing to a non-governmental audience. Have any Slashdotters had any experience with BleachBit? Specifically, have you used it for erasing "yoga emails" or "bridesmaids emails?"
Security

Dropbox Is Urging Users To Reset Their Passwords (fortune.com) 30

Dropbox is forcing a number of users to change their passwords after the cloud storage company found some account details linked to an old data breach. "The next time you visit dropbox.com, you may be asked to create a new password. We proactively initiated this password update prompt for Dropbox users who meet certain criteria," the company writes on its website. Fortune reports: The popular cloud storage said the move was related to the theft of an old set of Dropbox credentials, dating back to 2012. So the users the company has contacted are those who created Dropbox accounts before mid-2012 and have not updated their passwords since that time. Dropbox disclosed in July 2012 that some users were getting spammed, and the cause appeared to be the theft of usernames and passwords from other websites. As is often the case, some people reuse their usernames and passwords across different web services. (If it still needs saying, you really shouldn't reuse your passwords, ever.)
Android

Facebook's WhatsApp Data Gambit Faces Federal Privacy Complaint (vice.com) 94

Sam Gustin, writing for Motherboard: Facebook's decision to begin harvesting data from its popular WhatsApp messaging service provoked a social media uproar on Thursday, and prompted leading privacy advocates to prepare a federal complaint accusing the tech titan of violating US law. On Thursday morning, WhatsApp, which for years has dined out on its reputation for privacy and security, announced that it would begin sharing user phone numbers with its Menlo Park-based parent company in an effort "to improve your Facebook ads and products experiences." Consumer privacy advocates denounced the move as a betrayal of WhatsApp's one billion users -- users who had been assured by the two companies that "nothing would change" about the messaging service's privacy practices after Facebook snapped up the startup for a whopping $19 billion in 2014. "WhatsApp users should be shocked and upset," Claire Gartland, Consumer Protection Counsel at the Electronic Privacy Information Center, a leading US consumer advocacy group, told Motherboard. "WhatsApp obtained one billion users by promising that it would protect user privacy. Both Facebook and WhatsApp made very public promises that the companies would maintain a separation. Those were the key selling points of the deal."
AT&T

ISP Lobbyists Pushing Telecom Act Rewrite (dslreports.com) 76

Karl Bode, reporting for DSLReports: Telecom lobbyists are pushing hard for a rewrite of the Telecom Act, this time with a notable eye on cutting FCC funding and overall authority. AT&T donated at least $70,000 to back Republican House Speaker Paul Ryan, and clearly expects him to spearhead the rewrite and make it a priority in 2017. The push is an industry backlash to a number of consumer friendly initiatives at the FCC, including new net neutrality rules, the reclassification of ISPs under Title II, new broadband privacy rules, new cable box reform and an attempt to protect municipal broadband. AT&T's Ryan donation is the largest amount AT&T has ever donated to a single candidate, though outgoing top AT&T lobbyist Jim Cicconi has also thrown his support behind Hillary Clinton.
Government

Malware Sold To Governments Helped Them Spy on iPhones (washingtonpost.com) 31

One of the world's most evasive digital arms dealers is believed to have been taking advantage of three security vulnerabilities in popular Apple products in its efforts to spy on dissidents and journalists, reports The New York Times. (Editor's note: the link could be paywalled, here's an alternate source). From the report: Investigators discovered that a company called the NSO Group, an Israeli outfit that sells software that invisibly tracks a target's mobile phone, was responsible for the intrusions. The NSO Group's software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the phone user. In response, Apple on Thursday released a patched version of its mobile software, iOS 9.3.5. Users can get the patch through a normal software update. The Washington Post reports that these "zero-day" flaws were previously used by the governments to take over victims' phones by tricking them into clicking on a link to a text message. Motherboard says that this is the first time anyone has uncovered such an attack in the wild. "Until this month, no one had seen an attempted spyware infection leveraging three unknown bugs, or zero-days, in the iPhone. The tools and technology needed for such an attack, which is essentially a remote jailbreak of the iPhone, can be worth as much as one million dollars."
Facebook

WhatsApp To Share Some Data With Facebook (bloomberg.com) 103

Two years ago when Facebook bought WhatsApp, the instant messaging client said that the deal would not affect the digital privacy of its users. Things are changing now, WhatsApp said Thursday. The Facebook-owned app will share with the company some member information, as well as some analytics data of its users. Bloomberg reports: WhatsApp announced a change to its privacy policy today that allows businesses to communicate with users. The messages could include appointment reminders, delivery and shipping notifications or marketing material, the company said in its revised terms of service. In a blog post, WhatsApp said it will be testing these business features over the coming months. The strategy is an important step for Facebook as it attempts to make money from its most expensive acquisition. In addition to the messages from businesses, WhatsApp said it would begin sharing more information about its users with the "Facebook family." The data, including a person's phone number, could be used to better target ads when browsing Facebook or Instagram, WhatsApp said.
Crime

