Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security

97% of the Top Companies Have Leaked Credentials Online (onthewire.io) 15

Apparently lots of people have been use both their work email address and work password on third-party sites -- suggesting a huge vulnerability. Trailrunner7 quotes On The Wire: The last few years have seen a number of large-scale breaches at popular sites and companies, including LinkedIn, Adobe, MySpace, and Ashley Madison, and many of the credentials stolen during those incidents have ended up online in various places... [R]esearch from Digital Shadows found that the most significant breach for the global 1,000 companies it looked at was the LinkedIn incident... Digital Shadows found more than 1.6 million credentials online for the 1,000 companies it studied. Adobe's breach was next on the list, with more than 1.3 million credentials.
"For Ashley Madison alone, there were more than 200,000 leaked credentials from the top 1,000 global companies," the researchers report, noting they also found many leaked credentials from breaches at other dating and gaming sites, as well as Myspace. Their conclusion? "The vast majority of organizations have credentials exposed online..."
Media

Snapchat's 10-Second-Video Glasses Are Real And Cost $130 Bucks (techcrunch.com) 80

Long-time Slashdot reader bheerssen writes that Snapchat "announced a new product yesterday, Spectacles, which are sunglasses with a camera built into the frame." TechCrunch reports: Snapchat's long-rumored camera glasses are actually real. The startup's first foray into hardware will be a pair of glasses called "Spectacles" and will go on sale this fall for $129.99, according to the WSJ... To start recording you tap a button on the side of the glasses. Video capture will mimic Snapchat's app, meaning you can only capture 10 seconds of video at once. This video will sync wirelessly to your phone, presumably making it available to share as a snap.
The cameras will be using a circular 115-degree lens to mimic the human eye's natural field of vision, and in the Journal's article, Snap CEO Evan Spiegel remembers his first test of the product in 2015. "I could see my own memory, through my own eyes -- it was unbelievable... It was the closest I'd ever come to feeling like I was there again." The camera glasses will enter "limited distribution" sometime within the next three months, which TechCrunch believes "could end up being like Google Glass when it first launched -- officially on sale to the public but pretty hard to come by."
Security

Hacker Who Aided ISIS Gets 20 Years In Prison (softpedia.com) 121

An anonymous reader quotes a report from Softpedia: Ardit Ferizi, aka Th3Dir3ctorY, 20, a citizen of Kosovo, will spend 20 years in a U.S. prison for providing material support to ISIS hackers by handing over data for 1,351 U.S. government employees. Ferizi obtained the data by hacking into a U.S. retail company on June 13, 2015. The hacker then filtered the stolen information and put aside records related to government officials, which he later handed over to Junaid Hussain, the then leader of the Islamic State Hacking Division (ISHD). Hussain then uploaded this information online, asking fellow ISIS members to seek out these individuals and execute lone wolf attacks. Because of this leak, the U.S. Army targeted and killed Hussain in a drone strike in Syria in August 2015. Before helping ISIS, Ferizi had a prodigious hacking career as the leader of Kosova Hacker's Security (KHS) hacking crew. He was arrested on October 6, 2015, at the international airport in Kuala Lumpur, Malaysia, while trying to catch a flight back to Kosovo. Ferizi was in Kuala Lumpur studying computer science.
Security

Why the Silencing of KrebsOnSecurity Opens a Troubling Chapter For the Internet (arstechnica.com) 183

