Compare cell phone plans using Wirefly's innovative plan comparison tool ×
United Kingdom

British Companies Are Selling Advanced Spy Tech To Authoritarian Regimes (vice.com) 54

An anonymous reader quotes a report from Motherboard: Since early 2015, over a dozen UK companies have been granted licenses to export powerful telecommunications interception technology to countries around the world, Motherboard has learned. Many of these exports include IMSI-catchers, devices which can monitor large numbers of mobile phones over broad areas. Some of the UK companies were given permission to export their products to authoritarian states such as Saudi Arabia, the United Arab Emirates, Turkey, and Egypt; countries with poor human rights records that have been well-documented to abuse surveillance technology. In 2015, the UK's Department for Business, Innovation and Skills (BIS) started publishing basic data about the exportation of telecommunications interception devices. Through the Freedom of Information Act, Motherboard obtained the names of companies that have applied for exportation licenses, as well as details on the technologies being shipped, including, in some cases, individual product names. The companies include a subsidiary of defense giant BAE Systems, as well as Pro-Solve International, ComsTrac, CellXion, Cobham, and Domo Tactical Communications (DTC). Many of these companies sell IMSI-catchers. IMSI-catchers, sometimes known as "Stingrays" after a particularly popular brand, are fake cell phone towers which force devices in their proximity to connect. In the data obtained by Motherboard, 33 licenses are explicitly marked as being for IMSI-catchers, including for export to Turkey and Indonesia. Other listings heavily suggest the export of IMSI-catchers too: one granted application to export to Iraq is for a "Wideband Passive GSM Monitoring System," which is a more technical description of what many IMSI-catchers do. In all, Motherboard received entries for 148 export license applications, from February 2015 to April 2016. A small number of the named companies do not provide interception capabilities, but defensive measures, for example to monitor the radio spectrum.
The Almighty Buck

Amazon Is Testing a 30-Hour, 75% Salary Workweek (washingtonpost.com) 161

Amazon is planning a pilot program in which a select group of workers will need to work for 30 hours a week, instead of the usual 40 to 70 hours, and make 75 percent of the salary + benefits (alternate source). From the report:Currently, the pilot program will be small, consisting of a few dozen people. These teams will work on tech products within the human resources division of the company, working Monday through Thursday from 10 a.m. to 2 p.m., with additional flex hours. Their salaries will be lower than 40-hour workers, but they will have the option to transition to full-time if they choose. Team members will be hired from inside and outside the company. As of now, Amazon does not have plans to alter the 40-hour workweek on a companywide level, the spokesman said.
Security

Dropbox Is Urging Users To Reset Their Passwords (fortune.com) 30

Dropbox is forcing a number of users to change their passwords after the cloud storage company found some account details linked to an old data breach. "The next time you visit dropbox.com, you may be asked to create a new password. We proactively initiated this password update prompt for Dropbox users who meet certain criteria," the company writes on its website. Fortune reports: The popular cloud storage said the move was related to the theft of an old set of Dropbox credentials, dating back to 2012. So the users the company has contacted are those who created Dropbox accounts before mid-2012 and have not updated their passwords since that time. Dropbox disclosed in July 2012 that some users were getting spammed, and the cause appeared to be the theft of usernames and passwords from other websites. As is often the case, some people reuse their usernames and passwords across different web services. (If it still needs saying, you really shouldn't reuse your passwords, ever.)
Medicine

The Big Short: Security Flaws Fuel Bet Against St. Jude (securityledger.com) 74

chicksdaddy writes: "Call it The Big Short -- or maybe just the medical device industry's 'Shot Heard Round The World': a report from Muddy Waters Research recommends that its readers bet against (or 'short') St. Jude Medical after learning of serious security vulnerabilities in a range of the company's implantable cardiac devices," The Security Ledger reports. "The Muddy Waters report on St. Jude's set off a steep sell off in St. Jude Medical's stock, which finished the day down 5%, helping to push down medical stocks overall. The report cites the 'strong possibility that close to half of STJ's revenue is about to disappear for approximately two years' as a result of 'product safety' issues stemming from remotely exploitable vulnerabilities in STJ's pacemakers, implantable cardioverter defibrillator (ICD), and cardiac resynchronization therapy (CRT) devices. The vulnerabilities are linked to St. Jude's Merlin at home remote patient management platform, said Muddy Waters. The firm cited research by MedSec Holdings Ltd., a cybersecurity research firm that identified the vulnerabilities in St. Jude's ecosystem. Muddy Waters said that the affected products should be recalled until the vulnerabilities are fixed. In an e-mail statement to Security Ledger, St. Jude's Chief Technology Officer, Phil Ebeling, called the allegations 'absolutely untrue.' 'There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin at home and on all our devices,' Ebeling said."

