Government

'Significant' Number of Equifax Victims Already Had Info Stolen, Says IRS (thehill.com) 99

An anonymous reader quotes a report from The Hill: The IRS does not expect the Equifax data breach to have a major effect on the upcoming tax filing season, Commissioner John Koskinen said Tuesday, adding that the agency believes a "significant" number of the victims already had their information stolen by cyber criminals. "We actually think that it won't make any significantly or noticeable difference," Koskinen told reporters during a briefing on the agency's data security efforts. "Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals." The IRS estimates that more than 100 million Americans have had their personally identifiable information stolen by criminal hackers, he said.

The Equifax breach disclosed in early September is estimated to have affected more than 145 million U.S. consumers. "It's an important reminder to the public that everyone can take any actions that they can ... to make sure we can do everything we can to protect personal information," Koskinen said of the breach on Tuesday, in response to a reporter's question. The IRS commissioner advised Americans to "assume" their data is already in the hands of criminals and "act accordingly."

Google

Toronto To Be Home To Google Parent's Biggest Smart City Project Yet (techcrunch.com) 53

Sidewalk Labs, the smart city subsidiary of Alphabet (the parent company of Google) with the stated goal of "reimagining cities from the Internet up," now has a very big sandbox in which to conduct its high-tech experiments. From a report: That's obviously an ambitious project, but some of the groundwork is already being laid: Alphabet's Google will be the flagship tenant for the new neighbourhood, anchoring the easter waterfront, to be called "Quayside," and Sidewalk Labs has committed $50 million to kick off pilot testing and planning in partnership with the City of Toronto. Sidewalk Labs won the contract through its response to a Request for Proposals issues by Waterfront Toronto, and organization created by the Canadian federal government, the Ontario provincial government and the City of Toronto together to foster development of Toronto's lakefront areas in ways that address urban sprawl while respecting the realities of climate change and taking into account the ability of the city's residents to get around efficiently. The area involved in the RFP that Sidewalk Labs will work with the government coalition to develop spans around 800 acres (though 12 acres are specified for the initial project), and is one of the largest underdeveloped urban areas in any North American city, making it a good target for Sidewalk's ambitious vision, which involves building smart cities holistically from the very start. Ultimately, the partners hope to turn the area into a "place for tens of thousands of people to live, work, learn and play -- and to create and advance new ideas that improve city life," according to a release from Sidewalk.
Google

'Google Just Made Gmail the Most Secure Email Provider on the Planet' (vice.com) 195

Google announced on Tuesday that it would offer stronger online security for "high risk" users who may be frequent targets of online attacks. The company said anyone with a personal Google account can enroll in the new "advanced protection," while noting that it will require users to "trade off a bit of convenience" for extra security. Motherboard reports: The main advantage in terms of security is the need for a key or token to log in as the second factor, instead of a code sent via SMS or via app. This is much better because there's no way for hackers to steal or phish this key from afar (there have been isolated incidents of hackers using social engineering to gain access to someone's cell phone number by getting the provider to issue a new SIM card, for instance). Thanks to these new features, Gmail is now the most secure email provider available on the internet if you are worried about hackers breaking into your private correspondence. "This is a major step in the right direction in offering the same kind of protection available to high-profile figures to everyday people," Kenneth White, a Washington D.C. based security consultant to federal agencies, told Motherboard. "They have really thought this through, and while it may not make sense for everyone, for those that need it, it's a much needed option."
Wireless Networking

Every Patch For 'KRACK' Wi-Fi Vulnerability Available Right Now (zdnet.com) 131

An anonymous reader quotes a report from ZDNet: As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates. According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device. In total, ten CVE numbers have been preserved to describe the vulnerability and its impact, and according to the U.S. Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks. A list of the patches available is below. For the most up-to-date list with links to each patch/statement (if available), visit ZDNet's article.
Security

