Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Government

Virginia Police Spent $500K For An Ineffective Cellphone Surveillance System (muckrock.com) 19

Cell-site simulators can intercept phone calls and even provide locations (using GPS data). But Virginia's state police force just revealed details about their actual use of the device -- and it's not pretty. Long-time Slashdot reader v3rgEz writes: In 2014, the Virginia State Police spent $585,265 on a specially modified Suburban outfitted with the latest and greatest in cell phone surveillance: the DRT 1183C, affectionately known as the DRTbox. But according to logs uncovered by public records website MuckRock, the pricey ride was only used 12 times — and only worked seven of those times.
According to Virginia's ACLU director, "each of the 12 uses cost almost $50,000, and only 4 of them resulted in an arrest [raising] a significant question whether the more than half million dollars spent on the device and the vehicle...was a wise investment of public funds."
United Kingdom

For The UK's 'Snoopers' Charter', Politicians Voted Themselves An Exemption (independent.co.uk) 73

The "Snoopers' Charter" passed in the U.K. greatly expands the government's surveillance power. But before they'd enact the new Investigatory Powers Act, Britain's elected officials first voted to make themselves exempt from it. Sort of. An anonymous reader writes: While their internet browsing history will still be swept up, just like everyone else's, no one will ever be able to access it without specific approval from the Prime Minister. And according to The Independent, "That rule applies not only to members of the Westminster parliament but also politicians in the devolved assembly and members of the European Parliament."
The article adds that the exemption was the very first amendment they approved for the legislation. And for a very long time, the only amendment.
Security

Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk) 78

schwit1 quotes The Independent: Criminals can work out the card number, expiration date, and security code for a Visa debit or credit card in as little as six seconds using guesswork, researchers have found... Fraudsters use a so-called Distributed Guessing Attack to get around security features put in place to stop online fraud, and this may have been the method used in the recent Tesco Bank hack...

According to a study published in the academic journal IEEE Security & Privacy, fraudsters could use computers to systematically fire different variations of security data at hundreds of websites simultaneously. Within seconds, by a process of elimination, the criminals could verify the correct card number, expiration date and the three-digit security number on the back of the card.

One of the researchers explained this attack combines two weaknesses into one powerful attack. "Firstly, current online payment systems do not detect multiple invalid payment requests from different websites... Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw puzzle."
Iphone

iOS's 'Activation Lock' For Stolen iPads And iPhones Can Be Easily Bypassed (computerworld.com) 52

An anonymous reader quotes ComputerWorld: Two researchers claim to have found a way to bypass the activation lock feature in iOS that's supposed to prevent anyone from using an iPhone or iPad marked as lost by its owner... One of the few things allowed from the activation lock screen is connecting the device to a Wi-Fi network, including manually configuring one. [Security researcher] Hemanth had the idea of trying to crash the service that enforces the lock screen by entering very long strings of characters in the WPA2-Enterprise username and password fields.

The researcher claims that, after awhile, the screen froze, and he used the iPad smart cover sold by Apple to put the tablet to sleep and then reopen it... "After 20-25 seconds the Add Wifi Connection screen crashed to the iPad home screen, thereby bypassing the so-called Find My iPhone Activation Lock," he said in a blog post.

There's also a five-minute video on YouTube which purports to show a newer version of the same attack.
China

China's New 'Social Credit Score' Law Means Full Access To Customer Data (insurancejournal.com) 75

AnonymousCube shares this quote about China's new 'Social Credit Score' law from an insurance industry magazine: "Companies are also required to give government investigators complete access to their data if there is suspected wrong-doing, and Internet operators must cooperate in any national security or crime-related investigation."

Note that China has an extremely flexible definition of "national security". Additionally computer equipment will need to undergo mandatory certification, that could involve giving up source code, encryption keys, or even proprietary intellectual data, as Microsoft has been doing for some time.

