Trust the World's Fastest VPN with Your Internet Security & Freedom with PureVPN - 79% off. ×
Security

Samsung Smart Home Flaws Let Hackers Pick Connected Doors From Anywhere In the World (arstechnica.com) 59

Researchers have discovered flaws in Samsung's Smart Home automation system, which if exploited, allows them to carry a range of remote attacks. These attacks include digitally picking connected door locks from anywhere in the world. The flaws have been documented by researchers from the University of Michigan ahead of the 2016 IEEE Symposium on Security and Privacy. "All of the above attacks expose a household to significant harm -- break-ins, theft, misinformation, and vandalism," the researchers wrote in a paper. "The attack vectors are not specific to a particular device and are broadly applicable." Dan Goodin, reports for Ars Technica: Other attacks included a malicious app that was able to obtain the PIN code to a smart lock and send it in a text message to attackers, disable a preprogrammed vacation mode setting, and issue a fake fire alarm. The one posing the biggest threat was the remote lock-picking attack, which the researchers referred to as a "backdoor pin code injection attack." It exploited vulnerabilities in an existing app in the SmartThings app store that gives an attacker sustained and largely surreptitious access to users' homes. The attack worked by obtaining the OAuth token that the app and SmartThings platform relied on to authenticate legitimate users. The only interaction it required was for targeted users to click on an attacker-supplied HTTPS link that looked much like this one that led to the authentic SmartThings login page. The user would then enter the username and password. A flaw in the app allowed the link to redirect the credentials away from the SmartThings page to an attacker-controlled address. From then on, the attackers had the same remote access over the lock that users had.
Ubuntu

Ubuntu Founder Pledges No Back Doors In Linux (eweek.com) 89

Mark Shuttleworth, founder of Canonical and Ubuntu Foundation, gave an interview to eWeek this week ahead of Ubuntu Online Summit (UOS). In the wide-ranging interview, Shuttleworth teased some features that we could expect in Ubuntu 16.10, and also talked about security and privacy. From the report: One thing that Ubuntu Linux users will also continue to rely on is the strong principled stance that Shuttleworth has on encryption. With the rapid growth of the Linux Foundation's Let's Encrypt free Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate platform this year, Shuttleworth noted that it's a good idea to consider how that might work in an integrated way with Ubuntu. Overall, he said, the move to encryption as a universal expectation is really important. "We don't do encryption to hide things; we do encryption so we can choose what to share," Shuttleworth said. "That's a profound choice we should all be able to make." Shuttleworth emphasized that on the encryption debate, Canonical and Ubuntu are crystal clear. "We will never backdoor Ubuntu; we will never weaken encryption," he said.
Government

Kim Jong-Un Bans All Weddings, Funerals And Freedom Of Movement In North Korea (independent.co.uk) 187

An anonymous reader quotes a report from The Independent: Weddings and funerals have been banned and Pyongyang is in lockdown as preparations for a once-in-a-generation party congress get underway in North Korea. The ruling Worker's Party of Korea, headed by the country's leader, Kim Jong-un, is due to stage the first gathering of its kind for 36 years on Friday. Free movement in and out of the capital has also been forbidden and there has been an increase in inspections and property searches, according to Daily NK, which claims to have sources in the country. The temporary measures are said to be an attempt to minimize the risk of "mishaps" at the event, according to Cheong Joon-hee, a spokesman at South Korea's Unification Ministry. Meanwhile, North Korea has been conducting missile tests left and right, many of which have failed miserably.
AI

Self-Driving Features Could Lead To More Sex In Moving Cars, Expert Warns (www.cbc.ca) 243

