Security

Huddle's 'Highly Secure' Work Tool Exposed KPMG And BBC Files (bbc.com) 36

Chris Foxx, reporting for BBC: The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties. A BBC journalist was inadvertently signed in to a KPMG account, with full access to private financial documents. Huddle is an online tool that lets work colleagues share content and describes itself as "the global leader in secure content collaboration." The company said it had fixed the flaw. Its software is used by the Home Office, Cabinet Office, Revenue & Customs, and several branches of the NHS to share documents, diaries and messages. "If somebody is putting themselves out there as a world-class service to look after information for you, it just shouldn't happen," said Prof Alan Woodward, from the University of Surrey. "Huddles contain some very sensitive information."
Transportation

US Airports Still Fail New Security Tests (go.com) 182

schwit1 quotes ABC News: In recent undercover tests of multiple airport security checkpoints by the Department of Homeland Security, inspectors said screeners, their equipment or their procedures failed more than half the time, according to a source familiar with the classified report. When ABC News asked the source if the failure rate was 80 percent, the response was, "You are in the ballpark." In a public hearing after a private classified briefing to the House Committee on Homeland Security, members of Congress called the failures by the Transportation Security Administration disturbing. Rep. Mike Rogers went as far as to tell TSA Administrator David Pekoske, "This agency that you run is broken badly, and it needs your attention."
Bug

The iPhone X Becomes Unresponsive When It Gets Cold (zdnet.com) 196

sqorbit writes: Apple is working on a fix for the newly release iPhone X. It appears that the touch screen can become unresponsive when the iPhone is subjected to cold weather. Users are reporting that locking and unlocking the phone resolves the issue. Apple stated that it is aware of the issue and it will be addressed in a future update.
Businesses

Equifax Tells Investors They Could Be Breached Again - And That They're Still Profitable (nypost.com) 90

"Equifax executives will forgo their 2017 bonuses," reports CNBC. But according to the New York Post, the company "hasn't lost any significant business customers... Equifax largely does business with banks and other financial institutions -- not with the people they collect information on."

Even though it's facing more than 240 class-action lawsuits, Equifax's revenue actually increased 3.8% from July to September, to a whopping $834.8 million, while their net income for that period was $96.3 million -- which is still more than the $87.5 million that the breach cost them, according to a new article shared by chicksdaddy: The disclosure, made as part of the company's quarterly filing with the US Securities and Exchange Commission, is the first public disclosure of the direct costs of the incident, which saw the company's stock price plunge by more than 30% and wiped out billions of dollars in value to shareholders. Around $55.5m of the $87.5m in breach-related costs stems from product costs â" mostly credit monitoring services that it is offering to affected individuals. Professional fees added up to another $17.1m for Equifax and consumer support costs totaled $14.9m, the company said. Equifax also said it has spent $27.3 million of pretax expenses stemming from the cost of investigating and remediating the hack to Equifax's internal network as well as legal and other professional expenses.

But the costs are likely to continue. Equifax is estimating costs of $56 million to $110 million in "contingent liability" in the form of free credit monitoring and identity theft protection to all U.S. consumers as a good will gesture. The costs provided by Equifax are an estimate of the expenses necessary to provide this service to those who have signed up or will sign up by the January 31, 2018 deadline. So far, however, the company has only incurred $4.7 million through the end of September. So, while the upper bound of those contingent liability costs is high, there's good reason to believe that they will never be reached.

The Post reports that some business customers "have delayed new contracts until Equifax proves that they've done enough to shore up their cybersecurity."

But in their regulatory filing Thursday, Equifax admitted that "We cannot assure that all potential causes of the incident have been identified and remediated and will not occur again."
Encryption

iPhone Encryption Hampers Investigation of Texas Shooter, Says FBI (chron.com) 240

"FBI officials said Tuesday they have been stymied in their efforts to unlock the cellphone of the man who shot and killed at least 26 people at a church here on Sunday," reports the Houston Chronicle. Slashdot reader Anon E. Muss writes: The police obtained a search warrant for the phone, but so far they've been unable to unlock it. The phone has been sent to the FBI, in the hope that they can break in... If it is secure, and the FBI can't open it, expect all hell to break loose. The usual idiots (e.g. politicians) will soon be ranting hysterically about the evil tech industry, and how they're refusing to help law enforcement.
FBI special agent Christopher Combs complained to the Chronicle that "law enforcement increasingly cannot get in to these phones."

A law professor at the Georgia Institute of Technology argues there's other sources of information besides a phone, and police officers might recognize this with better training. As just one example, Apple says the FBI could've simply just used the dead shooter's fingerprint to open his iPhone. But after 48 hours, the iPhone's fingerprint ID stops working.
Bug

Researchers Run Unsigned Code on Intel ME By Exploiting USB Ports (thenextweb.com) 171

Slashdot user bongey writes: A pair of security researchers in Russia are claiming to have compromised the Intel Management Engine just using one of the computer's USB ports. The researchers gained access to a fully functional JTAG connection to Intel CSME via USB DCI. The claim is different from previous USB DCI JTAG examples from earlier this year. Full JTAG access to the ME would allow making permanent hidden changes to the machine.
"Getting into and hijacking the Management Engine means you can take full control of a box," reports the Register, "underneath and out of sight of whatever OS, hypervisor or antivirus is installed."

They add that "This powerful God-mode technology is barely documented," while The Next Web points out that USB ports are "a common attack vector."
United States

H1-B Administrators Are Challenging An Unusually Large Number of Applications (bloomberg.com) 304

Long-time Slashdot reader decaffeinated quotes Bloomberg: Starting this summer, employers began noticing that U.S. Citizenship and Immigration Services was challenging an unusually large number of H-1B applications. Cases that would have sailed through the approval process in earlier years ground to a halt under requests for new paperwork. The number of challenges -- officially known as "requests for evidence" or RFEs -- are up 44 percent compared to last year, according to statistics from USCIS...

"We're entering a new era," said Emily Neumann, an immigration lawyer in Houston who has been practicing for 12 years. "There's a lot more questioning, it's very burdensome." She said in past years she's counted on 90 percent of her petitions being approved by Oct. 1 in years past. This year, only 20 percent of the applications have been processed. Neumann predicts she'll still have many unresolved cases by the time next year's lottery happens in April 2018.

