Security

Yahoo Notifying Users of Malicious Account Activity as Verizon Deal Progresses (techcrunch.com) 17

Kate Conger, writing for TechCrunch: Yahoo is continuing to issue warnings to users about several security incidents as it moves toward an acquisition by Verizon. Users are receiving notifications today about unauthorized access to their accounts in 2015 and 2016, which occurred due to previously disclosed cookie forging. "As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password. The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again," a Yahoo spokesperson told TechCrunch.
Businesses

IT Decisions Makers and Executives Don't Agree On Cyber Security Responsibility (betanews.com) 118

Sead Fadilpasic, writing for BetaNews: There's a severe disconnect between IT decision makers and C-suite executives when it comes to handling cyber attacks. Namely, each believes the other is responsible for keeping the company safe. This is according to new and extensive research by BAE Systems. A total of 221 C-suite executives and 984 IT decision-makers were polled for the report. According to the research, a third (35 percent) of C-suite executives believe IT teams are responsible for data breaches. On the other hand, 50 percent of IT decision makers would place that responsibility in the hands of their senior management. Cost estimates of a successful breach also differ. IT decision makers think it would set them back $19.2 million, while the C-suite thinks of a lesser figure, $11.6m. C-level executives think a tenth (10 percent) of their company's IT budget is spent on cyber security, while IT decision makers think that's 15 percent. Also, 84 percent of C-suite executives and 81 percent of IT teams believe they have the right protection set up.
Security

Russian Cyberspies Blamed For US Election Hacks Are Now Targeting Macs (computerworld.com) 250

You may recall "APT28", the Russian hacking group which was tied to last year's interference in the presidential election. It has long been known for its advanced range of tools for penetrating Windows, iOS, Android, and Linux devices. Now, researchers have uncovered an equally sophisticated malware package the group used to compromise Macs. From a report on ComputerWorld: The group -- known in the security industry under different names including Fancy Bear, Pawn Storm, and APT28 -- has been operating for almost a decade. It is believed to be the sole user and likely developer of a Trojan program called Sofacy or X-Agent. X-Agent variants for Windows, Linux, Android, and iOS have been found in the wild in the past, but researchers from Bitdefender have now come across what appears to be the first macOS version of the Trojan. It's not entirely clear how the malware is being distributed because the Bitdefender researchers obtained only the malware sample, not the full attack chain. However, it's possible a macOS malware downloader dubbed Komplex, found in September, might be involved. Komplex infected Macs by exploiting a known vulnerability in the MacKeeper antivirus software, according to researchers from Palo Alto Networks who investigated the malware at the time. The vulnerability allowed attackers to execute remote commands on a Mac when users visited specially crafted web pages. Further reading on ArsTechnica.
Microsoft

Microsoft Delays February Patch Tuesday Indefinitely (sans.edu) 88

UnderAttack writes: Microsoft today announced that it had to delay its February Patch Tuesday due to issues with a particular patch. This was also supposed to be the first Patch Tuesday using a new format, which led some to believe that even Microsoft had issues understanding exactly how the new format is going to work, now that there is no simple bulletin summary and patches are released as large monolithic updates. Ars Technica notes the importance of this Patch Tuesday as "there's an in-the-wild zero-day flaw in SMB, Microsoft's file sharing protocol, that at the very least allows systems to be crashed." They also elaborate on the way Microsoft is "continuing to tune the way updates are delivered to Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2."
Businesses

New Office Sensors Know When You Leave Your Desk (bloomberg.com) 158

An anonymous reader quotes a report from Bloomberg: About a year ago, in a widely reported story, journalists at British newspaper the Telegraph found little black boxes installed under their desks. The devices, which had "OccupEye" emblazoned on them, detected if employees were at their workstations. Not shockingly, writers and editors were suspicious, worried that bosses were monitoring their moves, even their bathroom breaks. The National Union of Journalists complained to management about Big Brother-style surveillance. The company insisted the boxes were intended to reduce energy costs, ensuring that empty cubicles weren't overheated or over-air-conditioned, but the damage was done, and the devices were removed. Sensors that keep tabs on more than temperature are already all over offices -- they're just less conspicuous and don't have names that suggest Bond villains. "Most people, when they walk into buildings, don't even notice them," says Joe Costello, chief executive officer of Enlighted, whose sensors, he says, are collecting data at more than 350 companies, including 15 percent of the Fortune 500. They're hidden in lights, ID badges, and elsewhere, tracking things such as conference room usage, employee whereabouts, and "latency" -- how long someone goes without speaking to another co-worker. Proponents claim the goal is efficiency: Some sensors generate heat maps that show how people move through an office, to help maximize space; others, such as OccupEye, tap into HVAC systems.
Microsoft

