Security

Anthem To Pay $115 Million In The Largest Data Breach Settlement Ever (cnet.com) 38

An anonymous reader quotes CNET: Anthem, the largest health insurance company in the U.S., has agreed to settle a class action lawsuit over a 2015 data breach for a record $115 million, according to lawyers for the plaintiffs. The settlement still has to be approved by US District Court Judge Lucy Koh, who is scheduled to hear the case on August 17 in San Jose, California. And Anthem, which didn't immediately respond to a request for confirmation and comment, isn't admitting any wrongdoing, according to a statement it made to CyberScoop acknowledging the settlement.

But if approved, it would be the largest data breach settlement in history, according to the plaintiffs' lawyers, who announced the agreement Friday. The funds would be used to provide victims of the data breach at least two years of credit monitoring and to reimburse customers for breach-related expenses. The settlement would also guarantee a certain level of funding for "information security to implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls," the plaintiff attorneys said.

The breach compromised data for 80 million people, including their social security numbers, birthdays, street addresses (and email addresses) as well as income data. The $115 million settlement averages out to $1.43 for every person who was affected.
Security

Account Registrations Enable 'Password Reset Man In The Middle' Attacks (helpnetsecurity.com) 73

"Attackers that have set up a malicious site can use users' account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications, researchers have demonstrated." Orome1 quotes Help Net Security: The Password Reset Man in the Middle attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource. Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on). Every request for input from that site is forwarded to the potential victim, and then his or her answers forwarded back to that particular site.
Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.
United Kingdom

UK Parliament Emails Closed After 'Sustained And Determined' Cyber-Attack (theguardian.com) 44

An anonymous reader quotes the Guardian: Parliament has been hit by a "sustained and determined" cyber-attack by hackers attempting to gain access to MPs' and their staffers' email accounts. Both houses of parliament were targeted on Friday in an attack that sought to gain access to accounts protected by weak passwords... The estate's digital services team said they had made changes to accounts to block out the hackers, and that the changes could mean staff were unable to access their emails...

The international trade secretary, Liam Fox, told ITV News the attack was a "warning to everyone we need more security and better passwords. You wouldn't leave your door open at night." In an interview with the BBC, he added: "We know that there are regular attacks by hackers attempting to get passwords. We have seen reports in the last few days of even Cabinet ministers' passwords being for sale online. We know that our public services are attacked, so it is not at all surprising that there should be an attempt to hack into parliamentary emails."

One member of Parliament posted on Twitter "Sorry, no parliamentary email access today -- we're under cyber-attack from Kim Jong-un, Putin or a kid in his mom's basement or something." He added later, "I'm off to the pub."
Google

Google Will Stop Reading Your Emails For Gmail Ads (bloomberg.com) 67

Google will soon stop scanning emails received by some Gmail users, a practice that has allowed it to show them targeted advertising but which stirred privacy worries. From a report: The decision didn't come from Google's ad team, but from its cloud unit, which is angling to sign up more corporate customers. Alphabet's Google Cloud sells a package of office software, called G Suite, that competes with market leader Microsoft. Paying Gmail users never received the email-scanning ads like the free version of the program, but some business customers were confused by the distinction and its privacy implications, said Diane Greene, Google's senior vice president of cloud. "What we're going to do is make it unambiguous," she said. Ads will continue to appear inside the free version of Gmail, as promoted messages. But instead of scanning a user's email, the ads will now be targeted with other personal information Google already pulls from sources such as search and YouTube.
Communications

Even Telecom Workers Don't Want To Talk On the Phone (fastcompany.com) 51

An anonymous reader shares a report: Of the 1,000 Americans surveyed by Fundera, more than half said they prefer email, even though an often overflowing inbox has been proven to hinder productivity. Other methods of communicating paled in comparison. For instance, face-to-face conversations came in a distant second, preferred by only 15.8% of respondents, while phone calls came in at the bottom across 17 different industries. Even telecom workers don't want to talk on the phone: 70% would prefer to use instant messages or email.
Software