Security

The Computer Scientist Who Prefers Voting With Paper (theatlantic.com) 219

Geoffrey.landis writes: The Atlantic profiles a computer scientist: Barbara Simons, who has been on the forefront of the pushback against electronic voting as a technology susceptible to fraud and hacking. When she first started writing articles about the dangers of electronic voting with no paper trail, the idea that software could be manipulated to rig elections was considered a fringe preoccupation; but Russia's efforts to influence the 2016 presidential election have reversed Simons's fortunes. According to the Department of Homeland Security, those efforts included attempts to meddle with the electoral process in 21 states; while a series of highly publicized hacks -- at Sony, Equifax, the U.S. Office of Personnel Management -- has driven home the reality that very few computerized systems are truly secure. Simons is a former President of the Association for Computing Machinery (ACM); and the group she helps run, Verified Voting, has been active in educating the public about the dangers of unverified voting since 2003.
Bug

Sex Toy Company Admits To Recording Users' Remote Sex Sessions, Calls It a 'Minor Bug' (theverge.com) 81

According to Reddit user jolioshmolio, Hong Kong-based sex toy company Lovense's remote control vibrator app (Lovense Remote) recorded a use session without their knowledge. "An audio file lasting six minutes was stored in the app's local folder," reports The Verge. "The user says he or she gave the app access to the mic and camera but only to use with the in-app chat function and to send voice clips on command -- not constant recording when in use." The app's behavior appears to be widespread as several others confirmed it too. From the report: A user claiming to represent Lovense responded and called this recording a "minor bug" that only affects Android users. Lovense also says no information or data was sent to the company's servers, and that this audio file exists only temporarily. An update issued today should fix the bug. This isn't Lovense's first security flub. Earlier this year, a butt plug made by the company -- the Hush -- was also found to be hackable. In the butt plug's case, the vulnerability had to do with Bluetooth, as opposed to the company spying on users.
Facebook

This Time, Facebook Is Sharing Its Employees' Data (fastcompany.com) 45

tedlistens writes from a report via Fast Company: "Facebook routinely shares the sensitive income and employment data of its U.S.-based employees with the Work Number database, owned by Equifax Workforce Solutions," reports Fast Company. "Every week, Facebook provides an electronic data feed of its employees' hourly work and wage information to Equifax Workforce Solutions, formerly known as TALX, a St. Louis-based unit of Equifax, Inc. The Work Number database is managed separately from the Equifax credit bureau database that suffered a breach exposing the data of more than 143 million Americans, but it contains another cache of extensive personal information about Facebook's employees, including their date of birth, social security number, job title, salary, pay raises or decreases, tenure, number of hours worked per week, wages by pay period, healthcare insurance coverage, dental care insurance coverage, and unemployment claim records."

Surprisingly, Facebook is among friends. Every payroll period, Amazon, Microsoft, and Oracle provide an electronic feed of their employees' hourly work and wage information to Equifax. So do Wal-Mart, Twitter, AT&T, Harvard Law School, and the Commonwealth of Pennsylvania. Even Edward Snowden's former employer, the sometimes secretive N.S.A. contractor Booz Allen Hamilton, sends salary and other personal data about its employees to the Equifax Work Number database. It now contains over 296 million employment records for employees at all wage levels, from CEOs to interns. The database helps streamline various processes for employers and even federal government agencies, says Equifax. But databases like the Work Number also come with considerable risks. As consumer journalist Bob Sullivan puts it, Equifax, "with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans' personal information ever created." On October 8, a month after Equifax announced its giant data breach, security expert Brian Krebs uncovered a gaping hole in the separate Work Number online consumer application portal, which allowed anyone to view a person's salary and employment history "using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax."

Encryption

Following Equifax Breach, CEO Doesn't Know If Data Is Encrypted (techtarget.com) 104

An anonymous reader quotes a report from TechTarget: Equifax alerted the public in September 2017 to a massive data breach that exposed the personal and financial information -- including names, birthdays, credit card numbers and Social Security numbers -- of approximately 145 million customers in the United States to hackers. Following the Equifax breach, the former CEO Richard Smith and the current interim CEO Paulino do Rego Barros Jr. were called to testify before the Committee on Commerce, Science, and Transportation this week for a hearing titled "Protecting Consumers in the Era of Major Data Breaches." During the hearing, Sen. Cory Gardner (R-Colo.) questioned Smith and Barros about Equifax's use of -- or lack of -- encryption for customer data at rest. Smith confirmed that the company was not encrypting data at the time of the Equifax breach, and Gardner questioned whether or not that was intentional. "Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith. Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest. "So, a decision was made to leave it unencrypted at rest?" Gardner pushed. "Correct," Smith responded.

Gardner moved on to Barros and asked whether he has implemented encryption for data at rest since he took over the position on Sept. 26. Barros began to answer by saying that Equifax has done a "top-down review" of its security, but Gardner interrupted, saying it was a yes or no question. Barros stumbled again and said it was being reviewed as part of the response process and Gardner pushed again. "Yes or no, does the data remain unencrypted at rest?" "I don't know at this stage," Barros responded. "Senator, if I may. It's my understanding that the entire environment [in] which this criminal attack occurred is much different; it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security," Smith said.

Security

Man Who Sent GIF of Laughing Mouse To Employer After DDoS Attack Is Now Arrested (bleepingcomputer.com) 75

An anonymous reader writes: The FBI has arrested and charged a man for launching DDoS attacks against a wide range of targets, including his former employer, a Minnesota-based PoS repair shop. The man, who bought access to a VPN but didn't use it all the time, was caught after registering email accounts and sending taunting emails to victims, including his former employer. The taunting emails also included a GIF image of a laughing mouse, which eventually tied the man to the DDoS attacks as well. The guy also uploaded the image on Facebook in a post that asked people to join in DDoS attacks on banks as part of Anonymous' Operation Icarus. The suspect also created the fake email accounts using the name of another former colleague, trying to pin suspicions on him. The FBI was not only able to track the man's real IP address, but they also tied him to attacks without a doubt because he used a DDoS-for-hire service that was hacked and its database was shared with the FBI.
Spam

Security Firm Creates Chatbot To Respond To Scam Emails On Your Behalf (theverge.com) 70

An anonymous reader shares a report: Chatbots. They're usually a waste of your time, so why not have them waste someone else's instead? Better yet: why not have them waste an email scammer's time. That's the premise behind Re:scam , an email chatbot operated by New Zealand cybersecurity firm Netsafe. Next time you get a dodgy email in your inbox, says Netsafe, forward it on to me@rescam.org, and a proxy email address will start replying to the scammer for you, doing its very utmost to waste their time.
IT

After Outrage, Logitech Gives Free Upgrade To Owners of Soon To Be Obsolete Device (gizmodo.com) 105

It looks like Logitech didn't anticipate the barrage of criticism it received after announcing this week that it would be intentionally bricking its Harmony Link hub next March. The company is now reversing course. Its Harmony Link will still die next summer, but if you own one, the company is happy to give you a free upgrade to the more recent Harmony Hub model. From a report: Originally, Logitech planned to only offer Harmony Link owners with active warranties free upgrades to its new Harmony Hub devices. But for people out of warranty -- possibly the majority of Harmony Link users, as the devices were last sold in 2015 -- they would just get a one-time, 35 percent discount on a new $100 Harmony Hub. However, after customer outrage, Logitech revised it plans and announced that the company will give every Harmony Link owner a new Hub for free. Additionally, users who had already used the coupon to purchase a new Hub will also be able to contact Logitech in order to obtain a refund for the difference in price. However, Logitech is still not planning to extend support for the Harmony Link. The company says, "We made the business decision to end the support and services of the Harmony Link when the encryption certificate expires in the spring of 2018 -- we would be acting irresponsibly by continuing the service knowing its potential/future vulnerability."
Security

