Cops Told 'Don't Look' at New iPhones To Avoid Face ID Lock-Out

Slashdot - Your Rights Online - Fri, 2018-10-12 23:40
As Apple continues to update its iPhones with new security features, law enforcement and other investigators are constantly playing catch-up, trying to find the best way to circumvent the protections or to grab evidence. From a report: Last month, Forbes reported the first known instance of a search warrant being used to unlock a suspect's iPhone X with their own face, leveraging the iPhone X's Face ID feature. But Face ID can of course also work against law enforcement -- too many failed attempts with the 'wrong' face can force the iPhone to request a potentially harder-to-obtain passcode instead. Taking advantage of legal differences in how passcodes are protected, US law enforcement has forced people to unlock their devices not just with their face but with their fingerprints too. Still, in a set of presentation slides obtained by Motherboard this week, one company specialising in mobile forensics is telling investigators not to even look at phones with Face ID, because they might accidentally trigger this mechanism. "iPhone X: don't look at the screen, or else... The same thing will occur as happened on Apple's event," the slide, from forensics company Elcomsoft, reads. Motherboard obtained the presentation from a non-Elcomsoft source, and the company subsequently confirmed its veracity. The slide is referring to Apple's 2017 presentation of Face ID, in which Craig Federighi, Apple's senior vice president of software engineering, tried, and failed, to unlock an iPhone X with his own face. The phone then asked for a passcode instead. "This is quite simple. Passcode is required after five unsuccessful attempts to match a face," Vladimir Katalov, CEO of Elcomsoft, told Motherboard in an online chat, pointing to Apple's own documentation on Face ID. "So by looking into suspect's phone, [the] investigator immediately lose one of [the] attempts."

Read more of this story at Slashdot.

A Mysterious Grey-Hat Is Patching People's Outdated MikroTik Routers

Slashdot - Your Rights Online - Fri, 2018-10-12 23:00
An anonymous reader quotes a report from ZDNet: A Russian-speaking grey-hat hacker is breaking into people's MikroTik routers and patching devices so they can't be abused by cryptojackers, botnet herders, or other cyber-criminals, ZDNet has learned. The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already. "I added firewall rules that blocked access to the router from outside the local network," Alexey said. "In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions." But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said "thanks," but most were outraged. The vigilante server administrator says he's been only fixing routers that have not been patched by their owners against a MikroTik vulnerability that came to light in late April.

Google CEO Tells Senators That Censored Chinese Search Engine Could Provide 'Broad Benefits'

Slashdot - Your Rights Online - Fri, 2018-10-12 22:20
Google CEO Sundar Pichai has refused to answer a list of questions from U.S. lawmakers about the company's secretive plan for a censored search engine in China. From a report: In a letter newly obtained by The Intercept, Pichai told a bipartisan group of six senators that Google could have "broad benefits inside and outside of China," but said he could not share details about the censored search engine because it "remains unclear" whether the company "would or could release a search service" in the country. Pichai's letter contradicts the company's search engine chief, Ben Gomes, who informed staff during a private meeting that the company was aiming to release the platform in China between January and April 2019. Gomes told employees working on the Chinese search engine that they should get it ready to be "brought off the shelf and quickly deployed." [...] In his letter to the senators, dated August 31, Pichai did not mention the word "censorship" or address human rights concerns. He told the senators that "providing access to information to people around the world is central to our mission," and said he believed Google's tools could "help to facilitate an exchange of information and learning." The company was committed to "promoting access to information, freedom of expression, and user privacy," he wrote, while also "respecting the laws of jurisdictions in which we operate."

Apple Rebukes Australia's 'Dangerously Ambiguous' Anti-Encryption Bill

Slashdot - Your Rights Online - Fri, 2018-10-12 21:00
Apple has strongly criticized Australia's anti-encryption bill, calling it "dangerously ambiguous" and "alarming to every Australian." From a report: The Australian government's draft law -- known as the Access and Assistance Bill -- would compel tech companies operating in the country, like Apple, to provide "assistance" to law enforcement and intelligence agencies in accessing electronic data. The government claims that encrypted communications are "increasingly being used by terrorist groups and organized criminals to avoid detection and disruption," without citing evidence. But critics say the bill grants "broad authorities that would undermine cybersecurity and human rights, including the right to privacy" by forcing companies to build backdoors and hand over user data -- even when it's encrypted. Apple now joins Google and Facebook, along with civil and digital rights groups -- including Amnesty International -- in opposing the bill, amid fears that the government will rush it through before the end of the year. In a seven-page letter to the Australian parliament, Apple said that it "would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat." The company adds, "We appreciate the government's outreach to Apple and other companies during the drafting of this bill. While we are pleased that some of the suggestions incorporated improve the legislation, the unfortunate fact is that the draft legislation remains dangerously ambiguous with respect to encryption and security. This is no time to weaken encryption. Rather than serving the interests of Australian law enforcement, it will just weaken the security and privacy of regular customers while pushing criminals further off the grid."

