Privacy

Sniffing and Tracking Wearable Tech and Smartphones 37

Posted by samzenpus
from the all-the-better-to-follow-you-with dept.
An anonymous reader writes: Senior researcher Scott Lester at Context Information Security has shown how someone can easily monitor and record Bluetooth Low Energy signals transmitted by many mobile phones, fitness monitors, and iBeacons. The findings have raised concerns about the privacy and confidentiality wearable devices may provide. “Many people wearing fitness devices don’t realize that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device,” said Scott says. “Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device – that may belong to a celebrity, politician or senior business executive – within 100 meters in the open air. This information could be used for social engineering as part of a planned cyber attack or for physical crime by knowing peoples’ movements.” The researchers have even developed an Android app that scans, detects and logs wearable devices.
Firefox

Firefox's Optional Tracking Protection Reduces Load Time For News Sites By 44% 178

Posted by Soulskill
from the definition-of-a-win-win dept.
An anonymous reader writes: Former Mozilla software engineer Monica Chew and Computer Science researcher Georgios Kontaxis recently released a paper (PDF) that examines Firefox's optional Tracking Protection feature. The duo found that with Tracking Protection enabled, the Alexa top 200 news sites saw a 67.5 percent reduction in the number of HTTP cookies set. Furthermore, performance benefits included a 44 percent median reduction in page load time and 39 percent reduction in data usage.
Security

Researchers Devise Voting System That Seems Secure, But Is Hard To Use 98

Posted by Soulskill
from the find-the-candidate-and-hand-them-your-vote dept.
An anonymous reader writes: According to an article in ReadWrite, a team of British and American researchers have developed a hacker resistant process for online voting called Du-Vote. It uses a credit card-sized device that helps to divide the security-sensitive tasks between your computer and the device in a way that neither your computer nor the device learns how you voted (PDF). If a hacker managed to control the computer and the Du-Vote token, he still can't change the votes without being detected.
Security

Hacker Warns Starbucks of Security Flaw, Gets Accused of Fraud 104

Posted by Soulskill
from the biting-the-hand-that-doesn't-steal-from-you dept.
Andy Smith writes: Here's another company that just doesn't get security research. White hat hacker Egor Homakov found a security flaw in Starbucks gift cards which allowed people to steal money from the company. He reported the flaw to Starbucks, but rather than thank him, the company accused him of fraud and said he had been acting maliciously.
Security

Adult Dating Site Hack Reveals Users' Sexual Preference, Extramarital Affairs 173

Posted by Soulskill
from the another-day,-another-breach dept.
An anonymous reader notes this report from Channel 4 News that Adult FriendFinder, one of the largest dating sites in the world, has suffered a database breach that revealed personal information for 3.9 million of its users. The leaked data includes email addresses, IP addresses, birth dates, postal codes, sexual preferences, and information indicating which of them are seeking extramarital affairs. There even seems to be data from accounts that were supposedly deleted. Channel 4 saw evidence that there were plans for a spam campaign against these users, and others are worried that a blackmail campaign will follow. "Where you've got names, dates of birth, ZIP codes, then that provides an opportunity to actually target specific individuals whether they be in government or healthcare for example, so you can profile that person and send more targeted blackmail-type emails," said cybercrime specialist Charlie McMurdy.
Android

Factory Reset On Millions of Android Devices Doesn't Wipe Storage 91

Posted by samzenpus
from the stucking-around dept.
Bismillah writes: Ross Anderson and Laurent Simon of Cambridge University studied a range of Android devices and found that even though a "factory reset" is supposed to fully wipe storage, it often doesn't. Interestingly enough, full-device encryption could be compromised by the incomplete wiping too. ITnews reports: "The researchers estimated that 500 million Android devices may not fully wipe device disk partitions. As many as 630 million phones may not wipe internal SD cards. Five 'critical failures' were outlined in the researchers' Security Analysis of Android Factory Resets paper.
Google

NSA Planned To Hijack Google App Store To Hack Smartphones 94

Posted by samzenpus
from the all-the-better-to-see-you-with dept.
Advocatus Diaboli writes: A newly released top secret document reveals that the NSA planned to hijack Google and Samsung app stores to plant spying software on smartphones. The report on the surveillance project, dubbed "IRRITANT HORN," shows the U.S. and its "Five Eyes" alliance: Canada, the United Kingdom, New Zealand and Australia, were looking at ways to hack smartphones and spy on users. According to The Intercept: "The top-secret document, obtained from NSA whistleblower Edward Snowden, was published Wednesday by CBC News in collaboration with The Intercept. The document outlines a series of tactics that the NSA and its counterparts in the Five Eyes were working on during workshops held in Australia and Canada between November 2011 and February 2012."
Security

