Author Archives: Ms. Smith

Beginning of the end for the Peeple app?

Rage on, Internet, and the Peeple app may die before it can even be launched. The Washington Post reported:

When the app does launch, probably in late November, you will be able to assign reviews and one- to five-star ratings to everyone you know: your exes, your co-workers, the old guy who lives next door. You can't opt out — once someone puts your name in the Peeple system, it's there unless you violate the site's terms of service. And you can't delete bad or biased reviews — that would defeat the whole purpose.

Voice hackers can record your voice then use morpher to trick authentication systems

It's easy for someone with potentially malicious intentions to record your voice, as you leave traces of your voice when simply talking somewhere out in public, during mobile phone calls, in videos posted on social networking sites, or even when sending a recorded voice greeting card. Your voice is considered unique enough to serve as authentication of your identity. But after studying the implications of commonplace voice leakage and developing voice impersonation attacks, researchers from the University of Alabama at Birmingham warned that an attacker in possession of only a very limited number of your voice samples, "just a few minutes worth of audio of a victim's voice," can clone your voice and could compromise your security, safety, and privacy.

Your privacy and Apple, Microsoft and Google

Within a span of a few days, two of three giants in the tech industry made changes that could directly affect your privacy; the third tried to clear up "privacy and Windows 10."

Apple updates privacy policy, releases iOS security guide

Today Apple published an updated privacy policy that explains, in detailed but easy-to-understand language, how it uses customers’ data. It begins with a message about Apple’s commitment to your privacy from Apple CEO Tim Cook. He promised Apple never "worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will." Apple also revealed that 94% of the government data requests it receives deal with cops trying to find stolen iPhones.

Could VW scandal lead to open-source software for better automobile cybersecurity?

Volkswagen's use of software that manipulated exhaust values to defeat emissions tests affects 11 million VW diesel cars built since 2008. A 2007 letter from VW parts supplier Bosch warned Volkswagen not to use the software for regular operations; in 2011, a Volkswagen technician raised concerns about the illegal practices in connection with the emissions levels. “We should be allowed to know how the things we buy work,” Eben Moglen, a Columbia University law professor and technologist, told the New York Times. “Let’s say everybody who bought a Volkswagen were guaranteed the right to read the source code of everything in the car. 99% of the buyers would never read anything, but out of the 11 million people whose car was cheating, one of them would have found it. And Volkswagen would have been caught in 2009, not 2015.”

DerbyCon: Former BlueHat prize winner will bypass Control Flow Guard in Windows 10

Windows 10, and even Windows 8.1 Update 3, uses Control Flow Guard (CFG) to protect against memory-corruption attacks. Close to the end of last year, Microsoft said the CFG security feature could "detect attempts to hijack your code" and stop executing the code "before the hijacker can do damage to your data or PC." This summer at Black Hat, Yunhai Zhang showed how to "Bypass Control Flow Guard Comprehensively" (pdf). And at DerbyCon on Friday, Jared DeMott and Rafal Wojtczuk will present "Gadgets Zoo: Bypassing Control Flow Guard in Windows 10."

Cyber insurance rejects claim after BitPay lost $1.8 million in phishing attack

If you bought cyber insurance so you’d be covered if you were hacked, and then had $1.8 million stolen after being hacked, wouldn’t you expect your insurance claim to be paid? If so, think again: the claim can be denied due to the wording of the risk insurance contract. BitPay, a Bitcoin payment processor, had purchased cyber insurance from Massachusetts Bay Insurance Company (MBIC), but BitPay was in for a rude awakening. In December 2014, an unknown hacker pulled off a social engineering attack; he spearphished BitPay’s Chief Financial Officer, managed to capture corporate credentials, then used the hacked email account to spoof emails to the CEO; the hacker tricked BitPay into making three separate transfer transactions over two days to the tune of 5,000 bitcoins, which were valued at $1,850,000. Well, at least the company had cyber insurance, right? No; the insurance company denied the claim due to the wording in the contract; BitPay then sued the insurance company.

