Databases

Story Of a Country Which Has Built a Centralized Biometrics Database Of 1.1B People But Appears To Be Mishandling It Now (mashable.com) 57

In a bid to get more Indians to have a birth certificate or any sort of ID card, India announced the Aadhaar project in 2009. At the time, there were more Indians without these ID cards than with them. As a result, much of the government funding intended for citizens was disappearing before it reached them. But according to several security experts, lawyers, politicians and journalists, the government is using poor security practices, and this is putting the biometric data -- photo, name, address, fingerprint, iris info -- of people at risk. More than 1.1 billion people -- and 99 percent of all adults -- in India have enrolled in the system. From a report: "There are two fundamental flaws in Aadhaar: it is poorly designed, and it is being poorly verified," Member of Parliament and privacy advocate Rajeev Chandrasekhar told Mashable India. Another issue with Aadhaar, Chandrasekhar explains, is that there is no firm legislation to safeguard the privacy and rights of the billion people who have enrolled in the system. There's little a person whose Aadhaar data has been compromised could do. [...] "Aadhaar is remote, covert, and non-consensual," he told Mashable India, adding that the existence of a central database of any kind, but especially in the context of Aadhaar, and at the scale it is operating, is appalling. Abraham said fingerprint and iris data of a person can be stolen with little effort -- a "gummy bear," which sells for a few cents, can store one's fingerprint, while a high-resolution camera can capture one's iris data. The report goes on to say that the Indian government is also not disclosing how the data is being shared with private companies. Experts cited in the story have expressed concerns that those companies (some of which are run by people who were previously members of the team that designed the framework of Aadhaar) can store the data and create a parallel database of their own.
On top of that, the government is making Aadhaar mandatory for accessing several services, including registration for nationwide examinations, whereas in the beginning it promised Aadhaar would be used only to help the poor get groceries at subsidized prices.
Security

Michael Flynn Resigns As Trump's National Security Adviser (go.com) 891

An anonymous reader quotes a report from ABC News: President Donald Trump's embattled national security adviser Michael Flynn, who faced questions about a call to the Russian ambassador prior to the inauguration, has resigned. Retired Army General Keith Kellogg was named acting national security adviser to replace Flynn. ABC News reported Monday that Flynn called Vice President Mike Pence on Friday to apologize for misleading him about his conversation with the ambassador in November. Flynn previously denied that he spoke about sanctions the U.S. imposed on Russia for its suspected interference in the 2016 election, a claim repeated by Pence in January. An administration official later claimed Pence was relying on information provided to him by Flynn. In his resignation letter, Flynn cited the "fast pace of events" for "inadvertently" briefing "the Vice President Elect and others with incomplete information regarding [his] phone calls with the Russian Ambassador." You can view Flynn's full resignation letter, as provided by the White House, here.
Google

Engineers On Google's Self-Driving Car Project Were Paid So Much That They Quit (theverge.com) 95

According to a new report from Bloomberg, most of the money Google spent on its self-driving car project, now spun off into a new entity called Waymo, has gone to engineers and other staff. While it helped retain a lot of influential and dedicated workers in the short run, it has resulted in many staffers leaving the company in the long run because of the immense financial security it gave them. The Verge reports: Bloomberg says that early staffers "had an unusual compensation system" that multiplied staffers' salaries and bonuses based on the performance of the self-driving project. The payments accumulated as milestones were reached, even though Waymo remains years away from generating revenue. One staffer eventually "had a multiplier of 16 applied to bonuses and equity amassed over four years." The huge amounts of compensation worked -- for a while. But eventually, it gave many staffers such financial security that they were willing to leave the cuddly confines of Google. Two staffers that Bloomberg spoke to called it "F-you money," and the accumulated cash allowed them to depart Google for other firms, including Chris Urmson, who co-founded a startup with ex-Tesla employee Sterling Anderson, others who founded a self-driving truck company called Otto, which was purchased by Uber last year, and another who founded Argo AI, which received a $1 billion investment from Ford last week.
Businesses