The FBI Is Now Investigating Facebook's Security Breach Where Attackers Accessed 30 Million Users' Personal Information

Slashdot - Your Rights Online - Fri, 2018-10-12 19:45
An online attack that forced Facebook to log out 90 million users last month directly affected 29 million people on the social network, the company said Friday as it released new details about the scope of an incident that has regulators and law enforcement on high alert. The company said the FBI is actively investigating the hack, and asked Facebook not to disclose any potential culprits. From a report: Through a series of interrelated bugs in Facebook's programming, unnamed attackers stole the names and contact information of 15 million users, Facebook said. The contact information included a mix of phone numbers and email addresses. An additional 14 million users were affected more deeply, by having additional details taken related to their profiles such as their recent search history, gender, educational background, geolocation data, birth dates, and lists of people and pages they follow. Facebook said last month that it detected the attack when it noticed an uptick in user activity. An investigation soon found that the activity was linked to the theft of security codes that, under normal circumstances, allow Facebook users to navigate away from the site while remaining logged in. The bugs that allowed the attack to occur gave hackers the ability to effectively take over Facebook accounts on a widespread basis, Facebook said when it disclosed the breach. The attackers began with a relatively small number of accounts that they directly controlled, exploiting flaws in the platform's "View As" feature to gain access to other users' profiles.

FCC Tells Court It Has No 'Legal Authority' To Impose Net Neutrality Rules

Slashdot - Your Rights Online - Fri, 2018-10-12 19:00
The Federal Communications Commission opened its defense of its net neutrality repeal yesterday, telling a court that it has no authority to keep the net neutrality rules in place. From a report: Chairman Ajit Pai's FCC argued that broadband is not a "telecommunications service" as defined in federal law, and therefore it must be classified as an information service instead. As an information service, broadband cannot be subject to common carrier regulations such as net neutrality rules, Pai's FCC said. The FCC is only allowed to impose common carrier regulations on telecommunications services. "Given these classification decisions, the Commission determined that the Communications Act does not endow it with legal authority to retain the former conduct rules," the FCC said in a summary of its defense filed yesterday in the US Court of Appeals for the District of Columbia Circuit. The FCC is defending the net neutrality repeal against a lawsuit filed by more than 20 state attorneys general, consumer advocacy groups, and tech companies. The FCC's opponents in the case will file reply briefs next month, and oral arguments are scheduled for February.

Senators Demand Google Hand Over Internal Memo Urging Google+ Cover-up

Slashdot - Your Rights Online - Fri, 2018-10-12 17:25
An anonymous reader writes: Three Republican senators have sent a letter to Google demanding the company hand over an internal memo on the basis of which Google decided to cover up a Google+ data leak instead of going public, as most companies do. The existence of this internal memo came to light on Monday in a Wall Street Journal article that forced Google to go public with details about a Google+ API bug that could have been used to harvest data on Google users. According to the report, the internal memo, signed by Google's legal and policy staff, advised Google's top executives not to disclose the existence of the API bug, fearing "immediate regulatory interest." Google's legal staff also feared that the bug would bring Google "into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal," and would "almost [guarantee] Sundar will testify before Congress," as Facebook's CEO did. In a letter sent today to Google, the three GOP senators ask to see this internal memo for themselves by October 30, along with on-the-record answers to seven questions about what, why, and how Google handled the Google+ API data leak.

To Deter Foreign Hackers, Some States May Also Be Deterring Voters

Slashdot - Your Rights Online - Fri, 2018-10-12 16:40
A number of states are blocking web traffic from foreign countries to their voter registration websites, making the process harder for some U.S. citizens who live overseas to vote, despite the practice providing no real security benefit. From a report: On its face, the "geo-targeting" of foreign countries may seem like a solid plan: election officials around the country are concerned about foreign interference after Russia's efforts leading up to the 2016 election, so blocking traffic to election websites from outside the United States might seem like an obvious starting point for a defense. But cybersecurity experts and voting rights advocates say it's an ineffective solution that any hacker could easily sidestep using a virtual private network, or VPN, a commonly used and easily available service. Such networks let a computer user appear to be in a different location from where they actually are.

