Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Crime

US Unveils Charges Against KickassTorrents, Names Two More Defendants (arstechnica.com) 29

A total of three men are said to be operators of file-sharing site KickassTorrents (KAT), according to U.S. prosecutors. Last month, federal authorities arrested the 30-year-old Ukrainian mastermind of KAT, Artem Vaulin, and formally charged him with one count of conspiracy to commit criminal copyright infringement, one count of conspiracy to commit money laundering, and two counts of criminal copyright infringement. Two other Ukrainians were named in the new indictment (PDF): Levgen (Eugene) Kutsenko and Oleksander (Alex) Radostin. While only Vaulin has been arrested, bench warrants have been issue for the arrest of all three men. Ars Technica reports: "Prosecutors say the three men developed and maintained the site together and used it to 'generate millions of dollars from the unlawful distribution of copyright-protected media, including movies, [...] television shows, music, video games, computer software, and electronic books.' They gave out 'Reputation' and 'User Achievement' awards to users who uploaded the most popular files, including a special award for users who had uploaded more than 1,000 torrents. The indictment presents a selection of the evidence that the government intends to use to convict the men, and it isn't just simple downloads of the copyrighted movies. The government combed through Vaulin's e-mails and traced the bitcoins that were given to him via a 'donation' button."
Patents

Apple Patenting a Way To Collect Fingerprints, Photos of Thieves (appleinsider.com) 38

An anonymous reader quotes a report from Apple Insider: As published by the U.S. Patent and Trademark Office, Apple's invention covering "Biometric capture for unauthorized user identification" details the simple but brilliant -- and legally fuzzy -- idea of using an iPhone or iPad's Touch ID module, camera and other sensors to capture and store information about a potential thief. Apple's patent is also governed by device triggers, though different constraints might be applied to unauthorized user data aggregation. For example, in one embodiment a single failed authentication triggers the immediate capture of fingerprint data and a picture of the user. In other cases, the device might be configured to evaluate the factors that ultimately trigger biometric capture based on a set of defaults defined by internal security protocols or the user. Interestingly, the patent application mentions machine learning as a potential solution for deciding when to capture biometric data and how to manage it. Other data can augment the biometric information, for example time stamps, device location, speed, air pressure, audio data and more, all collected and logged as background operations. The deemed unauthorized user's data is then either stored locally on the device or sent to a remote server for further evaluation.
Crime

FBI Authorized Informants To Break The Law 22,800 Times In 4 Years (dailydot.com) 106

blottsie quotes a report from the Daily Dot: Over a four-year period, the FBI authorized informants to break the law more than 22,800 times, according to newly reviewed documents. Official records obtained by the Daily Dot under the Freedom of Information Act show the Federal Bureau of Investigation gave informants permission at least 5,649 times in 2013 to engage in activity that would otherwise be considered a crime. In 2014, authorization was given 5,577 times, the records show. USA Today previously revealed confidential informants engaged in "otherwise illegal activity," as the bureau calls it, 5,658 times in 2011. The figure was at 5,939 the year before, according to documents acquired by the Huffington Post. In total, records obtained by reporters confirm the FBI authorized at least 22,823 crimes between 2011 and 2014. Unfortunately, many of those crimes can have serious and unintended consequences. One of the examples mentioned in the Daily Dot's report was of an FBI informant who "was responsible for facilitating the 2011 breach of Stratfor in one of the most high-profile cyberattacks of the last decade. While a handful of informants ultimately brought down the principal hacker responsible, the sting also caused Stratfor, an American intelligence firm, millions of dollars in damages and left and estimated 700,000 credit card holders vulnerable to fraud."
Crime

Turkish Journalist Jailed For Terrorism Was Framed, Forensic Report Shows (vice.com) 96

