Java

Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard (softpedia.com)

An anonymous reader writes: "It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands," writes Softpedia. "This type of attack is known as clipboard hijacking, and in most scenarios, is useless, except when the user copies something inside their terminal." Security researcher Dylan Ayrey published a new version of this attack last week, which uses only JavaScript as the attack medium, giving the attack more versatility and making it now easier to carry out. The attack is called Pastejacking and it uses JavaScript to theoretically allow attackers to add their malicious code to the entire page to run commands behind a user's back when they paste anything inside the console. "The attack can be deadly if combined with tech support or phishing emails," writes Softpedia. "Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them."
Security

Elderly Use More Secure Passwords Than Millennials, Says Report (qz.com) 30

An anonymous reader writes from a report via Quartz: A report released May 24 by Gigya surveyed 4,000 adults in the U.S. and U.K. and found that 18- to 34-year-olds are more likely to use bad passwords and report their online accounts being compromised. The majority of respondents ages 51 to 69 say they completely steer away from easily cracked passwords like "password," "1234," or birthdays, while two-thirds of those in the 18-to-34 age bracket were caught using those kinds of terms. Quartz writes, "The diligence of the older group could help explain why 82% of respondents in this age range did not report having had any of their online accounts compromised in the past year. In contrast, 35% of respondents between 18 and 34 said at least one of their accounts was hacked within the last 12 months, twice the rate of those aged 51 to 69."
Google

Google France Being Raided For Unpaid Taxes (reuters.com) 51

jones_supa writes: Investigators in France have raided Google's Paris headquarters amid a probe over the company's tax payments, Reuters reports. The French Finance Ministry is investigating $1.8 billion in back taxes. According to a report in French daily Le Parisien, at least 100 investigators are part of the raid at Google's offices. A source close to the finance ministry said that the raid at Google's offices has been ongoing on Tuesday since 03:00 GMT. In February, a source at the French Finance Ministry told Reuters that the government was seeking the $1.8 billion from Google. At the time, official spokespeople for Google France and the Finance Ministry refused to comment on the situation. Google could face up to an $11.14 million fine if it is found guilty, or a fine of half of the value of the laundered amount involved. In April, the EU revealed plans to force multinationals such as Google, Amazon and Facebook to disclose exactly where and how much tax they pay across the continent. A new clause has been added since the Panama Papers leak requiring the companies to report how much money they make in so-called "tax havens."
Facebook

Too Fat For Facebook: Photo Banned For Depicting Body In 'Undesirable Manner' (theguardian.com) 268

An anonymous reader shares a report on The Guardian: Facebook has apologized for banning a photo of a plus-sized model and telling the feminist group that posted the image that it depicts "body parts in an undesirable manner". Cherchez la Femme, an Australian group that hosts popular culture talkshows with "an unapologetically feminist angle", said Facebook rejected an advert featuring Tess Holliday, a plus-sized model wearing a bikini, telling the group it violated the company's "ad guidelines". After the group appealed against the rejection, Facebook's ad team initially defended the decision, writing that the photo failed to comply with the social networking site's "health and fitness policy". "Ads may not depict a state of health or body weight as being perfect or extremely undesirable," Facebook wrote. "Ads like these are not allowed since they make viewers feel bad about themselves. Instead, we recommend using an image of a relevant activity, such as running or riding a bike." In a statement on Monday, Facebook apologized for its original stance and said it had determined that the photo does comply with its guidelines. Facebook said that its team scans millions of ad images every week, and sometimes understandably misses out on a few.
China

China's Huawei Sues Samsung Claiming Mobile Patent Infringement (reuters.com) 37

An anonymous reader writes: Huawei said on Wednesday it has filed lawsuits against Samsung claiming infringement of smartphone patents, in the first such case by the Chinese firm against the world's biggest mobile maker. Huawei has filed lawsuits in the United States and China seeking compensation for what it said was unlicensed use of fourth-generation (4G) cellular communications technology, operating systems and user interface software in Samsung phones. The lawsuit marks a reversal of roles in China where firms have often been on the receiving end of patent infringement disputes. In smartphones, makers have grown rapidly in recent years but different intellectual property laws outside of China have slowed overseas expansion. "We hope Samsung will ... stop infringing our patents and get the necessary license from Huawei, and work together with Huawei to jointly drive the industry forward," Ding Jianxing, president of Huawei's Intellectual Property Rights Department, said.
AT&T

