Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Google

Google Preparing 'Invisible ReCAPTCHA' System For No User Interaction (bleepingcomputer.com) 28

An anonymous reader quotes a report from BleepingComputer: Google engineers are working on an improved version of the reCAPTCHA system that uses a computer algorithm to distinguish between automated bots and real humans, and requires no user interaction at all. Called "Invisible reCAPTCHA," and spotted by Windows IT Pro, the service is still under development, but the service is open for sign-ups, and any webmaster can help Google test its upcoming technology. Invisible reCAPTCHA comes two years after Google has revolutionized CAPTCHA technologies by releasing the No CAPTCHA reCAPTCHA service that requires users to click on one checkbox instead of solving complex visual puzzles made up of words and numbers. The service helped reduce the time needed to fill in forms, and maintained the same high-level of spam detection we've become accustomed from the reCAPTCHA service. The introduction of the new Invisible reCAPTCHA technology is unlikely to make the situation better for Tor users since CloudFlare will likely force them to solve the same puzzle if they come from IPs seen in the past performing suspicious actions. Nevertheless, CloudFlare started working on an alternative.
Security

Dailymotion Hack Exposes Millions of Accounts (zdnet.com) 9

Millions of accounts associated with video sharing site Dailymotion, one of the biggest video platforms in the world, have been stolen. From a ZDNet report: A hacker extracted 85.2 million unique email addresses and usernames from the company's systems, but about one-in-five accounts -- roughly 18.3 million-- had associated passwords, which were scrambled with the bcrypt hashing function, making the passwords difficult to crack. The hack is believed to have been carried out on October 20 by a hacker, whose identity isn't known, according to LeakedSource, a breach notification service, which obtained the data. Dailymotion launched in 2005, and is currently the 113rd most visited website in the world, according to Alexa rankings.
Google

New Google Trusted Contacts Service Shares User Location In Real Time (onthewire.io) 84

Reader Trailrunner7 writes: Google has spent a lot of time and money on security over the last few years, developing new technologies and systems to protect users' devices. One of the newer technologies the company has come up with is designed to provide security for users themselves rather than their laptops or phones.

On Monday Google launched a new app for Android called Trusted Contacts that allows users to share their locations and some limited other information with a set of close friends and family members. The system is a two-way road, so a user can actively share her location with her Trusted Contacts, and stop sharing it at her discretion. But, when a problem or potential emergency comes up, one of those contacts can request to get that user's location to see where she is at any moment. The app is designed to give users a way to reassure contacts that they're safe, or request help if there's something wrong.

Opera

Opera Developer Comes With Address Bar Speculative Prerenderer Feature (opera.com) 55

Earlier this month, Opera announced a new interesting feature with Opera 43 developer that predicts the website you're about to go to. The company explains: There are two ways we can predict what page the user will soon load. When the current page tells us so, and when we can determine from the users actions that they are about to load something. Pages can use the tag, and for instance Google uses that for search results if they are pretty sure of what you will load next. When someone writes in the address bar they are humanly slow. Sometimes it is obvious what they will write after just 1-2 characters but they will just keep writing or arrowing through suggestions for millions or billions of wasted clock cycles. We expect this feature to results in an average of 1 second faster loads from the address bar. The company insists that this feature saves time and energy without compromising the security. What's your thought?
Microsoft

Does Windows 10's Data Collection Trade Privacy For Microsoft's Security? (pcworld.com) 158

jader3rd shares an article from PC World arguing that Windows 10's data collection "trades your privacy for Microsoft's security." [Anonymized] usage data lets Microsoft beef up threat protection, says Rob Lefferts, Microsoft's director of program management for Windows Enterprise and Security. The information collected is used to improve various components in Windows Defender... For example, Windows Defender Application Guard for Microsoft Edge will put the Edge browser into a lightweight virtual machine to make it harder to break out of the browser and attack the operating system. With telemetry, Microsoft can see when infections get past Application Guard defenses and improve the security controls to reduce recurrences.