An anonymous reader quotes a report from Motherboard: Turkish investigative journalist Baris Pehlivan spent 19 months in jail, accused of terrorism based on documents found on his work computer. But when digital forensics experts examined his PC, they discovered that those files were put there by someone who removed the hard drive from the case, copied the documents, and then reinstalled the hard drive. The attackers also attempted to control the journalist's machine remotely, trying to infect it using malicious email attachments and thumb drives. Among the viruses detected in his computer was an extremely rare trojan called Ahtapot, in one of the only times it's been seen in the wild. Pehlivan went to jail in February of 2011, along with six of his colleagues, after electronic evidence seized during a police raid in 2011 appeared to connect all of them to Ergenekon, an alleged armed group accused of terrorism in Turkey. A paper recently published by computer expert Mark Spencer in Digital Forensics Magazine sheds light into the case after several other reports have acknowledged the presence of malware. Spencer said no other forensics expert noticed the Ahtapot trojan in the OdaTV case, nor has determined accurately how those documents showed up on the journalist's computer. However, almost all the reports have concluded that the incriminating files were planted. "We are not guilty," Baris Pehlivan told Andrada Fiscutean via Motherboard. "The files were put into our computers by a virus and by [attackers] entering the OdaTV office secretly. None of us has seen those documents before the prosecutor showed them to us." (OdaTV is the website Pehlivan works for and "has been critical of the government and the Gulen Movement, which was accused by Turkish president Recep Tayyip Erdogan of orchestrating the recent attempted coup.") In regard to the report, senior security consultant at F-Secure, Taneli Kaivola, says, "Yes, [the report] takes an impressive level of conviction to locally attack a computer four times, and remotely attack it seven times [between January 1, 2011, and February 11, 2011], as well as a certain level of technical skill to set up the infrastructure for those attacks, which included document forgery and date and time manipulation."
Security

Software Exploits Aren't Needed To Hack Most Organizations (darkreading.com) 56

The five most common ways of hacking an organization all involve stolen credentials, "based on data from 75 organizations, 100 penetration tests, and 450 real-world attacks," writes an anonymous Slashdot reader. In fact, 66% of the researchers' successful attacks involved cracking a weak domain user password. From an article on Dark Reading: Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian. Organizations would be far better served by improving credential management and network segmentation...

"If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian. The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do"... [O]ne stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way.

Similar results were reported in Verizon's 2016 Data Breach Investigations Report.
AI

Chicago's Experiment In Predictive Policing Isn't Working (theverge.com) 191

The U.S. will phase out private prisons, a move made possible by fewer and shorter sentences for drug offenses, reports the BBC. But when it comes to reducing arrests for violent crimes, police officers in Chicago found themselves resorting ineffectively to a $2 million algorithm which ultimately had them visiting people before any crime had been committed. schwit1 quotes Ars Technica: Struggling to reduce its high murder rate, the city of Chicago has become an incubator for experimental policing techniques. Community policing, stop and frisk, "interruption" tactics --- the city has tried many strategies. Perhaps most controversial and promising has been the city's futuristic "heat list" -- an algorithm-generated list identifying people most likely to be involved in a shooting.

The hope was that the list would allow police to provide social services to people in danger, while also preventing likely shooters from picking up a gun. But a new report from the RAND Corporation shows nothing of the sort has happened. Instead, it indicates that the list is, at best, not even as effective as a most wanted list. At worst, it unnecessarily targets people for police attention, creating a new form of profiling.

The police argue they've updated the algorithm and improved their techniques for using it. But the article notes that the researchers began following the "heat list" when it launched in 2013, and "found that the program has saved no lives at all."
Security

New Linux Trojan Is A DDoS Tool, a Bitcoin Miner, and Web Ransomware (softpedia.com) 63

An anonymous reader writes: A trojan that targeted Drupal sites on Linux servers last May that was incredibly simplistic and laughable in its attempt to install (and fail) web ransomware on compromised websites, has now received a major update and has become a top threat on the malware scene. That trojan, named Rex, has evolved in only three months into an all-around threat that can: (1) compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS; (2) install cryptocurrency mining in the background; (3) send spam; (4) use a complex P2P structure to manage its botnet; and (5) install a DDoS agent which crooks use to launch DDoS attacks.

Worse is that they use their DDoS capabilities to extort companies. The crooks send emails to server owners announcing them of 15-minute DDoS tests, as a forewarning of future attacks unless they pay a ransom. To scare victims, they pose as a known hacking group named Armada Collective. Other groups have used the same tactic, posing as Armada Collective, and extorting companies, according to CloudFlare.

Crime

Want To Hunt Bank Robbers? There's an App For That, Says The FBI (networkworld.com) 67

Long-time Slashdot reader coondoggie quotes an article from Network World: The FBI today said it released a new application making it easier for the public -- as well as financial institutions, law enforcement agencies, and others -- to view photos and information about bank robberies in different geographic areas of the country.
The FBI's new "Bank Robbers" application runs on both Android and iOS, according to the article, "and lets users sort bank robberies by the date they occurred, the category they fall under (i.e., armed serial bank robber), the FBI field office working the case, or the state where the robbery occurred." The app ties into BankRobbers.fbi.gov, which overlays FBI information about bank robberies onto Google Maps.

