Security

Crooks Reused Passwords On the Dark Web So Dutch Police Took Over Their Accounts (bleepingcomputer.com) 9

An anonymous reader writes: Dutch Police are aggressively going after Dark Web vendors using data they collected from the recently seized Hansa Market. According to reports, police are using the Hansa login credentials to authenticate on other Dark Web portals, such as Dream. If vendors reused passwords, police take over the accounts and set up traps or map the sales of illegal products. Other crooks noticed the account hijacks because Dutch Police replaced the PGP key for the hijacked accounts with their own, which was accidentally signed with the name "Dutch Police." The second method of operation spotted by the Dark Web community involves so-called "locktime" files that were downloaded from the Hansa Market before Dutch authorities shut it down on July 20. Under normal circumstances a locktime file is a simple log of a vendor's market transaction, containing details about the sold product, the buyer, the time of the sale, the price, and Hansa's signature. The files are used as authentication by vendors to request the release of Bitcoin funds after a sale's conclusion, or if the market goes down for technical reasons. Before the market went down, these locktime files were replaced with Excel files that contained a hidden image that would beacon back to police servers, exposing the vendor's real location. Dutch Police were able to do this because they took over Hansa servers on June 20 and operated the market for one more month, collecting data on vendors.
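The "hidden image that beacons back" trick works because an Office file can reference a picture by URL instead of embedding it; when the document is opened, the application fetches the image and the server logs the opener's address. The report does not say how the police built their files, so the script below is an added example (not code from the article or from the investigation) that checks for the usual mechanism: an OOXML relationship whose Target is external. It constructs a minimal .xlsx-style package inline, with a hypothetical beacon hostname, so it runs offline; point `find_external_refs` at the bytes of any real .xlsx/.docx/.pptx to triage it the same way.

```python
"""
Scan an OOXML package (.xlsx/.docx/.pptx) for relationships that point at
external URLs. A remotely hosted image is the classic "tracking pixel"
in Office documents: the viewer fetches it on open and leaks its IP.

Added example, not code from the article or the Hansa investigation.
The sample workbook is constructed inline (hypothetical host name).
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
DRAWING_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/drawing"
# Any scheme that would make the viewer talk to something outside the package.
REMOTE = re.compile(r"^(https?|ftp|file|\\\\)", re.IGNORECASE)


def find_external_refs(blob: bytes) -> list[dict]:
    """Return every relationship in the package whose Target is external.

    Office marks URL targets with TargetMode="External"; the regex catches
    packages that omit the attribute but still carry a remote target.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                if mode == "External" or REMOTE.match(target):
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                        "is_image": rel.get("Type") == IMAGE_REL,
                    })
    return findings


def build_sample_workbook() -> bytes:
    """Constructed minimal .xlsx skeleton: one sheet with one drawing whose
    picture is fetched from a remote host (the hostname is made up)."""
    sheet_rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{DRAWING_REL}" '
        'Target="../drawings/drawing1.xml"/>'
        '</Relationships>'
    )
    drawing_rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{IMAGE_REL}" '
        'Target="http://beacon.example.invalid/pixel.png" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", sheet_rels)
        z.writestr("xl/drawings/_rels/drawing1.xml.rels", drawing_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_external_refs(build_sample_workbook()):
        flag = "IMAGE BEACON" if f["is_image"] else "external ref"
        print(f"{flag}: {f['part']} {f['id']} {f['type']} -> {f['target']}")
```

The internal drawing relationship is reported as clean and only the remote image surfaces. For a vendor handling files from a market they no longer trust, the safer habit is to open such attachments offline or strip external relationships before viewing; the relationship scan above is cheap enough to run on every incoming document.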
Security

Ask Slashdot: Should Average Consumers Install More Than One Antivirus Program On Their System? 41

Even though you would assume that people would know better, an anonymous reader writes, in my experience I have found many who think installing more than one antivirus program on their computer is the right way to go about it. Some have installed as many as three third-party security suites, which, among other things, takes a toll on performance. This week the New York Times' tech tip section addresses the matter. From the article, which may be paywalled, but you don't have to read it in its entirety anyway: Installing more than one program to constantly scan and monitor your PC for viruses and other security threats can create problems, because the two applications will likely interfere with each other's work. Clashing antivirus programs can cause the computer to behave erratically and run more slowly as the applications battle for system resources. Microsoft advises against running its Windows Defender security software on the same system with another installed third-party antivirus program. Likewise, antivirus software companies also warn against using other system security products when you are using theirs; Bitdefender, Kaspersky Lab and Symantec all have articles on their sites explaining the potential problems in detail. Programs that do not constantly patrol your operating system, like mail scanners, may not be an issue. What do you folks recommend to people who are not as tech-savvy?
Security

Roomba Is No Spy: CEO Says iRobot Will Never Sell Your Data (zdnet.com) 68

It's been a challenging week for iRobot, the company behind the popular Roomba robotic vacuums. From a report: It started with an interview in Reuters, in which the company's chief executive Colin Angle gave the clear impression that iRobot was selling consumers' home mapping data (Editor's note: the chief executive said the company intended to explore the opportunity). Last night, Angle and iRobot got back to me on this issue. They provided the following response to the concerns I and others shared. "First things first, iRobot will never sell your data. Our mission is to help you keep a cleaner home and, in time, to help the smart home and the devices in it work better. There's no doubt that a robot can help your home be smarter. It's the data it collects to do its job, and the trusted relationship between you, your robot and iRobot, that is critical for that to happen. Information that is shared needs to be controlled by the customer and not as a data asset of a corporation to exploit. That is how data is handled by iRobot today. Customers have control over sharing it. I want to make very clear that this is how data will be handled in the future."
United States

Congress Asks US Agencies For Kaspersky Lab Cyber Documents (reuters.com) 24

Reuters reports: A U.S. congressional panel this week asked 22 government agencies to share documents on Moscow-based cyber firm Kaspersky Lab, saying its products could be used to carry out "nefarious activities against the United States," according to letters seen by Reuters. The requests made on Thursday by the U.S. House of Representatives Committee on Science, Space and Technology are the latest blow to the antivirus company, which has been countering accusations by U.S. officials that it may be vulnerable to Russian government influence. The committee asked the agencies for all documents and communications about Kaspersky Lab products dating back to Jan. 1, 2013, including any internal risk assessments. It also requested lists of any systems that use Kaspersky products and the names of any U.S. government contractors or subcontractors that do so. Kaspersky has repeatedly denied that it has ties to any government and said it would not help any government with cyber espionage. It said there is no evidence for the accusations made by U.S. officials. The committee "is concerned that Kaspersky Lab is susceptible to manipulation by the Russian government, and that its products could be used as a tool for espionage, sabotage, or other nefarious activities against the United States," wrote the panel's Republican chairman, Lamar Smith, in the letters.
Privacy

Hacker Cracks Smart Gun Security To Shoot It Without Approval (cnn.com) 360

An anonymous reader shares a CNN report: Smart guns are supposed to be safer than traditional weapons. They're designed to only fire when paired with a second piece of technology that identifies the shooter, like an electronic chip or a fingerprint. Supporters say they could stop accidental shootings or misfires. And they've been lauded by law enforcement as a way to prevent criminals from using stolen or misplaced guns. However, like any technology, they're not unhackable. A hacker known by the pseudonym Plore doesn't want to put a stop to smart guns, but he wants the firearm industry that's increasingly manufacturing these devices to know that they can be hacked. The model Plore hacked is called the Armatix IPI. It pairs electronically with a smart watch so that only the person wearing the watch can fire it. The devices authenticate users via radio signals, electronically talking to each other within a small range. Plore broke the security features in three different ways, including jamming radio signals in the weapon and watch so the gun couldn't be fired, and shooting the gun with no watch nearby by placing strong magnets next to the weapon.
Privacy

Hackers Vandalize Vegas Pool Party Club in 'All Out War' (cnet.com) 44

From a CNET report: Next to DJ Tiesto's loud image on Wet Republic's website sits a photo of a bikini model with a beard and an eye patch, with a simple message: "It's all out war." Not exactly the type of message you'd expect from a spot that advertises itself as a dance club that doubles as a pool party, but when hackers are in town for Defcon, everything seems to be fair game. The hacker convention, which is in its 25th year in Las Vegas, typically has hotels on alert for its three days of Sin City talk, demos and mischief. Guests are encouraged not to pick up any flash drives lying around, and employees are trained to be wary of social engineering -- that is, bad guys pretending to be someone innocent and in need of just a little help. Small acts of vandalism pop up around town. At Caesars Palace, where Defcon is happening, the casino's UPS store told guests it was not accepting any print requests from USB drives or links, and only printing from email attachments. Hackers who saw this laughed, considering that emails are hardly immune from malware. But the message is clear: During these next few days, hackers are going to have their fun, whether it's through a compromised Wi-Fi network or an open-to-mischief website. Wet Republic's site had two images vandalized, both for the "Hot 100" party with DJ Shift. The digital graffiti popped up early Friday morning, less than 24 hours after Defcon kicked off.
Security

Flush Times For Hackers in Booming Cyber Security Job Market (reuters.com) 39

The surge in far-flung and destructive cyber attacks is not good for national security, but for an increasing number of hackers and researchers, it is great for job security. From a report: The new reality is on display in Las Vegas this week at the annual Black Hat and Def Con security conferences, which now have a booming side business in recruiting. "Hosting big parties has enabled us to meet more talent in the community, helping fill key positions and also retain great people," said Jen Ellis, a vice president with cybersecurity firm Rapid7 Inc, which filled the hip Hakkasan nightclub on Wednesday at one of the week's most popular parties. Twenty or even 10 years ago, career options for technology tinkerers were mostly limited to security firms, handfuls of jobs inside mainstream companies, and in government agencies. But as tech has taken over the world, the opportunities in the security field have exploded.
Power

Researchers Discover Critical Security Flaws In Nuke Plant Radiation Monitors (securityweek.com) 42

wiredmikey writes from a report via Security Week: Researchers have discovered multiple unpatched vulnerabilities in radiation monitoring devices that could be leveraged by attackers to reduce personnel safety, delay detection of radiation leaks, or help international smuggling of radioactive material. Ruben Santamarta, a security consultant at Seattle-based IOActive, presented the findings at the Black Hat conference on Wednesday, saying that radiation monitors supplied by Ludlum, Mirion and Digi contain multiple vulnerabilities. There are many kinds of radiation monitors used in many different environments. IOActive concentrated its research on portal monitors, used at airports and seaports; and area monitors, used at Nuclear Power Plants (NPPs). However, little effort was required for the portal monitors: "the initial analysis revealed a complete lack of security in these devices, so further testing wasn't necessary to identify significant vulnerabilities," Santamarta explained in his report (PDF). In the Ludlum Model 53 personnel portal, IOActive found a backdoor password, which could be used to bypass authentication and take control of the device, preventing the triggering of proper alarms.
Bitcoin

US Indicts Suspected Russian 'Mastermind' of $4 Billion Bitcoin Laundering Scheme (reuters.com) 99

schwit1 shares a report from Reuters: A U.S. jury indicted a Russian man on Wednesday as the operator of a digital currency exchange he allegedly used to launder more than $4 billion for people involved in crimes ranging from computer hacking to drug trafficking. Alexander Vinnik was arrested in a small beachside village in northern Greece on Tuesday, according to local authorities, following an investigation led by the U.S. Justice Department along with several other federal agencies and task forces. U.S. officials described Vinnik in a Justice Department statement as the operator of BTC-e, an exchange used to trade the digital currency bitcoin since 2011. They alleged Vinnik and his firm "received" more than $4 billion in bitcoin and did substantial business in the United States without following appropriate protocols to protect against money laundering and other crimes. U.S. authorities also linked him to the failure of Mt. Gox, a Japan-based bitcoin exchange that collapsed in 2014 after being hacked. Vinnik "obtained" funds from the hack of Mt. Gox and laundered them through BTC-e and Tradehill, another San Francisco-based exchange he owned, they said in the statement.
Privacy

German Court Rules Bosses Can't Use Keyboard-Tracking Software To Spy On Workers (thelocal.de) 70

An anonymous reader quotes a report from The Local: The Federal Labour Court ruled on Thursday that evidence collected by a company through keystroke-tracking software could not be used to fire an employee, explaining that such surveillance violates workers' personal rights. The complainant had been working as a web developer at a media agency in North Rhine-Westphalia since 2011 when the company sent an email out in April 2015 explaining that employees' complete "internet traffic" and use of the company computer systems would be logged and permanently saved. Company policy forbade private use of the computers. The firm then installed keylogger software on company PCs to monitor keyboard strokes and regularly take screenshots. Less than a month later, the complainant was called in to speak with his boss about what the company had discovered through the spying software. Based on their findings, they accused him of working for another company while at work, and of developing a computer game for them. [...] So the programmer took his case to court, arguing that the evidence used against him had been collected illegally. The Federal Labour Court agreed with this argument, stating in the ruling that the keylogger software was an unlawful way to control employees. The judges added that using such software could be legitimate if there was a concrete suspicion beforehand of a criminal offense or serious breach of work duties.
Crime

Feds Crack Trump Protesters' Phones To Charge Them With Felony Rioting (thedailybeast.com) 456

An anonymous reader quotes a report from The Daily Beast: Officials seized Trump protesters' cell phones, cracked their passwords, and are now attempting to use the contents to convict them of conspiracy to riot at the presidential inauguration. Prosecutors have indicted over 200 people on felony riot charges for protests in Washington, D.C. on January 20 that broke windows and damaged vehicles. Some defendants face up to 75 years in prison, despite little evidence against them. But a new court filing reveals that investigators have been able to crack into at least eight defendants' locked cell phones. Now prosecutors want to use the internet history, communications, and pictures they extracted from the phones as evidence against the defendants in court. [A] July 21 court document shows that investigators were successful in opening the locked phones. The July 21 filing moved to enter evidence from eight seized phones, six of which were "encrypted" and two of which were not encrypted. A Department of Justice representative confirmed that "encrypted" meant additional privacy settings beyond a lock screen. For the six encrypted phones, investigators were able to compile "a short data report which identifies the phone number associated with the cell phone and limited other information about the phone itself," the filing says. But investigators appear to have bypassed the lock on the two remaining phones to access the entirety of their contents.
Government

Travelers' Electronics At US Airports To Get Enhanced Screening, TSA Says (arstechnica.com) 150

An anonymous reader quotes a report from Ars Technica: Aviation security officials will begin enhanced screening measures of passengers' electronics at US airports, the Transportation Security Administration announced Wednesday. Travelers must remove electronics larger than a mobile phone from their carry-on bags and "place them in a bin with nothing on top or below, similar to how laptops have been screened for years. This simple step helps TSA officers obtain a clearer X-ray image," the TSA announced amid growing fears that electronic devices can pose as homemade bombs. The TSA was quick to point out that the revised security measures do not apply to passengers enrolled in the TSA Precheck program.

"Whether you're flying to, from, or within the United States, TSA is committed to raising the baseline for aviation security by strengthening the overall security of our commercial aviation network to keep flying as a safe option for everyone," TSA Acting Administrator Huban A. Gowadia said. "It is critical for TSA to constantly enhance and adjust security screening procedures to stay ahead of evolving threats and keep passengers safe. By separating personal electronic items such as laptops, tablets, e-readers and handheld game consoles for screening, TSA officers can more closely focus on resolving alarms and stopping terror threats."

Microsoft

Microsoft Launches Windows Bug Bounty Program With Rewards Ranging From $500 To $250,000 (venturebeat.com) 34

Microsoft on Wednesday announced the Windows Bounty Program. Rewards start at a minimum of $500 and can go as high as $250,000. From a report: To be clear, Microsoft already offers many bug bounty programs. This is also not the first to target Windows features -- the company has launched many Windows-specific bounties, starting in 2012. The Windows Bounty Program, however, encompasses Windows 10 and even the Windows Insider Preview, the company's program for testing Windows 10 preview builds. Furthermore, it also has specific focus areas: Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge.
Security

Some Low-Cost Android Phones Come at a Price -- Your Privacy (cnet.com) 86

Cheap phones are coming at the price of your privacy, security analysts discovered. From a report: At $60, the BLU R1 HD is the top-selling phone on Amazon. Last November, researchers caught it secretly sending private data to China. Shanghai Adups Technology, the group behind the spying software on the BLU R1 HD, called it a mistake. But analysts at Kryptowire found the software provider is still making the same "mistake" on other phones. At the Black Hat security conference in Las Vegas on Wednesday, researchers from Kryptowire, a security firm, revealed that Adups' software is still sending a device's data to the company's server in Shanghai without alerting people. But now, it's being more secretive about it. "They replaced them with nicer versions," Ryan Johnson, a research engineer and co-founder at Kryptowire, said. "I have captured the network traffic of them using the Command and Control channel when they did it." An Adups spokeswoman said that it had resolved the issues in 2016 and that the issues "are not existing anymore." Kryptowire said it has observed the company sending data without telling users on at least three different phones.
Businesses

Kaspersky Launches Its Free Antivirus Software Worldwide (engadget.com) 142

Kaspersky has finally launched its free antivirus software after a year-and-a-half of testing it in select regions. From a report: While the software was only available in Russia, Ukraine, Belarus, China and the Nordic countries during its trial run, Kaspersky is now releasing it worldwide. The free antivirus doesn't have the VPN, Parental Controls and Online Payment Protection that its paid counterpart offers, but it has all the essential features you need to protect your PC. It can scan files and emails, protect your PC while you use the web and quarantine malware that infects your system. The company says the software isn't riddled with advertisements like other free antivirus offerings. Instead of trying to make ad money off your patronage, Kaspersky will use the data you contribute to improve machine learning across its products. The free antivirus will be available in the US, Canada and most Asia-Pacific countries over the next couple of days, if it isn't yet. After this initial release, the company will roll it out in other regions from September to November.