Advertising

Google Says It Killed 780 Million 'Bad Ads' In 2015 (cio.com) 92

itwbennett writes: According to a new Google report, the search giant disabled more than 780 million "bad ads," including ads for counterfeit products, misleading or unapproved pharmaceuticals, weight loss scams, phishing ploys, unwanted software and "trick-to-click" cons, globally last year. This marks a 49 percent increase over 2014. For perspective, it would take an individual nearly 25 years to look at the 780 million ads Google removed last year for just one second each, according to Google. If the trend continues, Google's team of more than 1,000 staffers dedicated to killing spam will be even busier in 2016, and they could disable more than a billion junky ads.
Power

Governments Don't Do Enough to Protect Nuclear Facilities From Cyberattacks (nytimes.com) 85

mdsolar writes: Twenty nations with significant atomic stockpiles or nuclear power plants have no government regulations requiring minimal protection of those facilities against cyberattacks, according to a study by the Nuclear Threat Initiative. The findings build on growing concerns that a cyberattack could be the easiest and most effective way to take over a nuclear power plant and sabotage it, or to disable defenses that are used to protect nuclear material from theft. The countries on the list include Argentina, China, Egypt, Israel, Mexico and North Korea.
Encryption

OpenSSH Patches Bug That Leaks Private Crypto Keys (threatpost.com) 60

msm1267 writes: OpenSSH today released a patch for a critical vulnerability that could be exploited by an attacker to force a client to leak private cryptographic keys. The attacker would have to control a malicious server in order to force the client to give up the key, OpenSSH and researchers at Qualys said in separate advisories. Qualys' security team privately disclosed the vulnerability Jan. 11 and the OpenSSH team had it patched within three days. The vulnerability was found in a non-documented feature called roaming that supports the resumption of interrupted SSH connections. OpenSSH said client code between versions 5.4 and 7.1 is vulnerable as it contains the roaming support. OpenSSH said that organizations may disable the vulnerable code by adding 'UseRoaming no' to the global ssh_config(5) file. Researchers at Qualys said organizations should patch immediately and regenerate private keys.
Windows

'Get Windows 10' Turns Itself On and Nags Win 7 and 8.1 Users Twice a Day (infoworld.com) 720

LichtSpektren writes: As you may recall, Microsoft has delivered KB3035583 as a 'recommended update' to users of Windows 7 and 8.1. What this update does is install GWX ("Get Windows 10"), a program which diagnoses the system to see if it is eligible for a free upgrade to Windows 10, and if so, asks the user if they would like to upgrade (though recently, the option to decline has been removed). Some users have gotten around this by editing Windows Registry values for "AllowOSUpgrade", "DisableOSUpgrade", "DisableGWX", and "ReservationsAllowed" in order to disable the prompt altogether. This advice was endorsed by Microsoft on their support forums.

According to a report by Woody Leonhard at InfoWorld, the newest version of the KB3035583 update includes a background process which scans the system's Windows Registry twice a day to see if the values for the four aforementioned registry inputs were manually edited to disable the upgrade prompt. If they were, the process will alter the values, silently re-download the Windows 10 installation files (about 6 GB in total), and prompt the user to upgrade.

Advertising

Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) 406

Deathlizard writes with a report at Engadget that when this year's "Forbes 30 Under 30" list came out, "it featured a prominent security researcher. Other researchers were pleased to see one of their own getting positive attention, and visited the site in droves to view the list. On arrival, like a growing number of websites, Forbes asked readers to turn off ad blockers in order to view the article. After doing so, visitors were immediately served with pop-under malware, primed to infect their computers, and likely silently steal passwords, personal data and banking information."
Networking

Ask Slashdot: How To Deal With a Persistent and Incessant Port Scanner? 265

jetkins writes: What would you do if your firewall was being persistently targeted by port scans from a specific group of machines from one particular company? I run a Sophos UTM9 software firewall appliance on my home network. Works great, and the free Home Use license provides a bunch of really nice features normally only found on commercial-grade gear. One of those is the ability to detect, block, and report port scans, and under normal circumstances I only get the occasional alert when some script kiddie comes a-knocking at my door.

But in recent months I have been getting flooded with alerts of scans from one particular company. I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action. So I used DNS lookup and WHOIS to find their phone number, and spoke with someone there; it appears that they're a small outfit, and I was assured that they had a good idea where it was coming from and that they would make it stop. Indeed, it did stop a few days later but then it was back again, unabated, after another week or so. So last week I called them again, and was once again assured of a resolution. No dice, the scans continue to pour in.