Netgear and ZyXEL Confirm NetUSB Flaw, Are Working On Fixes 34

Posted by samzenpus
from the protect-ya-neck dept.
itwbennett writes: In follow-up to a story that appeared on Slashdot yesterday about a critical vulnerability in the NetUSB service, networking device manufacturers ZyXEL Communications and Netgear have confirmed that some of their routers are affected and said they are working on fixes. ZyXEL will begin issuing firmware updates in June, while Netgear plans to start releasing patches in the third quarter of the year.
United States

What Was the Effect of Rand Paul's 10-Hour "Filibuster"? 362

Posted by samzenpus
from the lets-keep-talking dept.
An anonymous reader writes: Sen. Rand Paul held up a vote on the Fast Track Authority for an eleven hour dissertation on the flaws of: the Patriot Act, the replacement the USA Freedom Act, bulk data collection including credit card purchases, the DEA and IRS's use of NSA intel. for "parallel construction", warrant-less GPS bugs on vehicles, as well as the important distinction of a general warrant versus a specific one. "There is a general veil of suspicion that is placed on every American now. Every American is somehow said to be under suspicion because we are collecting the records of every American," Paul said. The questions is what did the "filibuster" really accomplish? The speeches caused a delay in Senate business but it's unclear what larger effect, if any, that will have.
Businesses

Security Researchers Wary of Wassenaar Rules 34

Posted by samzenpus
from the rules-of-the-game dept.
msm1267 writes: The Commerce Department's Bureau of Industry and Security today made public its proposal to implement the controversial Wassenaar Arrangement, and computer security specialists are wary of its language and vagaries. For starters, its definition of "intrusion software" that originally was meant to stem the effect of spying software such as FinFisher and Hacking Team, has also apparently snared many penetration testing tools. Also, despite the Commerce Department's insistence that vulnerability research does not fall under Wassenaar, researchers say that's up for interpretation.
Security

Stanford Researcher Finds Little To Love In Would-Be Hacker Marketplace 72

Posted by timothy
from the it-is-what-it-is dept.
An anonymous reader writes: What if there were an Uber for hackers? Well, there is. It's called Hacker's List, and it made the front page of the New York Times this year. Anyone can post or bid on an 'ethical' hacking project. According to new Stanford research, however, the site is a wreck. 'Most requests are unsophisticated and unlawful, very few deals are actually struck, and most completed projects appear to be criminal.' And it gets worse. 'Many users on Hacker's List are trivially identifiable,' with an email address or Facebook account. The research dataset includes thousands of individuals soliciting federal crimes.
Privacy

CareFirst Admits More Than a Million Customer Accounts Were Exposed In Security Breach 82

Posted by timothy
from the camel-cased-in-triplicate dept.
An anonymous reader writes with news, as reported by The Stack, that regional health insurer CareFirst BlueCross BlueShield, has confirmed a breach which took place last summer, and may have leaked personal details of as many as 1.1 million of the company's customers: "The Washington D.C.-based firm announced yesterday that the hack had taken place in June last year. CareFirst said that the breach had been a 'sophisticated cyberattack' and that those behind the crime had accessed and potentially stolen sensitive customer data including names, dates of birth, email addresses and ID numbers. All affected members will receive letters of apology, offering two years of free credit monitoring and identity threat protection as compensation, CareFirst said in a statement posted on its website." Free credit monitoring is pretty weak sauce for anyone who actually ends up faced with identity fraud.
Government

US Proposes Tighter Export Rules For Computer Security Tools 126

Posted by timothy
from the we'd-like-to-inspect-that-package dept.
itwbennett writes: The U.S. Commerce Department has proposed tighter export rules for computer security tools and could prohibit the export of penetration testing tools without a license. The proposal would modify rules added to the Wassenaar Arrangement in 2013 that limit the export of technologies related to intrusion and traffic inspection. The definition of intrusion software would also encompass 'proprietary research on the vulnerabilities and exploitation of computers and network-capable devices,' the proposal said.
Security

Telstra Says Newly Acquired Pacnet Hacked, Customer Data Exposed 15

Posted by samzenpus
from the getting-to-know-all-about-you dept.
An anonymous reader writes: Telstra’s Asian-based data center and undersea cable operator Pacnet has been hacked exposing many of the telco’s customers to a massive security breach. The company said it could not determine whether personal details of customers had been stolen, but it acknowledged the possibility. The Stack reports: "Telstra said that an unauthorized third party had been able to gain access to the Pacnet business management systems through a malicious software installed via a vulnerability on an SQL server. The hack had taken place just weeks before Telstra acquired the Asian internet service provider for $550mn on 16 April this year. The telecom company confirmed that it had not been aware of the hack when it signed the deal in December 2014."
Sci-Fi