An anonymous reader writes: According to CBC.ca, "At least one expert is anticipating that, as the so-called 'smart' cars get smarter, there will eventually be an increase in an unusual form of distracted driving: hanky-panky behind the wheel." Barrie Kirk of the Canadian Automated Vehicles Centre of Excellence said, "I am predicting that, once computers are doing the driving, there will be a lot more sex in cars. That's one of several things people will do which will inhibit their ability to respond quickly when the computer says to the human, 'Take over.'" Federal officials, who have been tasked with building a regulatory framework to govern driverless cars, highlighted their concerns in briefing notes compiled for Transport Minister Marc Garneau. "Drivers tend to overestimate the performance of automation and will naturally turn their focus away from the road when they turn on their auto-pilot," said the note. The Tesla autopilot feature has been receiving the most criticism as there have been many videos posted online showing Tesla drivers engaged in questionable practices, including reading a newspaper or brushing their teeth.
Encryption

Without Encryption, Everything Stops, Says Snowden (thehill.com) 139

An anonymous reader writes about Snowden's appearance on a debate with CNN's Fareed Zakaria: Edward Snowden defended the importance of encryption, calling it the "backbone of computer security." He said, "Encryption saves lives. Encryption protects property. Without it, our economy stops. Our government stops. Everything stops. Our intelligence agencies say computer security is a bigger problem than terrorism, than crime, than anything else," he noted. "[...] Lawful access to any device or communication cannot be provided to anybody without fatally compromising the security of everybody."
Crime

The Government Wants Your Fingerprint To Unlock Phones (dailygazette.com) 220

schwit1 quotes this report from the Daily Gazette: "As the world watched the FBI spar with Apple this winter in an attempt to hack into a San Bernardino shooter's iPhone, federal officials were quietly waging a different encryption battle in a Los Angeles courtroom. There, authorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone contained Apple's fingerprint identification system for unlocking, and prosecutors wanted access to the data inside it.

It marked a rare time that prosecutors have demanded a person provide a fingerprint to open a computer, but experts expect such cases to become more common as cracking digital security becomes a larger part of law enforcement work. The Glendale case and others like it are forcing courts to address a basic question: How far can the government go to obtain biometric markers such as fingerprints and hair?"

The Military

Drones Being Used By Peeping Toms, The Military, And Terrorists (newsweek.com) 100

An anonymous reader writes: A 19-year-old woman called Massachusetts police about a drone peeking through her second-story window at 3 a.m. -- and was told no laws had been violated. Kansas is now passing an anti-harassment law after a woman reported her neighbor's drone was hovering over their pool and outside the window where her 16-year-old daughter was washing dishes. But meanwhile, the U.S. Navy has just outfitted one supercarrier with a new drone control room, while one Dutch activist writes in Newsweek that terrorist drone attacks "are not a matter of 'If' but 'When'." Noting that drones are cheap, portable and useful, PAX's Wim Zwijnenburg warns that "Terrorists and armed militia groups are already using consumer drones in conflict situations" -- for example, in Iraq, Syria, Gaza, and the Ukraine -- "and it is likely only a matter of time before they use them to carry out attacks in Europe or the U.S."

He believes ISIS is developing its own drone fleet, and warns about the possibility of swarms with "dozens of drones equipped with explosives or chemicals". Zwijnenburg proposes background checks and registrations for certain types of drones, as well as counter-drone technology to protect airports, crowded stadiums, and critical infrastructure points. Citing the blurring lines between military and civilian drones, he writes that "there needs to be an urgent and frank discussion among industry, the military, law enforcement, and most of all, the public, as to where we go from here."

Meanwhile, another prison just reported a drone had flown over their wall -- this time a Teenage Mutant Ninja Turtle Heli Ball.
Electronic Frontier Foundation

Humble Bundle Announces 'Hacker' Pay-What-You-Want Sale (humblebundle.com) 52

An anonymous reader writes: Humble Bundle announced a special "pay what you want" sale for four ebooks from No Starch Press, with proceeds going to the Electronic Frontier Foundation (or to the charity of your choice). This "hacker edition" sale includes two relatively new titles from 2015 -- "Automate the Boring Stuff with Python" and Violet Blue's "Smart Girl's Guide to Privacy," as well as "Hacking the Xbox: An Introduction to Reverse Engineering" by Andrew "bunnie" Huang, and "The Linux Command Line".