Microsoft Calls For 'Digital Geneva Convention' (usatoday.com) 144

Microsoft is calling for a digital Geneva Convention to outline protections for civilians and companies from government-sponsored cyberattacks. In comments Tuesday at the RSA security industry conference in San Francisco, Microsoft President and Chief Legal Officer Brad Smith said the rising trend of government entities wielding the internet as a weapon was worrying. From a report on USA Today: In the cyber realm, tech must be committed to "100% defense and zero percent offense," Smith said at the opening keynote at the RSA computer security conference. Smith called for a "digital Geneva Convention," like the one created in the aftermath of World War II, which set ground rules for conduct during wartime, defining basic rights for civilians caught up in armed conflicts. In the 21st century such rules are needed "to commit governments to protect civilians from nation-state attacks in times of peace," a draft of Smith's speech released to USA TODAY said. This digital Geneva Convention would establish protocols, norms and international processes for how tech companies would deal with cyber aggression and attacks by nations aimed at civilian targets, which appears to effectively mean anything but military servers.
Databases

Story Of a Country Which Has Built a Centralized Biometrics Database Of 1.1B People But Appears To Be Mishandling It Now (mashable.com) 57

In a bid to get more Indians to have a birth certificate or any sort of ID card, India announced the Aadhaar project in 2009. At the time, there were more Indians without these ID cards than with them. As a result, much of the government funding meant for citizens was disappearing before it could reach them. But according to several security experts, lawyers, politicians and journalists, the government is using poor security practices, and this is putting people's biometric data -- photo, name, address, fingerprint, iris info -- at risk. More than 1.1 billion people -- and 99 percent of all adults -- in India have enrolled in the system. From a report: "There are two fundamental flaws in Aadhaar: it is poorly designed, and it is being poorly verified," Member of Parliament and privacy advocate Rajeev Chandrasekhar told Mashable India. Another issue with Aadhaar, Chandrasekhar explains, is that there is no firm legislation to safeguard the privacy and rights of the billion people who have enrolled in the system. There's little a person whose Aadhaar data has been compromised could do. [...] "Aadhaar is remote, covert, and non-consensual," he told Mashable India, adding that the existence of a central database of any kind, but especially in the context of Aadhaar, and at the scale it is working, is appalling. Abraham said fingerprint and iris data of a person can be stolen with little effort -- a "gummy bear" which sells for a few cents can store one's fingerprint, while a high-resolution camera can capture one's iris data. The report goes on to say that the Indian government is also not telling how the data is being shared with private companies. Experts cited in the story have expressed concerns that those companies (some of which are run by people who were previously members of the team which designed the framework of Aadhaar) can store and create a parallel database of their own.
On top of that, the government is making Aadhaar mandatory for availing of several services, including registration for nation-wide examinations, though in the beginning it promised Aadhaar would be used only to help the poor get groceries at subsidized prices.
Security

Michael Flynn Resigns As Trump's National Security Adviser (go.com) 893

An anonymous reader quotes a report from ABC News: President Donald Trump's embattled national security adviser Michael Flynn, who faced questions about a call to the Russian ambassador prior to the inauguration, has resigned. Retired Army General Keith Kellogg was named acting national security adviser to replace Flynn. ABC News reported Monday that Flynn called Vice President Mike Pence on Friday to apologize for misleading him about his conversation with the ambassador in November. Flynn previously denied that he spoke about sanctions the U.S. imposed on Russia for its suspected interference in the 2016 election, a claim repeated by Pence in January. An administration official later claimed Pence was relying on information provided to him by Flynn. In his resignation letter, Flynn cited the "fast pace of events" for "inadvertently" briefing "the Vice President Elect and others with incomplete information regarding [his] phone calls with the Russian Ambassador." You can view Flynn's full resignation letter, as provided by the White House, here.
Programming

H-1Bs Reduced Computer Programmer Employment By Up To 11%, Study Finds (marketwatch.com) 268

An anonymous reader quotes a report from MarketWatch: There would have been up to 11% more computer science jobs at wages up to 5% higher were it not for the immigration program that brings in foreign high-skilled employees, a new study finds. The paper -- by John Bound and Nicolas Morales of the University of Michigan and Gaurav Khanna of the University of California, San Diego -- was conducted by studying the economy between 1994 and 2001, during the internet boom. It was also a period where the recruitment of so-called H-1B labor was at or close to the cap and largely before the onset of the vibrant IT sector in India. In 2001, the number of U.S. computer scientists was between 6.1%-10.8% lower and wages were between 2.6% and 5.1% lower. Of course, there also were beneficiaries -- namely consumers and employers. Immigration lowered prices by between 1.9% and 2.4%, and profits increased as did the total number of IT firms.
Businesses