The app's users "can also select push notifications to be informed when a bank robbery has taken place near their location," according to the FBI's site, which adds innocently that "If the location services on your device are enabled, you can view a map that shows the relevant bank robberies that took place in your geographic area..."
Crime

Maker of Web Monitoring Software Can Be Sued (cio.com) 99

Reader Presto Vivace shares a CIO report: The maker of so-called spyware program WebWatcher can be sued for violating state and federal wiretap laws, a U.S. appeals court has ruled, in a case that may have broader implications for online monitoring software and software as a service. The U.S. Court of Appeals for the Sixth Circuit rejected WebWatcher vendor Awareness Technologies' motion to dismiss a lawsuit against the company. The appeals court overturned a lower court ruling granting the motion to dismiss. The appeals court, in a 2-1 decision rejected Awareness' claims that WebWatcher does not intercept communications in real time, in violation of the U.S. wiretap act, but instead allows users to review targets' communications. While plaintiff Javier Luis' lawsuit doesn't address real-time interception of communications, his allegations "give rise to a reasonable inference" of that happening, Judge Ronald Lee Gilman wrote. Awareness pitches WebWatcher as monitoring software for parents and employers. "All WebWatcher products install easily in 5 minutes or less, are undetectable (thus tamper proof) and all recorded data is sent to a secure web-based account which allows you to monitor kids and employees at your convenience from any computer," the company says.
Cellphones

FCC Complaint: Baltimore Police Breaking Law With Use of Stingray Phone Trackers (baltimoresun.com) 108

An anonymous reader writes from a report via Baltimore Sun: Civil rights groups have complained to the FCC over the Baltimore Police Department's use of stingray phone tracking devices. They claim that "the way police use it interferes with emergency calls and is racially discriminatory." Baltimore Sun reports: "The complaint argues that the police department doesn't have a proper license to use the devices and is in violation of federal law. It calls on regulators at the Federal Communications Commission to step in and formally remind law enforcement agencies of the rules. 'The public is relying on the Commission to carry out its statutory obligation to do so, to fulfill its public commitment to do so, and to put an end to widespread network interference caused by rampant unlicensed transmissions made by BPD and other departments around the country,' the groups say in the complaint. Police in Baltimore acknowledged in court last year that they had used the devices thousands of times to investigate crimes ranging from violent attacks to the theft of cellphones. Investigators had been concealing the technology from judges and defense lawyers and after the revelations Maryland's second highest court ruled that police should get a warrant before using a Stingray. The groups argue that surveillance using the devices also undermines people's free speech rights and describe the use of Stingrays as an electronic form of the intrusive police practices described in the scathing Justice Department report on the police department's pattern of civil rights violations."
Social Networks

Metropolitan Police To Target Online Hate Crime and Abuse (bbc.com) 161

A new team of specialist police officers is being set up to investigate online hate crimes, including abuse on Twitter and Facebook. The London-based hub will include a team of five officers who will support victims and identify online abuse, reports BBC. From the report: The two-year pilot will cost 1.7m pound and has received 452,000 pound from the Home Office, the London Mayor's office said. A spokesman said there was "no place for hate" in London and there would be a "zero tolerance" of online abuse. The team, which will be set up in the coming months, will identify the location of crimes and allocate them to the appropriate force. They will work with a team of volunteers. The Mayor's Office for Policing And Crime (Mopac) said social media "provides hate crime perpetrators with a veil of anonymity, making it harder to bring them to justice and potentially impacting on a larger number of people".
Crime

LinkedIn Sues 100 Individuals For Scraping User Data From the Site (betanews.com) 112

Mark Wilson, writing for BetaNews: Professional social network LinkedIn is suing 100 anonymous individuals for data scraping. It is hoped that a court order will be able to reveal the identities of those responsible for using bots to harvest user data from the site. The Microsoft-owned service takes pride in the relationship it has with its users and the security it offers their data. Its lawsuit seeks to use the data scrapers' IP addresses and then discover their true identity in order to take action against them. LinkedIn says that a botnet has been used to gain access to user data which is then passed on to third parties. The site has a number of measures in place to prevent this type of data harvesting, but it seems that scrapers have found a way to circumvent these security restrictions. A series of automated tools -- FUSE, Quicksand, Sentinel, and Org Block -- are used to monitor suspicious activity and blocking scraping.
Australia

