Government

As It Searches For Suspects, The FBI May Be Looking At You (technologyreview.com) 76

schwit1 quotes the MIT Technology Review: The FBI has access to nearly 412 million photos in its facial recognition system—perhaps including the one on your driver's license. But according to a new government watchdog report, the bureau doesn't know how error-prone the system is, or whether it enhances or hinders investigations.

Since 2011, the bureau has quietly been using this system to compare new images, such as those taken from surveillance cameras, against a large set of photos to look for a match. That set of existing images is not limited to the FBI's own database, which includes some 30 million photos. The bureau also has access to face recognition systems used by law enforcement agencies in 16 different states, and it can tap into databases from the Department of State and the Department of Defense. And it is in negotiations with 18 other states to be able to search their databases, too...

Adding to the privacy concerns is another finding in the GAO report: that the FBI has not properly determined how often its system makes errors and has not "taken steps to determine whether face recognition systems used by external partners, such as states and federal agencies, are sufficiently accurate" to support investigations.

Crime

Why Are Hackers Increasingly Targeting the Healthcare Industry? (helpnetsecurity.com) 101

Slashdot reader Orome1 shares an article by Bitdefender's senior "e-threat analyst," warning about an increasing number of attacks on healthcare providers: In general, the healthcare industry is proving lucrative for cybercriminals because medical data can be used in multiple ways, for example fraud or identity theft. This personal data often contains information regarding a patient's medical history, which could be used in targeted spear-phishing attacks... and hackers are able to access this data via network-connected medical devices, now standard in high-tech hospitals. This is opening up new possibilities for attackers to breach a hospital or a pharmaceutical company's perimeter defenses.

If a device is connected to the internet and left vulnerable to attack, an attacker could remotely connect to it and use it as a gateway for attacking network security... The majority of healthcare organizations have often been shown to fail basic security practices, such as disabling concurrent login to multiple devices, enforcing strong authentication and even isolating critical devices and medical data storing servers from a direct internet connection.

The article suggests the possibility of attackers tampering with the equipment that dispenses prescription medications, in which case "it is likely that future cyber-attacks could lead to the loss of human life."
Databases

154 Million Voter Records Exposed Due To Database Error (dailydot.com) 95

blottsie writes: Chris Vickery, a security researcher at MacKeeper, has uncovered a new voter database containing 154 million voter records, exposed as a result of a CouchDB installation error. The database includes names, addresses, Facebook profile URLs, gun ownership, and more. Who exposed the voter database? Vickery believes the suspect may be linked to L2, a company specializing in voter data utilization, after he noticed that the voter ID field was labeled "LALVOTERID." After calling the company, L2 said the database likely belongs to one of their clients, noting that there are very few clients big enough to have a national database like that. The database was secured within three hours of their phone call. L2's CEO Bruce Willsie said that the client told L2 that they were hacked and the firewall had been taken down. Their client is conducting their own research to figure out the extent of the incursion. The Daily Dot reports: "Why does this keep happening, and what is our government doing about it? No federal agency is enforcing data security in political organizations or non-profits, and so far, neither are state attorneys general."
Advertising

Advertiser That Tracked Around 100M Phone Users Without Consent Pays $950,000 (arstechnica.com) 31

Mobile advertising firm InMobi will be paying a fine of $950,000 and revamp its services to resolve federal regulators' claims that it deceptively tracked locations of hundreds of millions of people, including children. Ars Technica reports: The US Federal Trade Commission alleged in a complaint filed Wednesday that Singapore-based InMobi undermined phone users' ability to make informed decisions about the collection of their location information. While InMobi claimed that its software collected geographical whereabouts only when end users provided opt-in consent, the software in fact used nearby Wi-Fi signals to infer locations when permission wasn't given, FTC officials alleged. InMobi then archived the location information and used it to push targeted advertisements to individual phone users. Specifically, the FTC alleged, InMobi collected nearby basic service set identification addresses, which act as unique serial numbers for wireless access points. The company, which thousands of Android and iOS app makers use to deliver ads to end users, then fed each BSSID into a "geocorder" database to infer the phone user's latitude and longitude, even when an end user hadn't provided permission for location to be tracked through the phone's dedicated location feature.
Businesses

Indie Dev TinyBuild Lost $450K To Fraudulent Sales Facilitated By G2A (pastemagazine.com) 104