The article suggests businesses like insurers "will likely see the cost of complying with this new action as a disincentive to conducting business in China."
Encryption

Encryption Backdoor Sneaks Into UK Law (theregister.co.uk) 118

Coisiche found a disturbing article from The Register about the U.K.'s new "Snoopers' Charter" law that has implications for tech companies around the world: Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the U.K. government to undermine encryption and demand surveillance backdoors... As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops -- such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications. Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored... At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will.
The bill added the Secretaries of State as a required signatory to the "technical capacity" notices, which "introduces a minor choke-point and a degree of accountability." But the article argues the law ultimately anticipates the breaking of encryption, and without customer notification. "The U.K. government can certainly insist that a company not based in the U.K. carry out its orders -- that situation is specifically included in the new law -- but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the U.K. market."
Republicans

Of 8 Tech Companies, Only Twitter Says It Would Refuse To Help Build Muslim Registry For Trump (theintercept.com) 514

On the campaign trail last year, President-elect Donald Trump said he would consider requiring Muslim-Americans to register with a government database. While he has back-stepped on a number of campaign promises after being elected president, Trump and his transition team have recently resurfaced the idea to create a national Muslim registry. In response, The Intercept contacted nine of the "most prominent" technology companies in the United States "to ask if they would sell their services to help create a national Muslim registry." Twitter was the only company that responded with "No." The Intercept reports: Even on a purely hypothetical basis, such a project would provide American technology companies an easy line to draw in the sand -- pushing back against any effort to track individuals purely (or essentially) on the basis of their religious beliefs doesn't take much in the way of courage or conviction, even by the thin standards of corporate America. We'd also be remiss in assuming no company would ever tie itself to such a nakedly evil undertaking: IBM famously helped Nazi Germany computerize the Holocaust. (IBM has downplayed its logistical role in the Holocaust, claiming in a 2001 statement that "most [relevant] documents were destroyed or lost during the war.") With all this in mind, we contacted nine different American firms in the business of technology, broadly defined, with the following question: "Would [name of company], if solicited by the Trump administration, sell any goods, services, information, or consulting of any kind to help facilitate the creation of a national Muslim registry, a project which has been floated tentatively by the president-elect's transition team?" After two weeks of calls and emails, only three companies provided an answer, and only one said it would not participate in such a project. A complete tally is below.

Facebook: No answer. Twitter: "No," and a link to this blog post, which states as company policy a prohibition against the use, by outside developers, of "Twitter data for surveillance purposes. Period." Microsoft: "We're not going to talk about hypotheticals at this point," and a link to a company blog post that states that "we're committed to promoting not just diversity among all the men and women who work here, but [...] inclusive culture" and that "it will remain important for those in government and the tech sector to continue to work together to strike a balance that protects privacy and public safety in what remains a dangerous time." Google: No answer. Apple: No answer. IBM: No answer. Booz Allen Hamilton: Declined to comment. SRA International: No answer.

Security

Hackers Steal $31 Million at Russia's Central Bank (cnn.com) 76

The Bank of Russia has confirmed Friday that hackers have stolen 2 billion rubles ($31 million) from correspondent accounts at the Russian central bank. Central bank security executive Artiom Sychev said it could've been much worse as hackers tried to steal 5 billion rubles, but the central banking authority managed to stop them. CNNMoney reports: Hackers also targeted the private banks and stole cash from their clients, the central bank reported. The central bank did not say when the heist occurred or how hackers moved the funds. But so far, the attack bears some similarity to a recent string of heists that has targeted the worldwide financial system. Researchers at the cybersecurity firm Symantec have concluded that the global banking system has been under sustained attack from a sophisticated group -- dubbed "Lazarus" -- that has been linked to North Korea. But it's unclear who has attacked Russian banks this time around. Earlier Friday, the Russian government claimed it had foiled an attempt to erode public confidence in its financial system. Russian's top law enforcement agency, the FSB, said hackers were planning to use a collection of computer servers in the Netherlands to attack Russian banks. Typically, hackers use this kind of infrastructure to launch a "denial of service" attack, which disrupts websites and business operations by flooding a target with data. The FSB said hackers also planned to spread fake news about Russian banks, sending mass text messages and publishing stories on social media questioning their financial stability and licenses to operate.
Facebook

