Leap Towards a Career in Ethical Hacking with 60+ Hours of Prep Toward CISM, CISA, & More Certification Exams at 95% off ×
Network

Tor To Use Distributed RNG To Generate Truly Random Numbers (softpedia.com) 61

An anonymous reader quotes a report from Softpedia: Tor developers have been working on the next iteration of the Tor network and its underbelly, the Onion routing protocol, in order to create a stronger, harder-to-crack anonymous communications system. To advance the project, the developer team schedules brainstorming and planning meetings at regular intervals. The most recent of these meetings took place last week, in Montreal, Canada. In this session, the team tested the next generation of the Tor network working on top of a revamped Onion protocol that uses a new algorithm for generating random numbers, never before seen on the Internet. The Tor Project says it created something it calls "a distributed RNG" (random number generator) that uses two or more computers to create random numbers and then blends their outputs together into a new random number. The end result is something that's almost impossible to crack without knowing which computers from a network contributed to the final random number, and which entropy each one used. Last week, two University of Texas academics have made a breakthrough in random number generation. The work is theoretical, but could lead to a number of advances in cryptography, scientific polling, and the study of various complex environments such as the climate.
Microsoft

Microsoft May Ban Your Favorite Password (securityweek.com) 149

wiredmikey writes from a report via SecurityWeek.Com: Microsoft is taking a step to better protect users by banning the use of weak and commonly-used passwords across its services. Microsoft has announced that it is dynamically banning common passwords from Microsoft Account and Azure Active Directory (AD) system. In addition to banning commonly used passwords to improve user account safety, Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked. [Alex Weinert, Group Program Manager of Azure AD Identity Protection team explains in a blog post that] Microsoft is seeing more than 10 million accounts being attacked each day, and that this data is used to dynamically update the list of banned passwords. This list is then used to prevent people from choosing a common or similar password. Microsoft's new feature comes after last week's leak of 117 million LinkedIn credentials.
Open Source

CentOS Linux 6.8 Released (softpedia.com) 58

An anonymous reader writes: CentOS team is pleased to announce the immediate availability of CentOS Linux 6.8 and install media for i386 and x86_64 Architectures. Release Notes for 6.8 are available here. Softpedia writes: "CentOS Linux 6.8 arrives today with major changes, among which we can mention the latest Linux 2.6.32 kernel release from upstream with support for storing up to 300TB of data on XFS filesystems. The VPN endpoint solution implemented in the NetworkManager network connection manager utility is now provided on the libreswan library instead of the Openswan IPsec implementation used in previous release of the OS, and it looks like the SSLv2 protocol has been disabled by default for the SSSD (System Security Services Daemon), which also comes with support for smart cards now." In addition, the new release comes with updated applications, including the LibreOffice 4.3.7 office suite and Squid 3.4 caching and forwarding web proxy, many of which are supporting the Transport Layer Security (TLS) 1.2 protocol, including Git, YUM, Postfix, OpenLDAP, stunnel, and vsftpd. The dmidecode open-source tool now supports SMBIOS 3.0.0, you can now pull kickstart files from HTTPS (Secure HTTP) sources, the NTDp (Network Time Protocol daemon) package has an alternative solution as chrony, SSLv3 has been disabled by default, and there's improved support for Hyper-V.
Facebook

Facebook Could Be Eavesdropping On Your Phone Calls (news10.com) 161

An anonymous reader writes: Facebook is not just looking at user's personal information, interests, and online habits but also to your private conversations, revealed a new report. According to NBC report, this may be the case as Kelli Burns, a professor at University of South Florida states, "I don't think that people realize how much Facebook is tracking every move we're making online. Anything that you're doing on your phone, Facebook is watching." the professor said. Now how do you prove that? Professor Kelli tested out her theory by enabling the microphone feature, and talked about her desire to go on a safari, informing about the mode of transport she would take. "I'm really interested in going on an African safari. I think it'd be wonderful to ride in one of those jeeps," she said aloud, phone in hand. The results were shocking, as less than 60 seconds later, the first post on her Facebook feed was about a safari story out of nowhere, which was then revealed that the story had been posted three hours earlier. And, after mentioning a jeep, a car ad also appeared on her page. On a support page, Facebook explains how this feature works: "No, we don't record your conversations. If you choose to turn on this feature, we'll only use your microphone to identify the things you're listening to or watching based on the music and TV matches we're able to identify. If this feature is turned on, it's only active when you're writing a status update." I wonder how many people are actually aware of this.
Government

