Government

Body Camera Study Shows No Effect On Police Use of Force Or Citizen Complaints (npr.org) 87

An anonymous reader quotes a report from NPR: Having police officers wear little cameras seems to have no discernible impact on citizen complaints or officers' use of force, at least in the nation's capital. That's the conclusion of a study performed as Washington, D.C., rolled out its huge camera program. The city has one of the largest forces in the country, with some 2,600 officers now wearing cameras on their collars or shirts. In the wake of high-profile shootings, many police departments have been rapidly adopting body-worn cameras, despite a dearth of solid research on how the technology can change policing. "We need science, rather than our speculations about it, to try to answer and understand what impacts the cameras are having," says David Yokum, director of the Lab @ DC. His group worked with local police officials to make sure that cameras were handed out in a way that let the researchers carefully compare officers who were randomly assigned to get cameras with those who were not. The study ran from June 2015 to last December. It's to be expected that these cameras might have little impact on the behavior of police officers in Washington, D.C., he says, because this particular force went through about a decade of federal oversight to help improve the department.
Android

Google Says 64 Percent of Chrome Traffic On Android Now Protected With HTTPS, 75 Percent On Mac, 66 Percent On Windows (techcrunch.com) 73

An anonymous reader quotes a report from TechCrunch: Google's push to make the web more secure by flagging sites using insecure HTTP connections appears to be working. The company announced today that 64 percent of Chrome traffic on Android is now protected, up 42 percent from a year ago. In addition, over 75 percent of Chrome traffic on both ChromeOS and Mac is now protected, up from 60 percent on Mac and 67 percent on ChromeOS a year ago. Windows traffic is up to 66 percent from 51 percent. Google also notes that 71 of the top 100 websites now use HTTPS by default, up from 37 percent a year ago. In the U.S., HTTPS usage in Chrome is up from 59 percent to 73 percent. Combined, these metrics paint a picture of fairly rapid progress in the switchover to HTTPS. This is something that Google has been heavily pushing by flagging and pressuring sites that hadn't yet adopted HTTPS.
Security

Student Expelled After Using Hardware Keylogger to Hack School, Change Grades (bleepingcomputer.com) 127

Catalin Cimpanu, writing for BleepingComputer: Kansas University (KU) officials have expelled a student for installing a hardware keylogger and using the data acquired from the device to hack into the school's grading system and chang his grades. KU did not release the student's name to the public, but they said the keystroke logging device had been installed on one of the computers in its lecture halls. The student used data collected from the device to change F grades into A grades. Professors said the incident would not have been noticed if the student didn't get greedy about modifications. The hardware device the student used was a run-of-the-mill hardware keylogger that anyone can buy on Amazon or eBay for prices as low as $20. Speaking to local media, various KU professors said they hope not to see any copycats in the near future.
Privacy

Smartwatches For Kids Are a Total Privacy Nightmare (gizmodo.com) 32

An anonymous reader shares a report: Kids' smartwatches are usually intended to help parents feel at ease that their children are safe when they're not around. But as it turns out, a number of these devices may do more harm than good. A 49-page report on smartwatches for children details all the ways in which they are a security nightmare. The report (PDF), conducted by the Norwegian Consumer Council (NCC) and European security firm Mnemonic, analyzed four kids' smartwatches -- Gator 2, Tinitell, Viksfjord, and Xplora. According the NCC's report, two of the aforementioned devices were vulnerable to hackers, affording them the ability to remotely control the apps on the device. Through a breached device, the NCC says a hacker could access information on a child's whereabouts in real-time, uncover their personal information, and even communicate with the child. What's more, one of the devices could allow someone "with some technical knowledge" to discreetly listen to the child's surroundings. Beyond these gross invasions of privacy, the Council said certain key features of these devices -- an SOS button and a feature that alerts parents when kids leave virtual boundaries -- were unreliable. The report also notes issues regarding collecting user data -- only one of the product's terms and services allowed parents to opt in to or out of data collection. And one watch, the Xplora app, gave up children's data to marketers, the NCC said.
Security