How AV Can Open You To Attacks That Otherwise Wouldn't Be Possible (arstechnica.com) 34

Antivirus suites expose a user's system to attacks that otherwise wouldn't be possible, a security researcher reported on Friday. From a report: On Friday, a researcher documented a vulnerability he had found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control. AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off limits to the attacker. Six of the affected AV programs have patched the vulnerablity after it was privately reported. The remaining brands have yet to fix it, said Florian Bogner, a Vienna, Austria-based security researcher who gets paid to hack businesses so he can help them identify weaknesses in their networks. Bogner said he developed a series of AVGater exploits during several assignments that called for him to penetrate deep inside customer networks. Using malicious phishing e-mails, he was able to infect employee PCs, but he still faced a significant challenge. Because company administrators set up the PCs to run with limited system privileges, Bogner's malware was unable to access the password database -- known as the Security Account Manager -- that stored credentials he needed to pivot onto the corporate network.
Encryption

DOJ: Strong Encryption That We Don't Have Access To Is 'Unreasonable' (arstechnica.com) 510

An anonymous reader quotes a report from Ars Technica: Just two days after the FBI said it could not get into the Sutherland Springs shooter's seized iPhone, Politico Pro published a lengthy interview with a top Department of Justice official who has become the "government's unexpected encryption warrior." According to the interview, which was summarized and published in transcript form on Thursday for subscribers of the website, Deputy Attorney General Rod Rosenstein indicated that the showdown between the DOJ and Silicon Valley is quietly intensifying. "We have an ongoing dialogue with a lot of tech companies in a variety of different areas," he told Politico Pro. "There's some areas where they are cooperative with us. But on this particular issue of encryption, the tech companies are moving in the opposite direction. They're moving in favor of more and more warrant-proof encryption." "I want our prosecutors to know that, if there's a case where they believe they have an appropriate need for information and there is a legal avenue to get it, they should not be reluctant to pursue it," Rosenstein said. "I wouldn't say we're searching for a case. I''d say we're receptive, if a case arises, that we would litigate."

In the interview, Rosenstein also said he "favors strong encryption." "I favor strong encryption, because the stronger the encryption, the more secure data is against criminals who are trying to commit fraud," he explained. "And I'm in favor of that, because that means less business for us prosecuting cases of people who have stolen data and hacked into computer networks and done all sorts of damage. So I'm in favor of strong encryption." "This is, obviously, a related issue, but it's distinct, which is, what about cases where people are using electronic media to commit crimes? Having access to those devices is going to be critical to have evidence that we can present in court to prove the crime. I understand why some people merge the issues. I understand that they're related. But I think logically, we have to look at these differently. People want to secure their houses, but they still need to get in and out. Same issue here." He later added that the claim that the "absolutist position" that strong encryption should be by definition, unbreakable, is "unreasonable." "And I think it's necessary to weigh law enforcement equities in appropriate cases against the interest in security," he said.

Desktops (Apple)

Ask Slashdot: What Should A Mac User Know Before Buying a Windows Laptop? 449

New submitter Brentyl writes: Hello Slashdotters, longtime Mac user here faced with a challenge: Our 14-year-old wants a Windows laptop. He will use it for school and life, but the primary reason he wants Windows instead of a MacBook is gaming. I don't need a recommendation on which laptop to buy, but I do need a Windows survival kit. What does a fairly savvy fellow, who is a complete Windows neophyte, need to know? Is the antivirus/firewall in Windows 10 Home sufficient? Are there must-have utilities or programs I need to get? When connecting to my home network, I need to make sure I ____? And so on... Thanks in advance for your insights.
Security

WikiLeaks Starts Releasing Source Code For Alleged CIA Spying Tools (vice.com) 102

An anonymous reader quotes a report from Motherboard: WikiLeaks published new alleged material from the CIA on Thursday, releasing source code from a tool called Hive, which allows its operators to control malware it installed on different devices. WikiLeaks previously released documentation pertaining to the tool, but this is the first time WikiLeaks has released extensive source code for any CIA spying tool. This release is the first in what WikiLeaks founder Julian Assange says is a new series, Vault 8, that will release the code from the CIA hacking tools revealed as part of Vault 7. "This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components," WikiLeaks said in its press release for Vault 8. "Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention." In its release, WikiLeaks said that materials published as part of Vault 8 will "not contain zero-days or similar security vulnerabilities which could be repurposed by others."
Google

Google Says Hackers Steal Almost 250,000 Logins Each Week (cnn.com) 33

Google is digging into the dark corners of the web to better secure people's accounts. From a report: For one year, Google researchers investigated the different ways hackers steal personal information and take over Google accounts. Google published its research, conducted between March 2016 and March 2017, on Thursday. Focusing exclusively on Google accounts and in partnership with the University of California, Berkeley, researchers created an automated system to scan public websites and criminal forums for stolen credentials. The group also investigated over 25,000 criminal hacking tools, which it received from undisclosed sources. Google said it is the first study taking a long term and comprehensive look at how criminals steal your data, and what tools are most popular. [...] Google researchers identified 788,000 potential victims of keylogging and 12.4 million potential victims of phishing. These types of attacks happen all the time. For example on average, the phishing tools Google studied collect 234,887 potentially valid login credentials, and the keylogging tools collected 14,879 credentials, each week.
Microsoft

Microsoft To Integrate 3rd-party Security Info Into Its Windows Defender Advanced Threat Protection Service (zdnet.com) 26

Microsoft is partnering with other security vendors to integrate their macOS, Linux, iOS, and Android security wares with its Windows Defender Advanced Threat Protection (ATP) service From a report: Microsoft has announced the first three such partners: Bitdefender, Lookoutm and Ziften. These companies will feed any threats detected into the single Windows Defender ATP console. With Defender ATP, every device has its own timeline with event history dating back up to six months. According to Microsoft, no additional infrastructure is needed to onboard events from macOS, Linux, iOS and/or Android devices. Integration with Bitdefender's GravityZone Cloud -- which allows users to get macOS and Linux threat intelligence on malware and suspicious files -- is in public preview as of today. A trial version is available now. Integration with Lookout's Mobile Endpoint Security for iOS and Android and Ziften's Zenith systems and security operations platform for macOS and Linux will be in public preview "soon," Microsoft's blog post says.
Crime

Federal Prosecutors Charge Man With Hiring Hackers To Sabotage Former Employer (apnews.com) 18