FBI Authorized Informants To Break The Law 22,800 Times In 4 Years (dailydot.com) 106

blottsie quotes a report from the Daily Dot: Over a four-year period, the FBI authorized informants to break the law more than 22,800 times, according to newly reviewed documents. Official records obtained by the Daily Dot under the Freedom of Information Act show the Federal Bureau of Investigation gave informants permission at least 5,649 times in 2013 to engage in activity that would otherwise be considered a crime. In 2014, authorization was given 5,577 times, the records show. USA Today previously revealed confidential informants engaged in "otherwise illegal activity," as the bureau calls it, 5,658 times in 2011. The figure was at 5,939 the year before, according to documents acquired by the Huffington Post. In total, records obtained by reporters confirm the FBI authorized at least 22,823 crimes between 2011 and 2014. Unfortunately, many of those crimes can have serious and unintended consequences. One of the examples mentioned in the Daily Dot's report was of an FBI informant who "was responsible for facilitating the 2011 breach of Stratfor in one of the most high-profile cyberattacks of the last decade. While a handful of informants ultimately brought down the principal hacker responsible, the sting also caused Stratfor, an American intelligence firm, millions of dollars in damages and left an estimated 700,000 credit card holders vulnerable to fraud."
Canada

Ashley Madison Security Protocols Violated Canada, Australia Privacy Laws (www.cbc.ca) 29

The Office of the Privacy Commissioner of Canada said Tuesday that the Canada-based online dating and social networking service Ashley Madison used inadequate privacy and security technology while marketing itself as a discreet and secure way for consenting adults to have affairs. CBC.ca reports: "In a report Tuesday, the privacy watchdog says the Toronto-based company violated numerous privacy laws in Canada and abroad in the era before a massive data breach exposed confidential information from their clients to hackers. The hack stole correspondence, identifying details and even credit card information from millions of the site's users. The resulting scandal cost the company about a quarter of its annual revenues from irate customers who demanded refunds and cancelled their accounts. Working with a similar agency in Australia, the privacy group says the company knew that its security protocols were lacking but didn't do enough to guard against being hacked. The company even adorned its website with the logo of a 'trusted security award' -- a claim the company admits it fabricated." The report found that "poor habits such as inadequate authentication processes and sub-par key and password management practices were rampant at the company" and that "much of the company's efforts to monitor its own security were 'focused on detecting system performance issues and unusual employee requests for decryption of sensitive user data.'" What's more is that Ashley Madison continued to store personal information of its users even after some of them had deleted or deactivated their account(s). These people then had their information included in databases published online after the hack.
Privacy

WikiLeaks Published Rape Victims' Names, Credit Cards, Medical Data (arstechnica.com) 304

Joe Mullin, writing for ArsTechnica: Even as WikiLeaks founder Julian Assange sits trapped in the Ecuadorean embassy, the WikiLeaks website continues to publish the secrets of various governments worldwide. But that's not all it's publishing. A report today by the Associated Press highlights citizens who had "sensitive family, financial or identity records" published by the site. "They published everything: my phone, address, name, details," said one Saudi man whose paternity dispute was revealed in documents published by the site. "If the family of my wife saw this... Publishing personal stuff like that could destroy people." One document dump, from Saudi diplomatic cables, held at least 124 medical files. The files named sick children, refugees, and patients with psychiatric conditions. In one case, the cables included the name of a Saudi who was arrested for being gay. In Saudi Arabia, homosexuality is punishable by death. In two other cases, WikiLeaks published the names of teenage rape victims. "This has nothing to do with politics or corruption," said Dr. Nayef al-Fayez, who had a patient with brain cancer whose personal details were published.
Facebook

Facebook Knows Your Political Preferences (businessinsider.com) 183

Facebook knows a lot more about its users than they think. For instance, the New York Times reports, the company is categorizing its users as liberal, conservative, or moderate. These details are valuable for advertisers and campaign managers, especially ahead of the election season. From a BusinessInsider report: For some, Facebook is able to come to conclusions about your political leanings easily, if you mention a political party on your page. For those that are less open about politics on social media, Facebook makes assumptions based on pages you like. As The New York Times explained, if you like Ben and Jerry's Facebook page and most of the other people that like that page identify as liberal, Facebook might assume you too are liberal.
