Academic Research Finds Five US Telcos Vulnerable To SIM Swapping Attacks

Slashdot - Your Rights Online - Mon, 2020-01-13 18:50
A Princeton University academic study found that five major US prepaid wireless carriers are vulnerable to SIM swapping attacks. From a report: A SIM swap is when an attacker calls a mobile provider and tricks the telco's staff into changing a victim's phone number to an attacker-controlled SIM card. This allows the attacker to reset passwords and gain access to sensitive online accounts, like email inboxes, e-banking portals, or cryptocurrency trading systems. All last year, Princeton academics spent their time testing five major US telco providers to see if they could trick call center employees into changing a user's phone number to another SIM without providing proper credentials. According to the research team, AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless were found to be using vulnerable procedures with their customer support centers, procedures that attackers could use to conduct SIM swapping attacks. In addition, the research team also looked at 140 online services and websites and analyzed on which of these attackers could employ a SIM swap to hijack a user's account. According to the research team, 17 of the 140 websites were found to be vulnerable.

Read more of this story at Slashdot.

'Music Copyright Lawsuits Are Scaring Away New Hits', Argues Rolling Stone

Slashdot - Your Rights Online - Mon, 2020-01-13 06:47
A new article in Rolling Stone argues that the forgotten 2013 hit song "Blurred Lines", which a court later ruled infringed on a 1977 song by Marvin Gaye, turned copyright law into "a minefield" -- for the music industry. While copyright laws used to protect only lyrics and melodies (a prime example is the Chiffons' successful suit against George Harrison in 1976 for the strong compositional similarities between his "My Sweet Lord" and their "He's So Fine"), the "Blurred Lines" case raised the stakes by suggesting that the far more abstract qualities of rhythm, tempo, and even the general feel of a song are also eligible for protection -- and thus that a song can be sued for feeling like an earlier one. Sure enough, a jury in 2019 ruled that Katy Perry owed millions for ostensibly copying the beat of her hit "Dark Horse" from a little-known song by Christian rapper Flame, stunning both the music business and the legal community. "They're trying to own basic building blocks of music, the alphabet of music that should be available to everyone," Perry's lawyer Christine Lepera warned in the case's closing arguments. That case, which Perry's team is currently in the process of appealing, suggests a second point: Plaintiffs in copycat cases are largely targeting megahit songs because they've seen where the money is, and the increasing frequency of those court battles in headlines is causing an avalanche effect of further infringement lawsuits.... While some record labels may have the budget to hire on-call musicologists who vet new releases for potential copyright claims, smaller players who can't afford that luxury are turning toward a tried-and-true form of protection: insurance. 
Lucas Keller -- the founder of music management company Milk and Honey, which represents writers and producers who've worked with everyone from Alessia Cara and Carrie Underwood to 5 Seconds of Summer and Muse -- recently began encouraging all his songwriter clients to purchase errors-and-omissions insurance, which protects creative professionals from legal challenges to their intellectual property. "We all feel like the system has failed us," Keller says. "There are a lot of aggressive lawyers filing lawsuits and going ham on people." (He's particularly critical of publishers whose rosters are heavier on older catalogs than new acts: "Heritage publishers who aren't making a lot of money are coming out of the woodwork and saying, 'We're going to take a piece of your contemporary hit....'") Artists are understandably reluctant to publicly disclose that they have copyright insurance, which could open them up to an increase in lawsuits. But music attorney Bob Celestin, who's helped represent acts like Pusha T and Missy Elliott, says it is safe to assume that the majority of artists who show up in Top 10 chart positions are covered in this way... The popularity of cheap music-production software, which offers the same features to every user, has added another layer of risk. "Music is now more similar than it is different, for the first time," says Ross Golan, a producer and songwriter who has released songs with stars like Ariana Grande and Justin Bieber. "People are using the same sample packs, the same plug-ins, because it's efficient." Then there's the issue of the finite number of notes, chord progressions, and melodies available...

Internet Pioneers Fight For Control of .Org Registry By Forming a Nonprofit Alternative

Slashdot - Your Rights Online - Mon, 2020-01-13 02:44
Reuters reports that a group of "prominent internet pioneers" now has a plan to block the $1.1 billion sale of the .org internet domain registry to Ethos Capital. The group has created their own nonprofit cooperative to offer an alternative: "There needs to be a place on the internet that represents the public interest, where educational sites, humanitarian sites, and organizations like Wikipedia can provide a broader public benefit," said Katherine Maher, the CEO of Wikipedia parent Wikimedia Foundation, who signed on to be a director of the new nonprofit. The crowd-sourced research tool Wikipedia is the most visited of the 10 million .org sites registered worldwide... Hundreds of nonprofits have already objected to the transaction, worried that Ethos will raise registration and renewal prices, cut back on infrastructure and security spending, or make deals to sell sensitive data or allow censorship or surveillance... "What offended me about the Ethos Capital deal and the way it unfolded is that it seems to have completely betrayed this concept of stewardship," said Andrew McLaughlin, who oversaw the transfer of internet governance from the U.S. Commerce Department to ICANN, completed in 2016. Maher and others said the idea of the new cooperative is not to offer a competing financial bid for .org, which brings in roughly $100 million in revenue from domain sales. Instead, they hope that the unusual new entity, formally a California Consumer Cooperative Corporation, can manage the domain for security and stability and make sure it does not become a tool for censorship. The advocacy group Electronic Frontier Foundation (EFF), which previously organized a protest over the .org sale that drew in organizations including the YMCA of the United States, Greenpeace, and Consumer Reports, is also supporting the cooperative. 
"It's highly inappropriate for it to be turned over to a commercial venture at all, much less one that's going to need to recover $1 billion," said EFF Executive Director Cindy Cohn.

Equifax's Stock Rose More Than 50% In 2019

Slashdot - Your Rights Online - Sun, 2020-01-12 23:49
"There's still time to file a claim for a share of the $425 million that Equifax agreed to cough up after hosing almost half of the country in its massive data breach a few years ago," writes a Pennsylvania newspaper columnist, pointing victims to equifaxbreachsettlement.com. "But unless you can prove you were an identity theft victim who lost money, or had to waste time cleaning up the mess, don't expect much of a payout. Victims are being hosed again." The breach affected an estimated 147 million Americans. Hackers exploited a known but unpatched website vulnerability and gained access to names, Social Security numbers, birth dates, addresses, driver's license numbers and credit card numbers. Facing lawsuits from federal and state consumer protection agencies, Equifax agreed to a settlement. It offered several ways for people to file claims, with a deadline of Jan. 22. The option that applies to most people is 10 years of free credit monitoring, or a cash payout of up to $125 for those who already have monitoring. But you aren't going to get anywhere near $125. The settlement called for a pot of only $31 million for those payouts. And based on the number of people who have applied, that's not enough to cover the maximum payment. You may not even get enough to buy a decent sandwich, according to Ted Frank, director of litigation for Hamilton Lincoln Law Institute, which includes the Center for Class Action Fairness. "That's down to $6 or $7 now," Frank told CNBC in December. "Maybe even less than that." Frank spoke after the federal judge overseeing the settlement awarded $77.5 million of the $425 million settlement fund to the attorneys who represented consumers against Equifax. His organization had opposed that award as being too much. Meanwhile, the Motley Fool notes that in 2019 Equifax's stock rose 50.5% -- after dropping 21% in 2018 and remaining "relatively flat" in 2017. 
"The credit-reporting company's stock rose thanks to a series of earnings beats and with the shadow of the big 2017 data breach receding further into the rear view...."

Thoughts on Our Possible Future Without Work

Slashdot - Your Rights Online - Sun, 2020-01-12 21:38
There's a new book called A World Without Work by economics scholar/former government policy adviser Daniel Susskind. The Guardian succinctly summarizes its prognostications for the future: It used to be argued that workers who lost their low-skilled jobs should retrain for more challenging roles, but what happens when the robots, or drones, or driverless cars, come for those as well? Predictions vary but up to half of jobs are at least partially vulnerable to AI, from truck-driving, retail and warehouse work to medicine, law and accountancy. That's why the former US treasury secretary Larry Summers confessed in 2013 that he used to think "the Luddites were wrong, and the believers in technology and technological progress were right. I'm not so completely certain now." That same year, the economist and Keynes biographer Robert Skidelsky wrote that fears of technological unemployment were not so much wrong as premature: "Sooner or later, we will run out of jobs." Yet Skidelsky, like Keynes, saw this as an opportunity. If the doomsayers are to be finally proven right, then why not the utopians, too...? The work ethic, [Susskind] says, is a modern religion that purports to be the only source of meaning and purpose. "What do you do for a living?" is for many people the first question they ask when meeting a stranger, and there is no entity more beloved of politicians than the "hard-working family". Yet faced with precarious, unfulfilling jobs and stagnant wages, many are losing faith in the gospel of work. In a 2015 YouGov survey, 37% of UK workers said their jobs made no meaningful contribution. Susskind wonders in the final pages "whether the academics and commentators who write fearfully about a world with less work are just mistakenly projecting the personal enjoyment they take from their jobs on to the experience of everyone else". That deserves to be more than an afterthought. 
The challenge of a world without work isn't just economic but political and psychological... [I]s relying on work to provide self-worth and social status an inevitable human truth or the relatively recent product of a puritan work ethic? Keynes regretted that the possibility of an "age of leisure and abundance" was freighted with dread: "For we have been trained too long to strive and not to enjoy." The state, Susskind concedes with ambivalence, will need to smooth the transition. Moving beyond the "Age of Labour" will require something like a universal basic income (he prefers a more selective conditional basic income), funded by taxes on capital to share the proceeds of technological prosperity. The available work will also need to be more evenly distributed. After decades of a 40-hour week, the recent Labour manifesto, influenced by Skidelsky, promised 32 hours by 2030. And that's the relatively easy part. Moving society's centre of gravity away from waged labour will require visionary "leisure policies" on every level, from urban planning to education, and a revolution in thinking. "We will be forced to consider what it really means to live a meaningful life," Susskind writes, implying that this is above his pay grade. The review concludes that "if AI really does to employment what previous technologies did not, radical change can't be postponed indefinitely. "It may well be utopia or bust."

How Facebook Tried To Defend Its Privacy Policies at CES

Slashdot - Your Rights Online - Sun, 2020-01-12 14:34
Slashdot reader Tekla Perry found some interesting quotes in IEEE Spectrum's "View From the Valley" blog: Apple, Facebook, and Procter & Gamble executives faced some tough questions about privacy during a CES panel, and pushback from U.S. FTC Commissioner Rebecca Slaughter. In one exchange, Facebook's representative argued that Apple's model of adding noise to data to keep it anonymous and avoiding sending too much data to the cloud wouldn't work for Facebook. "If you come to Facebook, you want to share," she said, continuing: "I take issue with the idea that the advertising we serve involves surveilling people. We don't do surveillance capitalism, that by definition is surreptitious; we work hard to be transparent." The Facebook representative argued later that "we provide real value to people in terms of the advertising we deliver and we do it in a privacy protected way." But Apple's senior director of global privacy had already said "I don't think we can ever say we are doing enough." Despite the fact that Apple has "teams" of privacy lawyers as well as privacy engineers who consider every product, "We always have to be pushing the envelope, and figure out how to put the consumer in control of their data." "Everything that she said about Apple holds for Facebook," replied the Facebook representative. "But the question is what do people expect..." And at one point, Procter & Gamble's representative even said "We collect the data to serve people."

A Quick Look At the Fight Against Encryption

Slashdot - Your Rights Online - Sat, 2020-01-11 23:34
b-dayyy shared this overview from the Linux Security site: Strong encryption is imperative to securing sensitive data and protecting individuals' privacy online, yet governments around the world refuse to recognize this, and are continually aiming to break encryption in an effort to increase the power of their law enforcement agencies... This fear of strong, unbroken encryption is not only unfounded -- it is dangerous. Encryption with built-in backdoors which provide special access for select groups not only has the potential to be abused by law enforcement and government agencies by allowing them to eavesdrop on potentially any digital conversation, it could also be easily exploited by threat actors and criminals. U.S. Attorney General William Barr and U.S. senators are currently pushing for legislation that would force technology companies to build backdoors into their products, but technology companies are fighting back full force. Apple and Facebook have spoken out against the introduction of encryption backdoors, warning that it would introduce massive security and privacy threats and would serve as an incentive for users to choose devices from overseas. Apple's user privacy manager Erik Neuenschwander states, "We've been unable to identify any way to create a backdoor that would work only for the good guys." Facebook has taken a more defiant stance on the issue, adamantly saying that it would not provide access to encrypted messages in Facebook and WhatsApp. Senator Lindsey Graham has responded to this resistance authoritatively, advising the technology giants to "get on with it", and stating that the Senate will ultimately "impose its will" on privacy advocates and technologists. However, Graham's statement appears unrealistic, and several lawmakers have indicated that Congress won't make much progress on this front in 2020... Encryption is an essential component of digital security that should be embraced, not feared. 
In any scenario, unencrypted data is subject to prying eyes. Strong, unbroken encryption is vital in protecting privacy and securing data both in transit and in storage, and backdoors would leave sensitive data vulnerable to tampering and theft.

Amazon Fires More Employees For Leaking Customer Data (Again)

Slashdot - Your Rights Online - Sat, 2020-01-11 20:34
Ring isn't the only place where Amazon employees have been fired for accessing user data. Amazon itself also fired several employees this week "after they leaked private customer data to an undisclosed third-party," reports Gizmodo. They note that Amazon also fired more data-leaking employees at the end of 2018. An Amazon spokesperson confirmed the news with multiple outlets after several customers received notifications from the company warning that their e-mail addresses and phone numbers had been leaked "to a third-party in violation of our policies," per a screenshot shared by TechCrunch. The email goes on to say that the Amazon employee -- singular -- responsible has since been identified and fired. However, a later company statement appears to imply there were multiple Amazon defectors behind the leak: "The individuals responsible for this incident have been terminated and we are supporting law enforcement in their prosecution," an Amazon spokesperson told Gizmodo via email.... It all makes for an embarrassing start to the new year given Amazon's myriad customer data breaches that wrapped up 2019. In one case, the Wall Street Journal found evidence of several Amazon employees hawking customer data to sellers in exchange for bribes.

A Facebook Bug Exposed Anonymous Admins of Pages

Slashdot - Your Rights Online - Sat, 2020-01-11 15:00
An anonymous reader quotes a report from Wired: Facebook Pages give public figures, businesses, and other entities a presence on Facebook that isn't tied to an individual profile. The accounts behind those pages are anonymous unless a Page owner opts to make the admins public. You can't see, for example, the names of the people who post to Facebook on WIRED's behalf. But a bug that was live from Thursday evening until Friday morning allowed anyone to easily reveal the accounts running a Page, essentially doxing anyone who posted to one. All software has flaws, and Facebook quickly pushed a fix for this one -- but not before word got around on message boards like 4chan, where people posted screenshots that doxed the accounts behind prominent pages. All it took to exploit the bug was opening a target page and checking the edit history of a post. Facebook mistakenly displayed the account or accounts that made edits to each post, rather than just the edits themselves. Facebook says the bug was the result of a code update that it pushed Thursday evening. Facebook points out that no information beyond a name and public profile link were available, but that information isn't supposed to appear in the edit history at all. And for people, say, running anti-regime Pages under a repressive government, making even that much information public is plenty alarming.

A Billion Medical Images Are Exposed Online, As Doctors Ignore Warnings

Slashdot - Your Rights Online - Sat, 2020-01-11 12:00
Insecure storage systems being used by hundreds of hospitals, medical offices and imaging centers are exposing over 1 billion medical images of patients across the world. "Yet despite warnings from security researchers who have spent weeks alerting hospitals and doctors' offices to the problem, many have ignored their warnings and continue to expose their patients' private health information," writes Zack Whittaker from TechCrunch. From the report: "It seems to get worse every day," said Dirk Schrader, who led the research at Germany-based security firm Greenbone Networks, which has been monitoring the number of exposed servers for the past year. The problem is well-documented. Greenbone found 24 million patient exams storing more than 720 million medical images in September, which first unearthed the scale of the problem as reported by ProPublica. Two months later, the number of exposed servers had increased by more than half, to 35 million patient exams, exposing 1.19 billion scans and representing a considerable violation of patient privacy. A decades-old file format and industry standard known as DICOM was designed to make it easier for medical practitioners to store medical images in a single file and share them with other medical practices. DICOM images can be viewed using any of the free-to-use apps, as would any radiologist. DICOM images are typically stored in a picture archiving and communications system, known as a PACS server, allowing for easy storage and sharing. But many doctors' offices disregard security best practices and connect their PACS server directly to the internet without a password. These unprotected servers not only expose medical imaging but also patient personal health information. Many patient scans include cover sheets baked into the DICOM file, including the patient's name, date of birth and sensitive information about their diagnoses. 
In some cases, hospitals use a patient's Social Security number to identify patients in these systems.

SIM Swappers Are Using RDP To Directly Access Internal T-Mobile, AT&T, and Sprint Tools

Slashdot - Your Rights Online - Sat, 2020-01-11 02:02
An anonymous reader quotes a report from Motherboard: Hackers are now getting telecom employees to run software that lets the hackers directly reach into the internal systems of U.S. telecom companies to take over customer cell phone numbers, Motherboard has learned. Multiple sources in and familiar with the SIM swapping community as well as screenshots shared with Motherboard suggest at least AT&T, T-Mobile, and Sprint have been impacted. The technique uses Remote Desktop Protocol (RDP) software. RDP lets a user control a computer over the internet rather than being physically in front of it. It's commonly used for legitimate purposes such as customer support. But scammers also make heavy use of RDP. In an age-old scam, a fraudster will phone an ordinary consumer and tell them their computer is infected with malware. To fix the issue, the victim needs to enable RDP and let the fake customer support representative into their machine. From here, the scammer could do all sorts of things, such as logging into online bank accounts and stealing funds. This use of RDP is essentially what SIM swappers are now doing. But instead of targeting consumers, they're tricking telecom employees into installing or activating RDP software, and then remotely reaching into the company's systems to SIM swap individuals. The process starts with convincing an employee in a telecom company's customer support center to run or install RDP software. The active SIM swapper said they provide an employee with something akin to an employee ID, "and they believe it." Hackers may also convince employees to provide credentials to an RDP service if they already use it. Once RDP is enabled, "They RDP into the store or call center [computer] [...] and mess around on the employees' computers including using tools," said Nicholas Ceraolo, an independent security researcher who first flagged the issue to Motherboard. Motherboard then verified Ceraolo's findings with the active SIM swapper.

Fitbit and Garmin Are Under Federal Investigation For Alleged Patent Violations

Slashdot - Your Rights Online - Sat, 2020-01-11 00:40
U.S. trade regulators said on Friday they will investigate wearable monitoring devices, including those made by Fitbit and Garmin, following allegations of patent violations by rival Koninklijke Philips and its North America unit. Reuters reports: The U.S. International Trade Commission, in a statement, said the probe would also look at devices made by California-based Ingram Micro as well as China-based Maintek Computer and Inventec Appliances. Netherlands-based Philips and Philips North America LLC, in their complaint, are calling for tariffs or an import ban and allege the other companies have infringed on Philips' patents or otherwise misappropriated its intellectual property. Although the USITC agreed to launch an investigation, it said it "has not yet made any decision on the merits of the case" and would make its determination "at the earliest practicable time." "We believe these claims are without merit and a result of Philips' failure to succeed in the wearables market," Fitbit said in a statement. In a statement to The Verge, Philips said that the company had attempted to negotiate licensing agreements with Fitbit and Garmin for three years, but talks ultimately broke down. "Philips expects third parties to respect Philips' intellectual property in the same way as Philips respects the intellectual property rights of third parties," a spokesperson said.

Indian Supreme Court Finds 150-Day Internet Blackout In Kashmir Illegal

Slashdot - Your Rights Online - Sat, 2020-01-11 00:00
An anonymous reader quotes a report from Ars Technica: The Indian region of Kashmir has had most Internet service blacked out since August. The government of Narendra Modi says the online blackout is a necessary security measure in the face of growing unrest in the region triggered by a change in Kashmir's status under the Indian constitution. (Kashmir's status within India has been a topic of controversy for decades.) But on Friday, India's highest court rejected the government's rationale, arguing that the blackout violated Indian telecommunications laws. "Freedom of Internet access is a fundamental right," justice N. V. Ramana said. "The Supreme Court ruling won't lead to an immediate restoration of Internet access in Kashmir, however," the report adds. "Instead, India's highest court has given the government a week to revise its policies. The court also required the government to be more transparent about its Internet shutdown orders." Further reading: Reuters

Streaming Services Reckon With Password-Sharing 'Havoc'

Slashdot - Your Rights Online - Fri, 2020-01-10 22:50
In 2019, companies lost about $9.1 billion to password piracy and sharing. From a report: On Dec. 9, Charter Communications CEO Tom Rutledge took aim at the "content companies" entering the direct-to-consumer streaming business. The cable executive told a roomful of investment bankers in Manhattan that these new streamers are "creating havoc in the ecosystem." Rutledge wasn't talking about the proliferation of content or the fight to secure exclusive deals with talent. He was targeting the lax security and rampant password sharing that's prevalent across the streaming landscape. "Half the people in the country live in houses with two or less people in them, and yet these services have five streams," Rutledge added. "There are more streams available than there are homes to use them." Password sharing has serious economic consequences. In 2019, companies lost about $9.1 billion to password piracy and sharing, and that will rise to $12.5 billion in 2024, according to data released by research firm Parks Associates. For now, many streamers -- including Netflix, Hulu, Disney+ and Amazon Prime -- seem content to allow the practice to continue, even while they crack down on illicit password sales. But as services mature, priorities will likely change. "When the growth starts to flatten and you start to look at the balance sheet, you are going to be looking for revenue," says Jean-Marc Racine, chief product officer of video delivery and security firm Synamedia. The company (which counts Disney, Comcast and AT&T among its clients) conducted a study of two anonymous video providers and said Jan. 6 that it found they were losing more than $70 million annually from password sharing.

AI-Written Articles Are Copyright-Protected, Rules Chinese Court

Slashdot - Your Rights Online - Fri, 2020-01-10 19:30
A Chinese court has ruled that AI-generated works are entitled to copyright protection, in a win for tech giant Tencent. From a report: According to state media outlet China News Service (CNS), a court in Shenzhen this month ruled in favour of Tencent, which claimed that work created by its Dreamwriter robot had been copied by a local financial news company. The Shenzhen Nanshan District People's Court ruled that, in copying the Dreamwriter article, Shanghai Yingxun Technology Company had infringed Tencent's copyright. Dreamwriter is an automated writing system created by Tencent and based on the company's own algorithms. According to the reports, Shanghai Yingxun reposted a financial report written by Dreamwriter in August 2018 without Tencent's permission. The question of whether AI-generated works are protectable under copyright law has been the subject of much debate.

Skype Audio Graded by Workers in China With 'No Security Measures'

Slashdot - Your Rights Online - Fri, 2020-01-10 16:42
A Microsoft program to transcribe and vet audio from Skype and Cortana, its voice assistant, ran for years with "no security measures," according to a former contractor who says he reviewed thousands of potentially sensitive recordings on his personal laptop from his home in Beijing over the two years he worked for the company. From a report: The recordings, both deliberate and accidentally invoked activations of the voice assistant, as well as some Skype phone calls, were simply accessed by Microsoft workers through a web app running in Google's Chrome browser, on their personal laptops, over the Chinese internet, according to the contractor. Workers had no cybersecurity help to protect the data from criminal or state interference, and were even instructed to do the work using new Microsoft accounts all with the same password, for ease of management, the former contractor said. Employee vetting was practically nonexistent, he added. "There were no security measures, I don't even remember them doing proper KYC [know your customer] on me. I think they just took my Chinese bank account details," he told the Guardian. While the grader began by working in an office, he said the contractor that employed him "after a while allowed me to do it from home in Beijing. I judged British English (because I'm British), so I listened to people who had their Microsoft device set to British English, and I had access to all of this from my home laptop with a simple username and password login." Both username and password were emailed to new contractors in plaintext, he said, with the former following a simple schema and the latter being the same for every employee who joined in any given year.

Secretive Surveillance Company Is Selling Cops Cameras Hidden In Gravestones

Slashdot - Your Rights Online - Fri, 2020-01-10 02:45
An anonymous reader quotes a report from Motherboard: A surveillance vendor that works with U.S. government agencies, such as the FBI, DEA, and ICE, is marketing spying capabilities to local police departments, including cameras that are hidden inside a tombstone, a baby car seat, and a vacuum cleaner. The brochure highlights some of the capabilities on offer to law enforcement agencies, from the novel to the sometimes straight-up bizarre. Special Services Group, the vendor behind the brochure, does not advertise its products publicly. Its logo is the floating-eye-in-pyramid logo seen on the back of the $1 bill, which conspiracy theorists associate with the Illuminati, and the company's slogan is "Constant Vigilance." The company is so secretive that, when asked for comment for this story, it threatened VICE with legal action if we published this article. The brochure, dubbed "Black Book" by its authors, contains a cornucopia of surveillance devices. "The Tombstone Cam is our newest video concealment offering the ability to conduct remote surveillance operations from cemeteries," one section of the Black Book reads. The device can also capture audio, its battery can last for two days, and "the Tombstone Cam is fully portable and can be easily moved from location to location as necessary," the brochure adds. Another product is a video and audio capturing device that looks like an alarm clock, suitable for "hotel room stings," and other cameras are designed to appear like small tree trunks and rocks, the brochure reads. Other products include more traditional surveillance cameras and lenses as well as tools for surreptitiously gaining entry to buildings. The "Phantom RFID Exploitation Toolkit" lets a user clone an access card or fob, and the so-called "Shadow" product can "covertly provide the user with PIN code to an alarm panel," the brochure reads.

Read more of this story at Slashdot.

Unpatched VPN Makes Travelex Latest Victim of 'REvil' Ransomware

Slashdot - Your Rights Online - Thu, 2020-01-09 00:40
An anonymous reader quotes a report from Ars Technica: In April of 2019, Pulse Secure issued an urgent patch to a vulnerability in its popular corporate VPN software -- a vulnerability that not only allowed remote attackers to gain access without a username or password but also to turn off multi-factor authentication and view logs, usernames, and passwords cached by the VPN server in plain text. Now, a cybercriminal group is using that vulnerability to target and infiltrate victims, steal data, and plant ransomware. Travelex, the foreign currency exchange and travel insurance company, appears to be the latest victim of the group. On New Year's Eve, the company was hit by Sodinokibi ransomware, also known as REvil. The ransomware operators contacted the BBC and said they want Travelex to pay $6 million. They also claimed to have had access to Travelex's network for six months and to have extracted five gigabytes of customer data -- including dates of birth, credit card information, and other personally identifiable information. "In the case of payment, we will delete and will not use that [data]base and restore them the entire network," the individual claiming to be part of the Sodinokibi operation told the BBC. "The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base." Security researcher Kevin Beaumont found that Travelex had seven unpatched Pulse Secure servers. An exploit for the vulnerability has been available on Internet bulletin boards since August of 2019.

Read more of this story at Slashdot.

Ring Fired Employees for Watching Customer Videos

Slashdot - Your Rights Online - Wed, 2020-01-08 23:21
Amazon-owned home security camera company Ring has fired employees for improperly accessing Ring users' video data, Motherboard reported Wednesday, citing a letter the company wrote to Senators. From the report: The news highlights a risk across many different tech companies: employees may abuse access granted as part of their jobs to look at customer data or information. In Ring's case this data can be particularly sensitive though, as customers often put the cameras inside their home. "We are aware of incidents discussed below where employees violated our policies," the letter from Ring, dated January 6th, reads. "Over the last four years, Ring has received four complaints or inquiries regarding a team member's access to Ring video data," it continues. Ring explains that although each of these people was authorized to view video data, their attempted access went beyond what they needed to access for their job.

Read more of this story at Slashdot.
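The failure mode in the Ring story is that role-based authorization answered "may this employee view customer video?" but nothing checked "why this customer, right now?". The check below, an added example that is not Ring's or Motherboard's code, ties each access in a constructed audit log to a business justification (an open support ticket for that customer, assigned to the accessing employee) and flags everything else for review. The log format, employee names, customer and ticket identifiers, and the one-hour grace period after a ticket closes are all assumptions.

```python
"""Need-to-know review of a video-access audit log (added example, constructed data).

Role-based authorization says who may view customer video; it does not say why a
given employee viewed a given customer's video at a given time. Every access is
checked against a justification: a ticket for that customer, assigned to the
accessing employee, open at the time of access. Names, ids, the log format and
the grace period are assumptions, not anything from the Ring letter.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    customer_id: str
    assignee: str                 # employee who owns the ticket
    opened: datetime
    closed: Optional[datetime]    # None while the ticket is still open


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    employee: str
    customer_id: str
    resource: str                 # e.g. a video clip identifier
    ticket_ref: Optional[str]     # justification supplied at access time, if any


@dataclass(frozen=True)
class Finding:
    event: AccessEvent
    reason: str


# Constructed audit log; assumed format is ts|employee|customer|resource|ticket.
SAMPLE_LOG = """
# ts|employee|customer|resource|ticket
2020-01-06T09:05:00|alice|C100|clip-1|T1
2020-01-06T09:40:00|alice|C100|clip-2|T1
2020-01-06T11:00:00|bob|C200|clip-7|T2
2020-01-06T12:30:00|bob|C300|clip-9|
2020-01-06T13:00:00|carol|C400|clip-4|T9
2020-01-07T15:00:00|alice|C100|clip-3|T1
"""

# Constructed ticket records the log is checked against.
SAMPLE_TICKETS = [
    Ticket("T1", "C100", "alice", datetime(2020, 1, 6, 8), datetime(2020, 1, 6, 17)),
    Ticket("T2", "C300", "bob", datetime(2020, 1, 6, 10), None),
]


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the pipe-separated log; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, employee, customer, resource, ticket = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), employee,
                                  customer, resource, ticket or None))
    return events


def check_need_to_know(events: List[AccessEvent], tickets: List[Ticket],
                       grace: timedelta = timedelta(hours=1)) -> List[Finding]:
    """Flag every access not covered by a ticket for that customer, assigned to
    that employee, and open at access time (plus `grace` after closing)."""
    by_id = {t.ticket_id: t for t in tickets}
    findings: List[Finding] = []
    for ev in events:
        if ev.ticket_ref is None:
            findings.append(Finding(ev, "no justification recorded"))
        elif ev.ticket_ref not in by_id:
            findings.append(Finding(ev, f"unknown ticket {ev.ticket_ref}"))
        else:
            t = by_id[ev.ticket_ref]
            if t.customer_id != ev.customer_id:
                findings.append(Finding(ev, f"{t.ticket_id} belongs to customer {t.customer_id}"))
            elif t.assignee != ev.employee:
                findings.append(Finding(ev, f"{t.ticket_id} is assigned to {t.assignee}"))
            elif ev.ts < t.opened or (t.closed is not None and ev.ts > t.closed + grace):
                findings.append(Finding(ev, f"access outside the lifetime of {t.ticket_id}"))
    return findings


def flagged_resources(findings: List[Finding]) -> List[str]:
    """Resource ids that need a human reviewer, in log order."""
    return [f.event.resource for f in findings]


def run_example() -> List[Finding]:
    return check_need_to_know(parse_log(SAMPLE_LOG), SAMPLE_TICKETS)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.event.ts.isoformat()} {f.event.employee} -> {f.event.resource}: {f.reason}")
```

Of the six constructed accesses, the two by alice during her open ticket pass; the other four are flagged (ticket for a different customer, no justification, a ticket that does not exist, and an access the day after the ticket closed). The point is that the flagged employees all hold the role that permits video access; the check is on the justification, not the role, which is the gap the Ring letter describes.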

FBI Asks Apple To Help Unlock Two iPhones

Slashdot - Your Rights Online - Wed, 2020-01-08 15:00
An anonymous reader quotes a report from The New York Times: The encryption debate between Apple and the F.B.I. might have found its new test case. The F.B.I. said on Tuesday that it had asked Apple for the data on two iPhones that belonged to the gunman in the shooting last month at a naval base in Pensacola, Fla., possibly setting up another showdown over law enforcement's access to smartphones. Dana Boente, the F.B.I.'s general counsel, said in a letter to Apple that federal investigators could not gain access to the iPhones because they were locked and encrypted and their owner, Second Lt. Mohammed Saeed Alshamrani of the Saudi Royal Air Force, is dead. The F.B.I. has a search warrant for the devices and is seeking Apple's assistance executing it, the people said. Apple said in a statement that it had given the F.B.I. all the data "in our possession" related to the Pensacola case when it was asked a month ago. "We will continue to support them with the data we have available," the company said. Apple regularly complies with court orders to turn over information it has on its servers, such as iCloud data, but it has long argued that it does not have access to material stored only on a locked, encrypted iPhone. Before sending the letter, the F.B.I. checked with other government agencies and its national security allies to see if they had a way into the devices -- but they did not, according to one of the people familiar with the investigation. "The official said the F.B.I. was not asking Apple to create a so-called backdoor or technological solution to get past its encryption that must be shared with the government," the report adds. "Instead, the government is seeking the data that is on the two phones, the official said." "Apple has argued in the past that obtaining such data would require it to build a backdoor, which it said would set a dangerous precedent for user privacy and cybersecurity." Apple did not comment on the request.

Read more of this story at Slashdot.