Secret Files Reveal UK Police Feared That Trekkies Could Turn On Society 214

Posted by samzenpus
from the live-long-and-riot dept.
An anonymous reader writes: Scotland Yard was worried that fans of shows like the X Files and Star Trek might run amok during the Millennium according to secret files. The file, called UFO New Religious Movements (NRMs) And The Millennium, reveals that anti-terrorism experts were also concerned about the brain-washing effect of Dark Skies, Roswell, Millennium and The Lawnmower Man on viewers. According to the Telegraph: "The secret briefing note was obtained from the Met under the Freedom of Information Act by Sheffield-based British X-Files expert Dr Dave Clarke while researching a new book, How UFOs Conquered the World. Dr Clarke, who teaches investigative journalism at Sheffield Hallam University, said: 'The documents show the police and security services were concerned about the export of some new religious movements concerning UFOs and aliens from the USA in the aftermath of the mass suicide by followers of the Heaven's Gate.'"
The Almighty Buck

FBI: Social Media, Virtual Currency Fraud Becoming a Huge Problem 39

Posted by samzenpus
from the buy-my-web-dollars dept.
coondoggie writes: Criminals taking advantage of personal data found on social media and vulnerabilities of the digital currency system are two of the emerging Internet law-breaking trends identified by the FBI's Internet Crime Complaint Center (IC3) in its annual look at online crime. The IC3 said 12% of the complaints submitted in 2014 contained a social media trait. Complaints involving social media have quadrupled over the last five years. In most cases, victim’s personal information was exploited through compromised accounts or social engineering.
Privacy

Simple Flaw Exposed Data On Millions of Charter Internet Customers 29

Posted by samzenpus
from the protect-ya-neck dept.
Daniel_Stuckey writes: A security flaw discovered in the website of Charter Communications, a cable and Internet provider active in 28 states, may have exposed the personal account details of millions of its customers. Security researcher Eric Taylor discovered the internet service provider's vulnerability as part of his research, and demonstrated how a simple header modification performed with a browser plug-in could reveal details of Charter subscriber accounts. After Fast Company notified Charter of the issue, the company said it had installed a fix within hours.
Security

How 1990s Encryption Backdoors Put Today's Internet In Jeopardy 42

Posted by samzenpus
from the grunge-net dept.
An anonymous reader writes: While debate swirls in Washington D.C. about new encryption laws, the consequences of the last crypto war is still being felt. Logjam vulnerabilities making headlines today is "a direct result of weakening cryptography legislation in the 1990s," researcher J. Alex Halderman said. "Thanks to Moore's law and improvements in cryptanalysis, the ability to break that crypto is something really anyone can do with open-source software. The backdoor might have seemed like a good idea at the time. Maybe the arguments 20 years ago convinced people this was going to be safe. History has shown otherwise. This is the second time in two months we've seen 90s era crypto blow up and put the safety of everyone on the internet in jeopardy."
Security

Eugene Kaspersky: "Our Business Is Saving the World From Computer Villains" 288

Posted by samzenpus
from the listen-up dept.
blottsie writes: While the nature of Kaspersky's relationship with the Kremlin remains, at the very least, a matter of contention, his company's influence is anything but hazy. On top of their successful antivirus business, Kaspersky Lab researchers have discovered key details about the now-infamous Stuxnet virus, which was deployed by the U.S. and Israel against Iran's nuclear facilities. Kaspersky analysts later uncovered Flame, which the Washington Post found was another American-Israeli cyberweapon against Iran. All of this is on top of building a highly successful antivirus business. In a new interview with the Daily Dot, Kaspersky elaborates on thoughts about his company, his wealth, and the state of modern cybersecurity.
Government

Do Russian Uranium Deals Threaten World Supply Security? 99

Posted by samzenpus
from the plenty-to-go-around dept.
Lasrick writes: A recent article in the New York Times notes that the Russian state nuclear corporation Rosatom and associated firms are gaining control of a growing number of uranium resources and mining operations. The article, headlined Cash Flowed to Clinton Foundation Amid Russian Uranium Deal focuses on donations to charities connected to former US President Bill Clinton and his family, made by businessmen who stood to profit from the sale of Uranium One, a Canadian company with worldwide uranium-mining interests. But a major premise of the article is that Russian uranium control threatens the security of the global uranium supply. Steve Fetter and Erich Schneider demolish the idea that Russian control of uranium stocks is a threat to global security.