An anonymous reader quotes a report from Paste Magazine: Indie developer TinyBuild, the studio behind Punch Club, Party Hard and SpeedRunners, had thousands of their game codes stolen through fraudulent credit card purchases, which then wound up on G2A.com, a site that allows people to resell game codes. The basic idea behind G2A is straightforward and pretty harmless: with the amount of game codes sold through Steam, the Humble Store/Bundle, and more, the site gives consumers a place to sell unwanted game codes. However, in doing so, G2A has created a huge black market for game codes sales. As TinyBuild described in their blog post on the matter, the common practice for scammers is to "get ahold of a database of stolen credit cards on the dark web. Go to a bundle/3rd party key reseller and buy a ton of game keys. Put them up onto G2A and sell them at half the retail price." This allows scammers to make thousands of dollars while preventing any profit from reaching the game developers because, once the stolen credit cards are processed, the payments will be denied. G2A states that TinyBuild's retail partners are the ones selling the codes on G2A, not scammers, despite the thousands of codes they lost through their online store to fraudulent credit card purchases. In 2011, TinyBuild was in the news for uploading their own game, a platformer called No Time To Explain, to the Pirate Bay.
Democrats

DNC Hacker Releases Clinton Foundation Documents (washingtonexaminer.com) 156

An anonymous reader writes: Following a report that Russian hackers penetrated the DNC's database, a hacker, who identifies himself as "Guccifer 2.0" after a popular Romanian hacker who hacked various American political figures, most notably Hillary Clinton and her private server, published documents on Tuesday that he says came from the party's digital files. The documents detail Clinton's weaknesses as a candidate, and include a collection of negative press clips about the Clinton Foundation and a list of defenses against attacks on her private email use. Washington Examiner reports: "Another document, titled '2016 Democrats Positions Cheat Sheet,' listed major policy issues and indicated where Clinton, Bernie Sanders, Martin O'Malley, Jim Webb, Lincoln Chaffee, Elizabeth Warren and Joe Biden -- all former or possible rivals for the Democratic nomination -- stood on each issue." The documents contain information ranging from how the Clinton Foundation and its allies should respond to criticisms of the Clinton Foundation's revenue sources to how Chelsea Clinton wasn't able to answer questions about Clinton Foundation donations and other instances in which Bill Clinton was called a "sexual predator" for his past indiscretions. Even though the cybersecurity breach was blamed on the Russian government, the Kremlin has denied any involvement. The DNC also has yet to confirm or deny the authenticity of the leaked documents.
Security

Slashdot Asks: Does Your Company Have A Breach Response Team? (helpnetsecurity.com) 47

This week HelpNetSecurity reported on a study that found that "the average data breach cost has grown to $4 million, representing a 29 percent increase since 2013." "The amount of time, effort and costs that companies face in the wake of a data breach can be devastating, and unfortunately most companies still don't have a plan in place to deal with this process efficiently," said Caleb Barlow, Vice President of IBM Security.

But the most stunning part of the study was that each compromised record costs a company $158 (on average), and up to $355 per record in more highly-regulated industries like healthcare, according to the study -- $100 more than in 2013. And yet it also found that having an "incident response team" greatly reduces the cost of a data breach. So I'd be curious how many Slashdot readers work for a company that actually has a team in place to handle data breaches. Leave your answers in the comments. Does your company have an incident response team?
Security

Ask Slashdot: Should You Store Medical Details In The Cloud? (caremonkey.com) 262

"Paper forms are a security risk", warns the web site for CareMonkey, which maintains digital and up-to-date medical information in the cloud "for any organization with a duty of care". This is raising concerns for long-time Slashdot reader rolandw, who says he's being asked by his daughter's school to approve using the site to store "her full medical details". CareMonkey says that this data is stored on AWS and their security page says that it is secured by every protocol ever claimed by AWS (apparently). As a sysadmin and developer who has used AWS extensively for non-secure information my alarm bells are sounding.
Should he ignore those alarm bells and approve the storage of his daughter's medical history in the cloud? And if not, what specific reason would you give for refusing?
Oracle