More controversial: MedSec CEO Justine Bone acknowledged in an interview with Bloomberg that her company did not first reach out to St. Jude to provide them with information on the security holes before working with Muddy Waters. Information security experts who have worked with the medical device industry to improve security expressed confusion and dismay. "If safety was the goal then I think (MedSec's) execution was poor," said Joshua Corman of The Atlantic Institute and I Am The Cavalry. "And if profit was the goal it may come at the cost of safety. It seems like a high stakes game that people may live to regret."

Patents

Apple Patenting a Way To Collect Fingerprints, Photos of Thieves (appleinsider.com) 87

An anonymous reader quotes a report from Apple Insider: As published by the U.S. Patent and Trademark Office, Apple's invention covering "Biometric capture for unauthorized user identification" details the simple but brilliant -- and legally fuzzy -- idea of using an iPhone or iPad's Touch ID module, camera and other sensors to capture and store information about a potential thief. Apple's patent is also governed by device triggers, though different constraints might be applied to unauthorized user data aggregation. For example, in one embodiment a single failed authentication triggers the immediate capture of fingerprint data and a picture of the user. In other cases, the device might be configured to evaluate the factors that ultimately trigger biometric capture based on a set of defaults defined by internal security protocols or the user. Interestingly, the patent application mentions machine learning as a potential solution for deciding when to capture biometric data and how to manage it. Other data can augment the biometric information, for example time stamps, device location, speed, air pressure, audio data and more, all collected and logged as background operations. The deemed unauthorized user's data is then either stored locally on the device or sent to a remote server for further evaluation.
Encryption

PSA: PlayStation Network Gets Two-Step Verification (arstechnica.com) 41

Consider this a public service announcement: Sony has (finally) added two-factor authentication to PlayStation Network accounts. If you're a PlayStation user and are reading this right now, you really should go set it up so that someone doesn't try to take over your account and steal your password. Ars Technica details how you can set up the new security features: "Turn on your PS4 and go to Settings -> PlayStation Network Account Management -> Account Information -> Security -> 2-Step Verification. You can also set it up through the web by logging into your PSN account on the web and going through the Security tab under the Account header. From there, on-screen instructions will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security for your PSN account. Two-factor support is not available when logging on to older PlayStation systems, so Sony recommends you generate a 'device setup password' to help protect the PS3, Vita, or PSP." Two-factor authentication comes five years after hackers breached PSN's security and stole 77 million accounts.
Communications

FCC Proposes 5G Cybersecurity Requirements, Asks For Industry Advice (fedscoop.com) 29

Presto Vivace quotes a report from FedScoop: "Cybersecurity issues must be addressed during the design phase for the entire 5G ecosystem, including devices. This will place a premium on collaboration among all stakeholders," said FCC chairman Tom Wheeler during a National Press Club event on June 20. "We continue to prefer an approach that emphasizes that industry develop cybersecurity standards just as we have done in wired networks." The FCC published a request Wednesday for comment on a new set of proposed 5G rules to the Federal Register focused on adding specific "performance requirements" for developers of example internet-connected devices. If a company hopes to secure a license to access higher-frequency 5G spectrum in the future then they will need to adhere to these specific requirements -- in other words, compliance is non-negotiable. Notably, these FCC "performance requirements" now include the submission of a network security plan. The report adds: "A quick review of the FCC's proposed 5G cybersecurity plan shows a six category split, organized by a companies' security approach, coordination efforts, standards and best practices, participation with standards bodies, other security approaches and plans with information sharing organizations. Security plans must be submitted to the commission at least six months before a 5G-ready product enters the market, according to the notice."
Wireless Networking

Italy Quake Rescuers Ask Locals To Unlock Their Wi-Fi (bbc.com) 139

Rescue teams searching for earthquake survivors in central Italy have asked locals to unlock their Wifi passwords. The Italian Red Cross says residents' home networks can assist with communications during the search for survivors, reports BBC. From the report: On Wednesday a 6.2 magnitude earthquake struck central Italy and killed more than 240 people. More than 4,300 rescuers are looking for survivors believed to still be trapped in the rubble. On Twitter, the Italian Red Cross posted a step-by-step guide which explains how local residents can switch off their Wifi network encryption. Similar requests have been made by the National Geological Association and Lazio Region. A security expert has warned that removing encryption from a home Wifi network carries its own risks, but added that those concerns are trivial in the context of the rescue operation.
Windows