Facebook Knows What You're Streaming (bloomberg.com) 98

Facebook is gathering information about the shows Roku and Apple TV owners are streaming. The company then uses the Facebook profile linked to the same IP addresses to tailor the commercials that are shown to individual users. From a report on Bloomberg: For the past few weeks, the social network says, it's been targeting ads to people streaming certain shows on their Roku or Apple TV set-top boxes. It customizes commercials based on the Facebook profiles tied to the IP addresses doing the streaming, according to a company spokesman. He says Facebook is trying out this approach with the A&E network (The Killing, Duck Dynasty) and streaming startup Tubi TV, selecting free test ads for nonprofits or its own products along with a handful of name brands. This push is part of a broader effort by social media companies to build their revenue with ads on video. Twitter is placing much of its ad-sales hopes on streaming partnerships with sports leagues and other content providers. In October, CFO Anthony Noto told analysts on an earnings call that the ads played during Twitter's NFL Thursday Night Football streaming exclusives had been especially successful, with many people watching them in their entirety with the sound turned on. The participants in these partnerships don't yet have a default answer to questions such as who should be responsible for selling the ads or who should get which slice of revenue.
Android

Multiple Vulnerabilities In AirDroid Opens At Least 10 Million Android Users To MITM Attacks, Hijackings (androidpolice.com) 29

AirDroid is a popular Android application that allows users to send and receive text messages and transfer files and see notifications from their computer. Zimperium, a mobile security company, recently released details of several major security vulnerabilities in the application, allowing attackers on the same network to access user information and execute code on a user's device. Since there are between 10 and 50 million installations of the app, many users may be imperiled by AirDroid. Android Police reports: The security issues are mainly due to AirDroid using the same HTTP request to authorize the device and send usage statistics. The request is encrypted, but uses a hardcoded key in the AirDroid application (so essentially, everyone using AirDroid has the same key). Attackers on the same network an intercept the authentication request (commonly known as a Man-in-the-middle attack) using the key extracted from any AirDroid APK to retrieve private account information. This includes the email address and password associated with the AirDroid account. Attackers using a transparent proxy can intercept the network request AirDroid sends to check for add-on updates, and inject any APK they want. AirDroid would then notify the user of an add-on update, then download the malicious APK and ask the user to accept the installation. Zimperium notified AirDroid of these security flaws on May 24, and a few days later, AirDroid acknowledged the problem. Zimperium continued to follow up until AirDroid informed them of the upcoming 4.0 release, which was made available last month. Zimperium later discovered that version 4.0 still had all these same issues, and finally went public with the security vulnerabilities today.
Mozilla

Mozilla Puts New Money To Use Fighting For 'Internet Health' (cnet.com) 109

Stephen Shankland, writing for CNET: Mozilla is marshaling public support for political positions, like backing net neutrality, defending encryption and keeping government surveillance from getting out of hand, says Denelle Dixon-Thayer, Mozilla's chief legal and business officer. The organization is funding the efforts with revenue from Firefox searches, which has jumped since 2014 when it switched from a global deal with Google to a set of regional deals. Mozilla brought in $421 million in revenue last year largely through partnerships with Yahoo in the US, Yandex in Russia and Baidu in China, according to tax documents released alongside Mozilla's 2015 annual report on Thursday. Pushing policy work brings new challenges well beyond traditional Mozilla work competing against Google's Chrome browser and Microsoft's Internet Explorer. They include squaring off against the incoming administration of Donald Trump.
Republicans

Trump Appoints Third Net Neutrality Critic To FCC Advisory Team (dslreports.com) 191