An anonymous reader quotes a report from Ars Technica: For the better part of a day, KrebsOnSecurity, arguably the world's most intrepid source of security news, has been silenced, presumably by a handful of individuals who didn't like a recent series of exposes reporter Brian Krebs wrote. The incident, and the record-breaking data assault that brought it on, open a troubling new chapter in the short history of the Internet. The crippling distributed denial-of-service attacks started shortly after Krebs published stories stemming from the hack of a DDoS-for-hire service known as vDOS. The first article analyzed leaked data that identified some of the previously anonymous people closely tied to vDOS. It documented how they took in more than $600,000 in two years by knocking other sites offline. A few days later, Krebs ran a follow-up piece detailing the arrests of two men who allegedly ran the service. A third post in the series is here. On Thursday morning, exactly two weeks after Krebs published his first post, he reported that a sustained attack was bombarding his site with as much as 620 gigabits per second of junk data. That staggering amount of data is among the biggest ever recorded. Krebs was able to stay online thanks to the generosity of Akamai, a network provider that supplied DDoS mitigation services to him for free. The attack showed no signs of waning as the day wore on. Some indications suggest it may have grown stronger. At 4 pm, Akamai gave Krebs two hours' notice that it would no longer assume the considerable cost of defending KrebsOnSecurity. Krebs opted to shut down the site to prevent collateral damage hitting his service provider and its customers. The assault against KrebsOnSecurity represents a much greater threat for at least two reasons. First, it's twice the size. Second and more significant, unlike the Spamhaus attacks, the staggering volume of bandwidth doesn't rely on misconfigured domain name system servers which, in the big picture, can be remedied with relative ease. The attackers used Internet-of-things devices since they're always-connected and easy to "remotely commandeer by people who turn them into digital cannons that spray the internet with shrapnel." "The biggest threats as far as I'm concerned in terms of censorship come from these ginormous weapons these guys are building," Krebs said. "The idea that tools that used to be exclusively in the hands of nation states are now in the hands of individual actors, it's kind of like the specter of a James Bond movie." While Krebs could retain a DDoS mitigation service, it would cost him between $100,000 and $200,000 per year for the type of protection he needs, which is more than he can afford. What's especially troubling is that this attack can happen to many other websites, not just KrebsOnSecurity.
Security

40 Percent of Organizations Store Admin Passwords In Word Documents, Says Survey (esecurityplanet.com) 104

While the IT industry is making progress in securing information and communications systems from cyberattacks, a new survey from cybersecurity company CyberArk says several critical areas, such as privileged account security, third-party vendor access and cloud platforms are undermining them. An anonymous Slashdot reader shares with us the details of the report via eSecurity Planet: According to the results of a recent survey of 750 IT security decision makers worldwide, 40 percent of organizations store privileged and administrative passwords in a Word document or spreadsheet, while 28 percent use a shared server or USB stick. Still, the survey, sponsored by CyberArk and conducted by Vanson Bourne, also found that 55 percent of respondents said they have evolved processes for managing privileged accounts. Fully 79 percent of respondents said they have learned lessons from major cyberattacks and have taken appropriate action to improve security. Sixty-seven percent now believe their CEO and board of directors provide sound cybersecurity leadership, up from 57 percent in 2015. Three out of four IT decision makers now believe they can prevent attackers from breaking into their internal network, a huge increase from 44 percent in 2015 -- and 82 percent believe the security industry in general is making progress against cyberattackers. Still, 36 percent believe a cyberattacker is currently on their network or has been within the past 12 months, and 46 percent believe their organization was a victim of a ransomware attack over the past two years. And while 95 percent of organizations now have a cybersecurity emergency response plan, only 45 percent communicate and regularly test that plan with all IT staff. Sixty-eight percent of organizations cite losing customer data as one of their biggest concerns following a cyberattack, and 57 percent of organizations that store information in the cloud are not completely confident in their cloud provider's ability to protect their data.
United States

Probe Of Leaked US NSA Hacking Tools Examines Operative's Mistake (reuters.com) 56

Joseph Menn and John Walcott, reporting for Reuters: A U.S. investigation into a leak of hacking tools used by the National Security Agency is focusing on a theory that one of its operatives carelessly left them available on a remote computer and Russian hackers found them, four people with direct knowledge of the probe told Reuters. The tools, which enable hackers to exploit software flaws in computer and communications systems from vendors such as Cisco Systems and Fortinet Inc, were dumped onto public websites last month by a group calling itself Shadow Brokers. The public release of the tools coincided with U.S. officials saying they had concluded that Russia or its proxies were responsible for hacking political party organizations in the run-up to the Nov. 8 presidential election. On Thursday, lawmakers accused Russia of being responsible. Various explanations have been floated by officials in Washington as to how the tools were stolen. Some feared it was the work of a leaker similar to former agency contractor Edward Snowden, while others suspected the Russians might have hacked into NSA headquarters in Fort Meade, Maryland.
Facebook