Microsoft also pulls signals from other areas of the Windows ecosystem, such as Active Directory, with information from the Windows 10 device to look for patterns that can indicate a problem like ransomware infections and other attacks. To detect those patterns, Microsoft needs access to technical data, such as what processes are consuming system resources, hardware diagnostics, and file-level information like which applications had which files open, Lefferts says. Taken together, the hardware information, application details, and device driver data can be used to identify parts of the operating system are exposed and should be isolated into virtual containers.

The article points out that unlike home users, enterprise users of Windows 10 can select a lower level of data-sharing, but argues that enterprises "need to think twice before turning off Windows telemetry to increase corporate privacy" because Windows Update won't work without information about whether previous updates succeeded or failed.
Cloud

Canonical Sues Cloud Provider Over 'Unofficial' Ubuntu Images (ostatic.com) 46

An anonymous reader quotes OStatic's update on Canonical's lawsuit against a cloud provider: Canonical posted Thursday that they've been in a dispute with "a European cloud provider" over the use of their own homespun version of Ubuntu on their cloud servers. Their implementation disables even the most basic of security features and Canonical is worried something bad could happen and it'd reflect badly back on them... They said they've spent months trying to get the unnamed provider to use the standard Ubuntu as delivered to other commercial operations to no avail. Canonical feels they have no choice but to "take legal steps to remove these images." They're sure Red Hat and Microsoft wouldn't be treated like this.
Mark Shuttleworth, the founder of Ubuntu, wrote in his blog post that Ubuntu is "the leading cloud OS, running most workloads in public clouds today," whereas these homegrown images "are likely to behave unpredictably on update in weirdly creative and mysterious ways... We hear about these issues all the time, because users assume there is a problem with Ubuntu on that cloud; users expect that 'all things that claim to be Ubuntu are genuine', and they have a right to expect that...

"To count some of the ways we have seen home-grown images create operational and security nightmares for users: clouds have baked private keys into their public images, so that any user could SSH into any machine; clouds have made changes that then blocked security updates for over a week... When things like this happen, users are left feeling let down. As the company behind Ubuntu, it falls to Canonical to take action."
Security

70 Laptops Got Left Behind At An Airport Security Checkpoint In One Month (bravotv.com) 161

America's Transportation Security Administration has been making some surprising announcements on social media. An anonymous reader writes: A TSA spokesperson says 70 laptops were left behind in just one month at an airport security checkpoint in Newark. "And yes, there are plenty of shiny MacBooks in that pile," reported BravoTV, "which can cost in the $2,000 range new." The TSA shared an image of the 70 laptops on their Instagram page and on Twitter, prompting at least one mobile project designer to reclaim his laptop. "The most common way laptops are forgotten is when traveler's stack a bin on top of the bin their laptop is in," the TSA warns. "Out of sight out of mind."
The TSA is also sharing pictures on social media of the 70 guns they confiscated at security checkpoints in one week in November, reporting they've also confiscated a blowtorch, batarangs, and a replica of that baseball bat from "The Walking Dead". They're reporting they found 33 loaded firearms in carry-on luggage in one week, and remind readers that gun-carrying passengers "can face a penalty as high as $11,000. This is a friendly reminder to please leave these items at home."
United States

Sysadmin Gets Two Years In Prison For Sabotaging ISP (bleepingcomputer.com) 127

After being let go over a series of "personal issues" with his employer, things got worse for 26-year-old network administrator Dariusz J. Prugar, who will now have to spend two years in prison for hacking the ISP where he'd worked. An anonymous reader writes: Prugar had used his old credentials to log into the ISP's network and "take back" some of the scripts and software he wrote... "Seeking to hide his tracks, Prugar used an automated script that deleted various logs," reports Bleeping Computer. "As a side effect of removing some of these files, the ISP's systems crashed, affecting over 500 businesses and over 5,000 residential customers."

When the former ISP couldn't fix the issue, they asked Prugar to help. "During negotiations, instead of requesting money as payment, Prugar insisted that he'd be paid using the rights to the software and scripts he wrote while at the company, software which was now malfunctioning, a week after he left." This tipped off the company, who detected foul play, contacted the FBI and rebuilt its entire network.