Last week, President-elect Donald Trump appointed two new advisers to his transition team that will oversee his FCC and telecommunications policy agenda. Trump has added a third adviser today who, like the other two advisers, is a staunch opponent of net neutrality regulations. DSLReports adds: The incoming President chose Roslyn Layton, a visiting fellow at the broadband-industry-funded American Enterprise Institute, to help select the new FCC boss and guide the Trump administration on telecom policy. Layton joins Jeffrey Eisenach, a former Verizon consultant and vocal net neutrality critic, and Mark Jamison, a former Sprint lobbyist that has also fought tooth and nail against net neutrality; recently going so far as to argue he doesn't think telecom monopolies exist. Like Eisenach and Jamison, Layton has made a career out of fighting relentlessly against most of the FCC's more consumer-focused efforts, including net neutrality, consumer privacy rules, and increased competition in the residential broadband space. Back in October, Layton posted an article to the AEI blog proclaiming that the FCC's new privacy rules, which give consumers greater control over how their data is collected and sold, were somehow part of a "partisan endgame of corporate favoritism" that weren't necessary and only confused customers. Layton also has made it abundantly clear she supports zero rating, the practice of letting ISPs give their own (or high paying partners') content cap-exemption and therefore a competitive advantage in the market. She has similarly, again like Eisenach and Jamison, supported rolling back the FCC's classification of ISPs as common carriers under Title II, which would kill the existing net neutrality rules and greatly weaken the FCC's ability to protect consumers.
Privacy

Uber Wants To Track Your Location Even When You're Not Using the App, Here's Why (businessinsider.com) 130

With the most recent update to Uber's ride-hailing app, the company has begun requesting users if they are willing to share their location data with Uber app even while the app is not in use. The company says it plans to use the data gained to improve user experience -- including offering improved pick-up times and locations. From an article on Business Insider: In August the company moved away from using Google Maps for its service and began using its own mapping technology. Google's lack of accuracy in many non-Western countries led to increased friction between consumers and drivers. This means the company needs to boost the amount of location data it has. Location data could also be used to provide new channels of revenue for the digital platform. This could include serving ads of local businesses or recommending nearby places of interest to users. Mobile marketing, which relies on accurate location data is a rapidly growing industry and could serve as a revenue windfall for Uber in the years ahead as it faces increasing competition. In fact, revenue from location-targeted mobile ads is expected to grow at an annualized rate of almost 34% between 2014 and 2019, surpassing $18 billion, according to a forecast from BIA/Kelsey.
Government

FBI To Gain Expanded Hacking Powers as Senate Effort To Block Fails (reuters.com) 153

A last-ditch effort in the Senate to block or delay rule changes that would expand the U.S. government's hacking powers failed Wednesday, despite concerns the changes would jeopardize the privacy rights of innocent Americans and risk possible abuse by the incoming administration of President-elect Donald Trump. Reuters adds: Democratic Senator Ron Wyden attempted three times to delay the changes which, will take effect on Thursday and allow U.S. judges will be able to issue search warrants that give the FBI the authority to remotely access computers in any jurisdiction, potentially even overseas. His efforts were blocked by Senator John Cornyn of Texas, the Senate's second-ranking Republican. The changes will allow judges to issue warrants in cases when a suspect uses anonymizing technology to conceal the location of his or her computer or for an investigation into a network of hacked or infected computers, such as a botnet.
Privacy

China Pilots a System That Rates Citizens on 'Social Credit Score' To Determine Eligibility For Jobs, Travel (technologyreview.com) 204

