Hacking, Security & Privacy - Page 40

Cybercriminals targeting free and open source software continue to rattle developers and consumers, with high-profile attacks hitting security flaws that should have been resolved. Specifically, the Heartbleed and Shellshock exploits have led to an increased demand from private companies and the U.S. government to step up programming assistance, but that hasn't been well received among many open source developers. However, it has provided a much-needed wakeup call that open source software should be monitored more closely to prevent such high-profile breaches.

"It's going to be a wake-up call for a lot of people to understand why we aren't auditing this software better," said Greg Martin, Threat Stream Inc founder and chief technology officer. "Everybody's been scratching their heads and saying, 'How could we miss this?'"

Hackers are increasingly organized - and well-funded - and that has made it difficult to defend against attacks, especially open source software. In theory, open source software provides a much larger pool of developers to help fix flaws, but others say proprietary software is more secure since the code is closed off from the public.

Even with FBI Director James Comey speaking out against Google and Apple providing encryption security on smartphone devices, Apple shipped its Yosemite OS with FileVault by default. The FBI - and other government agencies - are worried that encryption will prevent law enforcement from cracking down on criminals... or so they say.

"With Apple's new operating system, the information stored on many iPhones and other Apple devices will be encrypted by default," Comey recently said. "Shortly after Apple's announcement, Google announced plans to follow suit with its Android operating system. This means the companies themselves won't be able to unlock phones, laptops, and tablets to reveal photos, documents, email, and recordings stored within."

It's impressive to see Google, Apple and other tech companies trying to put customers first - as many users become more concerned about security - and not listening to the FBI's rather questionable concerns.

Just days ago, August Germar showed off his Anonabox privacy router on Kickstarter, quickly flying past his pledge goal of $7500. Germar was promising a router that would give users near ultimate privacy, routing your Internet access through the Tor network. Germar raised $585,549 before Kickstarter suspended his Kickstarter, citing Germar "broke Kickstarter rules".

The Anonabox ball of thread began to unravel when some of its backers began to ask questions about Anonabox's custom hardware, as well as the promised security of its software. It snowballed to the point of many asking for the project to be cancelled, and asked others to report the misleading information to Kickstarter staff. Kickstarter emailed the project investors, telling backers that "a review of the project uncovered evidence that it broke Kickstarter's rules". These rules include the company to prohibit "offering purchased items and claiming to have made them yourself, presenting someone else's work as your own" and "misrepresenting or failing to disclose relevant facts about the project or its creator".

It all started on Tuesday night, with users seeing issues with the router's hardware, with its designer claiming was custom-designed. The backers found that all of the parts could be acquired from Chinese suppliers on sites such as Alibaba. Germar even confirmed with WIRED that the Anonabox prototype he had was built from "off-the-shelf case and a nearly stock board tweaked to add more flash memory storage, both sourced from the Chinese manufacturer Gainstrong", according to Wired.

Around 100 cybercriminal kingpins help wreak havoc on the world, according to Troels Oerting, the head of the Europol Cybercrime Center. Trying to crack down on cybercriminals can be a daunting task, especially trying to bring them to justice, as Web-based attack activity largely remains a borderless bureaucratic nightmare.

"We roughly know who they are," Oerting recently said. "If we can take them out of the equation then the rest will fall down. This is not a static number, it will increase unfortunately. We can still cope but the criminals have more resources and they do not have obstacles. They are driven by greed and profit and they produce malware at a speed that we have difficulties catching up with."

Not surprisingly, many of the leading cybercriminal bosses are in Russian-speaking countries - though cybersecurity experts also warned of growing threats from China. Trying to bring these criminals to justice is near impossible, with Russia and other Eastern European nations ignoring the western world when it comes to apprehending these criminals, Europol noted.

Computer security companies have had their hands full keeping PCs and other devices secure from cyberattackers, and while mobile malware is still overlooked, the threats are continuing to grow. There is serious concern that hackers will infect smartphones and tablets using malicious programs that are able to act like legitimate apps - giving them access to a large amount of information on mobile devices.

"We think the threat is real; we think it's a growing threat," said Gary Davis, McAfee chief consumer security evangelist. "We think there's a laissez-faire attitude with consumers not giving it the same kind of attention they give other threats."

Despite the lack of mobile attacks, where Google Android devices receive 98 percent of total mobile threats found in the wild, other operating systems need to be aware of security problems. Furthermore, mobile malware still has a lot of room to grow, even with thousands of Android-based malicious threats already spotted by security researchers.

In this government-spies-on-everyone age, anonymity is hard to come by. But, a group of privacy-focused developers have taken to Kickstarter, asking for funding from the world for something they call, Anonabox. With a goal of $7500, they've blown past that with a huge $146,755 (at the time of writing), with another 28 days still to go.

Anonabox is an open-source router that automatically directs all of your data, with it connecting to your router through Wi-Fi or ethernet, through the Tor network. This hides users' IP addresses, and skips over censorship. Better yet, Anonabox is tiny - small enough that it could easily fit inside of your pocket, or be easily placed anywhere near your router.

Thanks to its tiny size, users can take it with them, plugging it into any router, making their work and Internet use completely anonymous. For people who travel, they could use it in their hotel rooms, or for people in China at an Internet cafe, they can skip over the Great Firewall of China. August Germar, who has spent four years working on Anonabox, explains: "Now all your programs, no matter what you do on your computer, are routed over the Tor network". Germar says that the idea behind Anonabox making the use of Tor easier, but for those who reside in Internet-repressive regimes. He added: "It was important to us that it be portable and small-something you can easily conceal or even throw away if you have to get rid of it".

