Businesses

A Lithuanian Phisher Tricked Two Big US Tech Companies Into Wiring Him $100 Million (theverge.com) 118

According to a recent indictment from the U.S. Department of Justice, a 48-year-old Lithuanian scammer named Evaldas Rimasauskas managed to trick two American technology companies into wiring him $100 million. He was able to perform this feat "by masquerading as a prominent Asian hardware manufacturer," reports The Verge, citing court documents, "and tricking employees into depositing tens of millions of dollars into bank accounts in Latvia, Cyprus, and numerous other countries." From the report: What makes this remarkable is not Rimasauskas' particular phishing scam, which sounds rather standard in the grand scheme of wire fraud and cybersecurity exploits. Rather, it's the amount of money he managed to score and the industry from which he stole it. The indictment specifically describes the companies in vague terms. The first company is "multinational technology company, specializing in internet-related services and products, with headquarters in the United States," the documents read. The second company is a "multinational corporation providing online social media and networking services." Both apparently worked with the same "Asia-based manufacturer of computer hardware," a supplier that the documents indicate was founded some time in the late '80s. What's more important is that representatives at both companies with the power to wire vast sums of money were still tricked by fraudulent email accounts. Rimasauskas even went so far as to create fake contracts on forged company letterhead, fake bank invoices, and various other official-looking documents to convince employees of the two companies to send him money. Rimasauskas has been charged with one count of wire fraud, three counts of money laundering, and aggravated identity theft. In other words, he faces serious prison time if convicted -- each charge of wire fraud and laundering carries a max sentence of 20 years. The court documents don't reveal the names of the two companies.
Though, one could surely think of a few candidates that would fit the descriptions provided in the court documents.
Privacy

Hackers Claim Access To 300 Million iCloud Accounts, Demand $75,000 From Apple To Delete the Cache of Data (vice.com) 115

A hacker or group of hackers calling themselves the "Turkish Crime Family" claim they have access to at least 300 million iCloud accounts, and will delete the alleged cache of data if Apple pays a ransom by early next month. Motherboard is reporting that the hackers are demanding "$75,000 in Bitcoin or Ethereum, another increasingly popular crypto-currency, or $100,000 worth of iTunes gift cards in exchange for deleting the alleged cache of data." From the report: The hackers provided screenshots of alleged emails between the group and members of Apple's security team. One also gave Motherboard access to an email account allegedly used to communicate with Apple. "Are you willing to share a sample of the data set?" an unnamed member of Apple's security team wrote to the hackers a week ago, according to one of the emails stored in the account. (According to the email headers, the return-path of the email is to an address with the @apple.com domain). The hackers also uploaded a YouTube video of them allegedly logging into some of the stolen accounts. The hacker appears to access an elderly woman's iCloud account, which includes backed-up photos, and the ability to remotely wipe the device. Now, the hackers are threatening to reset a number of the iCloud accounts and remotely wipe victims' Apple devices on April 7, unless Apple pays the requested amount. According to one of the emails in the accessed account, the hackers claim to have access to over 300 million Apple email accounts, including those using @icloud and @me domains. However, the hackers appear to be inconsistent in their story; one of the hackers then claimed they had 559 million accounts in all. The hackers did not provide Motherboard with any of the supposedly stolen iCloud accounts to verify this claim, except those shown in the video.
Communications

Could We Eliminate Spam With DMARC? (zdnet.com) 124

An anonymous reader writes: "The spam problem would not only be significantly reduced, it'd probably almost go away," argues Paul Edmunds, the head of technology from the cybercrimes division of the U.K.'s National Crime Agency -- suggesting that more businesses should be using DMARC, an email validation system that uses both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). "Edmunds argued, if DMARC was rolled out everywhere in order to verify if messages come from legitimate domains, it would be a major blow to spam distributors and take a big step towards protecting organizations from this type of crime..." reports ZDNet. "However, according to a recent survey by the Global Cyber Alliance, DMARC isn't widely used and only 15% of cybersecurity vendors themselves are using DMARC to prevent email spoofing."
Earlier this month America's FTC also reported that 86% of major online businesses used SPF to help ISPs authenticate their emails -- but fewer than 10% have implemented DMARC.
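As an added illustration, not part of the ZDNet report or any project's code, the Python below shows what a receiving mail server does with a domain's DMARC record: it parses the published policy, checks whether the SPF and DKIM results are aligned with the visible From domain, and returns the disposition (none, quarantine or reject). The DMARC record, the example.com/example.net domains and the Authentication-Results headers are all constructed; the organizational-domain logic is simplified and does not consult the Public Suffix List.

```python
"""Minimal DMARC evaluator: parse the policy record, test SPF/DKIM
identifier alignment against the RFC 5322 From domain, and decide the
disposition a receiver would apply. All sample data is constructed."""
import re

# Constructed DMARC record for the hypothetical domain example.com:
# reject unaligned mail, strict DKIM alignment, relaxed SPF alignment.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict and apply RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. A real
    receiver uses the Public Suffix List so that e.g. co.uk is handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') only needs the
    same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_auth_results(header):
    """Pull SPF/DKIM verdicts and their identifiers out of an
    Authentication-Results header (RFC 8601) written by the receiving MTA."""
    spf = re.search(r"\bspf=(\w+)", header)
    dkim = re.search(r"\bdkim=(\w+)", header)
    mailfrom = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", header)
    dkim_d = re.search(r"header\.d=([^\s;]+)", header)
    return {
        "spf": spf.group(1) if spf else "none",
        "spf_domain": mailfrom.group(1) if mailfrom else None,
        "dkim": dkim.group(1) if dkim else "none",
        "dkim_domain": dkim_d.group(1) if dkim_d else None,
    }


def evaluate_dmarc(record, from_domain, auth_results_header):
    """Return (dmarc_result, disposition) for one message. Assumes the
    record was published at the organizational domain of from_domain."""
    policy = parse_dmarc(record)
    ar = parse_auth_results(auth_results_header)
    spf_aligned = (ar["spf"] == "pass" and ar["spf_domain"] is not None
                   and aligned(from_domain, ar["spf_domain"], policy["aspf"]))
    dkim_aligned = (ar["dkim"] == "pass" and ar["dkim_domain"] is not None
                    and aligned(from_domain, ar["dkim_domain"], policy["adkim"]))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    is_org = from_domain.lower() == org_domain(from_domain)
    return "fail", policy["p"] if is_org else policy["sp"]


# Constructed messages as a receiver sees them after its own SPF/DKIM checks.
SAMPLES = {
    # Legitimate: envelope sender bounce.example.com aligns under relaxed aspf.
    "legit": ("example.com", "mx.receiver.test; spf=pass smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com"),
    # Spoof: the sender's own domain passes SPF and DKIM but is not aligned with From.
    "spoof": ("example.com", "mx.receiver.test; spf=pass smtp.mailfrom=bulk.example.net; dkim=pass header.d=bulk.example.net"),
    # Forwarded mail: SPF breaks at the forwarder, the DKIM signature survives.
    "forwarded": ("example.com", "mx.receiver.test; spf=fail smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com"),
    # Subdomain signer: strict adkim=s refuses d=mail.example.com for From example.com.
    "subdomain_dkim": ("example.com", "mx.receiver.test; spf=none; dkim=pass header.d=mail.example.com"),
}


def run_samples(record=DMARC_RECORD):
    return {name: evaluate_dmarc(record, frm, ar) for name, (frm, ar) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (result, disposition) in run_samples().items():
        print(f"{name:15s} dmarc={result:4s} disposition={disposition}")
```

The "subdomain_dkim" case is why many domains start with adkim=r and a p=none monitoring policy before tightening: strict alignment rejects legitimate subdomain signers until every sending system is inventoried.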
Google

Judge Rejects Google Deal Over Email Scanning (fortune.com) 48

A federal judge in San Francisco slammed a legal settlement that proposed to pay $2.2 million to lawyers, but nothing to consumers who had the contents of their email scanned by Google without their knowledge or permission. From a report: In a 6-page order, Judge Lucy Koh told Google and class action attorneys the proposed settlement was insufficient, in part because it failed to clearly tell consumers what the search giant had done. "This notice is difficult to understand and does not clearly disclose the fact that Google intercepts, scans and analyzes the content of emails sent by non-Gmail users to Gmail users for the purpose of creating user profiles of the Gmail users to create targeted advertising for the Gmail users," Koh wrote.
Security

Millions of Records Leaked From Huge US Corporate Database (zdnet.com) 66

Millions of records from a commercial corporate database have been leaked. ZDNet reports: The database, about 52 gigabytes in size, contains just under 33.7 million unique email addresses and other contact information from employees of thousands of companies, representing a large portion of the US corporate population. Dun & Bradstreet, a business services giant, confirmed that it owns the database, which it acquired as part of a 2015 deal to buy NetProspex for $125 million. The purchased database contains dozens of fields, some including personal information such as names, job titles and functions, work email addresses, and phone numbers. Other information includes more generic corporate and publicly sourced data, such as believed office location, the number of employees in the business unit, and other descriptions of the kind of industry the company falls into, such as advertising, legal, media and broadcasting, and telecoms.
Government

Justice Department Charging Russian Spies and Criminal Hackers in Yahoo Intrusion (washingtonpost.com) 57

The Justice Department is set to announce Wednesday, reports the Washington Post, the indictments of two Russian spies and two criminal hackers in connection with the heist of 500 million Yahoo user accounts in 2014, marking the first U.S. criminal cyber charges ever against Russian government officials (Editor's note: the link could be paywalled; alternate source). From the report: The indictments target two members of the Russian intelligence agency FSB, and two hackers hired by the Russians. The charges include hacking, wire fraud, trade secret theft and economic espionage, according to officials, who spoke on the condition of anonymity because the charges have not yet been announced. The indictments are part of the largest hacking case brought by the United States.
The Courts

Hacking Victim Can't Sue Foreign Government For Hacking Him On US Soil, Says Court (vice.com) 102

According to Motherboard, a court of appeals in Washington D.C. ruled that an American citizen can't sue the Ethiopian government for hacking into his computer and monitoring him with spyware. "The decision on Tuesday is a blow to anti-surveillance and digital rights activists who were hoping to establish an important precedent in a widely documented case of illegitimate government-sponsored hacking." From the report: In late 2012, the Ethiopian government allegedly hacked the victim, an Ethiopian-born man who goes by the pseudonym Kidane for fear of government reprisals. Ethiopian government spies from the Information Network Security Agency (INSA) allegedly used software known as FinSpy to break into Kidane's computer, and secretly record his Skype conversations and steal his emails. FinSpy was made by the infamous FinFisher, a company that has sold malware to several governments around the world, according to researchers at Citizen Lab, a digital watchdog group at the University of Toronto's Munk School of Global Affairs, who studied the malware that infected Kidane's computer. The U.S. Court of Appeals for the District of Columbia Circuit ruled that Kidane didn't have jurisdiction to sue the Ethiopian government in the United States. Kidane and his lawyers invoked an exception to the Foreign Sovereign Immunities Act (FSIA), which says foreign governments can be sued in the U.S. as long as the entire tort on which the lawsuit is based occurred on American soil. According to the court, however, the hacking in this case didn't occur entirely in the U.S. "Ethiopia's placement of the FinSpy virus on Kidane's computer, although completed in the United States when Kidane opened the infected email attachment, began outside the United States," the decision read.
"[It] gives foreign governments carte blanche to do whatever they want to Americans in America so long as they do it by remote control," Nate Cardozo, a staff attorney at the Electronic Frontier Foundation, a digital rights group who represented Kidane in this first-of-its-kind lawsuit, told Motherboard.
Google

You Can Now Send, Request Money In Gmail On Android (techcrunch.com) 38

While Google Wallet has been integrated into Gmail on the web since 2013, it has yet to be available for mobile users. Today, Google is officially rolling out the new integration so that users of the Gmail app on Android will be able to send or request money with anyone -- even those who don't have a Gmail email address. TechCrunch reports: The user experience has been designed to make exchanging money as easy as attaching a file, Google explains in its announcement. To access the new feature, you tap the attachment icon (the paperclip), then choose either send or request money, depending on your needs. A pop-up window appears where you can input the amount and add a note, and send. The entire process takes place in the Gmail app -- you don't have to have Google Wallet installed. In addition, recipients can configure it so the money they receive through Gmail goes directly into their bank account. There are no fees involved, notes Google. The goal, seemingly, is to take on quick payment apps like PayPal, Venmo or Square Cash, by offering a feature to move money right within Gmail's app. This could be useful for those times where the money is already a topic of an email conversation -- like when you're planning a trip with friends, or getting the family to go in together on a gift for your parents, for example.
Communications

Secretary of State Rex Tillerson Allegedly Used Email Alias As Exxon CEO (arstechnica.com) 171

According to New York Attorney General Eric Schneiderman, Rex Tillerson used an email alias of "Wayne Tracker" to communicate with other Exxon executives about climate change while serving as CEO of Exxon Mobil. "New York Attorney General Eric Schneiderman has been leading an investigation of Exxon Mobil centered on whether the company misled investors by publicly arguing against the reality of climate change even though its executives knew the science was accurate," reports Ars Technica. "The investigation was triggered by news reports describing climate research the company undertook in the 1970s and 1980s, which affirmed the work of other climate scientists and showed that greenhouse gas emissions were causing climate change. Exxon buried that work and spent the next couple decades claiming that the science was unclear, although it has recently publicly acknowledged reality." From the report: The e-mails that were provided allowed the attorney general to figure out that Tillerson used the account between 2008 and 2015 at least, but it didn't appear on Exxon's list of accounts for which records were preserved. The letter also mentions 34 other e-mail accounts "specifically assigned to top executives, board members, or assistants" that the attorney general thinks should have been included. In a statement, an Exxon spokesperson explained, "The e-mail address, Wayne.Tracker@exxonmobil.com, is part of the company's e-mail system and was put in place for secure and expedited communications between select senior company officials and the former chairman for a broad range of business-related topics." The Office of the Attorney General's letter claims that "Exxon has continuously delayed and obstructed the production of documents from its top executives and board members, which are crucial to OAG's investigation into Exxon's touted risk-management practices regarding climate change."
Privacy

Vibrator Maker To Pay Millions Over Claims It Secretly Tracked Use (npr.org) 113

An anonymous reader quotes a report from NPR: The makers of the We-Vibe, a line of vibrators that can be paired with an app for remote-controlled use, have reached a $3.75 million class action settlement with users following allegations that the company was collecting data on when and how the sex toy was used. The We-Vibe product line includes a number of Bluetooth-enabled vibrators that, when linked to the "We-Connect" app, can be controlled from a smartphone. It allows a user to vary rhythms, patterns and settings -- or give a partner, in the room or anywhere in the world, control of the device. Since the app was released in 2014, some observers have raised concerns that Internet-connected sex toys could be vulnerable to hacking. But the lawsuit doesn't involve any outside meddling -- instead, it centers on concerns that the company itself was tracking users' sex lives. The lawsuit was filed in federal court in Illinois in September. It alleges that -- without customers' knowledge -- the app was designed to collect information about how often, and with what settings, the vibrator was used. The lawyers for the anonymous plaintiffs contended that the app, "incredibly," collected users' email addresses, allowing the company "to link the usage information to specific customer accounts." Customers' email addresses and usage data were transmitted to the company's Canadian servers, the lawsuit alleges. When a We-Vibe was remotely linked to a partner, the connection was described as "secure," but some information was also routed through We-Connect and collected, the lawsuit says.
Government

Apple, Amazon, and Microsoft Are Helping Google Fight an Order To Hand Over Foreign Emails (businessinsider.com) 67

Apple, Microsoft, Amazon, and Cisco have filed an amicus brief in support of Google, after a Pennsylvania court ruled that the company had to hand over emails stored overseas in response to an FBI warrant. From a report: An amicus brief is filed by people or companies who have an interest in the case, but aren't directly involved. In this case, it's in Silicon Valley's interest to keep US law enforcement from accessing customer data stored outside the US. It isn't clear what data Google might have to hand over and, last month, the company said it would fight the order. In the brief, the companies argue: "When a warrant seeks email content from a foreign data center, that invasion of privacy occurs outside the United States -- in the place where the customers' private communications are stored, and where they are accessed, and copied for the benefit of law enforcement, without the customer's consent."
Firefox

Will WebAssembly Replace JavaScript? (medium.com) 235

On Tuesday Firefox 52 became the first browser to support WebAssembly, a new standard "to enable near-native performance for web applications" without a plug-in by pre-compiling code into low-level, machine-ready instructions. Mozilla engineer Lin Clark sees this as an inflection point where the speed of browser-based applications increases dramatically. An anonymous reader quotes David Bryant, the head of platform engineering at Mozilla. This new standard will enable amazing video games and high-performance web apps for things like computer-aided design, video and image editing, and scientific visualization... Over time, many existing productivity apps (e.g. email, social networks, word processing) and JavaScript frameworks will likely use WebAssembly to significantly reduce load times while simultaneously improving performance while running... developers can integrate WebAssembly libraries for CPU-intensive calculations (e.g. compression, face detection, physics) into existing web apps that use JavaScript for less intensive work... In some ways, WebAssembly changes what it means to be a web developer, as well as the fundamental abilities of the web.
Mozilla celebrated with a demo video of the high-resolution graphics of Zen Garden, and while right now WebAssembly supports compilation from C and C++ (plus some preliminary support for Rust), "We expect that, as WebAssembly continues to evolve, you'll also be able to use it with programming languages often used for mobile apps, like Java, Swift, and C#."
Google

Google Launches Official Gmail Add-On Program (pcworld.com) 32

Google is making it possible for developers to bring their services into Gmail using new integrations called Add-ons. From a report on PCWorld: It's built so that developers can write one set of code in Google's Apps Script language and have their integration run in Gmail on the web, as well as inside Google's Android and iOS apps for the service. For example, a QuickBooks add-on would let users easily send invoices to people who they're emailing. Google already offers Add-ons for its Docs word processing and Sheets spreadsheet software. This sort of system could be useful for users because it helps them get work done without leaving Gmail. It also helps draw users into Google's official email app, rather than using one of the many other clients that can access the service, including Microsoft Outlook.
Google

Google Hangouts' New Features Make Work Meetings Slightly Less Annoying (cnet.com) 65

Google is rolling out two new features in its communication and messaging app, Hangouts. From a report: (Unfortunately, neither tool helps decrease the utterance of phrases like "How will this scale?" and "Run it up the flagpole.") The first is a video conferencing feature called Hangouts Meet. Meet allows people to hop on meetings via a web link through their laptops or mobile app. This link can be shared in an email or directly through a Google Calendar invite. Colleagues who are traveling without Internet can use a dedicated dial-in phone number. The second feature is Hangouts Chat, which lets coworkers message each other in dedicated chat rooms.
Government

How Wiretaps Actually Work (washingtonpost.com) 519

David Kris, assistant attorney general for national security from 2009 to 2011, has responded to the recent accusations made by President Donald Trump. On Saturday, Trump accused former President Obama of orchestrating a "Nixon/Watergate" plot to tap the phones at his Trump Tower headquarters in the run-up to last fall's election. He writes in an opinion piece for The Washington Post: First, the U.S. government needs probable cause, signatures from government officials and advance approval from a federal court before engaging in wiretapping in the United States. There are some narrow exceptions, for things such as short-term emergencies, which are then reviewed by a judge promptly after the fact. This is not something that the president simply orders. Under the law governing foreign intelligence wiretaps, the government has to show probable cause that a "facility" is being used or about to be used by a "foreign power" -- e.g., a foreign government or an international terrorist group -- or by an "agent of a foreign power." A facility is something like a telephone number or an email address. Second, there is no requirement that the facility being wiretapped be owned, leased or listed in the name of the person who is committing the offense or is the agent of a foreign power. [...] Third, government officials, including the president, don't normally speak publicly about wiretaps. Indeed, it is in some cases a federal crime to disclose a wiretap without authorization, including not only the information obtained from the wiretap, but also the mere existence of a wiretap with an intent to obstruct it. With respect to intelligence wiretaps, there is an additional issue: They are always classified, and disclosure of classified information is also generally a crime. The president enjoys authority over classified information, of course, but at a minimum it would be highly irregular to disclose an intelligence wiretap via Twitter.
Businesses

Big Tech Lobbying Is On the Verge of Killing Right To Repair Legislation In Minnesota (vice.com) 136

Jason Koebler, writing for Motherboard: Statehouse employees in Minnesota say that lobbying efforts by big tech companies and John Deere are on the verge of killing right to repair legislation in the state that would have made it easier for consumers and small businesses to fix their electronics. According to two of the bill's sponsors, the bill, which would have introduced "fair repair" requirements for manufacturers in the state, will not get a hearing that's necessary to move the legislation forward. Minnesota Senate rules automatically kill any bills that do not have a hearing scheduled by a certain date (this year, it's March 10). Last year, tech industry lobbying killed a similar bill in New York. "Unfortunately, it's not going to make deadline this session," Republican Sen. David Osmek, one of the sponsors, told me in an email. Osmek would not give additional specifics about his colleagues' concerns with the bill, but a legislative assistant for the bill's other sponsor told me that electronic manufacturer lobbying is likely to blame, while another source close to the legislature told me that tractor manufacturer John Deere -- a longtime enemy of fair repair -- helped kill the bill as well.
Security

Payments Giant Verifone Investigating Breach (krebsonsecurity.com) 8

Verifone is investigating a breach of its internal networks that appears to have impacted a number of companies running its point-of-sale card terminals, security reporter Brian Krebs reports. From the report: Verifone says the extent of the breach was limited to its corporate network and that its payment services network was not impacted. San Jose, Calif.-based Verifone is the largest maker of credit card terminals used in the United States. It sells point-of-sale terminals and services to support the swiping and processing of credit and debit card payments at a variety of businesses, including retailers, taxis, and fuel stations. On Jan. 23, 2017, Verifone sent an "urgent" email to all company staff and contractors, warning they had 24 hours to change all company passwords.
Microsoft

Microsoft Says It Is Working On Fix After Users Report Skype, Outlook, Xbox Live Outages (foxnews.com) 23

An anonymous reader shares a report: A huge outage hit Microsoft services Tuesday morning, with users across the globe experiencing problems accessing Outlook, Xbox and Skype. Users were unable to log onto the Outlook email client via mobile devices and received an error message when trying to access the desktop version of the service. Users also reportedly experienced problems with Microsoft's Xbox and Skype services. Microsoft acknowledged the Xbox issues in a statement posted to its Xbox Live status page. "Another issue has been identified that is causing problems for some members signing in to Xbox Live. The team is working to resolve the issue as quickly as possible. Thanks for your patience," it said.
Security

Huge Database Leak Reveals 1.37 Billion Email Addresses and Exposes Illegal Spam Operation (betanews.com) 141

One of the largest spam operations in the world has exposed its entire operation to the public, leaking its database of 1.37bn email addresses thanks to a faulty backup. From a report: A faulty backup has inadvertently exposed the entire working database of notorious spam operator River City Media (RCM). In all, the database contains more than 1.37 billion email addresses, and for some records there are additional details such as names, real-world addresses, and IP addresses. It's a situation that's described as "a tangible threat to online privacy and security." Details about the leak come courtesy of Chris Vickery from macOS security firm MacKeeper who -- with a team of helpers -- has been investigating since January. River City Media's database ended up online thanks to incorrectly-configured Rsync backups. In the words of Vickery: "Chances are you, or at least someone you know, is affected." The leaked, and unprotected, database is what's behind the sending of over a billion spam emails every day -- helped, as Vickery points out, by "a lot of automation, years of research, and a fair bit of illegal hacking techniques." But it's more than a database that has leaked -- it's River City Media's entire operation.
Google

Google's Featured Snippets Are Worse Than Fake News (theoutline.com) 183

Adrianne Jeffries, reporting for The Outline: Peter Shulman, an associate history professor at Case Western Reserve University in Ohio, was lecturing on the reemergence of the Ku Klux Klan in the 1920s when a student asked an odd question: Was President Warren Harding a member of the KKK? Shulman was taken aback. He confessed that he was not aware of that allegation, but that Harding had been in favor of anti-lynching legislation, so it seemed unlikely. But then a second student pulled out his phone and announced that yes, Harding had been a Klan member, and so had four other presidents. It was right there on Google, clearly emphasized inside a box at the top of the page. "I understand what Google is trying to do, and it's work that perhaps requires algorithmic aid," Shulman said in an email. "But in this instance, the question its algorithm scoured the internet to answer is simply a poorly conceived one. There have been no presidents in the Klan." Google needs to invest in human experts who can judge what type of queries should produce a direct answer like this, Shulman said. "Or, at least in this case, not send an algorithm in search of an answer that isn't simply 'There is no evidence any American president has been a member of the Klan.' It'd be great if instead of highlighting a bogus answer, it provided links to accessible, peer-reviewed scholarship."