Pro-Privacy Search Engine DuckDuckGo Hits 30 Million Daily Searches, Up 50% In a Year

Slashdot - Your Rights Online - Fri, 2018-10-12 15:00
An anonymous reader quotes a report from TechCrunch: Some nice momentum for privacy-focused search engine DuckDuckGo which has just announced it's hit 30 million daily searches a year after reaching 20 million -- a year-on-year increase of 50%. Hitting the first 10 million daily searches took the search engine a full seven years, and then it was another two to get to 20 million. So as growth curves go it must have required patience and a little faith in the run up. It also recently emerged that DDG had quietly picked up $10 million in VC funding, which is only its second tranche of external investment. The company told us this financing would be used to respond to an expanding opportunity for pro-privacy business models, including by tuning its search engine for more local markets and expanding its marketing channels to "have more of a global focus."

45 Out of 50 Electronics Companies Illegally Void Warranties After Independent Repair, Sting Operation Finds

Slashdot - Your Rights Online - Fri, 2018-10-12 02:45
U.S. PIRG -- a non-profit that uses grassroots methods to advocate for political change -- found that 90 percent of the manufacturers it contacted claimed that a third-party repair would void their warranty. "PIRG researched the warranty information of 50 companies in the Association of Home Appliance Manufacturers (AHAM) -- an industry group notorious for lobbying to protect its repair monopolies -- and found that 45 of them claimed independent repair would void their warranty," Motherboard reports. From the report: PIRG pored over the documentation for 50 companies such as Bissell, Whirlpool, and Panasonic to document their warranty policies. When it couldn't find clear language about warranty and repair, it reached out to the companies via their customer service lines. The overwhelming majority of the companies told PIRG that independent repair would void the warranty. The 1975 Magnuson-Moss Warranty Act states that no manufacturer who charges more than $5 for a product can put repair restrictions on a product they're offering a warranty on. In May, the U.S. Federal Trade Commission sent warning letters to Sony, Microsoft, Nintendo, HTC, Hyundai, and ASUS for violating the act by threatening to void the warranties of customers who repaired their own devices. Within 30 days, many of the companies had complied and changed the language on their websites around independent repair. It was a step in the right direction, but PIRG's survey of the AHAM members shows that there's still a lot of work to do.

How Genealogy Websites Make It Easier To Catch Killers

Slashdot - Your Rights Online - Fri, 2018-10-12 01:20
An anonymous reader quotes a report from IEEE Spectrum: Over the past six months a small, publicly available genealogy database has become the go-to source for solving cold case crimes. The free online tool, called GEDmatch, is an ancestry service that allows people to submit their DNA data and search for relatives -- an open access version of AncestryDNA or 23andMe. Since April, investigators have used GEDmatch to identify victims, killers, and missing persons all over the U.S. in at least 19 cases, many of them decades old, according to the authors of a report published today in Science. The authors predict that in the near future, as genetic genealogy reports gain in popularity, such tools could be used to find nearly any individual in the U.S. of European descent. GEDmatch holds the genetic data of only about a million people. But cold case investigators have been exploiting the database using a genomic analysis technique called long-range familial search. The technique allows researchers to match an individual's DNA to distant relatives, such as third cousins. Chances are, one of those relatives will have used a genetic genealogy service. More than 17 million people have participated in these services -- a number that has grown rapidly over the last two years. AncestryDNA and 23andMe hold most of those customers. A genetic match to a distant relative can fairly quickly lead investigators to the person of interest. In a highly publicized case in April, investigators used GEDmatch to narrow down DNA data from crime scenes and identify the "Golden State Killer," a serial rapist and murderer who terrorized California in the 1970s and 1980s but was never caught.

EU Ruling: Self-Driving Car Data Will Be Copyrighted By the Manufacturer

Slashdot - Your Rights Online - Fri, 2018-10-12 00:40
Yesterday, at a routine vote on regulations for self-driving cars, members of the European People's Party voted down a clause that would have protected a vehicle's telemetry so that it couldn't become someone's property. The clause affirmed that "data generated by autonomous transport are automatically generated and are by nature not creative, thus making copyright protection or the right on data-bases inapplicable." Boing Boing reports: This is data that we will need to evaluate the safety of autonomous vehicles, to fine-tune their performance, to ensure that they are working as the manufacturer claims -- data that will not be public domain (as copyright law dictates), but will instead be someone's exclusive purview, to release or withhold as they see fit. Who will own this data? It's unlikely that it will be the owners of the vehicles. It's already the case that most auto manufacturers use license agreements and DRM to lock up your car so that you can't fix it yourself or take it to an independent service center. The aggregated data from millions of self-driving cars across the EU aren't just useful to public safety analysts, consumer rights advocates, security researchers and reviewers (who would benefit from this data living in the public domain) -- it is also a potential gold-mine for car manufacturers who could sell it to insurers, market researchers and other deep-pocketed corporate interests who can profit by hiding that data from the public who generate it and who must share their cities and streets with high-speed killer robots.

