Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Crime

FBI Authorized Informants To Break The Law 22,800 Times In 4 Years (dailydot.com) 36

blottsie quotes a report from the Daily Dot: Over a four-year period, the FBI authorized informants to break the law more than 22,800 times, according to newly reviewed documents. Official records obtained by the Daily Dot under the Freedom of Information Act show the Federal Bureau of Investigation gave informants permission at least 5,649 times in 2013 to engage in activity that would otherwise be considered a crime. In 2014, authorization was given 5,577 times, the records show. USA Today previously revealed confidential informants engaged in "otherwise illegal activity," as the bureau calls it, 5,658 times in 2011. The figure was at 5,939 the year before, according to documents acquired by the Huffington Post. In total, records obtained by reporters confirm the FBI authorized at least 22,823 crimes between 2011 and 2014. Unfortunately, many of those crimes can have serious and unintended consequences. One of the examples mentioned in the Daily Dot's report was of an FBI informant who "was responsible for facilitating the 2011 breach of Stratfor in one of the most high-profile cyberattacks of the last decade. While a handful of informants ultimately brought down the principal hacker responsible, the sting also caused Stratfor, an American intelligence firm, millions of dollars in damages and left and estimated 700,000 credit card holders vulnerable to fraud."
Canada

Ashley Madison Security Protocols Violated Canada, Austrialia Privacy Laws (www.cbc.ca) 16

The Office of the Privacy Commissioner of Canada said Tuesday that the Canada-based online dating and social networking service Ashely Madison used inadequate privacy and security technology while marketing itself as a discreet and secure way for consenting adults to have affairs. CBC.ca reports: "In a report Tuesday, the privacy watchdog says the Toronto-based company violated numerous privacy laws in Canada and abroad in the era before a massive data breach exposed confidential information from their clients to hackers. The hack stole correspondence, identifying details and even credit card information from millions of the site's users. The resulting scandal cost the company about a quarter of its annual revenues from irate customers who demanded refunds and cancelled their accounts. Working with a similar agency in Australia, the privacy group says the company knew that its security protocols were lacking but didn't do enough to guard against being hacked. The company even adorned its website with the logo of a 'trusted security award' -- a claim the company admits it fabricated." The report found that "poor habits such as inadequate authentication processes and sub-par key and password management practices were rampant at the company" and that "much of the company's efforts to monitor its own security were 'focused on detecting system performance issues and unusual employee requests for decryption of sensitive user data.'" What's more is that Ashley Madison continued to store personal information of its users even after some of which had deleted or deactivated their account(s). These people then had their information included in databases published online after the hack.
Privacy

WikiLeaks Published Rape Victims' Names, Credit Cards, Medical Data (arstechnica.com) 161

Joe Mullin, writing for ArsTechnica: Even as WikiLeaks founder Julian Assange sits trapped in the Ecuadorean embassy, the WikiLeaks website continues to publish the secrets of various governments worldwide. But that's not all it's publishing. A report today by the Associated Press highlights citizens who had "sensitive family, financial or identity records" published by the site. "They published everything: my phone, address, name, details," said one Saudi man whose paternity dispute was revealed in documents published by the site. "If the family of my wife saw this... Publishing personal stuff like that could destroy people." One document dump, from Saudi diplomatic cables, held at least 124 medical files. The files named sick children, refugees, and patients with psychiatric conditions. In one case, the cables included the name of a Saudi who was arrested for being gay. In Saudi Arabia, homosexuality is punishable by death. In two other cases, WikiLeaks published the names of teenage rape victims. "This has nothing to do with politics or corruption," said Dr. Nayef al-Fayez, who had a patient with brain cancer whose personal details were published.
Facebook

Facebook Knows Your Political Preferences (businessinsider.com) 112

Facebook knows a lot more about its users than they think. For instance, the New York Times reports, the company is categorizing its users as liberal, conservative, or moderate. These details are valuable for advertisers and campaign managers, especially ahead of the election season. From a BusinessInsider report: For some, Facebook is able to come to conclusions about your political leanings easily, if you mention a political party on your page. For those that are less open about politics on social media, Facebook makes assumptions based on pages you like. As The New York Times explained, if you like Ben and Jerry's Facebook page and most of the other people that like that page identify as liberal, Facebook might assume you too are liberal.
Electronic Frontier Foundation