Ask Slashdot: What Are Some Hard Truths IT Must Learn To Accept? (cio.com) 400

snydeq writes: "The rise of shadow IT, shortcomings in the cloud, security breaches -- IT leadership is all about navigating hurdles and deficiencies, and learning to adapt to inevitable setbacks," writes Dan Tynan in an article on six hard truths IT must learn to accept. "It can be hard to admit that you've lost control over how your organization deploys technology, or that your network is porous and your code poorly written. Or no matter how much bandwidth you've budgeted for, it never quite seems to be enough, and that despite its bright promise, the cloud isn't the best solution for everything." What are some hard truths your organization has been dealing with? Tynan writes about how the idea of engineering teams sticking a server in a closet and using it to run their own skunkworks has become more open; how an organization can't do everything in the cloud, contrasting the 40 percent of CIOs surveyed by Gartner six years ago who believed they'd be running most of their IT operations in the cloud by now; and how your organization should assume from the get-go that your environment has already been compromised and design a security plan around that. Can you think of any other hard truths IT must learn to accept?
Google

Google Chrome for Windows Gets Basic Antivirus Features (betanews.com) 54

Google is rolling out a trio of important changes to Chrome for Windows users. From a report: At the heart of these changes is Chrome Cleanup. This feature detects unwanted software that might be bundled with downloads, and provides help with removing it. Google's Philippe Rivard explains that Chrome now has built-in hijack detection which should be able to detect when user settings are changes without consent. This is a setting that has already rolled out to users, and Google says that millions of users have already been protected against unwanted setting changes such as having their search engine altered. But it's the Chrome Cleanup tool that Google is particularly keen to highlight. A redesigned interface makes it easier to use and to see what unwanted software has been detected and singled out for removal.
Security

Millions of High-Security Crypto Keys Crippled by Newly Discovered Flaw (arstechnica.com) 55

Slovak and Czech researchers have found a vulnerability that leaves government and corporate encryption cards vulnerable to hackers to impersonate key owners, inject malicious code into digitally signed software, and decrypt sensitive data, reports ArsTechnica. From the report: The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it's located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest. The flaw is the one Estonia's government obliquely referred to last month when it warned that 750,000 digital IDs issued since 2014 were vulnerable to attack. Estonian officials said they were closing the ID card public key database to prevent abuse. On Monday, officials posted this update. Last week, Microsoft, Google, and Infineon all warned how the weakness can impair the protections built into TPM products that ironically enough are designed to give an additional measure of security to high-targeted individuals and organizations.
Microsoft

US Supreme Court To Decide Microsoft Email Privacy Dispute (reuters.com) 68

The U.S. Supreme Court on Monday agreed to resolve a major privacy dispute between the Justice Department and Microsoft Corp over whether prosecutors should get access to emails stored on company servers overseas. From a report: The justices will hear the Trump administration's appeal of a lower court's ruling last year preventing federal prosecutors from obtaining emails stored in Microsoft computer servers in Dublin, Ireland in a drug trafficking investigation. That decision by the New York-based 2nd U.S. Court of Appeals marked a victory for privacy advocates and technology companies that increasingly offer cloud computing services in which data is stored remotely. Microsoft, which has 100 data centers in 40 countries, was the first U.S. company to challenge a domestic search warrant seeking data held outside the country. There have been several similar challenges, most brought by Google.
Security

WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com) 247

A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack. From a report: The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network. That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream. In other words: hackers can eavesdrop on your network traffic. The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk. "If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website. News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug, ZDNet has learned.
Government

Ask Slashdot: Should Users Uninstall Kaspersky's Antivirus Software? (slashdot.org) 305

