News

Authorities Reportedly Question McAfee's Ex-girlfriend (networkworld.com) 41

netbuzz writes: While antivirus software pioneer John McAfee is in the media spotlight for his long-shot Libertarian presidential run, law enforcement authorities in Belize and the FBI have just this week reportedly questioned one of his ex-girlfriends as they continue to investigate the 2012 murder of McAfee's American neighbor. That probe prompted McAfee to flee Belize and eventually land back in the United States. McAfee has steadfastly denied any involvement in the murder.
Security

Ransomware Hits UK Website, Defaces Homepage 16

An anonymous reader writes: The website of the British Association for Counseling & Psychotherapy has been hit by a variant of the CTB-Locker ransomware. While the ransomware proclaims itself to be CTB-Locker, there are a ton of clues that reveal this may be a fake and this is actually the first ever ransomware family created to target websites and not computers.
Censorship

UK GCHQ Is Allowed To Hack (bbc.co.uk) 70

An anonymous reader writes: A security tribunal has just decreed that hacking by the UK security agency GCHQ is legal. [The case was launched after revelations by Edward Snowden about the extent of US and UK spying. Campaigners Privacy International claimed GCHQ's hacking operations were too intrusive]. The legal challenge that they were violating European law was rejected.
Crime

Hackers of Ukrainian Utilities Probably Hit Mining and Railroad Targets, Too (csoonline.com) 20

itwbennett writes: Trend Micro said Thursday that its latest technical research shows that the same malware — dubbed BlackEnergy and KillDisk — were likely used in attacks on a mining company and a railway operator that preceded the devastating power-company hacks and that those earlier attacks may have been test runs. 'The malware used in the attacks, known as Black Energy, has been linked by the security firm iSight Partners to a group nicknamed the Sandworm Team, which is suspected to be from Russia,' writes Jeremy Kirk.
Piracy

Pirate Bay Browser Streaming Technology Is a Security and Privacy Nightmare (softpedia.com) 70

An anonymous reader writes: Last week the Pirate Bay added support for streaming video torrents inside the browser in real-time. Kickass Torrents followed the next week. The technology they used is called Torrents Time. A security researcher has discovered that this technology, which is a mix of client and server side code, is actually a security and user privacy disaster. Attackers can carry out XSS attacks on TPB and KAT, the app runs on Mac as root, attackers can hijack downloads and force malicious code on the user's PC, and advertisers can collect info on any user that has Torrents Time installed.
Firefox

Pwn2Own 2016 Won't Attack Firefox (Because It's Too Easy) (eweek.com) 263

darthcamaro writes: For the last decade, the Pwn2own hacking competition has pitted the world's best hackers against web browsers to try and find zero-day vulnerabilities in a live event. The contest, which is sponsored by HPE and TrendMicro this year, is offering over half a million dollars in prize money, but for the first time, not a penny of that will be directed to Mozilla Firefox. While Microsoft Edge, Google Chrome and Apple Safari are targets, Firefox isn't because it's apparently too easy and not keeping up with modern security: "'We wanted to focus on the browsers that have made serious security improvements in the last year,' Brian Gorenc, manager of Vulnerability Research at HPE said."
Security

ZDNet Writer Downplays Windows 10's Phoning-Home Habits 259

jones_supa writes: Gordon F. Kelly of Forbes whipped up a frenzy over Windows 10 when a Voat user found out in a little experiment that the operating system phones home thousands of times a day. ZDNet's Ed Bott has written a follow-up where he points out how the experiment should not be taken too dramatically. 602 connection attempts were to 192.168.1.255 using UDP port 137, which means local NetBIOS broadcasts. Another 630 were DNS requests. Next up was 1,619 dropped connection attempts to address 94.245.121.253, which is a Microsoft Teredo server. The list goes on with NTP, random HTTP requests, and various cloud hosts which probably are reached by UWP apps. He summarizes by saying that a lot of connections are not at all about telemetry. However, what kind of telemetry and data-mined information Windows specifically sends still remains largely a mystery; hopefully curious people will do analysis on the operating system and network traffic sent by it.
Security

Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com) 78

itwbennett writes: Cisco has published an advisory for a vulnerability with a CVSS (Common Vulnerability Scoring System) score of 10 that was discovered by researchers from Exodus Intelligence. According to the advisory, 'a vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.' As CSO's Dave Lewis points out, 'the part of this that is most pressing is that Cisco claims that there are over a million of these deployed.'
And attackers have not been sitting on their thumbs.
Bitcoin

Researchers Discover a Cheap Method of Breaking Bitcoin Wallet Passwords (softpedia.com) 94

An anonymous reader writes: Three researchers have published a paper that details a new method of cracking Bitcoin "brain wallet passwords," which is 2.5 times speedier than previous techniques and incredibly cheap to perform. The researchers revealed that by using a run-of-the-mill Amazon EC2 account, an attacker would be able to check over 500,000 Bitcoin passwords per second. For each US dollar spent on renting the EC2 server, an attacker would be able to check 17.9 billion password strings. To check a trillion passwords, it would cost the attacker only $55.86 (€49.63). In the end, they managed to crack around 18,000 passwords used for real accounts.
Security

Trane Takes 2 Years To Remove Hard-Coded Root Passwords From IoT Thermostat (softpedia.com) 75

An anonymous reader writes: It took 22 months for Trane to patch three security bugs in its ComfortLink II XL950 smart Wi-Fi thermostat, a modern IoT device along the lines of Google Nest, which offers a simple way to manage your apartment's or building's internal temperature. Researchers contacted Trane about their three issues in April 2014; the company fixed the RCE flaws in April 2015 and recently released a firmware update at the end of January to fix the last issue. During all this time, the company barely answered emails and continued to sell an exposed product.
Government

Identity Thieves Obtain 100,000 Electronic Filing PINs From IRS System (csoonline.com) 104

itwbennett writes: In January attackers targeted an IRS Web application in an attempt to obtain E-file PINs corresponding to 464,000 previously stolen social security numbers (SSNs) and other taxpayer data. The automated bot was blocked by the IRS after obtaining 100,000 PINs. The IRS said in a statement Tuesday that the SSNs were not stolen from the agency and that the agency would be notifying affected taxpayers.
Encryption

Federal Bill Could Override State-Level Encryption Bans (thestack.com) 137

An anonymous reader writes: A new bill has been proposed in Congress today by Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Tex.) which looks to put a stop to any pending state-level legislation that could result in misguided encryption measures. The Ensuring National Constitutional Rights of Your Private Telecommunications Act of 2016 comes as a response to state-level encryption bills which have already been proposed in New York state and California. These near-identical proposals argued in favour of banning the sale of smartphones sold in the U.S. that feature strong encryption and cannot be accessed by the manufacturer. If these bills are passed, current smartphones, including iPhone and Android models, would need to be significantly redesigned for sale in these two states. Now Lieu and Farenthold are making moves to prevent the passing of the bills because of their potential impact on trade [PDF] and the competitiveness of American firms.
Privacy

Most IT Pros Have Seen Embarrassing Information About Their Colleagues 143

An anonymous reader writes: Often working in isolation, IT teams are still considered to be supporting players in many workplaces, yet the responsibility being placed on them is huge. In the event of a cyber attack, network outage or other major issue, they will typically drop everything to fix the problem at hand. Almost all the respondents (95%) to a new AlienVault survey said that they have fixed a user or executive's personal computer issue during their work hours. In addition, over three-quarters (77%) said that they had seen and kept secret potentially embarrassing information relating to their colleagues' or executives' use of company-owned IT resources.
Facebook

