Slashdot security articles


Why Social Media Users Have Trouble Reclaiming Hijacked Accounts

Sun, 04/07/2019 - 15:16
After their Instagram accounts were hijacked, two different users say they contacted Instagram ten times -- and even proved their identity by submitting selfies -- but received no response. And one Silicon Valley newspaper points out that if your account is hijacked at Instagram, Google, Facebook, or Twitter, "there's nobody to call... your options are limited to submitting an automated online form and hoping an actual human being gets back to you." In his book "Zucked: Waking Up to the Facebook Catastrophe," longtime Silicon Valley investor Roger McNamee criticized tech companies' approach to user service: "The customer service department is reserved for advertisers. Users are the product, at best, so there is no one for them to call." That's by design at most companies that offer free online services. In "I'm Feeling Lucky: The Confessions of Google Employee Number 59," a 2011 book by Douglas Edwards, he wrote that as Google was beginning to grow, co-founder Sergey Brin asked, "Why do we need to answer user email anyway?" Problems have multiplied as the companies' user bases have skyrocketed. Instagram cited its scale (1 billion users, a spokeswoman pointed out) as one reason all user questions are routed first to an automated system. Facebook, Twitter and Google said they use a combination of humans and automation -- but mostly automation, and in Google's case, forums made up of other users -- to respond to users' concerns. A Google spokesman said the company focuses on making sure user accounts don't get hacked in the first place... One woman discovered her Instagram account had been hijacked and was now posting pornography. "My grandma and cousins are going to block me..." she complained in a tweet, adding "Thanks for nothing!" And the article also cites another woman in California who says she lost access to more than 600 photos she'd posted on Instagram -- only half of which were backed up. Her response?
She created a new Instagram account, this one with two-factor authentication, "and plans to change her password more often." James Plouffe, a lead security architect at a Silicon Valley security software company, also suggests that if you ever do regain access to a hijacked account, "check the account recovery procedures to make sure they're yours, not your attacker's!"

Police Refer Teenaged Crackers For 'Second Chance' Jobs at Cyber-Security Company

Sun, 04/07/2019 - 06:34
This week the BBC reported on teenaged "hackers dragged from a world of crime to fight for the other side" at "a fairly ordinary looking cyber-security company" in southwest England. Bruce66423 shared their report: Bluescreen employs hackers the authorities have deemed worthy of a second chance, who pit their wits against some of the anonymous online criminals they used to see as brothers in arms... Bluescreen IT has a direct link with the police to find hackers in need of direction. These are young men who have been accused of serious crimes, but instead of being taken through the criminal justice system, they've been given a second chance. About 15 people work in the Security Operations Centre, a handful of whom have been referred to the company as hackers who aren't malicious in nature and are deemed capable of reform... There's a relaxed atmosphere when you walk into the Security Operations Centre, but it's serious work. Three monitors on the wall detail which of Bluescreen's clients are being attacked, and how serious the threat is. The clients, mostly smaller and medium-sized businesses from around the South West, are given codenames like "Black Mamba" or "Green Starfish" -- usually a colour and an animal... Bluescreen sees itself as a place to develop young people, give them a second chance, and be a haven for those with nowhere else to go. "It makes me really proud when they achieve industry-recognised qualifications," said the company's chief operating officer, Richard Cashmore. A 16-year-old named Jack stole personal information from about 1,000 people. Years later, when he was 19, "the police sent five squad cars, a tech team and a riot van to his home...." Another employee, Cameron, was arrested on his way to school when he was just 14 years old. "Officers from the National Crime Agency had planned the sting so that Cameron would be out of the house, and unable to destroy his hard drives in the event he heard them coming."
As "apprentices" they start at £650 a month, reports the BBC, but "after five years of experience they could easily be earning close to £50,000 a year."