US Customs and Border Protection Wants To Know Who You Are On Twitter (eff.org) 305

An anonymous reader quotes a report from Electronic Frontier Foundation: U.S. border control agents want to gather Facebook and Twitter identities from visitors from around the world. But this flawed plan would violate travelers' privacy, and would have a wide-ranging impact on freedom of expression -- all while doing little or nothing to protect Americans from terrorism. A proposal has been issued by U.S. Customs and Border Protection to collect social media handles from visitors to the United States from visa waiver countries. The Electronic Frontier Foundation opposes the proposal and has commented on it individually and as part of a larger coalition. "CBP specifically seeks 'information associated with your online presence -- Provider/Platform -- Social media identifier' in order to provider DHS 'greater clarity and visibility to possible nefarious activity and connections' for 'vetting purposes,'" reports EFF. "In our comments, we argue that would-be terrorists are unlikely to disclose social media identifiers that reveal publicly available posts expressing support for terrorism." They say this plan "would unfairly violate the privacy of innocent travelers," would cause "innocent travelers" to "engage in self-censorship, cutting back on their online activity out of fear of being wrongly judged by the U.S. government," and would lead to a "slippery slope, where CBP would require U.S. citizens and residents returning home to disclose their social media handles, or subject both foreign visitors and U.S. persons to invasive device searches at ports of entry with the intent of easily accessing any and all cloud data."
Security

BHU's 'Tiger Will Power' Wi-Fi Router May Be The Most Insecure Router Ever Made (softpedia.com) 57

An anonymous reader writes from a report via Softpedia: A Wi-Fi router manufactured and sold only in China can easily run for the title of "most insecure router ever made." The BHU router, whose name translates to "Tiger Will Power," has a long list of security problems that include: four authentication bypass flaws (one of which is just hilarious); a built-in backdoor root account that gets created on every boot-up sequence; the fact that it opens the SSH port for external connections after every boot (somebody has to use that root backdoor account right?); a built-in proxy server that re-routes all traffic; an ad injection system that adds adverts to all the sites you visit; and a backup JS file embedded in the router firmware if the ad script fails to load from its server. For techies, there's a long technical write-up, which gets funnier and scarier at the same time as you read through it. "An attacker authenticating on the router can use a hardcoded session ID (SID) value of 700000000000000 to gain admin privileges," reports Softpedia. "If he misspells the SID and drops a zero, that's no problem. The BHU router will accept any value and still grant the user admin rights."
Crime

Turkish Journalist Jailed For Terrorism Was Framed, Forensic Report Shows (vice.com) 86

An anonymous reader quotes a report from Motherboard: Turkish investigative journalist Baris Pehlivan spent 19 months in jail, accused of terrorism based on documents found on his work computer. But when digital forensics experts examined his PC, they discovered that those files were put there by someone who removed the hard drive from the case, copied the documents, and then reinstalled the hard drive. The attackers also attempted to control the journalist's machine remotely, trying to infect it using malicious email attachments and thumb drives. Among the viruses detected in his computer was an extremely rare trojan called Ahtapot, in one of the only times it's been seen in the wild. Pehlivan went to jail in February of 2011, along with six of his colleagues, after electronic evidence seized during a police raid in 2011 appeared to connect all of them to Ergenekon, an alleged armed group accused of terrorism in Turkey. A paper recently published by computer expert Mark Spencer in Digital Forensics Magazine sheds light into the case after several other reports have acknowledged the presence of malware. Spencer said no other forensics expert noticed the Ahtapot trojan in the OdaTV case, nor has determined accurately how those documents showed up on the journalist's computer. However, almost all the reports have concluded that the incriminating files were planted. "We are not guilty," Baris Pehlivan told Andrada Fiscutean via Motherboard. "The files were put into our computers by a virus and by [attackers] entering the OdaTV office secretly. None of us has seen those documents before the prosecutor showed them to us." (OdaTV is the website Pehlivan works for and "has been critical of the government and the Gulen Movement, which was accused by Turkish president Recep Tayyip Erdogan of orchestrating the recent attempted coup.") In regard to the report, senior security consultant at F-Secure, Taneli Kaivola, says, "Yes, [the report] takes an impressive level of conviction to locally attack a computer four times, and remotely attack it seven times [between January 1, 2011, and February 11, 2011], as well as a certain level of technical skill to set up the infrastructure for those attacks, which included document forgery and date and time manipulation."
Government

