Bug

Honeywell Home Controllers Open To Any Hacker Who Can Find Them Online 57 57

Trailrunner7 writes: Security issues continue to crop up within the so-called "smart home." A pair of vulnerabilities have been reported for the Tuxedo Touch controller made by Honeywell, a device that's designed to allow users to control home systems such as security, climate control, lighting, and others. The controller, of course, is accessible from the Internet. Researcher Maxim Rupp discovered that the vulnerabilities could allow an attacker to take arbitrary actions, including unlocking doors or modifying the climate controls in the house.
Security

Video Veteran IT Journalist Worries That Online Privacy May Not Exist (Video) 39 39

Tom Henderson is a long-time observer of the IT scene, complete with scowl and grey goatee. And cynicism. Tom is a world-class cynic, no doubt about it. Why? Cover enterprise IT security and other computing topics long enough for big-time industry publications like ITWorld and its IDG brethren, and you too may start to think that no matter what you do, your systems will always have (virtual) welcome mats in front of them, inviting crackers to come in and have a high old time with your data.

Note: Alert readers have probably noticed that we talked with Tom about cloud security back in March. Another good interview, worth seeing (or reading).
Chrome

Chrome Extension Thwarts User Profiling Based On Typing Behavior 60 60

An anonymous reader writes: Per Thorsheim, the founder of PasswordsCon, created and trained a biometric profile of his keystroke dynamics using the Tor browser at a demo site. He then switched over to Google Chrome and not using the Tor network, and the demo site correctly identified him when logging in and completing a demo financial transaction. Infosec consultant Paul Moore came up with a working solution to thwart this type of behavioral profiling. The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM. A Firefox version of the plugin is in the works.
Security

Your Stolen Identity Goes For $20 On the Internet Black Market 55 55

HughPickens.com writes: Keith Collins writes at Quartz that the going rate for a stolen identity is about twenty bucks on the internet black market. Collins analyzed hundreds of listings for a full set of someone's personal information—identification number, address, birthdate, etc., known as "fullz" that were put up for sale over the past year, using data collected by Grams, a search engine for the dark web. The listings ranged in price from less than $1 to about $450, converted from bitcoin. The median price for someone's identity was $21.35. The most expensive fullz came from a vendor called "OsamaBinFraudin," and listed a premium identity with a high credit score for $454.05. Listings on the lower end were typically less glamorous and included only the basics, like the victim's name, address, social security number, perhaps a mother's maiden name. Marketplaces on the dark web, not unlike eBay, have feedback systems for vendors ("cheap and good A+"), refund policies (usually stating that refunds are not allowed), and even well-labeled sections. "There is no shortage of hackers willing to do about anything, computer related, for money," writes Elizabeth Clarke. "and they are continually finding ways to monetize personal and business data."
Google

Google Is Dropping Its Google+ Requirement Across All Products Including YouTube 165 165

An anonymous reader writes: After years of plugging Google+ into all of its services, today Google announced that your Google+ profile will no longer be your identity in all its products. The company says it will take a few months for all the changes to happen, but the first product to be uncoupled will be YouTube. Bradley Horowitz, Google's vice president of streams, photos, and sharing, says the changes are a response to user feedback: "We've also heard that it doesn't make sense for your Google+ profile to be your identity in all the other Google products you use."
ch

Swiss Researchers Describe a Faster, More Secure Tor 59 59

An anonymous reader writes: Researchers from the Swiss Federal Institute of Technology and University College London published a paper this week describing a faster and more secure version of Tor called HORNET. On one hand, the new onion routing network can purportedly achieve speeds of up to 93 gigabits per second and "be scaled to support large numbers of users with minimal overhead". On the other hand, researchers cannot claim to be immune to "confirmation attacks" known to be implemented on Tor, but they point out that, given how HORNET works, perpetrators of such attacks would have to control significantly more ISPs across multiple geopolitical boundaries and probably sacrifice the secrecy of their operations in order to successfully deploy such attacks on HORNET.
KDE

KDE Community Announces Fully Open Source Plasma Mobile 44 44

sfcrazy writes: Today, during the Akademy event, the KDE Community announced Plasma Mobile project. It's a Free (as in Freedom and beer), user-friendly, privacy-enabling and customizable platform for mobile devices. Plasma Mobile claims to be developed in an open process, and considering the community behind it, I don't doubt it. A great line: "Plasma Mobile is designed as an ‘inclusive’ platform and will support all kinds of apps. In addition to native apps written in Qt, it also supports GTK apps, Android apps, Ubuntu apps, and many others." And if you have a Nexus 5, you can download and play with a prototype now.
Privacy

