The Military

The US Army Wants Distributed Bot Swarms And An 'Internet of Battlefield Things' (defenseone.com) 64

turkeydance shares a new report about the U.S. Army Research Lab: In the coming months, the Lab will fund new programs related to highly (but not fully) autonomous drones and robots that can withstand adversary electronic warfare operations... A second program called the Internet of Battlefield Things seeks to put to military use "the research that's going on in the commercial space" on distributed sensors and Internet-connected devices... One thrust will be equipping drones and other autonomous systems with bigger brains and better networking so that they can function even when an enemy jams their ability to radio back to a human controller for direction... "When you don't have bandwidth, when you're under cyber attack, when you're being jammed. That's the problem we're trying to address."
The lab's director also says they want "as much processing as possible on the node" so it can continue functioning in "contested environments."
Microsoft

Microsoft Launches A Counterattack Against Russia's 'Fancy Bear' Hackers (thedailybeast.com) 75

Kevin Poulsen writes on the Daily Beast: It turns out Microsoft has something even more formidable than Moscow's malware: Lawyers. Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft's trademarks... Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear... Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like "livemicrosoft[.]net" or "rsshotmail[.]com" that Fancy Bear registers under aliases for about $10 each. Once under Microsoft's control, the domains get redirected from Russia's servers to the company's, cutting off the hackers from their victims, and giving Microsoft a omniscient view of that servers' network of automated spies. "In other words," Microsoft outside counsel Sten Jenson explained in a court filing last year, "any time an infected computer attempts to contact a command-and-control server through one of the domains, it will instead be connected to a Microsoft-controlled, secure server."
Communications

Ask Slashdot: Someone Else Is Using My Email Address 459

periklisv writes: I daily receive emails from adult dating sites, loan services, government agencies, online retailers etc, all of them either asking me to verify my account, or, even worse, having signed me up to their service (especially dating sites), which makes me really uncomfortable, my being a married man with children... I was one of the early lucky people that registered a gmail address using my lastname@gmail.com. This has proven pretty convenient over the years, as it's simple and short, which makes it easy to communicate over the phone, write down on applications etc. However, over the past six months, some dude in Australia (I live in the EU) who happens to have the same last name as myself is using it to sign up to all sorts of services...

I tried to locate the person on Facebook, Twitter etc and contacted a few that seemed to match, but I never got a response. So the question is, how do you cope with such a case, especially nowadays that sites seem to ignore the email verification for signups?

Leave your best answers in the comments. What would you do if someone else started giving out your email address?
Encryption

Let's Encrypt Criticized Over Speedy HTTPS Certifications (threatpost.com) 175

100 million HTTPS certificates were issued in the last year by Let's Encrypt -- a free certificate authority founded by Mozilla, Cisco and the Electronic Frontier Foundation -- and they're now issuing more than 100,000 HTTPS certificates every day. Should they be performing more vetting? msm1267 shared this article from Kaspersky Lab's ThreatPost blog: [S]ome critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place. The primary concern has been that while the growth of SSL/TLS encryption is a positive trend, it also offers criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to sneak malware through company firewalls... Critics do not contend Let's Encrypt is responsible for these types of abuses. Rather, because it is the 800-pound gorilla when it comes to issuing basic domain validation certificates, critics believe Let's Encrypt could do a better job vetting applicants to weed out bad actors... "I think there should be some type of vetting process. That would make it more difficult for malicious actors to get them," said Justin Jett, director of audit and compliance at Plixer, a network traffic analytics firm...

Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt, points out that its role is not to police the internet, rather its mission is to make communications secure. He added that, unlike commercial certificate authorities, it keeps a searchable public database of every single domain it issues. "When people get surprised at the number of PayPal phishing sites and get worked up about it, the reason they know about it is because we allow anyone to search our records," he said. Many other certificate authorities keep their databases of issued certificates private, citing competitive reasons and that customers don't want to broadcast the names of their servers... The reason people treat us like a punching bag is that we are big and we are transparent. "

The criticism intensified after Let's Encrypt announced they'd soon offer wildcard certificates for subdomains. But the article also cites security researcher Scott Helme, who "argued if encryption is to be available to all then that includes the small percent of bad actors. 'I don't think it's for Signal, or Let's Encrypt, to decide who should have access to encryption."
Businesses

Verizon Accused of Throttling Netflix and YouTube, Admits To 'Video Optimization' (arstechnica.com) 50

New submitter dgatwood writes: According to an Ars Technica article, Verizon recently began experimenting with throttling of video traffic. The remarkable part of this story is not that a wireless ISP would throttle video traffic, but rather that Verizon's own Go90 video platform is also affected by the throttling. From the article, "Verizon Wireless customers this week noticed that Netflix's speed test tool appears to be capped at 10Mbps, raising fears that the carrier is throttling video streaming on its mobile network. When contacted by Ars this morning, Verizon acknowledged using a new video optimization system but said it is part of a temporary test and that it did not affect the actual quality of video. The video optimization appears to apply both to unlimited and limited mobile plans. But some YouTube users are reporting degraded video, saying that using a VPN service can bypass the Verizon throttling."
If even Verizon can get on board with throttling sans paid prioritization, why is Comcast so scared of the new laws that are about to go into effect banning it?