TSA Replaces Security Chief As Tension Grows At Airports 257

HughPickens.com writes: Ron Nixon reports at the NYT that facing a backlash over long security lines and management problems, TSA administrator Peter V. Neffenger has shaken up his leadership team, replacing the agency's top security official Kelly Hoggan (Warning: source may be paywalled) and adding a new group of administrators at Chicago O'Hare International Airport. Beginning late that year, Hoggan received $90,000 in bonuses over a 13-month period, even though a leaked report from the Department of Homeland Security showed that auditors were able to get fake weapons and explosives past security screeners 95 percent of the time in 70 covert tests. Hoggan's bonus was paid out in $10,000 increments, an arrangement that members of Congress have said was intended to disguise the payments. During a hearing of the House Oversight Committee two weeks ago, lawmakers grilled Mr. Neffenger about the bonus, which was issued before he joined the agency in July. Last week and over the weekend, hundreds of passengers, including 450 on American Airlines alone, missed flights because of waits of two or three hours in security lines, according to local news reports. Many of the passengers had to spend the night in the terminal sleeping on cots. The TSA has sent 58 additional security officers and four more bomb-sniffing dog teams to O'Hare. Several current and former TSA employees said the moves to replace Hoggan and add the new officials in Chicago, where passengers have endured hours long waits at security checkpoints, were insufficient. "The timing of this decision is too late to make a real difference for the summer," says Andrew Rhoades, an assistant federal security director at Minneapolis-St. Paul International Airport who testified his supervisor accused him of "going native" after attending a meeting at a local mosque and that TSA's alleged practice of "directed reassignments," or unwanted job transfers were intended to punish employees who speak their minds. "Neffenger is only doing this because the media and Congress are making him look bad."
Java

Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard (softpedia.com) 81

An anonymous reader writes: "It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands," writes Softpedia. "This type of attack is known as clipboard hijacking, and in most scenarios, is useless, except when the user copies something inside their terminal." Security researcher Dylan Ayrey published a new version of this attack last week, which uses only JavaScript as the attack medium, giving the attack more versatility and making it now easier to carry out. The attack is called Pastejacking and it uses Javascript to theoretically allow attackers to add their malicious code to the entire page to run commands behind a user's back when they paste anything inside the console. "The attack can be deadly if combined with tech support or phishing emails," writes Softpedia. "Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them."
Security

Elderly Use More Secure Passwords Than Millennials, Says Report (qz.com) 149

An anonymous reader writes from a report via Quartz: A report released May 24 by Gigya surveyed 4,000 adults in the U.S. and U.K. and found that 18- to 34-year-olds are more likely to use bad passwords and report their online accounts being compromised. The majority of respondents ages 51 to 69 say they completely steer away from easily cracked passwords like "password," "1234," or birthdays, while two-thirds of those in the 18-to-34 age bracket were caught using those kind of terms. Quartz writes, "The diligence of the older group could help explain why 82% of respondents in this age range did not report having had any of their online accounts compromised in the past year. In contrast, 35% of respondents between 18 and 34 said at least one of their accounts was hacked within the last 12 months, twice the rate of those aged 51 to 69."
The Internet

Hacker Phineas Fisher is Trying To Start a 'Hack Back' Political Movement (vice.com) 122

An anonymous reader writes: The hacker who breached Hacking Team and FinFisher is trying to get more people to "hack back" and fight "the system." For some, thanks to his targeted attacks and sophisticated political views, Phineas Fisher is quickly becoming the most influential hacktivist of the last few years. In response to his most recent hack where he released a 39-minute how-to video showing how to strip data from targeted websites, specifically a website of the Catalan police union, Phineas Fisher told Motherboard, "Everything doesn't have to be big. I wanted to strike a small blow at the system, teach a bit of hacking with the video, and inspire people to take action." Biella Coleman, professor at McGill University in Montreal, believes Phineas Fisher has a good chance of inspiring a new generation of hacktivists and "setting the stage for other hackers to follow in his footsteps." She says he has been better at choosing targets and justifying his actions with more rounded and sophisticated political and ethical views than Anonymous and LulzSec-inspired hackers. Phineas Fisher told Motherboard, "I don't want to be the lone hacker fighting the system. I want to inspire others to take similar action, and try to provide the information so they can learn how."
Government