Over Nine Million Cameras and DVRs Open To APTs, Botnet Herders, and Voyeurs

Slashdot - Your Rights Online - Thu, 2018-10-11 21:26
Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over the devices with little effort, security researchers revealed today. From a report: All vulnerable devices have been manufactured by Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter), a Chinese company based in the city of Hangzhou. But end users won't be able to tell that they're using a hackable device, because the company doesn't sell any products under its own name; it ships all equipment as white-label products on which other companies put their own logo. Security researchers from EU-based SEC Consult say they've identified over 100 companies that buy and re-brand Xiongmai devices as their own. All of these devices are vulnerable to easy hacks, researchers say. The source of all the vulnerabilities is a feature found in all the devices, named the "XMEye P2P Cloud." The XMEye P2P Cloud works by creating a tunnel between a customer's device and an XMEye cloud account. Device owners can access this account via their browser or via a mobile app to view device video feeds in real time. SEC Consult researchers say that these XMEye cloud accounts have not been sufficiently protected. For starters, an attacker can guess account IDs because they are based on the devices' sequential physical addresses (MACs). Second, all new XMEye accounts use a default admin username of "admin" with no password.

MindBody-Owned FitMetrix Exposed Millions of User Records -- Thanks To Servers Without Passwords

Slashdot - Your Rights Online - Thu, 2018-10-11 17:20
An anonymous reader writes: FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody, has exposed millions of user records because it left several of its servers without a password. The company builds fitness tracking software for gyms and group classes -- like CrossFit and SoulCycle -- that displays heart rate and other fitness metrics for interactive workouts. FitMetrix was acquired by gym and wellness scheduling service Mindbody earlier this year for $15.3 million, according to a government filing. Last week, a security researcher found three unprotected FitMetrix servers leaking customer data. It isn't known how long the servers had been exposed, but they were indexed by Shodan, a search engine for open ports and databases, in September. The servers included two identical ElasticSearch instances and a storage server -- all hosted on Amazon Web Services -- yet none were protected by a password, allowing anyone who knew where to look to access the data on millions of users. Bob Diachenko, Hacken.io's director of cyber risk research, found the databases containing 113.5 million records -- though it's not known how many users were directly affected. Each record contained a user's name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more. Many of the records were incomplete.

The Breach That Killed Google+ Wasn't a Breach At All

Slashdot - Your Rights Online - Thu, 2018-10-11 00:40
An anonymous reader quotes a report from The Verge: For months, Google has been trying to stay out of the way of the growing tech backlash, but yesterday, the dam finally broke with news of a bug in the rarely used Google+ network that exposed private information for as many as 500,000 users. Google found and fixed the bug back in March, around the same time the Cambridge Analytica story was heating up in earnest. [...] The vulnerability itself seems to have been relatively small in scope. The heart of the problem was a specific developer API that could be used to see non-public information. But crucially, there's no evidence that it actually was used to see private data, and given the thin user base, it's not clear how much non-public data there really was to see. The API was theoretically accessible to anyone who asked, but only 432 people actually applied for access (again, it's Google+), so it's plausible that none of them ever thought of using it this way. The bigger problem for Google isn't the crime, but the cover-up. The vulnerability was fixed in March, but Google didn't come clean until seven months later when The Wall Street Journal got hold of some of the memos discussing the bug. [...] Part of the disconnect comes from the fact that, legally, Google is in the clear. There are lots of laws about reporting breaches -- primarily the GDPR but also a string of state-level bills -- but by that standard, what happened to Google+ wasn't technically a breach. Those laws are concerned with unauthorized access to user information, codifying the basic idea that if someone steals your credit card or phone number, you have a right to know about it. But Google just found that data was available to developers, not that any data was actually taken. With no clear data stolen, Google had no legal reporting requirements. As far as the lawyers were concerned, it wasn't a breach, and quietly fixing the problem was good enough.