Indian Students Score a Partial Win in Facebook Privacy Dispute (bloomberg.com) 47

WhatsApp announced last month that it would stop begin sharing some of users' information -- phone number, contact information of people in your address book etc -- with Facebook. Two Indian students last month expressed their concern over this, adding that WhatsApp was "severely" compromising their privacy and those of other billion plus users, and that it was reneging from its original promise. They approached Delhi High Court, and after hearing from everyone, the bench of chief justice told WhatsApp that it must delete data of users who are opt out of privacy policy changes before September 25. Bloomberg adds: The Delhi High Court on Friday ruled that WhatsApp has to delete all data on users who choose to stop using the service before Sept. 25, when the new policy takes effect. Also, it can only share data collected after that date. However, going forward, WhatsApp is free to share information on users who haven't opted out. The court also asked India's government to consider if it was feasible to craft regulations to oversee WhatsApp and other messaging apps, though it didn't specify what form they could take.
IOS

19-Year-Old Jailbreaks iPhone 7 In 24 Hours (vice.com) 97

An anonymous reader writes: 19-year-old hacker qwertyoruiop, aka Luca Todesco, jailbroke the new iPhone 7 just 24 hours after he got it, in what's the first known iPhone 7 jailbreak. Todesco tweeted a screenshot of a terminal where he has "root," alongside the message: "This is a jailbroken iPhone 7." He even has video proof of the jailbreak. Motherboard reports: "He also said that he could definitely submit the vulnerabilities he found to Apple, since they fall under the newly launched bug bounty, but he hasn't decided whether to do that yet. The hacker told me that he needs to polish the exploits a bit more to make the jailbreak 'smoother,' and that he is also planning to make this jailbreak work through the Safari browser just like the famous 'jailbreakme.com,' which allowed anyone to jailbreak their iPhone 4 just by clicking on a link." Apple responded to the news by saying, "Apple strongly cautions against installing any software that hacks iOS."
Government

Hacker Leaks Michelle Obama's Passport (nypost.com) 121

The hacker who leaked Colin Powell's private email account last week has struck again. This time they have hacked a low-level White House staffer and released a picture of Michelle Obama's passport, along with detailed schedules for top U.S. officials and private email messages. New York Post reports: The information has been posted online by the group DC Leaks. The White House staffer -- who also apparently does advance work for Hillary Clinton's presidential campaign -- is named Ian Mellul. The released documents include a PowerPoint outline of Vice President Joe Biden's recent Cleveland trip, showing his planned route, where he'll meet with individuals and other sensitive information, according to the Daily Mail. In an email to The Post, the hacker writes, "The leaked files show the security level of our government. If terrorists hack emails of White House Office staff and get such sensitive information we will see the fall of our country." The hacker adds, "We hope you will tell the people about this criminal negligence of White House Office staffers."
Crime

Cops Are Raiding Homes of Innocent People Based Only On IP Addresses (fusion.net) 237

Kashmir Hill has a fascinating story today on what can go wrong when you solely rely on IP address in a crime investigation -- also highlighting how often police resort to IP addresses. In the story she follows a crime investigation that led police to raid a couple's house at 6am in the morning, because their IP address had been associated with the publication of child porn on notorious 4chan porn. The problem was, Hill writes: the couple -- David Robinson and Jan Bultmann -- weren't the ones who had uploaded the child porn. All they did was voluntarily use one of their old laptops as a Tor exit relay, a software used by activists, dissidents, privacy enthusiasts as well as criminals, so that people who want to stay anonymous when surfing the web could do so. Hill writes: Robinson and Bultmann had [...] specifically operated the riskiest node in the chain: the exit relay which provides the IP address ultimately associated with a user's activity. In this case, someone used Tor to make the porn post, and his or her traffic had been routed through the computer in Robinson and Bultmann's house. The couple wasn't pleased to have helped someone post child porn to the internet, but that's the thing about privacy-protective tools: They're going to be used for good and bad purposes, and to support one, you might have to support the other.Robinson added that he was a little let down because police didn't bother to look at the public list which details the IP addresses associated with Tor exit relays. Hill adds: The police asked Robinson to unlock one MacBook Air, and then seemed satisfied these weren't the criminals they were looking for and left. But months later, the case remains open with Robinson and Bultmann's names on police documents linking them to child pornography. "I haven't run an exit relay since. The police told me they'd be back if it happened again," Robinson said; he's still running a Tor node, just not the end point anymore. "I have to take the threat seriously because I don't want my wife or I to wake up with guns in our faces."Technologist Seth Schoen, and EFF Executive Director Cindy Cohn in a white paper aimed at courts and cops. "For many reasons, connecting an individual to a crime linked to an IP address, without any additional investigation, is irresponsible and threatens the civil liberties of innocent people."
Google

