Bitcoin

Here's Why People Don't Buy Things With Bitcoin (vice.com)

An anonymous reader shares a report: One reason for this, if you live in Toronto like me (or anywhere else for that matter), is that there's basically nowhere to spend digital coins in the real world. Coinmap, a service that maps bitcoin-accepting locations all over the world, shows a few places that accept bitcoin in Toronto, but it's clearly out of date -- I called several businesses listed on the site and they had no idea what bitcoin even is. A bigger problem is perfectly illustrated in a Reddit post from Wednesday morning complaining that a bitcoin transaction worth just $9 still hasn't gone through the network after two days of waiting. Two. Days. The likely reason is that the fee attached to the transaction in order to incentivize faster confirmation -- 50 cents, which is about as much of a premium as I'd pay for a $9 transaction -- simply wasn't enough. "Should I have paid $3 on a $9 transfer to get it processed?" the person wrote.
Microsoft

Microsoft Will Never Again Sneakily Force Windows Downloads on Users (betanews.com)

A reader shares a report: Windows users in Germany were particularly unimpressed when Microsoft forcibly downloaded many gigabytes of files to upgrade from Windows 7 and 8 to Windows 10. Having held out for 18 months, and losing its case twice, Microsoft has finally agreed to stop its nefarious tactics. After a lengthy battle with Germany's Baden-Württemberg consumer rights center, Microsoft made the announcement to avoid the continuation of legal action. A press release on the Baden-Württemberg website reveals that Microsoft has announced it will no longer download operating system files to users' computers without their permission: Microsoft will not download install files for new operating systems to a user system's hard disk without the user's consent. The consumer rights center had hoped for this resolution to be reached much sooner, but Microsoft's decision will please the courts and could have a bearing on how the company acts in other countries.
The Internet

How a Tax Inspector Used Google Search To Locate the Founder of Silk Road (bbc.com)

An anonymous reader shares a report: You could buy any drug imaginable, wherever you were in the world, on the Silk Road website. Hidden on the dark web, it made millions of dollars every week. The US government had been trying to shut it down for more than two years when tax agent Gary Alford was brought in to try to trace the money which passed through the site. In his spare time, Gary started searching Google to try to find the mysterious mastermind behind the site: Dread Pirate Roberts. And he was successful. Gary spent hours trawling the internet for the first ever mention of Silk Road. He says he came across a posting on a Bitcoin forum. In the post, Roberts had shared his Gmail account. That escalated the investigation. Gary spoke with the BBC, describing the rest.
Security

Fourth US Navy Collision This Year Raises Suspicion of Cyber-Attacks (thenextweb.com)

An anonymous reader quotes a report from The Next Web: Early Monday morning a U.S. Navy Destroyer collided with a merchant vessel off the coast of Singapore. The U.S. Navy initially reported that 10 sailors were missing, and today found "some of the remains" in flooded compartments. While Americans mourn the loss of our brave warriors, top brass is looking for answers. Monday's crash involving the USS John McCain is the fourth in the area, and possibly the most difficult to understand. So far this year 17 U.S. sailors have died in the Pacific southeast due to seemingly accidental collisions with civilian vessels.

Should four collisions in the same geographical area be chalked up to coincidence? Could a military vessel be hacked? In essence, what if GPS spoofing or administrative lockout caused personnel to be unaware of any imminent danger or unable to respond? The Chief of Naval Operations (CNO) says there's no reason to think it was a cyber-attack, but they're looking into it: "2 clarify Re: possibility of cyber intrusion or sabotage, no indications right now...but review will consider all possibilities," tweeted Adm. John Richardson. The obvious suspects -- if a sovereign nation is behind any alleged attacks -- would be Russia, China, and North Korea, all of whom have reasonable access to the location of all four incidents. It may be chilling to imagine such a bold risk, but it's not outlandish to think a government might be testing cyber-attack capabilities in the field.

Transportation

Austria, Carmakers Agree To Update Software of 600,000 Diesel Cars (reuters.com)

An anonymous reader shares a report: Austria's Transport Minister Joerg Leichtfried said on Tuesday he had agreed with carmakers to update the software of 600,000 diesel cars to reduce pollution following a similar deal struck in Germany after a large-scale emissions scandal. Leichtfried said the deal also included extra payments to buyers of more environmentally friendly cars. He said that for potential buyers of electric cars all available financial help could add up to around 10,000 euros ($11,750) per vehicle. The exact amount of incentives, which will come in addition to existing government sweeteners for e-car buyers, will be decided and paid by the carmakers depending on the model of the vehicle exchanged for an old car, the spokesman of Austrian car importers association Guenther Kerle said.
Bitcoin