DHS CISO: Revoke security clearance of feds who keep falling for phishing scams

Numerous federal agencies rely on legacy systems that have security bolted on as an afterthought instead of security “being deeply embedded” in the systems. It is unsurprising that such older hardware, software and operating systems are vulnerable to intrusions. But sometimes security problems have more to do with human vulnerabilities – stupid PEBKAC and ID10T errors committed by the person behind the keyboard – than legacy systems. If the same people who handle sensitive government information also keep falling for phishing scams, should they have their security clearance revoked? Indeed they should, according to DHS chief security officer Paul Beckman.

Find out if the NSA spied on you and shared it with GCHQ

Curious if the NSA has ever spied on you? Privacy International launched a site so you can find out if Britain’s GCHQ spied on you; put another way, GCHQ can access NSA data, so if the NSA gobbled up your communications, this is how you can find out and get that digital dirt destroyed. Privacy International wrote:

Have you ever made a phone call, sent an email, or, you know, used the internet? Of course you have! Chances are, at some point over the past decade, your communications were swept up by the U.S. National Security Agency's mass surveillance program and passed onto Britain's intelligence agency GCHQ. A recent court ruling found that this sharing was unlawful but no one could find out if their records were collected and then illegally shared between these two agencies… until now!

FDA accepts application for micro-chipped pill that tells doc if you took meds

Some people with schizophrenia might be inclined to believe “they” are watching them, that “they” are tracking them, and ironically now “they” really might be via a “digital” pill that contains an ingestible sensor which gives doctors and caregivers the ability to track if and when a patient takes his medicine. According to an announcement by Otsuka Pharmaceutical and Proteus Digital Health:

This is the first time an FDA-approved medication (ABILIFY) has been combined and submitted for approval with a sensor within the medication tablet (the Proteus ingestible sensor) to measure actual medication-taking patterns and physiologic response. This objective information is communicated to the patient – and with the consent of the patient – to the patient’s physician and/or caregiver.

Researcher reveals remotely exploitable flaw in world’s most widely-used real-time OS

A security researcher discovered a serious yet simple flaw in VxWorks, a real-time operating system for the Internet of Things, which an attacker could remotely exploit without needing any interaction with a user. The OS is used in everything from everyday things like network routers to critical infrastructure, as well as in NASA’s Curiosity Rover on Mars and Boeing 787 Dreamliners. Searching for VxWorks via Shodan reveals about 100,000 internet-connected devices running the OS, but VxWorks supposedly powers “billions of intelligent devices.” The researcher warned that the vulnerability “allows remote code execution on most VxWorks-based devices.”

Android porn app snaps pic of user, locks it on home screen with $500 ransom demand

Some unlucky individuals thought they had downloaded the Android app Adult Player to watch porn videos, but the app silently takes a photo of users while they use the app and then displays the image on the home screen, along with a ransom note demanding $500. Researchers from Zscaler's ThreatLab first discovered the "new mobile ransomware variant that leverages pornography to lure victims into downloading and installing it." Perhaps the desire to view porn is stronger than common sense, as the app asks for permission to be activated as device admin. It asks for the right to monitor screen-unlock attempts and to "lock the phone or erase all the phone's data if too many incorrect passwords are typed."

Microsoft released 12 patches, 5 rated critical, 1 being exploited in the wild

Microsoft released 12 security updates for September 2015 Patch Tuesday, five of which are rated critical and one of which is currently being exploited in the wild.

Microsoft patches rated critical

MS15-097 contains a fix for a flaw currently being exploited in the wild, so it should be your top priority. It patches 11 vulnerabilities in Microsoft Graphics Component which could allow remote code execution. Qualys CTO Wolfgang Kandek wrote, “The bulletin is rated critical on Windows Vista and Server 2008, plus Microsoft Office 2007 and 2010, plus Lync 2007, 2010, 2013. In addition one of the vulnerabilities, rated only as important in the bulletin, is under attack in the wild: CVE-2015-2546 allows for an escalation of privilege once on the machines, allowing the attacker to become administrator of the targeted machine. CVE-2015-2546 affects all versions of Windows including Windows 10.”