Ransomware Insurance Is Coming (onthewire.io) 86

Trailrunner7 quotes a report from On the Wire: As bad as the ransomware problem is right now -- and it's plenty bad -- we're likely only at the beginning of what could become a crisis, experts say. "Lots of people are being infected and lots of people are paying. The bottom line is it's getting worse and it's going to continue to do so," Jeremiah Grossman, chief of security strategy at SentinelOne, said during a talk on the ransomware epidemic at the RSA Conference here Monday. "Seven-figure ransoms have already been paid. When you're out of business, you'll pay whatever you have to in order to stay in business. You're dealing with an active, sentient adversary." The ransomware market seems to be headed in the same direction as real-world kidnapping, where high-profile targets take out insurance policies to pay ransoms. Grossman said it probably won't be long before the insurance companies latch onto the ransomware game, too. "The insurance companies are going to see a large profit potential in this. Kidnapping and ransom insurance is still very boutique. This economic model will probably apply equally well to ransomware," he said. According to The FindLaw Corporate Counsel Blog, "Ransomware attacks fall under your cyber insurance policy's 'cyber extortion' coverage and can generally be considered 'first-party' or 'third-party' coverage, according to Christine Marciano, president of Cyber Data Risk Managers. Third-party coverage would likely leave a company uninsured when it is the victim of a ransomware attack. Even if your insurance policy covers ransomware attacks made against your company, the deductible may be so high that the company will be stuck paying any ransomware demands out of pocket (should the company decide to pay to decrypt its data). And your coverage may be sub-limited to relatively small amounts, according to Kevin Kalinich, the global cyber risk practice leader for Aon Risk Solutions.
A $10 million policy may only provide $500,000 for cyber extortion claims, he explains."
Privacy

Encrypted Email Is Still a Pain in 2017 (incoherency.co.uk) 216

Bristol-based software developer James Stanley, who used to work at Netcraft, shares how encrypted email, something which was first introduced over 25 years ago, is still difficult to set up and use even for reasonably tech-savvy people. He says he recently tried to install Enigmail, a Thunderbird add-on, but not only were things like GPG, PGP and OpenPGP -- for no good reason -- confusing, Enigmail also continues to suffer from a bug that makes key generation take forever. From his blog post: Encrypted email is nothing new (PGP was initially released in 1991 -- 26 years ago!), but it still has a huge barrier to entry for anyone who isn't already familiar with how to use it. I think my experience would have been better if Enigmail had generated keys out-of-the-box, or if (a.) gpg agreed with Enigmail on nomenclature (is it a secring or a private key?) and (b.) output the paths of the files it had generated. My experience would have been a lot worse had I not been able to call on the help of somebody who already knows how to use it.
Government

CS Professor Argues Silicon Valley Is Exploiting Both H-1B Visas And Workers (huffingtonpost.com) 318

schwit1 quotes Norm Matloff, a CS professor at the University of California at Davis, on H-1B visa programs: The Trump administration has drafted a new executive order that could actually mean higher wages for both foreign workers and Americans working in Silicon Valley. The Silicon Valley companies, of course, will not be happy if it goes into effect... Their lobbyists claim there is a "talent shortage" among Americans and thus that the industry needs more of such work visas. This is patently false. The truth is that they want an expansion of the H-1B work visa program because they want to hire cheap, immobile labor -- i.e., foreign workers.

To see how this works, note that most Silicon Valley firms sponsor their H-1B workers, who hold a temporary visa, for U.S. permanent residency (green card) under the employment-based program in immigration law. EB sponsorship renders the workers de facto indentured servants; though they have the right to move to another employer, they do not dare do so, as it would mean starting the lengthy green card process all over again.