Uber Finally Adds a Tipping Option To Its App (gizmodo.com) 85

After years of complaints, Uber is rolling out a tipping option for drivers. "Tipping is available in Seattle, Minneapolis and Houston as of today. We're starting with only 3 cities so we can create the best tipping experience for you and your riders. We'll be adding more cities over the next few weeks, and will make tips available to all U.S. drivers, by the end of July 2017," Uber said in an email to drivers. Gizmodo reports: Uber will also roll out a full set of driver-friendly features. The cancellation window will narrow to two minutes (it was previously five) and drivers will get a per-minute fee if a rider makes them wait beyond two minutes. Drivers will also get a cut of Uber's "teen fare" which had previously gone exclusively to Uber. Now, drivers will get $2 of the fee. Uber will also offer drivers the option to enroll in injury-protection insurance. Uber has always argued that it offers a seamless experience and that adding a tip feature into its app would interfere with that. The company promises an up-front fare to the rider, with no fumbling around for cash or evaluation of a driver's performance beyond assigning a rating.
Government

Using Texts as Lures, Government Spyware Targets Mexican Journalists and Their Families (nytimes.com) 54

Mexico's most prominent human rights lawyers, journalists and anti-corruption activists have been targeted by advanced spyware sold to the Mexican government on the condition that it be used only to investigate criminals and terrorists, reports the New York Times. From the report: The targets include lawyers looking into the mass disappearance of 43 students (alternative source), a highly respected academic who helped write anti-corruption legislation, two of Mexico's most influential journalists and an American representing victims of sexual abuse by the police. The spying even swept up family members, including a teenage boy. Since 2011, at least three Mexican federal agencies have purchased about $80 million worth of spyware created by an Israeli cyberarms manufacturer. The software, known as Pegasus, infiltrates smartphones to monitor every detail of a person's cellular life -- calls, texts, email, contacts and calendars. It can even use the microphone and camera on phones for surveillance, turning a target's smartphone into a personal bug.
The Almighty Buck

Is Coinbase Closing Accounts For Paying Ransoms With Bitcoins? (coindesk.com) 200

Even as some companies are stockpiling bitcoins so they can quickly pay ransom demands, security firms that try paying those ransoms may face losing their accounts on Coinbase. Slashdot reader Mosquito Bites quotes a report from CoinDesk: Less than a year ago, Vinny Troia, CEO and principal security consultant of Night Lion Security and a certified white hat hacker, was sent a compliance form by US bitcoin exchange Coinbase, where he had an account. Coinbase wanted to know how Troia was using bitcoin and his account. "I told them I run a security firm. I pay for ransoms and buy documents on the dark web when clients request it," Troia told CoinDesk. The ransoms Troia helps his clients pay are those stemming from ransomware attacks, which have surged in number over the past few years. Many, like the well-publicized WannaCry attack, are asking for bitcoin.

And the documents? Troia said, "We do breach investigations a lot of times. If a fraudster is saying they're selling my client's stolen documents, the only way to make sure they have what they say they have is to buy those documents." According to Troia, Coinbase "did not like that at all." Coinbase then asked the IT expert whether he had a letter from the Department of Justice giving him permission to do those things. No, Troia said. Upon further research, Troia has not found that any such permission exists. But, "I have my clients authorizing me to do this," he said. Coinbase sent Troia back an email explaining that those actions were against the exchange's rules and shut down his account... "My entire family is blocked from Coinbase," he said.

Displays

Xerox Alto Designer, Co-Inventor Of Ethernet, Dies at 74 (arstechnica.com) 95

An anonymous reader quotes Ars Technica: Charles Thacker, one of the lead hardware designers on the Xerox Alto, the first modern personal computer, died of a brief illness on Monday. He was 74. The Alto, which was released in 1973 but was never a commercial success, was an incredibly influential machine... Thomas Haigh, a computer historian and professor at the University of Wisconsin, Milwaukee, wrote in an email to Ars, "Alto is the direct ancestor of today's personal computers. It provided the model: GUI, windows, high-resolution screen, Ethernet, mouse, etc. that the computer industry spent the next 15 years catching up to. Of course others like Alan Kay and Butler Lampson spent years evolving the software side of the platform, but without Thacker's creation of what was, by the standards of the early 1970s, an amazingly powerful personal hardware platform, none of that other work would have been possible."
In 1999 Thacker also designed the hardware for Microsoft's Tablet PC, "which was first conceived of by his PARC colleague Alan Kay during the early 1970s," according to the article. "I've found over my career that it's been very difficult to predict the future," Thacker said in a guest lecture in 2013. "People who tried to do it generally wind up being wrong."
Government