WhatsApp Fixes Bug That Let Hackers Take Over App When Answering a Video Call

Slashdot - Your Rights Online - Wed, 2018-10-10 23:20
WhatsApp developers have fixed a bug in the Android and iOS versions of the WhatsApp mobile app that allowed hackers to take over the application when users answered an incoming video call. From a report: Natalie Silvanovich, a security researcher with Google's Project Zero security research team, discovered the WhatsApp vulnerability at the end of August. She described the vulnerability as a "memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation." "Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet," Silvanovich said in a bug report. "This issue can occur when a WhatsApp user accepts a call from a malicious peer." It is unclear how popular the video feature is on WhatsApp, which has more than 1.2 billion users. But in July, the company said users were spending over two billion minutes on calls (including voice) each day.

Apple Said To Have 'Dramatically Reduced' Multi-Billion-Dollar iPhone Repair Fraud in China

Slashdot - Your Rights Online - Wed, 2018-10-10 20:40
From a report: Within the past four years, Apple has managed to "dramatically reduce" the rate of iPhone-related repair fraud in its retail stores in China, according to The Information's Wayne Ma. The report is based on interviews with more than a dozen former Apple employees who spoke on condition of anonymity. In 2013, Apple is said to have discovered a highly sophisticated fraud scheme in which organized thieves would buy or steal iPhones, remove valuable components like the processor or logic board, swap in fake components, and return the "broken" iPhones to receive replacements they could resell. From the report: "Thieves would stand outside stores with suitcases full of iPhones with some of the original components stripped out and replaced with inferior parts, two of the people said. The fraudsters would hire people to pretend to be customers to return them, each taking a device to stand in line at the Genius Bar, the people said. Once the phones were swapped, the actors would pass the new phones to the fraudsters and get paid for their time, the people said."

More Than One Third of Music Consumers Still Pirate Music

Slashdot - Your Rights Online - Wed, 2018-10-10 19:20
More than one-third of global music listeners are still pirating music, according to a new report by the International Federation of the Phonographic Industry (IFPI). From a report: While the massive rise in legal streaming platforms such as Spotify, Apple Music and Tidal was thought to have stemmed illegal consumption, 38% of listeners continue to acquire music through illegal means. The most popular form of copyright infringement is stream-ripping (32%): using easily available software to record the audio from sites like YouTube at a low-quality bit rate. Downloads through "cyberlocker" file hosting services or P2P software like BitTorrent came second (23%), with acquisition via search engines in third place (17%).

New App Lets You 'Sue Anyone By Pressing a Button'

Slashdot - Your Rights Online - Wed, 2018-10-10 17:20
Jason Koebler writes: Do Not Pay, a free service that launched in the iOS App store today, uses artificial intelligence to help people win up to $25,000 in small claims court. It's the latest project from 21-year-old Stanford senior Joshua Browder, whose service previously allowed people to fight parking tickets or sue Equifax; now, the app has streamlined the process. It's the "first ever service to sue anyone (in all 3,000 counties in 50 states) by pressing a button."

Google Appeals $5 Billion EU Fine In Android Case

Slashdot - Your Rights Online - Wed, 2018-10-10 15:00
An anonymous reader quotes a report from The Wall Street Journal: Alphabet's Google on Tuesday said it filed an appeal of the European Union's $4.97 billion antitrust fine for allegedly abusing the dominance of its Android operating system for mobile phones. But Google said it has no plans to ask for so-called interim measures to pause application of the decision. Without further action, Google will have to meet a deadline at the end of October to end the behavior the EU says is anticompetitive or face additional fines of up to 5% of average daily global revenue for each day it doesn't comply. Google had promised that it would appeal the decision when the European Commission, the bloc's antitrust regulator, delivered it in mid-July. The commission said that Google broke the bloc's competition laws in part by strong-arming phone makers that use its free Android operating system to pre-install its namesake search engine, from which the company makes the bulk of its advertising revenue. In the Android case, the European Commission has ordered Google to stop making phone manufacturers pre-install its search app and the Chrome web browser if they want to pre-install Google's Play store, which is the main way to download Android apps. The bloc also ordered Google to end restrictions that discourage manufacturers from selling devices that run unofficial versions of Android. It contends both restrictions illegally constrained competing search engines and operating systems. Google has argued that Android, which is free for manufacturers to use, has increased competition among smartphone makers, lowering prices for consumers. The company has said the allegation that it stymied competing apps is false because manufacturers typically install many rival apps on Android devices, and consumers can easily download others.