Chinese HR Firms Have Leaked Over 590 Million Resumes Via Open Databases

Sat, 04/06/2019 - 13:34
An anonymous reader quotes ZDNet: Chinese companies have leaked a whopping 590 million resumes in the first three months of the year, ZDNet has learned from multiple security researchers. Most of the resume leaks have occurred because of poorly secured MongoDB databases and ElasticSearch servers that have been left exposed online without a password, or have ended up online following unexpected firewall errors. Over the past few months, and especially over the last few weeks, ZDNet has received several tips about exposed servers that --when investigated-- belonged to Chinese HR-focused companies. From tiny firms exposing a handful of CVs to professional executive head-hunting firms, they've all leaked their customers' details, in one form or another... Counting all, we have 590.497 million resumes that have leaked from Chinese companies over the past three months, a worrying sign that Chinese HR companies are not taking the security of their servers seriously. The article points out that the resumes include personal information including phone numbers, home addresses, family and marital status, and in some cases, even ID numbers.

White Hat Hackers Cracked 50 UK Universities' Computer Systems In 2 Hours

Sat, 04/06/2019 - 12:34
"A test of UK university defences against cyber-attacks found that in every case hackers were able to obtain 'high-value' data within two hours," writes the BBC. Bruce66423 shares their report: The tests were carried out by "ethical hackers" working for Jisc, the agency providing internet services to the UK's universities and research centres. They were able to access personal data, finance systems and research networks.... The simulated attacks, so-called "penetration testing", were carried out on more than 50 universities in the UK, with some being attacked multiple times. A report into their effectiveness, published by Jisc (formerly the Joint Information Systems Committee) and the Higher Education Policy Institute (Hepi), showed a 100% success rate in getting through the cyber-defences. Within two hours, and in some cases one hour, they were able to reach student and staff personal information, override financial systems and access research databases. The tests were carried out by Jisc's in-house team of ethical hackers, with one of the most effective approaches being so-called "spear phishing"...where an email might appear to be from someone you know or a trusted source but is really a way of concealing an attack, such as downloading "malware".

Security Expert Launches BreachClarity.com, A New Data Breach Response Tool

Sat, 04/06/2019 - 08:34
A new online tool "analyzes publicly disclosed data breaches and gives concrete advice to victims," reported CNET last week. Now the site's creator, data breach expert jimvandyke, is asking Slashdot's readers for feedback: At BreachClarity.com, just enter the name of any data breach you were in (such as 'Anthem', 'Equifax', 'Yahoo', etc.), and click the bright green 'search' button. Every publicly-reported breach since January 2017 (and noteworthy older ones) are in the database, and eventually every publicly-reported breach will be in the database, thanks to my non-profit partner the IDTheftCenter.org (ITRC). Breach Clarity is now available for free in basic form to consumers, as a very simple UI sitting in front of a comprehensive algorithm of my own design. The goal of Breach Clarity is to help people by demystifying how any new data breach creates identity-holder risk of identity theft, identity fraud, and other harms. My goal in creating Breach Clarity is to move past the myths and victim-blaming (for instance, my research finds that very few people are actually 'apathetic' or 'lazy' when it comes to security, and it's simply not true that 'everyone's data is all already out there' for any cyber-criminal who wants to commit fraud in another person's name). Breach Clarity uses dynamic research, technology, and design-thinking to protect people in the face of an onslaught of ongoing data breaches (The ITRC recorded 1,244 publicly reported US ones last year, leading to over $10B in annual identity crimes as reported by my former company Javelin Strategy & Research!)... If you like what you see, please use it and spread the word. The original submission says the site's creator is currently "a one-person pre-funded operation, aiming to create an advanced and more full-featured version of Breach Clarity that will be licensed for financial institutions and employers." But if this is beta testing, there's some great technical support. 
"If you're confused by what you see, you can actually call the phone number in the upper right of BreachClarity and talk to a real person for free. You'll reach my partner, the ITRC, who gets grant funding from law enforcement and foundations." CNET notes that "You can already find out if you've lost login credentials and other sensitive information by visiting Have I Been Pwned or Firefox Monitor. Breach Clarity takes things a step further by helping you decide what to do afterward."