Group Wants To Shut Down Tor For a Day On September 1 (softpedia.com) 219

An anonymous reader writes: An internal group at the Tor Project is calling for a full 24-hour shutdown of the Tor network to protest the way the Tor Project dealt with the Jake Applebaum sexual misconduct accusations, and because of recent rumors it might be letting former government agents in its ranks. Two Tor members, also node operators, have shut down their servers as well, because of the same reason. They explained their motivations here and here.
"The protesters have made 16 demands," according to the article, six related to related to supposed infiltration of Tor by government agents, and 10 regarding the Appelbaum ruling and investigation -- including "asking all Tor employees that participated in this investigation to leave" and "the persons behind the JacobAppelbaum.net and the @JakeMustDie and @VictimsOfJake Twitter accounts to come forward and their identities made public."
Security

Software Exploits Aren't Needed To Hack Most Organizations (darkreading.com) 56

The five most common ways of hacking an organization all involve stolen credentials, "based on data from 75 organizations, 100 penetration tests, and 450 real-world attacks," writes an anonymous Slashdot reader. In fact, 66% of the researchers' successful attacks involved cracking a weak domain user password. From an article on Dark Reading: Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian. Organizations would be far better served by improving credential management and network segmentation...

"If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian. The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do"... [O]ne stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way.

Similar results were reported in Verizon's 2016 Data Breach Investigations Report.
Government

Will Internet Voting Endanger The Secret Ballot? 214

MIT recently identified the states "at the greatest risk of having their voting process hacked". but added this week that "Maintaining the secrecy of ballots returned via the Internet is 'technologically impossible'..." Long-time Slashdot reader Presto Vivace quotes their article: That's according to a new report from Verified Voting, a group that advocates for transparency and accuracy in elections. A cornerstone of democracy, the secret ballot guards against voter coercion. But "because of current technical challenges and the unique challenge of running public elections, it is impossible to maintain the separation of voters' identities from their votes when Internet voting is used," concludes the report, which was written in collaboration with the Electronic Privacy Information Center and the anticorruption advocacy group Common Cause.
32 states are already offering some form of online voting, apparently prompting the creation of Verified Voting's new site, SecretBallotAtRisk.org.
Security

German Minister Wants Facial Recognition Software At Airports and Train Stations (www.rte.ie) 110

An anonymous Slashdot reader quotes a surprising report from Ireland's National Public Service Broadcaster (based on a report in the German newspaper Bild am Sonntag): Germany's Interior Minister wants to introduce facial recognition software at train stations and airports to help identify terror suspects following two Islamist attacks in the country last month... "Then, if a suspect appears and is recognised, it will show up in the system," he told the paper. He said a similar system was already being tested for unattended luggage, which the camera reports after a certain number of minutes. The article reports that other countries are also considering the technology.
Security

Has WikiLeaks Morphed Into A Malware Hub? (backchannel.com) 125

Slashdot reader mirandakatz writes: In releasing an unredacted database of emails from the Turkish party AKP, WikiLeaks exposed the public to a collection of malware -- and even after a Bulgarian security expert pointed this out publicly, the organization only removed the select pieces of malware that he identified, leaving well over a thousand malicious files on the site.

That AKP leak also included the addresses and other personal details of millions of Turkish women, not unlike the recent DNC leak, which included the personal data of many private individuals. WikiLeaks says this is all in the name of its "accuracy policy," but the organization seems to be increasingly putting the public at risk.