Google Backs Off On Previously Announced Allo Privacy Feature (theverge.com) 84

When Google first unveiled its Allo messaging app, the company said it would not keep a log of chats you have with people when in incognito mode. The company released Allo for iOS and Android users last night, and it seems it is reneging on some of those promises. The Verge reports:The version of Allo rolling out today will store all non-incognito messages by default -- a clear change from Google's earlier statements that the app would only store messages transiently and in non-identifiable form. The records will now persist until the user actively deletes them, giving Google default access to a full history of conversations in the app. Users can also avoid the logging by using Alo's Incognito Mode, which is still fully end-to-end encrypted and unchanged from the initial announcement. Like Hangouts and Gmail, Allo messages will still be encrypted between the device and Google servers, and stored on servers using encryption that leaves the messages accessible to Google's algorithms. According to Google, the change was made to improve the Allo assistant's smart reply feature, which generates suggested responses to a given conversation. Like most machine learning systems, the smart replies work better with more data. As the Allo team tested those replies, they decided the performance boost from permanently stored messages was worth giving up privacy benefits of transient storage.
Security

College Student Got 15 Million Miles By Hacking United Airlines (fortune.com) 79

An anonymous reader quotes a report from Fortune: University of Georgia Tech student Ryan Pickren used to get in trouble for hacking websites -- in 2015, he hacked his college's master calendar and almost spent 15 years in prison. But now he's being rewarded for his skills. Pickren participated in United Airlines' Bug Bounty Program and earned 15 million United miles. At two cents a mile, that's about $300,000 worth. United's white hat hacking program invites computer experts to legally hack their systems, paying up to one million United miles to hackers who can reveal security flaws. At that rate, we can presume Pickren reported as many as 15 severe bugs. The only drawback to all those free miles? Taxes. Having earned $300,000 of taxable income from the Bug Bounty Program, Pickren could owe the Internal Revenue Service tens of thousands of dollars. He's not keeping all of the, though: Pickren donated five million miles to Georgia Tech. The ultimate thank-you for not pressing charges last year. In May, certified ethical hackers at Offensi.com identified a bug allowing remote code execution on one of United Airlines' sites and were rewarded with 1,000,000 Mileage Plus air miles. Instead of accepting the award themselves, they decided to distribute their air miles among three charities.
Security

Anonymous Hacker Explains His Attack On Boston Children's Hospital (huffingtonpost.com) 294

Okian Warrior writes: Martin Gottesfeld of Anonymous was arrested in connection with the Spring 2014 attacks on a number of healthcare and treatment facilities in the Boston area. The attacks were in response/defense of a patient there named Justina Pelletier. Gottesfeld now explains why he did what he did, in a statement provided to The Huffington Post. Here's an excerpt from his statement: [Why I Knocked Boston Children's Hospital Off The Internet] The answer is simpler than you might think: The defense of an innocent, learning disabled, 15-year-old girl. In the criminal complaint, she's called 'Patient A,' but to me, she has a name, Justina Pelletier. Boston Children's Hospital disagreed with her diagnosis. They said her symptoms were psychological. They made misleading statement on an affidavit, went to court, and had Justina's parents stripped of custody. They stopped her painkillers, leaving her in agony. They stopped her heart medication, leaving her tachycardic. They said she was a danger to herself, and locked her in a psych ward. They said her family was part of the problem, so they limited, monitored, and censored her contact with them..."
Robotics