Former Senate Staffer Admits To Doxxing Five Senators On Wikipedia

Fri, 04/05/2019 - 16:50
Jackson Cosko, a former employee of Senator Maggie Hassan, has "admitted to breaking into Hassan's office after being fired, stealing data that included personal contact information, then posting that information online during Supreme Court Justice Brett Kavanaugh's confirmation hearing," reports The Verge. The report says Cosko added several senators' private phone numbers and addresses to Wikipedia. He has pleaded guilty to computer fraud, witness tampering, obstruction of justice, and making restricted personal information public. From the report: Cosko worked as a computer system administrator for Hassan, but he was fired in May of 2018. According to a plea agreement, he retaliated by using another employee's key to break into his old workplace at least four times, installing keyloggers on computers and using stolen login credentials to download gigabytes of data. While watching the Supreme Court confirmation hearing in September, Cosko "became angry" at Republican senators questioning Kavanaugh -- so he posted contact information for Senators Lindsey Graham, Mike Lee, and Orrin Hatch on Wikipedia. Cosko was interning for US Representative Sheila Jackson Lee at the time, and his changes were flagged by a bot that detects Wikipedia edits from congressional computers. The bot inadvertently helped spread the senators' information across Twitter, a process that prosecutors say Cosko aided by tweeting about his leaks. Cosko struck again a few days later, posting information about Senate Majority Leader Mitch McConnell and Senator Rand Paul -- who had called for an investigation -- on Wikipedia. He added comments calling himself a "golden god" who had a legal right to post the information, asking readers to "send us bitcoins." When a witness spotted him in Hassan's office the next day, Cosko responded with a threatening email titled "I own EVERYTHING." 
Cosko claimed he would release private emails, encrypted messages, and the health data and social security numbers for senators' children. "If you tell anyone I will leak it all," he wrote. Cosko was arrested soon after. Attorneys say Cosko could serve up to 57 months in prison, and he's required to give up all the equipment used in the crimes.

Google Adding Chrome Admin Policy To Uninstall Blacklisted Extensions

Fri, 04/05/2019 - 16:10
An anonymous reader quotes a report from BleepingComputer: Google is adding a new admin policy to Chrome that will automatically uninstall browser extensions that are blacklisted by administrators. Currently, administrators can enable a policy called "Configure extension installation blacklist" to create a blacklist of Chrome extensions. These blacklisted extensions are added as individual extension ids, and once added, will prevent managed users from installing the associated extensions. To do this, Windows administrators can download Chrome's policy templates and add them to the Group Policy Editor. Once added, they will be able to configure various group policies. While this policy prevents users from installing an extension, it does not do anything for those users who have already installed the extension. Due to this, administrators have been requesting a new group policy that will cause Chrome to remove any extension that is listed under the "Configure extension installation blacklist" policy. Google agrees and has started working on a new Chrome policy called "Uninstall blacklisted extensions" that will uninstall any extensions whose IDs have been blacklisted. In addition to removing the extensions, it will remove any associated local user data as well. The new policy is expected to be released with Chrome 75, which is heading to beta in May and expected to be released to the Stable channel in June.

Airbnb Guest Found Hidden Surveillance Camera By Scanning Wi-Fi Network

Fri, 04/05/2019 - 14:10
An anonymous reader quotes a report from Ars Technica: A New Zealand family that booked an Airbnb in Ireland recently discovered an undisclosed camera in the living room, and the family says that Airbnb initially cleared the host of any wrongdoing before finally banning the offender from its platform. "Once the family had unpacked, Andrew Barker, who works in IT security, scanned the house's Wi-Fi network," CNN reported today. "The scan unearthed a camera and subsequently a live feed. From the angle of the video, the family tracked down the camera, concealed in what appeared to be a smoke alarm or carbon monoxide detector." Nealie Barker posted an image on Facebook showing the location of the camera in the living room and a shot of the family from the sneaky video feed. Based on the photo, the video of the Barkers seems to have been taken on March 3 and was viewable on the local Wi-Fi network at 192.168.0.4/video/livemb.asp. The family relocated to a hotel and contacted both Airbnb and the property host. The host initially hung up but later called back and told them, "The camera in the living room was the only one in the house," CNN wrote. It's not clear whether the host was recording the video, whether he was capturing audio, whether he was monitoring it remotely in real time, or whether he was using it for anything more than monitoring guests. [...] Airbnb temporarily suspended the listing and promised to investigate, CNN wrote. But when Barker contacted Airbnb again two weeks later, "the company told her that the host had been 'exonerated,' and the listing reinstated." Airbnb finally banned the host after Nealie Barker posted about the disturbing incident on Facebook on Monday this week. Barker's Facebook post said that Airbnb's "investigation which didn't include any follow-up with us exonerated the host, no explanation provided," and that "the listing (with hidden camera not mentioned) is still on Airbnb." 
Airbnb said in a statement to Ars Technica: "Our original handling of this incident did not meet the high standards we set for ourselves, and we have apologized to the family and fully refunded their stay." Airbnb's policy states that hosts must disclose "any type of surveillance device" in listings, "even if it's not turned on or hooked up." Cameras are allowed in certain spaces if they are disclosed, but Airbnb "prohibit[s] any surveillance devices that are in or that observe the interior of certain private spaces (such as bedrooms and bathrooms) regardless of whether they've been disclosed. [...] If a host discloses the device after booking, Airbnb will allow the guest to cancel the reservation and receive a refund. Host cancellation penalties may apply."

