Justice Dept. to charge 2 Russian spies and 2 criminal hackers with 2014 Yahoo breach of 500 million accounts

Before today's anticipated announcement by the Justice Department, more details are already leaking out about who they're after: “two Russian spies, and two criminal hackers.”

CBP conducted more device searches at the border in Feb than in all of 2015

There's been precious little litigation about the Customs and Border Protection Agency's far-reaching policy of invasively searching devices at the US border, so it's a legal grey zone (but you do have some rights).

Listen: how to secure software by caring about humans, not security

Scout Brody is executive director of Simply Secure, a nonprofit that works to make security and privacy technologies usable by technologically unsophisticated people by focusing on usability and human factors.

Washington Post and Jigsaw launch a collaborative pop-up dictionary of security jargon

Information security's biggest obstacle isn't the mere insecurity of so many of our tools and services: it's the widespread lack of general knowledge about fundamental security concepts, which allows scammers to trick people into turning off or ignoring security red flags.

How the "tech support" scam works

Security researchers at Stony Brook deliberately visited websites that try to trick visitors into thinking that their computers are broken, urging them to call a toll-free "tech support" number run by con artists that infect the victim's computer with malware, lie to them about their computer's security, and con them out of an average of $291 for "cleanup services."

Smart meters can overbill by 582%

A team from the University of Twente and the Amsterdam University of Applied Sciences have published a paper demonstrating gross overbillings by smart energy meters, ranging from -32% to +582% of actual power consumption.

Wikileaks offers tech giants access to sourcecode for CIA Vault 7 exploits

Wikileaks' seismic Vault 7 release didn't follow the usual Wikileaks procedure: perhaps in response to earlier criticism, the organization redacted many of the files prior to their release, cutting names of CIA operatives and the sourcecode for the cyber-weapons the CIA had developed, which exploit widely used mobile devices, embedded systems, and operating systems.

Advanced de-faking: using public sources to trace the true age of a suspected propaganda video

Henk van Ess teaches workshops in online investigative techniques; he worked with colleagues and a team of students from Axel Springer Academie to analyze a viral news video that purported to show a discarded missile launcher that had been discovered near Cairo's international airport in 2011, but only published last month.

Testing products for data privacy and security

It’s an exciting and treacherous time to be a consumer. The benefits of new digital products and services are well documented, but the new risks they introduce are not. Basic security precautions are ignored to hasten time to market. Biased algorithms govern access to fair pricing. And four of the five most valuable companies in the world earn their revenue through products that mine vast quantities of consumer data, creating an unprecedented concentration of corporate power. A recent survey at Consumer Reports showed that 65% of Americans lack confidence their data is private or secure, with most consumers feeling powerless to do anything about it.

Mike Pence used his AOL account for Indiana government business, and got hacked

Indiana laws permit public officials to use personal email accounts for government business, so it does not appear that vice-president Mike Pence violated any laws when he opted to use his personal AOL account to communicate sensitive governmental information; however, he certainly thwarted the state's open records laws, and also exposed that information to hackers who made off with it.

London cops use an insecure mail-server that lets third parties intercept mail in transit

Best practice for mail-servers is to turn on TLS by default, which means that when that mail server talks to other mail servers, it encrypts the connection to thwart eavesdroppers. Though the practice (sometimes called "opportunistic encryption") started out as something only paranoid organizations partook of, it's now so widespread that Google warns you if you attempt to use Gmail to send a message to someone whose server won't accept encrypted connections.

USG: an open source anti-BadUSB hardware firewall for your USB port

BadUSB is bad news: malware that targets the firmware in your USB port's embedded system, bypassing the OS, antivirus software and other countermeasures.

And now, a 5-minute ad for a service that lets you start your own ransomware "business"

Philadelphia is a crimeware-as-a-service business that sells a highly customizable ransomware package for budding entrepreneurs who want to dabble in crime.

British police arrest suspect in last November's me-too Mirai botnet floods

Last October, floods of traffic from Internet of Things devices infected by the Mirai worm brought down several high profile internet services, from Level 3 to Dyn to Twitter and Reddit.

Federal magistrate judge in Illinois rules that being forced to unlock your phone with a fingerprint could violate your rights

M. David Weisman, a magistrate judge in Illinois's Eastern Division, denied a federal warrant application that would have allowed law enforcement officers to force suspects to unlock their mobile devices with a fingerprint, ruling that the suspects' Fourth Amendment (undue search and seizure) and Fifth Amendment (self-incrimination) rights protected them from being forced to unlock their devices.

What it's like to be spied on by Android stalkerware marketed to suspicious spouses

For $170, Motherboard's Joseph Cox bought SpyPhone Android Rec Pro, an Android app that you have to sideload on your target's phone (the software's manufacturer sells passcode-defeating apps that help you do this); once it's loaded, you activate it with an SMS and then you can covertly operate the phone's mic, steal its photos, and track its location.

U.S. Homeland Security staff were unable to access DHS computer network because the security certificates expired

Some employees with the U.S. Department of Homeland Security who work in the Washington, D.C. area and in Philadelphia, PA were unable to access the DHS computer network on Tuesday, reports Reuters, citing “three sources familiar with the matter.”
