Spam

Spam Is Back (theoutline.com) 140

Jon Christian, writing for The Outline: For a while, spam -- unsolicited bulk messages sent for commercial or fraudulent purposes -- seemed to be fading away. The 2003 CAN-SPAM Act mandated unsubscribe links in email marketing campaigns and criminalized attempts to hide the sender's identity, while sophisticated filters on what were then cutting-edge email providers like Gmail buried unwanted messages in out-of-sight spam folders. In 2004, Microsoft co-founder Bill Gates told a crowd at the World Economic Forum that "two years from now, spam will be solved." In 2011, cybersecurity reporter Brian Krebs noted that increasingly tech-savvy law enforcement efforts were shutting down major spam operators -- including SpamIt.com, alleged to be a major hub in a Russian digital criminal organization that was responsible for an estimated fifth of the world's spam. These efforts meant that the proportion of all emails that are spam has slowly fallen to a low of about 50 percent in recent years, according to Symantec research.

But it's 2017, and spam has clawed itself back from the grave. It shows up on social media and dating sites as bots hoping to lure you into downloading malware or clicking an affiliate link. It creeps onto your phone as text messages and robocalls that ring you five times a day about luxury cruises and fictitious tax bills. Networks associated with the buzzy new cryptocurrency system Ethereum have been plagued with spam. Facebook recently fought a six-month battle against a spam operation that was administering fake accounts in Bangladesh, Indonesia, Saudi Arabia, and other countries. Last year, a Chicago resident sued the Trump campaign for allegedly sending unsolicited text message spam; this past November, ZDNet reported that voters were being inundated with political text messages they never signed up for. Apps can be horrid spam vectors, too. Repeated mass data breaches that include contact information, such as the Yahoo breach in which 3 billion user accounts were exposed, surely haven't helped. Meanwhile, you, me, and everyone we know is being plagued by robocalls.

Security

Forbes '30 Under 30' Conference Website Exposed Attendees' Personal Information (vice.com) 12

An anonymous reader shares a Motherboard report: Every year, Forbes' 30 Under 30 list recognizes people blessed with both youth and exceptional talent in their field -- including celebrities, startup founders, doctors, and artists. These are smart, savvy professionals -- and when some of them include information security pros, they're bound to go poking around for vulnerabilities. That's what Yan Zhu, a privacy engineer who made the 2015 list, was doing when she found a gaping privacy hole in the way Forbes handles recipients' personal information. Once you make the list, Yan told me in a Twitter direct message, Forbes asks you to register for its annual Under 30 Summit conference. "They send you a link for conference registration, but it's not tied to your email address," she said. "So you can literally enter anyone's email address who is also a 30 Under 30 member and it shows you their personal info." That information carries over into all future years, she said.
The Military

North Korean Hackers Are Targeting US Defense Contractors (wpengine.com) 146

chicksdaddy quotes Security Ledger: North Korean hackers have stepped up their attacks on U.S. defense contractors in an apparent effort to gain intelligence on weapon systems and other assets that might be used against the country in an armed conflict with the United States and its allies, The Security Ledger is reporting. Security experts and defense industry personnel interviewed by The Security Ledger say that probes and attacks by hacking groups known to be associated with the government of the Democratic People's Republic of Korea (DPRK) have increased markedly as hostilities between that country and the United States have ratcheted up in the last year. The hacking attempts seem to be aimed at gaining access to intellectual property belonging to the companies, including weapons systems deployed on the Korean peninsula.

"As the situation between the DPRK and the US has become more tense, we've definitely seen an increase in number of probe attempts from cyber actors coming out of the DPRK," an official at an aerospace and defense firm told Security Ledger. The so-called "probes" were targeting the company's administrative network and included spear phishing attacks via email and other channels. The goal was to compromise computers on the corporate network... So far, the attacks have targeted "weakest links" within the firms, such as Human Resources personnel and general inquiry mailboxes, rather than targeting technical staff directly. However, experts who follow the DPRK's fast evolving cyber capabilities say that the country may have more up their sleeve.

CNBC also reports that America's congressional defense committees have authorized a last-minute request for $4 billion in extra spending for "urgent missile defeat and defense enhancements to counter the threat of North Korea."