According to the Associated Press, federal prosecutors have charged a man with paying computer hackers to sabotage websites affiliated with his former employer. From the report: The FBI says the case represents a growing form of cybercrime in which professional hackers are paid to inflict damage on individuals, businesses and others who rely on digital devices connected to the web. Prosecutors say 46-year-old John Kelsey Gammell hired hackers to bring down Washburn Computer Group in Monticello, but also made monthly payments between July 2015 and September 2016 to damage web networks connected to the Minnesota Judicial Branch, Hennepin County and several banks. The Star Tribune reports Gammell's attorney, Rachel Paulose, has argued her client didn't personally attack Washburn. Paulose has asked a federal magistrate to throw out evidence the FBI obtained from an unnamed researcher because that data could have been obtained by hacking.
Security

Linux Has a USB Driver Security Problem (bleepingcomputer.com) 156

Catalin Cimpanu, reporting for BleepingComputer: USB drivers included in the Linux kernel are rife with security flaws that in some cases can be exploited to run untrusted code and take over users' computers. The vast majority of these vulnerabilities came to light on Monday, when Google security expert Andrey Konovalov informed the Linux community of 14 vulnerabilities he found in the Linux kernel USB subsystem. "All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine," Konovalov said. The 14 flaws are actually part of a larger list of 79 flaws Konovalov found in Linux kernel USB drivers during the past months. Not all of these 79 vulnerabilities have been reported, let alone patched. Most are simple DoS (Denial of Service) bugs that freeze or restart the OS, but some allow attackers to elevate privileges and execute malicious code.
Yahoo!

Former Yahoo CEO Marissa Mayer Apologizes For Data Breach, Blames Russians (reuters.com) 212

Former Yahoo chief executive officer Marissa Mayer apologized today for a pair of massive data breaches at Yahoo and blamed Russian agents on the growing number of incidents involving major U.S. companies. A reader shares a report: "As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users," she told the Senate Commerce Committee, testifying alongside the interim and former CEOs of Equifax and a senior Verizon Communications executive. "Unfortunately, while all our measures helped Yahoo successfully defend against the barrage of attacks by both private and state-sponsored hackers, Russian agents intruded on our systems and stole our users' data."
Chrome

'How Chrome Broke the Web' (tonsky.me) 283

Reader Tablizer writes (edited and condensed): The Chrome team "broke the web" to make Chrome perform better, according to Nikita Prokopov, a software engineer. So the story goes like this: there's a widely-used piece of DOM API called "addEventListener." Almost every web site or web app that does anything dynamic with JS probably depends on this method in some way. In 2016, Google came along and decided that this API was not extensible enough. But that's not the end of the story. Chrome team proposed the API change to add passive option because it allowed them to speed up scrolling on mobile websites. The gist of it: if you mark onscroll/ontouch event listener as passive, Mobile Google can scroll your page faster (let's not go into details, but that's how things are). Old websites continue to work (slow, as before), and new websites have an option to be made faster at the cost of an additional feature check and one more option. It's a win-win, right? Turned out, Google wasn't concerned about your websites at all. It was more concerned about its own product performance, Google Chrome Mobile. That's why on February 1, 2017, they made all top-level event listeners passive by default. They call it "an intervention." Now, this is a terrible thing to do. It's very, very, very bad. Basically, Chrome broke half of user websites, the ones that were relying on touch/scroll events being cancellable, at the benefit of winning some performance for websites that were not yet aware of this optional optimization. This was not backward compatible change by any means. All websites and web apps that did any sort of draggable UI (sliders, maps, reorderable lists, even slide-in panels) were affected and essentially broken by this change.
Encryption

Flaw Crippling Millions of Crypto Keys Is Worse Than First Disclosed (arstechnica.com) 76

An anonymous reader quotes a report from Ars Technica: A crippling flaw affecting millions -- and possibly hundreds of millions -- of encryption keys used in some of the highest-stakes security settings is considerably easier to exploit than originally reported, cryptographers declared over the weekend. The assessment came as Estonia abruptly suspended 760,000 national ID cards used for voting, filing taxes, and encrypting sensitive documents. The critical weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. When researchers first disclosed the flaw three weeks ago, they estimated it would cost an attacker renting time on a commercial cloud service an average of $38 and 25 minutes to break a vulnerable 1024-bit key and $20,000 and nine days for a 2048-bit key. Organizations known to use keys vulnerable to ROCA—named for the Return of the Coppersmith Attack the factorization method is based on—have largely downplayed the severity of the weakness.

On Sunday, researchers Daniel J. Bernstein and Tanja Lange reported they developed an attack that was 25 percent more efficient than the one created by original ROCA researchers. The new attack was solely the result of Bernstein and Lange based only on the public disclosure information from October 16, which at the time omitted specifics of the factorization attack in an attempt to increase the time hackers would need to carry out real-world attacks. After creating their more efficient attack, they submitted it to the original researchers. The release last week of the original attack may help to improve attacks further and to stoke additional improvements from other researchers as well.

Encryption

How Cloudflare Uses Lava Lamps To Encrypt the Internet (zdnet.com) 110

YouTuber Tom Scott was invited to visit Cloudflare's San Francisco headquarters to check out the company's wall of lava lamps. These decorative novelty items -- while neat to look at -- serve a special purpose for the internet security company. Cloudflare takes pictures and video of the lava lamps to turn them into "a stream of random, unpredictable bytes," which is used to help create the keys that encrypt the traffic that flow through Cloudflare's network. ZDNet reports: Cloudflare is a DNS service which also offers distributed denial-of-service (DDoS) attack protection, security, free SSL, encryption, and domain name services. Cloudflare is known for providing good standards of encryption, but it seems the secret is out -- this reputation is built in part on lava lamps. Roughly 10 percent of the Internet's traffic passes through Cloudflare, and as the firm deals with so much encrypted traffic, many random numbers are required. According to Nick Sullivan, Cloudfare's head of cryptography, this is where the lava lamps shine. Instead of relying on code to generate these numbers for cryptographic purposes, the lava lamps and the random lights, swirling blobs and movements are recorded and photographs are taken. The information is then fed into a data center and Linux kernels which then seed random number generators used to create keys to encrypt traffic. "Every time you take a picture with a camera there's going to be some sort of static, some sort of noise," Sullivan said. "So it's not only just where the bubbles are flowing through the lava lamp; it is the state of the air, the ambient light -- every tiny change impacts the stream of data." Cloudflare also reportedly uses a "chaotic pendulum" in its London office to generate randomness, and in Singapore, they use a radioactive source.
Intel