AT&T Begins Capping Broadband Users (dslreports.com) 146

Karl Bode, reporting for DSLReports (edited for clarity): Just a reminder to AT&T customers: the company's usage caps on U-Verse broadband connections are now in effect. When AT&T originally announced broadband caps on fixed-line connections back in 2011, it capped DSL customers at 150 GB per month and U-Verse customers at 250 GB per month. But while the DSL customer cap was enforced (by and large because AT&T wants these users to migrate to wireless anyway), AT&T didn't enforce caps for its U-Verse customers. Until now, anyway. Back in March AT&T announced it would begin enforcing usage caps on all connections starting May 23. As of today, U-Verse customers face different caps depending on their speed tier. AT&T says customers on U-Verse tiers with speeds between 768 Kbps and 6 Mbps will now face a 300 GB cap; customers on U-Verse tiers of speeds between 12 Mbps and 75 Mbps will see a 600 GB cap, and customers on speeds between 100 Mbps and 1 Gbps will see a cap of 1 terabyte. Users who exceed these caps in any given month will automatically have to pay for 50 GB of additional data for $10 each.
Facebook

Facebook Is Tweaking Trending Topics To Counter Charges of Bias (recode.net) 146

An anonymous reader writes: Facebook has said once again in an open letter to Sen. John Thune, chairman of the Senate Commerce Committee, that its Trending Topics section is free of any political bias or manipulation. But in response to Gizmodo's report that Facebook employees were suppressing conservative news stories, Facebook is revamping how editors find trending stories. "We could not fully exclude the possibility of isolated improper actions or unintentional bias in the implementation of our guidelines or policies," Facebook General Counsel Colin Stretch wrote. Of course, Facebook is going to train the human editors who work on its trending section; it is also going to abandon several automated tools it used to find and categorize trending news in the past. Recode provides some examples, writing, "[Facebook] will no longer use its '1K list,' a group of 1,000 websites it used to help verify headlines." Facebook will also get rid of several top publications, including the New York Times and CNN.
The Internet

Hacker Phineas Fisher is Trying To Start a 'Hack Back' Political Movement (vice.com) 113

An anonymous reader writes: The hacker who breached Hacking Team and FinFisher is trying to get more people to "hack back" and fight "the system." For some, thanks to his targeted attacks and sophisticated political views, Phineas Fisher is quickly becoming the most influential hacktivist of the last few years. In response to his most recent hack where he released a 39-minute how-to video showing how to strip data from targeted websites, specifically a website of the Catalan police union, Phineas Fisher told Motherboard, "Everything doesn't have to be big. I wanted to strike a small blow at the system, teach a bit of hacking with the video, and inspire people to take action." Biella Coleman, professor at McGill University in Montreal, believes Phineas Fisher has a good chance of inspiring a new generation of hacktivists and "setting the stage for other hackers to follow in his footsteps." She says he has been better at choosing targets and justifying his actions with more rounded and sophisticated political and ethical views than Anonymous and LulzSec-inspired hackers. Phineas Fisher told Motherboard, "I don't want to be the lone hacker fighting the system. I want to inspire others to take similar action, and try to provide the information so they can learn how."
iPhone

Apple Sued Over iPhones Making Calls, Sending Email (fortune.com) 127

An anonymous reader quotes a report from Fortune: A company that seemingly does nothing but license patents or, if necessary, sue other companies to get royalties, has taken aim at Apple. But here's the kicker: the lawsuit alleges that Apple's last several iPhones and iPads violate a slew of patents related to seemingly standard features, including the ability to place calls as well as sending and receiving emails. A total of six patent infringement claims were brought against Apple by Corydoras Technologies on May 20, according to Apple-tracking site Patently Apple, which obtained a copy of the lawsuit. According to Patently Apple, the counts against Apple cover every iPhone dating back to the iPhone 4 and every iPad dating back to the iPad 2. In addition to taking issue with Apple's devices placing calls, the lawsuits also allege that the tech giant violates patents Corydoras holds related to video calling, which is similar to Apple's FaceTime, as well as displaying a person's geographic location through a feature like Find My iPhone and the ability to block unwanted calls. Last year, Apple was ordered to pay $533 million to Smartflash LLC for allegedly violating three patents related to copy protection.
Government

FBI Wants Biometric Database Hidden From Privacy Act (onthewire.io) 74

Trailrunner7 quotes a report from onthewire.io: The FBI is working to keep information contained in a key biometric database private and unavailable, even to people whose information is contained in the records. The database is known as the Next Generation Identification System (NGIS), and it is an amalgamation of biometric records accumulated from people who have been through one of a number of biometric collection processes. That could include convicted criminals, anyone who has submitted records to employers, and many other people. The NGIS also has information from agencies outside of the FBI, including foreign law enforcement agencies and governments. Because of the nature of the records, the FBI is asking the federal government to exempt the database from the Privacy Act, making the records inaccessible through information requests. From the report: "The bureau says in a proposal to exempt the database from disclosure that the NGIS should be exempt from the Privacy Act for a number of reasons, including the possibility that providing access 'could compromise sensitive law enforcement information, disclose information which would constitute an unwarranted invasion of another's personal privacy; reveal a sensitive investigative technique; could provide information that would allow a subject to avoid detection or apprehension; or constitute a potential danger to the health or safety of law enforcement personnel, confidential sources, and witnesses.'" RT released a similar report on the matter.
The Almighty Buck

Amazon Stops Giving Refunds When an Item's Price Drops After You Purchase It (recode.net) 157

