Privacy

German Court Rules Bosses Can't Use Keyboard-Tracking Software To Spy On Workers (thelocal.de) 50

An anonymous reader quotes a report from The Local: The Federal Labour Court ruled on Thursday that evidence collected by a company through keystroke-tracking software could not be used to fire an employee, explaining that such surveillance violates workers' personal rights. The complainant had been working as a web developer at a media agency in North Rhine-Westphalia since 2011 when the company sent an email out in April 2015 explaining that employees' complete "internet traffic" and use of the company computer systems would be logged and permanently saved. Company policy forbade private use of the computers. The firm then installed keylogger software on company PCs to monitor keyboard strokes and regularly take screenshots. Less than a month later, the complainant was called in to speak with his boss about what the company had discovered through the spying software. Based on their findings, they accused him of working for another company while at work, and of developing a computer game for them. [...] So the programmer took his case to court, arguing that the evidence used against him had been collected illegally. The Federal Labour Court agreed with this argument, stating in the ruling that the keylogger software was an unlawful way to control employees. The judges added that using such software could be legitimate if there was a concrete suspicion beforehand of a criminal offense or serious breach of work duties.
Crime

Feds Crack Trump Protesters' Phones To Charge Them With Felony Rioting (thedailybeast.com) 437

An anonymous reader quotes a report from The Daily Beast: Officials seized Trump protesters' cell phones, cracked their passwords, and are now attempting to use the contents to convict them of conspiracy to riot at the presidential inauguration. Prosecutors have indicted over 200 people on felony riot charges for protests in Washington, D.C. on January 20 that broke windows and damaged vehicles. Some defendants face up to 75 years in prison, despite little evidence against them. But a new court filing reveals that investigators have been able to crack into at least eight defendants' locked cell phones. Now prosecutors want to use the internet history, communications, and pictures they extracted from the phones as evidence against the defendants in court. [A] July 21 court document shows that investigators were successful in opening the locked phones. The July 21 filing moved to enter evidence from eight seized phones, six of which were "encrypted" and two of which were not encrypted. A Department of Justice representative confirmed that "encrypted" meant additional privacy settings beyond a lock screen. For the six encrypted phones, investigators were able to compile "a short data report which identifies the phone number associated with the cell phone and limited other information about the phone itself," the filing says. But investigators appear to have bypassed the lock on the two remaining phones to access the entirety of their contents.
Government

Travelers' Electronics At US Airports To Get Enhanced Screening, TSA Says (arstechnica.com) 149

An anonymous reader quotes a report from Ars Technica: Aviation security officials will begin enhanced screening measures of passengers' electronics at US airports, the Transportation Security Administration announced Wednesday. Travelers must remove electronics larger than a mobile phone from their carry-on bags and "place them in a bin with nothing on top or below, similar to how laptops have been screened for years. This simple step helps TSA officers obtain a clearer X-ray image," the TSA announced amid growing fears that electronic devices can pose as homemade bombs. The TSA was quick to point out that the revised security measures do not apply to passengers enrolled in the TSA Precheck program.

"Whether you're flying to, from, or within the United States, TSA is committed to raising the baseline for aviation security by strengthening the overall security of our commercial aviation network to keep flying as a safe option for everyone," TSA Acting Administrator Huban A. Gowadia said. "It is critical for TSA to constantly enhance and adjust security screening procedures to stay ahead of evolving threats and keep passengers safe. By separating personal electronic items such as laptops, tablets, e-readers and handheld game consoles for screening, TSA officers can more closely focus on resolving alarms and stopping terror threats."

Security

Some Low-Cost Android Phones Come at a Price -- Your Privacy (cnet.com) 86

Cheap phones are coming at the price of your privacy, security analysts discovered. From a report: At $60, the BLU R1 HD is the top-selling phone on Amazon. Last November, researchers caught it secretly sending private data to China. Shanghai Adups Technology, the group behind the spying software on the BLU R1 HD, called it a mistake. But analysts at Kryptowire found the software provider is still making the same "mistake" on other phones. At the Black Hat security conference in Las Vegas on Wednesday, researchers from Kryptowire, a security firm, revealed that Adups' software is still sending a device's data to the company's server in Shanghai without alerting people. But now, it's being more secretive about it. "They replaced them with nicer versions," Ryan Johnson, a research engineer and co-founder at Kryptowire, said. "I have captured the network traffic of them using the Command and Control channel when they did it." An Adups spokeswoman said that it had resolved the issues in 2016 and that the issues "are not existing anymore." Kryptowire said it has observed the company sending data without telling users on at least three different phones.
Businesses

Kaspersky Launches Its Free Antivirus Software Worldwide (engadget.com) 141

Kaspersky has finally launched its free antivirus software after a year-and-a-half of testing it in select regions. From a report: While the software was only available in Russia, Ukraine, Belarus, China and in Nordic countries during its trial run, Kaspersky is now releasing it worldwide. The free antivirus doesn't have the VPN, Parental Controls and Online Payment Protection its paid counterpart offers, but it has all the essential features you need to protect your PC. It can scan files and emails, protect your PC while you use the web and quarantine malware that infects your system. The company says the software isn't riddled with advertisements like other free antivirus offerings. Instead of trying to make ad money off your patronage, Kaspersky will use the data you contribute to improve machine learning across its products. The free antivirus will be available in the US, Canada and most Asia-Pacific countries over the next couple of days, if it isn't yet. After this initial release, the company will roll it out in other regions from September to November.
China

China Forces Muslim Minority To Install Spyware On Their Phones (bleepingcomputer.com) 373

An anonymous reader quotes a report from Bleeping Computer: Chinese authorities in the province of Xinjiang are forcing locals of the Uyghur Muslim minority to install an app on their phones that will allow the government to scan their device for "terrorist propaganda," local media reports. In reality, the app creates MD5 hashes for the user's files and matches them against a database of known terrorist content. The app also makes copies of the user's Weibo and WeChat databases and uploads them to a government server, along with the user's IMEI, IMSI, and WiFi login information. The app is called Jingwang (Citizen Safety) and was developed by police forces from Urumqi, Xinjiang's capital. Authorities launched the app in April, and also included the ability to report suspicious activity to the police. At the start of July, Xinjiang officials started sending WeChat messages in Uyghur and Chinese to locals, asking them to install the app or face detainment of up to 10 days. Police have also stopped people on the street to check if they installed the app. Several were detained for refusing to install it. Locals are now sharing the locations of checkpoints online, so others can avoid getting arrested.
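The scanning mechanism described above (hash every file, compare against a list of known digests) is simple enough to show in full. The block below is an added example written for this page; it is not the Jingwang app's code and nothing about that app's actual blocklist or server is known here. The blocklist entries are computed from constructed sample content, and the directory it scans is a temporary one built inside the example. It also shows the obvious limitation of exact-hash matching: a file that differs by a single byte is not found.

```python
import hashlib
import os
import tempfile

# Constructed "known content": the blocklist is the MD5 of each sample.
# (In the reported app the list is government-supplied; this one is made up.)
KNOWN_CONTENT = [b"sample banned leaflet text\n", b"another sample file\n"]
BLOCKLIST = {hashlib.md5(c).hexdigest() for c in KNOWN_CONTENT}


def md5_file(path, chunk_size=65536):
    """Stream a file through MD5 so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, blocklist=BLOCKLIST):
    """Walk a directory tree; return relative paths whose MD5 is on the blocklist."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if md5_file(path) in blocklist:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Build a constructed directory with an exact copy, a one-byte variant and a benign file."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "exact.txt"), "wb") as f:
            f.write(KNOWN_CONTENT[0])
        with open(os.path.join(root, "altered.txt"), "wb") as f:
            # one character changed: same content to a human, different digest
            f.write(KNOWN_CONTENT[0].replace(b"text", b"Text"))
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"grocery list\n")
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

Only `exact.txt` is reported; `altered.txt` is missed, which is why exact-digest blocklists are both cheap to run and trivial to evade.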
Businesses

Roomba's Next Big Step Is Selling Maps of Your Home to the Highest Bidder (gizmodo.com) 121

The maker of the Roomba robotic vacuum, iRobot -- which we have talked about several times in the past -- has found itself embroiled in a privacy row after its chief executive suggested it may begin selling floor plans of customers' homes, derived from the movement data of their autonomous servants. From a report: While it may seem like the information that a Roomba could gather is minimal, there's a lot to be gleaned from the maps it's constantly updating. It knows the floor plan of your home, the basic shape of everything on your floor, what areas require the most maintenance, and how often you require cleaning cycles, along with many other data points. [...] If a company like Amazon, for example, wanted to improve its Echo smart speaker, the Roomba's mapping info could certainly help out. Spatial mapping could improve audio performance by taking advantage of the room's acoustics. Do you have a large room that's practically empty? Targeted furniture ads might be quite effective. The laser and camera sensors would paint a nice portrait for lighting needs that would factor into smart lights that adjust in real time. Smart AC units could better control airflow. And additional sensors added in the future would gather even more data from this live-in double agent.
Social Networks

It Looks Like Facebook Is Also Building a Smart Speaker With Touch Screen (techcrunch.com) 46

From a report: Facebook may launch its own smart home gadget to get you messaging more friends and looking at more photos. DigiTimes reports from Taiwan that Facebook is building a 15-inch touch screen smart speaker. Citing sources in the "upstream supply chain", it says Chinese iPhone manufacturer Pegatron is building the device for a Q1 2018 launch, with a small pilot run having already been produced. It's said to have been designed by Facebook's secretive new hardware lab Building 8, using an LG in-cell touch screen with a magnesium-aluminum-alloy chassis. While no further details are known about the speaker's functionality, it could potentially extend Facebook's feed of photos and videos plus its dominant messaging platform into the bedroom, living room, or kitchen.
Medicine

Global Network of Labs Will Test Security of Medical Devices (securityledger.com) 49

chicksdaddy shares a report from The Security Ledger: Amid increasing concerns about cyber threats to healthcare environments, a global network of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms, The Security Ledger reports. The "World Health Information Security Testing Labs" (or "WHISTL") will adopt a model akin to the Underwriters Laboratory, which started out testing electrical devices, and focus on issues related to cyber security and privacy, helping medical device makers "address the public health challenges" created by connected health devices and complex, connected healthcare environments, according to a statement by The Medical Device Innovation, Safety and Security Consortium. "MDISS WHISTL facilities will dramatically improve access to medical device security know-how while protecting patient privacy and the intellectual property of our various stakeholders," said Dr. Nordenberg, MD, Executive Director of MDISS.

The labs will be one of the only independent, open and non-profit networks of labs specifically designed for the needs of the medical field, including medical device designers, hospital IT, and clinical engineering professionals. Experts will assess the security of medical devices using standards and specifications designed by testing organizations like Underwriters Labs. Evaluations will include application security testing like "fuzzing," static code analysis and penetration testing of devices. Any vulnerabilities found will be reported directly to manufacturers in accordance with best practices, and publicly disclosed to the international medical device vulnerability database (MDVIPER) which is maintained by MDISS and the National Health Information Sharing and Analysis Center (NH-ISAC). The group says it plans for 10 new device testing labs by the end of the year, including in U.S. states such as New York, Indiana, Tennessee and California, and outside North America in the UK, Israel, Finland, and Singapore. The WHISTL facilities will work with Underwriters Labs as well as AAMI, the Association for the Advancement of Medical Instrumentation. Specifically, MDISS labs will base their work on the UL Cybersecurity Assurance Program specifications (UL CAP) and follow testing standards developed by both groups including the UL 2900 and AAMI 80001 standards.

Biotech

Wisconsin Company Will Let Employees Use Microchip Implants To Buy Snacks, Open Doors (theverge.com) 112

A Wisconsin company called Three Square Market will soon offer employees implantable chips to open doors, buy snacks, log in to computers, and use office equipment like copy machines. The chips use near field communication (NFC) technology and will be implanted between the thumb and forefinger of participating employees. According to The Verge, around 50 people are supposedly getting the optional implants. From the report: NFC chips are already used in a couple of workplaces in Europe; The Los Angeles Times reported on startup workspace Epicenter's chip program earlier this year. In the US, installing them is also a form of simple biohacking. They're essentially an extension of the chips you'd find in contactless smart cards or microchipped pets: passive devices that store very small amounts of information. A Swedish rail company also lets people use implants as a substitute for fare cards. 32M CEO Todd Westby is clearly trying to head off misunderstandings and paranoia by saying that they contain "no GPS tracking at all" -- because again, it's comparable to an office keycard here.
Privacy

Sweden Accidentally Leaks Personal Details of Nearly All Citizens (thehackernews.com) 241

An anonymous reader quotes a report from The Hacker News: Swedish media are reporting a massive data breach at the Swedish Transport Agency (Transportstyrelsen) after the agency mishandled an outsourcing deal with IBM, which led to the leak of private data about every vehicle in the country, including those used by both police and military. The data breach exposed the names, photos and home addresses of millions of Swedish citizens, including fighter pilots of the Swedish air force, members of the military's most secretive units, police suspects, people under the witness relocation program, the weight capacity of all roads and bridges, and much more. The incident is believed to be one of the worst government information security disasters ever.

In 2015, the Swedish Transport Agency handed IBM an IT maintenance contract to manage its databases and networks. However, the Swedish Transport Agency uploaded IBM's entire database onto cloud servers, which covered details on every vehicle in the country, including police and military registrations, and individuals on witness protection programs. The transport agency then emailed the entire database in messages to marketers that subscribe to it. And what's terrible is that the messages were sent in clear text. When the error was discovered, the transport agency merely thought of sending a new list in another email, asking the subscribers to delete the old list themselves.

Encryption

Let's Encrypt Criticized Over Speedy HTTPS Certifications (threatpost.com) 203

100 million HTTPS certificates were issued in the last year by Let's Encrypt -- a free certificate authority founded by Mozilla, Cisco and the Electronic Frontier Foundation -- and they're now issuing more than 100,000 HTTPS certificates every day. Should they be performing more vetting? msm1267 shared this article from Kaspersky Lab's ThreatPost blog: [S]ome critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place. The primary concern has been that while the growth of SSL/TLS encryption is a positive trend, it also offers criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to sneak malware through company firewalls... Critics do not contend Let's Encrypt is responsible for these types of abuses. Rather, because it is the 800-pound gorilla when it comes to issuing basic domain validation certificates, critics believe Let's Encrypt could do a better job vetting applicants to weed out bad actors... "I think there should be some type of vetting process. That would make it more difficult for malicious actors to get them," said Justin Jett, director of audit and compliance at Plixer, a network traffic analytics firm...

Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt, points out that its role is not to police the internet, rather its mission is to make communications secure. He added that, unlike commercial certificate authorities, it keeps a searchable public database of every single domain it issues. "When people get surprised at the number of PayPal phishing sites and get worked up about it, the reason they know about it is because we allow anyone to search our records," he said. Many other certificate authorities keep their databases of issued certificates private, citing competitive reasons and that customers don't want to broadcast the names of their servers... "The reason people treat us like a punching bag is that we are big and we are transparent."

The criticism intensified after Let's Encrypt announced they'd soon offer wildcard certificates for subdomains. But the article also cites security researcher Scott Helme, who "argued if encryption is to be available to all then that includes the small percent of bad actors. 'I don't think it's for Signal, or Let's Encrypt, to decide who should have access to encryption.'"
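Both sides of the argument above come down to the same operation: scanning issued names for brand lookalikes, whether a CA does it before issuance or a defender does it afterwards over a public record of issued names like the one Aas describes. The block below is an added example for this page, not Let's Encrypt's code or policy. The brand list, the allowlist and the issued names are constructed; the folding step shows why a plain substring match is not enough, since "paypa1" and a Cyrillic-"а" punycode label both slip past it.

```python
import unicodedata

# Constructed watch list of brands to screen for.
WATCHED_BRANDS = ["paypal", "apple", "microsoft"]

# Constructed: the brand's own, legitimately issued names.
ALLOWLIST = {"www.paypal.com"}

# Single-character substitutions that defeat an exact substring check:
# look-alike digits/punctuation, and Cyrillic letters that render like Latin ones.
FOLD_TABLE = str.maketrans({
    "1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y",
})

# Constructed IDN lookalike ("paypal" with a Cyrillic 'а'), stored in the
# punycode form that actually appears in a certificate's subject names.
IDN_LOOKALIKE = "p\u0430ypal-login.example".encode("idna").decode("ascii")

# Constructed sample of issued names, shaped like a public issuance feed.
ISSUED_NAMES = [
    "blog.example.org",
    "paypal.com.secure-login.example",
    "paypa1-verify.example",
    "www.paypal.com",
    "appleid-support.example",
    "cdn.legit-shop.example",
    IDN_LOOKALIKE,
]


def fold(name):
    """Lower-case, decode punycode labels, strip accents, and apply FOLD_TABLE."""
    out = []
    for label in name.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the label, still apply the other folds
        label = unicodedata.normalize("NFKD", label)
        label = "".join(ch for ch in label if not unicodedata.combining(ch))
        out.append(label.translate(FOLD_TABLE))
    return ".".join(out)


def screen(names, brands=WATCHED_BRANDS, allowlist=ALLOWLIST):
    """Return (issued_name, brand, how) for every name that looks like a brand lookalike."""
    findings = []
    for name in names:
        lowered = name.lower()
        if lowered in allowlist:
            continue
        folded = fold(name)
        for brand in brands:
            if brand in folded:
                how = "literal" if brand in lowered else "after confusable folding"
                findings.append((name, brand, how))
                break
    return findings


if __name__ == "__main__":
    for finding in screen(ISSUED_NAMES):
        print(finding)
```

On the sample this flags four names and leaves the allowlisted `www.paypal.com` alone; two of the four are only caught after folding. Note what the check does not do: it cannot tell a phishing site from a fan site or a news article about the brand, which is the judgement call that Aas argues is not a CA's to make.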
Encryption

Apple Flies Top Privacy Executives Into Australia To Lobby Against Proposed Encryption Laws (patentlyapple.com) 65

An anonymous reader quotes a report from Patently Apple: Last week Patently Apple posted a report titled "Australia proposed new Laws Compelling Companies like Facebook & Apple to Provide Access to Encrypted Messages." Days later, Australia's Prime Minister spoke about the encryption problem with the Australian press as noted in the video in our report. Now we're learning that Apple has flown in top executives to lobby the Turnbull government on encryption laws. It sounds like a showdown is on the horizon. This is the second time this month that Apple has flown executives into Australia to lobby the government according to a Sydney publication. Apple executives met with Attorney-General George Brandis and senior staff in Prime Minister Malcolm Turnbull's office on Tuesday to discuss the company's concerns about the legal changes, which could see tech companies compelled to provide access to locked phones and third party messaging applications. Apple has argued in the meetings that as a starting point it does not want the updated laws to block tech companies from using encryption on their devices, nor for companies to have to provide decryption keys to allow access to secure communications. The company has argued that if it is compelled to provide a software "back door" into its phones to help law enforcement agencies catch criminals and terrorists, this would reduce the security for all users. It also says it has provided significant assistance to police agencies engaged in investigations, when asked. UPDATE 07/20/17: Headline has been updated to clarify that Apple is lobbying against the proposed encryption laws in Australia.
Privacy

Alleged Dark Web Kingpin Doxed Himself With His Personal Hotmail Address (vice.com) 62

Joseph Cox, reporting for Motherboard: On Thursday, US authorities announced the seizure of the largest dark web marketplace AlphaBay. Europol and Dutch police also claimed seizure of Hansa, another popular market. In their dark web investigations, law enforcement have increasingly turned to hacking tools, including the deployment of browser exploits on a mass scale. But tracking down the alleged AlphaBay administrator was much more mundane, officials said. Alexandre Cazes, who US authorities say used the handle alpha02 as administrator of the site, allegedly left his personal email in a welcome message to new AlphaBay members, according to the forfeiture complaint published on Thursday. The news echoes the arrest of Ross Ulbricht, the convicted creator of the original Silk Road, who made a similar security mistake. "In December 2016, law enforcement learned that CAZES' personal email was included in the header of AlphaBay's 'welcome email' to new users in December 2014," the complaint reads. Users received this message once they signed up to AlphaBay's forum and entered an email address. Cazes' email address -- Pimp_Alex_91@hotmail.com -- was also included in the header of the AlphaBay forum password recovery process, the complaint adds. From there, investigators found the address was linked to an Alexandre Cazes, and discovered his alleged front company, EBX Technologies.
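The leak described above is a header field in an automated mail carrying an address that has nothing to do with the service sending it. The block below is an added example for this page, not anything from the complaint or from AlphaBay: it parses a constructed welcome mail with Python's standard `email` package, pulls every address out of the address-bearing headers, and reports the ones whose domain is not the service's own. All addresses and hostnames in the sample are made up.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed raw message modelled on an automated forum welcome mail.
# Every address, host and ID here is invented for the example.
RAW_WELCOME_MAIL = b"""Return-Path: <bounce@forum.invalid>
Received: from mail.forum.invalid (mail.forum.invalid [203.0.113.10])
\tby mx.example.invalid with ESMTP; Mon, 1 Dec 2014 10:00:00 +0000
From: "Forum Admin" <welcome@forum.invalid>
Reply-To: <operator.personal@mail.invalid>
To: <newuser@example.invalid>
Subject: Welcome to the forum
Message-ID: <20141201100000.1234@forum.invalid>
X-Mailer: ForumMailer/1.0
Content-Type: text/plain; charset=utf-8

Welcome, please read the rules.
"""

# Headers that routinely carry an address; a personal address in any of them
# on an automated mail is an OPSEC failure worth chasing.
ADDRESS_HEADERS = ["from", "sender", "reply-to", "return-path",
                   "errors-to", "x-originating-email", "message-id"]

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def extract_header_addresses(raw):
    """Return (header_name, address) pairs for every address found in ADDRESS_HEADERS."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    for name in ADDRESS_HEADERS:
        for value in msg.get_all(name, []):
            for addr in ADDR_RE.findall(str(value)):
                found.append((name, addr.lower()))
    return found


def off_domain_addresses(raw, service_domain):
    """Addresses in the headers that do not belong to the service's own domain."""
    return sorted({addr for _header, addr in extract_header_addresses(raw)
                   if not addr.endswith("@" + service_domain)})


if __name__ == "__main__":
    print(off_domain_addresses(RAW_WELCOME_MAIL, "forum.invalid"))
```

On the sample the only off-domain address is the one in `Reply-To`; `From`, `Return-Path` and `Message-ID` all resolve to the service's own domain. Run over a corpus of a service's automated mail, the same check surfaces exactly the kind of stray personal address the complaint describes.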
Government

FCC Says It Has No Documentation of Cyberattack That It Claims Happened (thehill.com) 54

An anonymous reader quotes a report from The Hill: The Federal Communications Commission (FCC) declined to reveal analysis proving that it was the victim of a cyberattack in May. The agency claimed at the time that its Electronic Comment Filing System (ECFS) did not actually crash because of a large amount of traffic on the site prompted by John Oliver telling viewers to file comments in favor of net neutrality on his HBO show, Last Week Tonight. Instead, the FCC said that the ECFS went down as a result of a DDoS attack. In its response to Gizmodo's FOIA request, the FCC said that the attack "did not result in written documentation." "Based on a review of the logs, we have already provided a detailed description of what happened. We stand by our career IT staff's analysis of the evidence in our possession," an FCC spokesperson said when asked for comment on the matter.
EU

EU Court to Rule On 'Right to Be Forgotten' Outside Europe (wsj.com) 182

The European Union's top court is set to decide whether the bloc's "right to be forgotten" policy stretches beyond Europe's borders, a test of how far national laws can -- or should -- stretch when regulating cyberspace. From a report: The case stems from France, where the highest administrative court on Wednesday asked the EU's Court of Justice to weigh in on a dispute between Alphabet's Google and France's privacy regulator over how broadly to apply the right, which allows EU residents to ask search engines to remove some links from searches for their own names. At issue: Can France force Google to apply it not just to searches in Europe, but anywhere in the world? The case will set a precedent for how far EU regulators can go in enforcing the bloc's strict new privacy law. It will also help define Europe's position on clashes between governments over how to regulate everything that happens on the internet -- from political debate to online commerce. France's regulator says enforcement of some fundamental rights -- like personal privacy -- is too easily circumvented on the borderless internet, and so must be implemented everywhere. Google argues that allowing any one country to apply its rules globally risks upsetting international law and, when it comes to content, creates a global censorship race among autocrats.
AMD

AMD Has No Plans To Release PSP Code (twitch.tv) 125

AMD has faced calls from Edward Snowden, Libreboot and the Reddit community to release the source code to the AMD Secure Processor (PSP), a network-capable co-processor which some believe has the capacity to act as a backdoor. But despite some signs earlier that it might consider opening the PSP code at some point, the chip-maker has now confirmed that there hasn't been a change of heart yet. "We have no plans on releasing it to the public," company executives said in a tech talk (video).
Privacy

Ask Slashdot: Is Password Masking On Its Way Out? 234

New submitter thegreatbob writes: Perhaps you've noticed in the last 5 years or so, progressively more entities have been providing the ability to reveal the contents of a password field. While this ability is, in many cases (especially on devices with lousy keyboards), legitimately useful, it does seem to be a reasonable source of concern. Fast forward to today; I was setting up a new router (the cheapest dual-band router money can buy, from Tenda) and I was almost horrified to discover that it does not mask any of its passwords by default. So I ask Slashdot: is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?
Security

Should We Ignore the South Carolina Election Hacking Story? (securityledger.com) 139

chicksdaddy provides five (or more) "good" reasons why we should ignore the South Carolina election hacking story that was reported yesterday. According to yesterday's reports, South Carolina's voter-registration system was hit with nearly 150,000 hack attempts on election day. Slashdot reader chicksdaddy writes from an opinion piece via The Security Ledger: What should we make of the latest reports from WSJ, The Hill, etc. that South Carolina's election systems were bombarded with 150,000 hacking attempts? Not much, argues Security Ledger in a news analysis that argues there are lots of good reasons to ignore this story, if not the very real problem of election hacking. The stories were based on this report from The South Carolina Election Commission. The key phrase in that report is "attempts to penetrate," Security Ledger notes. Information security professionals would refer to that by more mundane terms like "port scans" or probes. These are kind of the "dog bites man" stories of the cyber beat -- common (here's one from 2012 US News & World Report) but ill informed. "The kinds of undifferentiated scans that the report is talking about are the internet equivalent of people driving slowly past your house." While some of those 150,000 attempts may well be attempts to hack South Carolina's elections systems, many are undifferentiated, while some may be legitimate, if misdirected. Whatever the case, they're background noise on the internet and hardly unique to South Carolina's voter registration systems. They're certainly not evidence of sophisticated, nation-state efforts to crack the U.S. election system by Russia, China or anyone else, Security Ledger argues. "The problem with lumping all these 'hacking attempts' in the same breath as you talk about sophisticated and targeted attacks on the Clinton Campaign, the DCCC, and successful penetration of some state election boards is that it dramatically distorts the nature and scope of the threat to the U.S. election system which -- again -- is very real." The election story is one "that demands thoughtful and pointed reporting that can explore (and explode) efforts by foreign actors to subvert the U.S. vote and thus its democracy," the piece goes on to argue. "That's especially true in an environment in which regulators and elected officials seem strangely incurious about such incidents and disinclined to investigate them."
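The distinction the piece draws, between undifferentiated scans and something aimed at a specific system, is one a defender has to make from logs rather than from a headline count. The block below is an added example for this page, not anything from the South Carolina report or from Security Ledger: it builds a constructed firewall log (151 lines from three sources, in a made-up "timestamp src_ip dst_port action" format) and sorts each source into a wide-and-shallow port scan, a narrow-and-repeated focused source, or a one-off probe. The thresholds are illustrative assumptions, not published guidance.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed log: a 100-port scan, 50 hits on one service, and one ordinary connection."""
    lines = []
    for i, port in enumerate(range(1, 101)):            # one touch per port: horizontal scan
        lines.append(f"2016-11-08T09:00:{i % 60:02d} 198.51.100.7 {port} DROP")
    for i in range(50):                                  # 50 attempts against one service
        lines.append(f"2016-11-08T10:{i:02d}:00 203.0.113.9 443 DROP")
    lines.append("2016-11-08T11:00:00 192.0.2.44 443 ALLOW")  # a single normal connection
    return "\n".join(lines)


def parse(log_text):
    """Parse the constructed 'timestamp src_ip dst_port action' format into tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, port, action = line.split()
        events.append((ts, src, int(port), action))
    return events


def classify_sources(events, scan_min_ports=10, focus_min_hits=20):
    """Label each source: 'port_scan' (wide, shallow), 'focused' (narrow, repeated), or 'single_probe'."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set()})
    for _ts, src, port, _action in events:
        per_src[src]["hits"] += 1
        per_src[src]["ports"].add(port)
    verdicts = {}
    for src, stats in per_src.items():
        n_ports = len(stats["ports"])
        if n_ports >= scan_min_ports and stats["hits"] <= 2 * n_ports:
            verdicts[src] = "port_scan"      # the "driving slowly past your house" traffic
        elif stats["hits"] >= focus_min_hits and n_ports <= 2:
            verdicts[src] = "focused"        # someone keeps coming back to one door
        else:
            verdicts[src] = "single_probe"
    return verdicts


def summarize(log_text):
    """Turn a raw 'attempt' count into the numbers a defender actually wants."""
    events = parse(log_text)
    verdicts = classify_sources(events)
    return {
        "raw_attempts": len(events),
        "sources": len(verdicts),
        "port_scans": sum(v == "port_scan" for v in verdicts.values()),
        "focused": sum(v == "focused" for v in verdicts.values()),
        "single_probes": sum(v == "single_probe" for v in verdicts.values()),
    }


if __name__ == "__main__":
    print(summarize(build_sample_log()))
```

The constructed log yields 151 "attempts" but only three sources, and only one of them is doing anything other than scanning or connecting once. Reporting the raw count alone is the distortion the piece objects to.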
Bug

Flaw In IoT Security Cameras Leaves Millions of Devices Open To Hackers (vice.com) 53

New submitter Aliciadivo writes: A nasty vulnerability found in Axis security cameras could allow hackers to take full control of several types of Internet of Things devices, and in some cases, software programs, too. The Senrio research team found that devices and software programs using an open source software library called gSOAP to enable their product to communicate to the internet could be affected. Stephen Ridley, founder of Senrio, said: "I bet you all these other manufacturers have the same vulnerability throughout their product lines as well. It's a vulnerability in virtually every IoT device [...] Every kind of device you can possibly think of." A spokesperson for ONVIF, an electronics industry consortium that includes Axis and some members that use gSOAP, said it has notified its members of the flaw, but it's not "up to each member to handle this in the way they best see fit." Also, gSOAP "is not in any way mandated by the ONVIF specifications, but as SOAP is the base for the ONVIF API, it is possible that ONVIF members would be affected." Hundreds of thousands of devices might be affected, as a search for the term "Axis" on Shodan, an engine that scours the internet for vulnerable devices, returns around 14,000 results. You can view Senrio Labs' video on the exploit (which they refer to as the "Devil's Ivy Exploit") here.