eBay Urges Customers To Oppose Washington Internet Tax (knkx.org) 71

An anonymous reader quotes a report from KNKX: If you live in Washington state, you might have gotten the email from eBay. It begins: "The Washington State Legislature is threatening to impose new Internet sales tax burdens on you." It goes on to urge the recipient to send a form letter to Washington lawmakers opposing "harmful tax laws." So what's this about? EBay's Brian Bieron said the company is alerting its customers to a proposal to require out-of-state retailers to collect sales tax from Washington residents. "It's the right of all of our users to know when new tax policies would impact their ability to sell online or shop online, we think that they want to know and they want to get involved," Bieron said. The fact eBay is emailing its customer base now indicates the company is concerned the internet tax bill will be part of a final budget deal in Olympia. Washington House Democrats and Senate Republicans are currently trying to hash out a compromise budget that fully funds schools. That agreement will likely include some additional sources of tax revenue. Of all the choices on the table, capturing sales tax from more online sales might prove the most palatable to tax-averse Republicans. House Democrats estimate the proposal could bring in an estimated $341 million over the next two years.
Yahoo!

Ask Slashdot: Advice For a Yahoo Mail Refugee 322

New submitter ma1wrbu5tr writes: Very shortly after the announcement of Verizon's acquisition of Yahoo, two things happened that caught my attention. First, I was sent an email that basically said "these are our new Terms of Service and if you don't agree to them, you have until June 8th to close your account". Subsequently, I noticed that when working in my mailbox via the browser, I kept seeing messages in the status bar saying "uploading..." and "upload complete". I understand that Y! has started advertising heavily in the webmail app but I find these "uploads" disturbing. I've since broken out a pop client and have downloaded 15 years worth of mail and am going through to ensure there are no other online accounts tied to that address. My question to slashdotters is this: "What paid or free secure email service do you recommend as a replacement and why?" I'm on the hunt for an email service that supports encryption, has a good Privacy Policy, and doesn't have a history of breaches or allowing snooping.
Security

Oil Changes, Safety Recalls, and Software Patches (daemonology.net) 129

An anonymous reader shares a blog post: Every few months I get an email from my local mechanic reminding me that it's time to get my car's oil changed. I generally ignore these emails; it costs time and money to get this done and I drive little enough -- about 2000 km/year -- that I'm not too worried about the consequences of going for a bit longer than nominally advised between oil changes. I do get oil changes done... but typically once every 8-12 months, rather than the recommended 4-6 months. On the other hand, there's another type of notification which elicits more prompt attention: Safety recalls. There are two good reasons for this: First, whether for vehicles, food, or other products, the risk of ignoring a safety recall is not merely that the product will break, but rather that the product will be actively unsafe; and second, when there's a safety recall you don't have to pay for the replacement or fix -- the cost is covered by the manufacturer. I started thinking about this distinction -- and more specifically the difference in user behaviour -- in the aftermath of the "WannaCry" malware. While WannaCry attracted widespread attention for its "ransomware" nature, the more concerning aspect of this incident is how it propagated: By exploiting a vulnerability in SMB for which Microsoft issued patches two months earlier. As someone who works in computer security, I find this horrifying -- and I was particularly concerned when I heard that the NHS was postponing surgeries because they couldn't access patient records. [...] I imagine that most people in my industry would agree that security patches should be treated in the same vein as safety recalls -- unless you're certain that you're not affected, take care of them as a matter of urgency -- but it seems that far more users instead treat security patches more like oil changes: something to be taken care of when convenient... or not at all, if not convenient. 
It's easy to say that such users are wrong; but as an industry it's time that we think about why they are wrong rather than merely blaming them for their problems.
Businesses

Uber CEO To Take Leave, Diminished Role After Workplace Scandals (bloomberg.com) 86

Uber CEO Travis Kalanick will take a leave of absence from the world's most valuable privately held company, he announced in an email to employees Tuesday. From a report: Uber Chief Executive Officer Travis Kalanick told staff he plans to take a leave of absence, without disclosing a return date. The company will strip him of some duties and appoint an independent chair to limit his influence after a slew of scandals, according to an advance copy of a report prepared for the board. At a staff meeting Tuesday, the company will convey the results of a probe conducted by Eric Holder, the former U.S. attorney general who Uber hired to look into allegations of harassment, discrimination and an aggressive culture. The 47 recommendations include creating a board oversight committee, rewriting Uber's cultural values, reducing alcohol use at work events, and prohibiting intimate relationships between employees and their bosses. Uber's board met Sunday to review a detailed version of the report and voted unanimously to approve the recommendations. Afterward, the San Francisco-based company ousted Emil Michael, Uber's head of business.
United States