After Progressive Insurance's Snapshot Hacked, Manufacturer Has Been, Too 3 3

An anonymous reader writes: Progressive Insurance sells a tracking device called Snapshot that is advertised as a "little device [that] turns your safe driving into savings." However Snapshot itself has been hacked, and Xirgo Technologies, which makes Snapshot, is currently hacked due to out-of-date software on their website — and has been that way since at least May 5th of 2015. Given that Chrysler just did a recall of 1.4 million cars, people should really think twice before blindly trusting the safety of their cars to any random company, especially if that company can't even keep their WordPress up-to-date or remove hacked code from their site.
Communications

An Interview With Hacking Team's CEO 80 80

Alastair Stevenson writes: I talked to the leader of the world's most hated surveillance company about its path to recovery and morals, following a massive attack on its systems. CEO David Vincenzetti, as you might expect, thinks that his company "deserves the protection of law and order," and disclaims (also as you'd expect) responsibility for what its clients do with the privacy-unraveling software it provides: Law enforcement must have a way to do what it has always done, that is to track criminals and prevent or prosecute crime. With the development of global terrorism and especially the ‘lone wolf’ terrorist, this requirement is even more important. Hacking Team has helped fight crime by providing a surveillance tool to law enforcement. The company believes this is a small step toward a more secure world for all who wish to used the Internet and digital tools lawfully.
Privacy

Researchers: Mobile Users Will Trade Data For Fun and Profit 21 21

itwbennett writes: Even as mobile users become more security and privacy conscious, researchers and other mobile data collectors still to collect user data in order to build products and services. The question: How to get users to give up that data? Researchers at the New Jersey Institute of Technology tested two incentives: gamification and micropayments. The test involved building a campus Wi-Fi coverage map using user data collected from student participants who either played a first-person shooter game or who were paid to complete certain tasks (e.g., taking photos). The game turned out to be a quick and efficient way to build the Wi-Fi coverage map. But data from the micropayments group was found to be "sometimes unreliable, and individuals were trying to trick the system into thinking they had accomplished tasks."
Privacy

US Court: 'Pocket-Dialed' Calls Are Not Private 179 179

itwbennett writes: In a case of a pocket-dialed call, a conscientious secretary, and sensitive personnel issues, a federal appeals court in Ohio has ruled pocket-dialers shouldn't have any expectation of privacy. 'Under the plain-view doctrine, if a homeowner neglects to cover a window with drapes, he would lose his reasonable expectation of privacy with respect to a viewer looking into the window from outside of his property,' the court said. The same applies to pocket-dialed calls, according to the court. If a person doesn't take reasonable steps to keep their call private, their communications are not protected by the Wiretap Act.
Facebook

New York Judge Rules Against Facebook In Search Warrant Case 157 157

itwbennett writes: Last year, Facebook appealed a court decision requiring it to hand over data, including photos and private messages, relating to 381 user accounts. (Google, Microsoft, and Twitter, among other companies backed Facebook in the dispute). On Tuesday, Judge Dianne Renwick of the New York State Supreme Court ruled against Facebook, saying that Facebook has no legal standing to challenge the constitutionality of search warrants served on its users.
Privacy

FCC CIO: Consumers Need Privacy Controls In the Internet of Everything Era 46 46

Lemeowski writes: Who is responsible for ensuring security and privacy in the age of the Internet of Things? As the number of Internet-connected devices explodes — Gartner estimates that 25 billion devices and objects will be connected to the Internet by 2020 — security and privacy issues are poised to affect everyone from families with connected refrigerators to grandparents with healthcare wearables. In this interview, U.S. Federal Communications Commission CIO David Bray says control should be put in the hands of individual consumers. Speaking in a personal capacity, Bray shares his learnings from a recent educational trip to Taiwan and Australia he took as part of an Eisenhower Fellowship: "A common idea Bray discussed with leaders during his Eisenhower Fellowship was that the interface for selecting privacy preferences should move away from individual Internet platforms and be put into the hands of individual consumers." Bray says it could be done through an open source agent that uses APIs to broker their privacy preferences on different platforms.
Bug