Other countries newly interested in purchasing missile defense systems include Japan, Sweden, Poland, and Saudi Arabia.
Security

Man Who Sent GIF of Laughing Mouse To Employer After DDoS Attack Is Now Arrested (bleepingcomputer.com) 75

An anonymous reader writes: The FBI has arrested and charged a man for launching DDoS attacks against a wide range of targets, including his former employer, a Minnesota-based PoS repair shop. The man, who bought access to a VPN but didn't use it all the time, was caught after registering email accounts and sending taunting emails to victims, including his former employer. The taunting emails also included a GIF image of a laughing mouse, which eventually tied the man to the DDoS attacks as well. The guy also uploaded the image on Facebook in a post that asked people to join in DDoS attacks on banks as part of Anonymous' Operation Icarus. The suspect also created the fake email accounts using the name of another former colleague, trying to pin suspicions on him. The FBI was not only able to track the man's real IP address, but they also tied him to attacks without a doubt because he used a DDoS-for-hire service that was hacked and its database was shared with the FBI.
Spam

Security Firm Creates Chatbot To Respond To Scam Emails On Your Behalf (theverge.com) 70

An anonymous reader shares a report: Chatbots. They're usually a waste of your time, so why not have them waste someone else's instead? Better yet: why not have them waste an email scammer's time. That's the premise behind Re:scam, an email chatbot operated by New Zealand cybersecurity firm Netsafe. Next time you get a dodgy email in your inbox, says Netsafe, forward it on to me@rescam.org, and a proxy email address will start replying to the scammer for you, doing its very utmost to waste their time.
Cloud

Logitech To Shut Down 'Service and Support' For Harmony Link Devices In 2018 (arstechnica.com) 131

Logitech recently informed customers that it will be discontinuing service for its popular Harmony Link remote system, which allows users to control home theater and sound equipment from a mobile app. "Customers received an email explaining that Logitech will 'discontinue service and support' for the Harmony Link as of March 16, 2018, adding that Harmony Link devices 'will no longer function after this date,'" reports Ars Technica. From the report: While Logitech is offering a one-time, 35-percent discount on its Harmony Hub to affected customers that are out of warranty, that's not enough for Harmony Link users who are expressing their dissatisfaction on Logitech support forums and Reddit. Users have not experienced major problems with the Harmony Link system that would indicate they are approaching end of life. Harmony Link customers do not pay a subscription or service fee to use the device, either. The only reason provided comes from a Logitech employee with the username Logi_WillWong, who explains in a response post from September 8, 2017 that Logitech will not be renewing a "technology certificate license" that expires in March. No details were provided about how this certificate license allows the Harmony Link to function, but it appears that without it, those devices will not work as promised. "The certificate will not be renewed as we are focusing resources on our current app-based remote, the Harmony Hub," Logi_WillWong added, which seems to indicate that the shutting down of the Harmony Link system is a way to get more customers on the newer Harmony Hub system.
Bitcoin

2x Called Off: Bitcoin Hard Fork Suspended for Lack of Consensus (coindesk.com) 50

Alyssa Hertig, writing for CoinDesk: The organizers of a controversial bitcoin scaling proposal are suspending an attempt to increase the block size by way of a software upgrade. Known for its strong early support from bitcoin startups and mining pools, the plan, called Segwit2x, or simply 2x, was to trigger a block size increase at block 494784, expected to occur on or around November 16th. The suspension was announced today in an email, written by Mike Belshe, CEO and co-founder of bitcoin wallet software provider BitGo. One of the leaders of the Segwit2x project, he argued that the scaling proposal is too controversial to move forward. He wrote: "Unfortunately, it is clear that we have not built sufficient consensus for a clean block size upgrade at this time. Continuing on the current path could divide the community and be a setback to Bitcoin's growth. This was never the goal of Segwit2x."
Facebook

