Security

Insurer Won't Pay Out For Security Breach Because of Lax Security

Posted by Soulskill
from the ounce-of-prevention-is-worth-a-ton-of-green dept.
chicksdaddy writes: In what may become a trend, an insurance company is denying a claim from a California healthcare provider following the leak of data on more than 32,000 patients. The insurer, Columbia Casualty, charges that Cottage Health System did an inadequate job of protecting patient data. In a complaint filed in U.S. District Court in California, Columbia alleges that the breach occurred because Cottage and a third-party vendor, INSYNC Computer Solution, Inc., failed to follow "minimum required practices," as spelled out in the policy. Among other things, Cottage "stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who 'surfed' the Internet," the complaint alleges. Disputes like this may become more common, as insurers anxious to get into a cyber insurance market that's growing by about 40% annually use liberally written exclusions to hedge against "known unknowns" like lax IT practices, pre-existing conditions (like compromises) and so on.
Social Networks

Linux/Moose Worm Targets Routers, Modems, and Embedded Systems

Posted by Soulskill
from the moose-is-the-penguin's-natural-enemy dept.
An anonymous reader writes: Security firm ESET has published a report on new malware that targets Linux-based communication devices (modems, routers, and other internet-connected systems) to create a giant proxy network for manipulating social media. It's also capable of hijacking DNS settings. The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+. Affected router manufacturers include: Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL, and Zhone. The researchers found that even some medical devices were vulnerable to the worm, though it wasn't designed specifically to work with them.
Businesses

Charter Strikes $56B Deal For Time Warner Cable

Posted by timothy
from the shaky-nervous-laughter dept.
mpicpp writes with word that Charter Communications has struck a $56 billion deal to buy Time Warner Cable; if the deal goes through (which the article says is likely, according to Macquarie Research analyst Amy Yong -- at least more likely than the recently scotched Comcast-Time Warner deal), it would mean that the second- and third-largest U.S. cable companies would share a letterhead, and more than 20 percent of the country's ISP market. From the linked Reuters article: The Federal Communications Commission immediately served notice that it would closely scrutinize the deal, focusing not only on absence of harm but benefits to the public. Charter, in which Malone-chaired Liberty Broadband Corp owns about 26 percent, is offering about $195.71 in cash-and-stock for each Time Warner Cable share, based on Charter's closing price on May 20. Including debt, the deal values Time Warner Cable at $78.7 billion. A key area of regulatory concern would be competition in broadband Internet.
Businesses

Large Amount of Star Citizen Art Assets Leaked

Posted by samzenpus
from the pre-pre-release dept.
jones_supa writes: A huge batch of work-in-progress assets for Star Citizen has leaked to the public. An unknown person, likely connected with Cloud Imperium Games in some way, provided a link to the 48 gigabytes of content. The link has now been taken down, but as we know, it's hard to remove material from the Internet once it has been put there. Being a CryEngine game, it has been suggested that it might be possible to view some of the assets using CryEngine development tools. Leaks are always quite the conundrum with the opportunities they present to curious fans and competitor companies, but they can also be very depressing for the developers and publisher of the game.
United Kingdom

Leaked Document Shows Europe Would Fight UK Plans To Block Porn

Posted by samzenpus
from the things-that-are-worth-fighting-for dept.
Mark Wilson writes: Before the UK elections earlier in the month, David Cameron spoke about his desire to clean up the internet. Pulling — as he is wont to do — on parental heartstrings, he suggested that access to porn on computers and mobiles should be blocked by default unless users specifically requested access to it. This opt-in system was mentioned again in the run-up to the election as Secretary of State for Culture, Media and Sport, Sajid Javid assured people that the party "will age restrict online porn". But it's not quite that simple. There is the small problem of Europe. A leaked EU Council document shows that plans are afoot to stop Cameron's plans in their tracks — and with the UK on the verge of trying to debate a better deal for itself within Europe, the Prime Minister is not in a particularly strong position for negotiating on the issue. Cameron has a fight on his hands, it seems, if he wants to deliver on his promise that "we need to protect our children from hardcore pornography". Documents seen by The Sunday Times reveal that the EU could make it illegal for ISPs and mobile companies to automatically block access to obscene material. Rather than implementing a default block on pornography, the Council of the European Union believes that users should opt in to web filtering and be able to opt out again at any time; this is precisely the opposite to the way Cameron would like things to work.
Privacy

Privacy Behaviors Changed Little After Snowden

Posted by Soulskill
from the just-another-speed-bump-in-the-news-cycle dept.
An anonymous reader writes: An article in Communications of the ACM takes a look at how Edward Snowden's revelations about government surveillance have changed privacy behaviors across the world. The results are fairly disappointing. While the news that intelligence agencies were trawling data from everyday citizens sparked an interest in privacy, it was small, and faded quickly. Even though media coverage has continued for a long time after the initial reports, public interest dropped back to earlier levels long ago. The initial interest spike was notably less than for other major news events. Privacy-enhancing behaviors experienced a small surge, but that too failed to impart any long-term momentum. The author notes that the spike in interest "following the removal of privacy-enhancing functions in Facebook, Android, and Gmail" was stronger than the reaction to the government's privacy-eroding actions.
Education

Google and Gates-Backed Khan Academy Introduces "Grit"-Based Classroom Funding

Posted by samzenpus
from the effort-counts dept.
theodp writes: Their intentions are no doubt good, but some will be troubled by Google and Khan Academy's recently-concluded LearnStorm initiative, which pitted kids-against-kids, schools-against-schools, and cities-against-cities in a 3-month learning challenge for prizes based not only on students' mastery of math skills on Khan Academy, but also their perceived 'hustle' (aka 'grit'). "Points are earned by mastering math skills and also for taking on challenging new concepts and persevering," explained a Khan Academy FAQ. A blog entry further explained, "They've earned points and prizes not only for mastering math skills but also for showing 'hustle,' a metric we created to measure grit, perseverance, and growth. They competed over 200,000 hours of learning and 13.6 million standards-aligned math problems. In addition, thanks to the generosity of Google.org, DonorsChoose.org, and Comcast's Internet Essentials, 34 underserved schools unlocked new devices for their classrooms and free home internet service for eligible families, increasing student access to online learning tools like Khan Academy." Apparently funded by a $2 million Google grant, the Google, Khan Academy, and DonorsChoose grit-based classroom funding comes on the heels of the same organizations' gender-based classroom funding initiative. Supported by some of the world's wealthiest individuals and corporations, Khan Academy's Board members include a Google Board member (Diane Green), spouse of a Google Board member (Ann Doerr), and the Managing Partner of Bill Gates' bgC3 (Larry Cohen); former Board members include Google Executive Chairman Eric Schmidt.
Operating Systems

Google Developing 'Brillo' OS For Internet of Things

Posted by Soulskill
from the won't-run-on-your-brilloPad dept.
An anonymous reader writes: A new report from The Information (paywalled) says Google is working on an operating system called "Brillo" that would be a platform for Internet-of-things devices. It's supposedly a lightweight version of Android, capable of running on devices with extremely limited hardware — as little as 32 MB of RAM, for example. The company is expected to launch the code for Brillo at its I/O event next week. This is particularly relevant now that Google has acquired Nest, Dropcam, and Revolv — a trio of "smart home" companies whose devices could potentially be unified by Brillo.
Google

Cute Or Creepy? Google's Plan For a Sci-Fi Teddy Bear

Posted by timothy
from the teddy-ruxpin-pinned-it-on-the-one-armed-man dept.
HughPickens.com writes: Time Magazine reports that Google has designed and patented an "anthropomorphic device" that could take the form of a "doll or toy" and interact both with people as well as tech gadgets echoing the "super toy" teddy bear featured in Stephen Spielberg's 2001 movie AI. This could be one of Google's creepiest patents yet — especially if movies like "Chuckie" still give you nightmares. The patent filing diagrams a stuffed teddy bear and a bunny rabbit outfitted with microphones, speakers, cameras and motors as well as a wireless connection to the internet. If it senses you're looking at it, the fuzzy toy will rotate its head and look back at you. Once it receives and recognizes a voice command prompt, you can then tell it to control media devices in your home (e.g. turn on your music or TV). According to the patent filing: "To express interest, an anthropomorphic device may open its eyes, lift its head, and/or focus its gaze on the user or object of its interest. To express curiosity, an anthropomorphic device may tilt its head, furrow its brow, and/or scratch its head with an arm. To express boredom, an anthropomorphic device may defocus its gaze, direct its gaze in a downward fashion, tap its foot, and/or close its eyes. To express surprise, an anthropomorphic device may make a sudden movement, sit or stand up straight, and/or dilate its pupils."

The patent adds that making the device look "cute" should encourage even the youngest members of a family to interact with it. But Mikhail Avady, from SmartUp, said he thought it belonged in "a horror film", and the campaign group Big Brother Watch has also expressed dismay. "When those devices are aimed specifically at children, then for many this will step over the creepy line," says Avady. "Children should be able to play in private and shouldn't have to fear this sort of passive invasion of their privacy."
Security

Adult Dating Site Hack Reveals Users' Sexual Preference, Extramarital Affairs

Posted by Soulskill
from the another-day,-another-breach dept.
An anonymous reader notes this report from Channel 4 News that Adult FriendFinder, one of the largest dating sites in the world, has suffered a database breach that revealed personal information for 3.9 million of its users. The leaked data includes email addresses, IP addresses, birth dates, postal codes, sexual preferences, and information indicating which of them are seeking extramarital affairs. There even seems to be data from accounts that were supposedly deleted. Channel 4 saw evidence that there were plans for a spam campaign against these users, and others are worried that a blackmail campaign will follow. "Where you've got names, dates of birth, ZIP codes, then that provides an opportunity to actually target specific individuals whether they be in government or healthcare for example, so you can profile that person and send more targeted blackmail-type emails," said cybercrime specialist Charlie McMurdy.
Communications

Academics Build a New Tor Client Designed To Beat the NSA

Posted by timothy
from the non-spy-vs-spy dept.
An anonymous reader writes: In response to a slew of new research about network-level attacks against Tor, academics from the U.S. and Israel built a new Tor client called Astoria designed to beat adversaries like the NSA, GCHQ, or Chinese intelligence who can monitor a user's Tor traffic from entry to exit. Astoria differs most significantly from Tor's default client in how it selects the circuits that connect a user to the network and then to the outside Internet. The tool is an algorithm designed to more accurately predict attacks and then securely select relays that mitigate timing attack opportunities for top-tier adversaries.
Security

Telstra Says Newly Acquired Pacnet Hacked, Customer Data Exposed

Posted by samzenpus
from the getting-to-know-all-about-you dept.
An anonymous reader writes: Telstra's Asian-based data center and undersea cable operator Pacnet has been hacked, exposing many of the telco's customers to a massive security breach. The company said it could not determine whether personal details of customers had been stolen, but it acknowledged the possibility. The Stack reports: "Telstra said that an unauthorized third party had been able to gain access to the Pacnet business management systems through malicious software installed via a vulnerability on an SQL server. The hack had taken place just weeks before Telstra acquired the Asian internet service provider for $550mn on 16 April this year. The telecom company confirmed that it had not been aware of the hack when it signed the deal in December 2014."
The Almighty Buck

FBI: Social Media, Virtual Currency Fraud Becoming a Huge Problem

Posted by samzenpus
from the buy-my-web-dollars dept.
coondoggie writes: Criminals taking advantage of personal data found on social media and vulnerabilities of the digital currency system are two of the emerging Internet law-breaking trends identified by the FBI's Internet Crime Complaint Center (IC3) in its annual look at online crime. The IC3 said 12% of the complaints submitted in 2014 contained a social media trait. Complaints involving social media have quadrupled over the last five years. In most cases, victims' personal information was exploited through compromised accounts or social engineering.
Privacy

Simple Flaw Exposed Data On Millions of Charter Internet Customers

Posted by samzenpus
from the protect-ya-neck dept.
Daniel_Stuckey writes: A security flaw discovered in the website of Charter Communications, a cable and Internet provider active in 28 states, may have exposed the personal account details of millions of its customers. Security researcher Eric Taylor discovered the internet service provider's vulnerability as part of his research, and demonstrated how a simple header modification performed with a browser plug-in could reveal details of Charter subscriber accounts. After Fast Company notified Charter of the issue, the company said it had installed a fix within hours.
China

Huawei's LiteOS Internet of Things Operating System Is a Minuscule 10KB

Posted by samzenpus
from the in-the-future dept.
Mark Wilson writes: Chinese firm Huawei today announces its IoT OS at an event in Beijing. The company predicts that within a decade there will be 100 billion connected devices and it is keen for its ultra-lightweight operating system to be at the heart of the infrastructure. Based on Linux, LiteOS weighs in at a mere 10KB — smaller than a Word document — but manages to pack in support for zero configuration, auto-discovery, and auto-networking. The operating system will be open for developers to tinker with, and is destined for use in smart homes, wearables, and connected vehicles. LiteOS will run on Huawei's newly announced Agile Network 3.0 Architecture and the company hopes that by promoting a standard infrastructure, it will be able to push the development of internet and IoT applications.
Security

How 1990s Encryption Backdoors Put Today's Internet In Jeopardy

Posted by samzenpus
from the grunge-net dept.
An anonymous reader writes: While debate swirls in Washington D.C. about new encryption laws, the consequences of the last crypto war are still being felt. The Logjam vulnerabilities making headlines today are "a direct result of weakening cryptography legislation in the 1990s," researcher J. Alex Halderman said. "Thanks to Moore's law and improvements in cryptanalysis, the ability to break that crypto is something really anyone can do with open-source software. The backdoor might have seemed like a good idea at the time. Maybe the arguments 20 years ago convinced people this was going to be safe. History has shown otherwise. This is the second time in two months we've seen 90s era crypto blow up and put the safety of everyone on the internet in jeopardy."
Canada

Canadian Piracy Rates Plummet As Industry Points To New Copyright Notice System

Posted by samzenpus
from the no-downloading-for-you dept.
An anonymous reader writes: Canada's copyright notice-and-notice system took effect earlier this year, leading to thousands of notifications being forwarded by Internet providers to their subscribers. Since its launch, there have been serious concerns about the use of notices to demand settlements and to shift the costs of enforcement to consumers and Internet providers. Yet reports indicate that piracy rates in Canada have plummeted, with some ISPs seeing a 70% decrease in online infringement.
Networking

Critical Vulnerability In NetUSB Driver Exposes Millions of Routers To Hacking

Posted by Soulskill
from the it's-not-even-another-day-yet dept.
itwbennett writes: NetUSB, a service that lets devices connected over USB to a computer be shared with other machines on a local network or the Internet, is implemented in Linux-based embedded systems, such as routers, as a kernel driver. Once enabled, it opens a server that listens on TCP port 20005 for connecting clients. Security researchers from a company called Sec Consult found that if a connecting computer has a name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB service. The advisory notice has a list of affected routers.
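The bug class in the NetUSB item, as an added example that is neither SEC Consult's advisory code nor the NetUSB driver itself: a fixed 64-byte name buffer filled using a length the remote client controls, shown in the vulnerable form beside the bounds-checked fix. The message layout (a 4-byte little-endian name length followed by the name bytes), the stack-frame model with a guard word standing in for the data that follows the buffer, and all function names are this example's assumptions; the real wire format is not described on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NETUSB_PORT     20005       /* port the service listens on, per the advisory */
#define NETUSB_NAME_MAX 64          /* size of the fixed stack buffer */
#define GUARD_VALUE     0xDEADBEEFu

/* Stand-in for the handler's stack frame: the 64-byte name buffer is
 * immediately followed by other frame data (here a guard word playing the
 * role of a saved register or return address). Modelled as one flat byte
 * array so the demo overflow stays inside a single C object. Assumption. */
struct handler_frame {
    unsigned char bytes[NETUSB_NAME_MAX + sizeof(uint32_t)];
};

void frame_init(struct handler_frame *f)
{
    uint32_t guard = GUARD_VALUE;
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + NETUSB_NAME_MAX, &guard, sizeof guard);
}

/* 1 if the data after the name buffer is untouched, 0 if it was overwritten. */
int guard_intact(const struct handler_frame *f)
{
    uint32_t guard;
    memcpy(&guard, f->bytes + NETUSB_NAME_MAX, sizeof guard);
    return guard == GUARD_VALUE;
}

/* Assumed message layout: uint32 little-endian name length, then the name. */
static int read_name_len(const uint8_t *msg, size_t msg_len, uint32_t *name_len)
{
    if (msg_len < 4) return -1;
    *name_len = (uint32_t)msg[0] | (uint32_t)msg[1] << 8 |
                (uint32_t)msg[2] << 16 | (uint32_t)msg[3] << 24;
    if (*name_len > msg_len - 4) return -1;     /* longer than what was received */
    return 0;
}

/* Vulnerable pattern: the length is checked against the packet but never
 * against the destination, so a name longer than 64 bytes runs over whatever
 * follows the buffer on the stack. */
int copy_name_vulnerable(struct handler_frame *f, const uint8_t *msg, size_t msg_len)
{
    uint32_t name_len;
    if (read_name_len(msg, msg_len, &name_len) != 0) return -1;
    /* Demo-only cap so the write stays inside the frame object; the real bug
     * has no such limit and keeps writing past the frame. */
    if (name_len > sizeof f->bytes) return -1;
    memcpy(f->bytes, msg + 4, name_len);
    return 0;
}

/* Hardened form: reject anything that does not fit with a terminating NUL. */
int copy_name_fixed(struct handler_frame *f, const uint8_t *msg, size_t msg_len)
{
    uint32_t name_len;
    if (read_name_len(msg, msg_len, &name_len) != 0) return -1;
    if (name_len > NETUSB_NAME_MAX - 1) return -1;
    memcpy(f->bytes, msg + 4, name_len);
    f->bytes[name_len] = '\0';
    return 0;
}

/* Constructed client message: name_len bytes of 'A'. Returns the total
 * message length, or 0 if out is too small. */
size_t build_message(uint32_t name_len, uint8_t *out, size_t out_len)
{
    if (out_len < 4 + (size_t)name_len) return 0;
    out[0] = (uint8_t)name_len;        out[1] = (uint8_t)(name_len >> 8);
    out[2] = (uint8_t)(name_len >> 16); out[3] = (uint8_t)(name_len >> 24);
    memset(out + 4, 'A', name_len);
    return 4 + name_len;
}

int main(void)
{
    uint8_t msg[4 + 80];
    struct handler_frame f;
    size_t n = build_message(68, msg, sizeof msg);   /* 68 > 64: the advisory's trigger */

    frame_init(&f);
    copy_name_vulnerable(&f, msg, n);
    printf("vulnerable copy, 68-byte name: guard %s\n",
           guard_intact(&f) ? "intact" : "CLOBBERED");

    frame_init(&f);
    printf("fixed copy, 68-byte name: %s, guard %s\n",
           copy_name_fixed(&f, msg, n) == 0 ? "accepted" : "rejected",
           guard_intact(&f) ? "intact" : "CLOBBERED");
    return 0;
}
```

The check that matters is the one against the destination size, not the packet size; read_name_len alone only prevents an out-of-bounds read. On a real kernel driver the overwritten bytes would be saved registers and the return address rather than a guard word, which is what turns a long computer name into code execution.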
Encryption

'Logjam' Vulnerability Threatens Encrypted Connections

Posted by Soulskill
from the another-day-another-vulnerability dept.
An anonymous reader writes: A team of security researchers has revealed a new encryption vulnerability called 'Logjam,' which is the result of a flaw in the TLS protocol used to create encrypted connections. It affects servers supporting the Diffie-Hellman key exchange, and it's caused by export restrictions mandated by the U.S. government during the Clinton administration. "Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties."

Internet Explorer is the only browser yet updated to block such an attack — patches for Chrome, Firefox, and Safari are expected soon. The researchers add, "Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break." Here is their full technical report (PDF).
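As an added example serving both Logjam items above (the Halderman quote and this report), and not the researchers' own code: a parser for the ServerDHParams portion of a TLS ServerKeyExchange (three length-prefixed fields, dh_p, dh_g, dh_Ys, per RFC 5246) that measures the prime's bit length and refuses the 512-bit export-grade groups Logjam downgrades to as well as the 1024-bit groups the researchers consider within reach of a nation-state precomputation. The sample messages are constructed inline with a stand-in prime; the function names and the 2048-bit acceptance threshold are this example's own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ServerDHParams from a TLS ServerKeyExchange (RFC 5246):
 *   opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>;
 * each field is a 2-byte big-endian length followed by that many bytes. */
struct dh_params {
    const uint8_t *p;  size_t p_len;
    const uint8_t *g;  size_t g_len;
    const uint8_t *ys; size_t ys_len;
};

enum dh_strength { DH_EXPORT_GRADE, DH_WEAK, DH_ACCEPTABLE };

/* Read one <1..2^16-1> vector and advance *cur; -1 on truncation or empty. */
static int read_vec16(const uint8_t **cur, const uint8_t *end,
                      const uint8_t **out, size_t *out_len)
{
    if ((size_t)(end - *cur) < 2) return -1;
    size_t len = ((size_t)(*cur)[0] << 8) | (*cur)[1];
    *cur += 2;
    if (len == 0 || (size_t)(end - *cur) < len) return -1;
    *out = *cur;
    *out_len = len;
    *cur += len;
    return 0;
}

int parse_server_dh_params(const uint8_t *buf, size_t len, struct dh_params *out)
{
    const uint8_t *cur = buf, *end = buf + len;
    if (read_vec16(&cur, end, &out->p,  &out->p_len))  return -1;
    if (read_vec16(&cur, end, &out->g,  &out->g_len))  return -1;
    if (read_vec16(&cur, end, &out->ys, &out->ys_len)) return -1;
    return 0;
}

/* Bit length of a big-endian unsigned integer, ignoring leading zero bytes. */
size_t bignum_bits(const uint8_t *b, size_t len)
{
    size_t i = 0;
    while (i < len && b[i] == 0) i++;
    if (i == len) return 0;
    size_t bits = (len - i - 1) * 8;
    for (unsigned v = b[i]; v; v >>= 1) bits++;
    return bits;
}

/* Policy (this example's choice): up to 512 bits is the export grade Logjam
 * downgrades to; below 2048 is the size the researchers say a nation-state
 * can precompute; 2048 bits or more is accepted. */
enum dh_strength classify_dh(size_t p_bits)
{
    if (p_bits <= 512) return DH_EXPORT_GRADE;
    if (p_bits < 2048) return DH_WEAK;
    return DH_ACCEPTABLE;
}

/* Parse a ServerDHParams blob and classify its prime; -1 on malformed input. */
int check_server_dh(const uint8_t *buf, size_t len, enum dh_strength *out)
{
    struct dh_params dh;
    if (parse_server_dh_params(buf, len, &dh) != 0) return -1;
    if (dh.ys_len > dh.p_len) return -1;        /* public value cannot exceed p */
    *out = classify_dh(bignum_bits(dh.p, dh.p_len));
    return 0;
}

/* Constructed input: a p_bytes-byte "prime" with its top bit set (not a real
 * prime, only its length matters here), g = 2, and a public value of the same
 * length. Returns the encoded length, or 0 if out is too small. */
size_t build_server_dh_params(size_t p_bytes, uint8_t *out, size_t out_len)
{
    size_t need = 2 + p_bytes + 2 + 1 + 2 + p_bytes;
    if (p_bytes == 0 || p_bytes > 0xffff || out_len < need) return 0;
    uint8_t *w = out;
    *w++ = (uint8_t)(p_bytes >> 8); *w++ = (uint8_t)p_bytes;
    memset(w, 0xff, p_bytes); w[0] = 0x80; w += p_bytes;
    *w++ = 0; *w++ = 1; *w++ = 2;                       /* g = 2 */
    *w++ = (uint8_t)(p_bytes >> 8); *w++ = (uint8_t)p_bytes;
    memset(w, 0x5a, p_bytes); w[0] = 0x01; w += p_bytes; /* Ys < p */
    return (size_t)(w - out);
}

int main(void)
{
    static const char *names[] = { "export-grade", "weak", "acceptable" };
    static const size_t sizes[] = { 64, 128, 256 };   /* 512-, 1024-, 2048-bit p */
    uint8_t buf[1024];
    for (size_t i = 0; i < 3; i++) {
        size_t n = build_server_dh_params(sizes[i], buf, sizeof buf);
        enum dh_strength s;
        if (check_server_dh(buf, n, &s) == 0)
            printf("%4zu-bit p: %s\n", sizes[i] * 8, names[s]);
    }
    return 0;
}
```

A client that applies classify_dh to the group it is offered, instead of accepting whatever the server sends, is not helped by the downgrade Logjam performs: the attacker can make the server pick an export suite, but the 512-bit prime that arrives is rejected before any key is derived. Size alone is the coarse check; the report's point about a single widely shared 1024-bit prime is why a stricter client would also compare p against known precomputable groups.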