New Hacking Tool Lets Users Access a Bunch of DVRs and Their Video Feeds

Slashdot - Your Rights Online - Sun, 2018-05-06 22:10
An anonymous reader writes: "An Argentinian security researcher named Ezequiel Fernandez has published a powerful new tool yesterday that can easily extract plaintext credentials for various DVR brands and grant attackers access to those systems, and inherently the video feeds they're supposed to record," reports Bleeping Computer. "The tool, named getDVR_Credentials, is a proof-of-concept for CVE-2018-9995, a vulnerability discovered by Fernandez at the start of last month, [affecting TBK DVR systems]. Fernandez discovered that by accessing the control panel of specific DVRs with a cookie header of 'Cookie: uid=admin,' the DVR would respond with the device's admin credentials in cleartext." Tens of thousands of vulnerable devices available online can be hijacked with their video feeds assembled in voyeur sites, like it's been done in the past.

Read more of this story at Slashdot.

Placing Election Ads On Google Will Require a Government ID

Slashdot - Your Rights Online - Sun, 2018-05-06 20:08
Google announced new policies Friday that will require advertisers to prove they are a U.S. citizen or permanent resident when buying election ads. "Under the new guidelines, Google will ask advertisers -- be they individuals, organizations, or political action committees -- to prove they are who they claim to be," reports Gizmodo. "It will also require the ads to include a clear disclosure of who is paying for it." From the report: The change comes after Google and other social media companies revealed their advertising platforms were abused by foreign actors, including the Russian government-backed troll farm Internet Research Agency, during the 2016 U.S. presidential election. It also places Google's policies in line with U.S. laws for traditional media that restrict foreign entities from running election ads. Where Google's effort falls short, at least in its current iteration, is the new policies only cover ads featuring candidates running for office. So-called "issue ads" that advocate a certain point of view on hot-button topics are not covered in Google's policies.

Chinese Government Is Behind a Decade of Hacks On Software Companies, Says Report

Slashdot - Your Rights Online - Sun, 2018-05-06 16:04
An anonymous reader quotes a report from Ars Technica: Researchers said Chinese intelligence officers are behind almost a decade's worth of network intrusions that use advanced malware to penetrate software and gaming companies in the US, Europe, Russia, and elsewhere. The hackers have struck as recently as March in a campaign that used phishing emails in an attempt to access corporate-sensitive Office 365 and Gmail accounts. In the process, they made serious operational security errors that revealed key information about their targets and possible location. Researchers from various security organizations have used a variety of names to assign responsibility for the hacks, including LEAD, BARIUM, Wicked Panda, GREF, PassCV, Axiom, and Winnti. In many cases, the researchers assumed the groups were distinct and unaffiliated. According to a 49-page report published Thursday, all of the attacks are the work of the Chinese government's intelligence apparatus, which the report's authors dub the Winnti Umbrella. Researchers from 401TRG, the threat research and analysis team at security company ProtectWise, based the attribution on common network infrastructure, tactics, techniques, and procedures used in the attacks as well as operational security mistakes that revealed the possible location of individual members.

Are We Living in a World Where You Can't Opt Out of Data Sharing?

Slashdot - Your Rights Online - Sun, 2018-05-06 01:34
Long-time Slashdot reader Mr_Blank quotes the senior science writer at FiveThirtyEight on a new type of privacy violation: It's what happens when one person's voluntary disclosure of personal information exposes the personal information of others who had no say in the matter. Your choices didn't cause the breach. Your choices can't prevent it, either. Welcome to a world where you can't opt out of sharing, even if you didn't opt in... We all saw this in action in the recent Cambridge Analytica scandal. The "privacy of the commons" is how the 270,000 Facebook users who actually downloaded the "thisisyourdigitallife" app turned into as many as 87 million users whose data ended up in the hands of a political marketing firm. Much of the narrative surrounding that scandal has focused on what individuals should be doing to protect themselves. But that idea that privacy is all about your individual decisions is part of the problem, said Julie Cohen, a technology and law professor at Georgetown University. "There's a lot of burden being put on individuals to have an understanding and mastery of something that's so complex that it would be impossible for them to do what they need to do," she said... [E]xperts say these examples show that we need to think about online privacy less as a personal issue and more as a systemic one. Our digital commons is set up to encourage companies and governments to violate your privacy. If you live in a swamp and an alligator attacks you, do you blame yourself for being a slow swimmer? Or do you blame the swamp for forcing you to hang out with alligators? There isn't yet a clear answer for what the U.S. should do. Almost all of our privacy law and policy is framed around the idea of privacy as a personal choice, Cohen said. The result: very little regulation addressing what data can be collected, how it should be protected, or what can be done with it.