MasterCard Has Finally Realized That Signatures Are Obsolete and Stupid (fastcompany.com) 299

An anonymous reader shares a report: For years, credit card companies have relied on an illegible squiggly line as the frontline of defense against credit card fraud. Customers are forced to use a pen (how retro!) to scrawl their signature on bills at restaurants and sign digitally at cash registers -- as if somehow in the age of chips, PINs, biometrics, and online fraud alerts, a line on a page is still a great tool against fraud prevention. Personally, I have been known to sign on the dotted line with a doodle of a piece of tofu and no one has ever stopped me, because signatures mean very little in this digital age. Companies are finally seeing the light. Starting in April 2018, MasterCard cardholders will no longer be required to sign their name when they purchase something using their debit or credit cards. The company has been moving away from requiring signatures for a few years now, with only about 80% of purchases (typically over a certain dollar amount) requiring a signature these days. MasterCard did some digging, though, and per its press release, realized that most of their customers "believe it would be easier to pay and that checkout lines would move faster if they didn't need to sign when making a purchase."
Facebook

Facebook Security Chief Says Its Corporate Network Is Run 'Like a College Campus' (zdnet.com) 82

An anonymous reader quotes a report from ZDNet: Facebook's security chief has told employees that the social media giant needs to improve its internal security practices to be more akin to a defense contractor, according to a leaked recording obtained by ZDNet. Alex Stamos made the comments to employees at a late-July internal meeting where he argued that the company had not done enough to respond to the growing threats that the company faces, citing both technical challenges and cultural issues at the company. "The threats that we are facing have increased significantly and the quality of the adversaries that we are facing," he said. "Both technically and from a cultural perspective I don't feel like we have caught up with our responsibility. The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost," he said.
China

Apple Watch's LTE Suspended In China Possibly Due To Government Security Concerns (appleinsider.com) 18

The Apple Watch Series 3's best new feature has been mysteriously blocked in China. According to a report from The Wall Street Journal, China has cut off the Apple Watch's LTE connectivity on Sept. 28 after brief availability from China Unicom. Industry analysts claim that the suspension is probably from governmental concerns about not being able to track and confirm users of the device. AppleInsider reports: Apple issued a brief statement confirming the situation, and referring customers to China Unicom. Neither China Unicom, nor Chinese regulators have made any statement on the matter. The issue may stem from the eSIM in the Apple Watch. Devices like the iPhone have state-owned telecom company-issued SIM cards -- and the eSIM is embedded in the device by Apple. "The eSIM (system) isn't mature enough yet in China," one analyst said. "The government still needs to figure out how they can control the eSIM." The LTE version of the Apple Watch had only a trial certificate to operate on the Chinese LTE network. An analyst who asked not to be identified expects that Ministry of Industry and Information Technology may take months to figure out how the government will deal with the eSIM, and issue a formal certificate for operation.
Canada

Canada's 'Super Secret Spy Agency' Is Releasing a Malware-Fighting Tool To the Public (www.cbc.ca) 66

Matthew Braga, reporting for CBC News: Canada's electronic spy agency says it is taking the "unprecedented step" of releasing one of its own cyber defence tools to the public, in a bid to help companies and organizations better defend their computers and networks against malicious threats. The Communications Security Establishment (CSE) rarely goes into detail about its activities -- both offensive and defensive -- and much of what is known about the agency's activities have come from leaked documents obtained by U.S. National Security Agency whistleblower Edward Snowden and published in recent years. But as of late, CSE has acknowledged it needs to do a better job of explaining to Canadians exactly what it does. Today, it is pulling back the curtain on an open-source malware analysis tool called Assemblyline that CSE says is used to protect the Canadian government's sprawling infrastructure each day. "It's a tool that helps our analysts know what to look at, because it's overwhelming for the number of people we have to be able to protect things," Scott Jones, who heads the agency's IT security efforts, said in an interview with CBC News. On the one hand, open sourcing Assemblyline's code is a savvy act of public relations, and Jones readily admits the agency is trying to shed its "super secret spy agency" reputation in the interest of greater transparency.
Security

