Slashdot security articles

Slashdot: News for nerds, stuff that matters

E3 Accidentally Doxxed Over 2,000 Journalists, YouTubers, and Streamers

Mon, 08/05/2019 - 15:20
The Entertainment Software Association, which runs the E3 video game expo, accidentally made phone numbers, emails, names, and addresses of over 2,000 attendees public on their website. "A copy of the list was archived on several popular message boards for trolls, and includes the home addresses of many reporters," reports BuzzFeed News. From the report: The leaked list was discovered by journalist and YouTube creator Sophia Narwitz. Narwitz made a video about the database, titled "The Entertainment Software Association just doxxed over 2000 journalists and content creators," last week. Narwitz told BuzzFeed News that some members of the media criticized her following her video, accusing her of drawing attention to the list. Making Narwitz's role in this more complicated is her history with the pro-GamerGate subreddit, r/KotakuInAction. She's currently arguing publicly with members of the gaming site Kotaku. Based on screenshots Narwitz tweeted, however, she did attempt to notify ESA about the leak before making her video about it. "I think this whole event shows a stunning level of incompetence on the ESA's part. The file wasn't password protected, it was just in the open for anyone to download with a single click," she said. Harassment against those included on the list appears to have already begun. "ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public," the ESA wrote in a statement provided to Kotaku. "Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again."

'There is No Evil Like reCAPTCHA (v3)'

Mon, 08/05/2019 - 12:05
An anonymous reader shares a post: Like many things, it starts out as a mere annoyance, though eventually grows into something of an affliction. One particularly dark and insidious thing has more than reared its ugly head in recent years, and is now far more accurately described as an epidemic disease. I'm talking about the filth that is reCAPTCHA. Yes, that seemingly harmless question of "Are you a human?" Truly I wish all this called for were sarcastic puns of 'The Matrix' variety, but the matter is far more serious. Google describes reCAPTCHA as: "[reCAPTCHA] is a free security service that protects your websites from spam and abuse." However, this couldn't be further from the truth, as reCAPTCHA is actually something that causes abuse. In fact, I would go so far as to say that being subjected to constant reCAPTCHAs is actually an act of human torture and disregard for a person's human right of mental comfort. The author goes on to make several points.

Microsoft Launches Azure Security Lab, Doubles Top Bug Bounty To $40,000

Mon, 08/05/2019 - 11:25
At Black Hat 2019 today, Microsoft announced the Azure Security Lab, a sandbox-like environment for security researchers to test its cloud security. The company also doubled the top Azure bug bounty to $40,000. From a report: Bug bounty programs are a great complement to existing internal security programs. They help motivate individuals and groups of hackers to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Microsoft shared today that it has issued $4.4 million in bounty rewards over the past 12 months. The Azure Security Lab takes the idea to the next level. It's essentially a set of dedicated cloud hosts isolated from Azure customers so security researchers can test attacks against cloud scenarios. The isolation means researchers can not only research vulnerabilities in Azure, they can attempt to exploit them.

UK-based Mobile-Only Bank Monzo Admits To Storing Payment Card PINs in Internal Logs

Mon, 08/05/2019 - 08:45
Monzo, a mobile-only bank operating in the UK, admitted today to storing payment card PINs inside internal logs. From a report: The company is now notifying all impacted customers and urging users to change card PINs the next time they use a cash machine. Monzo described the issue as a "bug" that occurred when Monzo customers used two specific features of their Monzo mobile apps -- namely the feature that reminds users of their card number and the feature for canceling standing orders. When Monzo customers used one of these two features, they'd be asked to enter their account PIN, for authorization purposes, but unbeknownst to them, the PIN would also be logged inside Monzo's internal logs. Monzo said these logs were encrypted and that only a few employees had access to the data stored inside. The company said it discovered the bug on Friday, August 2, and spent all weekend removing PINs from its internal logs.
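The Monzo bug is the classic shape of a secret-in-logs defect: a value collected only for an authorization check gets serialised along with the rest of the request. The example below is added here and is not Monzo's code; it assumes JSON-line logs and the constructed field names in SENSITIVE_KEYS, and shows the leaking pattern, the redacted form, and a helper for sizing the exposure in logs that were already written.

```python
"""Added example (not Monzo's code): a PIN entered for authorization must
never reach an application log. Shows the leaking pattern, the redacting
version, and an incident-response helper for logs already written.

Assumptions (constructed for this example): requests are dicts logged as
JSON lines, and sensitive fields carry the names listed in SENSITIVE_KEYS.
"""
import json
import logging
import re
from typing import Any, List

# Field names whose values must never be written to a log (assumed names).
SENSITIVE_KEYS = {"pin", "card_number", "cvv", "password"}
REDACTED = "[REDACTED]"


def redact(obj: Any) -> Any:
    """Return a copy of a JSON-like structure with sensitive values masked.

    Walks nested dicts and lists so a PIN inside a sub-object (for example
    an "auth" block) is also caught; key names compare case-insensitively.
    """
    if isinstance(obj, dict):
        return {
            k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def log_request_unsafe(request: dict) -> str:
    """The logging that leaks: the whole request body is serialised,
    including the PIN the user typed to authorise the action."""
    line = json.dumps({"event": "cancel_standing_order", "request": request})
    logging.getLogger("app").info(line)
    return line


def log_request_safe(request: dict) -> str:
    """Same event, but the body is redacted before serialisation, so the
    PIN exists only in memory for the duration of the authorization check."""
    line = json.dumps(
        {"event": "cancel_standing_order", "request": redact(request)}
    )
    logging.getLogger("app").info(line)
    return line


# A PIN stored as a JSON string or number in an already-written log line.
PIN_IN_LOG = re.compile(r'"pin"\s*:\s*"?\d{4,6}"?')


def find_leaked_pins(log_lines: List[str]) -> List[int]:
    """Incident-response helper: indices of log lines that still carry a
    PIN, so the exposure window and affected customers can be sized."""
    return [i for i, line in enumerate(log_lines) if PIN_IN_LOG.search(line)]


# Constructed sample request: the PIN is supplied only to authorise the action.
SAMPLE_REQUEST = {
    "customer_id": "cust-0001",
    "standing_order_id": "so-42",
    "auth": {"pin": "4821"},
}

if __name__ == "__main__":
    unsafe = log_request_unsafe(SAMPLE_REQUEST)
    safe = log_request_safe(SAMPLE_REQUEST)
    print("unsafe:", unsafe)
    print("safe:  ", safe)
    print("lines still carrying a PIN:", find_leaked_pins([unsafe, safe]))
```

Redaction at the logging boundary is the durable fix; the scanner only tells you how much of the log history must be purged, as Monzo had to do over the weekend.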

Cloudflare Terminates 8chan

Sun, 08/04/2019 - 19:25
"We just sent notice that we are terminating 8chan as a customer effective at midnight tonight Pacific Time," writes Cloudflare CEO Matthew Prince. "The rationale is simple: they have proven themselves to be lawless and that lawlessness has caused multiple tragic deaths. Even if 8chan may not have violated the letter of the law in refusing to moderate their hate-filled community, they have created an environment that revels in violating its spirit." We do not take this decision lightly. Cloudflare is a network provider. In pursuit of our goal of helping build a better internet, we've considered it important to provide our security services broadly to make sure as many users as possible are secure, and thereby making cyberattacks less attractive -- regardless of the content of those websites. Many of our customers run platforms of their own on top of our network. If our policies are more conservative than theirs it effectively undercuts their ability to run their services and set their own policies. We reluctantly tolerate content that we find reprehensible, but we draw the line at platforms that have demonstrated they directly inspire tragic events and are lawless by design. 8chan has crossed that line. It will therefore no longer be allowed to use our services. Unfortunately, we have seen this situation before and so we have a good sense of what will play out. Almost exactly two years ago we made the determination to kick another disgusting site off Cloudflare's network: the Daily Stormer. That caused a brief interruption in the site's operations but they quickly came back online using a Cloudflare competitor. That competitor at the time promoted as a feature the fact that they didn't respond to legal process. Today, the Daily Stormer is still available and still disgusting. They have bragged that they have more readers than ever. They are no longer Cloudflare's problem, but they remain the Internet's problem. 
I have little doubt we'll see the same happen with 8chan. Prince adds that since terminating the Daily Stormer they've been "engaging" with law enforcement and civil society organizations to "try and find solutions," which include "cooperating around monitoring potential hate sites on our network and notifying law enforcement when there was content that contained an indication of potential violence." Earlier today Prince had used this argument in defense of Cloudflare's hosting of 8chan, telling the Guardian "There are lots of competitors to Cloudflare that are not nearly as law abiding as we have always been." He added in today's blog post that "We believe this is our responsibility and, given Cloudflare's scale and reach, we are hopeful we will continue to make progress toward solving the deeper problem." "We continue to feel incredibly uncomfortable about playing the role of content arbiter and do not plan to exercise it often.... Cloudflare is not a government. While we've been successful as a company, that does not give us the political legitimacy to make determinations on what content is good and bad. Nor should it. Questions around content are real societal issues that need politically legitimate solutions..." "What's hard is defining the policy that we can enforce transparently and consistently going forward. We, and other technology companies like us that enable the great parts of the Internet, have an obligation to help propose solutions to deal with the parts we're not proud of. That's our obligation and we're committed to it."

Google's Plans for Chrome Extensions 'Won't Really Help Security', Argues EFF

Sun, 08/04/2019 - 17:36
Is Google making the wrong response to the DataSpii report on a "catastrophic data leak"? The EFF writes: In response to questions about DataSpii from Ars Technica, Google officials pointed out that they have "announced technical changes to how extensions work that will mitigate or prevent this behavior." Here, Google is referring to its controversial set of proposed changes to curtail extension capabilities, known as Manifest V3. As both security experts and the developers of extensions that will be greatly harmed by Manifest V3, we're here to tell you: Google's statement just isn't true. Manifest V3 is a blunt instrument that will do little to improve security while severely limiting future innovation... The only part of Manifest V3 that goes directly to the heart of stopping DataSpii-like abuses is banning remotely hosted code. You can't ensure extensions are what they appear to be if you give them the ability to download new instructions after they're installed. But you don't need the rest of Google's proposed API changes to stop this narrow form of bad extension behavior. What Manifest V3 does do is stifle innovation... The EFF makes the following arguments against Google's proposal:

- Manifest V3 will still allow extensions to observe the same data as before, including what URLs users visit and the contents of pages users visit.
- Manifest V3 won't change anything about how "content scripts" work...another way to extract user browsing data.
- Chrome will still allow users to give extensions permission to run on all sites.

In response Google argued to Forbes that the EFF "fails to account for the proposed changes to how permissions work. It is the combination of these two changes, along with others included in the proposal, that would have prevented or significantly mitigated incidents such as this one." But the EFF's technology projects director also gave Forbes their response. "We agree that Google isn't killing ad-blockers. But they are killing a wide range of security and privacy enhancing extensions, and so far they haven't justified why that's necessary." And in the same article, security researcher Sean Wright added that Google's proposed change "appears to do little to prevent rogue extensions from obtaining information from loaded sites, which is certainly a privacy issue and it looks as if the V3 changes don't help." The EFF suggests Google just do a better job of reviewing extensions.

Ask Slashdot: Do You Prefer One-Time Purchases or SaaS Subscriptions?

Sun, 08/04/2019 - 15:36
Long-time Slashdot reader shanen remembers the days of one-time software purchases, before companies began nudging customers to a subscription-based "software as a service" model: New bugs and security vulnerabilities keep being discovered, which means the product cannot EVER be regarded as completed. Whatever the original cost, no matter what the software was supposed to do, it needs unending support. Right now I'm unable to see any other solution than SaaS! Not limited to Microsoft, of course. Perhaps Apple was the original source of the approach... Slashdot reader dryriver sees a dire trend: Current computing younglings may never know a future where you can actually run software locally on a PC you own, and/or not pay for it as SaaS. All perpetual software licenses may go away in the next six years. Autodesk and Adobe have already moved to SaaS-only. But is there a case to be made for ongoing payments to fund ongoing support? Or is SaaS just an exploitative business model that's bad for customers but good for software vendors? Share your own thoughts in the comments. And do you prefer one-time purchases or SaaS subscriptions?

New Vulnerabilities Found In WPA3 WiFi Standard

Sun, 08/04/2019 - 11:34
Slashdot reader Artem S. Tashkinov writes: Mathy Vanhoef and Eyal Ronen have recently disclosed two new additional bugs impacting WPA3. The security researcher duo found the new bugs in the security recommendations the WiFi Alliance created for equipment vendors in order to mitigate the initial Dragonblood attacks [found by the same two security researchers]. "Just like the original Dragonblood vulnerabilities from April, these two new ones allow attackers to leak information from WPA3 cryptographic operations and brute-force a WiFi network's password," reports ZDNet. More from ZDNet: "[The] Wi-Fi standard is now being updated with proper defenses, which might lead to WPA3.1," Vanhoef said. "Although this update is not backwards-compatible with current deployments of WPA3, it does prevent most of our attacks," the researchers said. But besides just disclosing the two new Dragonblood vulnerabilities, the two researchers also took the chance to criticize the WiFi Alliance again for its closed standards development process that doesn't allow for the open-source community to contribute and prevent big vulnerabilities from making it into the standard in the first place. "This demonstrates that implementing Dragonfly and WPA3 without side-channel leaks is surprisingly hard," the researchers said. "It also, once again, shows that privately creating security recommendations and standards is at best irresponsible and at worst inept." While this type of feedback might be ignored when coming from other researchers, it means more when it comes from Vanhoef. The Belgian researcher is the one who discovered the KRACK attack that broke the WPA2 WiFi authentication standard and forced the WiFi Alliance to develop the WPA3 standard, which it launched in June 2018.

Voter Records For 80% of Chile's Population Left Exposed Online

Sun, 08/04/2019 - 06:34
An anonymous reader writes: "The voter information of more than 14.3 million Chileans, which accounts for nearly 80% of the country's entire population, was left exposed and leaking on the internet inside an Elasticsearch database," reports ZDNet. "The database contained names, home addresses, gender, age, and tax ID numbers (RUT, or Rol Único Tributario) for 14,308,151 individuals...including many high-profile Chilean officials." A spokesperson for the Chile Electoral Service said the data appears to have been scraped without authorization from its website, from a section that allows users to update their voting data. Chile now joins countries such as the US, Mexico, Turkey, and the Philippines, whose voter information was gathered in bulk and then published online in one big pile, easy to access for any crook.

Did WhatsApp Backdoor Rumor Come From 'Unanswered Questions' and 'Leap of Faith' For Closed-Source Encryption Products?

Sat, 08/03/2019 - 20:34
On Friday technologist Bruce Schneier wrote that after reviewing responses from WhatsApp, he's concluded that reports of a pre-encryption backdoor are a false alarm. He also says he got an equally strong confirmation from WhatsApp's Privacy Policy Manager Nate Cardozo, who Facebook hired last December from the EFF. "He basically leveraged his historical reputation to assure me that WhatsApp, and Facebook in general, would never do something like this." Schneier has also added the words "This story is wrong" to his original blog post. "The only source for that post was a Forbes essay by Kalev Leetaru, which links to a previous Forbes essay by him, which links to a video presentation from a Facebook developers conference." But that Forbes contributor has also responded, saying that he'd first asked Facebook three times about when they'd deploy the backdoor in WhatsApp -- and never received a response. Asked again on July 25th the company's plans for "moderating end to end encrypted conversations such as WhatsApp by using on device algorithms," a company spokesperson did not dispute the statement, instead pointing to Zuckerberg's blog post calling for precisely such filtering in its end-to-end encrypted products including WhatsApp [apparently this blog post], but declined to comment when asked for more detail about precisely when such an integration might happen... [T]here are myriad unanswered questions, with the company declining to answer any of the questions posed to it regarding why it is investing in building a technology that appears to serve little purpose outside filtering end-to-end encrypted communications and which so precisely matches Zuckerberg's call. Moreover, beyond its F8 presentation, given Zuckerberg's call for filtering of its end-to-end encrypted products, how does the company plan on accomplishing this apparent contradiction with the very meaning of end-to-end encryption? 
The company's lack of transparency and unwillingness to answer even the most basic questions about how it plans to balance the protections of end-to-end encryption in its products including WhatsApp with the need to eliminate illegal content reminds us of the giant leap of faith we take when we use closed encryption products whose source we cannot review... Governments are increasingly demanding some kind of compromise regarding end-to-end encryption that would permit them to prevent such tools from being used to conduct illegal activity. What would happen if WhatsApp were to receive a lawful court order from a government instructing it to insert such content moderation within the WhatsApp client and provide real-time notification to the government of posts that match the filter, along with a copy of the offending content? Asked about this scenario, Carl Woog, Director of Communications for WhatsApp, stated that he was not aware of any such cases to date and noted that "we've repeatedly defended end-to-end encryption before the courts, most notably in Brazil." When it was noted that the Brazilian case involved the encryption itself, rather than a court order to install a real-time filter and bypass directly within the client before and after the encryption process at national scale, which would preserve the encryption, Woog initially said he would look into providing a response, but ultimately did not respond. Given Zuckerberg's call for moderation of the company's end-to-end encryption products and given that Facebook's on-device content moderation appears to answer directly to this call, Woog was asked whether its on-device moderation might be applied in future to its other end-to-end encrypted products rather than WhatsApp. After initially saying he would look into providing a response, Woog ultimately did not respond. Here are the exact words from Zuckerberg's March blog post.
It said Facebook is "working to improve our ability to identify and stop bad actors across our apps by detecting patterns of activity or through other means, even when we can't see the content of the messages, and we will continue to invest in this work."

Another Breach: What Capital One Could Have Learned From Google's 'BeyondCorp'

Sat, 08/03/2019 - 11:34
"Firewalls can be notoriously and fiendishly difficult to configure correctly, and often present a target-rich environment for successful attacks," writes long-time Slashdot reader Lauren Weinstein. "The thing is, firewall vulnerabilities are not headline news -- they're an old story, and better solutions to providing network security already exist." In particular, Google's "BeyondCorp" approach is something that every enterprise involved in computing should make itself familiar with. Right now! BeyondCorp techniques are how Google protects its own internal networks and systems from attack, with enormous success. In a nutshell, BeyondCorp is a set of practices that effectively puts "zero trust" in the networks themselves, moving access control and other authentication elements to individual devices and users. This eliminates traditional firewalls (and in nearly all instances, VPNs) because there is no longer any need for such devices or systems that, once breached, give an attacker access to internal goodies. If Capital One had been following BeyondCorp principles, there'd likely be 100+ million fewer potentially panicky people today.

Lawsuit Filed Against GitHub In Wake of Capital One Data Breach

Sat, 08/03/2019 - 05:00
An anonymous reader quotes a report from The Hill: Capital One and GitHub have been hit with a class-action lawsuit over the recent data breach that resulted in the data of over 100 million Capital One customers being exposed. The law firm Tycko & Zavareei LLP filed the lawsuit on Thursday, arguing that GitHub and Capital One demonstrated negligence in their response to the breach. The firm filed the class-action complaint on behalf of those impacted by the breach, alleging that both companies failed to protect customer data. Personal information for tens of millions of customers was exposed after a firewall misconfiguration in an Amazon cloud storage service used by Capital One was exploited. The breach exposed around 140,000 Social Security numbers and 80,000 bank account numbers, along with the credit card applications of millions in both the U.S. and Canada. The individual who allegedly perpetrated the data breach, Seattle-based software engineer Paige Thompson, was arrested earlier this week. Thompson, a former Amazon employee, allegedly accessed the data in March and posted about her theft of the information on GitHub in April, according to the complaint. Another GitHub user notified Capital One, which subsequently notified the FBI. The law firm also alleged that computer logs "demonstrate that Capital One knew or should have known" about the data breach when it occurred in March, and criticized Capital One for not taking action to respond to the breach until last month.

GermanWiper Ransomware Hits Germany Hard, Destroys Files, Asks For Ransom

Fri, 08/02/2019 - 14:40
An anonymous reader quotes a report from ZDNet: For the past week, a new ransomware strain has been wreaking havoc across Germany. Named GermanWiper, this ransomware doesn't encrypt files but instead it rewrites their content with zeroes, permanently destroying users' data. As a result, any users who get infected by this ransomware should be aware that paying the ransom demand will not help them recover their files. Unless users had created offline backups of their data, their files are most likely gone for good. For now, the only good news is that this ransomware appears to be limited to spreading in German-speaking countries only, and with a focus on Germany primarily. According to German security researcher Marius Genheimer and CERT-Bund, Germany's Computer Emergency Response Team, the GermanWiper ransomware is currently being distributed via malicious email spam (malspam) campaigns. These emails claim to be job applications from a person named "Lena Kretschmer." A CV is attached as a ZIP file to these emails, and contains a LNK shortcut file. The LNK file is booby-trapped and will install the GermanWiper ransomware. When users run this file, the ransomware will rewrite the content of various local files with the 0x00 (zero character), and append a new extension to all files. This extension has a format of five random alpha-numerical characters, such as .08kJA, .AVco3, .OQn1B, .rjzR8, etc. After it "encrypts" all targeted files, GermanWiper will open the ransom note (an HTML file) inside the user's default browser. The ransom note looks like the one below. A video of the infection process is also available here. Victims are given seven days to pay the ransom demand. It is important to remember that paying the ransom note won't help users recover their files.
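Because the report describes two concrete on-disk artefacts (an appended five-character alphanumeric extension and content overwritten with 0x00), a responder can triage a share for damage without any sample of the malware. The scanner below is an added example, not code from ZDNet or CERT-Bund; the directory layout and file names it builds are constructed, and it requires both indicators to match because either one alone is noisy.

```python
"""Added example (not from the ZDNet report or CERT-Bund): triage scanner
for the two GermanWiper artefacts the report describes, an appended
five-character alphanumeric extension (e.g. .08kJA) and file content
rewritten with 0x00 bytes. Sample files below are constructed."""
import os
import re
import tempfile
from typing import List, Tuple

# The new extension is appended, so the original one stays in front of it.
WIPED_EXT = re.compile(r"^.+\.[A-Za-z0-9]{5}$")
CHUNK = 64 * 1024


def is_all_zero(path: str) -> bool:
    """True if every byte of the file is 0x00. Empty files return False:
    they carry no evidence either way. Reads in chunks so large files are
    not loaded into memory."""
    if os.path.getsize(path) == 0:
        return False
    zero = bytes(CHUNK)
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            if chunk != zero[: len(chunk)]:
                return False


def looks_wiped(path: str) -> bool:
    """Require both indicators. Many legitimate files have five-letter
    extensions, and sparse or pre-allocated files can be all zeros, so
    either signal alone would produce false positives."""
    return bool(WIPED_EXT.match(os.path.basename(path))) and is_all_zero(path)


def scan(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path, inferred original name) for every file
    matching both indicators; the original name is the path with the
    appended extension cut off, which helps map damage back to backups."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if looks_wiped(full):
                hits.append((full, full.rsplit(".", 1)[0]))
    return hits


def build_sample_tree(root: str) -> None:
    """Constructed sample: one wiped document, one intact document, and one
    zero-filled file without the appended extension (must not be flagged)."""
    with open(os.path.join(root, "report.docx.08kJA"), "wb") as fh:
        fh.write(bytes(4096))
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly figures\n")
    with open(os.path.join(root, "pagefile.bin"), "wb") as fh:
        fh.write(bytes(4096))


def demo() -> List[Tuple[str, str]]:
    """Run the scanner over the constructed tree; returns root-relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [
            (os.path.relpath(p, root), os.path.relpath(o, root))
            for p, o in scan(root)
        ]


if __name__ == "__main__":
    for wiped, original in demo():
        print(f"{wiped}: zero-filled, original name was probably {original}")
```

The hit list is what to restore from offline backups; as the report says, nothing in the wiped files themselves is recoverable.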

US Cities Are Helping People Buy Amazon Surveillance Cameras Using Taxpayer Money

Fri, 08/02/2019 - 13:25
popcornfan679 writes: The Ring doorbell surveillance camera sits squarely in the center of a Tiffany-blue online flyer, which provides details about a "Security Product Subsidy Event" in Arcadia, California. "Big Sale," the advertisement says, in citrus-colored script. "$100 off." "HELP STOP CRIME BEFORE IT HAPPENS," the ad continues. This isn't an ad from Best Buy or an electronics store. It's an ad from the Arcadia city government. The local city government is selling discounted surveillance cameras directly to its residents, and the "discount" is subsidized by the city. In other words, taxpayer money is being paid to Ring, Amazon's home surveillance company, in exchange for hundreds of surveillance cameras. Cities and towns around the country are paying Ring up to $100,000 to subsidize the purchase of the company's surveillance cameras for private residents. For every dollar committed by a city per these agreements, Ring will match it. This motivates cities to pledge tens of thousands of dollars to a tech giant that is building a private, nationwide surveillance network -- which Amazon is using, in part, to secure the packages it delivers. A typical discount program will last several weeks, or until a certain number of residents take advantage of the program. Motherboard has identified 14 American cities that have these discount programs as well as one city in the United Kingdom. However, there are probably more cities that have offered similar discount programs. Motherboard has reported that Ring courts local governments and police departments around the country to advertise, distribute, and use its products.

Facebook Insists No Security 'Backdoor' Is Planned for WhatsApp

Fri, 08/02/2019 - 12:45
An anonymous reader shares a report: Billions of people use the messaging tool WhatsApp, which added end-to-end encryption for every form of communication available on its platform back in 2016. This ensures that conversations between users and their contacts -- whether they occur via text or voice calls -- are private, inaccessible even to the company itself. But several recent posts published to Forbes' blogging platform call WhatsApp's future security into question. The posts, which were written by contributor Kalev Leetaru, allege that Facebook, WhatsApp's parent company, plans to detect abuse by implementing a feature to scan messages directly on people's phones before they are encrypted. The posts gained significant attention: A blog post by technologist Bruce Schneier rehashing one of the Forbes posts has the headline "Facebook Plans on Backdooring WhatsApp." It is a claim Facebook unequivocally denies. "We haven't added a backdoor to WhatsApp," Will Cathcart, WhatsApp's vice president of product management, wrote in a statement. "To be crystal clear, we have not done this, have zero plans to do so, and if we ever did, it would be quite obvious and detectable that we had done it. We understand the serious concerns this type of approach would raise, which is why we are opposed to it." UPDATE: Later Friday technologist Bruce Schneier wrote that after reviewing responses from WhatsApp, he's concluded that reports of a pre-encryption backdoor are a false alarm. He also says he got an equally strong confirmation from WhatsApp's Privacy Policy Manager Nate Cardozo, who Facebook hired last December from EFF. "He basically leveraged his historical reputation to assure me that WhatsApp, and Facebook in general, would never do something like this."

Pentagon Testing Mass Surveillance Balloons Across the US

Fri, 08/02/2019 - 11:25
The US military is conducting wide-area surveillance tests across six midwest states using experimental high-altitude balloons, documents filed with the Federal Communications Commission (FCC) reveal. From a report: Up to 25 unmanned solar-powered balloons are being launched from rural South Dakota and drifting 250 miles through an area spanning portions of Minnesota, Iowa, Wisconsin and Missouri, before concluding in central Illinois. Traveling in the stratosphere at altitudes of up to 65,000ft, the balloons are intended to "provide a persistent surveillance system to locate and deter narcotic trafficking and homeland security threats," according to a filing made on behalf of the Sierra Nevada Corporation, an aerospace and defense company. The balloons are carrying hi-tech radars designed to simultaneously track many individual vehicles day or night, through any kind of weather. The tests, which have not previously been reported, received an FCC license to operate from mid-July until September, following similar flights licensed last year.

Google Project Zero: 95.8% of All Bug Reports Are Fixed Before Deadline Expires

Fri, 08/02/2019 - 07:25
The Google Project Zero team said that around 95.8% of the security bugs they find in other software and report to their respective vendors get fixed before the 90-day deadline for a public disclosure expires. From a report: That's quite the batting average for one of the world's most infamous cybersecurity programs. In a statistic shared on Wednesday, Google's elite security team said that during its whole history -- from July 17, 2014, when Project Zero was created, until July 30 this week -- its researchers found and reported a total of 1,585 vulnerabilities to a wide range of hardware and software vendors. Of these, Google said that vendors failed to deliver a patch before the final deadline expired for only 66 reports. As a result, its researchers were forced to make vulnerability technical details public before a fix was made available to users.

Cops Are Giving Amazon's Ring Your Real-Time 911 Caller Data

Thu, 08/01/2019 - 18:02
Gizmodo has learned that Amazon's Ring home security system is pursuing contracts with police departments that would grant it direct access to real-time emergency dispatch data. From the report: The California-based company is seeking police departments' permission to tap into the computer-aided dispatch (CAD) feeds used to automate and improve decisions made by emergency dispatch personnel and cut down on police response times. Ring has requested access to the data streams so it can curate "crime news" posts for its "neighborhood watch" app, Neighbors. Ring says it does not provide the personal information of its customers to the authorities without consent. To wit, the company has positioned itself as an intermediary through which police request access to citizen-captured surveillance footage. When police make a request, they don't know who receives it, Ring says, until a user chooses to share their video. Users are also prompted with the option to review their footage before turning it over. But how often is one the victim of a crime in their own neighborhood? Likely not enough to stay engaged with the app for too long. Ring's solution is to push out alerts about alleged criminal activity reported nearby in real-time, according to company documents obtained by Gizmodo. Hiring people to monitor police scanners all day, however, is presumably too costly and inefficient. To pull off this trick, Ring needs something better: direct access to raw police dispatch data. Through its police partnerships, Ring has requested access to CAD, which includes information provided voluntarily by 911 callers, among other types of data automatically collected. CAD data is typically comprised of details such as names, phone numbers, addresses, medical conditions and potentially other types of personally identifiable information, including, in some instances, GPS coordinates.
Ring confirmed on Thursday that it does receive location information, including precise addresses from CAD data, which it does not publish to its app. It denied receiving other forms of personal information. According to internal documents, police CAD data is received by Ring's "Neighbors News team" and is then reformatted before being posted on Neighbors in the form of an "alert" to users in the vicinity of the alleged incident. The document states that Ring's team only posts alerts for eight different crimes: burglary, vehicle break-in and theft, robbery, shots fired, shootings, stabbing, hostage, and arson.

A Newly Discovered Hacking Group Is Targeting Energy and Telecoms Companies

Thu, 08/01/2019 - 15:20
A new hacking group called "Hexane" is targeting telecommunications and oil and gas companies across Africa and the Middle East. Industrial security company Dragos said that the group's activity has ramped up in recent months amid heightened tensions in the region, since the group first emerged a year ago. TechCrunch reports: Dragos said Hexane, the latest in a list of nine hacking groups it tracks, was observed targeting telecoms companies, potentially as a "stepping stone" to gain access to the networks of oil and gas companies. Dragos would not go into specifics about the threat group but hinted that it targets and compromises "devices, firmware, or telecommunications networks" in the supply chain, which could be used to breach a victim's network from within. The researchers have "moderate confidence" that Hexane does not yet have an attack capability to disrupt industrial control networks critical to the continued operations of power plants, energy suppliers and other critical infrastructure, but the group may use its leverage on telecommunications networks as a "precursor" to an attack on industrial control networks. Dragos said Hexane is expected to increase its targeting of oil and gas companies in the region.

Is Facebook Planning on Backdooring WhatsApp?

Thu, 08/01/2019 - 09:25
Bruce Schneier: This article points out that Facebook's planned content moderation scheme will result in an encryption backdoor into WhatsApp: "In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user's device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted. The company even noted that when it detects violations it will need to quietly stream a copy of the formerly encrypted content back to its central servers to analyze further, even if the user objects, acting as a true wiretapping service. Facebook's model entirely bypasses the encryption debate by globalizing the current practice of compromising devices by building those encryption bypasses directly into the communications clients themselves and deploying what amounts to machine-based wiretaps to billions of users at once." Once this is in place, it's easy for the government to demand that Facebook add another filter -- one that searches for communications that they care about -- and alert them when it gets triggered. Of course alternatives like Signal will exist for those who don't want to be subject to Facebook's content moderation, but what happens when this filtering technology is built into operating systems? Separately, The Guardian reports: British, American and other intelligence agencies from English-speaking countries have concluded a two-day meeting in London amid calls for spies and police officers to be given special, backdoor access to WhatsApp and other encrypted communications. The meeting of the "Five Eyes" nations -- the UK, US, Australia, Canada and New Zealand -- was hosted by the new home secretary, Priti Patel, in an effort to coordinate efforts to combat terrorism and child abuse.
UPDATE: 8/2/2019 On Friday, technologist Bruce Schneier wrote that after reviewing responses from WhatsApp, he's concluded that reports of a pre-encryption backdoor are a false alarm. He also says he got an equally strong confirmation from WhatsApp's Privacy Policy Manager Nate Cardozo, whom Facebook hired last December from EFF. "He basically leveraged his historical reputation to assure me that WhatsApp, and Facebook in general, would never do something like this."