New California Ballot Measure Demands Groundbreaking Privacy Rights

Slashdot - Your Rights Online - Sat, 2018-05-05 20:34
Supporters gathered 625,000 signatures to put the "California Consumer Privacy Act" on the ballot in November -- far exceeding the 365,880 signatures needed to qualify. The Mercury News reports: The proposed initiative aims to allow consumers to see what personal information companies are collecting about them and ask the companies to stop selling that information, and also seeks to hold businesses accountable for data breaches. "Today is a major step forward in our campaign, and an affirmation that California voters care deeply about the fundamental privacy protections provided in the California Consumer Privacy Act," said Alastair Mactaggart, the San Francisco real estate developer who is bankrolling the measure. He has spent $1.65 million on the effort, according to filings with the California secretary of state. The measure is opposed by companies such as AT&T, Comcast, Verizon and Google, which have all donated $200,000 each to fight the measure. Facebook has also given $200,000 to the opposition. However, Facebook last month said it would leave the effort to fight the initiative. The article notes that Facebook's decision to stop publicly opposing the privacy measure occurred "around the time Facebook CEO Mark Zuckerberg was testifying to Congress about the company's Cambridge Analytica privacy scandal."

Tens of Thousands of Malicious Apps Use Facebook's APIs

Slashdot - Your Rights Online - Sat, 2018-05-05 19:34
Slashdot reader lod123 quotes ThreatPost: At least 25,936 malicious apps are currently using one of Facebook's APIs, such as a login API or messaging API. These allow apps to access a range of information from Facebook profiles, like name, location and email address. Trustlook discovered the malicious apps using a formula, which created a risk score for apps based on more than 80 pieces of information for each app, including permissions, libraries, risky API calls and network activity... A malicious app (with a risk score above 7) "might be doing things such as capturing pictures and audio when the app is closed, or making an unusually large amount of network calls," a spokesperson told Threatpost... To be fair, Facebook is not the only company with its APIs embedded in malicious applications... "The problem, for the most part, is that this is data that is provided when their login is used elsewhere. The API is simply passing through intelligence it has gathered from their profile," said Chris Roberts, chief security architect at Acalvio, via email. "LinkedIn, Google and Twitter, among others, have similarly flawed APIs that can be used to harvest information both about you (the target) and possibly associated individuals...depending upon queries and other developer privileges that are being exploited." A Trustlook spokesperson summarized their position after the report. "Just as Coke does not want its ads running on certain websites, Facebook should not want malicious app developers using its APIs."

70-Year-Old Former Volkswagen CEO Charged With Fraud Over Emissions Scandal

Slashdot - Your Rights Online - Sat, 2018-05-05 16:34
An anonymous reader quotes CNN: The U.S. government has charged Martin Winterkorn, the former chief executive officer of Volkswagen, with fraud in the company's diesel emissions-cheating scandal. The indictment was unsealed in Detroit on Thursday, revealing that Winterkorn had been charged on March 14 with wire fraud and conspiracy to defraud Volkswagen's American customers and violate the Clean Air Act... Volkswagen admitted in late 2015 that it fitted as many as 11 million diesel vehicles worldwide with software that could cheat emissions tests... The indictment alleges that Winterkorn was made aware of emissions cheating in May 2014 and July 2015, and that he agreed with other senior executives to continue the practice... Winterkorn, 70, is believed to be a resident of Germany. He is the ninth person charged by the U.S. government over emissions cheating.

Apple's Eddy Cue To Be Deposed In Qualcomm Patent Battle

Slashdot - Your Rights Online - Sat, 2018-05-05 12:00
"Apple executive Eddy Cue will be questioned by Qualcomm's lawyers as part of a legal battle between the companies over billions of dollars in patents and licensing fees," reports Bloomberg. "On Friday, San Diego Federal Judge Mitchell D. Dembin ordered Cue to be deposed in the case, granting a Qualcomm request and turning down Apple's arguments against the move." From the report: At the heart of the standoff is a dispute over how much Qualcomm can charge phone makers to use its patents, whether or not they use its chips. The San Diego, California-based company gets the majority of its profit from licensing technology that covers the fundamentals of modern mobile phone systems. Apple has cut off license payments to Qualcomm and filed an antitrust lawsuit that accused the chipmaker of trying to monopolize the industry. In November, Qualcomm filed a motion to depose Cue. Apple pushed back, stating that Cue's role overseeing services made him unrelated to the case. Qualcomm cited past Apple statements pinpointing Cue as one of the lead negotiators when the iPhone launched in 2007 exclusively on AT&T's network in the U.S.

