Security

Berkeley Researchers Examine Five Worst-Case Security Nightmares (berkeley.edu) 14

An anonymous reader writes: Berkeley researchers have gamed out five worst-case security scenarios at their Center for Long-Term Cybersecurity, calling it "a disciplined, imaginative approach to modeling what cybersecurity could mean in the future...to provoke a discussion about what the cybersecurity research and policy communities need to do now in order to be better positioned..." Two of the scenarios are set in 2020 -- one called "The New Normal" imagining a world where users assume their personal information can no longer be kept safe, and another involving the privacy and security implications in a world where hackers lurk undetected on a now-ubiquitous Internet of Things.

"Our goal is to identify emerging issues that will become more important..." they write in an executive summary, including "issues on the table today that may become less salient or critical; and new issues that researchers and decision-makers a few years from now will have wished people in the research and policy communities had noticed -- and begun to act on -- earlier.

Scenario #2 imagines a super-intelligent A.I. which can predict and even manipulate the behavior of individuals, and scenario #3 involves criminals exploiting valuable data sets -- and data scientists -- after an economic collapse.
Security

Slack To Disable Thousands of Logins Leaked on GitHub (detectify.com) 20

An anonymous reader writes: Thursday one technology site reported that thousands of developers building bots for the team-collaboration tool Slack were exposing their login credentials in public GitHub repositories and tickets. "The irony is that a lot of these bots are mostly fun 'weekend projects'," reported Detectify. "We saw examples of fit bots, reminding you to stretch throughout the day, quote bots, quoting both Jurassic Park...and Don Quixote...."

Slack responded that they're now actively searching for publicly-posted login credentials, "and when we find any, we revoke the tokens and notify both the users who created them, as well as the owners of affected teams." Detectify notes the lapse in security had occurred at a wide variety of sites, including "Forbes 500 companies, payment providers, multiple internet service providers and health care providers... University classes at some of the world's best-known schools. Newspapers sharing their bots as part of stories. The list goes on and on..."
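The leak described above is the classic "secret committed to a public repo" failure, and the fix on the developer side is a check that runs before the push. The following is an added example, not Detectify's or Slack's code: a small pre-commit style scanner that looks for Slack-shaped API tokens (user tokens begin with "xoxp-", bot tokens with "xoxb-"; the exact tail pattern used here is an assumption) in a constructed in-memory "repository" and reports each hit with the token redacted so the report itself does not become a second leak.

```python
import re
from typing import Dict, List, Tuple

# Slack user tokens start with "xoxp-" and bot tokens with "xoxb-". The tail
# ("10 or more digits, letters or hyphens") is an assumption chosen to catch
# the documented token shapes without matching every word containing "xox".
SLACK_TOKEN_RE = re.compile(r"\bxox[pbas]-[0-9A-Za-z-]{10,}")


def find_slack_tokens(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, token) pairs for every Slack-looking token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SLACK_TOKEN_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def redact(token: str, keep: int = 4) -> str:
    """Keep the prefix and the last few characters: identifiable, not usable."""
    prefix, _, rest = token.partition("-")
    return f"{prefix}-{'*' * max(0, len(rest) - keep)}{rest[-keep:]}"


def check_files(files: Dict[str, str]) -> List[str]:
    """Scan a {path: contents} mapping and return one finding per token."""
    findings = []
    for path, contents in files.items():
        for lineno, token in find_slack_tokens(contents):
            findings.append(f"{path}:{lineno}: Slack token {redact(token)}")
    return findings


# Constructed sample repository (the tokens are made up and not valid): a bot
# that hard-codes its token, a README that pastes one into a setup line, and
# a clean file that must not produce a finding.
SAMPLE_REPO = {
    "bot.py": "SLACK_TOKEN = 'xoxb-123456789012-abcdefghijklmnop'\n",
    "README.md": "Run: SLACK_TOKEN=xoxp-2233445566-7788990011-zzyyxxwwvv python bot.py\n",
    "quotes.txt": "Life finds a way. -- Jurassic Park\n",
}

if __name__ == "__main__":
    # As a git pre-commit hook you would feed it the staged files instead.
    results = check_files(SAMPLE_REPO)
    for finding in results:
        print(finding)
    raise SystemExit(1 if results else 0)
```

A scanner like this only catches tokens before they leave the machine; a token already pushed to a public repository should be treated as compromised and revoked even after the commit is removed, since forks and history mirrors keep the old content.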

Democrats

White House Releases Report On How To Spur Smart-Gun Technology (computerworld.com) 178

Lucas123 writes: A report commissioned by the White House involving the Defense, Justice and Homeland Security Departments has begun a process to define, for the first time, the requirements that manufacturers would need to meet for federal, state, and municipal law enforcement agencies to consider purchasing firearms with "smart" safety technology. They've committed to completing that process by October, and will also identify agencies interested in taking part in a pilot program to develop the smart gun technology. The DoD will help manufacturers test smart guns under "real-world conditions" at the U.S. Army Aberdeen Test Center in Maryland. Manufacturers would be eligible to win cash prizes through that program as well. In addition to spurring the adoption of smart gun technology, the report stated that the Social Security Administration has published a proposed rule that would require individuals prohibited from buying a gun due to mental health issues to be included in a background check system.
Iphone

FBI Bought $1M iPhone 5C Hack, But Doesn't Know How It Works (theguardian.com) 72

An anonymous reader writes: The FBI has no idea how the hack used in unlocking the San Bernardino shooter's iPhone 5C works, but it paid a sum less than $1m for the mechanism, according to a report. Reuters, citing several U.S. government sources, notes that the government intelligence agency didn't pay a value over $1.3m for purchasing the hack from professional hackers, as previously reported by many outlets. The technique can also be used as many times as needed without further payments, the report adds. The FBI director, James Comey, said last week that the agency paid more to get into the iPhone 5C than he will make in the remaining seven years and four months he has in his job, suggesting the hack cost more than $1.3m, based on his annual salary.
Security

GCHQ Has Disclosed Over 20 Vulnerabilities This Year (vice.com) 29

Joseph Cox, reporting for Motherboard: Earlier this week, it emerged that a section of Government Communications Headquarters (GCHQ), the UK's signal intelligence agency, had disclosed a serious vulnerability in Firefox to Mozilla. Now, GCHQ has said it helped fix nearly two dozen individual vulnerabilities in the past few months, including in highly popular pieces of software like iOS. "So far in 2016 GCHQ/CESG has disclosed more than 20 vulnerabilities across a number of software products," a GCHQ spokesperson told Motherboard in an email. CESG, or the National Technical Authority for Information Assurance, is the information security wing of GCHQ. Those issues include a kernel vulnerability in OS X El Capitan v10.11.4, the latest version, that would allow arbitrary code execution, and two in iOS 9.3, one of which would have done largely the same thing, and the other could have let an application launch a denial of service attack.
Security

US Toy Maker Maisto's Website Pushes Ransomware (pcworld.com) 26

An anonymous reader shares a PCWorld article: Attackers are aggressively pushing a new file-encrypting ransomware program called CryptXXX by compromising websites, the latest victim being U.S. toy maker Maisto. Fortunately, there's a tool that can help users decrypt CryptXXX affected files for free. Security researchers from Malwarebytes reported Thursday that maisto.com was infected with malicious JavaScript that loaded the Angler exploit kit. This is a Web-based attack tool that installs malware on users' computers by exploiting vulnerabilities in their browser plug-ins. It also steals bitcoins from local wallets, a double hit to victims, because it then asks for the equivalent of $500 in bitcoins in order to decrypt their files. [...] Researchers from antivirus firm Kaspersky Lab recently updated their ransomware decryption tool to add support for CryptXXX affected files. The attack code exploits vulnerabilities in older versions of applications such as Flash, Java, Internet Explorer, and Silverlight. At this point, it isn't clear exactly how many users are affected.
Government

Supreme Court Gives FBI More Hacking Power (theintercept.com) 170

An anonymous reader cites an article on The Intercept (edited and condensed): The Supreme Court on Thursday approved changes that would make it easier for the FBI to hack into computers, many of them belonging to victims of cybercrime. The changes, which will take immediate effect in December unless Congress adopts competing legislation, would allow the FBI to go hunting for anyone browsing the Internet anonymously in the U.S. with a single warrant. Previously, under the federal rules on criminal procedures, a magistrate judge couldn't approve a warrant request to search a computer remotely if the investigator didn't know where the computer was -- because it might be outside his or her jurisdiction. The rule change would allow a magistrate judge to issue a warrant to search or seize an electronic device if the target is using anonymity software like Tor. "Unbelievable," said Edward Snowden. "FBI sneaks radical expansion of power through courts, avoiding public debate." Ahmed Ghappour, a visiting professor at University of California Hastings Law School, has described it as "possibly the broadest expansion of extraterritorial surveillance power since the FBI's inception."
Communications

The Critical Hole At the Heart Of Our Cell Phone Networks (wired.com) 30

An anonymous reader writes: Kim Zetter from WIRED writes an intriguing report about a vulnerability at the heart of our cell phone networks. It centers around Signaling System No. 7 (SS7), which refers to a data network -- and the protocols or rules that govern how information gets exchanged over it. Zetter writes, "It was designed in the 1970s to track and connect landline calls across different carrier networks, but is now commonly used to calculate cellular billing and send text messages, in addition to routing mobile and landline calls between carriers and regional switching centers. SS7 is part of the telecommunications backbone but is not the network your voice calls go through; it's a separate administrative network with a different function." According to WIRED, the problem is that SS7 is based on trust -- any request a telecom receives is considered legitimate. In addition to telecoms, government agencies, commercial companies and criminal groups can gain access to the network. Most attacks can be defended with readily available technologies, but more involved attacks take longer to defend against. T-Mobile and AT&T have vulnerabilities with fixes that have yet to be implemented for example.
Earth

All Belgians To Be Given Iodine Pills In Case Of Nuclear Accident (phys.org) 180

mdsolar quotes a report from Phys.Org: Belgium is to provide iodine pills to its entire population of around 11 million people to protect against radioactivity in case of a nuclear accident, the health minister was quoted as saying Thursday. The move comes as Belgium faces growing pressure from neighboring Germany to shutter two ageing nuclear power plants near their border due to concerns over their safety. Iodine pills, which help reduce radiation build-up in the human thyroid gland, had previously only been given to people living within 20 kilometres (14 miles) of the Tihange and Doel nuclear plants. Health Minister Maggie De Block was quoted by La Libre Belgique newspaper as telling parliament that the range had now been expanded to 100 kilometers, effectively covering the whole country. The health ministry did not immediately respond to AFP when asked to comment. The head of Belgium's French-speaking Green party, Jean-Marc Nollet, backed the measures but added that "just because everyone will get these pills doesn't mean there is no longer any nuclear risk," La Libre reported. Belgium's creaking nuclear plants have been causing safety concerns for some time after a series of problems ranging from leaks to cracks and an unsolved sabotage incident. Yesterday, a nuclear plant in Germany was reportedly infected with a computer virus.
Encryption

Top Security Experts Say Anti-Encryption Bill Authors Are 'Woefully Ignorant' (dailydot.com) 88

blottsie writes from a report on the Daily Dot: In a Wall Street Journal editorial titled "Encryption Without Tears," Sens. Richard Burr and Dianne Feinstein pushed back on widespread condemnation of their Compliance with Court Orders Act, which would require tech companies to provide authorities with user data in an "intelligible" format if served with a warrant. But security experts Bruce Schneier, Matthew Green, and others say the lawmakers entirely misunderstand the issue. "On a weekly basis we see gigabytes of that information dumped to the Internet," Green told the Daily Dot. "This is the whole problem that encryption is intended to solve." He added: "You can't hold out the current flaws in the Internet as a justification for why the Internet shouldn't be made secure." "These criticisms of Burr and Feinstein's analogy emphasize an important point about digital security: The differences between the levels of encryption protecting certain types of data -- purchase records on Amazon's servers versus photos on an iPhone, for example -- lead to different levels of risk," writes Eric Geller of the Daily Dot.
The Military

India Installs 'Laser Walls' At Border With Pakistan (nbcnews.com) 92

schwit1 writes: After experimenting with barbed wire, surveillance cameras and even cowbells and camels, India has now reportedly introduced "laser walls" at its border with archenemy Pakistan. Both New Delhi and Islamabad deploy more than half of their 1 million and 600,000-strong armies, respectively, on the border. India is setting up the laser walls to "plug the porous riverine and treacherous terrain and keep an effective vigil against intruders and terrorists" in Punjab state, the state-run Press Trust of India reported. According to the PTI report, around 45 laser walls will be installed in Punjab state. Lasers beamed over rivers and hills will set off an alarm and alert the Indian Border Security Force if someone attempts to pass by, it added.
Security

Office 365 Flaw Allowed Anyone To Log In To Almost Any Business Account (threatpost.com) 59

Reader msm1267 writes: A severe vulnerability in the way Microsoft Office 365 handles federated identities via SAML put an attacker in a position to have access to any account and data, including emails and files stored in the cloud-based service. Microsoft pushed through a mitigation to the service on Jan. 5, seven hours after being notified by researchers Yiannis Kakavas and Klemen Bratec. "The attack surface was quite big (Outlook Online, OneDrive, Skype for Business, OneNote -- depending on what the company has paid for in terms of licensing)," Kakavas and Bratec told Threatpost via email. "And a malicious user exploiting this vulnerability could have gained access to very sensitive private and company information (emails, internal documents etc.)." Office 365 users who had configured domains as federated were affected. The list includes British Airways, Microsoft, Vodafone, Verizon and many others, as mentioned in a report published late Wednesday.
Security

Cisco Finds Backdoor Installed On 12 Million PCs (securityweek.com) 67

Reader wiredmikey writes: Security researchers at Cisco have come across a piece of software that installed backdoors on 12 million computers around the world. Researchers determined that the application, installed with administrator rights, was capable not only of downloading and installing other tools, such as a known scareware called System Healer, but also of harvesting personal information. The software, which exhibits adware and spyware capabilities, was developed by a French online advertising company called Tuto4PC. The "features" have led Cisco Talos to classify the Tuto4PC software as a "full backdoor capable of a multitude of undesirable functions on the victim machine." Tuto4PC said its network consisted of nearly 12 million PCs in 2014, which could explain why Cisco's systems detected the backdoor on 12 million devices. An analysis of a sample set revealed infections in the United States, Australia, Japan, Spain, the UK, France and New Zealand. Tuto4PC has received flak from many over the years, including French regulators.
Bug

American Samoa Domain Registry Was Exposing Client Data Since the Mid-1990s (softpedia.com) 17

An anonymous reader quotes a report from Softpedia: A British security researcher who goes online only by the name of InfoSec Guy revealed today that American Samoa domain registry ASNIC was using an outdated domain name management system that contained a bug allowing anyone to view the personal details of any .as domain owner. The researcher also claims that anyone knowing of this bug would have been able to edit and delete any .as domain, just by altering the ASNIC domain info URL. Some of the big brands that own .as domains include Opera, Flickr, Twitter, McDonald's, British Gas, Bose, Adidas, the University of Texas, and many link shortening services. This flawed system has been online since the mid-1990s. The researcher contacted ASNIC after discovering the flaw at the end of January 2016, but email exchanges with the domain registry were scarce and confusing, with the registry issuing a statement today denying the incident and calling the allegations "inaccurate, misleading and sexed-up to the max," after previously acknowledging and fixing the security flaws.
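The only mechanism the report gives is "altering the domain info URL", which describes the general class of bug where the object named in a request is fetched and acted on without checking that the caller is entitled to that object. The following is an added example, not ASNIC's software or anything derived from it: a constructed in-memory registry (domains, account ids and contact details are all made up) with the vulnerable pattern next to a hardened version in which every view, edit and delete checks ownership and non-owners only see the non-personal part of a record.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DomainRecord:
    name: str
    owner: str          # account id of the registrant
    contact_email: str  # registrant personal data
    contact_phone: str


class AuthorizationError(PermissionError):
    """Raised when a caller acts on a domain it does not own."""


# Constructed sample registry: two domains held by two different accounts.
REGISTRY: Dict[str, DomainRecord] = {
    "example.as": DomainRecord("example.as", "acct-1001", "alice@example.test", "+1-555-0100"),
    "other.as": DomainRecord("other.as", "acct-2002", "bob@other.test", "+1-555-0199"),
}


# Vulnerable pattern: the domain name taken from the URL is the only input.
# Whoever sends the request gets the full record and can delete it.
def vulnerable_view(domain: str) -> dict:
    rec = REGISTRY[domain]
    return {"name": rec.name, "email": rec.contact_email, "phone": rec.contact_phone}


def vulnerable_delete(domain: str) -> None:
    del REGISTRY[domain]


# Hardened pattern: the caller's authenticated account (None for an anonymous
# request) is compared with the record's owner on every object-level action.
def owns(account: Optional[str], rec: DomainRecord) -> bool:
    return account is not None and account == rec.owner


def view_domain(account: Optional[str], domain: str) -> dict:
    rec = REGISTRY.get(domain)
    if rec is None:
        raise KeyError(domain)
    public = {"name": rec.name}
    if owns(account, rec):
        public.update(email=rec.contact_email, phone=rec.contact_phone)
    return public


def update_contact(account: Optional[str], domain: str, email: str) -> None:
    rec = REGISTRY.get(domain)
    if rec is None or not owns(account, rec):
        raise AuthorizationError(f"{account!r} may not modify {domain}")
    rec.contact_email = email


def delete_domain(account: Optional[str], domain: str) -> None:
    rec = REGISTRY.get(domain)
    if rec is None or not owns(account, rec):
        raise AuthorizationError(f"{account!r} may not delete {domain}")
    del REGISTRY[domain]


if __name__ == "__main__":
    print("anonymous, vulnerable:", vulnerable_view("other.as"))
    print("anonymous, hardened:  ", view_domain(None, "other.as"))
    print("owner, hardened:      ", view_domain("acct-2002", "other.as"))
```

The check lives inside each handler rather than in a front-door login screen because that is where the object is resolved; a system that only asks "is someone logged in?" and then trusts whatever identifier appears in the URL has exactly the failure the researcher describes.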
Government

House Passes Email Privacy Act, Requiring Warrants For Obtaining Emails (techcrunch.com) 61

An anonymous reader quotes a report from TechCrunch: The U.S. House of Representatives has passed H.R. 699, the Email Privacy Act, sending it on to the Senate and from there, hopefully anyhow, to the President. The yeas were swift and unanimous. The bill, which was introduced in the House early last year and quickly found bipartisan support, updates the 1986 Electronic Communications Privacy Act, closing a loophole that allowed emails and other communications to be obtained without a warrant. It's actually a good law, even if it is arriving a couple of decades late. "Under current law, there are more protections for a letter in a filing cabinet than an email on a server," said Congresswoman Suzan Delbene during the debate period. An earlier version of the bill also required that authorities disclose that warrant to the person it affected within 10 days, or 3 if the warrant related to a government entity. That clause was taken out in committee -- something trade groups and some of the Representatives objected to as an unpleasant compromise.
Government

Former Tor Developer Created Malware To Hack Tor Users For The FBI (dailydot.com) 72

Patrick O'Neill writes: Matt Edman is a cybersecurity expert who worked as a part-time employee at Tor Project, the nonprofit that builds Tor software and maintains the network, almost a decade ago. Since then, he's developed potent malware used by law enforcement to unmask Tor users. It's been wielded in multiple investigations by federal law-enforcement and U.S. intelligence agencies in several high-profile cases. The Tor Project has confirmed this report in a statement after being contacted by the Daily Dot, "It has come to our attention that Matt Edman, who worked with the Tor Project until 2009, subsequently was employed by a defense contractor working for the FBI to develop anti-Tor malware." Maybe Tor users will now be less likely to anonymously check Facebook each month...
Government

India Makes It Compulsory For Phones To Have a 'Panic Button' (cio.com) 96

Reader itwbennett writes: Starting in January 2017, all feature phones sold in India will need to have a panic button that will alert "police, designated friends and relatives, for immediate response in case of distress or security related issues," said Minister of Communications, Ravi Shankar Prasad, on Twitter late Tuesday. The measure is one of many responses by the Indian government to the growing women's safety issues in the country. Furthermore, starting in January 2018, mobile phones will also be required to have GPS systems to help pinpoint the location of the affected person in the event of harassment or distress, said Prasad. Mashable has more details.
Robotics

Chinese Security Robot Draws Dalek, Terminator Comparisons (abc.net.au) 109

An anonymous reader writes: China's first "intelligent security robot," which reportedly includes an "electrically charged riot control tool" and an SOS button for people to notify police, has been compared to the killer Dalek from Doctor Who after being shown off at a tech fair. Intelligence agency whistleblower Edward Snowden shared the news on Twitter with the caption: "Surely this will end well." The robot, unveiled at the 12th Chongqing Hi-Tech Fair, is 1.49 metres tall, weighs 78 kilograms, has a claimed top speed of 18 kilometres per hour and an operating duration of eight hours between charges, according to a report by People's Daily Online. Dubbed AnBot, it was built by the National Defence University in China and has "sensors that mimic the human brain, eyes and ears." The report said AnBot represented breakthroughs in "key technologies including low-cost autonomous navigation and intelligent video analysis" and would play an important role in anti-terrorism and anti-riot operations. AnBot has an SOS button for people to use to notify police of a problem, but it is unclear what criteria AnBot uses to assess threats autonomously.
Encryption

A Complete Guide To The New 'Crypto Wars' (dailydot.com) 68

blottsie writes: The latest debate over encryption did not begin with a court order demanding Apple help the FBI unlock a dead terrorist's iPhone. The new "Crypto Wars," chronicled in a comprehensive timeline by Eric Geller of the Daily Dot, dates back to at least 2003, with the introduction of "Patriot Act II." The battle over privacy and personal security versus crime-fighting and national security has, however, become a mainstream debate in recent months. The timeline covers a wide range of incidents where the U.S. and other allied governments have tried to restrict citizens' access to strong encryption. The timeline ends with the director of national intelligence blaming NSA whistleblower Edward Snowden for advancing the spread of user-friendly, widely available strong encryption.
Encryption

Millions Of Waze Users Can Have Their Movements Tracked By Hackers (fusion.net) 55

An anonymous reader quotes a report from Fusion: Researchers at the University of California-Santa Barbara recently discovered a Waze vulnerability that allowed them to create thousands of "ghost drivers" that can monitor the drivers around them -- an exploit that could be used to track Waze users in real-time. Here's how the exploit works. Waze's servers communicate with phones using an SSL encrypted connection, a security precaution meant to ensure that Waze's computers are really talking to a Waze app on someone's smartphone. Zhao and his graduate students discovered they could intercept that communication by getting the phone to accept their own computer as a go-between in the connection. Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze's back-end app servers. With that knowledge in hand, the team was able to write a program that issued commands directly to Waze servers, allowing the researchers to populate the Waze system with thousands of "ghost cars" -- cars that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them. You can read the full paper detailing the researchers' findings here. Is there a solution to not being tracked? Yes. If you're a Waze user, you can set the app to invisible mode. However, Waze turns off invisible mode every time you restart the app so beware.