Those 100,000 Lost Air Force Files Have Been Found Again (govexec.com) 36

The Air Force now says it will be able to recover those 100,000 investigation files dating back to 2004, after "aggressively leveraging all vendor and department capabilities." An anonymous reader quotes a report from Government Executive about the mysteriously corrupted database: In a short, four-sentence statement released midday on Wednesday, service officials said the Air Force continues to investigate the embarrassing incident in which the files and their backups were corrupted. "Through extensive data recovery efforts over the weekend and this week, the Air Force has been able to regain access to the data in the Air Force Inspector General Automated Case Tracking System..." the statement reads. Earlier on Wednesday, the Air Force chief of staff said that the effort to recover the files involved Lockheed Martin and Oracle, the two defense contractors that run the database, plus Air Force cyber and defense cyber crime personnel.
The Chief of Staff hopes "there won't be a long-term impact, other than making sure we understand exactly what happened, how it happened and how we keep it from ever happening again." The Air Force is conducting an independent review, while Lockheed Martin is now also performing a separate internal review.
Databases

FBI Can Access Hundreds of Millions of Face Recognition Photos (eff.org) 97

An anonymous reader writes from a report via EFF: The federal Government Accountability Office published a report on the FBI's face recognition capabilities that says the FBI has access to hundreds of millions of photos. According to the GAO report, the FBI's Facial Analysis, Comparison, and Evaluation (FACE) Services unit not only has access to the FBI's Next Generation Identification (NGI) face recognition database of nearly 30 million civil and criminal mug shot photos, but it also has access to the State Department's Visa and Passport databases, the Defense Department's biometric database, and the driver's license databases of at least 16 states. This totals 411.9 million images, most of which are Americans and foreigners who have committed no crimes. In May, it was reported that the FBI is keeping information contained in the NGI database private and unavailable. It argues in a proposal that the database should be exempt from the Privacy Act.
Security

DNC Hacker Releases Trump Opposition File (gawker.com) 420

An anonymous reader writes: Following the report that Russian hackers penetrated the DNC's database and stole research on Donald Trump, a 200+ page Democratic anti-Trump playbook compiled by the DNC has leaked online. In the book, Trump is called a "bad businessman" and "misogynist in chief." The document was created on December 19th, 2015, and was sent to Gawker by a hacker calling himself "Guccifer 2.0." (Guccifer is a popular Romanian hacker who hacked various American political figures, most notably Hillary Clinton and her private server.) The hacker said in an email to Gawker that the package contains a variety of donor registries and other strategy files, "just a few docs from many thousands I extracted when hacking into DNC's network," adding that he's in possession of "about 100GB of data including financial reports, donors' lists, election programs, action plans against Republicans, personal mails, etc." His motive is to be "a fighter against all those illuminati that captured our world." The "Donald Trump Report," as it's called, appears to be a summary of the Democratic Party's strategy for delegitimizing and undermining Trump's presidential aspirations. There's a section titled "Top Narratives" that describes a seven-pronged attack on Trump's character and record. The hack was first revealed Tuesday by the cybersecurity firm CrowdStrike, linking the hack to Russian intelligence. Wikileaks founder Julian Assange says later this year it will publish enough new information about Hillary Clinton to indict her.
Encryption

Hacker Steals 45 Million Accounts From Hundreds of Car, Tech, Sports Forums (zdnet.com) 47

An anonymous reader quotes a report from ZDNet: A hacker has stolen tens of millions of accounts from over a thousand popular forums, which host popular car, tech, and sports communities. The stolen database contains close to 45 million records from 1,100 websites and forums hosted by VerticalScope, a Toronto-based media company with dozens of major properties, including forums and sites run by AutoGuide.com, PetGuide.com, and TopHosts.com. "We are aware of the possible issue and our internal security team has been investigating and will be collecting information to provide to the appropriate law enforcement agencies," said Jerry Orban, vice-president of corporate development, in an email. In a sample given to ZDNet, the database shows email addresses, passwords that were hashed and salted with MD5 (an algorithm that nowadays is easy to crack), as well as a user's IP address (which in some cases can determine location), and the site that the record was taken from. LeakedSource, which confirmed the findings, said in its blog post that it was "likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale." A LeakedSource group member said it was "not related" to the recent hacks against MySpace, LinkedIn, and Tumblr. The report goes on to say: "A cursory search of the list of domains caught up in the hack revealed that none of the sites [ZDNet] checked offered basic HTTPS website encryption, which would prevent usernames and passwords from being intercepted."
Democrats

Russian Government Hackers Penetrated DNC, Stole Opposition Research On Donald Trump (washingtonpost.com) 160