Windows 10 Computers Crash When Amazon Kindles Are Plugged In (theguardian.com) 256

It appears that many users are facing an issue with their Windows 10 computers when they plug in an Amazon Kindle device. According to reports, post Windows 10 Anniversary Update installation, everytime a user connect their Amazon Paperwhite or Voyage, their desktop and laptop lock up and require rebooting. The Guardian reports:Pooka, a user of troubleshooting forum Ten Forums said: "I've had a Kindle paperwhite for a few years no and never had an issue with connecting it via USB. However, after the recent Windows 10 updates, my computer BSOD's [blue screen of death] and force restarts almost as soon as I plug my Kindle in." On Microsoft's forums, Rick Hale said: "On Tuesday, I upgraded to the Anniversary Edition of Windows 10. Last night, for the first time since the upgrade, I mounted my Kindle by plugging it into a USB 2 port. I immediately got the blue screen with the QR code. I rebooted and tried several different times, even using a different USB cable, but that made no difference."
Government

Malware Sold To Governments Helped Them Spy on iPhones (washingtonpost.com) 31

One of the world's most evasive digital arms dealers is believed to have been taking advantage of three security vulnerabilities in popular Apple products in its efforts to spy on dissidents and journalists, reports The New York Times. (Editor's note: the link could be paywalled, here's an alternate source). From the report: Investigators discovered that a company called the NSO Group, an Israeli outfit that sells software that invisibly tracks a target's mobile phone, was responsible for the intrusions. The NSO Group's software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the phone user. In response, Apple on Thursday released a patched version of its mobile software, iOS 9.3.5. Users can get the patch through a normal software update.The Washington Post reports that these "zero-day" flaws were previously used by the governments to take over victims' phones by tricking them into clicking on a link to a text message. Motherboard says that this is the first time anyone has uncovered such an attack in the wild. "Until this month, no one had seen an attempted spyware infection leveraging three unknown bugs, or zero-days, in the iPhone. The tools and technology needed for such an attack, which is essentially a remote jailbreak of the iPhone, can be worth as much as one million dollars."
China

China To Crackdown On Unauthorised Radio Broadcasts (www.bgr.in) 44

An anonymous reader writes: Reportedly, in a national campaign aided by more than 30,000 airwave monitors, in over past six months, more than 500 sets of equipment for making unauthorised radio broadcasts were seized in China. The campaign, launched on February 15 by the State Council, resulted in 1,796 cases related to illegal radio stations, after 301,840 hours of monitoring from February to July, according to an online statement by the Ministry of Industry and Information Technology. The number of incidents was down by 50 per cent from April to August, the China Daily quoted the statement as saying. So-called pirate radios have appeared in most parts of China since 2015 and this "has been a channel for criminals to defraud and promote aphrodisiacs, along with counterfeit and poor-quality medicine," according to the Ministry of Public Security's Criminal Investigation Department. The operating cost of a pirate radio is low, but profit can be high. A pirate radio station that broadcasts advertisements for aphrodisiacs can pocket more than 70,000 yuan ($10,500) a month, with an overhead cost of no more than 10,000 yuan, investigators said in a post on Sina Weibo. It said most spare parts for broadcasting equipment can be bought on the internet.
Security

Over 25 Million Accounts Stolen After Mail.ru Forums Hacked (zdnet.com) 25

An anonymous reader writes: Over 25 million accounts associated with forums hosted by Russian internet giant Mail.ru have been stolen by hackers. Two hackers carried out attacks on three separate game-related forums in July and August. One forum alone accounted for almost half of the breached data -- a little under 13 million records; the other two forums making up over 12 million records. The databases were stolen in early August, according to breach notification site LeakedSource.com, which obtained a copy of the databases. The hackers' names aren't known, but used known SQL injection vulnerabilities found in older vBulletin forum software to get access to the databases. An analysis of the breached data showed that hackers took 12.8 million accounts from cfire.mail.ru; a total of 8.9 million records from parapa.mail.ru, and 3.2 million accounts from tanks.mail.ru. The hackers were able to obtain usernames, email addresses, scrambled passwords, and birthdays.
HP

