The Internet

Manchester Attack Could Lead To Internet Crackdown (independent.co.uk) 105

New submitter boundary writes: The UK government looks to be about to put the most egregious parts of the Investigative Powers Act into force "soon after the election" (which is in a couple of weeks) in the wake of the recent bombing in Manchester. "Technical Capability Orders" require tech companies to break their own security. I wonder who'll comply? The Independent reports: "Government will ask parliament to allow the use of those powers if Theresa May is re-elected, senior ministers told The Sun. 'We will do this as soon as we can after the election, as long as we get back in,' The Sun said it was told by a government minister. 'The level of threat clearly proves there is no more time to waste now. The social media companies have been laughing in our faces for too long.'"
Databases

Vermont DMV Caught Using Illegal Facial Recognition Program (vocativ.com) 52

schwit1 quotes a report from Vocativ: The Vermont Department of Motor Vehicles has been caught using facial recognition software -- despite a state law preventing it. Documents obtained by the American Civil Liberties Union of Vermont describe such a program, which uses software to compare the DMV's database of names and driver's license photos with information with state and federal law enforcement. Vermont state law, however, specifically states that "The Department of Motor Vehicles shall not implement any procedures or processes that involve the use of biometric identifiers." The program, the ACLU says, invites state and federal agencies to submit photographs of persons of interest to the Vermont DMV, which it compares against its database of some 2.6 million Vermonters and shares potential matches. Since 2012, the agency has run at least 126 such searches on behalf of local police, the State Department, FBI, and Immigrations and Customs Enforcement.
Robotics

Robot Police Officer Goes On Duty In Dubai (bbc.com) 35

The first robot officer has joined the Dubai Police force tasked with patrolling the city's malls and tourist attractions. "People will be able to use it to report crimes, pay fines and get information by tapping a touchscreen on its chest," reports BBC. "Data collected by the robot will also be shared with the transport and traffic authorities." From the report: The government said the aim was for 25% of the force to be robotic by 2030 but they would not replace humans. "We are not going to replace our police officers with this tool," said Brig Khalid Al Razooqi, director general of smart services at Dubai Police. "But with the number of people in Dubai increasing, we want to relocate police officers so they work in the right areas and can concentrate on providing a safe city. "Most people visit police stations or customer service, but with this tool we can reach the public 24/7. It can protect people from crime because it can broadcast what is happening right away to our command and control center."
Government

The Trump Administration Wants To Be Able To Track and Hack Your Drone (fastcompany.com) 188

An anonymous reader shares a report: The Trump administration wants federal agencies to be able to track, hack, or even destroy drones that pose a threat to law enforcement and public safety operations, The New York Times reports. A proposed law, if passed by Congress, would let the government take down unmanned aircraft posing a danger to firefighting and search-and-rescue missions, prison operations, or "authorized protection of a person." The government will be required to respect "privacy, civil rights, and civil liberties" when exercising that power, the draft bill says. But records of anti-drone actions would be exempt from public disclosure under freedom of information laws, and people's right to sue over damaged and seized drones would be limited, according to the text of the proposal published by the Times. The administration, which would not comment on the proposal, scheduled a classified briefing on Wednesday for congressional staff members to discuss the issue.
Security

Wikimedia Is Clear To Sue the NSA Over Its Use of Warrantless Surveillance Tools (engadget.com) 56

The Wikimedia Foundation has the right to sue the National Security Agency over its use of warrantless surveillance tools, a federal appeals court ruled. "A district judge shot down Wikimedia's case in 2015, saying the group hadn't proved the NSA was actually illegally spying on its communications," reports Engadget. "In this case, proof was a tall order, considering information about the targeted surveillance system, Upstream, remains classified." From the report: The appeals court today ruled Wikimedia presented sufficient evidence that the NSA was in fact monitoring its communications, even if inadvertently. The Upstream system regularly tracks the physical backbone of the internet -- the cables and routers that actually transmit our emoji. With the help of telecom providers, the NSA then intercepts specific messages that contain "selectors," email addresses or other contact information for international targets under U.S. surveillance. "To put it simply, Wikimedia has plausibly alleged that its communications travel all of the roads that a communication can take, and that the NSA seizes all of the communications along at least one of those roads," the appeals court writes. "Thus, at least at this stage of the litigation, Wikimedia has standing to sue for a violation of the Fourth Amendment. And, because Wikimedia has self-censored its speech and sometimes forgone electronic communications in response to Upstream surveillance, it also has standing to sue for a violation of the First Amendment."
Security