Gmail's 'Self-Destruct' Feature Will Probably Be Used To Illegally Destroy Government Records

Slashdot - Your Rights Online - Sat, 2018-05-05 02:03
An anonymous reader quotes a report from Motherboard: A new update rolling out for Gmail offers a "self destruct" feature that allows users to send messages that expire after a set amount of time. While this may sound great for personal use, activists fear that government organizations will use the feature to delete public records to hide them from reporters and others interested in government transparency. Normally, government emails are available to journalists, researchers, and citizens using Freedom of Information Act requests (and its state-level analogues). The self destruct feature was announced on April 25 as part of Google's new confidential mode for G Suite. In addition to self destruct, confidential mode allows users to delete messages after they have been sent and places restrictions on how recipients can interact with received emails. "As more local and state governments and their various agencies seek to use Gmail, there is the potential that state public records laws will be circumvented by emails that 'disappear' after a period of time," the National Freedom of Information Coalition wrote in a letter to Google CEO Sundar Pichai. "The public's fundamental right to transparency and openness by their governments will be compromised. We urge you to take steps to assure the 'self-destruct' feature be disabled on government Gmail accounts and on emails directed to a government entity."

Criminals Used a Fleet of Drones To Disrupt an FBI Hostage Operation

Slashdot - Your Rights Online - Sat, 2018-05-05 00:45
Criminals have discovered another use for drones -- to distract and spy on law enforcement. From a report: They recently tried to thwart an FBI hostage rescue, Joe Mazel, chief of the FBI's operational technology law unit, said this week, according to a report by news site Defense One. Mazel, speaking at the AUVSI Xponential drone conference in Denver, said that criminals launched a swarm of drones at an FBI rescue team during an unspecified hostage situation near a large U.S. city, confusing law enforcement. The criminals flew the drones at high speed over the heads of FBI agents to drive them away while also shooting video that they then uploaded to YouTube as a way to alert other nearby criminal members about law enforcement's location.

NSA Collected 500 Million US Call Records In 2017, Says Report

Slashdot - Your Rights Online - Fri, 2018-05-04 22:45
An anonymous reader quotes a report from Reuters: The U.S. National Security Agency collected more than 500 million phone call records of Americans last year, more than triple the number gathered in 2016, a U.S. intelligence agency report released on Friday said. The sharp increase to 534 million call records from 151 million occurred during the second full year of a new surveillance system established at the spy agency after U.S. lawmakers passed a law in 2015 that sought to limit its ability to collect such records in bulk. The reason for the spike was not immediately clear. The metadata records collected by the NSA include the numbers and time of a call, but not its content.

Phone Maker BLU Settles With FTC Over Unauthorized User Data Extraction

Slashdot - Your Rights Online - Fri, 2018-05-04 01:05
lod123 shares a report from Threatpost: Android phone-maker BLU Products agreed to a proposed settlement on Tuesday with the Federal Trade Commission, over allegations it allowed the third-party firm Adups Technology to collect detailed consumer data from users without their consent. In an administrative complaint filed earlier this week against BLU and the company's co-owner and president Samuel Ohev-Zion, the FTC accused the firm of sharing with China-based Adups the full contents of their users' text messages, real-time cell tower location data, call and text-message logs, contact lists, and applications used and installed on devices. Ultimately, the FTC is alleging Ohev-Zion and BLU violated the FTC Act's section pertaining to "deceptive representation regarding disclosure of personal information." The proposed settlement will be made final after a 30-day public comment period. In its proposed complaint, the FTC said Florida-based BLU contracted with Adups to issue security and operating system updates to millions of phones sold by the firm through Amazon, Best Buy and Walmart. In addition to allegedly failing to protect consumer privacy, the FTC asserts that BLU failed "to adequately assess the privacy and security risks of third-party software installed on BLU devices" resulting in "common security vulnerabilities that could enable attackers to gain full access to the devices." Security researchers at Kryptowire first reported in 2016 that several models of BLU phones actively transmitted user and device information to Adups.

Twitter Says Glitch Exposed 'Substantial' Number of Users' Passwords In Plain Text

Slashdot - Your Rights Online - Thu, 2018-05-03 22:25
Twitter is urging its more than 330 million users to change their passwords after a glitch exposed some in plain text on its internal computer network. Reuters is first to report the news: The social network said an internal investigation had found no indication passwords were stolen or misused by insiders, but that it urged all users to consider changing their passwords "out of an abundance of caution." The blog did not say how many passwords were affected. Here's what Twitter has to say about the bug: "We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter's system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard. Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again." The social networking service is asking users to change their password "on all services where you've used this password." You can do so via the password settings page.

