Sneaky ultrasonic adware makes homes vulnerable to ultrasonic hacking

Earlier this year, companies like Silverpush were outed for sneaking ultrasonic communications channels into people's devices, so that advertisers could covertly link different devices to a single user in order to build deeper, more complete surveillance profiles of them.

Insecure internet-connected "honeypot" toaster hacked within an hour

Andrew McGill's internet-connected toaster isn't really a toaster: it's a "honeypot" designed to resemble the insecure "internet of things" gadgets—cameras, LED lightbulbs, fridges, etc.—that make up the vast botnets behind recent internet attacks. The honeypot was hacked within an hour.

I switched on the server at 1:12 p.m. Wednesday, fully expecting to wait days—or weeks—to see a hack attempt.

Wrong! The first one came at 1:53 p.m.

Lots of the hacking attempts use the password xc3511, the factory default of many old webcams. Amazing. I love the little bot's eye view of the toaster!

Free cybersecurity course from the University of Helsinki and F-Secure

It's free for anyone to take, and Finns can get credit at the Open University of University of Helsinki (yes, that's what it's called).

Every Android device potentially vulnerable to "most serious" Linux escalation attack, ever

The Dirty Cow vulnerability dates back to code included in the Linux kernel in 2007, and it can be trivially weaponized into an easy-to-run exploit that allows user-space programs to execute as root, meaning that attackers can take over the entire device by getting their targets to run apps without administrator privileges.

China electronics maker will recall some devices sold in U.S. after massive IoT hack

A China-based maker of surveillance cameras said Monday it will recall some products sold in the United States after an "Internet of Things" malware attack took down a major DNS provider in a massive DDoS attack. The stunningly broad attack brought much internet activity to a halt last Friday.

St. Jude heart implant devices can be hacked, security researchers say

Security experts hired by the short-selling firm Muddy Waters said in a legal brief filed today that cardiac implants made by St. Jude Medical can be hacked. If hackers can pwn your heart device, the researchers say, they can kill you--from as far away as 100 feet.

Audit reveals significant vulnerabilities in Truecrypt and its successors

Veracrypt was created to fill the vacuum left by the implosion of disk-encryption tool Truecrypt, which mysteriously vanished in 2014, along with a "suicide note" (possibly containing a hidden message) that many interpreted as a warning that an intelligence agency had inserted a backdoor into the code, or was attempting to force Truecrypt's anonymous creators to do so.

Half of all U.S. adults are in face-recognition databases, and Black people more likely to be targeted

One in two American adults is in a law enforcement face recognition network.

“The Perpetual Lineup” report out today from a Georgetown University thinktank makes a compelling case for greater oversight of police facial-recognition software that “makes the images of more than 117 million Americans — a disproportionate number of whom are black — searchable by law enforcement agencies across the nation,” as the New York Times account reads.

Donald Trump's mail-servers are running Windows 2003

Security researcher Kevin Beaumont had a look at the mail servers operated by the Trump organization and found a veritable dumpster fire: systems running Windows 2003 (!), unpatched, badly configured.

After being outed for massive hack and installing an NSA "rootkit," Yahoo cancels earnings call

What do you do if your ailing internet giant has been outed for losing, and then keeping silent about, 500 million user accounts, then letting American spy agencies install a rootkit on its mail service, possibly scuttling its impending, hail-mary acquisition by a risk-averse, old economy phone company? Just cancel your investor call and with it, any chance of awkward, on-the-record questions. (via /.)

Joi Ito interviews Barack Obama for Wired: machine learning, neurodiversity, basic research and Star Trek

Joi Ito (previously) -- director of MIT Media Lab, former Creative Commons chief, investor, entrepreneur, and happy mutant -- interviewed Barack Obama for a special, Obama-edited issue of Wired.

Information security needs its own National Institutes of Health

Superstar security researcher Dan Kaminsky (previously) wants to create a "National Institutes of Health for computer security" -- a publicly funded research institution that figures out how to prevent and cope with large-scale security issues in networked devices.

The clumsy, amateurish IoT botnet has now infected devices in virtually all of the world's countries

Mirai, the clumsily written Internet of Things virus that harnessed so many devices in an attack on journalist Brian Krebs that it overloaded Akamai, has now spread to devices in either 164 or 177 countries -- that is, pretty much everywhere with reliable electricity and internet access.

Imperva, a company that provides protection to websites against Distributed Denial of Service (DDoS) attacks, is among the ones who have been busy investigating Mirai. According to their tally, the botnet made of Mirai-infected devices has reached a total of 164 countries. A pseudonymous researcher that goes by the name MalwareTech has also been mapping Mirai, and according to his tally, the total is even higher, at 177 countries.

Internet of Things Malware Has Apparently Reached Almost All Countries on Earth [Lorenzo Franceschi-Bicchierai/Motherboard]

The Copyright Office wants your comments on whether it should be illegal to fix your own stuff

Under Section 1201 of the DMCA, a law passed in 1998, people who fix things can be sued (and even jailed!) for violating copyright law, if fixing stuff involves bypassing some kind of copyright lock; this has incentivized manufacturers so that fixing your stuff means breaking this law, allowing them to decide who gets to fix your stuff and how much you have to pay to have it fixed.

Yahoo didn't install an NSA email scanner, it was a "buggy" NSA "rootkit"

Ex-Yahoo employees have spoken anonymously to Motherboard about the news that Yahoo had built an "email scanner" for a US security agency, likely the FBI or the NSA. These sources -- at least one of whom worked on the security team -- say that in actuality, the NSA or FBI had secretly installed a "rootkit" on Yahoo's mail servers and that this was discovered by the Yahoo security team (who had not been apprised of it), who, believing the company had been hacked, sounded the alarm, only to have the company executives tell them that the US government had installed the tool.

FBI arrests "Shadow Brokers" leak suspect charged with theft of NSA cyberweapons

Sometime over the last few weeks, the FBI made a secret arrest of a Maryland man who worked as a Booz Allen Hamilton contractor for the National Security Agency.

Yahoo secretly scanned its users' email for U.S. intelligence services

Yahoo email accounts were scanned by the company on behalf of U.S. intelligence services from last year. This represents the first example of a U.S. service provider providing complete access to "all arriving messages," reports Reuters.

It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.

Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.

According to the two former employees, Yahoo Chief Executive Marissa Mayer's decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.

It might not seem terribly meaningful to users, given the revelation that 500m Yahoo accounts (surely all of its users, or close to it) were hacked anyway, but there's a difference between a one-off break-in and a standing invitation. Over four years of Mayer's leadership, Yahoo suffered a "stunning collapse in valuation" and was sold to Verizon for $4.83bn. Completion of the deal is reportedly threatened by the recent stories about Yahoo's security failings.