DEFCON Conference To Target Voting Machines (politico.com) 105

An anonymous reader quotes a report from Politico: Hackers will target American voting machines -- as a public service, to prove how vulnerable they are. When over 25,000 of them descend on Caesar's Palace in Las Vegas at the end of July for DEFCON, the world's largest hacking conference, organizers are planning to have waiting what they call "a village" of different opportunities to test how easily voting machines can be manipulated. Some will let people go after the network software remotely, some will be broken apart to let people dig into the hardware, and some will be set up to see how a prepared hacker could fiddle with individual machines on site in a polling place through a combination of physical and virtual attacks. With all the attention on Russia's apparent attempts to meddle in American elections -- former President Barack Obama and aides have made many accusations toward Moscow, but insisted that there's no evidence of actual vote tampering -- voting machines were an obvious next target, said DEFCON founder Jeff Moss.
Microsoft

Microsoft Announces 'Windows 10 China Government Edition', Lets Country Use Its Own Encryption (windows.com) 108

At an event in China on Tuesday, Microsoft announced yet another new version of Windows 10. Called Windows 10 China Government Edition, the new edition is meant to be used by the Chinese government and state-owned enterprises, ending a standoff over the operating system by meeting the government's requests for increased security and data control. In a blog post, Windows chief Terry Myerson writes: The Windows 10 China Government Edition is based on Windows 10 Enterprise Edition, which already includes many of the security, identity, deployment, and manageability features governments and enterprises need. The China Government Edition will use these manageability features to remove features that are not needed by Chinese government employees like OneDrive, to manage all telemetry and updates, and to enable the government to use its own encryption algorithms within its computer systems.
Microsoft

Microsoft Says a Chinese 'Gaming Service' Company Is Hacking Xbox Accounts (theverge.com) 31

An anonymous reader shares a report: Since 2015, a Chinese gaming website has been hacking Xbox accounts and selling the proceeds on the open market, according to a complaint filed by Microsoft in federal court on Friday. On its website, iGSKY presents itself as a gaming service company, offering players a way to pay for in-game credits and rare items -- but according to Microsoft, many of those credits were coming from someone else's wallet. The complaint alleges that the company made nearly $2 million in purchases through hacked accounts and their associated credit cards, using purchases as a way to launder the resulting cash. On the site, cheap in-game points are also available for the FIFA games, Forza Horizon 3, Grand Theft Auto V, and Pokemon Go, among others.
Debian

Privacy-Focused Debian-Based Tails 3.0 Reaches RC Status (betanews.com) 32

BrianFagioli quotes BetaNews: Today, Tails achieves an important milestone. Version 3.0 reaches RC status -- meaning the first release candidate (RC1). In other words, it may soon be ready for a stable release -- if testing confirms as much. If you want to test it and provide feedback, you can download the ISO now. This is quite the significant upgrade, as the operating system is moving to a new base — Debian 9 "Stretch." The Debian kernel gets upgraded to 4.9.0-3, which is based on Linux kernel 4.9.25. As previously reported back in February, Tails 3.0 will drop 32-bit processor support too.

Using Tor is a huge part of the privacy aspect of Tails, and the tor web browser sees an update to 7.0a4. Tor itself is updated to 0.3.0.7-1. Less important is the move from Icedove to Thunderbird for email. This is really in name only, as Debian has begun using the "Thunderbird" branding again. From a feature perspective, it is inconsequential.

Government

Julian Assange Still Faces Legal Jeopardy In Three Countries (chicagotribune.com) 234