Facebook Placed An Employee Who Harvested User Data For Cambridge Analytica On Leave

Slashdot - Your Rights Online - Thu, 2018-05-03 19:50
Ryan Mac, reporting for BuzzFeed News: A Facebook employee, who helped harvest and sell data from millions of users of the social network for political consulting firm Cambridge Analytica in a previous job, has quietly been placed on administrative leave by the Menlo Park, California-based company. Joseph Chancellor, a quantitative social psychologist for Facebook, has been on leave for a few weeks following revelations of his role in a data privacy scandal that has rocked the Silicon Valley giant, according to two sources familiar with the situation. In March, it was revealed that Cambridge Analytica, a consulting company that did elections work for Republican presidential candidates Ted Cruz, Ben Carson, and Donald Trump, inappropriately obtained user data from a third-party app developer. That app company, Global Science Research (GSR), was founded by Chancellor and his research partner Aleksandr Kogan, and obtained Facebook user data on up to 87 million people.

Hawaii To Ban Certain Sunscreens To Protect Coral Reefs

Slashdot - Your Rights Online - Thu, 2018-05-03 12:00
Hawaii lawmakers passed a bill Tuesday that would prohibit the sale of over-the-counter sunscreens containing chemicals they say are contributing to the destruction of the state's coral reefs and other ocean life. NPR reports: The chemicals oxybenzone and octinoxate, which are used in more than 3,500 of the world's most popular sunscreen products, including Hawaiian Tropic, Coppertone and Banana Boat, would be prohibited. Prescription sunscreens containing those chemicals would still be permitted. As NPR reported, a 2015 study of coral reefs in Hawaii, the U.S. Virgin Islands and Israel determined oxybenzone "leaches the coral of its nutrients and bleaches it white. It can also disrupt the development of fish and other wildlife." Even a small drop is enough to damage delicate corals. At the time, researchers estimated about 14,000 tons of sunscreen lotions end up in coral reefs around the world each year. Opposition to the ban came from sunscreen manufacturers, including Bayer, the maker of Coppertone. And the state's major doctors group said the ban goes too far. The Honolulu Star-Advertiser wrote: "Bayer said there are limited, active ingredients available within the U.S. with the same proven effectiveness as oxybenzone for sunscreens over SPF 50. The Hawaii Medical Association said it wanted the issue to be studied more deeply because there was a lack of peer-reviewed evidence suggesting sunscreen is a cause of coral bleaching, and overwhelming evidence that not wearing sunscreen increases cancer rates."

Facebook Has Fired Multiple Employees for Snooping on Users: Motherboard

Slashdot - Your Rights Online - Thu, 2018-05-03 05:05
Joseph Cox and Max Hoppenstedt, reporting for Motherboard: On Tuesday, Facebook fired an employee who had allegedly used their privileged data access to stalk women online. Now, multiple former Facebook employees and people familiar with the company describe to Motherboard parts of the social media giant's data access policies. This includes how those in the security team, which the fired employee was allegedly a part of, have less oversight on their access than others. The news emphasizes something that typical users may forget when scrolling through a Silicon Valley company's service or site: although safeguards against abuse may be in place, there are people who have the power to see information you believe to be private, and sometimes they may look at that data. Motherboard granted the sources in this story anonymity to speak more candidly about Facebook's policies and procedures. One source specifically mentioned Facebook's strict non-disclosure agreement. One former Facebook worker said when they joined the company multiple people had been terminated for abusing access to user data, including for stalking exes. Another former Facebook employee said that they know of three cases where people were fired because they mishandled data, one of which included stalking. Typically, these incidents are not publicly reported.