How Facebook Figures Out Everyone You've Ever Met (gizmodo.com) 219

"I deleted Facebook after it recommended as People You May Know a man who was defense counsel on one of my cases. We had only communicated through my work email, which is not connected to my Facebook, which convinced me Facebook was scanning my work email," an attorney told Gizmodo. Kashmir Hill, a reporter at the news outlet, who recently documented how Facebook figured out a connection between her and a family member she did not know existed, shares several more instances others have reported and explains how Facebook gathers information. She reports: Behind the Facebook profile you've built for yourself is another one, a shadow profile, built from the inboxes and smartphones of other Facebook users. Contact information you've never given the network gets associated with your account, making it easier for Facebook to more completely map your social connections. Because shadow-profile connections happen inside Facebook's algorithmic black box, people can't see how deep the data-mining of their lives truly is, until an uncanny recommendation pops up. Facebook isn't scanning the work email of the attorney above. But it likely has her work email address on file, even if she never gave it to Facebook herself. If anyone who has the lawyer's address in their contacts has chosen to share it with Facebook, the company can link her to anyone else who has it, such as the defense counsel in one of her cases. Facebook will not confirm how it makes specific People You May Know connections, and a Facebook spokesperson suggested that there could be other plausible explanations for most of those examples -- "mutual friendships," or people being "in the same city/network." The spokesperson did say that of the stories on the list, the lawyer was the likeliest case for a shadow-profile connection. Handing over address books is one of the first steps Facebook asks people to take when they initially sign up, so that they can "Find Friends." 
The problem with all this, Hill writes, is that Facebook doesn't explicitly say the scale at which it would be using the contact information it gleans from a user's address book. Furthermore, most people are not aware that Facebook is using contact information taken from their phones for these purposes.
Businesses

Many Employers Are Using Tools To Monitor Their Staff's Web-browsing Patterns, Keystrokes, Social Media Posts (theguardian.com) 187

Olivia Solon, reporting for The Guardian: How can an employer make sure its remote workers aren't slacking off? In the case of talent management company Crossover, the answer is to take photos of them every 10 minutes through their webcam. The pictures are taken by Crossover's productivity tool, WorkSmart, and combined with screenshots of their workstations along with other data -- including app use and keystrokes -- to come up with a "focus score" and an "intensity score" that can be used to assess the value of freelancers. Today's workplace surveillance software is a digital panopticon that began with email and phone monitoring but now includes keeping track of web-browsing patterns, text messages, screenshots, keystrokes, social media posts, private messaging apps like WhatsApp and even face-to-face interactions with co-workers. Crossover's Sanjeev Patni insists that workers get over the initial self-consciousness after a few days and accept the need for such monitoring as they do CCTV in shopping malls.
Businesses

Paradise Papers Leak Reveals Apple's Secret Tax Bolthole (bbc.com) 174

An anonymous reader quotes a report from BBC: The world's most profitable firm has a secretive new structure that would enable it to continue avoiding billions in taxes, the Paradise Papers show. They reveal how Apple sidestepped a 2013 crackdown on its controversial Irish tax practices by actively shopping around for a tax haven. It then moved the firm holding most of its untaxed offshore cash, now $252 billion, to the Channel Island of Jersey. Apple said the new structure had not lowered its taxes. It said it remained the world's largest taxpayer, paying about $35 billion in corporation tax over the past three years, that it had followed the law and its changes "did not reduce our tax payments in any country."

Leaked emails also make it clear that Apple wanted to keep the move secret. One email sent between senior partners at Appleby says: "For those of you who are not aware, Apple [officials] are extremely sensitive concerning publicity. They also expect the work that is being done for them only to be discussed amongst personnel who need to know." Apple chose Jersey, a UK Crown dependency that makes its own tax laws and which has a 0% corporate tax rate for foreign companies. Paradise Papers documents show Apple's two key Irish subsidiaries, Apple Operations International (AOI), believed to hold most of Apple's massive $252 billion overseas cash hoard, and Apple Sales International (ASI), were managed from Appleby's office in Jersey from the start of 2015 until early 2016. This would have enabled Apple to continue avoiding billions in tax around the world.
The report notes that Apple paid just $1.65 billion in taxes to foreign governments, despite making $44.7 billion outside the U.S. That's a tax rate of 3.7%, which is less than a sixth of the average rate of corporation tax in the world.
Privacy

One in Four UK Workers Maliciously Leaks Business Data Via Email, Study Says (betanews.com) 30

From a report: New research into insider threats reveals that 24 percent of UK employees have deliberately shared confidential business information outside their company. The study from privacy and risk management specialist Egress Software Technologies also shows that almost half (46 percent) of respondents say they have received a panicked email recall request, which is not surprising given more than a third (37 percent) say they don't always check emails before sending them. The survey of 2,000 UK workers who regularly use email as part of their jobs shows the biggest human factor in sending emails in error is listed as 'rushing' (68 percent). However alcohol also plays a part in eight percent of all wrongly sent emails -- where are these people working!? Autofill technology, meanwhile, caused almost half (42 percent) to select the wrong recipient in the list.
Social Networks

9.6% of Facebook's Users 'May Be Fakes' (nytimes.com) 96

An anonymous reader quotes the New York Times: Facebook estimates that about 200 million of its more than 2.07 billion users may be fakes... [Non-paywalled article here.] Colin Stretch, the general counsel of Facebook, told the Senate Intelligence Committee the company was doubling its review staff to 20,000 and using artificial intelligence to find more "bad actors"... Sean Edgett, Twitter's general counsel, testified before Congress that about 5 percent of its 330 million users are "false accounts or spam," which would add up to more than 16 million fakes.