Trump-Style Tactics Finally Stopped Working For Uber (buzzfeed.com) 238

BuzzFeed Editor-in-Chief Ben Smith describes a three-year-old meeting that Uber held -- which saw several influencers including actor Ed Norton among attendees -- as the beginning of the ride-hailing company's long slow meltdown. Later today, the company is expected to announce that its CEO Travis Kalanick will be temporarily stepping away, and his closest lieutenant is all set to hand in his resignation. On Sunday, the company held a board meeting, which according to several journalists, lasted for nearly seven hours. The meeting capped a difficult stretch for the ride-hailing company, which is trying to weather an investigation into its workplace culture, a lawsuit by Google parent Alphabet over the alleged theft of self-driving car trade secrets, a federal probe into its business practices, and the recent departures of top executives. Back to Ben: At the dinner (which took place three years ago), Emil Michael, the right hand of CEO Travis Kalanick, heatedly complained to me about the press. The company, he told me, could hire a team of opposition researchers to fight fire with fire and attack the media -- specifically to smear a female journalist who has criticized the company. I suggested to him that this plan wouldn't really work because the story would immediately become a story about Uber behaving like maniacs. "Nobody would know it was us," Michael responded. "But you just told me!," I replied. [...] Instead of making any meaningful changes, Uber simply pressed on for years. It found both continued growth and accumulating scandals. Many of its crises, like those remarks to me, were tinged with misogyny, whether sexual harassment of its engineers or pulling a rape victim's medical files.
After one of those engineers, Susan Fowler, stepped forward with a blog post detailing systemic sexual harassment and discrimination -- a post that was followed up by a series of devastating stories by The New York Times, Recode, and others -- the company invited former Attorney General Eric Holder to lead an internal investigation. Sunday, the Wall Street Journal reported that Michael is set to resign, and Reuters reported Kalanick will take a leave of absence ahead of what's expected to be a deeply damning Holder report. (Kalanick is also coping with a family tragedy.) They will leave having built the most valuable private company in the world. But it is a company whose cultural darkness is inseparable from its place as the icon of the tech boom. Uber -- and the boom -- have been defined both by massive new conveniences and by a corporate culture that is aggressive, paranoid, and dismissive of, in particular, complaints from women; a culture of enemies lists and cavalier approaches to the law. Emil Michael told Uber employees Monday that he has left the company.
United States

Former FBI Director Predicts Russian Hackers Will Interfere With More Elections (nytimes.com) 506

An anonymous reader quotes the New York Times: James B. Comey, the former director of the F.B.I., testified that the Russians had not only intervened in last year's election, but would try to do it again... Russian hackers did not just breach Democratic email accounts; according to Mr. Comey, they orchestrated a "massive effort" targeting hundreds of -- and possibly more than 1,000 -- American government and private organizations since 2015... As F.B.I. director, he supervised counterintelligence investigations into computer break-ins that harvested emails from the State Department and the White House, and that penetrated deep into the computer systems of the Joint Chiefs of Staff. Yet President Barack Obama's administration did not want to publicize those intrusions, choosing to handle them diplomatically -- perhaps because at the time they looked more like classic espionage than an effort to manipulate American politics...

Graham Allison, a longtime Russia scholar at Harvard, said, "Russia's cyberintrusion into the recent presidential election signals the beginning of what is almost sure to be an intensified cyberwar in which both they -- and we -- seek to participate in picking the leaders of an adversary." The difference, he added, is that American elections are generally fair, so "we are much more vulnerable to such manipulation than is Russia," where results are often preordained... Similar warnings have been issued by others in the intelligence community, led by James R. Clapper Jr., who has sounded the alarm since retiring in January as director of national intelligence. "I don't think people have their head around the scope of what the Russians are doing," he said recently.

Daniel Fried, a career diplomat who oversaw sanctions imposed on Russia before retiring this year, told the Times that Comey "was spot-on right that Russia is coming after us, but not just the U.S., but the free world in general. And we need to take this seriously."
Security

New Malware Downloader Can Infect PCs Without A Mouse Click (engadget.com) 151

An anonymous reader quotes Engadget: You think you're safe from malware since you never click suspicious-looking links, then somebody finds a way to infect your PC anyway. Security researchers have discovered that cybercriminals have recently started using a malware downloader that installs a banking Trojan to your computer even if you don't click anything. All it takes to trigger the download is to hover your mouse pointer over a hyperlink in a carrier PowerPoint file. According to researchers from Trend Micro and Dodge This Security the technique was used by a recent spam email campaign targeting companies and organizations in Europe, the Middle East and Africa. The emails' subjects were mostly finance-related, such as "Invoice" and "Order #," with an attached PowerPoint presentation. The PowerPoint file has a single hyperlink in the center that says "Loading... please wait" that has an embedded malicious PowerShell script. When you hover your mouse pointer over the link, it executes the script.
Trend Micro writes that "while the numbers aren't impressive, it can also be construed as a dry run for future campaigns, given the technique's seeming novelty," adding "It wouldn't be far-fetched for other malware like ransomware to follow suit."
Desktops (Apple)