Ransomware Insurance Is Coming (onthewire.io) 86

Trailrunner7 quotes a report from On the Wire: As bad as the ransomware problem is right now -- and it's plenty bad -- we're likely only at the beginning of what could become a crisis, experts say. "Lots of people are being infected and lots of people are paying. The bottom line is it's getting worse and it's going to continue to do so," Jeremiah Grossman, chief of security strategy at SentinelOne, said during a talk on the ransomware epidemic at the RSA Conference here Monday. "Seven-figure ransoms have already been paid. When you're out of business, you'll pay whatever you have to in order to stay in business. You're dealing with an active, sentient adversary." The ransomware market seems to be headed in the same direction as real-world kidnapping, where high-profile targets take out insurance policies to pay ransoms. Grossman said it probably won't be long before the insurance companies latch onto the ransomware game, too. "The insurance companies are going to see a large profit potential in this. Kidnapping and ransom insurance is still very boutique. This economic model will probably apply equally well to ransomware," he said. According to The FindLaw Corporate Counsel Blog, "Ransomware attacks fall under your cyber insurance policy's 'cyber extortion' coverage and can generally be considered 'first-party' or 'third-party' coverage, according to Christine Marciano, president of Cyber Data Risk Managers. Third-party coverage would likely leave a company uninsured when they are the victims of a ransomware attack. Even if your insurance policy covers ransomware attacks made against your company, the deductible may be so high that the company will be stuck paying any ransomware demands out of pocket (should the company decide to pay to decrypt its data). And your coverage may be sub-limited to relatively small amounts, according to Kevin Kalinich, the global cyber risk practice leader for Aon Risk Solutions.
A $10 million policy may only provide $500,000 for cyber extortion claims, he explains."
Privacy

Encrypted Email Is Still a Pain in 2017 (incoherency.co.uk) 216

Bristol-based software developer James Stanley, who used to work at Netcraft, shares how encrypted email, something which was first introduced over 25 years ago, is still difficult to set up and use even for reasonably tech-savvy people. He says he recently tried to install Enigmail, a Thunderbird add-on, but not only were terms like GPG, PGP and OpenPGP -- for no reason -- confusing, Enigmail also continues to suffer from a bug that makes key generation take forever. From his blog post: Encrypted email is nothing new (PGP was initially released in 1991 -- 26 years ago!), but it still has a huge barrier to entry for anyone who isn't already familiar with how to use it. I think my experience would have been better if Enigmail had generated keys out-of-the-box, or if (a.) gpg agreed with Enigmail on nomenclature (is it a secring or a private key?) and (b.) output the paths of the files it had generated. My experience would have been a lot worse had I not been able to call on the help of somebody who already knows how to use it.
Businesses

Angry Birds Is the Most-Banned Mobile App By Businesses (fortune.com) 47

Barb Darrow, writing for Fortune: Corporate IT pros face the unenviable task of trying to protect valuable data from threats that change all the time. One vector of attack is clearly smartphones and tablets that employees use both for work and pleasure. To that end, mobile device management firm MobileIron just came out with its latest tally of the ten most blacklisted apps, based on a survey of 7,800 companies worldwide. Angry Birds tops the list of most-banned apps at companies worldwide, as well as in Australia, the U.S., and government sectors tracked by MobileIron in its twice-yearly Mobile Security and Risk Review. The survey covers the use of Android, iOS, and Windows devices between Oct. 1, 2016 and Dec. 31, 2016.
Wikipedia

34 'Highly Toxic Users' Wrote 9% of the Personal Attacks On Wikipedia (bleepingcomputer.com) 174

Researchers used machine learning to analyze every single comment left on Wikipedia in 2015. An anonymous reader shares their results: 34 "highly toxic users" were responsible for 9% of all the personal attacks in the comments on Wikipedia, according to a research team from Alphabet's Jigsaw and the Wikimedia Foundation. They concluded that "significant progress could be made by moderating a relatively small number of frequent attackers." But at the same time, in Wikipedia's comments "less than half of attacks come from users with little prior participation; and perhaps surprisingly, approximately 30% of attacks come from registered users with over 100 contributions. These results suggest the problems associated with personal attacks do not have an easy solution... the majority of personal attacks on Wikipedia are not the result of a few malicious users, nor primarily the consequence of allowing anonymous contributions."