Independent experts say the real numbers are far higher. On Twitter, little more than an email address is needed to start tweeting. Facebook's requirement that users be their authentic selves means the company asks for a smattering of information to sign up -- name, birthday, gender and email address. But few checks exist to verify if that information is true when a user signs up.

Security

Student Charged By FBI For Hacking His Grades More Than 90 times (sophos.com) 142

An anonymous reader shares a report: In college, you can use your time to study. Or then again, you could perhaps rely on the Hand of God. And when I say "Hand of God," what I really mean is "keylogger." Think of it like the "Nimble Fingers of God." "Hand of God" (that makes sense) and "pineapple" (???) are two of the nicknames allegedly used to refer to keyloggers used by a former University of Iowa wrestler and student who was arrested last week on federal computer-hacking charges in a high-tech cheating scheme. According to the New York Times, Trevor Graves, 22, is accused in an FBI affidavit of working with an unnamed accomplice to secretly plug keyloggers into university computers in classrooms and in labs. The FBI says keyloggers allowed Graves to record whatever his professors typed, including credentials to log into university grading and email systems. Court documents allege that Graves intercepted exams and test questions in advance and repeatedly changed grades on tests, quizzes and homework assignments. This went on for 21 months -- between March 2015 and December 2016. The scheme was discovered when a professor noticed that a number of Graves' grades had been changed without her authorization. She reported it to campus IT security officials.
Microsoft

Microsoft is Killing Outlook.com Premium (thurrott.com) 49

Paul Thurrott, writing for Thurrott.com: A support document describing new premium Outlook.com features for Office 365 subscribers hides the real story today: Microsoft just killed Outlook.com Premium. I wrote earlier about how Microsoft was bringing some Outlook.com Premium features, like an ad-free inbox, to Office 365 Home and Personal subscribers. That's great news, of course. But a related support document buries the lede. "The Outlook.com Premium standalone offering is now closed to new subscribers," the support document notes. "Current subscribers can renew their subscriptions to continue receiving subscription benefits." Yikes. There's also a link to another support document that continues this conversation. But there really isn't much more to say. If you're already using Outlook.com Premium, you can continue to do so. And for now, at least, you can even renew the subscription and keep using its unique features, like custom domain support.
Security

Critical Flaws In Maritime Communications System Could Endanger Entire Ships (helpnetsecurity.com) 41

Orome1 shares a report from Help Net Security: IOActive security consultant Mario Ballano has discovered two critical cybersecurity vulnerabilities affecting Stratos Global's AmosConnect communication shipboard platform. The platform works in conjunction with the ships' satellite equipment, and integrates vessel and shore-based office applications, as well as provides services like Internet access for the crew, email, IM, position reporting, etc. The first vulnerability is a blind SQL injection in a login form. Attackers that successfully exploit it can retrieve credentials to log into the service and access sensitive information stored in it. The second one is a built-in backdoor account with full system privileges. "Among other things, this vulnerability allows attackers to execute commands with SYSTEM privileges on the remote system by abusing AmosConnect Task Manager," Ballano shared. The found flaws can be exploited only by an attacker that has access to the ship's IT systems network, he noted, but on some ships the various networks might not be segmented, or AmosConnect might be exposed to one or more of them. The vulnerabilities were found in AmosConnect 8.4.0, and Stratos Global was notified a year ago. But Inmarsat won't fix them, and has discontinued the 8.0 version of the platform in June 2017.
Data Storage

US Voting Server At Heart of Russian Hack Probe Mysteriously Wiped (theregister.co.uk) 431