Teardown of New iMac Reveals Upgradable Processors, RAM (macrumors.com) 205

According to an iFixit teardown, Apple's new 4K 21.5-inch iMac has both removable RAM and a Kaby Lake processor that's not soldered onto the logic board. Whereas the previous models had soldered memory modules, the new iMac's memory sits in two removable SO-DIMM slots. MacRumors reports: iFixit made the discovery by disassembling Apple's $1,299 mid-range 3.0GHz stock option, which includes 8GB of 2400MHz DDR4 memory, a Radeon Pro 555 graphics card with 2GB of VRAM, and a 1TB 5400-RPM hard drive. After slicing through the adhesive that secures the 4K display to the iMac's housing and removing the power supply, hard drive, and fan, iFixit discovered that the memory modules aren't soldered onto the logic board like previous models, but instead sit in two removable SO-DIMM slots. Similarly, after detaching the heatsink and removing the warranty-voiding stickers on the backside of the logic board, iFixit found that the Intel SR32W Core i5-7400 Kaby Lake processor sits in a standard LGA 1151 CPU socket, making it possible to replace or upgrade the CPU without a reflow station.
EU

EU Seeks New Powers To Obtain Data 'Directly' From Tech Firms (zdnet.com) 40

Zack Whittaker reports via ZDNet: European authorities are seeking new powers to allow police and intelligence agencies to directly obtain user data stored on the continent by U.S. tech companies. The move comes in the wake of an uptick in terrorist attacks, including several attacks in Britain and France, among others across the bloc. Tech companies have been asked to do more to help law enforcement, while police have long argued the process for gathering data overseas is slow and cumbersome. The bloc's justice commissioner, Vera Jourova, presented several plans to a meeting of justice ministers in Luxembourg on Thursday to speed up access for EU police forces to obtain evidence -- including one proposal to allow police to obtain data "directly" from the cloud servers of U.S. tech companies in urgent cases. "Commissioner Jourova presented at the Justice Council three legislative options to improve access to e-evidence," said Christian Wiga, an EU spokesperson, in an email. "Based on the discussion between justice ministers, the Commission will now prepare a legislative proposal," he added. Discussions are thought to have included what kind of data could be made available, ranging from geolocation data to the contents of private messages. Such powers would only be used in "emergency" situations, said Jourova, adding that safeguards would require police to ensure that each request is "necessary" and "proportionate." Further reading: Reuters
Encryption

Apple To Force Users To 2FA On iOS 11, macOS High Sierra (onthewire.io) 119

Trailrunner7 quotes a report from On the Wire: With the upcoming releases of iOS 11 and macOS High Sierra later this year, Apple is planning to force many users to adopt two-factor authentication for their accounts. The company this week sent an email to customers who have the existing two-step verification enabled for their Apple IDs, informing them that once they install the public betas of the new operating systems they will be migrated to two-factor authentication automatically. Two-step verification is an older method of account security that Apple rolled out before full two-factor authentication was available. Apple is phasing that out and will be upgrading people with eligible devices automatically. "Once updated, you'll get the same extra layer of security you enjoy with two-step verification today, but with an even better user experience. Verification codes will be displayed on your trusted devices automatically whenever you sign in, and you will no longer need to keep a printed recovery key to make sure you can reset a forgotten password," the email from Apple says.
Ubuntu

Ubuntu Touch Mobile OS Now Maintained By UBports (phoronix.com) 22

An anonymous reader quotes Phoronix: UBports continues to be the leading community project for trying to let Ubuntu Touch live on and evolve under their direction... Among their recent achievements were acquiring more sponsors, all devices that were sold with Ubuntu Touch can now run with UBports' builds, they are working on their own version of Mozilla's AGPS Location Service to replace Canonical's GPS system, the Halium OS platform continues evolving, the Dekko email client is back under development, installation improvements are being worked on, they are still striving for Wayland support, and more.
The UBports Patreon page has even raised enough to allow UBports founder Marius Gripsgard to work full-time on what they're calling "a beautiful, free and open-source mobile OS." Their recent community update announced that "we are seeing more activity on Ubuntu Touch than for a very long time, and that is really encouraging."