Hackers who are willing to pay "more than the average" -- currently $14.87 -- can also unlock a set of five more books, which includes "The Maker's Guide to the Zombie Apocalypse: Defend Your Base with Simple Circuits, Arduino, and Raspberry Pi". (This level also includes "Bitcoin for the Befuddled" and "Designing BSD Rootkits: An Introduction to Kernel Hacking".) And at the $15 level -- just 13 cents more -- four additional books are unlocked. "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" is available at this level, as well as "Hacking: The Art of Exploitation" and "Black Hat Python."

Nice to see they've already sold 28,506 bundles, which are DRM-free and available in PDF, EPUB, and MOBI format. (I still remember Slashdot's 2012 interview with Make magazine's Andrew "bunnie" Huang, who Samzenpus described as "one of the most famous hardware and software hackers in the world.")
Security

Berkeley Researchers Examine Five Worst-Case Security Nightmares (berkeley.edu) 22

An anonymous reader writes: Berkeley researchers have gamed out five worst-case security scenarios at their Center for Long-Term Cybersecurity, calling it "a disciplined, imaginative approach to modeling what cybersecurity could mean in the future...to provoke a discussion about what the cybersecurity research and policy communities need to do now in order to be better positioned..." Two of the scenarios are set in 2020 -- one called "The New Normal" imagining a world were users assume their personal information can no longer be kept safe, and another involving the privacy and security implications in a world where hackers lurk undetected on a now-ubiquitous Internet of Things.

"Our goal is to identify emerging issues that will become more important..." they write in an executive summary, including "issues on the table today that may become less salient or critical; and new issues that researchers and decision-makers a few years from now will have wished people in the research and policy communities had noticed -- and begun to act on -- earlier.

Scenario #2 imagines a super-intelligent A.I. which can predict and even manipulate the behavior of individuals, and scenario #3 involves criminals exploiting valuable data sets -- and data scientists -- after an economic collapse.
Security

Slack To Disable Thousands of Logins Leaked on GitHub (detectify.com) 27

An anonymous reader writes: Thursday one technology site reported that thousands of developers building bots for the team-collaboration tool Slack were exposing their login credentials in public GitHub repositories and tickets. "The irony is that a lot of these bots are mostly fun 'weekend projects', reported Detectify. "We saw examples of fit bots, reminding you to stretch throughout the day, quote bots, quoting both Jurassic Park...and Don Quixote...."

Slack responded that they're now actively searching for publicly-posted login credentials, "and when we find any, we revoke the tokens and notify both the users who created them, as well as the owners of affected teams." Detectify notes the lapse in security had occurred at a wide variety of sites, including "Forbes 500 companies, payment providers, multiple internet service providers and health care providers... University classes at some of the world's best-known schools. Newspapers sharing their bots as part of stories. The list goes on and on..."

AI

Google AI Has Access To 1.6M People's NHS Records (newscientist.com) 49

Hal Hodson, reporting for New Scientist:It's no secret that Google has broad ambitions in healthcare. But a document obtained by New Scientist reveals that the tech giant's collaboration with the UK's National Health Service goes far beyond what has been publicly announced. The document -- a data-sharing agreement between Google-owned artificial intelligence company DeepMind and the Royal Free NHS Trust -- gives the clearest picture yet of what the company is doing and what sensitive data it now has access to. The agreement gives DeepMind access to a wide range of healthcare data on the 1.6 million patients who pass through three London hospitals run by the Royal Free NHS Trust -- Barnet, Chase Farm and the Royal Free -- each year. This will include information about people who are HIV-positive, for instance, as well as details of drug overdoses and abortions. The agreement also includes access to patient data from the last five years. According to their original agreement, Google cannot use the data in any other part of its business.
Government