Russian government hackers penetrated the Democratic National Committee's database and stole research on Donald Trump (could be paywalled; alternate source), according to a report in The Washington Post. DNC officials and security experts say the hackers were able to read all e-mail and chats in the DNC system. Some of the hackers had been in the DNC system for a year, the report adds. They were expelled from the computer system this past weekend. Russian spies also targeted the computers of Donald Trump, Hillary Clinton and several GOP political action committees. From the report: The intrusions are an example of Russia's interest in the U.S. political system and its desire to understand the policies, strengths and weaknesses of a potential future president -- much as American spies gather similar information on foreign candidates and leaders. The depth of the penetration reflects the skill and determination of the United States' top cyber adversary as Russia goes after strategic targets, from the White House and State Department to political campaign organizations.
Medicine

Repurposing Drugs To Tackle Cancer (theguardian.com) 51

sackvillian writes: Many Slashdotters are aware of the infamous thalidomide birth defect crisis. What might come as a surprise is the incredible success that thalidomide and some analogs have recently found as treatments for cancer, ulcers, lupus, and more. In fact, thanks in part to their success, there's a growing research movement that's attempting to treat cancer with other existing drugs that are commonly used for totally unrelated conditions. Drugs as common as aspirin, which is in the early stages of a clinical trial that will involve over 10,000 cancer patients, are being used. As described in the article written by The Guardian, at least one major international collaboration has taken this approach: The Repurposing Drugs in Oncology (ReDO) project. However, as most of the drugs are long since off-patent, researchers are having to be creative in obtaining funding for their work. Last week, Vice President Joe Biden unveiled a public database for clinical data on cancer that aims to help researchers and doctors better tailor new treatments to individuals.
Music

Hacker Puts 51 Million iMesh Accounts For Sale On Dark Web (zdnet.com) 21

An anonymous reader shares a ZDNet report: User accounts for iMesh, a now-defunct file sharing service, are for sale on the dark web. The New York-based music and video sharing company was a peer-to-peer service, which rose to fame in the file sharing era of the early-2000s, riding the waves of the aftermath of the "dotcom" boom. LeakedSource, a breach notification site that allows users to see if their details have been leaked, has obtained the database. The group's analysis of the database shows it contains a little over 51 million accounts. The database, of which a portion was shared with ZDNet for verification, contains user information that dates back to late-2005 when the site launched, including email addresses, passwords (which were hashed and salted with MD5, an algorithm that nowadays is easy to crack), usernames, a user's location and IP address, registration date, and other information -- such as if the account is disabled, or if the account has inbox messages.
The Military

Air Force Has Lost 100,000 Inspector General Records (thehill.com) 116

schwit1 shares an article from The Hill: The Air Force announced on Friday that it has lost thousands of records belonging to the service's inspector general due to a database crash. "We estimate we've lost information for 100,000 cases dating back to 2004," Air Force spokeswoman Ann Stefanek told The Hill in an email. "The database crashed and there is no data..." The database, called the Automated Case Tracking System (ACTS), holds all records related to IG complaints, investigations, appeals and Freedom of Information Act requests.... "We also use ACTS to track congressional/constituent inquiries."
The Air Force said they were "aggressively" trying to recover the data, adding that they had no evidence of malicious intent.
Databases

DEA Wants Access To Medical Records Without Warrant (thedailybeast.com) 176

mi writes from a report via The Daily Beast: Unlike in cases of commercially-held data, where the Third Party doctrine allows police warrantless access, prescription drug monitoring databases are maintained by state governments. The difference is lost on the Obama Administration, which argues that "since the records have already been submitted to a third party (a state's Prescription Drug Monitoring Program) that patients no longer enjoy an expectation of privacy." The DEA has claimed for years that under federal law it has the authority to access the states' prescription drug databases using only an "administrative subpoena." These are unilaterally issued orders that do not require a showing of probable cause before a court, like what's required to obtain a warrant. Some states, like Oregon, fight it; some, like Wisconsin, do not. "The federal government is eager to see all these databases linked," reports The Daily Beast. "The Department of Justice has developed a software platform to facilitate sharing among all state PDMPs. So far 32 states already share their PDMP data through a National Association of Boards of Pharmacy program. The Comprehensive Addiction and Recovery Act (CARA), which passed Congress in March, calls for expanding sharing of PDMP data."
Security