Targeted Fuzzing Is Improving Linux Security, Linus Torvalds Says (iu.edu) 62

On the sidelines of announcing the fifth release candidate for the Linux kernel version 4.14, Linus Torvalds said fuzzing, which involves stress testing a system by generating random code to induce errors, is helping the community find and fix a range of security vulnerabilities. He wrote: The other thing perhaps worth mentioning is how much random fuzzing people are doing, and it's finding things. We've always done fuzzing (who remembers the old "crashme" program that just generated random code and jumped to it? We used to do that quite actively very early on), but people have been doing some nice targeted fuzzing of driver subsystems etc, and there's been various fixes (not just this last week either) coming out of those efforts. Very nice to see.
EU

EU: No Encryption Backdoors But, Let's Help Each Other Crack That Crypto (theregister.co.uk) 81

The European Commission has proposed that member states help each other break into encrypted devices by sharing expertise around the bloc. From a report: In an attempt to tackle the rise of citizens using encryption and its effects on solving crimes, the commission decided to sidestep the well-worn, and well-ridiculed, path of demanding decryption backdoors in the stuff we all use. Instead, the plans set out in its antiterrorism measures on Wednesday take a more collegiate approach -- by offering member states more support when they actually get their hands on an encrypted device. "The commission's position is very clear -- we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon," security commissioner Julian King told a press briefing. "We're trying to move beyond a sometimes sterile debate between backdoors or no backdoors, and address some of the concrete law enforcement challenges. For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device." [...] Share the wealth. "Some member states are more equipped technically to do that [extract information from a seized device] than others," King said. "We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer."
Businesses

Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) 351

From a report: Multiple U.S. security consultants and other industry sources tell The Daily Beast customers are dropping their use of Kaspersky software all together, particularly in the financial sector, likely concerned that Russian spies can rummage through their files. Some security companies are being told to only provide U.S. products. And former Kaspersky employees describe the firm as reeling, with department closures and anticipation that researchers will jump ship soon. "We are under great pressure to only use American products no matter the technical or performance consequences," said a source in a cybersecurity firm which uses Kaspersky's anti-virus engine in its own services. The Daily Beast granted anonymity to some of the industry sources to discuss internal deliberations, as well as the former Kaspersky employees to talk candidly about recent events.
Security

Ask Slashdot: What Are Ways To Get Companies To Actually Focus On Security? 158

New submitter ctilsie242 writes: Many years ago, it was said that we would have a "cyber 9/11," a security event so drastic that it fundamentally would change how companies and people thought about security. However, this has not happened yet (mainly because the bad guys know that this would get organizations to shut their barn doors, stopping the gravy train.) With the perception that security has no financial returns, coupled with the opinion that "nobody can stop the hackers, so why even bother," what can actually be done to get businesses to have an actual focus on security. The only "security" I see is mainly protection from "jailbreaking," so legal owners of a product can't use or upgrade their devices. True security from other attack vectors are all but ignored. In fact, I have seen some development environments where someone doing anything about security would likely get the developer fired because it took time away from coding features dictated by marketing. I've seen environments where all code ran as root or System just because if the developers gave thought to any permission model at all, they would be tossed, and replaced by other developers who didn't care to "waste" their time on stuff like that.

One idea would be something similar to Underwriters Labs, except would grade products, perhaps with expanded standards above the "pass/fail" mark, such as Europe's "Sold Secure," or the "insurance lock" certification (which means that a security device is good enough for insurance companies to insure stuff secured by it.) There are always calls for regulation, but with regulatory capture being at a high point, and previous regulations having few teeth, this may not be a real solution in the U.S. Is our main hope the new data privacy laws being enacted in Europe, China, and Russia, which actually have heavy fines as well as criminal prosecutions (i.e. execs going to jail)? This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism. Is there something that can actually be done about the general disinterest by companies to make secure products, or is this just the way life is now?
Security

The Internet Is Ripe With In-Browser Miners and It's Getting Worse Each Day (bleepingcomputer.com) 355