Computerworld also argues this year's annual H-1B visa lottery "may be different, because of President Donald Trump," reporting that the lottery has historically favored the largest firms heavily. "In the 2015 fiscal year, for instance, the top 10 firms received 38% of all the H-1B visas in computer occupations alone. All these firms, except for Amazon and to a partial extent IBM, are outsourcers."
Security

Trend Micro's Own Cybersecurity Blog Gets Hacked (silicon.co.uk) 17

Mickeycaskill quotes Silicon: Just to illustrate that you can never be too careful, cybersecurity specialist Trend Micro has confirmed that one of the blogs it uses to communicate with customers was itself the victim of a content spoofing attack. The culprits exploited a vulnerability in WordPress to inject fake content onto the blog before it was removed by Trend Micro and the bug fixed... "Unfortunately there are many different URLs attackers can use to carry out the same attack, so a couple of fake 'articles' ended up posted on CounterMeasures," head of security research Rik Ferguson told Silicon. "We have responded and shut down the vulnerability completely to resolve the issue."
The chairman of Trend Micro claimed in 2011 that open source software was inherently less secure than closed source -- but instead of blaming WordPress, Ferguson "said it goes to show how breaches are an unfortunate fact of life and that companies should be judged on how they respond... 'Of course technology and best practice can mitigate the vast majority of intrusion attempts, but when one is successful, even one as low-level as this, you are more defined by how you respond than you are by the fact that it happened.'"
Networking

College Network Attacked With Its Own Insecure IoT Devices (zdnet.com) 53

An anonymous reader writes: An attacker compromised over 5,000 IoT devices on a campus network -- including vending machines and light sensors -- and then used them to attack that same network. "In this instance, all of the DNS requests were attempting to look up seafood restaurants," reports ZDNet, though the attack was eventually blocked by cybersecurity professionals. Verizon's managing principal of investigative response blames the problem on devices configured using default credentials -- and says it's only going to get worse. "There's going to be so many of these things used by people with very limited understanding of what they are... There's going to be endless amounts of technology out there that people are going to easily be able to get access to."
The article suggests "ensuring that IoT devices are on a completely different network to the rest of the IT estate." But it ends by warning that "until IoT manufacturers bother to properly secure their devices -- and the organizations which deploy them learn to properly manage them -- DDoS attacks by IoT botnets are going to remain a huge threat."
Cellphones

Mission Possible: Self-Destructing Phones Are Now a Reality (yahoo.com) 142

drunkdrone quotes the International Business Times: Self-destructing gadgets favored by the likes of James Bond and Mission: Impossible's Ethan Hunt have taken one step closer to reality. Researchers in Saudi Arabia have developed a mechanism that, when triggered, can destroy a smartphone or other electronic device in as little as 10 seconds. The self-destruct mechanism has been created by electrical engineers at the King Abdullah University of Science and Technology and consists of a polymer layer that rapidly expands when subjected to temperatures above 80 degrees Celsius, effectively bursting the phone open from the inside. The mechanism can be adapted to be triggered in various ways, including remotely through a smartphone app or when it's subjected to pressure.

Once triggered, power from the device's battery is directed to electrodes that rapidly heat, causing the polymer layer to expand to around seven times its original size within 10-15 seconds. This crushes the vital components inside the device, destroying any information stored on board.

One engineer believes the phone will see adoption in the intelligence and financial communities, though it can also be retrofitted to existing phones for just $15. This raises an interesting question -- would you want a self-destructing phone?
EU

The City Of Munich Now Wants To Abandon Linux And Switch Back to Windows (techrepublic.com) 557

"The prestigious FOSS project replacing the entire city's administration IT with FOSS based systems, is about to be cancelled and decommissioned," writes long-time Slashdot reader Qbertino. TechRepublic reports: Politicians at open-source champion Munich will next week vote on whether to abandon Linux and return to Windows by 2021. The city authority, which made headlines for ditching Windows, will discuss proposals to replace the Linux-based OS used across the council with a Windows 10-based client. If the city leaders back the proposition it would be a notable U-turn by the council, which spent years migrating about 15,000 staff from Windows to LiMux, a custom version of the Ubuntu desktop OS, and only completed the move in 2013...

The use of the open-source Thunderbird email client and LibreOffice suite across the council would also be phased out, in favor of using "market standard products" that offer the "highest possible compatibility" with external and internal software... The full council will vote on whether to back the plan next Wednesday. If all SPD and CSU councillors back the proposal put forward by their party officials, then this new proposal will pass, because the two parties hold the majority.