NASA's Outsourced Computer People Are Even Worse Than You Might Expect (arstechnica.com) 251

Eric berger, writing for ArsTechnica: As part of a plan to help NASA "modernize" its desktop and laptop computers, the space agency signed a $2.5 billion services contract with HP Enterprise Services in 2011. According to HP (now HPE), part of the Agency Consolidated End-User Service (ACES) program the computing company would "modernize NASA's entire end-user infrastructure by delivering a full range of personal computing services and devices to more than 60,000 users." HPE also said the program would "allow (NASA) employees to more easily collaborate in a secure computing environment." The services contract, alas, hasn't gone quite as well as one might have hoped. This week Federal News Radio reported that HPE is doing such a poor job that NASA's chief information officer, Renee Wynn, could no longer accept the security risks associated with the contract. Wynn, therefore, did not sign off on the authority to operate (ATO) for systems and tools.A spokesperson for NASA said: "NASA continues to work with HPE to remediate vulnerabilities. As required by NASA policy, system owners must accomplish this remediation within a specified period of time. For those vulnerabilities that cannot be fully remediated within the established time frame, a Plan of Actions and Milestones (POAM) must be developed, approved, and tracked to closure."
Android

Opera Brings Its Free VPN Service To Android (techcrunch.com) 26

Frederic Lardinois, writing for TechCrunch: Earlier this year, Opera launched its free and unlimited VPN service for iOS; today it is bringing the same functionality to Android. Like the iOS version, the Android app is based on Opera's acquisition of SurfEasy in 2015 and allows you to surf safely when you are on a public network. While Opera's marketing mostly focuses on safety, Opera VPN also allows you to appear as if you are in the U.S., Canada, Germany, Singapore and The Netherlands, so it's also a way to route around certain geo-restrictions without having to opt for a paid service. In addition to its VPN features, the service also allows you to block ad trackers. Somewhat ironically, though, the app itself will show you some pretty unintrusive ads. "The Opera VPN app for Android sets itself apart from other VPNs by offering a completely free service; without a data limit, no log-in required, advanced Wi-Fi protection features and no need for a subscription," says Chris Houston, the president of Opera's SurfEasy VPN division, in today's announcement.
Crime

FBI Authorized Informants To Break The Law 22,800 Times In 4 Years (dailydot.com) 106

blottsie quotes a report from the Daily Dot: Over a four-year period, the FBI authorized informants to break the law more than 22,800 times, according to newly reviewed documents. Official records obtained by the Daily Dot under the Freedom of Information Act show the Federal Bureau of Investigation gave informants permission at least 5,649 times in 2013 to engage in activity that would otherwise be considered a crime. In 2014, authorization was given 5,577 times, the records show. USA Today previously revealed confidential informants engaged in "otherwise illegal activity," as the bureau calls it, 5,658 times in 2011. The figure was at 5,939 the year before, according to documents acquired by the Huffington Post. In total, records obtained by reporters confirm the FBI authorized at least 22,823 crimes between 2011 and 2014. Unfortunately, many of those crimes can have serious and unintended consequences. One of the examples mentioned in the Daily Dot's report was of an FBI informant who "was responsible for facilitating the 2011 breach of Stratfor in one of the most high-profile cyberattacks of the last decade. While a handful of informants ultimately brought down the principal hacker responsible, the sting also caused Stratfor, an American intelligence firm, millions of dollars in damages and left and estimated 700,000 credit card holders vulnerable to fraud."
Canada

Ashley Madison Security Protocols Violated Canada, Austrialia Privacy Laws (www.cbc.ca) 29

The Office of the Privacy Commissioner of Canada said Tuesday that the Canada-based online dating and social networking service Ashely Madison used inadequate privacy and security technology while marketing itself as a discreet and secure way for consenting adults to have affairs. CBC.ca reports: "In a report Tuesday, the privacy watchdog says the Toronto-based company violated numerous privacy laws in Canada and abroad in the era before a massive data breach exposed confidential information from their clients to hackers. The hack stole correspondence, identifying details and even credit card information from millions of the site's users. The resulting scandal cost the company about a quarter of its annual revenues from irate customers who demanded refunds and cancelled their accounts. Working with a similar agency in Australia, the privacy group says the company knew that its security protocols were lacking but didn't do enough to guard against being hacked. The company even adorned its website with the logo of a 'trusted security award' -- a claim the company admits it fabricated." The report found that "poor habits such as inadequate authentication processes and sub-par key and password management practices were rampant at the company" and that "much of the company's efforts to monitor its own security were 'focused on detecting system performance issues and unusual employee requests for decryption of sensitive user data.'" What's more is that Ashley Madison continued to store personal information of its users even after some of which had deleted or deactivated their account(s). These people then had their information included in databases published online after the hack.
Privacy