Speculations have turned out be true. The Chinese government is now testing systems that will be used to create digital records of citizens' social and financial behavior. In turn, these will be used to create a so-called social credit score, which will determine whether individuals have access to services, from travel and education to loans and insurance cover. Some citizens -- such as lawyers and journalists -- will be more closely monitored. From a report on MIT Technology Review: Planning documents apparently describe the system as being created to "allow the trustworthy to roam everywhere under heaven while making it hard for the discredited to take a single step." The Journal claims that the system will at first log "infractions such as fare cheating, jaywalking and violating family-planning rules" but will be expanded in the future -- potentially even to Internet activity. Some aspects of the system are already in testing, but there are some challenges to implementing such a far-reaching apparatus. It's difficult to centralize all that data, check it for accuracy, and process it, for example -- let alone feed it back into the system to control everyday life. And China has data from 1.4 billion people to handle.
Java

Muni System Hacker Hit Others By Scanning For Year-Old Java Vulnerability (arstechnica.com) 30

An anonymous reader quotes a report from Ars Technica: The attacker who infected servers and desktop computers at the San Francisco Metropolitan Transit Agency (SFMTA) with ransomware on November 25 apparently gained access to the agency's network by way of a known vulnerability in an Oracle WebLogic server. That vulnerability is similar to the one used to hack a Maryland hospital network's systems in April and infect multiple hospitals with crypto-ransomware. And evidence suggests that SFMTA wasn't specifically targeted by the attackers; the agency just came up as a target of opportunity through a vulnerability scan. In an e-mail to Ars, SFMTA spokesperson Paul Rose said that on November 25, "we became aware of a potential security issue with our computer systems, including e-mail." The ransomware "encrypted some systems mainly affecting computer workstations," he said, "as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports, no data was accessed from any of our servers." That description of the ransomware attack is not consistent with some of the evidence of previous ransomware attacks by those behind the SFMTA incident -- which Rose said primarily affected about 900 desktop computers throughout the agency. Based on communications uncovered from the ransomware operator behind the Muni attack published by security reporter Brian Krebs, an SFMTA Web-facing server was likely compromised by what is referred to as a "deserialization" attack after it was identified by a vulnerability scan. A security researcher told Krebs that he had been able to gain access to the mailbox used in the malware attack on the Russian e-mail and search provider Yandex by guessing its owner's security question, and he provided details from the mailbox and another linked mailbox on Yandex. Based on details found in e-mails for the accounts, the attacker ran a server loaded with open source vulnerability scanning tools to identify and compromise servers to use in spreading the ransomware, known as HDDCryptor and Mamba, within multiple organizations' networks.
Security

Holding Shift + F10 During Windows 10 Updates Opens Root CLI, Bypasses BitLocker (bleepingcomputer.com) 138

An anonymous reader quotes a report from BleepingComputer: Windows security expert and infrastructure trainer Sami Laiho says that by holding SHIFT + F10 while a Windows 10 computer is installing a new OS build, an attacker can open a command-line interface with SYSTEM privileges. This CLI debugging interface also grants the attacker full access to the computer's hard drive data, despite the presence of BitLocker. The CLI debugging interface is present when updating to new Windows 10 and Windows 10 Insiders builds. The most obvious exploitation scenario is when a user leaves his computer unattended during the update procedure. A malicious insider can open the CLI debugger and perform malicious operations under a root user, despite BitLocker's presence. But there are other scenarios where Laiho's SHIFT + F10 trick can come in handy. For example when police have seized computers from users who deployed BitLocker or when someone steals your laptop. Windows 10 defaults help police/thieves in this case because these defaults forcibly update computers, even if the user hasn't logged on for weeks or months. This CLI debugging interface grants the attacker full access to the computer's hard drive, despite the presence of BitLocker. The reason is that during the Windows 10 update procedure, the OS disables BitLocker while the Windows PE (Preinstallation Environment) installs a new image of the main Windows 10 operating system. "This [update procedure] has a feature for troubleshooting that allows you to press SHIFT + F10 to get a Command Prompt," Laiho writes on his blog. "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine." Laiho informed Microsoft of the issue and the company is apparently working on a fix.
Privacy

Jolla's Sailfish OS Now Certified as Russian Government's First 'Android Alternative' (techcrunch.com) 97