I've already blocked their subnet at my firewall, but the UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing and I'm not prepared to turn them off completely. This afternoon I forwarded the twenty-something alerts that I've received so far today, to their abuse@ address with an appeal for a Christmas Miracle, but frankly I'm not holding out much hope that it will have any effect. So, Slashdotters, what should I do if this continues into the new year? Start automatically bouncing every report to their abuse address? Sic Anonymous on them? Start calling them every time? I'm open to suggestions.
Advertising

AdBlock Plus Updates Acceptable Ads Policy 523

AmiMoJo writes: By default the popular AdBlock Plus plug-in allows some "acceptable" ads to be displayed. A blog post announcing updates to policy describes the goals of the update: easier to understand, more robust and more explicit about what is and isn't acceptable. The new criteria are listed on another page, and the option to disable acceptable ads remains.
Yahoo!

Yahoo Denies Ad-blocking Users Access To Email (washingtonpost.com) 328

JoeyRox writes: Yahoo is running an A/B test that blocks access to Yahoo email if the site detects that the user is running an Ad Blocker. Yahoo says that this is a trial rather than a new policy, affecting only a "small number" of users. Those lucky users are greeted with a message that reads "Please disable Ad Blocker to continue using Yahoo Mail." Regarding the legality of the move, "Yahoo is well within its rights to do so," said Ansel Halliburton, an attorney at Kronenberger Rosenfeld who specializes in Internet law.
Botnet

Compromised CCTV and NAS Devices Found Participating In DDoS Attacks (incapsula.com) 64

chicksdaddy writes: The parade of horribles continues on the Internet of Things, with a report from the security firm Incapsula that its researchers discovered compromised closed circuit cameras as well as home network attached storage (NAS) devices participating in denial of service attacks. The compromised machines included a CCTV at a local mall, just a couple minutes from the Incapsula headquarters.

According to the report, Incapsula discovered the infections as part of an investigation into a distributed denial of service attack on what it described as a "rarely-used asset" at a "large cloud service." The attack used a network of 900 compromised cameras to create a flood of HTTP GET requests, at a rate of around 20,000 requests per second, to try to disable the cloud-based server. The cameras were running the same operating system: embedded Linux with BusyBox, which is a collection of Unix utilities designed for resource-constrained endpoints.

The malware in question was a variant of a self-replicating program known as Lightaidra, which targets systems running BusyBox and exploits vulnerable Telnet/SSH services using so-called "brute force dictionary attacks" (aka "password guessing"). Given that many Internet connected devices simply use the default administrator credentials when deployed, calling it a "brute force" attack is probably a stretch.

Security

Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC (sucuri.net) 80

An anonymous reader writes: Online security firm Sucuri note a vertical rise in brute force attacks against WordPress websites using Brute Force Amplification, where a thousand passwords can be submitted within the scope of a single login attempt. The company notes that disabling the protocol is likely to interfere with the functionality of many plugins which rely on it. The Stack reports: "Sucuri note that most of the BFA calls are targeting the WordPress category enumerating hook wp.getCategories, and are targeting the ‘admin’ username, along with predictable default usernames. Sucuri recommend blocking system.multicall requests via a Web Access Firewall if available, but note that so many WordPress plugins depend on the point of vulnerability xmlrpc.php that blocking access to that functionality may interfere with normal operation of the site. The iThemes security system offers functionality to specifically disable XML-RPC as well, but this also requires a check against normal functioning of the site."
Windows

Ask Slashdot: Make Windows Update Install Only Security Updates Automatically? 288

An anonymous reader writes: After the news earlier this month about Microsoft forcing the Windows 10 upgrade on people who don't want it, my sizeable extended family has been coming to me for a solution. They don't want to be guinea pigs this early in the Windows 10 release cycle, but it looks like Microsoft may not be giving them a choice. My reading of Woody Leonhard's advice is that the only way to ensure the upgrade doesn't happen is to disable Windows Update, but that seems extreme. I want my family to install security updates, but I don't relish the idea of explaining to them how to install just those and hide the less-desirable updates.