The article opens with the question, "What the hell happened to WikiLeaks?" then argues that "Once an inspiring effort at transparency, WikiLeaks now seems more driven by personal grudges and reckless releases of information..."
Security

Computer Science Professor Mocks The NSA's Buggy Code (softpedia.com) 177

After performing hours of analysis, a computer science professor says he's "not impressed" by the quality of the recently-leaked code that's supposedly from an NSA hacking tool. An anonymous Slashdot reader writes: The professor, who teaches Software Vulnerability Analysis and Advanced Computer Security at the University of Illinois, Chicago, gripes about the cryptography operations employed in the code of an exploit called BANANAGLEE, used against Fortinet firewalls. Some of his criticism include the words "ridiculous", "very bad", "crazy" and "boring memory leaks".

"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.

If these were cyberweapons, "I'm pretty underwhelmed by their quality," professor Checkoway writes on his blog, adding that he found "sloppy and buggy code," no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cypher initialization vectors that leaked bits of the hash of the plain text...
Privacy

PSA: Twitch's 'Activity Sharing' Feature Exposes Your Activity By Default (betanews.com) 12

The 'Activity Sharing' feature that Twitch announced on Thursday aims to notify your entire Friends list if you're doing something interesting. The video games streaming platform hopes that it would bolster the engagement level, as people will want to know what their friends are doing. The problem is that this feature is on by default. An anonymous reader writes: While the feature is fairly harmless, it is understandable that some people won't want others to easily spy on their behaviors. As an example, maybe you are watching a Hello Kitty game stream -- some folks might be embarrassed to have that displayed under their name. To turn it off, simply deselect the box as seen in this image.
Security

Password Strength Meters on Websites Are Doing a Terrible Job (theregister.co.uk) 147

An anonymous reader shares a report on The Register: Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley. Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection. Stockley revisited his examination of five popular password meters and found they failed to prevent users from entering the world's worst passwords. "You can't trust password strength meters on websites," Stockley says. "The passwords I used in the test are all, deliberately, absolutely dreadful ... they're chosen from a list of the 10,000 most common passwords and have characteristics I thought the password strength meters might overrate." The basis for his argument is that the meters rate character complexity but fail to identify those combinations that can be guessed outright such as popular passwords or those based on cliches.
Government

How The US Will Likely Respond To Shadow Brokers Leak (dailydot.com) 110

blottsie writes: The NSA and FBI are both expected to investigate the leak of NSA-linked cyberweapons this week by an entity calling itself the Shadow Brokers, experts with knowledge of the process tell the Daily Dot. However, multiple experts say any retaliation by the U.S. will likely remain secret to keep the tactical advantage. Meanwhile, Motherboard reports that some former NSA staffers believe the leak is the work of a "rogue NSA insider." "First, the incident will be investigated by the National Security Agency as it tracks down exactly what went so wrong that top-secret offensive code and exploits ended up stolen and published for the world to see," reports Daily Dot. "An FBI counterintelligence investigation will likely follow, according to experts with knowledge of the process. [...] Following the investigation, the NSA and other entities within the United States government will have to decide on a response." The response will depend on a lot of things, such as whether or not an insider at the NSA is responsible for the breach -- a theory that is backed by a former NSA staffer and other experts. "The process is called an IGL: Intelligence Gain/Loss," reports Daily Dot. "Authorities suss out a pro and con list for various reactions, including directly and publicly blaming another country. [Chris Finan, a former director of cybersecurity legislation in the Obama administration and now CEO of the security firm Manifold Technology, said:] 'Some people think about responding in kind: A U.S. cyberattack. Doing that gives up the asymmetric response advantage you have in cyberspace.' Finan urged authorities to look at all tools, including economic sanctions against individuals, companies, groups, governments, or diplomatic constraints, to send a message through money rather than possibly burning a cyberwar advantage. Exactly if and how the U.S. responds to the Shadow Brokers incident will depend on the source of the attack. Attribution in cyberwar is tricky or even impossible much of the time. It quickly becomes a highly politicized process ripe with anonymous sources and little solid fact."
Government

Cisco Patches 'ExtraBacon' Zero-day Exploit Leaked By NSA Hackers (dailydot.com) 100