Hacktivists, Tech Giants Protest Georgia's 'Hack-Back' Bill

Slashdot - Your Rights Online - Thu, 2018-05-03 02:45
lod123 shares a report from Threatpost: As Georgia Governor Nathan Deal considers whether to sign a controversial piece of legislation that would allow companies to 'hack back' with offensive initiatives in the face of a cyberattack, companies from across the tech spectrum are lining up to protest the measure. Also, a hacktivist group has targeted Georgia Southern University, two restaurants and a church to protest the bill. Opponents have twin beefs when it comes to Senate Bill 315: Some are questioning whether legitimizing offensive attacks will open the door to a new kind of corporate warfare; and others are concerned that the law will have a chilling effect on cyber-research by criminalizing white-hat activity like vulnerability research and pen-testing. Google and Microsoft are in the former camp, and have asked Deal to veto the bill, which was passed by the Georgia General Assembly in March and which is nearing its deadline for signing into law. The two giants take issue with a provision in the bill that allows "active defense measures that are designed to prevent or detect unauthorized computer access." In a letter to the governor, the two argued that S.B. 315 "will make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions," and that "provisions such as this could easily lead to abuse and be deployed for anti-competitive, not protective purposes." They added: "On its face, this provision broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity... [B]efore Georgia endorses the 'hack back' authority in 'defense' or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy." Tripwire also filed a letter with the governor's office: "[A]ccording to the wording of S.B. 315, well-intentioned ('white-hat') researchers could be subject to civil or criminal prosecution when following industry best practices in investigating a website for protection from a potential cyber-attack. It is our firm belief that an explicit exception is required to exclude prosecution when the party in question is acting in good-faith to protect a business or their customers from attack. Without this exclusion, S.B. 315 will discourage good actors from reporting vulnerabilities and ultimately increase the likelihood that adversaries will find and exploit the underlying weaknesses."

Cambridge Analytica Shuts Down Amid Scandal Over Use of Facebook Data

Slashdot - Your Rights Online - Thu, 2018-05-03 00:00
Gizmodo reports that Cambridge Analytica and its parent company, the SCL Group, are shutting down. "The news was announced during a conference call led by Julian Wheatland, the current chairman of the SCL Group who was reportedly tapped to take over as Cambridge Analytica's next CEO," reports Gizmodo. "Both Cambridge Analytica and SCL Elections will now close their doors." From the report: During the call, Wheatland said that the board determined that rebranding the company's current offerings in the current environment is "futile." Cambridge Analytica and SCL have offices in London, New York City, Arlington, Virginia, and Washington, D.C. The conference call was originally scheduled for Tuesday morning, but was repeatedly pushed back until early Wednesday afternoon, ultimately getting rescheduled more than half a dozen times. In explaining the decision to close the offices, Wheatland cited the ongoing investigations into Cambridge Analytica's massive data harvesting scandal, damage to the company's reputation, and loss of clients. In March, Britain's information commissioner announced that she was seeking a warrant to investigate any misconduct by the data analytics firm, looking to search both its offices and its servers. UK authorities raided the London office later that month, but have yet to release their findings. Meanwhile, embattled former CEO Alexander Nix refused to testify before the British Parliamentary media committee regarding the firm's misuse of Facebook user data.

The Pentagon Bans Huawei, ZTE Phones From Retail Stores On Military Bases

Slashdot - Your Rights Online - Wed, 2018-05-02 23:20
The Pentagon is ordering retail outlets on U.S. military bases to stop selling Huawei and ZTE smartphones, citing security risks. "Huawei and ZTE devices may pose an unacceptable risk to the department's personnel, information and mission," a Pentagon spokesperson said in a statement to The Wall Street Journal. "In light of this information, it was not prudent for the department's exchanges to continue selling them." The Verge reports: U.S. military members can still buy Huawei and ZTE devices for personal use from other stores, as there's no outright ban on that for now. But the spokesperson elaborated that the Pentagon is considering whether it should send out a military-wide advisory about the devices. U.S. government officials have said that China could order its manufacturers to create backdoors for spying in their devices, although both Huawei and ZTE have denied the possibility. An anonymous source told the WSJ that military leaders are wary that Beijing could use ZTE and Huawei devices to locate soldiers' exact coordinates and track their movements. Huawei responded to the news in a statement to The Verge: "Huawei's products are sold in 170 countries worldwide and meet the highest standards of security, privacy and engineering in every country we operate globally including the U.S. We remain committed to openness and transparency in everything we do and want to be clear that no government has ever asked us to compromise the security or integrity of any of our networks or devices."

Facebook Fires Employee Who Allegedly Used Data Access To Stalk Women

Slashdot - Your Rights Online - Wed, 2018-05-02 19:30
After a member of the information security community provided evidence to Facebook's chief information security officer, the company has terminated a security engineer who allegedly used their work position to stalk women online. From a report: On Monday, Motherboard reported that Facebook was investigating a claim that one of its employees used access to data granted by their job to stalk women online. Facebook has since terminated the employee, Facebook confirmed to Motherboard on Tuesday, coincidentally shortly after the social media giant announced its upcoming dating service. "We are investigating this as a matter of urgency. It's important that people's information is kept secure and private when they use Facebook," Alex Stamos, Facebook's chief information security officer, told Motherboard in a statement.