The researchers "developed a machine learning algorithm that was able to identify and distinguish different forms of online abuse and personal attacks," reports Bleeping Computer, adding that the team "hopes that Wikipedia uses their study to build a comments monitoring dashboard that could track down hotspots of abusive personal attacks and help moderators ban or block toxic users." The paper describes it as a method "that combines crowdsourcing and machine learning to analyze personal attacks at scale."

NASA

US-Born NASA Scientist Detained At The Border Until He Unlocked His Phone (theverge.com) 626

Sidd Bikkannavar works at NASA's Jet Propulsion Laboratory. After racing solar-powered cars in Chile, he had trouble returning to America. mspohr quotes The Verge: Bikkannavar says he was detained by U.S. Customs and Border Patrol and pressured to give the Customs and Border Protection agents his phone and access PIN. Since the phone was issued by NASA, it may have contained sensitive material that wasn't supposed to be shared. Bikkannavar's phone was returned to him after it was searched by CBP, but he doesn't know exactly what information officials might have taken from the device...

The officer also presented Bikkannavar with a document titled "Inspection of Electronic Devices" and explained that CBP had authority to search his phone. Bikkannavar did not want to hand over the device, because it was given to him by JPL and is technically NASA property. He even showed the officer the JPL barcode on the back of phone. Nonetheless, CBP asked for the phone and the access PIN. "I was cautiously telling him I wasn't allowed to give it out, because I didn't want to seem like I was not cooperating," says Bikkannavar. "I told him I'm not really allowed to give the passcode; I have to protect access. But he insisted they had the authority to search it."

While border agents have the right to search devices, The Verge reports that travelers aren't legally required to unlock their phones, "although agents can detain them for significant periods of time if they do not." They also report that Bikkannavar "was not allowed to leave until he gave CBP his PIN," adding that the cybersecurity team at JPL "was not happy about the breach."
Government

Face Recognition + Mandatory Police Body Cameras = Mass Surveillance? (siliconvalley.com) 110

Facial recognition software is already in use, and it has privacy advocates worried. An anonymous reader quotes the Bay Area News Group: Southern California-based FaceFirst sells its facial recognition technology to retail stores, which use it to identify shoplifters who have been banned from the store and alert management if they return. Corporate offices and banks also use the software to recognize people who are wanted by police... Several local law enforcement agencies have expressed interest in the technology, but so far none have had the budget for it. FaceFirst sells software police officers can install on their smartphones and use to identify people in the field from up to 12 feet away.

Some privacy experts worry facial recognition technology will show up next in police body cameras, with potentially dangerous consequences... The problem, say privacy advocates, is that all kinds of people come into contact with police, including many who are never suspected of any crimes. So lots of innocent people could be caught up in a police database fed by face-recognizing body cameras. The body cameras could turn into a "massive mobile surveillance network," said Jeramie Scott, national security counsel for the Electronic Privacy Information Center.

One-third of America's police departments use body cameras. (And in San Jose alone, there are already 450 neighborhood cameras whose owners have agreed to share their footage for police investigations.) The new technologies concern the ACLU's policy director for technology and civil liberties. "You have very powerful systems being purchased, most often in secret, with little-to-no public debate and no process in place to make sure that there are policies in place to safeguard community members."
Electronic Frontier Foundation