Patrick O'Neill quotes a report from The Daily Dot: After a group of hackers stole and published a set of NSA cyberweapons earlier this week, the multibillion dollar tech firm Cisco is now updating its software to counter two potent leaked exploits that attack and take over crucial security software used to protect corporate and government networks. "Cisco immediately conducted a thorough investigation of the files released, and has identified two vulnerabilities affecting Cisco ASA devices that require customer attention," the company said in a statement. "On Aug. 17, 2016, we issued two Security Advisories, which deliver free software updates and workarounds where possible." The report adds: "An unknown group of hackers dubbed the Shadow Brokers posted cyberweapons stolen from the so-called Equation Group, the National Security Agency-linked outfit known as 'the most advanced' group of cyberwarriors in the internet's history. One of the cyberweapons posted was an exploit called ExtraBacon that can be used to attack Cisco Adaptive Security Appliance (ASA) software designed to protect corporate networks and data centers. 'ExtraBacon targets a particular firewall, Cisco ASA, running a particular version (8.x, up to 8.4), and you must have SNMP read access to it,' Khalil Sehnaoui, a Middle East-based cybersecurity specialist and founder of Krypton Security, told the Daily Dot. 'If run successfully, the exploit will enable the attacker to access the firewall without a valid username or password.' ExtraBacon was a zero-day exploit, Cisco confirmed. That means it was unknown to Cisco or its customers, leaving them open to attack by anyone who possessed the right tools."
Crime

Maker of Web Monitoring Software Can Be Sued (cio.com) 98

Reader Presto Vivace shares a CIO report: The maker of so-called spyware program WebWatcher can be sued for violating state and federal wiretap laws, a U.S. appeals court has ruled, in a case that may have broader implications for online monitoring software and software as a service. The U.S. Court of Appeals for the Sixth Circuit rejected WebWatcher vendor Awareness Technologies' motion to dismiss a lawsuit against the company. The appeals court overturned a lower court ruling granting the motion to dismiss. The appeals court, in a 2-1 decision rejected Awareness' claims that WebWatcher does not intercept communications in real time, in violation of the U.S. wiretap act, but instead allows users to review targets' communications. While plaintiff Javier Luis' lawsuit doesn't address real-time interception of communications, his allegations "give rise to a reasonable inference" of that happening, Judge Ronald Lee Gilman wrote. Awareness pitches WebWatcher as monitoring software for parents and employers. "All WebWatcher products install easily in 5 minutes or less, are undetectable (thus tamper proof) and all recorded data is sent to a secure web-based account which allows you to monitor kids and employees at your convenience from any computer," the company says.
Privacy

NSA Worried About Implications of Leaked Toolkits (businessinsider.com) 272

Reader wierd_w writes: According to Business Insider, the NSA is worried about the possible scope of information leaked from the agency, after a group calling themselves the 'Shadow Brokers' absconded with a sizable trove of penetration tools and technical exploits, which it plans to sell on the black market. Among the concerns are worries that active operations may have been exposed. Business insider quotes an undisclosed source as stating the possibility of the loss of such security and stealth (eg privacy) has had chilling effects for the agency, as they attempt to determine the fullness and scope of the leak.
(Does anyone besides me feel a little tickled about the irony of the NSA complaining about chilling effects of possibly being monitored?)

Businesses

Univision To Buy Gawker Media For $135 Million (recode.net) 137

An anonymous reader quotes a report from Recode: Univision has won the auction for Gawker Media. The TV network and digital publisher has agreed to pay $135 million for the bankrupt blog network, according to a person familiar with the deal. Univision's offer will encompass all seven of Gawker Media's sites, including Gawker.com. Ziff Davis and Univision were the only two bidders for Gawker, which filed for bankruptcy after Hulk Hogan and Peter Thiel won a $140 million judgment in a privacy case. Ziff Davis had originally offered $90 million for Gawker Media. Here's a statement from Gawker Media owner Nick Denton: "Gawker Media Group has agreed this evening to sell our business and popular brands to Univision, one of America's largest media companies that is rapidly assembling the leading digital media group for millennial and multicultural audiences. I am pleased that our employees are protected and will continue their work under new ownership -- disentangled from the legal campaign against the company. We could not have picked an acquirer more devoted to vibrant journalism." The deal won't be official for a bit. For starters, a U.S. bankruptcy court judge needs to sign off on the transaction. When it is final, the judgment funds will be set aside while Gawker appeals its court case; eventually the money will go to the side that wins.

Slashdot Top Deals