Six years later, Prugar was found guilty after a one-week jury trial, and was ordered by the judge to pay $26,000 in restitution to the ISP (which went out of business in October of 2015). Prugar's two-year prison sentence begins December 27.
United Kingdom

For The UK's 'Snoopers' Charter', Politicians Voted Themselves An Exemption (independent.co.uk) 132

The "Snoopers' Charter" passed in the U.K. greatly expands the government's surveillance power. But before they'd enact the new Investigatory Powers Act, Britain's elected officials first voted to make themselves exempt from it. Sort of. An anonymous reader writes: While their internet browsing history will still be swept up, just like everyone else's, no one will ever be able to access it without specific approval from the Prime Minister. And according to The Independent, "That rule applies not only to members of the Westminster parliament but also politicians in the devolved assembly and members of the European Parliament."
The article adds that the exemption was the very first amendment they approved for the legislation. And for a very long time, the only amendment.
Security

Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk) 107

schwit1 quotes The Independent: Criminals can work out the card number, expiration date, and security code for a Visa debit or credit card in as little as six seconds using guesswork, researchers have found... Fraudsters use a so-called Distributed Guessing Attack to get around security features put in place to stop online fraud, and this may have been the method used in the recent Tesco Bank hack...

According to a study published in the academic journal IEEE Security & Privacy, fraudsters could use computers to systematically fire different variations of security data at hundreds of websites simultaneously. Within seconds, by a process of elimination, the criminals could verify the correct card number, expiration date and the three-digit security number on the back of the card.

One of the researchers explained this attack combines two weaknesses into one powerful attack. "Firstly, current online payment systems do not detect multiple invalid payment requests from different websites... Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw puzzle."
Iphone

iOS's 'Activation Lock' For Stolen iPads And iPhones Can Be Easily Bypassed (computerworld.com) 54

An anonymous reader quotes ComputerWorld: Two researchers claim to have found a way to bypass the activation lock feature in iOS that's supposed to prevent anyone from using an iPhone or iPad marked as lost by its owner... One of the few things allowed from the activation lock screen is connecting the device to a Wi-Fi network, including manually configuring one. [Security researcher] Hemanth had the idea of trying to crash the service that enforces the lock screen by entering very long strings of characters in the WPA2-Enterprise username and password fields.

The researcher claims that, after awhile, the screen froze, and he used the iPad smart cover sold by Apple to put the tablet to sleep and then reopen it... "After 20-25 seconds the Add Wifi Connection screen crashed to the iPad home screen, thereby bypassing the so-called Find My iPhone Activation Lock," he said in a blog post.

There's also a five-minute video on YouTube which purports to show a newer version of the same attack.
United States

The US Government Funds A War On Online Fake News (bangordailynews.com) 353

An anonymous reader quotes the Washington Post: Congressional negotiators on Wednesday approved an initiative to track and combat foreign propaganda amid growing concerns that Russian efforts to spread "fake news" and disinformation threaten U.S. national security. The measure, part of the National Defense Authorization Act approved by a conference committee, calls on the State Department to lead government-wide efforts to identify propaganda and counter its effects. The authorization is for $160 million over two years...

The Senate Intelligence Committee, meanwhile, has approved language in the fiscal year 2017 intelligence authorization bill calling for new executive branch efforts to combat what it characterized as "active measures" by Russia to manipulate people and governments through front groups, covert broadcasting or "media manipulation." "There is definitely bipartisan concern about the Russian government engaging in covert influence activities of this nature," Sen. Ron Wyden, D-Ore., a member of the Senate Intelligence Committee, said in a statement. "If you read section 501 of this year's intelligence authorization bill, it directs the President to set up an interagency committee to 'counter active measures by Russia to exert covert influence over peoples and governments.'"