12 Years After It Was Notified, Firefox To Add Full Protection Against 'Login Prompt' Spam

Fri, 04/05/2019 - 12:55
Twelve years after it was first notified of the issue, Mozilla has finally shipped a fix this week that will prevent abusive websites -- usually tech support scam sites -- from flooding users with non-stop "authentication required" login popups and preventing users from leaving or closing their browsers. From a report: The fix has been shipped in Firefox v68, the current Nightly release, and will hit the browser's stable branch sometime in early July. According to Firefox engineer Johann Hofmann, starting with Firefox 68, web pages won't be allowed to show more than two login prompts. Starting with the third request, Firefox will intervene to suppress the authentication popup. Mozilla previously shipped a fix for this issue, but it was incomplete, as it blocked authentication prompts that originated from subresources, such as iframes. This latest patch completes the fix by blocking all types of authentication required prompts -- including those generated by the site's main domain.

Making Video Games Is Not a Dream Job

Fri, 04/05/2019 - 07:30
The video game industry is richer than it has ever been. Its revenue in 2018 was $43.8 billion, a recent report estimated, thanks in large part to hugely popular games like Fortnite and Call of Duty. These record-breaking profits could have led one to think that the people who develop video games had it made. But then the blood bath began. From a story, shared by an anonymous reader: In February, Call of Duty's publisher, Activision Blizzard, laid off 8 percent of its staff, or nearly 800 workers, in a cost-cutting massacre. A few weeks later, the game studio ArenaNet cut dozens of positions, while smaller layoffs hit companies like Valve and the digital store operator GOG. And just last week, the video game giant Electronic Arts announced that it was laying off 350 people across the globe. This brutal start to 2019 followed the closures of major game companies like Telltale, the makers of games based on The Walking Dead, and Capcom Vancouver, the large studio behind the popular action series Dead Rising in 2018. All in all, thousands of video game workers have lost their jobs in the past 12 months. In many of these cases, laid-off employees had no idea what was coming. One developer at a major studio told me in February that he and his colleagues had been crunching -- putting in long hours, including nights and weekends -- for a video game release, only to be suddenly told that security was waiting to escort them off the premises. Worker exploitation has always been part of the video game industry's DNA. Executives with multimillion-dollar stock packages often treat their employees like Tetris pieces, to be put into place as efficiently as possible, then promptly disposed of. For many kids who grew up with controllers in their hands, being a game developer is a dream job, so when it comes to talent, supply is higher than demand. 
Some people who make video games receive decent salaries and benefits (experienced programmers at the richest studios can make six figures), but many do not.

Hacker Group Has Been Hijacking DNS Traffic On D-Link Routers For Three Months [Update]