Facebook Developers Can See Private Links Shared Through Messenger (theverge.com) 22

Earlier this week, security researchers at Checkpoint reported vulnerabilities in Facebook Chat and Messenger that, if exploited, could allow anyone to essentially take control of any message sent by Chat or Messenger. Now a developer named Inti De Ceukelaire is pointing out another flaw in how Facebook deals with URLs. The Verge reports: Through the right API call, De Ceukelaire was able to summon links shared by specific users in private messages. The links were collected by the Facebook crawler, where De Ceukelaire discovered they were easily accessible to anyone running a Facebook app. Those links could be anything from a popular news story to directions to an abortion clinic. As long as they're shared in private messages, they're logged in Facebook's database, and accessible to API calls. It would be hard to exploit that bug at scale for a few different reasons. De Ceukelaire was only able to make the API call because he's registered as a Facebook developer, and if he started pulling those links en masse, Facebook would quickly catch on and pull his credentials. Still, the bug points to a number of lingering problems with the conflicting way web services treat URLs, and how those conflicts can put private information into public view.
Businesses

Tesla Suspension Breakage: It's Not The Crime, It's The Coverup (dailykanban.com) 271

schwit1 quotes a report from Daily Kanban: For several months now, reports have circulated in comment sections and forum threads about a possible defect in Tesla's vehicles that may cause suspension control arms to break. Many of those reports appeared to come from a single, highly-motivated and potentially unreliable source, a fact which led many to dismiss them as crankery. But as more reports of suspension failure in Teslas have come in, Daily Kanban has investigated the matter and can now report on this deeply troubling issue. Our investigation began in earnest upon reading a thread titled "Suspension Problem on Model S" in the Tesla Motors Club forum. The original poster (OP) in that thread described the suspension in his 2013 Model S (with 70,000 miles) failing at relatively low speed, saying the "left front hub assembly separated from the upper control arm." Images of the broken suspension components showed high levels of rust in the steel ball joint and the OP reported being told by Tesla service center employees that the "ball joint bolt was loose and caused the wear," which was "not normal." Because his Tesla was out of warranty, the repair was reportedly sent to Tesla management for consideration. According to a subsequent post by the OP, Tesla management refused to repair the broken suspension under warranty despite the "not normal" levels of wear reported by the service techs. Then, just days later, the OP reported that Tesla had offered to pay 50% of the $3,100 repair bill in exchange for his signature on a "Goodwill Agreement" which he subsequently posted here (a scan of the stock agreement can be found here). That agreement included the following passage:

"The Goodwill is being provided to you without any admission of liability or wrongdoing or acceptance of any facts by Tesla, and shall not be treated as or considered evidence of Tesla's liability with respect to any claim or incidents. You agree to keep confidential our provision of the Goodwill, the terms of this agreement and the incidents or claims leading or related to our provision of the Goodwill. In accepting the Goodwill, you hereby release and discharge Tesla and related persons or entities from any and all claims or damages arising out of or in any way connected with any claims or incidents leading or related to our provision of the Goodwill. You further agree that you will not commence, participate or voluntarily aid in any action at law or in equity or any legal proceeding against Tesla or related persons or entities based upon facts related to the claims or incidents leading to or related to this Goodwill." [Emphasis added]

This offer, to repair a defective part in exchange for a non-disclosure agreement, is unheard of in the auto industry. More troublingly, it represents a potential assault by Tesla Motors on the right of vehicle owners to report defects to the National Highway Traffic Safety Administration's complaint database, the auto safety regulator's sole means of discovering defects independent of the automakers they regulate.
Reuters also reports today that U.S. auto safety investigators are reviewing reports of suspension problems in Tesla Motors Inc's Model S cars.
Bitcoin

Russian Hacker Selling Information of 32 Million Twitter Accounts, Report Says (zdnet.com) 54

An anonymous reader writes: The hacker who has links to the recent Myspace, LinkedIn, and Tumblr data breaches is claiming to have obtained a database of millions of Twitter accounts. The data reportedly includes addresses, usernames, and plain-text passwords of 379 million Twitter accounts. The hacker, Tessa88, wants 10 bitcoins, or about $5,820, for the cache. On Wednesday, LeakedSource claimed that the real number of accounts was just under 33 million, which is more than 10 percent of Twitter's monthly active accounts. This follows the hacking of Mark Zuckerberg's Twitter and Pinterest accounts.