First, here's the opinion of two former NSA cybersecurity analysts (via Consumer Reports): "It's a big deal," says Blake Darche, a former NSA cybersecurity analyst and the founder of the cybersecurity firm Area 1. "For any consumers or small businesses that are concerned about privacy or have sensitive information, I wouldn't recommend running Kaspersky." By its very nature antivirus software is an appealing tool for hackers who want to access remote computers, security experts say. Such software is designed to scan a computer comprehensively as it searches for malware, then send regular reports back to a company server. "One of the things people don't realize, by installing that tool you give [the software manufacturer] the right to pull any information that might be interesting," says Chris O'Rourke, another former NSA cybersecurity expert who is the CEO of cybersecurity firm Soteria.
But for that reason, Bloomberg View columnist Leonid Bershidsky suggests any anti-virus software will be targetted by nation-state actors, and argues that for most users, "non-state criminal threats are worse. That's why Interpol this week signed a new information-sharing agreement with Kaspersky despite all the revelations in the U.S. media: The international police cooperation organization deals mainly with non-state actors, including profit-seeking hackers, rather than with the warring intelligence services."

And long-time Slashdot reader freddieb is a loyal Kaspersky user who is wondering what to do, calling the software "very effective and non-intrusive." And in addition, "Numerous recent hacks have gotten my data (Equifax, and others) so I expect I have nothing else to fear except ransomware."

Share your own informed opinions in the comments. Should users uninstall Kaspersky's antivirus software?
Crime

Dutch Police Build a Pokemon Go-Style App For Hunting Wanted Criminals (csoonline.com) 62

"How can the police induce citizens to help investigate crime? By trying to make it 'cool' and turning it into a game that awards points for hits," reports CSO. mrwireless writes: Through their 'police of the future' innovation initiative, and inspired by Pokemon Go, the Dutch police are building an app where you can score points by photographing the license plates of stolen cars. When a car is reported stolen the app will notify people in the neighbourhood, and then the game is on! Privacy activists are worried this creates a whole new relationship with the police, as a deputization of citizens blurs boundaries, and institutionalizes 'coveillance' -- citizens spying on citizens. It could be a slippery slope to situations that more resemble the Stasi regime's, which famously used this form of neighborly surveillance as its preferred method of control.
CSO cites Spiegel Online's description of the unofficial 189,000 Stasi informants as "totally normal citizens of East Germany who betrayed others: neighbors reporting on neighbors, schoolchildren informing on classmates, university students passing along information on other students, managers spying on employees and Communist bosses denouncing party members."

The Dutch police are also building another app that allows citizens to search for missing persons.
Privacy

Dutch Privacy Regulator Says Windows 10 Breaks the Law (arstechnica.com) 63

An anonymous reader quotes a report from Ars Technica: The lack of clear information about what Microsoft does with the data that Windows 10 collects prevents consumers from giving their informed consent, says the Dutch Data Protection Authority (DPA). As such, the regulator says that the operating system is breaking the law. To comply with the law, the DPA says that Microsoft needs to get valid user consent: this means the company must be clearer about what data is collected and how that data is processed. The regulator also complains that the Windows 10 Creators Update doesn't always respect previously chosen settings about data collection. In the Creators Update, Microsoft introduced new, clearer wording about the data collection -- though this language still wasn't explicit about what was collected and why -- and it forced everyone to re-assert their privacy choices through a new settings page. In some situations, though, that page defaulted to the standard Windows options rather than defaulting to the settings previously chosen. In the Creators Update, Microsoft also explicitly enumerated all the data collected in Windows 10's "Basic" telemetry setting. However, the company has not done so for the "Full" option, and the Full option remains the default. The DPA's complaint doesn't call for Microsoft to offer a complete opt out of the telemetry and data collection, instead focusing on ensuring that Windows 10 users know what the operating system and Microsoft are doing with their data. The regulator says that Microsoft wants to "end all violations," but if the software company fails to do so, it faces sanctions.
Data Storage

Researcher Turns HDD Into Rudimentary Microphone (bleepingcomputer.com) 64

An anonymous reader writes from Bleeping Computer: Speaking at a security conference, researcher Alfredo Ortega has revealed that you can use your hard disk drive (HDD) as a rudimentary microphone to pick up nearby sounds. This is possible because of how hard drives are designed to work. Sounds or nearby vibrations are nothing more than mechanical waves that cause HDD platters to vibrate. By design, a hard drive cannot read or write information to an HDD platter that moves under vibrations, so the hard drive must wait for the oscillation to stop before carrying out any actions. Because modern operating systems come with utilities that measure HDD operations up to nanosecond accuracy, Ortega realized that he could use these tools to measure delays in HDD operations. The longer the delay, the louder the sound or the intense the vibration that causes it. These read-write delays allowed the researcher to reconstruct sound or vibration waves picked up by the HDD platters. A video demo is here.