Though Sweden dropped an investigation into rape allegations against Julian Assange, "I can conclude, based on the evidence, that probable cause for this crime still exists," chief prosecutor Marianne Ny told reporters in Stockholm. An anonymous reader quotes Newsweek: Ny stressed in her statement Friday that the investigation could be reopened before the statute of limitations on the case expires in 2020. If Assange "went into British custody, then the Swedes may well revisit their decision ⦠as extradition is suddenly easier", tweeted legal expert David Allen Green. Assange failed to answer a bail hearing when he took refuge in the embassy, resulting in an active warrant for his arrest by London's Metropolitan Police, punishable by up to a year in prison. Foremost of Assange's concerns is possible extradition to the U.S., where he he could be detained on espionage charges... Ecuador has offered Assange asylum should he be able to leave Britain.
Meanwhile, The Chicago Tribune reports that "a federal inquiry is widely assumed to be underway by prosecutors in Virginia." According to a former senior Justice Department official, who requested anonymity to discuss the Assange case, American authorities are now presented with a "cat and mouse game." "The decision on whether to indict him rests largely on whether they can get their hands on him," the former official said. Indicting the head of an organization such as WikiLeaks presents a huge number of First Amendment issues, but the Trump White House has indicated such issues may be less of a hurdle than during previous administrations. Prosecutors could seek a sealed indictment -- or may have one already -- to be unveiled if and when Assange strays within reach of American law enforcement, the former official said.
Networking

Netgear Adds Support For "Collecting Analytics Data" To Popular R7000 Router 109

An anonymous reader writes: Netgear's latest firmware update for the R7000 includes new support for collecting analytics data. The update release notes include this caution:

NOTE:It is strongly recommended that after the firmware is updated to this version, log back in to the router s web GUI and configure the settings for this feature.

An article on Netgear's KB states updated last week that Netgear collects information including IP addresses, MAC, certain WiFi information, and information about connected devices.

Transportation

Delta Airlines Tests Facial Recognition To Speed Up Baggage Check-In (cnn.com) 57

Would you let Delta airlines scan your face if it meant you could skip the line to check-in your baggage? An anonymous reader quotes CNN: Delta is testing a face-scanning kiosk for baggage check... It uses facial recognition technology to match your identity to your passport photo. You tag your own bags, pay the fee and drop your luggage on a conveyor belt... Delta will test four of the machines at Minneapolis-St. Paul International Airport this summer. The airline spent $600,000 on the four kiosks.
A senior staff attorney at the EFF warns this could be a slippery slope -- at what point this morphs into airline surveillance? But a Delta spokerspeson insists the images won't be stored, that they're complying with privacy laws, and that the kiosks could double the number of passengers whisking through their check-in procedures.
Blackberry

BlackBerry Working With Automakers On Antivirus Tool For Your Car (reuters.com) 45

An anonymous reader quotes a report from Reuters: BlackBerry is working with at least two automakers to develop a security service that would remotely scan vehicles for computer viruses and tell drivers to pull over if they were in critical danger, according to a financial analyst. The service, which would also be able to install security patches to an idle car, is being tested by luxury automakers Aston Martin and Range Rover. The service could be launched as early as next year, generating about $10 a month per vehicle for BlackBerry, according to Papageorgiou, who has followed BlackBerry for more than 15 years. Vehicles increasingly rely on dozens of computers that connect to each other as well as the internet, mobile networks and Bluetooth communications systems that make them vulnerable to remote hacks.
Windows

Almost All WannaCry Victims Were Running Windows 7 (theverge.com) 123

An anonymous reader quotes a report from The Verge: According to data released today by Kaspersky Lab, roughly 98 percent of the computers affected by the ransomware were running some version of Windows 7, with less than one in a thousand running Windows XP. 2008 R2 Server clients were also hit hard, making up just over 1 percent of infections. Windows 7 is still by far the most common version of Windows, running on roughly four times as many computers as Windows 10 worldwide. Since more recent versions of Windows aren't vulnerable to WannaCry, it makes sense that most of the infections would hit computers running 7. Still, the stark disparity emphasizes how small of a role Windows XP seems to have played in spreading the infection, despite early concerns about the outdated operating system. The new figures also bear on the debate over Microsoft's patching practices, which generated significant criticism in the wake of the attack. Microsoft had released a public patch for Windows 7 months before the attack, but the patch for Windows XP was only released as an emergency measure after the worst of the damage had been done. The patch was available earlier to paying Custom Support customers, but most XP users were left vulnerable, each unpatched computer a potential vector to spread the ransomware further. Still, Kaspersky's figures suggest that unpatched XP devices played a relatively small role in the spread of the ransomware.
United States

Federal Agents Used a Stingray To Track an Immigrant's Phone (detroitnews.com) 103