Three Privacy Groups Challenge The FBI's Malware-Obtained Evidence (eff.org) 115

In 2015 the FBI took over a Tor-accessible child pornography site to infect its users with malware so they could be identified and prosecuted. But now one suspect is challenging that evidence in court, with three different privacy groups filing briefs in his support. An anonymous reader writes: One EFF attorney argues it's a classic case of an unreasonable search, which is prohibited by the U.S. Constitution. "If the FBI tried to get a single warrant to search 8,000 houses, such a request would unquestionably be denied." But there's another problem, since the FBI infected users in 120 different countries. "According to Privacy International, the case also raises important questions: What if a foreign country had carried out a similar hacking operation that affected U.S. citizens?" writes Computerworld. "Would the U.S. welcome this...? The U.S. was overstepping its bounds by conducting an investigation outside its borders without the consent of affected countries, the group said."
The FBI's evidence is also being challenged by the ACLU of Massachusetts, and the EFF plans to file two more challenges in March, warning that otherwise "the precedent is likely to impact the digital privacy rights of all Internet users for years to come... Courts need to send a very clear message that vague search warrants that lack the required specifics about who and what is to be searched won't be upheld."
Security

Trend Micro's Own Cybersecurity Blog Gets Hacked (silicon.co.uk) 17

Mickeycaskill quotes Silicon: Just to illustrate that you can never be too careful, cybersecurity specialist Trend Micro has confirmed that one of the blogs it uses to communicate with customers was itself the victim of a content spoofing attack. The culprits exploited a vulnerability in WordPress to inject fake content onto the blog before it was removed by Trend Micro and the bug fixed... "Unfortunately there are many different URLs attackers can use to carry out the same attack, so a couple of fake 'articles' ended up posted on CounterMeasures," head of security research Rik Ferguson told Silicon. "We have responded and shut down the vulnerability completely to resolve the issue."
The chairman of Trend Micro claimed in 2011 that open source software was inherently less secure than closed source -- but instead of blaming WordPress, Ferguson "said it goes to show how breaches are an unfortunate fact of life and that companies should be judged on how they respond... 'Of course technology and best practice can mitigate the vast majority of intrusion attempts, but when one is successful, even one as low-level as this, you are more defined by how you respond than you are by the fact that it happened.'"
Networking

College Network Attacked With Its Own Insecure IoT Devices (zdnet.com) 53

An anonymous reader writes: An attacker compromised over 5,000 IoT devices on a campus network -- including vending machines and light sensors -- and then used them to attack that same network. "In this instance, all of the DNS requests were attempting to look up seafood restaurants," reports ZDNet, though the attack was eventually blocked by cybersecurity professionals. Verizon's managing principal of investigative response blames the problem on devices configured with default credentials -- and says it's only going to get worse. "There's going to be so many of these things used by people with very limited understanding of what they are... There's going to be endless amounts of technology out there that people are going to easily be able to get access to."
The article suggests "ensuring that IoT devices are on a completely different network to the rest of the IT estate." But it ends by warning that "until IoT manufacturers bother to properly secure their devices -- and the organizations which deploy them learn to properly manage them -- DDoS attacks by IoT botnets are going to remain a huge threat."
Cellphones

Mission Possible: Self-Destructing Phones Are Now a Reality (yahoo.com) 142

drunkdrone quotes the International Business Times: Self-destructing gadgets favored by the likes of James Bond and Mission: Impossible's Ethan Hunt have taken one step closer to reality. Researchers in Saudi Arabia have developed a mechanism that, when triggered, can destroy a smartphone or other electronic device in as little as 10 seconds. The self-destruct mechanism has been created by electrical engineers at the King Abdullah University of Science and Technology and consists of a polymer layer that rapidly expands when subjected to temperatures above 80 degrees Celsius, effectively bursting the phone open from the inside. The mechanism can be adapted to be triggered in various ways, including remotely through a smartphone app or when it's subjected to pressure.

Once triggered, power from the device's battery is directed to electrodes that rapidly heat, causing the polymer layer to expand to around seven times its original size within 10-15 seconds. This crushes the vital components inside the device, destroying any information stored on board.