Mozilla

The New Firefox and Ridiculous Numbers of Tabs (metafluff.com) 198

An anonymous reader shares a blog post: I've got a Firefox profile with 1691 tabs. As you would expect, Firefox handled this profile quite poorly for a long time. I got used to multi-minute startup time, waiting 15-30 seconds for tabs from external apps to show up, and all manner of non-responsive behavior. And then, quite recently, everything changed. Right now, more effort is being put into making Firefox fast than I've seen since... well, since I've been working on Firefox. And I've been at Mozilla for more than a decade. Part of this effort is a project called Quantum Flow -- a bunch of engineers making changes that directly impact Firefox responsiveness. A lot of the improvement in this particular scenario is from Kevin Jones' work on bringing the overall cost of unloaded tabs as close to zero as possible. While the major work has landed, the work continues in Bug 906076. Test scenario: I took my 1691 tab browser profile, and did a wall-clock measurement of start-up time and memory use for Firefox versions 20, 30, 40, and 50 through 56. In the result, the person found that Firefox startup time has gotten worse over time... until Firefox 51.
Communications

AlphaBay Owner Used Email Address For Both AlphaBay and LinkedIn Profile. 138

BarbaraHudson writes: The Register is reporting that Alexandre Cazes, the 25-year-old Canadian running the dark web site AlphaBay, was using a hotmail address easily connected to him via his Linkdin profile to administer the site. From the report: "[A]ccording to U.S. prosecutors, he used his real email address, albeit a Hotmail address -- Pimp_Alex_91@hotmail.com -- as the administrator password for the marketplace software. As a result, every new user received a welcome email from that address when they signed up to the site, and everyone using its password recovery tool also received an email from that address. However, rather than carefully set up and then abandon that email address, it turns out that Alexandre Cazes -- Pimp Alex -- had been using that address for years. Cazes had also used his Pimp Alex Hotmail address as well as an email address from his own business -- EBX Technologies -- to set up online bank accounts and crypto-currency accounts. How did law enforcement know that Cazes was behind EBX Technologies? It was on his LinkedIn profile."

BarbaraHudson adds: "His laptop wasn't encrypted, so expect more arrests as AlphaBay users are tracked down."
PlayStation (Games)

Sony Using Copyright Requests To Remove Leaked PS4 SDK From the Web (arstechnica.com) 146

An anonymous reader quotes a report from Ars Technica: Sony appears to be using copyright law in an attempt to remove all traces of a leaked PlayStation 4 Software Development Kit (PS4 SDK) from the Web. That effort also seems to have extended in recent days to the forced removal of the mere discussion of the leak and the posting of a separate open source, homebrew SDK designed to be used on jailbroken systems. The story began a few weeks ago, when word first hit that version 4.5 of the PS4 SDK had been leaked online by a hacker going by the handle Kromemods. These SDKs are usually provided only to authorized PS4 developers inside development kits. The SDKs contain significant documentation that, once made public, can aid hackers in figuring out how to jailbreak consoles, create and install homebrew software, and enable other activities usually prohibited by the hardware maker (as we've seen in the wake of previous leaks of PlayStation 3 SDKs). While you can still find reference to the version 4.5 SDK leak on places like Reddit and MaxConsole, threads discussing and linking to those leaked files on sites like GBATemp and PSXhax, for example, appear to have been removed after the fact. Cached versions of those pages show links (now defunct) to download those leaked files, along with a message from KromeMods to "Please spread this as much as possible since links will be taken down... We will get nowhere if everything keeps private; money isn't everything." KromeMods notes on Twitter that his original tweet posting a link to the leaked files was also hit with a copyright notice from Sony.
The Internet

Swedish Rail Firm Approves Trainy McTrainface As Name Following Online Poll (theguardian.com) 88