The ideal solution would be to have only security updates install automatically, but it looks like it's easier said than done. I've looked at third-party tools like Autopatcher and Portable Update, but a security-only option doesn't seem to be very standard. From what I've read, Microsoft doesn't even package security updates separately, sometimes mixing merely Important and Recommended updates in the downloaded CAB file. I wish I could get them off Windows, but it's not an option. They use Windows at work or school, and don't want to go through the process of learning another OS. Maybe the current situation with Windows 10 will convince them eventually, but they need something now. I would really like to come up with a solution before the next Patch Tuesday on October 13. Do any of the more knowledgeable Slashdotters out there have any advice?
Google

YouTube Reportedly Bypassing Ad Blockers On Google Chrome 296

An anonymous reader writes: YouTube users have lit up Twitter today, angry about an apparent change of policy by Google, which now seems to be showing ads in front of videos on YouTube even when using Adblock. Neowin reports: "Google's workaround seems to be applicable to all similar extensions and isn't exclusive to just AdBlock Plus. The company has not stopped at just skirting the extension, however. Users with AdBlock enabled will now have to see full-length video ads with no option to skip them half-way through, a feature YouTube has offered for a very long time. The only way to get the option back is to disable AdBlock, or to whitelist YouTube."
Privacy

How To Keep Microsoft's Nose Out of Your Personal Data In Windows 10 426

MojoKid writes: Amid the privacy concerns and arguably invasive nature of Microsoft's Windows 10 regarding user information, it's no surprise that details on how to minimize leaks as much as possible are often requested by users who have recently made the jump to the new operating system. If you are using Windows 10, or plan to upgrade soon, it's worth bearing in mind a number of privacy-related options that are available, even during the installation/upgrade. If you are already running the OS and forgot to turn them off during installation (or didn't even see them), they can be accessed via the Settings menu on the start menu, and then selecting Privacy from the pop-up menu. Among these menus are a plethora of options regarding what data can be gathered about you. It's worth noting, however, that changing any of these options may disable various OS related services, namely Cortana, as Microsoft's digital assistant has its tendrils buried deep.
Firefox

How to Quash Firefox's Silent Requests 294

An anonymous reader writes: Unlike older versions of Firefox, more recent versions will make a request to a destination server just by hovering over a link. No CSS, no JavaScript, no prefetch required. Try it for yourself. Disable CSS and JavaScript and fire up iftop or Windows Resource Monitor, hover over some links and watch the fun begin. There once was a time when you hovered over a link to check the 'real link' before you clicked on it. Well no more. Just looking at it makes a 'silent request.' This behavior is the result of the Mozilla speculative connect API. Here is a bug referencing the API when hovering over a thumbnail on the new tab page. And another bug requesting there be an option to turn it off. Strangely enough the latter bug is still labeled WONTFIX even though the solution is in the comments (setting network.http.speculative-parallel-limit to 0).

Firefox's own How to stop Firefox from making automatic connections also mentions setting network.http.speculative-parallel-limit to 0 to stop predictive connections when a user "hovers their mouse over thumbnails on the New Tab Page or the user starts to search in the Search Bar" but no mention regarding hovering over a normal link. Good thing setting network.http.speculative-parallel-limit to 0 does appear to disable speculative connect on normal links too. One can expect Firefox to make requests in the background to its own servers for things such as checking for updates to plugins etc. But silently making requests to random links on a page (and connecting to those servers) simply by hovering over them is something very different.
Windows

Windows 10's Privacy Policy: the New Normal? 515

An anonymous reader writes: The launch of Windows 10 brought a lot of users kicking and screaming to the "connected desktop." Its benefits come with tradeoffs: "the online service providers can track which devices are making which requests, which devices are near which Wi-Fi networks, and feasibly might be able to track how devices move around. The service providers will all claim that the data is anonymized, and that no persistent tracking is performed... but it almost certainly could be." There are non-trivial privacy concerns, particularly for default settings.

According to Peter Bright, for better or worse this is the new normal for mainstream operating systems. We're going to have to either get used to it, or get used to fighting with settings to turn it all off. "The days of mainstream operating systems that don't integrate cloud services, that don't exploit machine learning and big data, that don't let developers know which features are used and what problems occur, are behind us, and they're not coming back. This may cost us some amount of privacy, but we'll tend to get something in return: software that can do more things and that works better."
Privacy

Ask Slashdot: Can You Disable Windows 10's Privacy-Invading Features? 492

An anonymous reader writes: I really want to upgrade to Windows 10, but have begun seeing stories come out about the new Terms and how they affect your privacy. It looks like the default Windows 10 system puts copies of your data out on the "cloud", gives your passwords out, and targets advertising to you. The main reason I am looking to upgrade is that Bitlocker is not available on Windows 7 Pro, but is on Windows 10 Pro, and Microsoft no longer offers Anytime Upgrades to Windows 7 Ultimate. However, I don't want to give away my privacy for security. The other option is to wait until October to see what the Windows 10 Enterprise version offers, but it may not be available through retail. Are the privacy minded Slashdot readers not going with Windows 10?