One engineer believes the phone will see adoption in the intelligence and financial communities, though it can also be retrofitted to existing phones for just $15. This raises an interesting question -- would you want a self-destructing phone?
Government

Senators Push Trump Administration For Clarity On Privacy Act Exclusions (onthewire.io) 135

Trailrunner7 quotes a report from On the Wire: A group of influential lawmakers, including Sen. Ed Markey and Sen. Ron Wyden, are pressing the Trump administration for answers about how an executive order that includes changes to the Privacy Act will affect non-U.S. persons and whether the administration plans to release immigrants' private data. The letter comes from six senators who are concerned about the executive order that President Trump issued two weeks ago that excludes from privacy protections people who aren't U.S. citizens or permanent residents. The order is mostly about changes to immigration policy, but Trump also included a small section that requires federal government agencies to exclude immigrants from Privacy Act protections. On Thursday, Markey, Wyden, and four other senators sent a letter to Secretary of Homeland Security John Kelly, asking a series of 10 questions about how the exclusion would be implemented, what it would cost, and whether the government plans to release the private data of people affected by the order. "These Privacy Act exclusions could have a devastating impact on immigrant communities, and would be inconsistent with the commitments made when the government collected much of this information," the senators said in the letter to Kelly. In the letter, the lawmakers ask Kelly whether people affected by the order will be allowed full access to their own private data that has been collected by the government. They also ask how the government plans to identify U.S. persons in their databases and what policies DHS will apply to separate them from non-U.S. persons. The letter also asks for clarification on how the executive order will affect the Privacy Shield pact between the U.S. and the European Union. That agreement enables companies to move private data between countries under certain data protection laws.
Republicans

Russia Considers Sending Snowden Back To US As a 'Gift' To Trump (nbcnews.com) 294

An anonymous reader quotes a report from NBC News: U.S. intelligence has collected information that Russia is considering turning over Edward Snowden as a "gift" to President Donald Trump -- who has called the NSA leaker a "spy" and a "traitor" who deserves to be executed. That's according to a senior U.S. official who has analyzed a series of highly sensitive intelligence reports detailing Russian deliberations and who says a Snowden handover is one of various ploys to "curry favor" with Trump. A second source in the intelligence community confirms the intelligence about the Russian conversations and notes it has been gathered since the inauguration. Snowden's ACLU lawyer, Ben Wizner, told NBC News they are unaware of any plans that would send him back to the United States. "Team Snowden has received no such signals and has no new reason for concern," Wizner said. Former deputy national security adviser Juan Zarate urged the Trump administration to be cautious in accepting any Snowden offer from Russian President Vladimir Putin. The White House had no comment, but the Justice Department told NBC News it would welcome the return of Snowden, who currently faces federal charges that carry a minimum of 30 years in prison. Putin spokesman Dmitry Peskov said talk about returning Snowden is "nonsense." If he were returned to American soil, Snowden -- a divisive figure in America who is seen by some as a hero and others as treasonous -- would face an administration that has condemned him in the strongest terms.
The Courts

Former CIA Analyst Sues Defense Department To Vindicate NSA Whistleblowers (theintercept.com) 22

An anonymous reader quotes a report from The Intercept: In 2010, Thomas Drake, a former senior employee at the National Security Agency, was charged with espionage for speaking to a reporter from the Baltimore Sun about a bloated, dysfunctional intelligence program he believed would violate Americans' privacy. The case against him eventually fell apart, and he pled guilty to a single misdemeanor, but his career in the NSA was over. Though Drake was largely vindicated, the central question he raised about technology and privacy has never been resolved. Almost seven years have passed now, but Pat Eddington, a former CIA analyst, is still trying to prove that Drake was right. While working for Rep. Rush Holt, D-N.J., Eddington had the unique opportunity to comb through still-classified documents that outline the history of two competing NSA programs known as ThinThread and Trailblazer. He's seen an unredacted version of the Pentagon inspector general's 2004 audit of the NSA's failures during that time, and has filed Freedom of Information Act requests. In January, Eddington decided to take those efforts a step further by suing the Department of Defense to obtain the material, he tells The Intercept. "Those documents completely vindicate" those who advocated for ThinThread at personal risk, says Eddington.
Google