Several senators on the intelligence committee also asked President Obama to declassify any information relating to the Russian government and the U.S. election.
China

China's New 'Social Credit Score' Law Means Full Access To Customer Data (insurancejournal.com) 82

AnonymousCube shares this quote about China's new 'Social Credit Score' law from an insurance industry magazine: "Companies are also required to give government investigators complete access to their data if there is suspected wrong-doing, and Internet operators must cooperate in any national security or crime-related investigation."

Note that China has an extremely flexible definition of "national security". Additionally computer equipment will need to undergo mandatory certification, that could involve giving up source code, encryption keys, or even proprietary intellectual data, as Microsoft has been doing for some time.

The article suggests businesses like insurers "will likely see the cost of complying with this new action as a disincentive to conducting business in China."
Encryption

Encryption Backdoor Sneaks Into UK Law (theregister.co.uk) 133

Coisiche found a disturbing article from The Register about the U.K.'s new "Snoopers' Charter" law that has implications for tech companies around the world: Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the U.K. government to undermine encryption and demand surveillance backdoors... As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops -- such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications. Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored... At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will.
The bill added the Secretaries of State as a required signatory to the "technical capacity" notices, which "introduces a minor choke-point and a degree of accountability." But the article argues the law ultimately anticipates the breaking of encryption, and without customer notification. "The U.K. government can certainly insist that a company not based in the U.K. carry out its orders -- that situation is specifically included in the new law -- but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the U.K. market."
Security

The 'USB Killer' Has Been Mass Produced -- Available Online For About $50 (arstechnica.com) 235

New submitter npslider writes: The "USB Killer," a USB stick that fries almost everything that it is plugged into, has been mass produced -- available online for about $50. Ars Technica first wrote about this diabolical device that looks like a fairly humdrum memory stick a year ago. From the report: "The USB Killer is shockingly simple in its operation. As soon as you plug it in, a DC-to-DC converter starts drawing power from the host system and storing electricity in its bank of capacitors (the square-shaped components). When the capacitors reach a potential of -220V, the device dumps all of that electricity into the USB data lines, most likely frying whatever is on the other end. If the host doesn't just roll over and die, the USB stick does the charge-discharge process again and again until it sizzles. Since the USB Killer has gone on sale, it has been used to fry laptops (including an old ThinkPad and a brand new MacBook Pro), an Xbox One, the new Google Pixel phone, and some cars (infotainment units, rather than whole cars... for now). Notably, some devices fare better than others, and there's a range of possible outcomes -- the USB Killer doesn't just nuke everything completely." You can watch a video of EverythingApplePro using the USB Killer to fry a variety of electronic devices. It looks like the only real defense from the USB Killer is physically capping your ports.
Security

Hackers Steal $31 Million at Russia's Central Bank (cnn.com) 78

The Bank of Russia has confirmed Friday that hackers have stolen 2 billion rubles ($31 million) from correspondent accounts at the Russian central bank. Central bank security executive Artiom Sychev said it could've been much worse as hackers tried to steal 5 billion rubles, but the central banking authority managed to stop them. CNNMoney reports: Hackers also targeted the private banks and stole cash from their clients, the central bank reported. The central bank did not say when the heist occurred or how hackers moved the funds. But so far, the attack bears some similarity to a recent string of heists that has targeted the worldwide financial system. Researchers at the cybersecurity firm Symantec have concluded that the global banking system has been under sustained attack from a sophisticated group -- dubbed "Lazarus" -- that has been linked to North Korea. But it's unclear who has attacked Russian banks this time around. Earlier Friday, the Russian government claimed it had foiled an attempt to erode public confidence in its financial system. Russian's top law enforcement agency, the FSB, said hackers were planning to use a collection of computer servers in the Netherlands to attack Russian banks. Typically, hackers use this kind of infrastructure to launch a "denial of service" attack, which disrupts websites and business operations by flooding a target with data. The FSB said hackers also planned to spread fake news about Russian banks, sending mass text messages and publishing stories on social media questioning their financial stability and licenses to operate.
Earth

Climate Change Will Stir 'Unimaginable' Refugee Crisis, Says Military (theguardian.com) 325