Catalin Cimpanu, reporting for BleepingComputer: Ever since mid-September, when Coinhive launched and the whole cryptojacking frenzy started, the Internet has gone crazy with in-browser cryptocurrency miners, and new sites that offer similar services are popping up on a weekly basis. While one might argue that mining Monero in a site's background is an acceptable alternative to viewing intrusive ads, almost none of these services that have recently appeared provide a way to let users know what's happening, let alone a way to stop mining behavior. In other words, most are behaving like malware, intruding on users' computers and using resources without permission. [...] Bleeping Computer spotted two new services named MineMyTraffic and JSEcoin, while security researcher Troy Mursch also spotted Coin Have and PPoi, a Coinhive clone for Chinese users. On top of this, just last night, Microsoft spotted two new services called CoinBlind and CoinNebula, both offering similar in-browser mining services, with CoinNebula configured in such a way that users couldn't report abuse. Furthermore, none of these two services even have a homepage, revealing their true intentions to be deployed in questionable scenarios.
Chrome

Chrome 62 Released With OpenType Variable Fonts, HTTP Warnings In Incognito Mode (bleepingcomputer.com) 79

An anonymous reader writes: Earlier today, Google released version 62 of its Chrome browser that comes with quite a few new features but also fixes for 35 security issues. The most interesting new features are support for OpenType variable fonts, the Network Quality Estimator API, the ability to capture and stream DOM elements, and HTTP warnings for the browser's Normal and Incognito mode. The most interesting of the new features is variable fonts. Until now, web developers had to load multiple font families whenever they wanted variations on a font family. For example, if a developer was using the Open Sans font family on a site, if he wanted a font variation such as Regular, Bold, Black, Normal, Condensed, Expanded, Highlight, Slab, Heavy, Dashed, or another, he'd have to load a different font file for each. OpenType variable fonts allow font makers to merge all these font family variations in one file that developers can use on their site and control via CSS. This results in fewer files loaded on a website, saving bandwidth and improving page load times. Two other features that will interest mostly developers are the Network Quality Estimator and the Media Capture from DOM Elements APIs. As the name hints, the first grants developers access to network speed and performance metrics, information that some websites may use to adapt video streams, audio quality, or deliver low-fi versions of their sites. Developers can use the second API -- the Media Capture from DOM Elements -- to record videos of how page sections behave during interaction and stream the content over WebRTC. This latter API could be useful for developers debugging a page, but also support teams that want to see what's happening on the user's side.
Government

'Significant' Number of Equifax Victims Already Had Info Stolen, Says IRS (thehill.com) 105

An anonymous reader quotes a report from The Hill: The IRS does not expect the Equifax data breach to have a major effect on the upcoming tax filing season, Commissioner John Koskinen said Tuesday, adding that the agency believes a "significant" number of the victims already had their information stolen by cyber criminals. "We actually think that it won't make any significantly or noticeable difference," Koskinen told reporters during a briefing on the agency's data security efforts. "Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals." The IRS estimates that more than 100 million Americans have had their personally identifiable information stolen by criminal hackers, he said.

The Equifax breach disclosed in early September is estimated to have affected more than 145 million U.S. consumers. "It's an important reminder to the public that everyone can take any actions that they can ... to make sure we can do everything we can to protect personal information," Koskinen said of the breach on Tuesday, in response to a reporter's question. The IRS commissioner advised Americans to "assume" their data is already in the hands of criminals and "act accordingly."

Open Source

Companies Overlook Risks in Open Source Software, Survey Finds (betanews.com) 131