"It's not accurate yet to pick up conversations," Ortega told Bleeping Computer in a private conversation. "However, there is research that can recover voice data from very low-quality signals using pattern recognition. I didn't have time to replicate the pattern-recognition portion of that research into mine. However, it's certainly applicable." Furthermore, the researcher also used sound to attack hard drives. Ortega played a 130Hz tone to make an HDD stop responding to commands. "The Linux kernel disconnected it entirely after 120 seconds," he said. There's a video of this demo on YouTube.

Google

Google Permanently Disables Touch Function On All Home Minis Due To Privacy Concerns (bbc.co.uk) 48

Big Hairy Ian shares a report from BBC: Google has stopped its Home Mini speakers responding when users touch them. It permanently turned off the touch activation feature after it found that sensors primed to spot a finger tap were too sensitive. Early users found that the touch sensors were registering "phantom" touches that turned them on. This meant the speakers were recording everything around them thousands of times a day. Google said it disabled the feature to give users "peace of mind." Google's Home Mini gadgets were unveiled on October 4th as part of a revamp of its line of smart speakers. The intelligent assistant feature on it could be activated two ways -- by either saying "OK, Google" or by tapping the surface. About 4,000 Google Home Mini units were distributed to early reviewers and those who attended Google's most recent launch event. Artem Russakovskii from Android Police first discovered the issue with his unit, ultimately causing Google to "permanently [nerf] all Home Minis" because his spied on everything he said 24/7.
Privacy

DJI Unveils Technology To Identify and Track Airborne Drones (suasnews.com) 61

garymortimer shares a report from sUAS News: DJI, the world's leader in civilian drones and aerial imaging technology, has unveiled AeroScope, its new solution to identify and monitor airborne drones with existing technology that can address safety, security and privacy concerns. AeroScope uses the existing communications link between a drone and its remote controller to broadcast identification information such as a registration or serial number, as well as basic telemetry, including location, altitude, speed and direction. Police, security agencies, aviation authorities and other authorized parties can use an AeroScope receiver to monitor, analyze and act on that information. AeroScope has been installed at two international airports since April, and is continuing to test and evaluate its performance in other operational environments. AeroScope works with all current models of DJI drones, which analysts estimate comprise over two-thirds of the global civilian drone market. Since AeroScope transmits on a DJI drone's existing communications link, it does not require new on-board equipment or modifications, or require extra steps or costs to be incurred by drone operators. Other drone manufacturers can easily configure their existing and future drones to transmit identification information in the same way.
Businesses

Hyatt Hotels Discovers Card Data Breach At 41 Properties Across 11 Countries (krebsonsecurity.com) 20

Hyatt Hotels has suffered a second card data breach in two years. In the first breach, hackers had gained access to credit card systems at 250 properties in 50 different countries. This time, the breach appears to have impacted 41 properties across 11 countries. Krebs on Security reports: Hyatt said its cyber security team discovered signs of unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017. "Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, which included engaging leading third-party experts, payment card networks and authorities," the company said in a statement. "Hyatt's layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates." The hotel chain said the incident affected payment card information -- cardholder name, card number, expiration date and internal verification code -- from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. It added there is no indication that any other information was involved.
Security

US Weapons Data Stolen During Raid of Australian Defense Contractor's Computers (wsj.com) 78

phalse phace writes: Another day, another report of a major breach of sensitive U.S. military and intelligence data. According to a report by The Wall Street Journal (Warning: source may be paywalled; alternative source), "A cyberattacker nicknamed 'Alf' gained access to an Australian defense contractor's computers and began a four-month raid that snared data on sophisticated U.S. weapons systems. Using the simple combinations of login names and passwords 'admin; admin' and 'guest; guest' and exploiting a vulnerability in the company's help-desk portal, the attacker roved the firm's network for four months. The identity and affiliation of the hackers in the Australian attack weren't disclosed, but officials with knowledge of the intrusion said the attack was thought to have originated in China."