$60 device spoofs phantom objects and tricks self-driving cars into stopping

A security researcher used a homemade $60 system to outsmart self-driving car lidar sensors that cost thousands; he was able to trick an autonomous vehicle into slowing down and even launched a denial of service attack on a self-driving car's tracking system so that it came to a complete stop. Lidar, a remote sensing technology, is most commonly known as the circular “eye” mounted on the roof of most self-driving cars; it acts somewhat like radar, as the lasers spin around to scan the area and detect objects. Lidar devices come in various sizes and prices. The lidar (Light Detection and Ranging) market is estimated to be a one billion market by 2020; it’s not used exclusively for driverless cars, as seen in recent news about autonomous golf carts and surveying drones. Yet Jonathan Petit, a principal scientist at Security Innovation, believes lidar sensors are “the most susceptible technologies” in self-driving vehicles.

Crypto wars: FTC commissioner says to encrypt despite feds pushing for backdoors

Surveillance is so out of control that superheroes like Captain America fight against it; even the Avengers tried to show us the dangers of militarizing the Internet. Sure, that might be coming from fictional characters, just like the cosplay activism campaign going on at Dragon Con this weekend in Atlanta. Yet as Project Secret Identity points out:

8 in 10 Internet-connected baby monitors receive ‘F’ grade for security flaws

Despite the negative and widespread publicity around baby monitor hacks, sadly you shouldn’t expect an end to baby cam hacker stories any time soon. Today Rapid7 publicly disclosed 10 new vulnerabilities in baby monitors made by nine different manufacturers. On a grading scale, eight of the 10 Internet-connected baby monitors scored an “F” and one received a “D” grade. If you were curious about some redactions in the slides during Mark Stanislav’s “The Hand that Rocks the Cradle: Hacking IOT Baby Monitors” presentation at Def Con’s IOT Village, it was due to several new vulnerabilities he uncovered. Stanislav and Tod Beardsley have published a hacking IOT case study on baby monitors (pdf).

Cybercrooks quickly bypass Adobe Flash Player’s improved security protections

As of today, Google's Chrome browser will automatically pause ads that use Flash by default. Most Flash ads were converted to HTML5 and those HTML5 ads will still work. Flash can quickly suck the power from a laptop battery, but even worse is the never-ending supply of Flash vulnerabilities. Supposedly, the version of Flash Player released in July had "additional protections to make entire classes of security flaws much harder to exploit in the future." The future is now then, because cybercriminals have wasted no time circumventing those extra security protections.

Will self-driving cars become terrorists’ best friends?

Uber snapped up car hackers Charlie Miller and Chris Valasek. Miller, who had worked on Twitter’s security team, and Valasek, who had been working as Director of Vehicle Security Research at IOActive, will now join “dozens of autonomous vehicle experts hired from Carnegie Mellon University” working at Uber’s Advanced Technologies Center.

6 UK teenagers arrested for allegedly using Lizard Squad’s Lizard Stresser DDoS service

The National Crime Agency (NCA), which is like a British version of the FBI, arrested six UK teenagers for allegedly using a DDoS-for-hire service to attack corporate websites. During Operation Vivarium, warrants were executed for six male teenagers – ages 15, 16, 17 and three 18-year-olds – accused of using the hacking group Lizard Squad’s Lizard Stresser tool, which is capable of knocking websites offline for up to eight hours at a time. Lizard Squad took down Microsoft Xbox and Sony PlayStation networks on Christmas day; shortly thereafter, Lizard Squad released its Lizard Stresser service. According to Krebs on Security, the Lizard Stresser service “draws on Internet bandwidth from hacked home Internet routers around the globe that are protected by little more than factory-default usernames and passwords.”

Researchers create P2P Alibi Routing to avoid censorship and government surveillance

A team of University of Maryland Institute for Advanced Computer Studies (UMIACS) researchers developed "provable avoidance routing" that they call Alibi Routing; it's an overlay routing protocol that provides Internet users with a method to avoid sending their data through countries known for their censorship. Users specify where they want their packets NOT to go and Alibi Routing can provide "concrete proof" that users' data did not pass through "undesired geographic regions." The researchers unveiled Alibi Routing at the 2015 Association for Computing Machinery Special Interest Group on Data Communication (ACM SIGCOMM) conference. The research paper (pdf) "introduces a primitive, provable avoidance routing that, when given a destination and region to avoid, provides 'proof' after the fact that a packet and its response did not traverse the forbidden region. We rely on the insight that a packet could provide an 'alibi'—a place and time where it was—to prove that it must have avoided the forbidden region in transit from source to destination."