WikiLeaks Published Rape Victims' Names, Credit Cards, Medical Data (arstechnica.com) 301

Joe Mullin, writing for ArsTechnica: Even as WikiLeaks founder Julian Assange sits trapped in the Ecuadorean embassy, the WikiLeaks website continues to publish the secrets of various governments worldwide. But that's not all it's publishing. A report today by the Associated Press highlights citizens who had "sensitive family, financial or identity records" published by the site. "They published everything: my phone, address, name, details," said one Saudi man whose paternity dispute was revealed in documents published by the site. "If the family of my wife saw this... Publishing personal stuff like that could destroy people." One document dump, from Saudi diplomatic cables, held at least 124 medical files. The files named sick children, refugees, and patients with psychiatric conditions. In one case, the cables included the name of a Saudi who was arrested for being gay. In Saudi Arabia, homosexuality is punishable by death. In two other cases, WikiLeaks published the names of teenage rape victims. "This has nothing to do with politics or corruption," said Dr. Nayef al-Fayez, who had a patient with brain cancer whose personal details were published.
Android

Hey Google, Want To Fix Android Updates? Hit OEMs Where It Hurts (arstechnica.com) 188

Yesterday we talked about some of Nexus devices, including 2013's Nexus 5 not receiving an update, because it has been more than two years since the launch of the phone. But as you may know, this commitment to keeping the devices up to date is even worse when you look at what other Android OEMs are doing. ArsTechnica's Ron Amadeo has a solution: Google keeps missing the point when it comes to addressing Android's update situation. It keeps coming up with strategies to make updating "easier" for OEMs, but I don't think the problem is "ease of updating" -- it's creating any incentive for OEMs to update at all. Google seems to think that its partners will update phones because it's The Right Thing To Do by their customers and that handing out gold stars will send them scrambling to produce updates for their devices. I don't think that's ever going to happen. Google actually already tried the "shame" tactic and it didn't work. When Google-owned Motorola, Moto's update speed went through the roof. Motorola was achieving near-Nexus-like update speeds on many of its phones and was definitely putting other manufacturers to shame. But the increased update competition never really spurred other OEMs to start competing on update speeds. The bottom line is that Android partners only care about, well, the bottom line -- money. These companies already have your money, so updating a device that's already been sold is a needless expense. There's also a good argument to be made that updating a device hurts future sales. If your phone isn't updated, it will start to feel old, so you're more likely to buy a new phone sooner.
Security

Epic Games Forums Hacked, Again (betanews.com) 38

An anonymous reader writes: Epic Games, maker of popular games such as Unreal and Infinity Blade, announced today that its forums have been hacked. Now, if you don't reuse password that isn't a huge deal. But if you have used the same password on any service, perhaps even a variation of that password, you will want to ensure that you have changed password of all your accounts. In the meanwhile, here's Epic Games: "We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext. While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset", says Epic Games.ZDNet is reporting that thousands of passwords have been stolen.
Security

BHU's 'Tiger Will Power' Wi-Fi Router May Be The Most Insecure Router Ever Made (softpedia.com) 62

An anonymous reader writes from a report via Softpedia: A Wi-Fi router manufactured and sold only in China can easily run for the title of "most insecure router ever made." The BHU router, whose name translates to "Tiger Will Power," has a long list of security problems that include: four authentication bypass flaws (one of which is just hilarious); a built-in backdoor root account that gets created on every boot-up sequence; the fact that it opens the SSH port for external connections after every boot (somebody has to use that root backdoor account right?); a built-in proxy server that re-routes all traffic; an ad injection system that adds adverts to all the sites you visit; and a backup JS file embedded in the router firmware if the ad script fails to load from its server. For techies, there's a long technical write-up, which gets funnier and scarier at the same time as you read through it. "An attacker authenticating on the router can use a hardcoded session ID (SID) value of 700000000000000 to gain admin privileges," reports Softpedia. "If he misspells the SID and drops a zero, that's no problem. The BHU router will accept any value and still grant the user admin rights."

Slashdot Top Deals