Bug Exposes OpenSSH Servers To Brute-Force Password Guessing Attacks 157 157

itwbennett writes: OpenSSH servers with keyboard-interactive authentication enabled, which is the default setting on many systems, including FreeBSD ones, can be tricked to allow many authentication retries over a single connection, according to a security researcher who uses the online alias Kingcope, who disclosed the issue on his blog last week. According to a discussion on Reddit, setting PasswordAuthentication to 'no' in the OpenSSH configuration and using public-key authentication does not prevent this attack, because keyboard-interactive authentication is a different subsystem that also relies on passwords.
Government

FBI's Hacks Don't Comply With Legal Safeguards 64 64

An anonymous reader writes: The FBI hacks computers. Specifics are scarce, and only a trickle of news has emerged from court filings and FOIA responses. But we know it happens. In a new law review article, a Stanford Ph.D. candidate and privacy expert pulls together what's been disclosed, and then matches it against established law. The results sure aren't pretty. FBI agents deceive judges, ignore time limits, don't tell computer owners after they've been hacked, and don't get 'super-warrants' for webcam snooping. Whatever you think of law enforcement hacking, it probably shouldn't be this lawless.
Privacy

Free Tools For Detecting Hacking Team Malware In Your Systems 62 62

An anonymous reader writes: Worried that you might have been targeted with Hacking Team spyware, but don't know how to find out for sure? IT security firm Rook Security has released Milano, a free automated tool meant to detect the Hacking Team malware on a computer system. Facebook has also offered a way to discover if your Mac(s) have been compromised by Hacking Team malware: they have provided a specific query pack for its open source OS analysis tool osquery.
Privacy

Red Star Linux Adds Secret Watermarks To Files 100 100

An anonymous reader writes: ERNW security analyst Florian Grunow says that North Korea's Red Star Linux operating system is tracking users by tagging content with unique hidden tags. He particularizes that files including Word documents and JPEG images connected to but not necessarily executed in Red Star will have a tag introduced into its code that includes a number based on hardware serial numbers. Red Star's development team seems to have created some quite interesting custom additions to Linux kernel and userspace, based on which Grunow has written a technical analysis.
Security

How Developers Can Rebuild Trust On the Internet 65 65

snydeq writes: Public keys, trusted hardware, block chains — InfoWorld's Peter Wayner discusses tech tools developers should be investigating to help secure the Internet for all. 'The Internet is a pit of epistemological chaos. As Peter Steiner posited — and millions of chuckles peer-reviewed — in his famous New Yorker cartoon, there's no way to know if you're swapping packets with a dog or the bank that claims to safeguard your money,' Wayner writes. 'We may not be able to wave a wand and make the Internet perfect, but we can certainly add features to improve trust on the Internet. To that end, we offer the following nine ideas for bolstering a stronger sense of assurance that our data, privacy, and communications are secure.'
Security

Netragard Ends Exploit Acquisition Program After Hacking Team Breach 48 48

Trailrunner7 writes: After the fallout from the HackingTeam breach, Netragard, a company that buys and sells exploits, has decided to shut down its exploit acquisition program. Leaked documents show that Natragard was selling exploits to the Italian maker of intrusion and surveillance software. In addition, documents further showed that the company sold its products to a variety of oppressive regimes, including Egypt and Ethiopia. A company statement reads in part: "We’ve decided to terminate our Exploit Acquisition Program (again). Our motivation for termination revolves around ethics, politics, and our primary business focus. The HackingTeam breach proved that we could not sufficiently vet the ethics and intentions of new buyers. HackingTeam unbeknownst to us until after their breach was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations. While it is not a vendors responsibility to control what a buyer does with the acquired product, HackingTeam’s exposed customer list is unacceptable to us. The ethics of that are appalling and we want nothing to do with it."
Privacy

Affair Site Hackers Threaten Release of All User Data Unless It Closes 446 446

heretic108 writes: According to KrebsOnSecurity, the infamous Ashley Madison affairs hookup website has been hacked by a group calling itself The Impact Team. This group is demanding the immediate and permanent shutdown of Ashley Madison, as well as similar sites Cougar Life and Established Man, owned by the same company: Avid Life Media. If the sites aren't shut down, the hackers are threatening to publicly release personal data for 37 million users. ALM has confirmed that a hack took place, and the hackers posted snippets of account data, as well as bank and salary information from the company itself.