A computer at the center of a lawsuit digging into Russian interference in the U.S. presidential election has been wiped. "The server in question is based in Georgia -- a state that narrowly backed Donald Trump, giving him 16 electoral votes -- and stored the results of the state's vote-management system," reports The Register. "The deletion of its filesystem data makes analysis of whether the system was compromised impossible to ascertain." From the report: There is good reason to believe that the computer may have been tampered with: it is 15 years old, and could be harboring all sorts of exploitable software and hardware vulnerabilities. No hard copies of the votes are kept, making the electronic copy the only official record. While investigating the Kennesaw State University's Center for Election Systems, which oversees Georgia's voting system, last year, security researcher Logan Lamb found its system was misconfigured, exposing the state's entire voter registration records, multiple PDFs with instructions and passwords for election workers, and the software systems used to tally votes cast. Despite Lamb letting the election center know of his findings, the security holes were left unpatched for seven months. He later went public after the U.S. security services announced there had been a determined effort by the Russian government to sway the presidential elections, including looking at compromising electronic voting machines.

In an effort to force the state to scrap the system, a number of Georgia voters banded together and sued. They asked for an independent security review of the server, expecting to find flaws that would lend weight to their argument for investment in a more modern and secure system. But emails released this week following a Freedom of Information Act request reveal that technicians at the election center deleted the server's data on July 7 -- just days after the lawsuit was filed. The memos reveal multiple references to the data wipe, including a message sent just last week from an assistant state attorney general to the plaintiffs in the case. That same email also notes that backups of the server data were also deleted more than a month after the initial wipe -- just as the lawsuit moved to a federal court. It is unclear who ordered the destruction of the data, and why, but they have raised yet more suspicions of collusion between the Trump campaign team, the Republican Party, and the Russian government.

Businesses

McAfee Says It No Longer Will Permit Government Source Code Reviews (reuters.com) 79

Dustin Volz, Joel Schectman, and Jack Stubbs, reporting for Reuters: U.S.-based cyber firm McAfee said it will no longer permit foreign governments to scrutinize the source code of its products, halting a practice some security experts have warned could be leveraged by nation-states to carry out cyber attacks. Reuters reported in June that McAfee was among several Western technology companies that had acceded in recent years to greater demands by Moscow for access to source code, the instructions that control basic operations of computer equipment. The reviews, conducted in secure facilities known as "clean rooms" by Russian companies with expertise in technology testing, are required by Russian defense agencies for the stated purpose of ensuring no hidden "backdoors" exist in foreign-made software. But security experts and former U.S. officials have said those inspections provide Russia with opportunities to find vulnerabilities that could be exploited in offensive cyber operations. McAfee ended the reviews earlier this year after spinning off from Intel in April as an independent company, a McAfee spokeswoman said in an email to Reuters last week.
Businesses

More Than Half of Emails Worldwide Are Now Opened in a Mobile Environment (emarketer.com) 47

A reader shares a research report: The world of email marketing has changed pretty significantly over the past five years. Where desktop clients like Outlook were once a more important delivery medium, readers of email are now in the thrall of mobile clients and webmail services like Gmail. In fact, new research from Return Path found that more than half of emails worldwide (55%) are opened in a mobile environment in 2017, significantly more than either webmail (28%) or desktop (16%). Mobile has emerged as the dominant email environment since Return Path last conducted its survey in 2012, when only 29% of emails were opened on a mobile device, and webmail clients were the most popular method of accessing such electronic missives. Return Path also found that Apple's iOS was dominant among mobile email users worldwide, with 79% of mobile emails opened on either an iPhone or iPad this year. While only 20% of emails were opened on a device running Android, that was actually an increase of 6 percentage points from 2012's figure.
Android

Some Pixel 2 Users Are Complaining About A High-Pitched Whine and Clicking Noises (arstechnica.com) 105

After dealing with all sorts of screen issues, another problem with Google's flagship smartphone is popping up. This time it's an audio issue: users on Google's official forums and elsewhere are reporting odd sounds coming from the Pixel 2 speakers. Ars Technica reports: Customers are complaining of "clicking" and a "high-pitched whine" coming from the Pixel 2 and Pixel 2 XL. Most reports on the forums say the noises are coming from the top or bottom speaker on the Pixel 2 and Pixel 2 XL. Some reports say the sounds come through during calls, while other users say the speaker noises happen any time the screen is on. A user made a recording of the sound, which can be heard here. Most users are being told to return their devices after contacting support, but at least one person claims they were told this issue would be patched in an upcoming update. One possible workaround is to turn off NFC, which some users say stops or lowers the noises.