Robot Handcuffed and Arrested At Moscow Rally (abc.net.au) 46

Russian police have arrested a robot. Long-time Slashdot reader ferret4 quotes ABC News: A robot has been detained by police at a political rally in Moscow, with authorities attempting to handcuff the machine. Police have not confirmed why they detained the machine named Promobot, but local media was reporting the company behind the robot said police were called because it was 'recording voters' opinions on [a] variety of topics for further processing and analysis by the candidate's team'."
Interestingly, an earlier model of the same robot escaped its research lab in June, traveling 150 feet before its batteries died -- and despite being reprogrammed twice, continued to move towards the exits.
Privacy

Assange Agrees to US Prison If Obama Pardons Chelsea Manning (theverge.com) 374

"If Obama grants Manning clemency, Assange will agree to U.S. prison in exchange -- despite its clear unlawfulness," Wikileaks announced on Twitter Thursday. An anonymous Slashdot reader quotes The Verge: WikiLeaks' statement was released one day before a Swedish appeals court decided to maintain a warrant for Assange's arrest over a 2010 rape charge. Assange has said that extradition to Sweden would lead to his eventual extradition to the US, where he could face charges related to WikiLeaks' publication of secret government documents... Assange has been living in political asylum at the Ecuadorian embassy in London since 2012...

Chelsea Manning, a former US Army private, was convicted in 2013 for providing a trove of documents and videos to WikiLeaks, and is currently serving a 35-year sentence at the US Disciplinary Barracks in Leavenworth, Kansas. She was hospitalized after a reported suicide attempt in July, and this month went on a hunger strike to seek treatment for her gender dysphoria. Manning ended her hunger strike this week after the military agreed to allow her to have gender reassignment surgery. She still faces indefinite solitary confinement due to administrative charges related to her suicide attempt.

The tweet also included a link to a letter from Assange's attorney, Barry Pollack, calling on the Justice Department to be more transparent about its investigation into WikiLeaks -- and citing the FBI's investigation into Hillary Clinton's handling of classified information. "Director Comey made it clear his conclusion was based on the necessity of proving criminal intent [and] noted that responsible prosecutors consider the context of a person's actions... Criminal prosecution is appropriate only when a person...was intending to aid enemies of the United States or was attempting to obstruct justice."
Privacy

Woman Sues Sex Toy App For Secretly Capturing Sensitive Information (ctvnews.ca) 211

A woman in Chicago filed a class action lawsuit against the makers of a smartphone-enabled vibrator, alleging their devices "secretly collect and transmit 'highly sensitive' information." CTV News reports: The lawsuit, which was filed earlier this month in an Illinois court, explains that to fully operate the device, users download the We-Connect app on a smartphone, allowing them and their partners remote control over the Bluetooth-equipped vibrator's settings... The suit alleges that unbeknownst to its customers, Standard Innovation designed the We-Connect app to collect and record intimate and sensitive data on use of the vibrator, including the date and time of each use as well as vibration settings...

It also alleges the usage data and the user's personal email address was transmitted to the company's servers in Canada. The statement of claim alleges the company's conduct demonstrates "a wholesale disregard" for consumer privacy rights and violated a number of state and federal laws.

Slashdot reader BarbaraHudson argues that "It kind of has to share that information if it's going to be remotely controlled by someone else." But the woman's lawsuit claims she wouldn't have bought the device if she'd known that while using it, the manufacturer "would monitor, collect and transmit her usage information."
Education

Code.org Disses Wolfram Language, Touts Apple's Swift Playgrounds (edsurge.com) 240

America is changing the way it teaches computer science. "There are now 31 states that allow CS to count towards high school graduation," according to an announcement this week by the White House, while a new Advance Placement course "will be offered in more than 2,000 U.S. classrooms this fall...the largest course launch in the history of the AP exam." But what's the best way to teach coding? theodp reports: Tech-backed Code.org, one of the leaders of the new CSforAll Consortium that was announced at the White House on Wednesday, took to its blog Thursday to say "Thanks, Tim [Cook], for supporting the effort to give every student the opportunity to learn computer science," giving a shout out to Apple for providing "resources for teachers who want to put Swift Playgrounds in their classrooms. (A day earlier, the White House said Apple developed Swift Playgrounds "in support of the President's call to action" for CS for All).