Google Might Be Gearing Up To Remove Millions of Play Store Apps Next Month (pcworld.com) 53

An anonymous reader shares a PCWorld report: Take a look at the digital shelves of the Google Play Store and you're likely to come across a bevy of so-called zombie apps. These apps typically take the form of a knock-off of a popular game or a sloppy utility that doesn't quite match its description, and they strategically turn up alongside legitimate apps, which makes them hard to spot if you're not doing a forensic analysis of reviews while you shop. Now it looks like something is finally being done about them. In a letter uncovered by The Next Web, Google has begun warning some developers that one or more of their apps has been flagged for a lack of an adequate privacy policy, a common problem among this sort of hastily published and subsequently ignored app. In the message, Google reiterates its policy, which "requires developers to provide a valid privacy policy when the app requests or handles sensitive user information." Such permissions include camera, microphone, account, contacts, or phone access, which require a transparent disclosure of how user data is handled, according to Google's requirements. It's unclear how many letters were sent out, but The Next Web estimates it could affect millions of apps.
Iphone

Apple Fails To Remove 'Deleted' Safari Web Browser Histories From iCloud (betanews.com) 29

Reader BrianFagioli writes: Apple was storing Safari browsing histories in iCloud, even after they had been 'deleted' by the user, with such records being kept going back to 2015 -- although apparently this was an accidental by-product of the way the cloud syncing system works rather than anything malicious, and the issue has now been fixed. This information first came to light in a Forbes report, which cited Vladimir Katalov, the chief executive of Elcomsoft, a Russian security firm (which focuses on password/system recovery). Katalov stumbled onto the issue when reviewing the browsing history on his iPhone, discovering his supposedly deleted surfing history still present in iCloud and being able to extract it using his company's Phone Breaker tool.
Security

State-sponsored Hackers Targeting Prominent Journalists, Google Warns (politico.com) 102

State-sponsored hackers are attempting to steal the email passwords of a number of prominent journalists, Google has warned. The hackers are suspected to be Russian, reports POLITICO. Some of the journalists who have received such warnings from Google as recently as two to three weeks ago include Jonathan Chait of New York Magazine, Julia Ioffe, who recently started at The Atlantic, Ezra Klein of Vox, and CNN's Brian Stelter. From the report: "The fact that all this started right after the election suggests to me that journalists are the next wave to be targeted by state-sponsored hackers in the way that Democrats were during it," said one journalist who got the warning. "I worry that the outcome is going to be the same: Someone, somewhere, is going to get hacked, and then the contents of their Gmail will be weaponized against them -- and by extension all media."
Security

Attacks On WordPress Sites Intensify As Hackers Deface Over 1.5 Million Pages (bleepingcomputer.com) 119

An anonymous reader writes: "Attacks on WordPress sites using a vulnerability in the REST API, patched in WordPress version 4.7.2, have intensified over the past two days, as attackers have now defaced over 1.5 million pages, spread across 39,000 unique domains," reports BleepingComputer. "Initial attacks using the WordPress REST API flaw were reported on Monday by web security firm Sucuri, who said four groups of attackers defaced over 67,000 pages. The number grew to over 100,000 pages the next day, but according to a report from fellow web security firm WordFence, these numbers have skyrocketed today to over 1.5 million pages, as there are now 20 hacking groups involved in a defacement turf war." Making matters worse, over the weekend Google's Search Console service, formerly known as Google Webmaster, was sending out security alerts to people it shouldn't. Google attempted to send security alerts to all WordPress 4.7.0 and 4.7.1 website owners (vulnerable to the REST API flaw), but some emails reached WordPress 4.7.2 owners, some of whom misinterpreted the email and panicked, fearing their site might lose search engine ranking.