Australian Authorities Hacked Computers in the US (vice.com) 75

Motherboard is reporting that Australian authorities hacked Tor users in the United States as part of a child pornography investigation. The revelation comes through recently-filed US court documents. The incident underscores a trend where law enforcement around the world are increasingly pursuing targets overseas using hacking tools, raising legal questions around agencies' reach. From the report: In one case, Australian authorities remotely hacked a computer in Michigan to obtain the suspect's IP address. "The Love Zone" was a prolific dark web child abuse site, where users were instructed to upload material at least once a month to maintain access to the forum. By July 2014, the site had over 29,000 members, according to US court documents, constituting what the US Department of Justice described as a "technologically sophisticated conspiracy." In 2014, Queensland Police Service's Task Force Argos, a small, specialised unit focused on combating child exploitation crimes, identified the site's Australian administrator in part because of a localized greeting he signed messages with. The unit quietly took over his account, and for months ran the site in an undercover capacity, posing as its owner. Task Force Argos' logo includes a scorpion, and the tagline "Leave No Stone Unturned." Because The Love Zone was based on the dark web, users typically connected via the Tor network, masking their IP addresses even from the law enforcement agents who were secretly in control of the site. Task Force Argos could see what the users were viewing, and what pages they were visiting, but not where they were really connecting from.
Government

Under Fire, US Social Security Site Changes Security Policy Again (vortex.com) 37

Long-time Slashdot reader Lauren Weinstein writes: I'm told that Social Security Administration has now removed the mandatory cell phone access requirement that was strongly criticized... I appreciate that SSA has done the right thing in this case. Perhaps in the future they'll think these things through better ahead of time!
The web site now describes the "extra security" of two-factor cellphone authentication as entirely optional -- but security researcher Brian Krebs had also warned that the bigger risk was how easy it was to impersonate somebody else when creating an account online. He wrote Thursday that now "the SSA is mailing letters if you sign up online, but they don't take that opportunity to deliver a special code to securely complete the sign up. Go figure."
Businesses

One Year in Jail For Abusive Silicon Valley CEO (theguardian.com) 287

He grew up in San Jose, and at the age of 25 sold his second online advertising company to Yahoo for $300 million just nine years ago. Friday Gurbaksh Chahal was sentenced to one year in jail for violating his probation on 47 felony charges from 2013, according to an article in The Guardian submitted by an anonymous Slashdot reader: Police officials said that a 30-minute security camera video they obtained showed the entrepreneur hitting and kicking his then girlfriend 117 times and attempting to suffocate her inside his $7 million San Francisco penthouse. Chahal's lawyers, however, claimed that police had illegally seized the video, and a judge ruled that the footage was inadmissible despite prosecutors' argument that officers didn't have time to secure a warrant out of fear that the tech executive would erase the footage.

Without the video, most of the charges were dropped, and Chahal, 34, pleaded guilty to two misdemeanor battery charges of domestic violence... In Silicon Valley, critics have argued that Chahal's case and the lack of serious consequences he faced highlight the way in which privileged and wealthy businessmen can get away with serious misconduct.. On September 17, 2014, prosecutors say he attacked another woman in his home, leading to another arrest.

Friday Chahal was released on bail while his lawyer appeals the one-year jail sentence for violating his probation.
Security

Voting Machines Can Be Easily Compromised, Symantec Demonstrates (cbsnews.com) 217

An anonymous Slashdot reader quotes a report from CBS News: For the hackers at Symantec Security Response, Election Day results could be manipulated by an affordable device you can find online. "I can insert it, and then it resets the card, and now I'm able to vote again," said Brian Varner, a principle researcher at Symantec, demonstrating the device...

Symantec Security Response director Kevin Haley said elections can also be hacked by breaking into the machines after the votes are collected. "The results go from that machine into a piece of electronics that takes it to the central counting place," Haley said. "That data is not encrypted and that's vulnerable for manipulation."

40 states are using a voting technology that's at least 10 years old, according to the article. And while one of America's national election official argues that "there are paper trails everywhere," CBS reports that only 60% of states conduct routine audits of their paper trails, while "not all states even have paper records, like in some parts of swing states Virginia and Pennsylvania, which experts say could be devastating."
Crime

Irish Court Orders Alleged Silk Road Admin To Be Extradited To US (arstechnica.com) 73