MINIX: Intel's Hidden In-chip Operating System (zdnet.com) 271

Steven J. Vaughan-Nichols, writing for ZDNet: Matthew Garrett, the well-known Linux and security developer who works for Google, explained recently that, "Intel chipsets for some years have included a Management Engine [ME], a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME, ranging from code to handle media DRM to an implementation of a TPM. AMT [Active Management Technology] is another piece of software running on the ME." [...] At a presentation at Embedded Linux Conference Europe, Ronald Minnich, a Google software engineer reported that systems using Intel chips that have AMT, are running MINIX. So, what's it doing in Intel chips? A lot. These processors are running a closed-source variation of the open-source MINIX 3. We don't know exactly what version or how it's been modified since we don't have the source code. In addition, thanks to Minnich and his fellow researchers' work, MINIX is running on three separate x86 cores on modern chips. There, it's running: TCP/IP networking stacks (4 and 6), file systems, drivers (disk, net, USB, mouse), web servers. MINIX also has access to your passwords. It can also reimage your computer's firmware even if it's powered off. Let me repeat that. If your computer is "off" but still plugged in, MINIX can still potentially change your computer's fundamental settings. And, for even more fun, it "can implement self-modifying code that can persist across power cycles." So, if an exploit happens here, even if you unplug your server in one last desperate attempt to save it, the attack will still be there waiting for you when you plug it back in. How? MINIX can do all this because it runs at a fundamentally lower level. [...] According to Minnich, "there are big giant holes that people can drive exploits through." He continued, "Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared." Also read: Andrew S. Tanenbaum's (a professor of Computer Science at Vrije Universiteit) open letter to Intel.
Microsoft

Microsoft Releases Standards For Highly Secure Windows 10 Devices (bleepingcomputer.com) 173

An anonymous reader writes from a report via BleepingComputer: Yesterday, Microsoft released new standards that consumers should follow in order to have a highly secure Windows 10 device. These standards include the type of hardware that should be included with Windows 10 systems and the minimum firmware features. The hardware standards are broken up into 6 categories, which are minimum specs for processor generation, processor architecture, virtualization, trusted platform modules (TPM), platform boot verification, and RAM. Similarly, firmware features should support at least UEFI 2.4 or later, Secure Boot, Secure MOR 2 or later, and support the Windows UEFI Firmware Capsule Update specification.
Security

Should Private Companies Be Allowed To Hit Back At Hackers? (vice.com) 141

An anonymous reader quotes a report from Motherboard: The former director of the NSA and the U.S. military's cybersecurity branch doesn't believe private companies should be allowed to hit back at hackers. "If it starts a war, you can't have companies starting a war. That's an inherently governmental responsibility, and plus the chances of a company getting it wrong are fairly high," Alexander said during a meeting with a small group of reporters on Monday. During a keynote he gave at a cybersecurity conference in Manhattan, Alexander hit back at defenders of the extremely common, although rarely discussed or acknowledged, practice of revenge hacking, or hack back. During his talk, Alexander said that no company, especially those attacked by nation state hackers, should ever be allowed to try to retaliate on its own.

Using the example of Sony, which was famously hacked by North Korea in late 2014, Alexander said that if Sony had gone after the hackers, it might have prompted them to throw artillery into South Korea once they saw someone attacking them back. "We can give Sony six guys from my old place there," he said, presumably referring to the NSA, "and they'd beat up North Korea like red-headed stepchild -- no pun intended." But that's not a good idea because it could escalate a conflict, and "that's an inherently governmental responsibility. So if Sony can't defend it, the government has to." Instead, Keith argued that the U.S. government should be able to not only hit back at hackers -- as it already does -- but should also have more powers and responsibilities when it comes to stopping hackers before they even get in. Private companies should share more data with the U.S. government to prevent breaches, ha said.

Privacy

One in Four UK Workers Maliciously Leaks Business Data Via Email, Study Says (betanews.com) 30

From a report: New research into insider threats reveals that 24 percent of UK employees have deliberately shared confidential business information outside their company. The study from privacy and risk management specialist Egress Software Technologies also shows that almost half (46 percent) of respondents say they have received a panicked email recall request, which is not surprising given more than a third (37 percent) say they don't always check emails before sending them. The survey of 2,000 UK workers who regularly use email as part of their jobs shows the biggest human factor in sending emails in error is listed as 'rushing' (68 percent). However alcohol also plays a part in eight percent of all wrongly sent emails -- where are these people working!? Autofill technology, meanwhile, caused almost half (42 percent) to select the wrong recipient in the list.
Encryption

Mozilla Might Distrust Dutch Government Certs Over 'False Keys' (bleepingcomputer.com) 112

Long-time Slashdot reader Artem Tashkinov quotes BleepingComputer: Mozilla engineers are discussing plans to remove support for a state-operated Dutch TLS/HTTPS provider after the Dutch government has voted a new law that grants local authorities the power to intercept Internet communications using "false keys". If the plan is approved, Firefox will not trust certificates issued by the Staat der Nederlanden (State of the Netherlands) Certificate Authority (CA)...

This new law gives Dutch authorities the powers to intercept and analyze Internet traffic. While other countries have similar laws, what makes this one special is that authorities will have authorization to carry out covert technical attacks to access encrypted traffic. Such covert technical capabilities include the use of "false keys," as mentioned in Article 45 1.b, a broad term that includes TLS certificates.

"Fears arise of mass Dutch Internet surveillance," reads a subhead on the article, citing a bug report which notes, among other things, the potential for man-in-the-middle attacks and the fact that the Netherlands hosts a major internet transit point.
Bug

An iOS 11.1 Glitch Is Replacing Vowels (mashable.com) 123

An anonymous reader quotes Mashable: We became privy to a new iPhone keyboard glitch after a few Mashable staffers recently started having issues with their iPhone keyboards, specifically with vowels. The issue started when iOS 11's predictive text feature began to display an odd character in the place of the letter "I," offering up "A[?] instead and autocorrecting within the message field...The bug was also covered by MacRumors, but it appears that my colleagues have even more issues than just the letter "I." One reported that they were also seeing the glitch with the letters "U" and "O" as well, making the problem strictly restricted to vowels. They also said the letters showed up oddly in iMessage on Mac devices, and shared some more screenshots of what the glitch looks like when they went through with sending a message. The glitch wasn't just limited to iMessage, however. My colleagues shared screenshots of their increasingly futile attempts to type out messages on Facebook Messenger...and Twitter.
Apple seems to be acknowledging that the iOS 11.1 glitch may affect iPhones, iPads, and iPod Touches. "Here's what you can do to work around the issue until it's fixed by a future software update," Apple posted on a support page, advising readers to "Try setting up Text Replacement for the letter 'i'."
Programming

Should Developers Do All Their Own QA? (itnews.com.au) 299

An anonymous reader quotes IT News: Fashion retailer The Iconic is no longer running quality assurance as a separate function within its software development process, having shifted QA responsibilities directly onto developers... "We decided: we've got all these [developers] who are [coding] every day, and they're testing their own work -- we don't need a second layer of advice on it," head of development Oliver Brennan told the New Relic FutureStack conference in Sydney last week. "It just makes people lazy..."

Such a move has the obvious potential to create problems should a developer drop the ball; to make sure the impact of any unforeseen issues is minimised for customers, The Iconic introduced feature toggles -- allowing developers to turn off troublesome functionality without having to deploy new code. Every new feature that goes into production must now sit behind one of these toggles, which dictates whether a user is served the new or old version of the feature in question. The error rates between the new and old versions are then monitored for any discrepancies... While Brennan is no fan of "people breaking things", he argues moving fast is more beneficial for customers.