Two-Factor Authentication Fail: Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency (nytimes.com)

Reader Cludge shares an NYT report: Hackers have discovered that one of the most central elements of online security -- the mobile phone number -- is also one of the easiest to steal. In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim's phone number to a device under the control of the hackers. Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup -- as services like Google, Twitter and Facebook suggest. "My iPad restarted, my phone restarted and my computer restarted, and that's when I got the cold sweat and was like, 'O.K., this is really serious,'" said Chris Burniske, a virtual currency investor who lost control of his phone number late last year. A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission's own data shows that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658. But a particularly concentrated wave of attacks has hit those with the most obviously valuable online accounts: virtual currency fanatics like Mr. Burniske. Within minutes of getting control of Mr. Burniske's phone, his attackers had changed the password on his virtual currency wallet and drained the contents -- some $150,000 at today's values. Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries. But in interviews, dozens of prominent people in the industry acknowledged that they had been victimized in recent months.
Facebook

Facebook Makes Safety Check a Permanent Feature (techcrunch.com)

Facebook announced today that its "Safety Check" feature will be permanent in its app and on the desktop. The feature lets you check to see whether friends and family are safe following a crisis. TechCrunch reports: The change comes following new terrorist attacks, including one in Barcelona, where a vehicle was driven into a crowd, as well as the attack in Charlottesville, here in the U.S. According to Facebook, the dedicated button is gradually rolling out to users starting today, and will complete over the upcoming weeks. That means you may not see the option right away, but likely will soon. When Safety Check is accessed by way of the new button, you'll be able to view a feed of disasters, updates from friends who marked themselves as safe and offers of help. An "around the world" section will display where Safety Check has been recently enabled, too.
iPhone

iPhone 8's 3D Face Scanner Will Work In 'Millionths of a Second' (phonearena.com)

According to a report by the Korea Herald, Apple's upcoming iPhone 8 will ditch the fingerprint identification in favor of 3D face recognition, which will work "in the millionths of a second." PhoneArena reports: The Samsung Galaxy series were among the first mainstream devices to feature iris recognition, but the speed and accuracy of the current technology leave a lot to be desired, and maybe that is why current phones ship with an eye scanner AND a fingerprint reader. The iPhone 8, on the other hand, is expected to make a full dive into 3D scanning. Both Samsung and Apple are rumored to have tried to implement a fingerprint scanner under the display glass, but failed as the technology was not sufficiently advanced. The new iPhone will also introduce 3D sensors on both its front and back for Apple's new augmented reality (AR) platform. This latest report also reveals that Apple will not use curved edges for its iPhone 8 screen, but will instead use a flat AMOLED panel. The big benefit of using AMOLED for Apple thus is not the curve, but its thinner profile compared to an LCD screen.
Bitcoin

Third Party Trackers On Web Shops Can Identify Users Behind Bitcoin Transactions (helpnetsecurity.com)

An anonymous reader quotes a report from Help Net Security: More and more shopping websites accept cryptocurrencies as a method of payment, but users should be aware that these transactions can be used to deanonymize them -- even if they are using blockchain anonymity techniques such as CoinJoin. Independent researcher Dillon Reisman and Steven Goldfeder, Harry Kalodner and Arvind Narayanan from Princeton University have demonstrated that third-party online tracking provides enough information to identify a transaction on the blockchain, link it to the user's cookie and, ultimately, to the user's real identity. "Based on tracking cookies, the transaction can be linked to the user's activities across the web. And based on well-known Bitcoin address clustering techniques, it can be linked to their other Bitcoin transactions," they noted. "We show that a small amount of additional information, namely that two (or more) transactions were made by the same entity, is sufficient to undo the effect of mixing. While such auxiliary information is available to many potential entities -- merchants, other counterparties such as websites that accept donations, intermediaries such as payment processors, and potentially network eavesdroppers -- web trackers are in the ideal position to carry out this attack," they pointed out.
United Kingdom

Energy Firm Slapped With $65,000 Fine For Making 1.5 Million Nuisance Calls (theregister.co.uk)

A UK firm offering people energy-saving solutions has been fined after making almost 1.5 million unsolicited calls without checking whether the numbers were registered on the UK's opt-out database. From a report: Southampton-based Home Logic used a dialler system to screen the telephone numbers that it planned to call against the Telephone Preference Service register, which allows people to opt out of receiving marketing calls. This system was unavailable for at least 90 days out of the 220 between April 2015 and March 2016 due to technical issues -- but that didn't stop Home Logic from continuing to make phone calls. Some 1,475,969 calls were made in that time. And, as a result, Blighty's data protection watchdog, the Information Commissioner's Office, received 133 complaints about the firm from people who had registered with the TPS and did not expect to be picking up the phone to marketeers. It ruled that the biz had breached the Privacy and Electronic Communications Regulations and duly fined it £50,000 ($64,500).
Security