French Gov't Gives Facebook 3 Months To Stop Tracking Non-User Browsers 176

Reader iamthecheese writes: RT reports that France's National Commission of Information and Freedoms found Facebook tracking of non-user browsers to be illegal. Facebook has three months to stop doing it. The ruling points to violations of members' and non-members' privacy in violation of an earlier ruling. The guidance, published last October, invalidates safe harbor provisions. If Facebook fails to comply, the French authority will appoint someone to decide upon a sanction. Related: A copy of the TPP leaked last year no longer requires signing countries to have a safe harbor provision.
Crime

Hearthstone Cheats and Tools Spiked With Malware (csoonline.com) 41

itwbennett writes: Cheating at the online card game Hearthstone (which is based on Blizzard's World of Warcraft) can get you banned from the game, but now it also puts you at risk of 'financial losses and system ruin,' writes CSO's Steve Ragan. Symantec is warning Hearthstone players about add-on tools and cheat scripts that are spiked with malware. 'In one example, Hearth Buddy, a tool that allows bots to play the game instead of a human player (which is supposed to help with rank earnings and gold earning) compromises the entire system,' says Ragan. 'Another example, are the dust and gold hacking tools (Hearthstone Hack Tool), which install malware that targets Bitcoin wallets.'
Twitter

Twitter Launches Trust and Safety Council To Help Put End To Trolling (thestack.com) 203

An anonymous reader writes: Twitter has announced a new trust and safety council to stamp out bullying and trolling on the microblogging site. The Twitter Trust & Safety Council will initially be formed of around 40 bodies, including the Cyber Civil Rights Initiative, ICT Watch, NetSafe, and Samaritans. These organisations, along with safety experts, academics and security researchers, will work to ensure a safe and secure platform for users to express themselves freely and safely. The Council's main focus will be to protect minors, encourage 'greater compassion and empathy on the internet,' and promote efforts in media literacy and digital citizenship. Community groups will also participate to help prevent online 'abuse, harassment, and bullying,' as well as mental health problems and suicide.
Security

President Obama Unveils $19 Billion Plan To Overhaul U.S. Cybersecurity 185

erier2003 writes: President Obama on Tuesday unveiled an expansive plan to bolster government and private-sector cybersecurity by establishing a federal coordinator for cyber efforts, proposing a commission to study future work, and asking Congress for funds to overhaul dangerously obsolete computer systems. His newly signed executive orders contain initiatives to better prepare college students for cybersecurity careers, streamline federal computer networks, and certify Internet-connected devices as secure. The Cybersecurity National Action Plan also establishes a Federal Privacy Council (to review how the government stores Americans' personal information), creates the post of Chief Information Security Officer, and establishes a Commission on Enhancing National Cybersecurity.
Crime

Hackers Leak List of FBI Employees (vice.com) 128

puddingebola writes: The hackers responsible for the leaking of DHS employees made good on their threat to reveal the names of 20,000 FBI employees. From the article: "The hacker provided Motherboard with a copy of the data on Sunday. The list includes names, email addresses (many of which are non-public) and job descriptions, such as task force deputy director, security specialist, special agent, and many more. The list also includes roughly 1,000 FBI employees in an intelligence analysis role."
Bug

The Internet of Broken Things (hackaday.com) 95

szczys writes: The Internet of Things is all the hype these days. On one side we have companies clamoring to sell you Internet-Connected-everything to replace all of the stuff you already have that is now considered "dumb." On the other side are security researchers screaming that we're installing remote access with little thought about securing it properly. The truth is a little of both is happening, and that this isn't a new thing. It's been around for years in industry; the new part is that it's much wider spread and much closer to your life. Al Williams walks through some real examples of the unintended consequences of IoT, including his experiences building and deploying devices, and some recent IoT gaffes like the NEST firmware upgrade that had some users waking up to an icy-cold home.
Oracle

Java Installer Flaw Shows Why You Should Clear Your Downloads Folder (csoonline.com) 64

itwbennett writes: On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have lying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason: Older versions of the Java installer were vulnerable to binary planting in the Downloads folder. 'Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system,' said Eric Maurice, Oracle's software security assurance director, in a blog post.