The future for one of the few remaining alternative mobile OS platforms, Jolla's Sailfish OS, looks to be taking clearer shape. Today the Finnish company which develops and maintains the core code, with the aim of licensing it to others, announced Sailfish has achieved domestic certification in Russia for government and corporate use. TechCrunch adds:In recent years the Russian government has made moves to encourage the development of alternatives to the duopoly of US-dominated smartphone platforms, Android and Apple's iOS -- flagging Sailfish as one possibility, along with Tizen. Although Sailfish looks to have won out as the preferred Android alternative for Russia at this point. The government has said it wants to radically reduce its reliance on foreign mobile OSes -- to 50 per cent by 2025 vs the 95 per cent of the market garnered by Android and iOS in 2015. Sailfish's local certification in Russia also follows an announcement earlier this year that a new Russian company, Open Mobile Platform (OMP), had licensed the OS with the intention of developing a custom version of the platform for use in the domestic market. So, in other words, a Russian, strategic 'Android alternative' is currently being built on Sailfish.
Communications

The UK Is About to Legalize Mass Surveillance [Update] (vice.com) 394

From a report on Motherboard: On Tuesday, the UK is due to pass its controversial new surveillance law, the Investigatory Powers Act, according to the Home Office. The Act, which has received overwhelming support in both the House of Commons and Lords, formally legalizes a number of mass surveillance programs revealed by Edward Snowden in 2013. It also introduces a new power which will force internet service providers to store browsing data on all customers for 12 months. Civil liberties campaigners have described the Act as one of the most extreme surveillance laws in any democracy, while law enforcement agencies believe that the collection of browsing data is vital in an age of ubiquitous internet communications. "The Investigatory Powers Act 2016 will ensure that law enforcement and the security and intelligence agencies have the powers they need in a digital age to disrupt terrorist attacks, subject to strict safeguards and world-leading oversight," a statement from the Home Office reads. Much of the Act gives stronger legal footing to the UK's various bulk powers, including "bulk interception," which is, in general terms, the collection of internet and phone communications en masse. In June 2013, using documents provided by Edward Snowden, The Guardian revealed that the GCHQ taps fibre-optic undersea cables in order to intercept emails, internet histories, calls, and a wealth of other data. Update: "Snooper's charter" bill has become the law. The home secretary said:"The Investigatory Powers Act is world-leading legislation, that provides unprecedented transparency and substantial privacy protection. "The government is clear that, at a time of heightened security threat, it is essential our law enforcement and security and intelligence services have the power they need to keep people safe. The internet presents new opportunities for terrorists and we must ensure we have the capabilities to confront this challenge. But it is also right that these powers are subject to strict safeguards and rigorous oversight."
China

Microsoft Confirms Its Chinese-Language Chatbot Filters Certain Topics (fortune.com) 19

Microsoft's Chinese-language AI chat bot filters certain topics, the company confirmed Monday, although it did not clarify whether that included interactions deemed politically sensitive. From a report on Fortune: Last week, CNNMoney and China Digital Times reported that Xiaoice would not directly respond to questions surrounding topics deemed sensitive by the Chinese state. References to the Tiananmen Square massacre of 1989 or "Steamed Bun Xi," a nickname of Chinese President Xi Jinping, would draw evasive answers or non sequiturs from the chat bot, according to the report. "Am I stupid? Once I answer you'd take a screengrab," read one answer to a question that contained the words "topple the Communist Party." Even the mention of Donald Trump, the American President-elect, drew an evasive response from the chat bot, according to reports. "I don't want to talk about it," Xiaoice said, reports CNN Money. In response to inquiries from Fortune, Microsoft confirmed that there was some filtering around Xiaoice's interaction. "We are committed to creating the best experience for everyone chatting with Xiaoice," a Microsoft spokesperson tells Fortune. "With this in mind, we have implemented filtering on a range of topics." The tech giant did not further elaborate to which specific topics the filtering applied.

Slashdot Top Deals