Fri, 04/05/2019 - 05:00
An anonymous reader quotes a report from ZDNet: For the past three months, a cybercrime group has been hacking into home routers -- mostly D-Link models -- to change DNS server settings and hijack traffic meant for legitimate sites and redirect it to malicious clones. The attackers operate by using well-known exploits in router firmware to hack into vulnerable devices and make silent changes to the router's DNS configuration, changes that most users won't ever notice. Targeted routers include the following models (the number to the side of each model lists the number of internet-exposed routers, as seen by the BinaryEdge search engine): D-Link DSL-2640B - 14,327; D-Link DSL-2740R - 379; D-Link DSL-2780B - 0; D-Link DSL-526B - 7; ARG-W4 ADSL routers - 0; DSLink 260E routers - 7; Secutech routers - 17; and TOTOLINK routers - 2,265. Troy Mursch, founder and security researcher at internet monitoring firm Bad Packets, said he detected three distinct waves during which hackers have launched attacks to poison routers' DNS settings -- late December 2018, early February 2019, and late March 2019. Attacks are still ongoing, he said today in a report about these attacks. A normal attack would look like this: 1. User's computer or smartphone receives wrong DNS server settings from the hacked router. 2. User tries to access legitimate site. 3. User's device makes a DNS request to the malicious DNS server. 4. Rogue server returns an incorrect IP address for the legitimate site. 5. User lands on a clone of the legitimate site, where he might be required to log in and share his password with the attackers. Update: 04/05 16:45 GMT by M: The story adds, "According to Stefan Tanase, security researcher at Ixia, these campaigns have hijacked traffic meant for Netflix, Google, PayPal, and some Brazilian banks, and have redirected users to clone sites, hosted over HTTP, on the networks of known bulletproof hosting providers."

Apple Hires AI Expert Ian Goodfellow

Thu, 04/04/2019 - 18:10
One of Google's top minds in artificial intelligence has joined Apple in a director role. Ian Goodfellow said on his LinkedIn profile that he switched employers in March. He said he's a director of machine learning in the Special Projects Group. CNBC reports: Goodfellow is the father of an AI approach known as generative adversarial networks, or GANs. The approach draws on two networks, one known as a generative network and the other known as a discriminative network, and can be used to come up with unusual and creative outputs in the form of audio, video and text. GAN systems have been used to generate "deepfake" fake media content. Goodfellow got his Ph.D. at the University of Montreal in 2014, and since then he has worked at OpenAI and Google. At OpenAI he was paid more than $800,000, according to a tax filing. His research is widely cited in academic literature. At Google Goodfellow did work around GANs and security, including an area known as adversarial attacks. People working on AI at Apple have previously done research that drew on the GAN technology.

Apache Web Server Bug Grants Root Access On Shared Hosting Environments

Thu, 04/04/2019 - 14:50
An anonymous reader quotes a report from ZDNet: This week, the Apache Software Foundation has patched a severe vulnerability in the Apache (httpd) web server project that could --under certain circumstances-- allow rogue server scripts to execute code with root privileges and take over the underlying server. The vulnerability, tracked as CVE-2019-0211, affects Apache web server releases for Unix systems only, from 2.4.17 to 2.4.38, and was fixed this week with the release of version 2.4.39. According to the Apache team, less-privileged Apache child processes (such as CGI scripts) can execute malicious code with the privileges of the parent process. Because on most Unix systems Apache httpd runs under the root user, any threat actor who has planted a malicious CGI script on an Apache server can use CVE-2019-0211 to take over the underlying system running the Apache httpd process, and inherently control the entire machine. "First of all, it is a LOCAL vulnerability, which means you need to have some kind of access to the server," Charles Fol, the security researcher who discovered this vulnerability told ZDNet in an interview yesterday. This means that attackers either have to register accounts with shared hosting providers or compromise existing accounts. Once this happens, the attacker only needs to upload a malicious CGI script through their rented/compromised server's control panel to take control of the hosting provider's server to plant malware or steal data from other customers who have data stored on the same machine. "The web hoster has total access to the server through the 'root' account. If one of the users successfully exploits the vulnerability I reported, he/she will get full access to the server, just like the web hoster," Fol said. "This implies read/write/delete any file/database of the other clients."

Windows 10 Will No Longer Auto Install Feature Updates Twice a Year

Thu, 04/04/2019 - 10:10
Microsoft has announced that starting with the Windows 10 May 2019 Update, which will hit general availability late next month, users will no longer be forced to install new Windows 10 feature updates as they become available. From a report: This comes after feedback from users who have had countless issues with updates breaking programs, losing files, and installing at inconvenient times. Microsoft has been working hard to improve Windows Update, and while the system is better than it was at launch in 2015, it's still not perfect. Now, users will have the option to not have to deal with feature updates when they are released. What Microsoft is doing here is splitting Windows Update in two. The normal "check for updates" button will now only function for security and monthly patches. Feature updates now get their own area in Windows Update where the user can initiate the download and install process for the latest feature update available. If the user doesn't want to initiate that process, they don't have to. The user will be alerted that a new feature update is available every now and then, but at no point will the user be forced to install that update, as long as the version of Windows 10 they're currently running is still in support.