"If our site is down now, people will generally come back later," Brennan adds, and the company has now moved all of its QA workers into engineering roles.
Botnet

A Third of the Internet Experienced DoS Attacks in the Last Two Years (sciencedaily.com) 31

Long-time Slashdot reader doom writes: Over a two year period, a third of the IPv4 address space have experienced some sort of DoS attack, though the researchers who've ascertained this suspect this is an underestimate. This is from a story at Science Daily reporting on a study recently presented in London at the Internet Measurement Conference.

"As might be expected, more than a quarter of the targeted addresses in the study came in the United States, the nation with the most internet addresses in the world. Japan, with the third most internet addresses, ranks anywhere from 14th to 25th for the number of DoS attacks, indicating a relatively safe nation for DoS attacks..."

The study itself states, "On average, on a single day, about 3% of all Web sites were involved in attacks (i.e., by being hosted on targeted IP addresses)."

"Put another way," said the report's principal investigator, "during this recent two-year period under study, the internet was targeted by nearly 30,000 attacks per day."
Cloud

Are You OK With Google Reading Your Data? (infoworld.com) 154

Remember when Google randomly flagged files in Google Docs for violating its terms of service? An anonymous reader quotes InfoWorld: Many people worried that Google was scanning users' documents in real time to determine if they're being mean or somehow bad. You actually agree to such oversight in Google G Suite's terms of service. Those terms include personal conduct stipulations and copyright protection, as well as adhering to "program policies"... Even though this is spelled out in the terms of service, it's uncomfortably Big Brother-ish, and raises anew questions about how confidential and secure corporate information really is in the cloud.

So, do SaaS, IaaS, and PaaS providers make it their business to go through your data? If you read their privacy policies (as I have), the good news is that most don't seem to. But have you actually read through them to know who, like Google, does have the right to scan and act on your data? Most enterprises do a good legal review for enterprise-level agreements, but much of the use of cloud services is by individuals or departments who don't get such IT or legal review. Enterprises need to be proactive about reading the terms of service for cloud services used in their company, including those set up directly by individuals and departments. It's still your data, after all, and you should know how it is being used and could be used...

The article argues that "Chances are you or your employees have signed similar terms in the many agreements that people accept without reading."
Security

Experts Propose Standard For IoT Firmware Updates (bleepingcomputer.com) 61

An anonymous reader quotes a report from Bleeping Computer: Security experts have filed a proposal with the Internet Engineering Task Force (IETF) that defines a secure framework for delivering firmware updates to Internet of Things (IoT) devices. Filed on Monday by three ARM employees, their submission has entered the first phase of a three-stage process for becoming an official Internet standard. Titled "IoT Firmware Update Architecture," their proposal -- if approved -- puts forward a series of ground rules that device makers could implement when designing the firmware update mechanism for their future devices. The proposed rules are nothing out of the ordinary, and security experts have recommended and advocated for most of these measures for years. Some hardware vendors are most likely already compliant with the requirements included in this IETF draft. Nonetheless, the role of this proposal is to have the IETF put forward an official document that companies could use as a baseline when designing the architecture of future products. This document could also serve as a general guideline for lawmakers who could draft regulations forcing manufacturers to adhere to this baseline. Some of the main requirements put forward by three ARM engineers in their IETF draft include: The update mechanism must work the same even if the firmware binary is delivered via Bluetooth, WiFi, UART, USB, or other mediums; The update mechanism must work in a broadcast type of delivery, allowing updates to reach multiple users at once; End-to-end security (public key cryptography) must be used to verify and validate firmware images.
Security

Equifax Investigation Clears Execs Who Dumped Stock Before Hack Announcement (gizmodo.com) 155

An anonymous reader quotes a report from Gizmodo: Equifax discovered on July 29th that it had been hacked, losing the Social Security numbers and other personal information of 143 million Americans -- and then just a few days later, several of its executives sold stock worth a total of nearly $1.8 million. When the hack was publicly announced in September, Equifax's stock promptly tanked, which made the trades look very, very sketchy. At the time, Equifax claimed that its executives had no idea about the massive data breach when they sold their stock. Today, the credit reporting company released further details about its internal investigation that cleared all four executives of any wrongdoing.

The report, prepared by a board-appointed special committee, concludes that "none of the four executives had knowledge of the incident when their trades were made, that preclearance for the four trades was appropriately obtained, that each of the four trades at issue comported with Company policy, and that none of the four executives engaged in insider trading." The committee says it reviewed 55,000 documents to reach its conclusions, including emails and text messages, and conducted 62 in-person interviews. "The review was designed to pinpoint the date on which each of the four senior officers first learned of the security investigation that uncovered the breach and to determine whether any of those officers was informed of or otherwise learned of the security investigation before his trades were executed," the report states.

Communications

Chelsea Manning Archivist Excludes Hacktivist Jailed By Carmen Ortiz From Aaron Swartz Day (huffingtonpost.com) 124

New submitter Danngggg writes: As you may recall from Slashdot last year, alleged Anonymous hacktivist Martin Gottesfeld has been imprisoned without bail since federal agents arrested him on board a Disney Cruise ship in February of 2016 to face hacking charges brought by controversial former U.S. attorney Carmen Ortiz. Though he's the only activist after Aaron Swartz to face a felony CFAA indictment from Ortiz, apparently Aaron Swartz Day organizer and Chelsea Manning archivist Lisa Rein don't want to include Gottesfeld in the festivities this year. So, he has taken to Huffington Post to argue that his story should be told this November 4th and, perhaps with a sense of irony, to publish some potentially scandalous Signal messages allegedly sent by Rein to his wife revealing what seems to be disdain for hacking in general and Anonymous in particular. Indeed, Rein seems to borrow from the movie Mean Girls in her contemptuous rejection of Mrs. Gottesfeld's appeals on behalf of her embattled husband. What does the Slashdot crowd have to say about whether Gottesfeld's story belongs at Aaron Swartz Day as well as Rein's alleged attitude towards his significant other?

"One might think that my voice would be welcomed at Aaron Swartz Day given all that the late internet/freedom of information activist and I share in common," writes Gottesfeld. "For starters, we were both indicted under the same controversial federal law, the CFAA, by the same Boston U.S. Attorney's Office and indeed under the tenure of the same notorious U.S. Attorney, Carmen Ortiz. Both of us have been persecuted for doing the moral thing; Aaron for trying to make taxpayer-funded research available to the general public and me for stopping the torture of an innocent child."