An anonymous reader writes: A 27-year-old Irishman who American prosecutors believe was a top administrator on Silk Road named "Libertas" has been approved for extradition to the United States. According to the Irish Times, a High Court judge ordered Gary Davis to be handed over to American authorities on Friday. In December 2013, federal prosecutors in New York unveiled charges against Davis and two other Silk Road staffers, Andrew Michael Jones ("Inigo") and Peter Phillip Nash ("Samesamebutdifferent"). They were all charged with narcotics trafficking conspiracy, computer hacking conspiracy, and money laundering conspiracy. After a few years of operation, Silk Road itself was shuttered when its creator, Ross Ulbricht, was arrested in San Francisco in October 2013. Ulbricht was convicted at a high-profile trial and was sentenced to life in prison in May 2015.
Crime

US Seizure of Kim Dotcom's Assets Will Stand, Says Appeals Court (arstechnica.com) 166

An anonymous reader quotes a report from Ars Technica: The 4th Circuit Court of Appeals ruled Friday in favor of the American government's seizure of a large number of Megaupload founder Kim Dotcom's overseas assets. Seized items include millions of dollars in various seized bank accounts in Hong Kong and New Zealand, multiple cars, four jet skis, the Dotcom mansion, several luxury cars, two 108-inch TVs, three 82-inch TVs, a $10,000 watch, and a photograph by Olaf Mueller worth over $100,000. After years of delay, in December 2015, Dotcom was finally ordered to be extradited to the United States to face criminal charges. But his appeal is set to be heard before the High Court in Auckland on August 29. In its court filings, prosecutors argued that because Dotcom had not appeared to face the charges against him in the United States, he is therefore susceptible to "fugitive disentitlement." That legal theory posits that if a defendant has fled the country to evade prosecution, he or she cannot make a claim to the assets that the government wants to seize under civil forfeiture. But as the Dotcom legal team claimed, the U.S. can neither use its legal system to seize assets abroad nor can Dotcom be considered a fugitive if he has never set foot in the United States. However, the 4th Circuit disagreed: "Because the statute must apply to people with no reason to come to the United States other than to face charges, a "sole" or "principal" purpose test cannot stand. The principal reason such a person remains outside the United States will typically be that they live elsewhere. A criminal indictment gives such a person a reason to make the journey, and the statute is aimed at those who resist nevertheless." Civil forfeiture in the United States allows law enforcement to seize one's assets if they are believed to be illegally acquired -- even without filing any criminal charges.
Crime

Bleeping Computer Countersues Maker of SpyHunter 43

An anonymous reader writes: Bleeping Computer, a longstanding popular discussion forum that helps people rid their computers of malware, has now countersued Enigma Software Group (ESG), which makes an antivirus software known as SpyHunter. Bleeping now claims that ESG has been violating Bleeping's trademarks by registering new domain names that include "bleepingcomputer" and posting some of the company's webpage's source code on other websites without its authorization, among other allegations. ESG had sued Bleeping for libel earlier this year over a series of messages that it claims disparaged SpyHunter and the company as a whole.From the filing:Enigma's lawsuit is plainly nothing more than an attempt to bully and censor Bleeping Computer, and to deter anyone who might criticize it -- one more attempt in Enigma's long pattern of threats, intimidation and litigation. Worse, however, is that all the while, Enigma has been engaged in aggressive, secretive, and cowardly attacks against Bleeping Computer, including ripping off Bleeping Computer's content and pretending it was authored by Enigma, repeatedly misusing Bleeping's registered trademark to trade upon its goodwill, and publishing blatantly false claims about Bleeping. As the following allegations demonstrate, Enigma conducts its business in a manner that is illegal, unethical and simply immoral, thereby demonstrating that Quietman7's mildly critical statements about Enigma's product, that so enraged Enigma and lead to this lawsuit, pale in comparison to the egregious misconduct Enigma perpetrates on a regular basis.
Crime

France Says Fight Against Messaging Encryption Needs Worldwide Initiative (reuters.com) 446

An anonymous reader shares a Reuters report: Messaging encryption, widely used by Islamist extremists to plan attacks, needs to be fought at international level, French Interior Minister Bernard Cazeneuve said on Thursday, and he wants Germany to help him promote a global initiative. He meets his German counterpart, Thomas de Maiziere, on Aug. 23 in Paris and they will discuss a European initiative with a view to launching an international action plan, Cazeneuve said. French intelligence services are struggling to intercept messages from Islamist extremists who increasingly switch from mainstream social media to encrypted messaging services, with Islamic State being a big user of such apps, including Telegram. "Many messages relating to the execution of terror attacks are sent using encryption; it is a central issue in the fight against terrorism," Cazeneuve told reporters after a government meeting on security. "France will make proposals. I have sent a number of them to my Germany colleague," he said.

Slashdot Top Deals