Amazon has for years issued refunds to users when the price of an item drops after they've purchased it. But lately the e-commerce giant hasn't been doing that on a number of products, except for televisions, according to price-tracking companies. Recode reports: The move may have something to do with the rise of startups that track prices for Amazon customers and automatically request refunds when appropriate. One of them, a Santa Monica-based startup called Earny that is backed by the startup incubator Science, first pointed out the change. Earny scours a customer's email inbox for digital receipts, and then continuously checks the price on a retailer's website to see if it drops.
Google

How Copyright Law Is Being Misused To Remove Material From the Internet (theguardian.com) 99

London-based resident Annabelle Narey posted a negative review of a building firm on Mumsnet. She noted in her review that her ceiling fell down in an upstairs bedroom. The Guardian reports about what happened to her in the aftermath of posting that review. Building firm BuildTeam sent a letter to Mumsnet, which the site passed on to Narey. According to Narey, BuildTeam found Narey's comment defamatory and untrue, and asked for the removal of the comment from the website. The original comment saw several other users also post similar grievances, though many of these users pulled their comments in response to the legal threats from BuildTeam. Narey wanted to keep hers up. Then things got even weirder, reports the Guardian. Narey says BuildTeam staff visited her apartment, and instead of offering any apology, asked her to remove the comment. Mumsnet received a warning from Google: a takedown request under DMCA, alleging copyright infringement. This led Google to de-list the entire thread. From the report: No copyright infringement had occurred at all. At some point after Narey posted her comments on Mumsnet, someone had copied the entire text of one of her posts and pasted it, verbatim, to a spammy blog titled "Home Improvement Tips and Tricks". The post, headlined "Buildteam interior designers", was backdated to September 14 2015, three months before Narey had written it. BuildTeam says it has no idea why Narey's review was reposted, but that it had nothing to do with it. The Guardian deep dives into what is wrong with the copyright system, the issues Google faces in dealing with them, and the consequences many users are facing because of this.
Government

How the Pentagon Punished NSA Whistleblowers (theguardian.com) 133

Ten years before Edward Snowden's leak, an earlier whistleblower on NSA spying "was fired, arrested at dawn by gun-wielding FBI agents, stripped of his security clearance, charged with crimes that could have sent him to prison for the rest of his life, and all but ruined financially and professionally," according to a new article in The Guardian. "The only job he could find afterwards was working in an Apple store in suburban Washington, where he remains today... The supreme irony? In their zeal to punish Drake, these Pentagon officials unwittingly taught Snowden how to evade their clutches when the 29-year-old NSA contract employee blew the whistle himself."

But today The Guardian reveals a new story about John Crane, a senior official at the Department of Defense "who fought to provide fair treatment for whistleblowers such as Thomas Drake -- until Crane himself was forced out of his job and became a whistleblower as well..." Crane told me how senior Defense Department officials repeatedly broke the law to persecute whistleblower Thomas Drake. First, he alleged, they revealed Drake's identity to the Justice Department; then they withheld (and perhaps destroyed) evidence after Drake was indicted; finally, they lied about all this to a federal judge...

Crane's failed battle to protect earlier whistleblowers should now make it very clear that Snowden had good reasons to go public with his revelations... if [Crane's] allegations are confirmed in court, they could put current and former senior Pentagon officials in jail. (Official investigations are quietly under way.)

Meanwhile, George Maschke writes: In a presentation to a group of Texas law students, a polygraph examiner for the U.S. Department of Defense revealed that in the aftermath of Edward Snowden's revelations, the number of polygraphs conducted annually by the department tripled (to over 120,000). Morris also conceded that mental countermeasures to the polygraph are a "tough thing."
Security

Hundreds of Drupal Sites Targeted With Fake Ransomware (softpedia.com) 51

An anonymous reader writes: A group of hackers has created a ransomware strain that specifically targets Drupal sites. Infection occurs thanks to an automated bot which scans Drupal sites and then uses an SQL injection (CVE-2014-3704) to change the site admin's password. The bot also dumps any emails it finds on the server, and then overwrites the site's main page to show a typical ransomware note. Over 400 sites have been infected so far, but nobody has paid the ransom yet.

This case yet again proves why "Web ransomware" will never work, because even the worst Web hosting service provides automatic backups from which site owners can retrieve a clean version of their site.

Crime

Attackers Steal $12.7M In Massive ATM Heist (mainichi.jp) 74

Within two hours $12.7 million in cash was stolen from 1,400 ATMs located at convenience stores all across Japan, investigators announced Sunday. An anonymous reader quotes a Japanese newspaper: Police suspect that the cash was withdrawn at ATMs using counterfeit credit cards containing account information leaked from a South African bank. Japanese police will work with South African authorities through the International Criminal Police Organization to look into the major theft, including how credit card information was leaked, the sources said.
Over the two hours, attackers withdrew the equivalent of about $907 in each of 14,000 separate transactions.