FBI Wants Biometric Database Hidden From Privacy Act (onthewire.io) 81

Trailrunner7 quotes a report from onthewire.io: The FBI is working to keep information contained in a key biometric database private and unavailable, even to people whose information is contained in the records. The database is known as the Next Generation Identification System (NGIS), and it is an amalgamation of biometric records accumulated from people who have been through one of a number of biometric collection processes. That could include convicted criminals, anyone who has submitted records to employers, and many other people. The NGIS also has information from agencies outside of the FBI, including foreign law enforcement agencies and governments. Because of the nature of the records, the FBI is asking the federal government to exempt the database from the Privacy Act, making the records inaccessible through information requests. From the report: "The bureau says in a proposal to exempt the database from disclosure that the NGIS should be exempt from the Privacy Act for a number of reasons, including the possibility that providing access 'could compromise sensitive law enforcement information, disclose information which would constitute an unwarranted invasion of another's personal privacy; reveal a sensitive investigative technique; could provide information that would allow a subject to avoid detection or apprehension; or constitute a potential danger to the health or safety of law enforcement personnel, confidential sources, and witnesses.'" RT released a similar report on the matter.
AI

Avoiding BlackBerry's Fate: How Apple Could End Up In a Similar Position (marco.org) 214

It's almost unbelievable today that BlackBerry ruled the smartphone market once. The Canadian company's handset, however, started to lose relevance when Apple launched the iPhone in 2007. At the time, BlackBerry said that nobody would purchase an iPhone, as there's a battery trade-off. Wittingly or not, Apple could end up in a similar position to BlackBerry, argues Marco Arment. Arment -- who is best known for his Apple commentary, Overcast and Instapaper apps, and co-founding Tumblr -- says that Apple's strong stand on privacy is keeping it from being the frontrunner in the advanced AI, a category which has seen large investments from Google, Apple, Facebook, and Amazon in the recent years. He adds that privacy cannot be an excuse, as Apple could utilize public data like the web, mapping databases, and business directories. He writes: Today, Amazon, Facebook, and Google are placing large bets on advanced AI, ubiquitous assistants, and voice interfaces, hoping that these will become the next thing that our devices are for. If they're right -- and that's a big "if" -- I'm worried for Apple. Today, Apple's being led properly day-to-day and doing very well overall. But if the landscape shifts to prioritise those big-data AI services, Apple will find itself in a similar position as BlackBerry did almost a decade ago: what they're able to do, despite being very good at it, won't be enough anymore, and they won't be able to catch up. Where Apple suffers is big-data services and AI, such as search, relevance, classification, and complex natural-language queries. Apple can do rudimentary versions of all of those, but their competitors -- again, especially Google -- are far ahead of them, and the gap is only widening. And Apple is showing worryingly few signs of meaningful improvement or investment in these areas. Apple's apparent inaction shows that they're content with their services' quality, management, performance, advancement, and talent acquisition and retention. One company that is missing from Mr. Arment's column is Microsoft. The Cortana-maker has also placed large bets on AI. According to job postings on its portal, it appears, for instance, that Microsoft is also working on Google Home-like service.
Crime

Real-Life RoboCop Guards Shopping Centers In California (metro.co.uk) 100

An anonymous reader quotes a report from Metro: While machines from the likes of RoboCop and Chappie might just be the reserve of films for now, this new type of robot is already fighting crime. This particular example can be found guarding a shopping center in California but there are other machines in operation all over the state. Equipped with self-navigation, infra-red cameras and microphones that can detect breaking glass, the robots, designed by Knightscope, are intended to support security services. Stacy Dean Stephens, who came up with the idea, told The Guardian the problem that needed solving was one of intelligence. "And the only way to gain accurate intelligence is through eyes and ears," he said. "So, we started looking at different ways to deploy eyes and ears into situations like that." The robot costs about $7 an hour to rent and was inspired by the Sandy Hook school shooting after which it was claimed 12 lives could have been saved if officers arrived a minute earlier.
Privacy