Those disappointed when Britain rejected the name Boaty McBoatface for a polar research ship should find joy in the name of a new train in Sweden. After a public vote, a Swedish rail operator has vowed to name one of its trains Trainy McTrainface. The Guardian reports: Trainy McTrainface won 49% of the votes in the naming competition, conducted online by train operator MTR Express and Swedish newspaper Metro, beating choices such as Hakan, Miriam and Poseidon. The train will run between the Swedish capital Stockholm and Gothenburg, the country's second-biggest city. MTR said another train had been voted to be named "Glenn," an apparent tribute to an IFK Gothenburg soccer team of the 1980s that featured four players of that name -- uncommon in Sweden -- including Glenn Hysen, who later captained Liverpool.
The Courts

Judge Rules That Government Can Force Glassdoor To Unmask Anonymous Users Online (arstechnica.com) 119

pogopop77 shares a report from Ars Technica: An appeals court will soon decide whether the U.S. government can unmask anonymous users of Glassdoor -- and the entire proceeding is set to happen in secret. Federal investigators sent a subpoena asking for the identities of more than 100 anonymous users of the business-review site Glassdoor, who apparently posted reviews of a company that's under investigation for potential fraud related to its contracting practices. The government later scaled back its demand to just eight users. Prosecutors believe these eight Glassdoor users are "third-party witnesses to certain business practices relevant to [the] investigation." The name of the company under investigation is redacted from all public briefs. Glassdoor made a compromise proposal to the government: it would notify the users in question about the government's subpoena and then provide identifying information about users who were willing to participate. The government rejected that idea. At that point, Glassdoor lawyered up and headed to court, seeking to have the subpoena thrown out. Lawyers for Glassdoor argued that its users have a First Amendment right to speak anonymously. While the company has "no desire to interfere" with the investigation, if its users were forcibly identified, the investigation "could have a chilling effect on both Glassdoor's reviewers' and readers' willingness to use glassdoor.com," states Glassdoor's motion (PDF). The government opposed the motion, though, and prevailed in district court.
Crime

Authorities Take Down Hansa Dark Web Market, Confirm AlphaBay Takedown (bleepingcomputer.com) 40

An anonymous reader writes via Bleeping Computer: Today, in coordinated press releases, the U.S. Department of Justice (DOJ) and Europol announced the takedown of two Dark Web marketplaces -- AlphaBay and Hansa Market. First to fall was the Hansa Market after Dutch officers seized control over their servers located inside one of the country's hosting providers. Dutch Police seized Hansa servers on June 20, but the site was allowed to operate for one more month as officers gathered more evidence about its clientele. The Hansa honeypot received an influx of new users as the FBI shut down AlphaBay on July 5, a day after it took control over servers on July 4. Europol and the FBI say they collected mountains of evidence such as "usernames and passwords of thousands of buyers and sellers of illicit commodities" and "delivery addresses for a large number of orders." FBI Active Director McCabe said AlphaBay was ten times larger than Silk Road, with over 350,000 listings. In opposition, Silk Road, which authorities seized in November 2013, listed a meager 14,000 listings for illicit goods and services at the time authorities took down the service.
Piracy

Game of Thrones Pirates Being Monitored By HBO, Warnings On The Way (torrentfreak.com) 282

HBO is leaving no stones unturned in keeping Game of Thrones' piracy under control. The company is monitoring various popular torrent swarms and sending thousands of warnings targeted at internet subscribers whose connections are used to share the season 7 premiere of the popular TV series, reports TorrentFreak: Soon after the first episode of the new season appeared online Sunday evening, the company's anti-piracy partner IP Echelon started sending warnings targeted at torrenting pirates. The warnings in question include the IP-addresses of alleged BitTorrent users and ask the associated ISPs to alert their subscribers, in order to prevent further infringements. "We have information leading us to believe that the IP address xx.xxx.xxx.xx was used to download or share Game of Thrones without authorization," the notification begins. "HBO owns the copyright or exclusive rights to Game of Thrones, and the unauthorized download or distribution constitutes copyright infringement. Downloading unauthorized or unknown content is also a security risk for computers, devices, and networks." Under US copyright law, ISPs are not obligated to forward these emails, which are sent as a DMCA notification. However, many do as a courtesy to the affected rightsholders. The warnings are not targeted at a single swarm but cover a wide variety of torrents. TorrentFreak has already seen takedown notices for the following files, but it's likely that many more are being tracked.
Businesses

Why is Comcast Using Self-driving Cars To Justify Abolishing Net Neutrality? (theverge.com) 223