UK.gov To Treat Online Abuse as Seriously as Hate Crime in Real Life (theregister.co.uk)

The UK's Crown Prosecution Service has pledged to tackle online abuse with the same seriousness as it does hate crimes committed in the flesh. From a report: Following public concern about the increasing amount of racist, anti-religious, homophobic and transphobic attacks on social media, the CPS has today published a new set of policy documents on hate crime. This includes revised legal guidance for prosecutors on how they should make decisions on criminal charges and handle cases in court. The rules officially put online abuse on the same level as offline hate crimes -- defined as an action motivated by hostility or prejudice -- like shouting abuse at someone face-to-face. They commit the CPS to prosecuting complaints about online material "with the same robust and proactive approach used with online offending." Prosecutors are told to consider the effect on the wider community and whether to identify both the originators and the "amplifiers or disseminators."
Apple

Apple Looks For Exceptional Engineer With a Secret Job Posting (9to5mac.com)

An anonymous reader writes: A hidden Apple website that hosts a job description and an invitation to apply for an important position has recently been discovered. The posting describes a role that should be filled by a "talented engineer" who will develop a critical infrastructure component for the company's ecosystem. Discovered late yesterday by ZDNet's Zack Whittaker, the secret posting was found at us-west-1.blobstore.apple.com (now pulled). The posting stated how critical the role is, the scale of the work, key qualifications, and a description of the type of employee Apple is looking for. In the "How Critical?" section Apple says that the engineer will be working on developing infrastructure that will deal with millions of drives, tens of thousands of servers, and exabytes of data.
Bug

Bug In Lowe's Site Sold Goods For Free. Couple Arrested For Exploiting It (bleepingcomputer.com)

An anonymous reader writes: A couple from Brick Township in New Jersey stands accused of using a flaw in the Lowe's online portal to receive goods for free at their home. According to the Ocean County Prosecutor's Office, the couple tried to steal goods worth $258,068.01, but only managed to receive approximately $12,971.23 worth of merchandise. Officers executing a search warrant said the residence resembled "more of a warehouse than a home." Investigators said they recovered enough merchandise to fill an 18-foot trailer. Most items were in their original packaging and still had their price tags. Police say one of the suspects posted ads for some of the stolen goods on a Facebook group used to buy and sell used objects. The suspect was selling most of the items at half the price offered on the Lowe's website. Authorities did not provide in-depth technical details but revealed the flaw resided in the site's gift card module.

The lawyer for one of the suspects argued that his client didn't have the skills to penetrate the security on the website of a Fortune 500 company -- and insisted instead that his client just had a really special knack for finding good deals.
Security

Researchers Win $100,000 For New Spear-Phishing Detection Method (bleepingcomputer.com)

An anonymous reader writes: Facebook has awarded this year's Internet Defense Prize, worth $100,000, to a team of researchers from the University of California, Berkeley, who came up with a new method of detecting spear-phishing attacks in closely monitored enterprise networks. The team created a detection system -- called DAS (Directed Anomaly Scoring) -- that identifies uncommon patterns in email communications. They trained DAS by having it analyze 370 million emails from a single large enterprise with thousands of employees, sent between March 2013 and January 2017.

"Out of 19 spearphishing attacks, our detector failed to detect 2 attacks," the research team said. "Our detector [also] achieved an average false positive rate of 0.004%," researchers added, pointing out that this is almost 200 times better than previous research.

Honorable mentions went to two other projects, one for using existing static analysis techniques to find a large number of vulnerabilities in Linux kernel drivers, and another for preventing specific classes of vulnerabilities in low-level code.

Crime

FBI Warns US Private Sector To Cut Ties With Kaspersky (cyberscoop.com)

An anonymous reader quotes CyberScoop: The FBI has been briefing private sector companies on intelligence claiming to show that the Moscow-based cybersecurity company Kaspersky Lab is an unacceptable threat to national security, current and former senior U.S. officials familiar with the matter tell CyberScoop... The FBI's goal is to have U.S. firms push Kaspersky out of their systems as soon as possible or refrain from using them in new products or other efforts, the current and former officials say.

The FBI's counterintelligence section has been giving briefings since the beginning of the year on a priority basis, prioritizing companies in the energy sector and those that use industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. In light of successive cyberattacks against the electric grid in Ukraine, the FBI has focused on this sector due to the critical infrastructure designation assigned to it by the Department of Homeland Security... The U.S. government's actions come as Russia is engaged in its own push to stamp American tech giants like Microsoft out of that country's systems.