Citing military experts, The Guardian is reporting that if the rise in global warming is held under 2 degrees Celsius, there still could be a major humanitarian crisis to sort out. From the report: Climate change is set to cause a refugee crisis of "unimaginable scale," according to senior military figures, who warn that global warming is the greatest security threat of the 21st century and that mass migration will become the "new normal." The generals said the impacts of climate change were already factors in the conflicts driving a current crisis of migration into Europe, having been linked to the Arab Spring, the war in Syria and the Boko Haram terrorist insurgency. Military leaders have long warned that global warming could multiply and accelerate security threats around the world by provoking conflicts and migration. They are now warning that immediate action is required. "Climate change is the greatest security threat of the 21st century," said Maj Gen Munir Muniruzzaman, chairman of the Global Military Advisory Council on climate change and a former military adviser to the president of Bangladesh. He said one metre of sea level rise will flood 20% of his nation. "Weâ(TM)re going to see refugee problems on an unimaginable scale, potentially above 30 million people."
Security

Russia Says Foreign Spies Plan Cyber Attack On Banking System (reuters.com) 88

Russia said on Friday it had uncovered a plot by foreign spy agencies to sow chaos in Russia's banking system via a coordinated wave of cyber attacks and fake social media reports about banks going bust. From a report on Reuters: Russia's domestic intelligence agency, the Federal Security Service (FSB), said that the servers to be used in the alleged cyber attack were located in the Netherlands and registered to a Ukrainian web hosting company called BlazingFast. The attack, which was to target major national and provincial banks in several Russian cities, was meant to start on Dec. 5, the FSB said in a statement. "It was planned that the cyber attack would be accompanied by a mass send-out of SMS messages and publications in social media of a provocative nature regarding a crisis in the Russian banking system, bankruptcies and license withdrawals," it said. "The FSB is carrying out the necessary measures to neutralize threats to Russia's economic and information security."
Operating Systems

Taking a Stand Against Unofficial Ubuntu Images (ubuntu.com) 103

Canonical isn't pleased with cloud providers who are publishing broken, insecure images of Ubuntu despite being notified several times. In a blogpost, Mark Shuttleworth, the founder of Ubuntu, and the Executive Chairman and VP, Product Strategy at Canonical, made the situation public for all to see. An excerpt from the blog post: We are currently in dispute with a European cloud provider which has breached its contract and is publishing insecure, broken images of Ubuntu despite many months of coaxing to do it properly. The home-grown images on the cloud, VPS and bare metal services of this provider disable fundamental security mechanisms and modify the system in ways that are unsupportable. They are likely to behave unpredictably on update in weirdly creative and mysterious ways (the internet is full of fun examples). We hear about these issues all the time, because users assume there is a problem with Ubuntu on that cloud; users expect that 'all things that claim to be Ubuntu are genuine', and they have a right to expect that. We have spent many months of back and forth in which we unsuccessfully tried to establish the same operational framework on this cloud that already exists on tens of clouds around the world. We have on multiple occasions been promised it will be rectified to no avail. We are now ready to take legal steps to remove these images. We will seek to avoid affecting existing running users, but we must act to prevent future users from being misled. We do not make this move lightly, but have come to the view that the value of Ubuntu to its users rests on these commitments to security, quality and updates.
United Kingdom

UK Homes Lose Internet Access After Cyber-Attack (theguardian.com) 33

More than 100,000 people in the UK have had their internet access cut after a string of service providers were hit by what is believed to be a coordinated cyber-attack, taking the number affected in Europe up to about a million. From a report on The Guardian, shared by reader JoshTops: TalkTalk, one of Britain's biggest service providers, the Post Office and the Hull-based KCom were all affected by the malware known as the Mirai worm, which is spread via compromised computers. The Post Office said 100,000 customers had experienced problems since the attack began on Sunday and KCom put its figure at about 10,000 customers since Saturday. Earlier this week, Germany's Deutsche Telekom said up to 900,000 of its customers had lost their internet connection as part of the same incident.

Slashdot Top Deals