Security

TorMoil Vulnerability Leaks Real IP Address From Tor Browser Users; Security Update Released (bleepingcomputer.com) 21

Catalin Cimpanu, reporting for BleepingComputer: The Tor Project has released a security update for the Tor Browser on Mac and Linux to fix a vulnerability that leaks users' real IP addresses. The vulnerability was spotted by Filippo Cavallarin, CEO of We Are Segment, an Italian company specialized in cyber-security and ethical hacking. Cavallarin privately reported the issue -- which he codenamed TorMoil -- to the Tor Project last week. Tor Project developers worked with the Firefox team (Tor Browser is based on the Firefox browser) to release a fix. Today, the Tor team released version 7.0.9 to address the vulnerability. Tor Browser 7.0.9 is only available for Mac and Linux users. Tor Browser on Windows is not affected.
Upgrades

Xbox One X is the Perfect Representation of the Tech Industry's Existential Crisis (mashable.com) 190

A reader shares commentary on the newly launched Xbox One X gaming console: Fundamentally, Xbox One X is the same machine that Microsoft released in 2013. It plays the same games, runs the same apps, depends on the same operating system. You can still plug your cable box into it and watch OneGuide magically sync with your local TV listings. Most of the things you can do look a little better and run a little faster/more efficiently, sure. The actual casing is smaller than the previous iterations, too. It's a gorgeous $500 machine. That's why I keep eyeballing it. My brain screams, "Why do you exist?" The Xbox One X does not answer. This is a familiar problem in 2017. Look around at all the tech in your life and do a quick, informal poll: How many of those items become outdated every year or every few years when a newer, shinier version of the same thing comes along? I'm talking about your iPhone and iPad. Your Amazon Echo and Kindle. Your Pixel and Daydream VR headset. Your Apple Watch. Your Roku, your Apple TV, your Chromecast. Incremental upgrades that push features like 4K! HDR! Wireless charging! Slimmer design! No headphone jack! (Wait, no, that last one is awful.) Breathless bullet point after breathless bullet point. Some of these additions have genuine utility and add value to the product. Many don't, or depend on you also possessing some other piece of incrementally upgraded tech (like the kinds of fancy-shmancy TVs that play the nicest with Xbox One X).
Botnet

Malware Developer Who Used Spam Botnet To Pay For College Gets No Prison Time (bleepingcomputer.com) 57

An anonymous reader writes: The operator of a 77,000-strong spam botnet was sentenced to two years probation and no prison time after admitting his crime and completely reforming his life. The former botnet operator is now working for a cybersecurity company, and admitted his actions as soon as the FBI knocked on his door back in 2013. The botnet operator, a 29-year-old from Santa Clara, California, says he was tricked by fellow co-schemers who told him they were not doing anything wrong by infecting computers with malware because they were not accessing private information such as banking or financial records. Furthermore, the botnet operator escaped prison time because he used all the money he earned in getting a college degree at Cal Poly instead of using it on a lavish lifestyle or drugs. This case is similar to the one that MalwareTech (aka Marcus Hutchins) now faces in the U.S. for his role in developing the Kronos trojan, but also after turning his life around and working as a cybersecurity researcher for years.
AI

Eric Schmidt and Bob Work: Our AI 'Sputnik Moment' Is Now (breakingdefense.com) 174

schwit1 shares a report from Breaking Defense: China's just announced an AI strategy designed to assure it will be dominant in the host of technologies by 2030. "If you believe this is important, as I believe, then we need to get our act together as a country," [Alphabet Exec Chairman Eric] Schmidt said this morning. In a Q and A session at the event organized by the Center for a New American Security, Schmidt said he thought the U.S. will maintain its lead over the People's Republic of China for the next five years, but he expects China to catch up about then and pass us "extremely quickly." How important does China think AI can be? Former Deputy Defense Secretary Bob Work told Breaking Defense the Chinese estimate they can boost economic growth with AI by 26 percent by 2030. "It's quite stunning," Work said. And, of course, the PRC's government has published a national strategy and released it to the world. What's the best response by the United States, I asked Work after Schmidt spoke. The federal government needs to answer this question at its highest levels, as happened after the Soviet Union stunned the world and launched the first satellite, Sputnik, Work said.
Security

Hilton Paid a $700K Fine For 2015 Breach; Under GDPR, It Would Be $420 Million (digitalguardian.com) 110

chicksdaddy writes from a report via Digital Guardian: If you want to understand the ground shaking change that the EU's General Data Protection Rule (GDPR) will have when it comes into force in May of 2018, look no further than hotel giant Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc (a.k.a. "Hilton."). On Tuesday, the New York Attorney General Eric T. Schneiderman slapped a $700,000 fine on the hotel giant for two 2015 incidents in which the company was hacked, spilling credit card and other information for 350,000 customers. Schneiderman also punished Hilton for its response to the incident. The company first learned in February 2015 that its customer data had been exposed through a UK-based system belonging to the company, which was observed by a contractor communicating with "a suspicious computer outside Hilton's computer network." Still, it took Hilton until November 24, 2015 -- over nine months after the first intrusion was discovered -- to notify the public. That kind of lackluster response has become pretty typical among Fortune 500 companies (see also: Equifax). And why not? The $700,000 fine from the NY AG is a palatable $2 per lost record -- and a mere rounding error for Hilton, which reported revenues of $11.2 billion in 2015, the year of the breach. That means the $700,000 fine was just %.00006 of Hilton's annual revenue in the year of the breach. Schneiderman's fine was less "bringing down the hammer" than a butterfly kiss for Hilton's C-suite, board and shareholders.

But things are going to be different for Hilton and other companies like it come May 2018 when provisions of the EU's General Data Protection Rule (or GDPR) go into effect, as Digital Guardian points out on their blog. Under that new law, data "controllers" like Hilton (in other words: organizations that collect data on customers or employees) can be fined up to 4% of annual turnover in the year preceding the incident for failing to meet the law's charge to protect that data. What does that mean practically for a company like Hilton? Well, the company's FY 2014 revenue (or "turnover") was $10.5 billion. Four percent of that is a cool $420 million dollars -- or $1,200, rather than $2, for every customer record lost. Needless to say, that's a number that will get the attention of the company's Board of Directors and shareholders.