An anonymous reader shares a report: Investigators from Immigration and Custom Enforcement as well as the FBI have been using controversial cell-spoofing devices to secretly track down undocumented immigrants, court records show. According to a report the Detroit News, which obtained an unsealed federal search warrant affidavit, FBI and ICE agents in Michigan used a Stingray device to ensnare a restaurant worker from El Salvador in March. The devices, which were originally intended for counter-terrorism use, have come under fire because there are currently no clear rules governing when law enforcement is allowed to deploy them. Even in cases where authorities have a clear target in mind, they run the risk of exposing personal information of other innocent people in range. Until 2015, Federal investigators were free to deploy the devices without a search warrant. At that point the Justice Department laid out a policy requiring investigators get approval to use the devices first.
Twitter

A Bug in Twitter's Old Vine App May Have Exposed Your Email (cnet.com) 6

An anonymous reader shares a report: If you had a Vine account, there's an alert you may want to know about. The video app, which Twitter bought in 2012 and shut down last year after its six-second videos failed to take off, sent out emails to some users Friday alerting them to a vulnerability in its service. Yeah, that's right, Vine is dead, but your account may have been compromised anyway. Apparently, the "bug" potentially exposed email addresses to hackers or other "third parties under certain circumstances." The vulnerability apparently existed for less than 24 hours, or 14,400 Vine videos. "We take these incidents very seriously, and we're sorry this occurred," Vine wrote in its email. It also said the information exposed could not be used to access accounts, and there were no indications any of the data had been misused.
Security

French Researchers Find Last-ditch Cure To Unlock WannaCry Files (reuters.com) 36

French researchers said on Friday they had found a last-chance way for technicians to save Windows files encrypted by WannaCry, racing against a deadline as the ransomware threatens to start locking up victims' computers first infected a week ago. From a report: WannaCry, which started to sweep round the globe last Friday and has infected more than 300,000 computers in 150 nations, threatens to lock out victims who have not paid a sum of $300 to $600 within one week of infection. A loose-knit team of security researchers scattered across the globe said they had collaborated to develop a workaround to unlock the encryption key for files hit in the global attack, which several independent security researchers have confirmed. The researchers warned that their solution would only work in certain conditions, namely if computers had not been rebooted since becoming infected and if victims applied the fix before WannaCry carried out its threat to lock their files permanently. Also see: Windows XP PCs Infected By WannaCry Can Be Decrypted Without Paying Ransom.
Security

Hacker Steals 17 Million Zomato Users' Data, Briefly Puts It On Dark Web (hackread.com) 32

Waqas reports via Hack Read: Recently, HackRead found out a vendor going by the online handle of âoenclayâ is claiming to have hacked Zomato and selling the data of its 17 million registered users on a popular Dark Web marketplace. The database includes emails and password hashes of registered Zomato users while the price set for the whole package is USD 1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit. Here's a screenshot of the sample data publicly shared by "nclay." Upon testing the sample data on Zomato.com's login page, it was discovered that each and every account mentioned in the list exists on Zomato. Although Zomato didn't reply to our email but in their latest blog post the company has acknowledged the breach. Here's a full preview of the blog post published by Zomato 7hours ago: "Over 120 million users visit Zomato every month. What binds all of these varied individuals is the desire to enjoy the best a city has to offer, in terms of food. When Zomato users trust us with their personal information, they naturally expect the information to be safeguarded. And that's something we do diligently, without fail. We take cyber security very seriously -- if you've been a regular at Zomato for years, you'd agree."
Databases

Font Sharing Site DaFont Has Been Hacked, Exposing Thousands of Accounts (zdnet.com) 17

A popular font sharing site DaFont.com has been hacked, resulting in usernames, email addresses, and hashed passwords of 699,464 user accounts being stolen. ZDNet reports: The passwords were scrambled with the deprecated MD5 algorithm, which nowadays is easy to crack. As such, the hacker unscrambled over 98 percent of the passwords into plain text. The site's main database also contains the site's forum data, including private messages, among other site information. At the time of writing, there were over half-a-million posts on the site's forums. The hacker told ZDNet that he carried out his attack after he saw that others had also purportedly stolen the site's database. "I heard the database was getting traded around so I decided to dump it myself -- like I always do," the hacker told me. Asked about his motivations, he said it was "mainly just for the challenge [and] training my pentest skills." He told me that he exploited a union-based SQL injection vulnerability in the site's software, a flaw he said was "easy to find." The hacker provided the database to ZDNet for verification.

Slashdot Top Deals