Supreme Court Gives FBI More Hacking Power (theintercept.com) 174

An anonymous reader cites an article on The Intercept (edited and condensed): The Supreme Court on Thursday approved changes that would make it easier for the FBI to hack into computers, many of them belonging to victims of cybercrime. The changes, which will take immediate effect in December unless Congress adopts competing legislation, would allow the FBI go hunting for anyone browsing the Internet anonymously in the U.S. with a single warrant. Previously, under the federal rules on criminal procedures, a magistrate judge couldn't approve a warrant request to search a computer remotely if the investigator didn't know where the computer was -- because it might be outside his or her jurisdiction. The rule change would allow a magistrate judge to issue a warrant to search or seize an electronic device if the target is using anonymity software like Tor."Unbelievable," said Edward Snowden. "FBI sneaks radical expansion of power through courts, avoiding public debate." Ahmed Ghappour, a visiting professor at University of California Hastings Law School, has described it as "possibly the broadest expansion of extraterritorial surveillance power since the FBI's inception."
Communications

The Critical Hole At the Heart Of Our Cell Phone Networks (wired.com) 32

An anonymous reader writes: Kim Zetter from WIRED writes an intriguing report about a vulnerability at the heart of our cell phone networks. It centers around Signaling System No. 7 (SS7), which refers to a data network -- and the protocols or rules that govern how information gets exchanged over it. Zetter writes, "It was designed in the 1970s to track and connect landline calls across different carrier networks, but is now commonly used to calculate cellular billing and send text messages, in addition to routing mobile and landline calls between carriers and regional switching centers. SS7 is part of the telecommunications backbone but is not the network your voice calls go through; it's a separate administrative network with a different function." According to WIRED, the problem is that SS7 is based on trust -- any request a telecom receives is considered legitimate. In addition to telecoms, government agencies, commercial companies and criminal groups can gain access to the network. Most attacks can be defended with readily available technologies, but more involved attacks take longer to defend against. T-Mobile and ATT have vulnerabilities with fixes that have yet to be implemented for example.
Encryption

Top Security Experts Say Anti-Encryption Bill Authors Are 'Woefully Ignorant' (dailydot.com) 90

blottsie writes from a report on the Daily Dot: In a Wall Street Journal editorial titled "Encryption Without Tears," Sens. Richard Burr and Dianne Feinstein pushed back on widespread condemnation of their Compliance with Court Orders Act, which would require tech companies to provide authorities with user data in an "intelligible" format if served with a warrant. But security experts Bruce Schneir, Matthew Green, and others say the lawmakers entirely misunderstand the issue. "On a weekly basis we see gigabytes of that information dumped to the Internet," Green told the Daily Dot. "This is the whole problem that encryption is intended to solve." He added: "You can't hold out the current flaws in the Internet as a justification for why the Internet shouldn't be made secure." "These criticisms of Burr and Feinstein's analogy emphasize an important point about digital security: The differences between the levels of encryption protecting certain types of data -- purchase records on Amazon's servers versus photos on an iPhone, for example -- lead to different levels of risk," writes Eric Geller of the Daily Dot.
Security

Cisco Finds Backdoor Installed On 12 Million PCs (securityweek.com) 67

Reader wiredmikey writes: Security researchers at Cisco have come across a piece of software that installed backdoors on 12 million computers around the world. Researchers determined that the application, installed with administrator rights, was capable not only of downloading and installing other tools, such as a known scareware called System Healer, but also of harvesting personal information. The software, which exhibits adware and spyware capabilities, was developed by a French online advertising company called Tuto4PC. The "features" have led Cisco Talos to classify the Tuto4PC software as a "full backdoor capable of a multitude of undesirable functions on the victim machine." Tuto4PC said its network consisted of nearly 12 million PCs in 2014, which could explain why Cisco's systems detected the backdoor on 12 million devices. An analysis of a sample set revealed infections in the United States, Australia, Japan, Spain, the UK, France and New Zealand.Tuto4PC has received flak from many over the years, including French regulators.
Bug

American Samoa Domain Registry Was Exposing Client Data Since the Mid-1990s (softpedia.com) 17