For reference, I am referring to these articles.
(Not to mention claims that it steals your bandwidth.)
Security

Hacking a 'Smart' Sniper Rifle 73

An anonymous reader writes: It was inevitable: as soon as we heard about computer-aimed rifles, we knew somebody would find a way to compromise their security. At the upcoming Black Hat security conference, researchers Runa Sandvik and Michael Auger will present their techniques for doing just that. "Their tricks can change variables in the scope's calculations that make the rifle inexplicably miss its target, permanently disable the scope's computer, or even prevent the gun from firing." In one demonstration they were able to tweak the rifle's ballistic calculations by making it think a piece of ammunition weighed 72 lbs instead of 0.4 ounces. After changing this value, the gun tried to automatically adjust for the weight, and shot significantly to the left. Fortunately, they couldn't find a way to make the gun fire without physically pulling the trigger.
News

California Legislation May Allow First Responders To Take Out Drones 368

Required Snark writes: During the recent North Fire that burned vehicles on I-15 in California, firefighters had to suspend aerial operations because of the presence of drone aircraft, according to CNN. Quoting: "Five such 'unmanned aircraft systems' prevented California firefighters from dispatching helicopters with water buckets for up to 20 minutes over a wildfire that roared Friday onto a Los Angeles area freeway that leads to Las Vegas. Helicopters couldn't drop water because five drones hovered over the blaze, creating hazards in smoky winds for a deadly midair disaster, officials said."

In response, state officials have introduced legislation that would allow first responders to disable drones in emergency situations. A second bill would allow jail time and fines for drone users that interfere with firefighting efforts. "Senate Bill 168, introduced by Gatto and Sen. Ted Gaines, R-El Dorado, would grant 'immunity to any emergency responder who damages an unmanned aircraft in the course of firefighting, air ambulance, or search-and-rescue operations.' Los Angeles County fire Inspector David Dantic declined to comment on the specific legislation, but said his agency's aircraft cannot operate safely if a drone is in the same airspace."
Windows

Windows 10 Home Updates To Be Automatic and Mandatory 628

AmiMoJo sends a report stating that Windows 10 Home users don't seem to have any way to disable automatic updates to the operating system. Throughout the testing of the Technical Preview, users noted that this option wasn't available, but it wasn't clear whether that was intended for the full release. Now that the suspected RTM build has been distributed, only two options are available regarding update installation: update then reboot automatically, or update then reboot manually. A quote from the EULA seems to support this: "The Software periodically checks for system and app updates, and downloads and installs them for you. ... By accepting this agreement, you agree to receive these types of automatic updates without any additional notice."

The article notes, "This has immediately raised concerns. Today, if a Windows user finds that an update breaks something that they need, they can generally refuse that update for an extended period. ... For Windows 10 Home users, this isn't going to be an option. If a future update breaks something essential, the user is going to be out of luck." Windows 10 Pro users will be able to delay updates for some period of time, and Enterprise users will have update functionality similar to that of Windows 8.
Cellphones

Ask Slashdot: Measuring (and Constraining) Mobile Data Use? 129

An anonymous reader writes: I've carried a smart phone for several years, but for much of that time it's been (and I suspect this is true for anyone for whom money is an object) kept pretty dumb — at least for anything more data-intensive than Twitter and the occasional map checking. I've been using more of the smart features lately (Google Drive and Keep are seductive.) Since the data package can be expensive, though, and even though data is cheaper than it used to be, that means I don't check Facebook often, or upload pictures to friends by email, unless I'm in a Wi-Fi zone (like home, or a coffee shop, etc). Even so, it seems I'm using more data than I realized, and I'd like to keep it under the 2GB allotment I'm paying for. I used to think half a gig was generous, but now I'm getting close to that 2GB I've paid for, most months.

This makes me a little paranoid, which leads to my first question: How accurate are carriers' own internal tools for measuring use, and do you recommend any third-party apps for keeping track of data use? Ideally, I'd like a detailed breakdown by app, over time: I don't think I'm at risk for data-stealing malware on my phone (the apps I use are either built-in, or plain-vanilla ones from Google's store, like Instagram, Twitter's official client, etc.), but of course really well-crafted malware would be tough to guard against or to spot. And even if they can be defeated, more and more sites (Facebook, for one) now play video just because I've rolled over a thumbnail.
Read on for second part of the question.
