Botnet

2 Million IoT Devices Enslaved By Fast-Growing BotNet (bleepingcomputer.com)

An anonymous reader writes: Since mid-September, a new IoT botnet has grown to massive proportions. Codenamed IoT_reaper, researchers estimate its current size at nearly two million infected devices. According to researchers, the botnet is mainly made up of IP-based security cameras, routers, network-attached storage (NAS) devices, network video recorders (NVRs), and digital video recorders (DVRs), primarily from vendors such as Netgear, D-Link, Linksys, GoAhead, JAWS, Vacron, AVTECH, MikroTik, TP-Link, and Synology.

The botnet reuses some Mirai source code, but it's unique in its own right. Unlike Mirai, which relied on scanning for devices with weak or default passwords, this botnet was put together using exploits for unpatched vulnerabilities. The botnet's author is still struggling to control his botnet, as researchers spotted over two million infected devices sitting in the botnet's C&C servers' queue, waiting to be processed. As of now, the botnet has not been used in live DDoS attacks, but the capability is in there.

Today is the one-year anniversary of the Dyn DDoS attack, the article points out, adding that "This week both the FBI and Europol warned about the dangers of leaving Internet of Things devices exposed online."
Media

Body Camera Giant Wants Police To Collect Your Videos Too (fastcompany.com)

tedlistens shares a report from Fast Company: Axon, the police supplier formerly known as Taser and now a leading maker of police body cameras, has also charged into police software with a service that allows police to manage and eventually analyze increasingly large caches of video, like a Dropbox for cops. Now it wants to add the public's video to the mix. An online tool called Citizen, set to launch later this year, will allow police to solicit the public for photos or video in the aftermath of suspected crimes and ingest them into Axon's online data platform. Todd Basche, Axon's executive vice president for worldwide products, said the tool was designed after the company conducted surveys of police customers and the public and found that potentially valuable evidence was not being collected. "They all pointed us to the need to collect evidence that's out there in the community."

[But] systems like Citizen still raise new privacy and policy questions, and could test the limits of already brittle police-community relations. Would Citizen, for instance, also be useful for gathering civilian evidence of incidents of police misconduct or brutality? [And how would ingesting citizen video into online police databases, like Axon's Evidence.com, allow police to mine it later for suspicious activity, in a sort of dragnet fashion?] "It all depends," says one observer, "on how agencies use the tool."

Twitter

Twitter Plans To End Revenge Porn Next Week, Hate Speech In Two (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: In the beginning of 2017, Twitter said it would take on harassment and hate speech. CEO Jack Dorsey said the company would embrace a "completely new approach to abuse on Twitter" with open dialogue along the way. For months, though, the company has offered few details about what it would do, or when. That changed late yesterday, when Twitter posted a timeline with specific promises on actions it will take. The changes begin next week. On October 27, Twitter will expand the types of "non-consensual nudity" (aka "revenge porn") it takes action against. The company will already act when a victim complains, but Twitter will soon act even in cases where the victims may not be aware images were taken, instances like upskirt photos and hidden webcams. "Anyone we identify as the original poster of non-consensual nudity will be suspended immediately," the October entry reads. On November 3, Twitter will ban hate imagery in profile headers and avatars, and the service will start suspending accounts "for organizations that use violence to advance their cause." The same day it will institute a policy of stopping "Unwanted Sexual Advances," although the company says it has already been taking enforcement actions on this front. Later in November, Twitter will ban "hateful display names."
Microsoft

Microsoft's Market Value Hits a Dot-Com Era Milestone: $600 Billion (wsj.com)

An anonymous reader shares a report: Microsoft's value is returning to tech-bubble peaks. The software giant closed with a market value of $600 billion Thursday for the first time since January 2000, according to the Journal's Market Data Group. Shares rose 0.4 percent to $77.91, setting a fresh all-time high. For the year, Microsoft shares are up 25% and on track for their best year since 2013, as the firm continues its rebirth as a force in cloud-computing. The firm is the third-largest S&P 500 company in market value, trailing Apple (about $800 billion) and Google's parent company, Alphabet (about $690 billion). In July, fellow technology and internet stalwarts Facebook and Amazon.com joined the trio as the only U.S.-listed companies valued at more than $500 billion. The last time Microsoft was over $600 billion back in 2000, it didn't stay there for long. The tech bubble would peak in March of that year, and the Nasdaq Composite Index wouldn't climb back to the level it reached that year until 2015.
Facebook

Facebook Security Chief Says Its Corporate Network Is Run 'Like a College Campus' (zdnet.com)

An anonymous reader quotes a report from ZDNet: Facebook's security chief has told employees that the social media giant needs to improve its internal security practices to be more akin to a defense contractor, according to a leaked recording obtained by ZDNet. Alex Stamos made the comments to employees at a late-July internal meeting where he argued that the company had not done enough to respond to the growing threats that the company faces, citing both technical challenges and cultural issues at the company. "The threats that we are facing have increased significantly and the quality of the adversaries that we are facing," he said. "Both technically and from a cultural perspective I don't feel like we have caught up with our responsibility. The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost," he said.
Advertising

Senators Announce New Bill That Would Regulate Online Political Ads (theverge.com)

An anonymous reader quotes a report from The Verge: As tech companies face continued scrutiny over Russian activity on their ad platforms, Senators today announced legislation meant to regulate political ads on the internet. The new bill, called the Honest Ads Act, would require companies like Facebook and Google to keep copies of political ads and make them publicly available. Under the act, the companies would also be required to release information on who those ads were targeted to, as well as information on the buyer and the rates charged for the ads. The new rules would bring disclosure rules more in line with how political ads are regulated in mediums like print and TV, and apply to any platform with more than 50 million monthly viewers. The companies would be required to keep and release data on anyone spending more than $500 on political ads in a year. It's unclear how well the bill will fare. Companies like Facebook have been successfully fighting regulations for years. But this latest attempt has some bipartisan support: the act, sponsored by Sen. Amy Klobuchar (D-MN) and Sen. Mark Warner (D-VA) is also co-sponsored by Sen. John McCain (R-AZ). "Americans deserve to know who's paying for the online ads," Klobuchar said at a press conference announcing the legislation.
Verizon

Verizon Loses 18,000 Pay TV Subscribers, Signals Delay For Live TV Streaming Service (hollywoodreporter.com)

Verizon announced on Thursday that its FiOS video service lost 18,000 net pay TV subscribers in the third quarter, compared with the addition of 36,000 subscribers in the year-ago period and a 15,000 subscriber drop in the second quarter. Hollywood Reporter reports: The company said the drop in the latest quarter was "reflecting the ongoing shift from traditional linear video to over-the-top offerings." Verizon, led by chairman and CEO Lowell McAdam, ended the third quarter with a total of 4.6 million subscribers to its FiOS video service, which competes with cable and satellite TV companies. Asked about a planned over-the-top (OTT) TV service from Verizon, CFO Matt Ellis said that the company continues to feel that "there's an opportunity for us to play," but signaling a delay, he emphasized that the company "doesn't want to launch a me-too product." He didn't provide any guidance on when the OTT service would launch, saying that was still "TBD" (to be determined), or what content it could offer beyond saying it was likely to be built "around live programming." Verizon also reported Thursday that it added 66,000 net new FiOS broadband connections in the third quarter to end it with 5.8 million.
The Almighty Buck

Amazon Spends $350K On Seattle Mayor's Race (jeffreifman.com)

reifman writes: Until this summer, Amazon had never contributed more than $15,000 to a city political campaign in Seattle, but this year's different. The company is a lead funder in the Seattle Chamber of Commerce's PAC which dropped $525,000 Monday on Jenny Durkan's PAC, the centrist business candidate. Her opponent Cary Moon is an advocate for affordable housing, which complicates Amazon's growth, and city-owned community broadband. Comcast and CenturyLink joined Amazon, contributing $25,000 and $82,500 respectively to the Chamber's PAC. Amazon's $350,000 contribution represents 0.00014 of its CY 2016 net profit.
Chrome

Google Engineers Explore Ways To Stop In-Browser Cryptocurrency Miners in Chrome (bleepingcomputer.com)

An anonymous reader writes: Google Chrome engineers are considering adding a special browser permission that will thwart the rising trend of in-browser cryptocurrency miners. Discussions on the topic of in-browser miners have been going on the Chromium project's bug tracker since mid-September when Coinhive, the first such service, launched. "Here's my current thinking," Ojan Vafai, a Chrome engineer working on the Chromium project, wrote in one of the recent bug reports. "If a site is using more than XX% CPU for more than YY seconds, then we put the page into 'battery saver mode' where we aggressively throttle tasks and show a toast [notification popup] allowing the user to opt-out of battery saver mode. When a battery saver mode tab is backgrounded, we stop running tasks entirely. I think we'll want measurement to figure out what values to use for XX and YY, but we can start with really egregious things like 100% and 60 seconds. I'm effectively suggesting we add a permission here, but it would have unusual triggering conditions [...]. It only triggers when the page is doing a likely bad thing."

An earlier suggestion had Google create a blacklist and block the mining code at the browser level. That suggestion was shut down as being too impractical and something better left to extensions.
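As an added illustration of the heuristic Vafai describes (example code written for this page, not Chromium's implementation), the following models one tab's CPU budget: per-second CPU samples, the XX/YY thresholds with the proposed starting values of 100% and 60 seconds, the window reset when usage dips, the user opt-out from the toast, and the rule that a backgrounded battery-saver tab runs no tasks at all. The once-per-second sampling, the class and function names, and the traces fed in are assumptions.

```javascript
// Added example modelling the proposed Chrome heuristic; not Chromium code.
// Assumption: the browser samples each tab's CPU use once per second as a
// percentage and passes it in together with the current time in seconds.

const CPU_THRESHOLD_PCT = 100;   // the proposal's "XX", starting with 100%
const SUSTAIN_SECONDS = 60;      // the proposal's "YY", starting with 60 s

class TabBudget {
  constructor(thresholdPct = CPU_THRESHOLD_PCT, sustainSeconds = SUSTAIN_SECONDS) {
    this.thresholdPct = thresholdPct;
    this.sustainSeconds = sustainSeconds;
    this.overSince = null;       // time (s) at which usage first crossed the threshold
    this.batterySaver = false;   // true once the page has been put into battery saver mode
    this.userOptedOut = false;   // set when the user dismisses the toast
    this.backgrounded = false;
  }

  // Feed one sample and return the scheduling decision for this tick:
  // 'run' (normal), 'throttle' (battery saver, tab in foreground) or
  // 'stop' (battery saver tab in the background: no tasks run at all).
  sample(cpuPct, nowSeconds) {
    if (!this.batterySaver && !this.userOptedOut) {
      if (cpuPct >= this.thresholdPct) {
        if (this.overSince === null) this.overSince = nowSeconds;
        // "more than YY seconds" of sustained load trips the mode
        if (nowSeconds - this.overSince > this.sustainSeconds) this.batterySaver = true;
      } else {
        this.overSince = null;   // any dip resets the window, so short spikes never trip it
      }
    }
    if (!this.batterySaver) return 'run';
    return this.backgrounded ? 'stop' : 'throttle';
  }

  // The toast's opt-out: leave battery saver mode and stop re-triggering it.
  optOut() {
    this.batterySaver = false;
    this.userOptedOut = true;
    this.overSince = null;
  }

  setBackgrounded(flag) { this.backgrounded = flag; }
}

// Drive a constructed trace of [timeSeconds, cpuPct, backgrounded] tuples
// through a fresh tab and return the per-tick decisions.
function simulate(trace, opts) {
  const tab = new TabBudget(opts && opts.thresholdPct, opts && opts.sustainSeconds);
  return trace.map(([t, cpu, bg]) => {
    tab.setBackgrounded(!!bg);
    return tab.sample(cpu, t);
  });
}

module.exports = { TabBudget, simulate, CPU_THRESHOLD_PCT, SUSTAIN_SECONDS };
```

The detail worth noticing is the window reset: a miner that paces itself in bursts shorter than YY seconds never trips the mode at all, which is why the proposal talks about measuring real traffic to pick XX and YY rather than fixing them up front.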

EU

EU: No Encryption Backdoors But, Let's Help Each Other Crack That Crypto (theregister.co.uk)

The European Commission has proposed that member states help each other break into encrypted devices by sharing expertise around the bloc. From a report: In an attempt to tackle the rise of citizens using encryption and its effects on solving crimes, the commission decided to sidestep the well-worn, and well-ridiculed, path of demanding decryption backdoors in the stuff we all use. Instead, the plans set out in its antiterrorism measures on Wednesday take a more collegiate approach -- by offering member states more support when they actually get their hands on an encrypted device. "The commission's position is very clear -- we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon," security commissioner Julian King told a press briefing. "We're trying to move beyond a sometimes sterile debate between backdoors or no backdoors, and address some of the concrete law enforcement challenges. For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device." [...] Share the wealth. "Some member states are more equipped technically to do that [extract information from a seized device] than others," King said. "We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer."
The Internet

Mozilla To Document Cross-Browser Web Dev Standards with Google, Microsoft, Samsung, and W3C (venturebeat.com)

Mozilla has announced deeper partnerships with Microsoft, Google, Samsung, and web standards body W3C to create cross-browser documentation on MDN Web Docs, a web development documentation portal created by Mozilla. From a report: MDN Web Docs first came to fruition in 2005, and it has since been known under various names, including the Mozilla Developer Network and Mozilla Developer Center. Today, MDN Web Docs serves as a community and library of sorts covering all things related to web technologies and standards, including JavaScript, HTML, CSS, open web app development, Firefox add-on development, and more. The web constitutes multiple players from across the technology spectrum and, of course, multiple browsers, including Microsoft's Edge, Google's Chrome, Mozilla's Firefox, and the Samsung Internet Browser. To avoid fragmentation and ensure end-users have a (fairly) consistent browsing experience, it helps if all the players involved adhere to a similar set of standards.
Security

The Internet Is Rife With In-Browser Miners and It's Getting Worse Each Day (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: Ever since mid-September, when Coinhive launched and the whole cryptojacking frenzy started, the Internet has gone crazy with in-browser cryptocurrency miners, and new sites that offer similar services are popping up on a weekly basis. While one might argue that mining Monero in a site's background is an acceptable alternative to viewing intrusive ads, almost none of these services that have recently appeared provide a way to let users know what's happening, let alone a way to stop mining behavior. In other words, most are behaving like malware, intruding on users' computers and using resources without permission. [...] Bleeping Computer spotted two new services named MineMyTraffic and JSEcoin, while security researcher Troy Mursch also spotted Coin Have and PPoi, a Coinhive clone for Chinese users. On top of this, just last night, Microsoft spotted two new services called CoinBlind and CoinNebula, both offering similar in-browser mining services, with CoinNebula configured in such a way that users couldn't report abuse. Furthermore, neither of these two services even has a homepage, revealing their true intentions to be deployed in questionable scenarios.
The Internet

Russian Troll Factory Paid US Activists To Fund Protests During Election (theguardian.com)

bestweasel writes: The Guardian reports on another story about Russian meddling, but interestingly, this one comes from a respected Russian news source, the RBC. From the report: "Russian trolls posing as Americans made payments to genuine activists in the U.S. to help fund protest movements on socially divisive issues. On Tuesday, the newspaper RBC published a major investigation into the work of a so-called Russian 'troll factory' since 2015, including during the period of the U.S. election campaign, disclosures that are likely to put further spotlight on alleged Russian meddling in the election. RBC said it had identified 118 accounts or groups in Facebook, Instagram and Twitter that were linked to the troll factory, all of which had been blocked in August and September this year as part of the U.S. investigation into Russian electoral meddling. Perhaps the most alarming element of the article was the claim that employees of the troll factory had contacted about 100 real U.S.-based activists to help with the organization of protests and events. RBC claimed the activists were contacted by Facebook group administrators hiding their Russian origin and were offered financial help to pay for transport or printing costs. About $80,000 was spent during a two-year period, according to the report."
Piracy

Netflix, Amazon, Movie Studios Sue Over TickBox Streaming Device (arstechnica.com)

Movie studios, Netflix, and Amazon have teamed up to file a lawsuit against a streaming media player called TickBox TV. The device in question runs Kodi on top of Android 6.0, and searches the internet for streams that it can make available to users without actually hosting any of the content itself. An anonymous reader quotes a report from Ars Technica: The complaint (PDF), filed Friday, says the TickBox devices are nothing more than "tool[s] for mass infringement," which operate by grabbing pirated video streams from the Internet. The lawsuit was filed by Amazon and Netflix Studios, along with six big movie studios that make up the Motion Picture Association of America: Universal, Columbia, Disney, Paramount, 20th Century Fox, and Warner Bros.

"What TickBox actually sells is nothing less than illegal access to Plaintiffs' copyrighted content," write the plaintiffs' lawyers. "TickBox TV uses software to link TickBox's customers to infringing content on the Internet. When those customers use TickBox TV as Defendant intends and instructs, they have nearly instantaneous access to multiple sources that stream Plaintiffs' Copyrighted Works without authorization." The device's marketing materials let users know the box is meant to replace paid-for content, with "a wink and a nod," by predicting that prospective customers who currently pay for Amazon Video, Netflix, or Hulu will find that "you no longer need those subscriptions." The lawsuit shows that Amazon and Netflix, two Internet companies that are relatively new to the entertainment business, are more than willing to join together with movie studios to go after businesses that grab their content.

Google

Toronto To Be Home To Google Parent's Biggest Smart City Project Yet (techcrunch.com)

Sidewalk Labs, the smart city subsidiary of Alphabet (the parent company of Google) with the stated goal of "reimagining cities from the Internet up," now has a very big sandbox in which to conduct its high-tech experiments. From a report: That's obviously an ambitious project, but some of the groundwork is already being laid: Alphabet's Google will be the flagship tenant for the new neighbourhood, anchoring the eastern waterfront, to be called "Quayside," and Sidewalk Labs has committed $50 million to kick off pilot testing and planning in partnership with the City of Toronto. Sidewalk Labs won the contract through its response to a Request for Proposals issued by Waterfront Toronto, an organization created by the Canadian federal government, the Ontario provincial government and the City of Toronto together to foster development of Toronto's lakefront areas in ways that address urban sprawl while respecting the realities of climate change and taking into account the ability of the city's residents to get around efficiently. The area involved in the RFP that Sidewalk Labs will work with the government coalition to develop spans around 800 acres (though 12 acres are specified for the initial project), and is one of the largest underdeveloped urban areas in any North American city, making it a good target for Sidewalk's ambitious vision, which involves building smart cities holistically from the very start. Ultimately, the partners hope to turn the area into a "place for tens of thousands of people to live, work, learn and play -- and to create and advance new ideas that improve city life," according to a release from Sidewalk.
Open Source

Companies Overlook Risks in Open Source Software, Survey Finds (betanews.com)

An anonymous reader shares a report: Open source code helps software suppliers to be nimble and build products faster, but a new report reveals hidden software supply chain risks of open source that all software suppliers and IoT manufacturers should know about. The recent Equifax breach for example exploited a vulnerability in a widely used open source web framework, Apache Struts, and the study by software monetization specialist Flexera points out that as much as 50 percent of code in commercial and IoT software products is open source. "We can't lose sight that open source is indeed a clear win. Ready-to-go code gets products out the door faster, which is important given the lightning pace of the software space," says Jeff Luszcz, vice president of product management at Flexera. "However, most software engineers don't track open source use, and most software executives don't realize there's a gap and a security/compliance risk." Flexera surveyed 400 software suppliers, Internet of Things manufacturers and in-house development teams. It finds only 37 percent of respondents to the survey have an open source acquisition or usage policy, while 63 percent say either their companies either don't have a policy, or they don't know if one exists. Worryingly, of the 63 percent who say their companies don't have an open source acquisition or usage policy, 43 percent say they contribute to open source projects. There is an issue over who takes charge of open source software too. No one within their company is responsible for open source compliance, or they don't know who is, according to 39 percent of respondents.
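What "tracking open source use" looks like in practice is an inventory built from the build's own lockfile, checked against advisory version ranges. The following is an added example written for this page, not Flexera's or any vendor's tooling: it walks a constructed npm package-lock-style dependency map, including nested transitive packages, and flags versions that fall inside an advisory's introduced/fixed range. The lockfile, the package names, the advisory entries and their identifiers are all constructed for the example and are not real packages or advisories.

```javascript
// Added example: inventory + advisory matching over a lockfile. Not a real
// tool; LOCKFILE and ADVISORIES are constructed data for illustration only.

// Shape follows the "dependencies" map of an npm package-lock.json v1
// (nested "dependencies" hold transitive packages; "dev" marks dev-only deps).
const LOCKFILE = {
  dependencies: {
    'example-web-framework': {
      version: '2.3.30', dev: false,
      dependencies: { 'example-template-engine': { version: '1.4.2', dev: false } },
    },
    'example-json-parser': { version: '0.9.1', dev: false },
    'example-test-runner': { version: '5.0.0', dev: true },
  },
};

// Constructed advisories: affected if introduced <= version < fixed.
const ADVISORIES = [
  { id: 'EXAMPLE-ADV-001', name: 'example-web-framework', introduced: '2.3.5', fixed: '2.3.32' },
  { id: 'EXAMPLE-ADV-002', name: 'example-json-parser', introduced: '0.0.0', fixed: '1.0.0' },
];

// Plain numeric x.y.z comparison; prerelease/build suffixes are not handled,
// which is the first thing to fix before pointing this at a real lockfile.
function parseVersion(v) {
  return v.split('.').map(Number);
}

function cmp(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Flatten the nested tree into one record per installed package instance.
// The same package can appear at several paths with different versions, so
// each record keeps the dependency path that pulled it in.
function inventory(lock) {
  const out = [];
  const walk = (deps, path) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = [...path, name];
      out.push({ name, version: meta.version, dev: !!meta.dev, path: here.join(' > ') });
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return out;
}

// Match every inventory record against every advisory for that package.
function audit(lock, advisories) {
  const findings = [];
  for (const item of inventory(lock)) {
    for (const adv of advisories) {
      if (adv.name !== item.name) continue;
      if (cmp(item.version, adv.introduced) >= 0 && cmp(item.version, adv.fixed) < 0) {
        findings.push({ ...item, advisory: adv.id, fixedIn: adv.fixed });
      }
    }
  }
  return findings;
}

module.exports = { LOCKFILE, ADVISORIES, cmp, inventory, audit };
```

Running audit(LOCKFILE, ADVISORIES) reports the two affected packages with the path that pulled each one in and the first fixed version, which is the minimum a team needs before it can say who owns the upgrade.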
Google

'Google Just Made Gmail the Most Secure Email Provider on the Planet' (vice.com)

Google announced on Tuesday that it would offer stronger online security for "high risk" users who may be frequent targets of online attacks. The company said anyone with a personal Google account can enroll in the new "advanced protection," while noting that it will require users to "trade off a bit of convenience" for extra security. Motherboard reports: The main advantage in terms of security is the need for a key or token to log in as the second factor, instead of a code sent via SMS or via app. This is much better because there's no way for hackers to steal or phish this key from afar (there have been isolated incidents of hackers using social engineering to gain access to someone's cell phone number by getting the provider to issue a new SIM card, for instance). Thanks to these new features, Gmail is now the most secure email provider available on the internet if you are worried about hackers breaking into your private correspondence. "This is a major step in the right direction in offering the same kind of protection available to high-profile figures to everyday people," Kenneth White, a Washington D.C. based security consultant to federal agencies, told Motherboard. "They have really thought this through, and while it may not make sense for everyone, for those that need it, it's a much needed option."
AT&T

Mobile Phone Companies Appear To Be Selling Your Location To Almost Anyone (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: You may remember that last year, Verizon (which owns Oath, which owns TechCrunch) was punished by the FCC for injecting information into its subscribers' traffic that allowed them to be tracked without their consent. That practice appears to be alive and well despite being disallowed in a ruling last March: companies appear to be able to request your number, location, and other details from your mobile provider quite easily. The possibility was discovered by Philip Neustrom, co-founder of Shotwell Labs, who documented it in a blog post earlier this week. He found a pair of websites which, if visited from a mobile data connection, report back in no time with numerous details: full name, billing zip code, current location (as inferred from cell tower data), and more. (Others found the same thing with slightly different results depending on carrier, but the demo sites were taken down before I could try it myself.)
Television

Netflix Adds 5.3 Million Subs In Q3, Beating Forecasts (variety.com)

Netflix shows no signs of slowing down. The company announced its third quarter results, adding more subscribers in both the U.S. and abroad than expected. Variety reports: The company gained 850,000 streaming subs in the U.S. and 4.45 million overseas in the period. Analysts had estimated Netflix to add 784,000 net subscribers in the U.S. and 3.62 million internationally for Q3. "We added a Q3-record 5.3 million memberships globally (up 49% year-over-year) as we continued to benefit from strong appetite for our original series and films, as well as the adoption of internet entertainment across the world," the company said in announcing the results, noting that it had under-forecast both U.S. and international subscriber growth. Netflix also indicated that its content spending may be even higher next year than previously projected. The company had said it was targeting programming expenditures of $7 billion in 2018; on Monday, Netflix said it will spend between $7 billion and $8 billion on content (on a profit-and-loss basis) next year. For 2017, original content will represent more than 25% of total programming spending, and that "will continue to grow," Netflix said.