An anonymous reader shares a report: Open source code helps software suppliers to be nimble and build products faster, but a new report reveals hidden software supply chain risks of open source that all software suppliers and IoT manufacturers should know about. The recent Equifax breach for example exploited a vulnerability in a widely used open source web framework, Apache Struts, and the study by software monetization specialist Flexera points out that as much as 50 percent of code in commercial and IoT software products is open source. "We can't lose sight that open source is indeed a clear win. Ready-to-go code gets products out the door faster, which is important given the lightning pace of the software space," says Jeff Luszcz, vice president of product management at Flexera. "However, most software engineers don't track open source use, and most software executives don't realize there's a gap and a security/compliance risk." Flexera surveyed 400 software suppliers, Internet of Things manufacturers and in-house development teams. It finds only 37 percent of respondents to the survey have an open source acquisition or usage policy, while 63 percent say either their companies either don't have a policy, or they don't know if one exists. Worryingly, of the 63 percent who say their companies don't have an open source acquisition or usage policy, 43 percent say they contribute to open source projects. There is an issue over who takes charge of open source software too. No one within their company is responsible for open source compliance, or they don't know who is, according to 39 percent of respondents.
Google

'Google Just Made Gmail the Most Secure Email Provider on the Planet' (vice.com) 197

Google announced on Tuesday that it would offer stronger online security for "high risk" users who may be frequent targets of online attacks. The company said anyone with a personal Google account can enroll in the new "advanced protection," while noting that it will require users to "trade off a bit of convenience" for extra security. Motherboard reports: The main advantage in terms of security is the need for a key or token to log in as the second factor, instead of a code sent via SMS or via app. This is much better because there's no way for hackers to steal or phish this key from afar (there have been isolated incidents of hackers using social engineering to gain access to someone's cell phone number by getting the provider to issue a new SIM card, for instance). Thanks to these new features, Gmail is now the most secure email provider available on the internet if you are worried about hackers breaking into your private correspondence. "This is a major step in the right direction in offering the same kind of protection available to high-profile figures to everyday people," Kenneth White, a Washington D.C. based security consultant to federal agencies, told Motherboard. "They have really thought this through, and while it may not make sense for everyone, for those that need it, it's a much needed option."
Microsoft

Microsoft Responded Quietly After Detecting Secret Database Hack in 2013 (reuters.com) 46

Citing five former employees, Reuters reported on Tuesday that Microsoft's secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago. From the report: The company did not disclose the extent of the attack to the public or its customers after its discovery in 2013, but the five former employees described it to Reuters in separate interviews. Microsoft declined to discuss the incident. The database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system. Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins. The Microsoft flaws were fixed likely within months of the hack, according to the former employees. Yet speaking out for the first time, these former employees as well as U.S. officials informed of the breach by Reuters said it alarmed them because the hackers could have used the data at the time to mount attacks elsewhere, spreading their reach into government and corporate networks. "Bad guys with inside access to that information would literally have a 'skeleton key' for hundreds of millions of computers around the world," said Eric Rosenbach, who was U.S. deputy assistant secretary of defense for cyber at the time.
Wireless Networking

Every Patch For 'KRACK' Wi-Fi Vulnerability Available Right Now (zdnet.com) 134

An anonymous reader quotes a report from ZDNet: As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates. According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device. In total, ten CVE numbers have been preserved to describe the vulnerability and its impact, and according to the U.S. Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks. A list of the patches available is below. For the most up-to-date list with links to each patch/statement (if available), visit ZDNet's article.
Security

Ask Slashdot: What Are Some Hard Truths IT Must Learn To Accept? (cio.com) 420

snydeq writes: "The rise of shadow IT, shortcomings in the cloud, security breaches -- IT leadership is all about navigating hurdles and deficiencies, and learning to adapt to inevitable setbacks," writes Dan Tynan in an article on six hard truths IT must learn to accept. "It can be hard to admit that you've lost control over how your organization deploys technology, or that your network is porous and your code poorly written. Or no matter how much bandwidth you've budgeted for, it never quite seems to be enough, and that despite its bright promise, the cloud isn't the best solution for everything." What are some hard truths your organization has been dealing with? Tynan writes about how the idea of engineering teams sticking a server in a closet and using it to run their own skunkworks has become more open; how an organization can't do everything in the cloud, contrasting the 40 percent of CIOs surveyed by Gartner six years ago who believed they'd be running most of their IT operations in the cloud by now; and how your organization should assume from the get-go that your environment has already been compromised and design a security plan around that. Can you think of any other hard truths IT must learn to accept?

Slashdot Top Deals