Meanwhile Bloomberg Businessweek claims to have seen emails which "show that Kaspersky Lab has maintained a much closer working relationship with Russia's main intelligence agency, the FSB, than it has publicly admitted" -- and that Kaspersky Lab "confirmed the emails are authentic."

Kaspersky Lab told ZDNet they have not confirmed the emails' authenticity. A representative for Kaspersky Lab says that the company does not have "inappropriate" ties with any government, adding that "the company does regularly work with governments and law enforcement agencies around the world with the sole purpose of fighting cybercrime."
Encryption

Google Warns Webmasters About Insecure HTTP Web Forms (searchengineland.com)

In April Chrome began marking HTTP pages as "not secure" in its address bar if the pages had password or credit card fields. They're about to take the next step. An anonymous reader quotes SearchEngineLand: Last night, Google sent email notifications via Google Search Console to site owners that have forms on web pages over HTTP... Google said, "Beginning in October 2017, Chrome will show the 'Not secure' warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode."
Google warned in April that "Our plan to label HTTP sites as non-secure is taking place in gradual steps, based on increasingly broad criteria. Since the change in Chrome 56, there has been a 23% reduction in the fraction of navigations to HTTP pages with password or credit card forms on desktop, and we're ready to take the next steps..."

"Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the 'Not secure' warning when users type data into HTTP sites."
Security

Hacker Helps Family Recover Minivan After Losing One-Of-A-Kind Car Key (bleepingcomputer.com)

An anonymous reader writes: A hacker and a mechanic have helped a family regain access to their hybrid car after they lost their one-of-a-kind car key while on vacation. The car in question is a Toyota Estima minivan, which a Canadian family bought used and imported from Japan. When they did so, they received only one key, which the father says he lost when he bent down to tie his son's shoelaces.

Because it was a hybrid and the on-board computer was synced to the battery recharge cycles, the car owner couldn't simply replace the car key without risking the car battery overcharging and catching fire. After offering a reward, going viral on Facebook and in Canadian media, and attempting to find the lost keys using crows, the family finally accepted the help of a local hacker who stripped the car apart and reprogrammed the car immobilizer with new car keys. The whole ordeal cost the family two months of their lives and around $3,500.

Security

Marcus Hutchins' Code Used In Malware May Have Come From GitHub (itwire.com)

troublemaker_23 quotes ITWire: A security researcher says code written by British hacker Marcus Hutchins has been discovered that was apparently 'borrowed' by the creator of the banking trojan Kronos. The researcher, known as Hasherezade, posted a tweet identifying the code that had been taken from Hutchins' repository on GitHub.

Hasherezade also found a 2015 tweet where a then-20-year-old Hutchins first announces he's discovered the hooking engine he wrote for his own blog -- being used in a malware sample. ("This is why we can't have nice things," Hutchins jokes.) Hasherezade analyzed Kronos's code and concluded "the author has a prior knowledge in implementing malware solutions... The level of precision led us to the hypothesis that Kronos is the work of a mature developer, rather than an experimenting youngster."

Monday on Twitter Hutchins posted that "I'm still on trial, still not allowed to go home, still on house arrest; but now I am allowed online. Will get my computers back soon."
Music

How Hackers Can Use Pop Songs To 'Watch' You (fastcompany.com)

An anonymous reader quotes a report from Fast Company: Forget your classic listening device: Researchers at the University of Washington have demonstrated that phones, smart TVs, Amazon Echo-like assistants, and other devices equipped with speakers and microphones could be used by hackers as clandestine sonar "bugs" capable of tracking your location in a room. Their system, called CovertBand, emits high-pitched sonar signals hidden within popular songs -- their examples include songs by Michael Jackson and Justin Timberlake -- then records them with the machine's microphone to detect people's activities. Jumping, walking, and "supine pelvic tilts" all produce distinguishable patterns, they say in a paper. (Of course, someone who hacked the microphone on a smart TV or computer could likely listen to its users, as well.)
The Military

US Military To Create Separate Unified Cyber Warfare Command (securityweek.com)

wiredmikey quotes a report from SecurityWeek: President Donald Trump has ordered the U.S. military to elevate its cyber warfare operations to a separate command, signaling a new strategic emphasis on electronic and online offensive and defensive operations. "I have directed that United States Cyber Command be elevated to the status of a Unified Combatant Command focused on cyberspace operations," Trump said in a statement Friday. The move would expand the number of the Defense Department's unified combatant commands to 10, putting cyber warfare on an equal footing with the Strategic Command, the Special Operations Command, and regional commands. Until now cyber warfare operations have been run under the umbrella of the National Security Agency, the country's main electronic spying agency, with Admiral Michael Rogers heading both.