Curiously, Code.org CEO Hadi Partovi argued Friday that "the Wolfram Language has serious shortcomings for broad educational use" in an EdSurge op-ed that was called a "response to a recent blog post by Stephen Wolfram" on Wolfram's ambitious plan to teach computational thinking in schools. Partovi's complaints? "It requires login for all but the simplest use cases, but doesn't provide any privacy safeguards for young children (required in the U.S. through legislation such as COPPA). Also, a serious user would need to pay for usage, making implementation inaccessible in most schools. Lastly, it's a bit difficult to use by students who struggle with English reading or writing, such as English language learners or early elementary school students."

The submission ultimately asks how should computer science be taught to teenagers. "Would you be inclined to embrace Wolfram's approach, Apple's Swift Playgrounds, Microsoft TEALS' Java-centric AP CS curriculum, or something else (e.g., R, Tableau, Excel+VBA)?"
Open Source

The World's Most Secure Home Computer Reaches Crowdfunding Goal (pcworld.com) 126

"If the PC is tampered with, it will trigger an alert and erase the PC's encryption key, making the data totally inaccessible." Last month Design SHIFT began crowdfunding an elaborate "open source, physically secure personal computer" named ORWL (after George Orwell). "Having exceeded its $25,000 funding goal on Crowd Supply, the super-secure PC is in production," reports PC World, in an article shared by Slashdot reader ogcricket about the device which tries to anticipate every possible attack: The encryption key to the drive is stored on a security microcontroller instead of the drive... The ORWL's makers say the wire mesh itself is constantly monitored... Any attempts to trick, bypass, or short the wire mesh will cause the encryption key to be deleted. The unit's security processor also monitors movement, and a user can select a setting that will wipe or lock down the PC's data if it is moved to another location... The RAM is soldered to the motherboard and can't be easily removed to be read elsewhere...

Your ORWL unlocks by using a secure NFC and Bluetooth LE keyfob. Pressing it against the top of the ORWL and entering a password authenticates the user. Once the user has been authenticated, Bluetooth LE is then ensures that the user is always nearby. Walk away, and the ORWL will lock.

Encryption

How The FBI Might've Opened the San Bernardino Shooter's iPhone 5c (schneier.com) 66

"Remember the San Bernardino killer's iPhone, and how the FBI maintained that they couldn't get the encryption key without Apple providing them with a universal backdoor?" Slashdot reader LichtSpektren quotes Bruce Schneier: Many of us computer-security experts said that they were wrong, and there were several possible techniques they could use. One of them was manually removing the flash chip from the phone, extracting the memory, and then running a brute-force attack without worrying about the phone deleting the key. The FBI said it was impossible. We all said they were wrong. Now, Sergei Skorobogatov has proved them wrong.
Sergei's new paper describes "a real world mirroring attack on the Apple iPhone 5c passcode retry counter under iOS 9." The process does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors. By using the described and successful hardware mirroring process it was possible to bypass the limit on passcode retry attempts... Although the process can be improved, it is still a successful proof-of-concept project.
Security

Alleged Hacker Lauri Love To Be Extradited To US (bbc.com) 71

An anonymous reader quotes a report from BBC: An autistic man suspected of hacking into U.S. government computer systems is to be extradited from Britain to face trial, a court has ruled. Lauri Love, 31, who has Asperger's syndrome, is accused of hacking into the FBI, the U.S. central bank and the country's missile defense agency. Mr Love, from Stradishall, Suffolk, has previously said he feared he would die in a U.S. prison if he was extradited. Earlier, his lawyer said his alleged hacking had "embarrassed" U.S. authorities. Tor Ekeland said the U.S. government "had very, very bad security and these hacks utilized exploits that were publicly-known for months." Mr Love's lawyers said he could face up to 99 years in prison if convicted of the hacking offenses. Mr Love's defense team argues his depression and Asperger's syndrome mean he should not be sent abroad, but U.S. prosecutors say he is using his mental health issues as an excuse to escape justice.

Slashdot Top Deals