Facebook

Facebook Begins Tracking Non-Users Around the Internet (theverge.com) 120

Amar Toor, reporting for The Verge: Facebook will now display ads to web users who are not members of its social network, the company announced Thursday, in a bid to significantly expand its online ad network. As The Wall Street Journal reports, Facebook will use cookies, "like" buttons, and other plug-ins embedded on third-party sites to track members and non-members alike (Editor's note: link swapped with a non-paywall source). The company says it will be able to better target non-Facebook users and serve relevant ads to them, though its practices have come under criticism from regulators in Europe over privacy concerns. Facebook began displaying a banner notification at the top of its News Feed for users in Europe today, alerting them to its use of cookies as mandated under an EU directive. Mark Wilson of BetaNews adds that Facebook has outlined these changes in its cookies policy page, as part of which the company is now allowing Facebook users to opt out of the ad scheme by changing their Facebook settings. Users who don't have a Facebook account can opt out through the Digital Advertising Alliance in the United States and Canada, and the European Interactive Digital Advertising Alliance in Europe.
Government

Secret Text In Senate Bill Would Give FBI Warrantless Access To Email Records (theintercept.com) 149

mi quotes a report from The Intercept: A provision snuck into the still-secret text of the Senate's annual intelligence authorization would give the FBI the ability to demand individuals' email data and possibly web-surfing history from their service providers using those beloved 'National Security Letters' -- without a warrant and in complete secrecy. [The spy bill passed the Senate Intelligence Committee on Tuesday, with the provision in it. The lone no vote came from Sen. Ron Wyden, D-Ore., who wrote in a statement that one of the bill's provisions "would allow any FBI field office to demand email records without a court order, a major expansion of federal surveillance powers." If passed, the change would expand the reach of the FBI's already highly controversial national security letters. The FBI is currently allowed to get certain types of information with NSLs -- most commonly, information about the name, address, and call data associated with a phone number or details about a bank account. The FBI's power to issue NSLs is actually derived from the Electronic Communications Privacy Act -- a 1986 law that Congress is currently working to update to incorporate more protections for electronic communications -- not fewer. The House unanimously passed the Email Privacy Act in late April, while the Senate is due to vote on its version this week. "NSLs have a sordid history. They've been abused in a number of ways, including targeting of journalists and use to collect an essentially unbounded amount of information," Andrew Crocker, staff attorney for the Electronic Frontier Foundation, wrote. One thing that makes them particularly easy to abuse is that recipients of NSLs are subject to a gag order that forbids them from revealing the letters' existence to anyone, much less the public.]
Advertising

Smartphone Surveillance Tech Used To Target Anti-Abortion Ads At Pregnant Women (rewire.news) 232

VoiceOfDoom writes: Rewire reports: "Last year, an enterprising advertising executive based in Boston, Massachusetts, had an idea: Instead of using his sophisticated mobile surveillance techniques to figure out which consumers might be interested in buying shoes, cars, or any of the other products typically advertised online, what if he used the same technology to figure out which women were potentially contemplating abortion, and send them ads on behalf of anti-choice organizations?"

Regardless of one's personal stance on the pro-choice/anti-abortion debate, the unfettered use of tracking and ad-targeting technology which makes this kind of application possible is surely a cause for concern. In Europe, Canada and many other parts of the world, the use of a person's data in this way would be illegal thanks to strict privacy laws. Is it time for the U.S. to consider a similar approach to protect its citizens?
Google has reportedly been tracking users on around 80 percent of all 'Top 1 Million' domains. Facebook is doing something similar. A recent report shows that Facebook uses smartphone microphones to identify the things users are listening to or watching based on the music and TV shows it's able to identify. Facebook says the feature must be turned on, and that "it's only active when you're writing a status update."
Privacy

Millennials Value Speed Over Security, Says Survey (dailydot.com) 127

An anonymous reader quotes a report from The Daily Dot: Millennials stand apart from other Americans in preferring faster Internet access to safer Internet access, according to a new survey. When digital-authentication firm SecureAuth asked people from all age groups whether they would rather be safer online or browse faster online, 57 percent of Americans chose security and 43 percent chose speed. But among millennials, the results were almost reversed: 54 percent chose speed over security. Young people are also more willing than the overall population to share sensitive information over public Wi-Fi connections, which are notoriously insecure as they allow anyone on the network to analyze and intercept passing traffic. While a clear majority (57 percent) of Americans told SecureAuth that they transmitted such information over public Wi-Fi, nearly eight in 10 (78 percent) of millennials said they did so. A surprising 44 percent of millennials believe their data is generally safe from hackers, and millennials are more likely than members of other age groups to share account passwords with friends. Americans overall are paying more attention to some aspects of digital security. An October 2015 study by the wireless industry's trade group found that 61 percent of Americans use passwords on their smartphones and 58 percent use them on their tablets, compared to 50 percent and 48 percent, respectively, in 2012. The recent study lines up with a report published on May 24 that found that the elderly use more secure passwords than millennials.
Privacy

Consumer Campaigners Read T&C Of Their Mobile Phone Apps To Prove a Point (bbc.com) 83

From a BBC report: Norwegians have spent more than 30 hours reading out terms and conditions from smartphone apps in a campaign by the country's consumer agency. The average Norwegian has 33 apps, the Norwegian Consumer Council says, whose terms and conditions together run longer than the New Testament. To prove the "absurd" length, the council got Norwegians to read each of them out in real time on their website. The reading finished on Wednesday, clocking in at 31:49:11. Some of the world's most popular apps were chosen, including Netflix, YouTube, Facebook, Skype, Instagram and Angry Birds. Finn Myrstad from the Norwegian Consumer Council, said: "The current state of terms and conditions for digital services is bordering on the absurd."
Privacy

Virtual Assistants Such As Amazon's Echo Break US Child Privacy Law, Experts Say (theguardian.com) 67

Mark Harris, reporting for The Guardian: An investigation by the Guardian has found that despite Amazon marketing the Echo to families with young children, the device is likely to contravene the US Children's Online Privacy Protection Act (COPPA), set up to regulate the collection and use of personal information from anyone younger than 13. Along with Google, Apple and others promoting voice-activated artificial intelligence systems to young children, the company could now face multimillion-dollar fines. "This is part of the initial wave of marketing to children using the internet of things," says Jeff Chester, executive director of the Center for Digital Democracy, a privacy advocacy group that helped write the law. "It is exactly why the law was enacted in the first place, to protect young people from pervasive data collection."
Microsoft

Microsoft May Ban Your Favorite Password (securityweek.com) 230

wiredmikey writes from a report via SecurityWeek.Com: Microsoft is taking a step to better protect users by banning the use of weak and commonly-used passwords across its services. Microsoft has announced that it is dynamically banning common passwords from Microsoft Account and the Azure Active Directory (AD) system. In addition to banning commonly used passwords to improve user account safety, Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked. [Alex Weinert, Group Program Manager of the Azure AD Identity Protection team, explains in a blog post that] Microsoft is seeing more than 10 million accounts being attacked each day, and that this data is used to dynamically update the list of banned passwords. This list is then used to prevent people from choosing a common or similar password. Microsoft's new feature comes after last week's leak of 117 million LinkedIn credentials.
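To make the "common or similar password" idea concrete, here is an added example (written for this page; not Microsoft's code, whose list and matching rules are not described here) of a blocklist that rejects seed passwords and their trivial variants, and that grows itself from observed guess attempts in the way the summary describes. The seed list, the leet-substitution table and the sample of attempted passwords are all constructed.

```python
"""Added example: a banned-password filter with near-variant matching.

Not Microsoft's implementation. The seed list and the attempt sample
below are constructed for illustration.
"""
from collections import Counter
import re

# Constructed seed of commonly attacked passwords.
SEED_BANNED = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Substitutions users apply to dodge naive blocklists (assumed table).
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Constructed sample of passwords seen in failed sign-in attempts.
ATTEMPT_SAMPLE = [
    "Summer2016", "summer2016!", "Summer16", "password",
    "dragon", "Summer2016", "Qwerty123",
]


def normalize(password: str) -> str:
    """Collapse a password onto its base word.

    Lower-case it, strip leading/trailing digits and punctuation, then undo
    leet substitutions, so 'P@ssw0rd2016!' and 'password' normalize to the
    same string. Pure-digit passwords are returned unchanged.
    """
    if password.isdigit():
        return password
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return base.translate(LEET_MAP)


class BannedPasswordList:
    """Blocklist that matches exact entries and normalized near-variants."""

    def __init__(self, seed):
        self.exact = {p.lower() for p in seed}
        self.bases = {normalize(p) for p in seed} - {""}

    def is_banned(self, password: str) -> bool:
        """True if the password, or its normalized base, is on the list."""
        if password.lower() in self.exact:
            return True
        base = normalize(password)
        return bool(base) and base in self.bases

    def update_from_attempts(self, attempted_passwords, threshold: int):
        """Ban any base word guessed at least `threshold` times across the
        observed failed sign-ins; returns the set of newly banned bases."""
        counts = Counter(normalize(p) for p in attempted_passwords)
        new = {b for b, n in counts.items()
               if b and n >= threshold and b not in self.bases}
        self.bases |= new
        return new


if __name__ == "__main__":
    banned = BannedPasswordList(SEED_BANNED)
    for candidate in ["P@ssw0rd2016!", "correct horse battery staple"]:
        print(candidate, "->", "rejected" if banned.is_banned(candidate) else "ok")
    print("newly banned from attempts:", banned.update_from_attempts(ATTEMPT_SAMPLE, 3))
    print("Summer2017 ->", "rejected" if banned.is_banned("Summer2017") else "ok")
```

Normalizing before comparison is what turns a plain blocklist into a "similar password" check: appending a year or swapping `@` for `a` no longer gets a banned word past the filter. The threshold in `update_from_attempts` is the knob that keeps one-off guesses from polluting the list.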
Open Source

CentOS Linux 6.8 Released (softpedia.com) 88

An anonymous reader writes: The CentOS team is pleased to announce the immediate availability of CentOS Linux 6.8 and install media for i386 and x86_64 architectures. Release Notes for 6.8 are available here. Softpedia writes: "CentOS Linux 6.8 arrives today with major changes, among which we can mention the latest Linux 2.6.32 kernel release from upstream with support for storing up to 300TB of data on XFS filesystems. The VPN endpoint solution implemented in the NetworkManager network connection manager utility is now provided on the libreswan library instead of the Openswan IPsec implementation used in previous releases of the OS, and it looks like the SSLv2 protocol has been disabled by default for the SSSD (System Security Services Daemon), which also comes with support for smart cards now." In addition, the new release comes with updated applications, including the LibreOffice 4.3.7 office suite and the Squid 3.4 caching and forwarding web proxy, many of which now support the Transport Layer Security (TLS) 1.2 protocol, including Git, YUM, Postfix, OpenLDAP, stunnel, and vsftpd. The dmidecode open-source tool now supports SMBIOS 3.0.0, you can now pull kickstart files from HTTPS (Secure HTTP) sources, the ntpd (Network Time Protocol daemon) package has chrony as an alternative, SSLv3 has been disabled by default, and there's improved support for Hyper-V.
Facebook

Facebook Could Be Eavesdropping On Your Phone Calls (news10.com) 163

An anonymous reader writes: Facebook is not just looking at users' personal information, interests, and online habits but also at your private conversations, a new report revealed. According to an NBC report, this may be the case, as Kelli Burns, a professor at the University of South Florida, states: "I don't think that people realize how much Facebook is tracking every move we're making online. Anything that you're doing on your phone, Facebook is watching." Now how do you prove that? Professor Burns tested out her theory by enabling the microphone feature and talking about her desire to go on a safari, mentioning the mode of transport she would take. "I'm really interested in going on an African safari. I think it'd be wonderful to ride in one of those jeeps," she said aloud, phone in hand. The results were shocking: less than 60 seconds later, the first post on her Facebook feed was a safari story out of nowhere, though it was then revealed that the story had been posted three hours earlier. And, after she mentioned a jeep, a car ad also appeared on her page. On a support page, Facebook explains how this feature works: "No, we don't record your conversations. If you choose to turn on this feature, we'll only use your microphone to identify the things you're listening to or watching based on the music and TV matches we're able to identify. If this feature is turned on, it's only active when you're writing a status update." I wonder how many people are actually aware of this.
Government

TSA Replaces Security Chief As Tension Grows At Airports 264

HughPickens.com writes: Ron Nixon reports at the NYT that, facing a backlash over long security lines and management problems, TSA administrator Peter V. Neffenger has shaken up his leadership team, replacing the agency's top security official Kelly Hoggan (Warning: source may be paywalled) and adding a new group of administrators at Chicago O'Hare International Airport. Beginning late that year, Hoggan received $90,000 in bonuses over a 13-month period, even though a leaked report from the Department of Homeland Security showed that auditors were able to get fake weapons and explosives past security screeners 95 percent of the time in 70 covert tests. Hoggan's bonus was paid out in $10,000 increments, an arrangement that members of Congress have said was intended to disguise the payments. During a hearing of the House Oversight Committee two weeks ago, lawmakers grilled Mr. Neffenger about the bonus, which was issued before he joined the agency in July. Last week and over the weekend, hundreds of passengers, including 450 on American Airlines alone, missed flights because of waits of two or three hours in security lines, according to local news reports. Many of the passengers had to spend the night in the terminal sleeping on cots. The TSA has sent 58 additional security officers and four more bomb-sniffing dog teams to O'Hare. Several current and former TSA employees said the moves to replace Hoggan and add the new officials in Chicago, where passengers have endured hours-long waits at security checkpoints, were insufficient. "The timing of this decision is too late to make a real difference for the summer," says Andrew Rhoades, an assistant federal security director at Minneapolis-St. Paul International Airport, who testified that his supervisor accused him of "going native" after he attended a meeting at a local mosque, and that TSA's alleged practice of "directed reassignments," or unwanted job transfers, was intended to punish employees who speak their minds. "Neffenger is only doing this because the media and Congress are making him look bad."
Java

Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard (softpedia.com) 89

An anonymous reader writes: "It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands," writes Softpedia. "This type of attack is known as clipboard hijacking, and in most scenarios, is useless, except when the user copies something inside their terminal." Security researcher Dylan Ayrey published a new version of this attack last week, which uses only JavaScript as the attack medium, giving the attack more versatility and making it easier to carry out. The attack is called Pastejacking and it uses JavaScript to theoretically allow attackers to add their malicious code to the entire page to run commands behind a user's back when they paste anything inside the console. "The attack can be deadly if combined with tech support or phishing emails," writes Softpedia. "Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them."
Security

Elderly Use More Secure Passwords Than Millennials, Says Report (qz.com) 153

An anonymous reader writes from a report via Quartz: A report released May 24 by Gigya surveyed 4,000 adults in the U.S. and U.K. and found that 18- to 34-year-olds are more likely to use bad passwords and to report their online accounts being compromised. The majority of respondents ages 51 to 69 say they completely steer away from easily cracked passwords like "password," "1234," or birthdays, while two-thirds of those in the 18-to-34 age bracket were caught using those kinds of terms. Quartz writes, "The diligence of the older group could help explain why 82% of respondents in this age range did not report having had any of their online accounts compromised in the past year. In contrast, 35% of respondents between 18 and 34 said at least one of their accounts was hacked within the last 12 months, twice the rate of those aged 51 to 69."
The Internet

Hacker Phineas Fisher is Trying To Start a 'Hack Back' Political Movement (vice.com) 123

An anonymous reader writes: The hacker who breached Hacking Team and FinFisher is trying to get more people to "hack back" and fight "the system." For some, thanks to his targeted attacks and sophisticated political views, Phineas Fisher is quickly becoming the most influential hacktivist of the last few years. In response to his most recent hack where he released a 39-minute how-to video showing how to strip data from targeted websites, specifically a website of the Catalan police union, Phineas Fisher told Motherboard, "Everything doesn't have to be big. I wanted to strike a small blow at the system, teach a bit of hacking with the video, and inspire people to take action." Biella Coleman, professor at McGill University in Montreal, believes Phineas Fisher has a good chance of inspiring a new generation of hacktivists and "setting the stage for other hackers to follow in his footsteps." She says he has been better at choosing targets and justifying his actions with more rounded and sophisticated political and ethical views than Anonymous and LulzSec-inspired hackers. Phineas Fisher told Motherboard, "I don't want to be the lone hacker fighting the system. I want to inspire others to take similar action, and try to provide the information so they can learn how."
Government

FBI Wants Biometric Database Hidden From Privacy Act (onthewire.io) 81

Trailrunner7 quotes a report from onthewire.io: The FBI is working to keep information contained in a key biometric database private and unavailable, even to people whose information is contained in the records. The database is known as the Next Generation Identification System (NGIS), and it is an amalgamation of biometric records accumulated from people who have been through one of a number of biometric collection processes. That could include convicted criminals, anyone who has submitted records to employers, and many other people. The NGIS also has information from agencies outside of the FBI, including foreign law enforcement agencies and governments. Because of the nature of the records, the FBI is asking the federal government to exempt the database from the Privacy Act, making the records inaccessible through information requests. From the report: "The bureau says in a proposal to exempt the database from disclosure that the NGIS should be exempt from the Privacy Act for a number of reasons, including the possibility that providing access 'could compromise sensitive law enforcement information, disclose information which would constitute an unwarranted invasion of another's personal privacy; reveal a sensitive investigative technique; could provide information that would allow a subject to avoid detection or apprehension; or constitute a potential danger to the health or safety of law enforcement personnel, confidential sources, and witnesses.'" RT released a similar report on the matter.
AI

Avoiding BlackBerry's Fate: How Apple Could End Up In a Similar Position (marco.org) 214

It's almost unbelievable today that BlackBerry once ruled the smartphone market. The Canadian company's handset, however, started to lose relevance when Apple launched the iPhone in 2007. At the time, BlackBerry said that nobody would purchase an iPhone, as there's a battery trade-off. Wittingly or not, Apple could end up in a similar position to BlackBerry, argues Marco Arment. Arment -- who is best known for his Apple commentary, Overcast and Instapaper apps, and co-founding Tumblr -- says that Apple's strong stand on privacy is keeping it from being the frontrunner in advanced AI, a category which has seen large investments from Google, Apple, Facebook, and Amazon in recent years. He adds that privacy cannot be an excuse, as Apple could utilize public data like the web, mapping databases, and business directories. He writes: Today, Amazon, Facebook, and Google are placing large bets on advanced AI, ubiquitous assistants, and voice interfaces, hoping that these will become the next thing that our devices are for. If they're right -- and that's a big "if" -- I'm worried for Apple. Today, Apple's being led properly day-to-day and doing very well overall. But if the landscape shifts to prioritise those big-data AI services, Apple will find itself in a similar position as BlackBerry did almost a decade ago: what they're able to do, despite being very good at it, won't be enough anymore, and they won't be able to catch up. Where Apple suffers is big-data services and AI, such as search, relevance, classification, and complex natural-language queries. Apple can do rudimentary versions of all of those, but their competitors -- again, especially Google -- are far ahead of them, and the gap is only widening. And Apple is showing worryingly few signs of meaningful improvement or investment in these areas. Apple's apparent inaction shows that they're content with their services' quality, management, performance, advancement, and talent acquisition and retention.
One company that is missing from Mr. Arment's column is Microsoft. The Cortana-maker has also placed large bets on AI. According to job postings on its portal, it appears, for instance, that Microsoft is also working on a Google Home-like service.
Crime

Real-Life RoboCop Guards Shopping Centers In California (metro.co.uk) 100

An anonymous reader quotes a report from Metro: While machines from the likes of RoboCop and Chappie might just be the reserve of films for now, this new type of robot is already fighting crime. This particular example can be found guarding a shopping center in California but there are other machines in operation all over the state. Equipped with self-navigation, infra-red cameras and microphones that can detect breaking glass, the robots, designed by Knightscope, are intended to support security services. Stacy Dean Stephens, who came up with the idea, told The Guardian the problem that needed solving was one of intelligence. "And the only way to gain accurate intelligence is through eyes and ears," he said. "So, we started looking at different ways to deploy eyes and ears into situations like that." The robot costs about $7 an hour to rent and was inspired by the Sandy Hook school shooting after which it was claimed 12 lives could have been saved if officers arrived a minute earlier.
Privacy

Uber Knows Exactly When You'll Pay Surge Pricing (yahoo.com) 210

An anonymous reader writes: Uber has figured out exactly when you are more likely to pay double or triple the cost of your ride: when your phone battery is low. Uber's head of economic research, Keith Chen, recently told NPR on an episode of The Hidden Brain podcast that people are willing to accept up to 9.9 times surge pricing if their phones are about to go dead. Data about user batteries is collected because the app uses that information to know when to switch into low-power mode. The idea being: If you really need to get where you're going, you'll pay just about anything (or at least 9.9 times anything) to ensure you're getting a ride home and won't be stranded. A person with a more fully charged device has time to wait and see if the surge pricing goes down. The company insists that it won't use this information against you.
Government

New Surveillance System May Let Cops Use All Of The Cameras (engadget.com) 117

An anonymous reader quotes a report from Wired: [Computer scientists have created a way of letting law enforcement tap any camera that isn't password protected so they can determine where to send help or how to respond to a crime.] The system, which is just a proof of concept, alarms privacy advocates who worry that prudent surveillance could easily lead to government overreach, or worse, unauthorized use. It relies upon two tools developed independently at Purdue. The Visual Analytics Law Enforcement Toolkit superimposes the rate and location of crimes and the location of police surveillance cameras. CAM2 reveals the location and orientation of public network cameras, like the one outside your apartment. You could do the same thing with a search engine like Shodan, but CAM2 makes the job far easier, which is the scary part. Aggregating all these individual feeds makes it potentially much more invasive. [Purdue limits access to registered users, and the terms of service for CAM2 state "you agree not to use the platform to determine the identity of any specific individuals contained in any video or video stream." A reasonable step to ensure privacy, but difficult to enforce (though the team promises the system will have strict security if it ever goes online). Beyond the specter of universal government surveillance lies the risk of someone hacking the system.] EFF discovered that anyone could access more than 100 "secure" automated license plate readers last year.
The Courts

Google Appeals French Order For Global 'Right To Be Forgotten' (reuters.com) 169

An anonymous reader quotes a report from Reuters: Alphabet Inc's Google appealed on Thursday an order from the French data protection authority to remove certain web search results globally in response to a European privacy ruling, escalating a fight on the extra-territorial reach of EU law. In May 2014, the European Court of Justice (ECJ) ruled that people could ask search engines, such as Google and Microsoft's Bing, to remove inadequate or irrelevant information from web results appearing under searches for people's names -- dubbed the "right to be forgotten." Google complied, but it only scrubbed results across its European websites such as Google.de in Germany and Google.fr in France, arguing that to do otherwise would set a dangerous precedent on the territorial reach of national laws. The French regulator, the Commission Nationale de l'Informatique et des Libertes (CNIL), fined Google 100,000 euros ($112,150.00) in March for not delisting more widely, arguing that was the only way to uphold Europeans' right to privacy. The company filed its appeal of the CNIL's order with France's supreme administrative court, the Council of State. "One nation does not make laws for another," said Dave Price, senior product counsel, Google. "Data protection law, in France and around Europe, is explicitly territorial, that is limited to the territory of the country whose law is being applied." Google's Transparency Report indicates the company accepts around 40 percent of requests for the removal of links appearing under search results for people's names.
Google

Google Is A Serial Tracker (softpedia.com) 110

An anonymous reader writes: Two Princeton academics conducted a massive study of how websites track users using various techniques. The results of the study, which they claim to be the biggest to date, show that Google, through multiple domains, is tracking users on around 80 percent of all Top 1 Million domains. Researchers say that Google-owned domains account for the top 5 most popular trackers and 12 of the top 20 tracker domains. Additionally, besides tracking scripts, HTML5 canvas fingerprinting and WebRTC local IP discovery, researchers discovered a new user fingerprinting technique that uses the AudioContext API. Third-party trackers use it to send low-frequency sounds to a user's PC and measure how the PC processes the data, creating a unique fingerprint based on the user's hardware and software capabilities. A demo page for this technique is available. Of course, this sort of thing is nothing new and occurs all across the web and beyond. MIT and Oxford published a study this week that revealed that Twitter location tags on only a few tweets can reveal details about the account's owner, such as his/her real-world address, hobbies and medical history. Another recently released study by Stanford shows that phone call metadata can also be used to infer personal details about a phone owner.