Uber Knows Exactly When You'll Pay Surge Pricing (yahoo.com) 210

An anonymous reader writes: Uber has figured out exactly when you are more likely to pay double or triple the cost of your ride: when your phone battery is low. Uber's head of economic research, Keith Chen, recently told NPR on an episode of The Hidden Brain podcast that people are willing to accept up to 9.9 times surge pricing if their phones are about to go dead. Data about user batteries is collected because the app uses that information to know when to switch into low-power mode. The idea being: If you really need to get where you're going, you'll pay just about anything (or at least 9.9 times anything) to ensure you're getting a ride home and won't be stranded. A person with a more fully charged device has time to wait and see if the surge pricing goes down.The company insists that it won't use this information against you.
Government

New Surveillance System May Let Cops Use All Of The Cameras (engadget.com) 116

An anonymous reader quotes a report from Wired: [Computer scientists have created a way of letting law enforcement tap any camera that isn't password protected so they can determine where to send help or how to respond to a crime.] The system, which is just a proof of concept, alarms privacy advocates who worry that prudent surveillance could easily lead to government overreach, or worse, unauthorized use. It relies upon two tools developed independently at Purdue. The Visual Analytics Law Enforcement Toolkit superimposes the rate and location of crimes and the location of police surveillance cameras. CAM2 reveals the location and orientation of public network cameras, like the one outside your apartment. You could do the same thing with a search engine like Shodan, but CAM2 makes the job far easier, which is the scary part. Aggregating all these individual feeds makes it potentially much more invasive. [Purdue limits access to registered users, and the terms of service for CAM2 state "you agree not to use the platform to determine the identity of any specific individuals contained in any video or video stream." A reasonable step to ensure privacy, but difficult to enforce (though the team promises the system will have strict security if it ever goes online). Beyond the specter of universal government surveillance lies the risk of someone hacking the system.] EFF discovered that anyone could access more than 100 "secure" automated license plate readers last year.
The Courts

Google Appeals French Order For Global 'Right To Be Forgotten' (reuters.com) 166

An anonymous reader quotes a report from Reuters: Alphabet Inc's Google appealed on Thursday an order from the French data protection authority to remove certain web search results globally in response to a European privacy ruling, escalating a fight on the extra-territorial reach of EU law. In May 2014, the European Court of Justice (ECJ) ruled that people could ask search engines, such as Google and Microsoft's Bing, to remove inadequate or irrelevant information from web results appearing under searches for people's names -- dubbed the "right to be forgotten." Google complied, but it only scrubbed results across its European websites such as Google.de in Germany and Google.fr in France, arguing that to do otherwise would set a dangerous precedent on the territorial reach of national laws. The French regulator, the Commission Nationale de l'Informatique et des Libertes (CNIL), fined Google 100,000 euros ($112,150.00) in March for not delisting more widely, arguing that was the only way to uphold Europeans' right to privacy. The company filed its appeal of the CNIL's order with France's supreme administrative court, the Council of State. "One nation does not make laws for another," said Dave Price, senior product counsel, Google. "Data protection law, in France and around Europe, is explicitly territorial, that is limited to the territory of the country whose law is being applied." Google's Transparency Report indicates the company accepts around 40 percent of requests for the removal of links appearing under search results for people's names.
Google

Google Is A Serial Tracker (softpedia.com) 110

An anonymous reader writes: Two Princeton academics conducted a massive research into how websites track users using various techniques. The results of the study, which they claim to be the biggest to date, shows that Google, through multiple domains, is tracking users on around 80 percent of all Top 1 Million domains. Researchers say that Google-owned domains account for the top 5 most popular trackers and 12 of the top 20 tracker domains. Additionally, besides tracking scripts, HTML5 canvas fingerprinting and WebRTC local IP discover, researchers discovered a new user fingerprinting technique that uses the AudioContext API. Third-party trackers use it to send low-frequency sounds to a user's PC and measure how the PC processes the data, creating an unique fingerprint based on the user's hardware and software capabilities. A demo page for this technique is available. Of course, this sort of thing is nothing new and occurs all across the web and beyond. MIT and Oxford published a study this week that revealed that Twitter location tags on only a few tweets can reveal details about the account's owner, such as his/her real world address, hobbies and medical history. Another recently released study by Stanford shows that phone call metadata can also be used to infer personal details about a phone owner.
Network