Earlier this week, Comcast filed its comments in favor of the FCC's plan to eliminate the 2015 net neutrality rules. While much of the document was devoted to arguments we've heard before -- Comcast believes the current rules are anti-competitive and hurt investment, but generally supports the principles of net neutrality -- one statement stood out. The Verge adds: Buried in the 161-page document was this quirky assertion (emphasis ours): "At the same time, the Commission also should bear in mind that a more flexible approach to prioritization may be warranted and may be beneficial to the public... And paid prioritization may have other compelling applications in telemedicine. Likewise, for autonomous vehicles that may require instantaneous data transmission, black letter prohibitions on paid prioritization may actually stifle innovation instead of encouraging it. In other words, Comcast is arguing for paid prioritization and internet fast lanes to enable self-driving cars to communicate better with other vehicles and their surrounding environment, thus making them a safer and more efficient mode of transportation. The only problem is that autonomous and connected cars don't use wireless broadband to communicate. When cars talk with each other, they do it by exchanging data wirelessly over an unlicensed spectrum called the Dedicated Short Range Communications (DSRC) band, using technology similar to Wi-Fi. The FCC has set aside spectrum in the 5.9GHz band specifically for this purpose, and it is only meant to be used for vehicle-to-everything (V2X) applications. That includes vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), and vehicle-to-pedestrian (V2P) -- so cars talking to other cars, to traffic signals, to the phone in your pocket... you name it. Soon enough, all cars sold in the US will be required to include V2V technology for safety purposes, if the Department of Transportationâ(TM)s new rule goes into effect.
EU

EU Court to Rule On 'Right to Be Forgotten' Outside Europe (wsj.com) 181

The European Union's top court is set to decide whether the bloc's "right to be forgotten" policy stretches beyond Europe's borders, a test of how far national laws can -- or should -- stretch when regulating cyberspace. From a report: The case stems from France, where the highest administrative court on Wednesday asked the EU's Court of Justice to weigh in on a dispute between Alphabet's Google and France's privacy regulator over how broadly to apply the right (Editor's note: the link could be paywalled; alternative source), which allows EU residents to ask search engines to remove some links from searches for their own names. At issue: Can France force Google to apply it not just to searches in Europe, but anywhere in the world? The case will set a precedent for how far EU regulators can go in enforcing the bloc's strict new privacy law. It will also help define Europe's position on clashes between governments over how to regulate everything that happens on the internet -- from political debate to online commerce. France's regulator says enforcement of some fundamental rights -- like personal privacy -- is too easily circumvented on the borderless internet, and so must be implemented everywhere. Google argues that allowing any one country to apply its rules globally risks upsetting international law and, when it comes to content, creates a global censorship race among autocrats.
Privacy

Ask Slashdot: Is Password Masking On Its Way Out? 234

New submitter thegreatbob writes: Perhaps you've noticed in the last 5 years or so, progressively more entities have been providing the ability to reveal the contents of a password field. While this ability is, in many cases (especially on devices with lousy keyboards), legitimately useful, it does seem to be a reasonable source of concern. Fast forward to today; I was setting up a new router (cheapest dual-band router money can, from Tenda) and I was almost horrified to discover that it does not mask any of its passwords by default. So I ask Slashdot: is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?
Communications

FCC Refuses To Release Text of More Than 40,000 Net Neutrality Complaints (arstechnica.com) 63

An anonymous reader quotes a report from Ars Technica: The Federal Communications Commission has denied a request to extend the deadline for filing public comments on its plan to overturn net neutrality rules, and the FCC is refusing to release the text of more than 40,000 net neutrality complaints that it has received since June 2015. The National Hispanic Media Coalition (NHMC) filed a Freedom of Information Act (FoIA) request in May of this year for tens of thousands of net neutrality complaints that Internet users filed against their ISPs. The NHMC argues that the details of these complaints are crucial for analyzing FCC Chairman Ajit Pai's proposal to overturn net neutrality rules. The coalition also asked the FCC to extend the initial comment deadline until 60 days after the commission fully complies with the FoIA request. A deadline extension would have given people more time to file public comments on the plan to eliminate net neutrality rules. Instead, the FCC yesterday denied the motion for an extension and said that it will only provide the text for a fraction of the complaints, because providing them all would be too burdensome.
Security