The End of the Desktop?

Thu, 04/04/2019 - 09:30
Steven J. Vaughan-Nichols, writing for ComputerWorld: Of course, at one time, to get any work done with a computer, you first had to learn a lot, about computers, operating systems, commands and more. Eventually, "friendly" became the most important adverb in computing circles, and we've reached the point in user-friendliness that people don't even talk about it anymore. Today, Google has shown with its Chrome OS that most of us can pretty much do anything we need to do on a computer with just a web browser. But Google's path is not Microsoft's path. Instead, it's moving us first to Windows as desktop as a service (DaaS) via Microsoft Managed Desktop (MMD). This bundles Windows 10 Enterprise, Office 365 and Enterprise Mobility + Security and cloud-based system management into Microsoft 365 Enterprise. The next step, Windows Virtual Desktop, enables companies to virtualize Windows 7 and 10, Office 365 ProPlus apps and other third-party applications on Azure-based virtual machines. If all goes well, you'll be able to subscribe to Windows Virtual Desktop this fall. Of course, Virtual Desktop is a play for business users -- for now. I expect Virtual Desktop to be offered to consumers in 2020. By 2025, Windows as an actual desktop operating system will be a niche product. Sound crazy? Uh, you do know that Microsoft already really, really wants you to "rent" Office 365 rather than buy Office 2019, don't you? But what about games, you say? We'll always have Windows for games! Will we? Google, with its Google Stadia gaming cloud service, is betting we're ready to move our games to the cloud as well. It's no pipe dream. Valve has been doing pretty well for years now with its Steam variation on this theme. So where is all this taking us? I see a world where the PC desktop disappears for all but a few.
Most of us will be writing our documents, filling out our spreadsheets and doing whatever else we now do on our PCs via cloud-based applications on smart terminals running Chrome OS or Windows Lite. If you want a "real" PC, your choices are going to be Linux or macOS.

Microsoft Bounty Program Offers Larger Rewards For Bug Hunters

Thu, 04/04/2019 - 08:10
Microsoft, which already offers one of the biggest bug bounty programs, said today it is increasing the payouts it makes and the time it takes to push the payments. From a report: A key change in policy is that Microsoft will no longer wait until a fix has been produced for a bug until making a payout -- now the only requirement is that a bug can be reproduced. This is thanks in part to a partnership with HackerOne. [...] The maximum bounty has increased from $15,000 to $50,000 for the Windows Insider Preview bounty and from $15K to $20K for the Microsoft Cloud Bounty.

MIT Cuts Funding Ties With Huawei, ZTE Citing US National Security Concerns

Thu, 04/04/2019 - 02:00
Following similar moves by Stanford, University of California Berkeley and University of Minnesota, Massachusetts Institute of Technology announced that it is cutting ties with Huawei and ZTE, citing U.S. national security concerns. "At this time, based on this enhanced review, MIT is not accepting new engagements or renewing existing ones with Huawei and ZTE or their respective subsidiaries due to federal investigations regarding violations of sanction restrictions," Richard Lester, MIT's associate provost, and Maria Zuber, the school's vice-president for research, said in a letter to faculty on Wednesday. The South China Morning Post reports: MIT's move is part of a broader effort to strengthen its vetting of research partners, which may affect relationships with other entities in mainland China, Hong Kong, Russia and Saudi Arabia. "Most recently we have determined that engagements with certain countries -- currently China [including Hong Kong], Russia and Saudi Arabia -- merit additional faculty and administrative review beyond the usual evaluations that all international projects receive," the letter said. The Protect Our Universities Act, introduced last month by Representative Jim Banks, an Indiana Republican, would establish a task force, led by the U.S. Department of Education, to maintain a list of "sensitive" research projects, including those financed by the defense and energy departments and U.S. intelligence agencies. The proposed body would monitor foreign student participation in those projects. Students with past or current Chinese citizenship would not be allowed access to the projects without a waiver from the director of national intelligence. The Act also calls for the intelligence director to create a list of foreign entities that "pose a threat of espionage with respect to sensitive research," and stipulates that Huawei and ZTE be included.