The leader of the Munich Green Party says the city will lose "many millions of euros" if the change is implemented. The article also reports that Microsoft moved its German headquarters to Munich last year.
Government

Senators Push Trump Administration For Clarity On Privacy Act Exclusions (onthewire.io) 135

Trailrunner7 quotes a report from On the Wire: A group of influential lawmakers, including Sen. Ed Markey and Sen. Ron Wyden, are pressing the Trump administration for answers about how an executive order that includes changes to the Privacy Act will affect non-U.S. persons and whether the administration plans to release immigrants' private data. The letter comes from six senators who are concerned about the executive order that President Trump issued two weeks ago that excludes from privacy protections people who aren't U.S. citizens or permanent residents. The order is mostly about changes to immigration policy, but Trump also included a small section that requires federal government agencies to exclude immigrants from Privacy Act protections. On Thursday, Markey, Wyden, and four other senators sent a letter to Secretary of Homeland Security John Kelly, asking a series of 10 questions about how the exclusion would be implemented, what it would cost, and whether the government plans to release the private data of people affected by the order. "These Privacy Act exclusions could have a devastating impact on immigrant communities, and would be inconsistent with the commitments made when the government collected much of this information," the senators said in the letter to Kelly. In the letter, the lawmakers ask Kelly whether people affected by the order will be allowed full access to their own private data that has been collected by the government. They also ask how the government plans to identify U.S. persons in their databases and what policies DHS will apply to separate them from non-U.S. persons. The letter also asks for clarification on how the executive order will affect the Privacy Shield pact between the U.S. and the European Union. That agreement enables companies to move private data between countries under certain data protection laws.
Spam

Spammer Faces Decades In Prison For Sending More Than 1 Million Spam Emails (suntimes.com) 146

mi quotes a report from Chicago Sun-Times: A man has been indicted on federal fraud charges for allegedly sending more than a million spam emails. The indictment charges 36-year-old Michael Persaud of Scottsdale, Arizona, with 10 counts of wire fraud and seeks the forfeiture of four computers, according to a statement from the U.S. attorney's office. The indictment was returned Dec. 9, 2016, and was unsealed after Persaud was arrested last month in Arizona. Between 2012 and 2015, Persaud used multiple IP addresses and domains to send spam emails over at least nine networks, including several servers in Chicago, according to the indictment. He sent more than a million spam emails to people in the U.S. and abroad, using false names to register domains and creating fraudulent "from address" fields to conceal the fact that he was the one sending the emails. Each count carries a maximum sentence of 20 years in prison.
mi leaves us with some rather unpleasant imagery, writing: "Personally, I wish [the sentence] carried removal of 1 square millimeter of skin for each message instead."
Republicans

Russia Considers Sending Snowden Back To US As a 'Gift' To Trump (nbcnews.com) 294

An anonymous reader quotes a report from NBC News: U.S. intelligence has collected information that Russia is considering turning over Edward Snowden as a "gift" to President Donald Trump -- who has called the NSA leaker a "spy" and a "traitor" who deserves to be executed. That's according to a senior U.S. official who has analyzed a series of highly sensitive intelligence reports detailing Russian deliberations and who says a Snowden handover is one of various ploys to "curry favor" with Trump. A second source in the intelligence community confirms the intelligence about the Russian conversations and notes it has been gathered since the inauguration. Snowden's ACLU lawyer, Ben Wizner, told NBC News they are unaware of any plans that would send him back to the United States. "Team Snowden has received no such signals and has no new reason for concern," Wizner said. Former deputy national security adviser Juan Zarate urged the Trump administration to be cautious in accepting any Snowden offer from Russian President Vladimir Putin. The White House had no comment, but the Justice Department told NBC News it would welcome the return of Snowden, who currently faces federal charges that carry a minimum of 30 years in prison. Putin spokesman Dmitry Peskov said talk about returning Snowden is "nonsense." If he were returned to American soil, Snowden -- a divisive figure in America who is seen by some as a hero and others as treasonous -- would face an administration that has condemned him in the strongest terms.
The Courts

Former CIA Analyst Sues Defense Department To Vindicate NSA Whistleblowers (theintercept.com) 22

An anonymous reader quotes a report from The Intercept: In 2010, Thomas Drake, a former senior employee at the National Security Agency, was charged with espionage for speaking to a reporter from the Baltimore Sun about a bloated, dysfunctional intelligence program he believed would violate Americans' privacy. The case against him eventually fell apart, and he pled guilty to a single misdemeanor, but his career in the NSA was over. Though Drake was largely vindicated, the central question he raised about technology and privacy has never been resolved. Almost seven years have passed now, but Pat Eddington, a former CIA analyst, is still trying to prove that Drake was right. While working for Rep. Rush Holt, D-N.J., Eddington had the unique opportunity to comb through still-classified documents that outline the history of two competing NSA programs known as ThinThread and Trailblazer. He's seen an unredacted version of the Pentagon inspector general's 2004 audit of the NSA's failures during that time, and has filed Freedom of Information Act requests. In January, Eddington decided to take those efforts a step further by suing the Department of Defense to obtain the material, he tells The Intercept. "Those documents completely vindicate" those who advocated for ThinThread at personal risk, says Eddington.