Should We Ignore the South Carolina Election Hacking Story? (securityledger.com) 138

chicksdaddy provides five (or more) "good" reasons why we should ignore the South Carolina election hacking story that was reported yesterday. According to yesterday's reports, South Carolina's voter-registration system was hit with nearly 150,000 hack attempts on election day. Slashdot reader chicksdaddy writes from an opinion piece via The Security Ledger: What should we make of the latest reports from WSJ, The Hill, etc. that South Carolina's election systems were bombarded with 150,000 hacking attempts? Not much, argues Security Ledger in a news analysis that argues there are lots of good reasons to ignore this story, if not the very real problem of election hacking. The stories were based on this report from The South Carolina Election Commission. The key phrase in that report is "attempts to penetrate," Security Ledger notes. Information security professionals would refer to that by more mundane terms like "port scans" or probes. These are kind of the "dog bites man" stories of the cyber beat -- common (here's one from 2012 US News & World Report) but ill informed. "The kinds of undifferentiated scans that the report is talking about are the internet equivalent of people driving slowly past your house." While some of those 150,000 attempts may well be attempts to hack South Carolina's elections systems, many are undifferentiated, while some may be legitimate, if misdirected. Whatever the case, they're background noise on the internet and hardly unique to South Carolina's voter registration systems. They're certainly not evidence of sophisticated, nation-state efforts to crack the U.S. election system by Russia, China or anyone else, Security Ledger argues. "The problem with lumping all these 'hacking attempts' in the same breath as you talk about sophisticated and targeted attacks on the Clinton Campaign, the DCCC, and successful penetration of some state election boards is that it dramatically distorts the nature and scope of the threat to the U.S. election system which -- again -- is very real." The election story is one "that demands thoughtful and pointed reporting that can explore (and explode) efforts by foreign actors to subvert the U.S. vote and thus its democracy," the piece goes on to argue. "That's especially true in an environment in which regulators and elected officials seem strangely incurious about such incidents and disinclined to investigate them."
Bug

Flaw In IoT Security Cameras Leaves Millions of Devices Open To Hackers (vice.com) 53

New submitter Aliciadivo writes: A nasty vulnerability found in Axis security cameras could allow hackers to take full control of several types of Internet of Things devices, and in some cases, software programs, too. The Senrio research team found that devices and software programs using an open source software library called gSOAP to enable their product to communicate to the internet could be affected. Stephen Ridley, founder of Senrio, said: "I bet you all these other manufacturers have the same vulnerability throughout their product lines as well. It's a vulnerability in virtually every IoT device [...] Every kind of device you can possibly think of." A spokesperson for ONVIF, an electronics industry consortium that includes Axis and has includes some members that use gSOAP, said it has notified its members of the flaw, but it's not "up to each member to handle this in the way they best see fit." Also, gSOAP "is not in any way mandated by the ONVIF specifications, but as SOAP is the base for the ONVIF API, it is possible that ONVIF members would be affected." Hundreds of thousands of devices might be affected, as a search for the term "Axis" on Shodan, an engine that scours the internet for vulnerable devices, returns around 14,000 results. You can view Senrio Labs' video on the exploit (which they refer to as the "Devil's Ivy Exploit") here.
Social Networks

Nearly 90,000 Sex Bots Invaded Twitter in 'One of the Largest Malicious Campaigns Ever Recorded on a Social Network' (gizmodo.com) 53

An anonymous reader shares a report: Last week, Twitter's security team purged nearly 90,000 fake accounts after outside researchers discovered a massive botnet peddling links to fake "dating" and "romance" services. The accounts had already generated more than 8.5 million posts aimed at driving users to a variety of subscription-based scam websites with promises of -- you guessed it -- hot internet sex. The accounts were first identified by ZeroFOX, a Baltimore-based security firm that specializes in social-media threat detection. The researchers dubbed the botnet "SIREN" after sea-nymphs described in Greek mythology as half-bird half-woman creatures whose sweet songs often lured horny, drunken sailors to their rocky deaths. ZeroFOX's research into SIREN offers a rare glimpse into how efficient scammers have become at bypassing Twitter's anti-spam techniques. Further, it demonstrates how effective these types of botnets can be: The since-deleted accounts collectively generated upwards of 30 million clicks -- easily trackable since the links all used Google's URL shortening service.
Google

Google Bolsters Security To Prevent Another Google Docs Phishing Attack (zdnet.com) 25

Google is adding a set of features to its security roster to prevent a second run of last month's massive phishing attack. From a report: The company is adding warnings and interstitial screens to warn users that an app they are about to use is unverified and could put their account data at risk. This so-called "unverified app" screen will land on all new web apps that connect to Google user accounts to prevent a malicious app from appearing legitimate. Any Google Chrome user landing on a hacked or malicious website will recognize the prompt as the red warning screen. Some existing apps will also have to go through the same verification process as new apps, Google said. Google also said it will add those warnings to its Apps Scripts, which let Google use custom macros and add-ons for its productivity apps, like Google Docs.

Slashdot Top Deals