Bug

Google Explains Tuesday's Drive, Docs Bug That Marked Some Files As Violating Terms of Service (9to5google.com) 97

On Tuesday, Google's cloud-based word processing software was randomly flagging files for supposedly "violating" Google's Terms of Service, resulting in some users not being able to access or share their files. Google today explained the issue and addressed concerns that arose. 9to5Google reports: Several users on Tuesday morning reported no longer being able to open certain files they were working on in Docs, while others were locked out mid-edit. "On Tuesday, October 31, we mistakenly blocked access to some of our users' files, including Google Docs," Google said in a blog post. "This was due to a short-lived bug that incorrectly flagged some files as violating our terms of service (TOS)." Afterwards, Google provided a comment to Gizmodo noting that a code push made earlier that morning was at fault and that full access had been restored to users hours after the bug first arose. Today's clarification goes on to explain how that error on Tuesday caused Drive to "misinterpret" responses from the antivirus system designed to protect against malware, phishing, and spam. As a result, Docs "erroneously mark[ed] some files as TOS violations, thus causing access denials for users of those files."
United States

Russia Hackers Had Targets Worldwide, Beyond US Election (apnews.com) 254

Raphael Satter, Jeff Donn, and Justin Myers, reporting for Associated Press: The hackers who disrupted the U.S. presidential election had ambitions well beyond Hillary Clinton's campaign, targeting the emails of Ukrainian officers, Russian opposition figures, U.S. defense contractors and thousands of others of interest to the Kremlin, according to a previously unpublished digital hit list obtained by The Associated Press. The list provides the most detailed forensic evidence yet of the close alignment between the hackers and the Russian government, exposing an operation that stretched back years and tried to break into the inboxes of 4,700 Gmail users across the globe -- from the pope's representative in Kiev to the punk band Pussy Riot in Moscow. "It's a wish list of who you'd want to target to further Russian interests," said Keir Giles, director of the Conflict Studies Research Center in Cambridge, England, and one of five outside experts who reviewed the AP's findings. He said the data was "a master list of individuals whom Russia would like to spy on, embarrass, discredit or silence."
ISS

The International Space Station Is Getting Its First Printer Upgrade in 17 Years (mashable.com) 174

Lance Ulanoff, writing for Mashable: Somewhere, 254 miles above us, an astronaut is probably printing something. Ever since the International Space Station (ISS) welcomed its first residents in November of 2000, there have been printers on board. Astronauts use them to print out critical mission information, emergency evacuation procedures and, sometimes, photos from home. According to NASA, they print roughly 1,000 pages a month on two printers; one is installed on the U.S. side of the ISS, the other in the Russian segment. ISS residents do all this on 20-year-old technology. "When the printer was new, it was like 2000-era tech and we had 2000-era laptop computers. Everything worked pretty good," recalled NASA Astronaut Don Pettit, who brought the first printer up to the ISS. But "the printer's been problematic for the last five or six years," said Pettit who's spent a total of one year on the station. It's not that the Space Station has been orbiting with the same printer since Justin Timberlake was still N'Sync. NASA had dozens of this printer and, as one failed, they'd send up another identical model. But now it's time for something truly new. In 2018, NASA will send two brand new, specialized printers up to the station. However, figuring out the right kind of printer to send was a lot more complicated than you'd probably expect. NASA has turned to HP for its IT supply and needs. The agency requires the following things in its printer: print and handle paper management in zero gravity, handle ink waste during printing, be flame retardant, and be power efficient. HP, Mashable reports, has recommended the HP Envy 5600, its all-in-one (printer, scanner, copier, fax) device that retails for $129.99. The model has been modified, according to the report.
Data Storage

CIA Releases 321GB of Bin Laden's Digital Library (arstechnica.com) 125

An anonymous reader quotes a report from Ars Technica: Today, the Central Intelligence Agency posted a cache of files obtained from Osama Bin Laden's personal computer and other devices recovered from his compound in Abbottabad, Pakistan by Navy SEALs during the raid in which he was killed on May 2, 2011. The 470,000 files, 321 gigabytes in all, include documents, images, videos, and audio recordings, including Al Qaeda propaganda and planning documents, home videos of Bin Laden's son Hazma, and "drafts" of propaganda videos. There is also a lot of digital junk among the files.

The CIA site presents a raft of warnings about the content of the downloads: "The material in this file collection may contain content that is offensive and/or emotionally disturbing. This material may not be suitable for all ages. Please view it with discretion. Prior to accessing this file collection, please understand that this material was seized from a terrorist organization. While the files underwent interagency review, there is no absolute guarantee that all malware has been removed."

Security

LastPass Reveals the Threats Posed By Passwords in the Workplace (betanews.com) 72

A reader shares a BetaNews report: A new report by LastPass -- The Password Expose -- reveals the threats posed, and the opportunities presented, by employee passwords. The report starts by pointing out that while nearly everyone (91 percent) knows that it is dangerous to reuse passwords -- with 81 percent of data breaches attributable to "weak, reused, or stolen passwords," more than half (61 percent) do reuse passwords. But the real purpose of the report is to "reveal the true gap between what IT thinks, and what's really happening." Jumping straight into the number, the report says that even in a 250-employee company, there are an average of 53,250 passwords in use -- a near-impossible number to keep track of and to know the strength of. LastPass found that people have nearly 200 passwords to remember, so it's little wonder that password reuse is an issue.
Security

Student Charged By FBI For Hacking His Grades More Than 90 times (sophos.com) 142

An anonymous reader shares a report: In college, you can use your time to study. Or then again, you could perhaps rely on the Hand of God. And when I say "Hand of God," what I really mean is "keylogger." Think of it like the "Nimble Fingers of God." "Hand of God" (that makes sense) and "pineapple" (???) are two of the nicknames allegedly used to refer to keyloggers used by a former University of Iowa wrestler and student who was arrested last week on federal computer-hacking charges in a high-tech cheating scheme. According to the New York Times, Trevor Graves, 22, is accused in an FBI affidavit of working with an unnamed accomplice to secretly plug keyloggers into university computers in classrooms and in labs. The FBI says keyloggers allowed Graves to record whatever his professors typed, including credentials to log into university grading and email systems. Court documents allege that Graves intercepted exams and test questions in advance and repeatedly changed grades on tests, quizzes and homework assignments. This went on for 21 months -- between March 2015 and December 2016. The scheme was discovered when a professor noticed that a number of Graves' grades had been changed without her authorization. She reported it to campus IT security officials.
Google

Android Oreo Bug Sends Thousands of Phones Into Infinite Boot Loops (bleepingcomputer.com) 78

An anonymous reader writes: A bug in the new "Adaptive Icons" feature introduced in Android Oreo has sent thousands of phones into infinite boot loops, forcing some users to reset their devices to factory settings, causing users to lose data along the way. The bug was discovered by Jcbsera, the developer of the Swipe for Facebook Android app (energy-efficient Facebook wrapper app), and does not affect Android Oreo (8.0) in its default state. The bug occurs only with apps that use adaptive icons -- a new feature introduced in Android Oreo that allows icons to change shape and size based on the device they're viewed on, or the type of launcher the user is using on his Android device. For example, adaptive icons will appear in square, rounded, or circle containers depending on the theme or launcher the user is using. The style of adaptive icons is defined a local XML file. The bug first manifested itself when the developer of the Swipe for Facebook Android app accidentally renamed the foreground image of his adaptive icon with the same name as this XML file (ic_launcher_main.png and ic_launcher_main.xml). This naming scheme sends Android Oreo in an infinite loop that regularly crashes the device. At one point, Android detects something is wrong and prompts the user to reset the device to factory settings. Users don't have to open an app, and the crashes still happen just by having an app with malformed adaptive icons artifacts on your phone. Google said it will fix the issue in Android Oreo 8.1.

Slashdot Top Deals