The article goes on to state that "Alf obtained around 30 gigabytes of data on Australia's planned purchase of up to 100 F-35 fighters made by Lockheed Martin, as well as information on new warships and Boeing-built P-8 Poseidon maritime-surveillance aircraft, in the July 2016 breach." The stolen data also included details of the C-130 Hercules transport aircraft and guided bombs used by the U.S. and Australian militaries as well as design information "down to the captain's chair" on new warships for Australia's navy.

Android

Down the Rabbit Hole With a BLU Phone Infection (threatpost.com) 43

msm1267 writes: BLU phones, marketed as affordable Android devices, have recently been pulled from Amazon and other retailers after allegations the devices were infected with spyware and posed a privacy threat to users. This is the tale of one such victim who purchased 11 devices that instantaneously began serving pop-up ads and downloading unwanted applications. The phones were analyzed and the root of the issue in this case was uncovered.
Social Networks

How Facebook Outs Sex Workers (gizmodo.com) 634

An anonymous reader shares a Gizmodo report: Leila has two identities, but Facebook is only supposed to know about one of them. Leila is a sex worker. She goes to great lengths to keep separate identities for ordinary life and for sex work, to avoid stigma, arrest, professional blowback, or clients who might be stalkers (or worse). Her "real identity" -- the public one, who lives in California, uses an academic email address, and posts about politics -- joined Facebook in 2011. Her sex-work identity is not on the social network at all; for it, she uses a different email address, a different phone number, and a different name. Yet earlier this year, looking at Facebook's "People You May Know" recommendations, Leila (a name I'm using in place of either of the names she uses) was shocked to see some of her regular sex-work clients. Despite the fact that she'd only given Facebook information from her vanilla identity, the company had somehow discerned her real-world connection to these people -- and, even more horrifyingly, her account was potentially being presented to them as a friend suggestion too, outing her regular identity to them. Because Facebook insists on concealing the methods and data it uses to link one user to another, Leila is not able to find out how the network exposed her or take steps to prevent it from happening again. "We're living in an age where you can weaponize personal information against people"Kashmir Hill, the reporter who wrote the above story, a few weeks ago shared another similar incident.
Privacy

US Government Has 'No Right To Rummage' Through Anti-Trump Protest Website Logs, Says Judge (theregister.co.uk) 277

A Washington D.C. judge has told the U.S. Department of Justice it "does not have the right to rummage" through the files of an anti-Trump protest website -- and has ordered the dot-org site's hosting company to protect the identities of its users. The Register reports: Chief Judge Robert E. Morin issued the revised order [PDF] Tuesday following a high-profile back and forth between the site's hosting biz DreamHost and prosecutors over what details Uncle Sam was entitled to with respect to the disruptj20.org website. "As previously observed, courts around the country have acknowledged that, in searches for electronically stored information, evidence of criminal activity will likely be intermingled with communications and other records not within the scope of the search warrant," he noted in his ruling. "Because of the potential breadth of the government's review in this case, the warrant in its execution may implicate otherwise innocuous and constitutionally protected activity. As the Court has previously stated, while the government has the right to execute its Warrant, it does not have the right to rummage through the information contained on DreamHost's website and discover the identity of, or access communications by, individuals not participating in alleged criminal activity, particularly those persons who were engaging in protected First Amendment activities." The order then lists a series of protocols designed to protect netizens "to comply with First Amendment and Fourth Amendment considerations, and to prevent the government from obtaining any identifying information of innocent persons."

Slashdot Top Deals