TeslaCrypt Ransomware Maker Shuts Down, Releases Master Key (techcrunch.com) 49

An anonymous reader writes: The TeslaCrypt ransomware makers have officially closed down shop and apologized for all the damage they have caused in the past. TeslaCrypt upset a lot of gamers as it would locate and encrypt video games on your Windows PC. With the recent decision to shut down, anti-ransomware researchers have been able to create a fool-proof decryption app called TeslaDecoder (Link is a direct download). Now, many of the hard drives rendered useless by the malware are available to use, and almost every file can be accessed using the unlock system. "TeslaCrypt's website was on the Tor network and now consists of a master key and an apology," writes TechCrunch.
Google

Don't Use Google Allo (vice.com) 127

At its developer conference on Wednesday, Google announced Allo, a chatbot-enabled messaging app. The app offers a range of interesting features such as the ability to quickly doodle on an image and get prompt responses. Additionally, it is the "first Google" product to offer end-to-end encryption, though that is not turned on by default. If you're concerned about privacy, you will probably still want to avoid Allo, says the publication. From the report: Allo's big innovation is "Google Assistant," a Siri competitor that will give personalized suggestions and answers to your questions on Allo as well as on the newly announced Google Home, which is a competitor to Amazon's Echo. On Allo, Google Assistant will learn how you talk to certain friends and offer suggested replies to make responding easier. Let that sink in for a moment: The selling point of this app is that Google will read your messages, for your convenience. Google would be insane to not offer some version of end-to-end encryption in a chat app in 2016, when all of its biggest competitors have it enabled by default. Allo uses the Signal Protocol for its encryption, which is good. But as with all other Google products, Allo will work much better if you let Google into your life. Google is banking on the idea that you won't want to enable Incognito Mode, and thus won't enable encryption.Edward Snowden also chimed in on the matter. He said, "Google's decision to disable end-to-end encryption by default in its new Allo chat app is dangerous, and makes it unsafe. Avoid it for now."
Security

Updated Skimer Malware Infects ATMs Worldwide (thestack.com) 121

An anonymous reader writes: Researchers at Kaspersky have discovered an improved version of Backdoor.Win32.Skimer infecting ATM machines worldwide. The new Skimer allows criminal access to card data, including PIN numbers, as well as to the actual cash located in the machine. The malicious installers use the packer Thermida to disguise the Skimer malware which is then installed on the ATM. If the ATM file system is FAT32, the malware drops the file netmgr.dll in the folder C:\Windows\System32. If the ATM has an NTFS file system, netmgr.dll is placed in the executable file of the NTFS data stream, which makes detection and analysis of the malware more difficult. Skimer may lie dormant for months until it is activated with the phsyical use of a "magic card," which gives access control to the malware, and then offers a list of options that are accessed by inputing a choice on the pin pad. The user can then request the ATM to: show installation details, dispense money, start collecting the details of inserted cards, print collected card details, self delete, enable debug mode, and update. Here's a video of the Skimer malware in action.
Security

LinkedIn User? Your Data May Be Up For Sale (zdnet.com) 71

An anonymous reader cites a ZDNet report: Reports indicate that a LinkedIn data breach may have led to the sale of sensitive data belonging to 117 million users. The company's website experienced a data breach in 2012, but the true consequences of the breach are only now becoming apparent. Users of LinkedIn's website in 2012 discovered that roughly 6.5 million user account passwords were posted online, and the company never completely confirmed just who was impacted by the security incident. However, a hacker called "Peace" told the publication that this information is being sold on the dark web for roughly $2,200, and paid hacker data search engine LeakedSource also claims to have the data. Both sources say there are approximately 167 million accounts in the data dump, 117 million of which have both emails and encrypted passwords.LinkedIn has acknowledged the breach. In a blog post, the company writes: Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.
Government

Developer Of Anonymous Tor Software Dodges FBI, Leaves US (cnn.com) 323

An anonymous reader quotes a report from CNN: FBI agents are currently trying to subpoena one of Tor's core software developers to testify in a criminal hacking investigation, CNNMoney has learned. But the developer, who goes by the name Isis Agora Lovecruft, fears that federal agents will coerce her to undermine the Tor system -- and expose Tor users around the world to potential spying. That's why, when FBI agents approached her and her family over Thanksgiving break last year, she immediately packed her suitcase and left the United States for Germany. "I was worried they'd ask me to do something that hurts innocent people -- and prevent me from telling people it's happening," she said in an exclusive interview with CNNMoney. Earlier in the month, Tech Dirt reported the Department of Homeland Security wants to subpoena the site over the identity of a hyperbolic commenter.

Slashdot Top Deals