An anonymous reader quotes a report from Softpedia: A British security researcher that goes online only by the name of InfoSec Guy revealed today that American Samoa domain registry ASNIC was using an outdated domain name management system that contained a bug allowing anyone to view the personal details of any .as domain owner. The researcher also claims that anyone knowing of this bug would have been able to edit and delete any .as domain, just by altering the ASNIC domain info URL. Some of the big brands that own .as domains include Opera, Flickr, Twitter, McDonald's, British Gas, Bose, Adidas, the University of Texas, and many link shortening services. This flawed system has been online since the mid-1990s. The researcher contacted ASNIC after discovering the flaw at the end of January 2016, but email exchanges with the domain registry were scarce and confusing, with the registry issuing a statement today denying the incident and calling the allegations "inaccurate, misleading and sexed-up to the max," after previously acknowledging and fixing the security flaws.
Government

House Passes Email Privacy Act, Requiring Warrants For Obtaining Emails (techcrunch.com) 61

An anonymous reader quotes a report from TechCrunch: The U.S. House of Representatives has passed H.R. 699, the Email Privacy Act, sending it on to the Senate and from there, hopefully anyhow, to the President. The yeas were swift and unanimous. The bill, which was introduced in the House early last year and quickly found bipartisan support, updates the 1986 Electronic Communications Privacy Act, closing a loophole that allowed emails and other communications to be obtained without a warrant. It's actually a good law, even if it is arriving a couple of decades late. "Under current law, there are more protections for a letter in a filing cabinet than an email on a server," said Congresswoman Suzan Delbene during the debate period. An earlier version of the bill also required that authorities disclose that warrant to the person it affected within 10 days, or 3 if the warrant related to a government entity. That clause was taken out in committee -- something trade groups and some of the Representatives objected to as an unpleasant compromise.
Government

Former Tor Developer Created Malware To Hack Tor Users For The FBI (dailydot.com) 72

Patrick O'Neill writes: Matt Edman is a cybersecurity expert who worked as a part-time employee at Tor Project, the nonprofit that builds Tor software and maintains the network, almost a decade ago. Since then, he's developed potent malware used by law enforcement to unmask Tor users. It's been wielded in multiple investigations by federal law-enforcement and U.S. intelligence agencies in several high-profile cases. The Tor Project has confirmed this report in a statement after being contacted by the Daily Dot, "It has come to out attention that Matt Edman, who worked with the Tor Project until 2009, subsequently was employed by a defense contractor working for the FBI to develop anti-Tor malware." Maybe Tor users will now be less likely to anonymously check Facebook each month...
Communications

There Will Be A Huge New 'Panama Papers' Data Dump (businessinsider.com) 109

An anonymous reader writes: The International Consortium of Investigative Journalists said in an email that on May 9 it would "publish what will likely be the largest-ever release of information about secret offshore companies and the people behind them," based on data from the Panama Papers investigation. "The searchable database will include information about more than 200,000 companies, trusts, foundations, and funds incorporated in 21 tax havens, from Hong Kong to Nevada in the United States." The ICIJ said in the email, "The impact of Panama Papers has been epic." The investigation has caused Icelandic Prime Minister Sigmundur David Gunnlaugsson to resign following revelations about his personal finances. It has caused Putin to point fingers at the West, accusing the U.S. of trying to weaken Russia. It has even created drama in the UK with calls for Prime Minister David Cameron to resign after his connections to offshore companies became evident. In addition, the ICIJ said, "[The Panama Papers investigation] sparked a new sense of urgency among lawmakers and regulators to close loopholes and make information about the owners of shell companies public."
Encryption

A Complete Guide To The New 'Crypto Wars' (dailydot.com) 68

blottsie writes: The latest debate over encryption did not begin with a court order demanding Apple help the FBI unlock a dead terrorist's iPhone. The new "Crypto Wars," chronicled in a comprehensive timeline by Eric Geller of the Daily Dot, dates back to at least 2003, with the introduction of "Patriot Act II." The battle over privacy and personal security versus crime-fighting and national security has, however, become a mainstream debate in recent months. The timeline covers a wide-range of incidents where the U.S. and other allied governments have tried to restrict citizens' access to strong encryption. The timeline ends with the director of national intelligence blaming NSA whistleblower Edward Snowden for advancing the spread of user-friendly, widely available strong encryption.

Slashdot Top Deals