Bitcoin

North Korea Is Blackmailing Top South Korean Online Retailer For $2.66 Million 18

An anonymous reader writes from a report via Softpedia: South Korea says that North Korea is behind a data breach that occurred last May, where hackers stole details about 10 million user accounts from Interpark.com, one of the country's biggest shopping portals. The hackers later tried to extort Interpark management by demanding 3 billion won ($2.66 million / 2.39 million euros), otherwise they were going to release the data on the internet. [The hackers wanted the money transferred to their accounts as Bitcoin.] Authorities say they tracked the source of the hack to an IP in North Korea, previously used in other attacks on South Korean infrastructure. "Besides the evidence related to the IP addresses and the techniques used in the attacks, investigators also said that the emails Interpark management received, written in the Korean language, contained words and vocabulary expressions that are only used in the North," reports Softpedia.
IT

The End of Gmane? (ingebrigtsen.no) 27

If any of you use the mailing list archive Gmane, you may want to start looking at alternatives. Gmane developer Lars Ingebrigtsen announced Thursday that he is thinking about ending the decade-old email-to-news gateway. But first, for those unaware of Gmane, here's what it does: it allows users to access electronic mailing lists as if they were Usenet newsgroups, and also through a variety of web interfaces. Gmane is an archive; it never expires messages (unless explicitly requested by users). Gmane also supports importing list postings made prior to a list's inclusion on the service. Ingebrigtsen said Gmane machines are under numerous DDoS attacks -- coupled with some other issues -- that have made him wonder whether it is worth the time and effort to keep Gmane ticking. He writes: I'm thinking about ending Gmane, at least as a web site. Perhaps continue running the SMTP-to-NNTP bridge? Perhaps not? I don't want to make 20-30K mailing lists start having bouncing addresses, but I could just funnel all incoming mail to /dev/null, I guess... The nice thing about a mailing list archive (with NNTP and HTTP interfaces) is that it enables software maintainers to say (whenever somebody suggests using Spiffy Collaboration Tool of the Month instead of yucky mailing lists) is "well, just read the stuff on Gmane, then". I feel like I'm letting down a generation here. As Gmane's future remains uncertain, Ingebrigtsen recommends that people have a look at Mail Archive.
Crime

Gary Johnson: I'd Consider Pardoning Snowden, Chelsea Manning (vocativ.com) 113

An anonymous reader writes from a report via Vocativ: [Vocativ reports:] "The U.S.'s most popular third-party presidential candidate says he would 'consider' pardoning the highest profile convicts of computer-related crimes in the country, including Chelsea Manning, Ross Ulbricht, and Jeremy Hammond. Libertarian candidate Gary Johnson, a former governor of New Mexico, also reiterated his possible willingness to pardon Edward Snowden, the former National Security Agency analyst who gave a cache of agency documents to journalists in 2013." "Having actually served as a governor and administered the power to grant pardons and clemency, Gary Johnson is very conscious and respectful of the need for processes for using that authority," Joe Hunter, Johnson's communications director, told Vocativ in a statement. "However, he has made it clear on numerous occasions that he would 'look seriously at' pardoning Edward Snowden, based on public information that Snowden's actions did not cause actual harm to any U.S. intelligence personnel. Likewise, he has said he would look favorably on pardoning Ross Ulbricht, consistent with his broader and long-standing commitment to pardon nonviolent drug offenders, whistleblowers, and others imprisoned under unjust and ill-advised laws," Hunter said. When Vocativ asked specifically about Chelsea Manning, Jeremy Hammond, Barrett Brown, and Matthew Keys, Hunter responded: "The same goes for the other individuals you have mentioned -- and hundreds, if not thousands, like them. Gov. Johnson finds it to be an outrage that the U.S. has the highest incarceration rate in the developed world, and announced in 2012 that, as President, he would promptly commence the process of pardoning nonviolent offenders who have done no real harm to others." The Green Party candidate Jill Stein has also shared her thoughts on pardoning Edward Snowden and Chelsea Manning. Not only would she pardon Snowden, but she said she would appoint him to her cabinet.
Democrats

WikiLeaks Releases Hacked Voicemails From DNC Officials 101

An anonymous reader writes: Late Wednesday afternoon, as the Democratic National Convention was in full swing, Julian Assange and WikiLeaks decided to follow through with an earlier statement by publishing hacked voicemails of top Democratic officials. There are 29 leaked recordings, which are identified by phone number and total about 14 minutes combined. Many of the voicemails are messages of callers leaving their numbers in hopes of being called back. Others are from voters upset that the DNC was giving too much support to Sanders. The Hill reports that "One caller with an Arizona area code called to blast the DNC for putting Sanders surrogate Cornel West on the platform drafting committee. 'I'm furious for what you are doing for Bernie Sanders,' another caller says in a message. 'He's getting way too much influence. What I see is the Democratic Party bending over backwards for Bernie,' adds the caller, who threatens to leave the party if the DNC doesn't stop 'coddling' the Vermont senator."
Privacy

Using VPN in UAE Could Cost You $545,000 98

An anonymous reader writes: The President of the United Arab Emirates has issued a series of new federal laws relating to IT crimes, including a regulation that forbids anyone in the UAE from making use of virtual private networks to secure their web traffic from prying eyes. The new law states that anyone who uses a VPN or proxy server can be imprisoned and fined between $136,000 and $545,000 if they are found to use VPNs fraudulently. Previously, the law was restricted to prosecuting people who used VPNs as part of an internet crime, but UK-based VPN and privacy advocate Private Internet Access says that the law has now changed to enable police in the UAE to go after anyone who uses VPNs to access blocked services, which is considered to be fraudulent use of an IP address.
Crime

Tor Project Confirms Sexual Misconduct By Developer Jacob Appelbaum (theverge.com) 372

An anonymous reader quotes a report from The Verge: The Tor Project, a nonprofit known for its online anonymity software, says it has verified claims that former employee Jacob Appelbaum engaged in "sexually aggressive behavior" with people inside and outside of its organization. "We have confirmed that the events did take place as reported," Shari Steele, Tor's executive director, tells The Verge. In a blog post today, Steele says that Tor began an investigation into Appelbaum's behavior after several people came forward with allegations of misconduct in late May. In a statement made in June, he said the allegations were "entirely false." He resigned from the Tor Project in May. "I want to thank all the people who broke the silence around Jacob's behavior," Steele writes. "It is because of you that this issue has now been addressed. I am grateful you spoke up, and I acknowledge and appreciate your courage." Steele says that Tor is now implementing a new anti-harassment policy, as well as a process for submitting complaints and having them reviewed. The changes will be put in place this week. Tor also announced last month that it would replace its entire board of directors.
Businesses

Tesla and Autopilot Supplier Mobileye Split Up After Fatal Crash (usatoday.com) 125

An anonymous reader quotes a report from USA Today: Tesla and Mobileye, one of the top suppliers to its Autopilot partial self-driving system, are parting ways in the wake of the May accident that killed an owner of one of its electric Model S sedans. Mobileye is considered a leader in developing the equipment that will be needed for fully self-driving cars. The Israeli tech company will continue to support and maintain current Tesla products, including upgrades that should help the Autopilot system with crash avoidance and to better allow the car to steer itself, said Chairman Amnon Shashua in releasing the company's second-quarter earnings Tuesday. Shashua said moving cars to higher levels of self-driving capability "is a paradigm shift both in terms of function complexity and the need to ensure an extremely high level of safety." He added there is "much at stake" in terms of Mobileye's reputation, and that it is best to end the relationship with Tesla by the end of the year. Tesla CEO Elon Musk, meeting with reporters at the company's new battery Gigafactory outside Reno, indicated that Tesla can go forward without Mobileye. "Us parting ways was somewhat inevitable. There's nothing unexpected here from our standpoint," Musk said. "We're committed to autonomy. They'll go their way, and we'll go ours."
Security

Rio Olympics Will Be First Sporting Event Watched By 'Eye In The Sky' Drone Cameras (fastcompany.com) 33

tedlistens quotes a report from Fast Company: When the Olympic Games begin next month in Rio de Janeiro, billions of people are expected to watch athletes from countries around the world compete. But also watching over the Olympic and Paralympic events will be a set of futuristic, balloon-mounted surveillance camera systems capable of monitoring a wide swath of the city in high resolution and in real time. Initially developed for use by U.S. forces in Iraq and Afghanistan by Fairfax, Virginia-based Logos Technologies, the technology is sold under the name Simera, and offers live aerial views of a large area, or what the company calls 'wide-area motion imagery,' captured from a balloon tethered some 200 meters above the ground. The system's 13 cameras make it possible for operators to record detailed, 120-megapixel imagery of the movement of vehicles and pedestrians below in an area up to 40 square kilometers, depending on how high the balloon is deployed, and for up to three days at a time. The Rio Olympics marks the "first time [Simera] will be deployed by a non-U.S. government at a large-scale event," according to the company. Simera is being compared to a live city-wide Google Maps combined with TiVo, as it can let law enforcement view ground-level activities in real time in addition to letting them rewind through saved images. Doug Rombough, Logos' vice president of business development, says the image clarity is not good enough to make out individual faces or license plate numbers, though it is clear enough to follow individual people and vehicles around the city. "However, a higher resolution video camera attached to the same balloon, which captures images at 60 times that of full HD resolution, or 15 times 4K, at three frames per second, will allow operators to get a closer look at anything or anyone that looks suspicious," reports Fast Company.
Iphone

New York DA Wants Apple, Google To Roll Back Encryption (tomsguide.com) 249

An anonymous reader writes: Manhattan District Attorney Cyrus Vance Jr. called on Apple and Google to weaken their device encryption, arguing that thousands of crimes remained unsolved because no one can crack into the perpetrators' phones. Vance, speaking at the International Conference on Cyber Security here, said that law enforcement officials did not need an encryption "backdoor," sidestepping a concern of computer-security experts and device makers alike. Instead, Vance said, he only wanted the encryption standards rolled back to the point where the companies themselves can decrypt devices, but police cannot. This situation existed until September 2014, when Apple pushed out iOS 8, which Apple itself cannot decrypt. "Tim Cook was absolutely right when he told his shareholders that the iPhone changed the world," Vance said. "It's changed my world. It's letting criminals conduct their business with the knowledge we can't listen to them."
Privacy

Trump Calls For Russia To Cyber-Invade the United States To Find Clinton's 'Missing' Emails (gawker.com) 966

Republican presidential nominee Donald Trump publicly called on the Russian hackers allegedly responsible for the recent leak of DNC emails to launch another cyber-attack on the United States, this time to hack emails from Hillary Clinton's tenure as Secretary of State, according to reporters who attended the press conference Wednesday. (Alternate sources: NYTimes, Quartz, and MotherJones) "Russia, if you're listening, I hope you're able to find the 30,000 emails that are missing," Trump said. "I think you will probably be rewarded mightily by our press."

Clinton came under investigation for her use of a personal email address while serving as secretary of state. After turning over to the FBI all correspondence about government business during her years in the State Department, Clinton revealed at a press conference last year that she had deleted about half of her emails that pertained to personal matters, like her daughter's wedding. Attorney General Loretta Lynch ultimately decided not to pursue criminal charges against Clinton. Update: Here's a video of Trump saying that.
Security

LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites (theregister.co.uk) 133

Reader mask.of.sanity writes: A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which can completely compromise user accounts when users visit malicious websites. The flaw is today being reported to LastPass by established Google Project Zero hacker Tavis Ormandy, who says he has found other "obvious critical problems". Interestingly, Mathias Karlsson, a security researcher, has also independently found flaws in LastPass. In a blog post, he wrote that he was able to trick LastPass into believing he was on the real Twitter website and cough up the user's credentials, because of a bug in the LastPass password manager's autofill functionality. LastPass has fixed the bug, but Karlsson advises users to disable autofill functionality and use multi-factor authentication. At this point, it's not clear whether Ormandy is also talking about the same vulnerability.
Star Wars Prequels

Harrison Ford Could Have Died In Star Wars Set Incident, Court Hears (theguardian.com) 150

An anonymous reader writes: While filming Star Wars: The Force Awakens, Harrison Ford almost died when he was crushed by a hydraulic door on the set of the Millennium Falcon. He was reportedly knocked to the ground and crushed beneath the heavy door when he walked on to the set not believing it to be live. The 71-year-old actor suffered a broken left leg. Prosecutor Andrew Marshall said the door "could have killed somebody. The fact that it didn't was because an emergency stop was activated," he said. The company responsible, Foodles Production, pleaded guilty to two breaches under health and safety legislation, one count under section two of the Health and Safety at Work Act 1974, which related to a breach of duty in relation to employees, and a second under section three, a breach over people not employed by the company. The lawyer for Foodles Production, which is owned by Disney, said the company would contest the level of risk involved on August 22nd at Aylesbury crown court.
HP

Popular Wireless Keyboards From HP, Toshiba and Others Don't Use Encryption, Can Be Easily Snooped On (threatpost.com) 83

Reader msm1267 writes: Wireless keyboards made by eight different companies suffer from a vulnerability that can allow attackers to eavesdrop on keystrokes from up to 250 feet away, researchers warned Tuesday. If exploited, the vulnerability, dubbed KeySniffer, could let an attacker glean passwords, credit card numbers, security questions and answers -- essentially anything typed on a keyboard, in clear text. Keyboards manufactured by Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec are affected, according to Marc Newlin, a researcher with Bastille Networks who discovered the vulnerability. Bastille gave the manufacturers of the keyboards 90 days to address the vulnerability, but most vendors failed to respond to their findings. Newlin said only Jasco Products, a company that manufactures the affected keyboard (GE 98614) for General Electric, responded and claimed it no longer manufactures wireless devices, like keyboards. As there doesn't appear to be a way to actually fix the vulnerability, it's likely the companies will eventually consider the devices end of life.
Android

Motorola Confirms That It Will Not Commit To Monthly Security Patches (arstechnica.com) 161

If you are planning to purchase the Moto Z or a Moto G4 smartphone, be prepared not to see security updates rolling out to your phone every month, or in a timely fashion. After Ars Technica called out Motorola's security policy as "unacceptable" and "insecure" in a recent review, the company tried to handle the PR disaster, but later folded. In a statement to the publication, the company said: Motorola understands that keeping phones up to date with Android security patches is important to our customers. We strive to push security patches as quickly as possible. However, because of the amount of testing and approvals that are necessary to deploy them, it's difficult to do this on a monthly basis for all our devices. It is often most efficient for us to bundle security updates in a scheduled Maintenance Release (MR) or OS upgrade. As we previously stated, Moto Z Droid Edition will receive Android Security Bulletins. Moto G4 will also receive them. Monthly security updates -- or the lack thereof -- remain one of the concerning issues plaguing the vast majority of Android devices. Unless it's a high-end smartphone, it is rare to see the smartphone OEM keep the device's software updated for more than a year. Even with a flagship phone, software updates -- and the corresponding security patches -- are typically guaranteed for only 18 to 24 months. Reports suggest that Google has been taking this issue seriously, and at some point it was considering publicly shaming partners that didn't roll out security updates to their devices fast enough.
Government

Obama Creates a Color-Coded Cyber Threat 'Schema' After the DNC Hack (vice.com) 131

The White House on Tuesday issued new instructions on how government agencies should respond to major cyber security attacks, in an attempt to combat perceptions that the Obama administration has been sluggish in addressing threats from sophisticated hacking adversaries, Reuters reports. The announcement comes amid reports that hackers working for Russia may have engineered the leak of emails stolen from the Democratic National Committee in an attempt to influence the outcome of the upcoming presidential election. Motherboard adds: George W. Bush's Homeland Security Advisory System -- the color-coded terrorism "threat level" indicator that became a symbol of post-9/11 fear mongering -- is getting its spiritual successor for hacking: the "Cyber Incident Severity Schema." President Obama announced a new policy directive Tuesday that will codify how the federal government will respond to hacking incidents against both the government and private American companies. [...] The Cyber Incident Severity Schema ranges from white (an "unsubstantiated or inconsequential event") to black (a hack that "poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons"), with green, yellow, orange, and red falling in between. Any hack or threat of a hack rated at orange or above is a "significant cyber incident" that will trigger what the Obama administration is calling a "coordinated" response from government agencies. As you might expect, there are many unanswered questions here, and the federal government has announced so many cyber programs in the last few years that it's hard to know which, if any of them, will actually make the US government or its companies any safer from hackers.
Security

'DNC Hacker' Unmasked: He Really Works for Russia, Researchers Say (thedailybeast.com) 689

The hacker who claimed to have compromised the DNC swore he was Romanian, but a new investigation shows he worked directly for Russian President Vladimir Putin's government in Moscow. The Daily Beast reports: The hacker who claims to have stolen emails from the Democratic National Committee and provided them to WikiLeaks is actually an agent of the Russian government and part of an orchestrated attempt to influence U.S. media coverage surrounding the presidential election, a security research group concluded on Tuesday. The researchers, at Arlington, Va.-based ThreatConnect, traced the self-described Romanian hacker Guccifer 2.0 back to an Internet server in Russia and to a digital address that has been linked in the past to Russian online scams. Far from being a single, sophisticated hacker, Guccifer 2.0 is more likely a collection of people from the propaganda arm of the Russian government meant to deflect attention away from Moscow as the force behind the DNC hacks and leaks of emails, the researchers found. ThreatConnect is the first known group of experts to link the self-proclaimed hacker to a Russian operation, amidst an ongoing FBI investigation and a presidential campaign rocked by the release of DNC emails that have embarrassed senior party leaders and inflamed intraparty tensions during the Democratic National Convention. The emails revealed that party insiders plotted ways to undermine Sen. Bernie Sanders' presidential bid. The researchers at the security firm base their conclusion on three signals: the hacker used Russian computers to edit PDF files, he used a Russian VPN and other internet infrastructure from the country, and he was unable to speak Romanian.
Security

Notorious Group OurMine Hacks TechCrunch (betanews.com) 12

Prominent technology blog TechCrunch -- which is often cited on Slashdot -- has become the latest victim of the OurMine hacking group. The notorious group gained access to Seattle-based writer Devin Coldewey's account, and posted the following message earlier today: "Hello Guys, don't worry we are just testing techcrunch security, we didn't change any passwords, please contact us." The post was then promoted as a ticker, the top banner in red and as the main story on TechCrunch's front page. BetaNews adds: The OurMine website says that the group offers "top notch vulnerability assessment", so it's possible that the hack was little more than a PR stunt touting for business. It did not take TechCrunch long to notice and remove the story (and presumably change a series of passwords...) but the site is yet to issue a statement about what has happened.
Security

Pop Star Tells Fans To Send Their Twitter Passwords, But It Might Be Illegal (arstechnica.com) 114

Cyrus Farivar, reporting for Ars Technica: As a new way to connect with his fans, Jack Johnson -- one half of the pop-rap duo Jack & Jack, not to be confused with the laid back Hawaiian singer-songwriter of the same name -- has spent the last month soliciting social media passwords. Using the hashtag #HackedByJohnson, the performer has tweeted at his fans to send him their passwords. (Why he didn't go for the shorter and catchier #JackHack, we'll never know.) Then, Johnson posts under his fans' Twitter accounts, leaving a short personalized message, as them. While Johnson and his fans likely find this password sharing silly and innocuous, legal experts say that Jack Johnson, 20, may be opening himself up to civil or criminal liability under the Computer Fraud and Abuse Act, a notorious anti-hacking statute that dates back to the 1980s. "While the entertainer in question likely considers this password collection to be a harmless personalized promotional activity, there may indeed be legal implication of both the fans' and the entertainer's conduct," Andrea Matwyshyn, a law professor at Northeastern University, told Ars.
Communications

NIST Prepares To Ban SMS-Based Two-Factor Authentication (softpedia.com) 147

An anonymous reader writes: "The U.S. National Institute for Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban of SMS-based Two-Factor Authentication (2FA)," reports Softpedia. The NIST DAG draft argues that SMS-based two-factor authentication is an insecure process because the phone number may not always be in the possession of the user, and because in the case of VoIP connections, SMS messages may be intercepted and not delivered to the phone. The guideline recommends the use of tokens and software cryptographic authenticators instead. Even biometric authentication is considered safe, under one condition: "Biometrics SHALL be used with another authentication factor (something you know or something you have)," the guideline's draft reads. The NIST DAG draft reads in part: "If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance."
Security

Vine's Source Code Was Accidentally Made Public For Five Minutes (theregister.co.uk) 42

An anonymous reader writes from The Register: Vine, the six-second-video-loop app acquired by Twitter in 2012, had its source code left publicly accessible for everyone to see, as a bug-bounty hunter discovered. The Register reports: "According to this post by @avicoder (Vjex at GitHub), Vine's source code was for a while available on what was supposed to be a private Docker registry. While docker.vineapp.com, hosted at Amazon, wasn't meant to be available, @avicoder found he was able to download images with a simple pull request. After that it's all too easy: the docker pull https://docker.vineapp.com:443/library/vinewww request loaded the code, and he could then open the Docker image and run it. 'I was able to see the entire source code of Vine, its API keys and third party keys and secrets. Even running the image without any parameter, [it] was letting me host a replica of Vine locally.' The code included 'API keys, third party keys and secrets,' he writes. Twitter's bounty program paid out -- $10,080 -- and the problem was fixed in March (within five minutes of him demonstrating the issue)."
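The Vine image leaked not only source but the API keys and secrets baked into it, which is the part a defender can catch before an image is ever pushed. The following is an added example, not code from Vine, Twitter, The Register or @avicoder: it scans the JSON config of a built Docker image (the `config.Env`, `config.Labels` and `history[].created_by` fields that `docker inspect` exposes) for credentials embedded at build time. The image config, variable names and values are constructed for the example.

```python
"""Flag credentials baked into a Docker image's config (ENV, labels, build history).

Added illustration for the Vine registry leak; not Vine's or Twitter's code.
The image config below is constructed; every key and value is invented.
"""
import json
import math
import re
from collections import Counter

# Key names that commonly carry credentials. Assumption: a starting point,
# not a complete catalogue of secret-bearing variable names.
SECRET_KEY_RE = re.compile(
    r"(secret|token|passw(or)?d|api[_-]?key|private[_-]?key|credential)",
    re.IGNORECASE,
)
MIN_SECRET_LEN = 24   # shorter values are judged by key name only
ENTROPY_BITS = 4.0    # bits/char above which a long value looks random


def shannon_entropy(s: str) -> float:
    """Bits per character; long random-looking strings score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(key: str, value: str) -> bool:
    """Flag by key name, or by a long high-entropy value under any name."""
    if SECRET_KEY_RE.search(key):
        return True
    return len(value) >= MIN_SECRET_LEN and shannon_entropy(value) > ENTROPY_BITS


def find_env_secrets(image_config: dict) -> list:
    """Return (location, key) pairs that look like embedded credentials.

    Docker/OCI image config stores ENV as "KEY=VALUE" strings under
    config.Env, labels under config.Labels, and each build step's command
    under history[].created_by.
    """
    findings = []
    cfg = image_config.get("config", {})
    for item in cfg.get("Env", []):
        key, _, value = item.partition("=")
        if looks_like_secret(key, value):
            findings.append(("config.Env", key))
    for key, value in cfg.get("Labels", {}).items():
        if looks_like_secret(key, value):
            findings.append(("config.Labels", key))
    # Build-time ARG/ENV values survive in the layer history even when the
    # final ENV has been unset, so the history must be scanned as well.
    for step in image_config.get("history", []):
        for m in re.finditer(r"(\w+)=(\S+)", step.get("created_by", "")):
            if looks_like_secret(m.group(1), m.group(2)):
                findings.append(("history.created_by", m.group(1)))
    return findings


# Constructed sample of an image config whose build baked credentials into ENV.
SAMPLE_CONFIG = json.loads("""{
  "config": {
    "Env": [
      "PATH=/usr/bin:/bin",
      "RAILS_ENV=production",
      "AWS_SECRET_ACCESS_KEY=EXAMPLE0000000000000000000000000000000000",
      "THIRDPARTY_API_KEY=not-a-real-key",
      "SESSION_SIGNING=dk29Fj38sLq02mZpQ7xv1Ht5Kb93WnYe"
    ],
    "Labels": {"maintainer": "team@example.invalid"}
  },
  "history": [
    {"created_by": "/bin/sh -c #(nop) ARG DB_PASSWORD=hunter2"},
    {"created_by": "/bin/sh -c bundle install"}
  ]
}""")

if __name__ == "__main__":
    for location, key in find_env_secrets(SAMPLE_CONFIG):
        print(f"{location}: {key}")
```

Run it against the output of `docker inspect <image>` (the first element of that JSON array) to check your own images before pushing; the history scan is what catches a build ARG that was "unset" but still lives in a layer.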