'It's Time To End the NSA's Metadata Collection Program'

Wed, 04/03/2019 - 16:30
Jake Laperruque, Senior Counsel at The Constitution Project, where he is working on issues of government surveillance, national security and defending privacy rights in the digital age, argues via Wired that it's time to end the National Security Agency's metadata collection program, known as CDR. An anonymous reader shares an excerpt: In 2015, Congress passed the USA Freedom Act to reform Section 215 and prohibit the nationwide bulk collection of communications metadata, like who we make calls to and receive them from, when, and the call duration. The provision was replaced with a significantly slimmed-down call detail record program, known as CDR. Rather than collecting information in bulk, CDR collects communications metadata of surveillance targets as well as those of individuals up to two degrees of separation (commonly called "two hops") from the surveillance target. But this newer system appears to be no more effective than its predecessor and is highly damaging to constitutional rights. Given this combination, it's time for Congress to pull the plug and end the authority for the CDR program. It's unsurprising that just last week a bipartisan group in Congress introduced a bill to do so. Last month, the New York Times reported that a highly placed congressional staffer had stated that the CDR program has been out of operation for months, and several days later, NSA Director Paul Nakasone issued comments responding to questions about the Times story by saying the NSA was deliberating the future of the program. If accurate, this news is major but not shocking; this large-scale-collection program has been fraught with problems. 
Last year, the NSA announced that technical problems had caused it to collect information it wasn't legally authorized to, and that in response, the agency had voluntarily deleted all the call detail records it had previously acquired through the CDR program -- without even waiting for a court order or trying to save some of the data -- indicating that the system was unwieldy and the data being collected was not important to the agency.

Huawei Laptop 'Backdoor' Flaw Raises Concerns

Wed, 04/03/2019 - 14:30
A flaw in Huawei Matebook laptops, found by Microsoft researchers, could have been used to take control of machines. From a report: The "sophisticated flaw" had probably been introduced at the manufacturing stage, one expert told BBC News. Huawei is under increasing scrutiny around the world over how closely it is tied to the Chinese government. The company, which denies any collusion with Beijing, corrected the flaw after it was notified about it in January. Prof Alan Woodward, a computer security expert based at Surrey University, told BBC News the flaw had the hallmarks of a "backdoor" created by the US's National Security Agency to spy on the computers of targets. That tool was leaked online and has been used by a wide variety of hackers, including those who are state-sponsored and criminal gangs. "It was introduced at the manufacture stage but the path by which it came to be there is unknown and the fact that it looks like an exploit that is linked to the NSA doesn't mean anything," Prof Woodward said.

Kaspersky Lab Will Warn You If Your Phone is Infected With Stalkerware

Wed, 04/03/2019 - 13:50
Kaspersky Lab said today it would start flagging stalkerware as malicious, and warn people through its Android app when stalkerware is installed on their phones. In 2018 Kaspersky Lab detected stalkerware on 58,487 mobile devices. From a report: Stalkerware is frequently used by stalkers and abusers to spy on people through their phones. It essentially turns victims' phones into surveillance devices, letting an attacker track a person's every step and listen in on every word. Stalkerware is quietly installed on people's devices, and then accesses personal data including GPS location, text messages, photos and microphone feeds. You don't have to be an expert to get your hands on it -- stalkerware is sold online, for as little as a few hundred dollars. Some purveyors offer subscription plans for $68 a month, according to Kaspersky Lab. Kaspersky Lab said it was motivated to start flagging stalkerware apps after speaking with Eva Galperin, the Electronic Frontier Foundation's head of cybersecurity. "As a result, we now flag commercial spyware with a specific alert which warns users of the dangers stalkerware poses," Alexey Firsh, a security researcher at Kaspersky Lab, said in a statement. "We believe users have a right to know if such a program is installed on their device."