Things do not look good as Sears Holding Corp said on Friday that its Kmart retail chains customer database may have been compromised last month. As a result, some of its customer's credit card and debit card details may have been stolen.

The company said on Friday that its Kmart's servers was affected by a malware. Kmart was not able to say how many customers are affected, and according to their investigation so far, no debit card pin numbers, email and phone contacts, social security number and personal information was stolen.

But, to be on the safe side, Kmart made an announcement that it will be providing a free credit-monitoring service for its customers who used a debit or a credit card during since last month until Thursday. Customers can then call Kmart customer service and report the unauthorized charges immediately. In the meantime, the company hired a security firm to look into the matter while working with its banking partners and federal authorities.

As part of his remote interview for the New Yorker Festival, Edward Snowden was asked various questions about what people can do about their privacy. His first reply was to cover the reform of government policies.

Snowden said that some people are fine with thinking along the lines of they "don't have anything to hide" but it's not about that according to the ex NSA contractor, who said "you're inverting the model of responsibility for how rights work". The full reply: "When you say, 'I have nothing to hide,' you're saying, 'I don't care about this right.' You're saying, 'I don't have this right, because I've got to the point where I have to justify it.' The way rights work is, the government has to justify its intrusion into your rights".

On an individual level, Snowden warns us all to find encrypted tools, and to stop using services that are "hostile to privacy". One of those services is Dropbox, where Snowden said "get rid of Dropbox", something that he said doesn't support encryption. Snowden did bring up Facebook and Google, both of which he said are "dangerous services". He also added to not send unencrypted text messages, but to instead of services like RedPhone and Silent Circle.

Hackers aren't only interested in embarrassing celebrities, as thousands of pictures and videos were stolen from Snapchat users and will be posted online. The online service was quick to confirm its servers weren't breached, however, users of third-party Snapchat apps were targeted - and will be posted online in a searchable database.

Unfortunately for the users, they believed the images were quickly purged after being sent - instead, "The Snappening" will be posted on 4chan and other websites soon enough.

"We can confirm that Snapchat's servers were never breached and were not the source of these leaks," a Snapchat spokesperson recently said. "Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users' security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed."

Millions of network-connected electricity meters used in Spain are susceptible to cyberattack by hackers, according to security researchers. The vulnerabilities could lead to electricity being terminated - or billing fraud - if hackers are able to access the smart meters.

The Spanish government has relied on these electricity meters to improve national energy efficiency, but didn't put a large enough emphasis on security efforts. The memory chips in the smart meters are reprogrammable and include flawed code, though the researchers won't outline what they did specifically until the problems are fixed.

"Oh wait? We can do this? We were really scared," said Javier Vazquez Vidal, a security expert involved in the smart meter research. "We started thinking about the impact this could have. What happens if someone wants to attack an entire country?"

Home Depot is now working with banks and law enforcement to investigate a data breach that led cybercriminals to steal customer payment information, including debit and credit card data. The Home Depot breach could have started in April or May, and reportedly affected a large number of customers. The data made its way to an underground forum and was called "American Sanctions," reportedly in response to further U.S. and European sanctions against Russia.

"Protecting our customers' information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers," said Paula Drake, Home Depot spokesperson.

Consumers are urged to use cash or credit card payments in retail stores - debit card payments can be risky, forcing shoppers to closely track their bank statements. Hackers taking a political stance, trying to retaliate against the U.S. for further sanctions in a tense situation between Russia and the Ukraine, adds another layer of chaos to data breaches.

The FBI is now investigating the celebrity hacker that posted numerous photos of celebrities on the Internet over the weekend. Many of the images, originally posted on 4chan and later shared on Reddit, Twitter and Imgur, featured celebrities such as Jennifer Lawrence, Kate Upton, Jenny McCarthy, and Mary Winstead.

Here is what the FBI noted: "The FBI is aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter," said Laura Eimiller, FBI spokesperson, in a statement. "Any further comment would be inappropriate at this time."

Apple also is investigating the incident, as many of the images were reportedly stored online using its iCloud service.

A hacker is claiming to have completed a massive hack, where he has said that he has leaked out photos of some of the biggest female celebrities in the world, including Jennifer Lawrence, Kim Kardashian, and many more. Lawrence's reps have confirmed that the nude photos of her are indeed real, allegedly stolen from her Apple iCloud account.

A spokesperson told HuffPost: "This is a flagrant violation of privacy. The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence." The hacker claims to have videos of celebrities too, and not just nude photos, as he is offering to release more of his treasure trove in exchange for money.

Representatives for many of the celebrities are coming out claiming that the photos are "completely fake," but there are some that are real, and in this instance, Jennifer Lawrence's reps coming out and confirming the images, proves that this hack has happened and at least some of the pictures are real.

The National Oceanic and Atmospheric Administration (NOAA) is being pressured by the U.S. Department of Commerce Office of Inspector General to fix several vulnerabilities currently found in the Joint Polar Satellite System (JPSS). There are at least a few different high-risk vulnerabilities found in the JPSS ground stations that could be exploited by clever cyberattacks.

Some of the issues would only require software updates or new security patches, but the NOAA is taking 11 to 14 months in some cases to fix the problems - the JPSS system requirements have 30 days to fix security problems, with the inspector general saying it shouldn't take more than three months to resolve problems.

"The remediation of high-risk vulnerabilities is critical to the continued success of the JPSS mission and should have a high priority," according to the report. "The more high-risk vulnerabilities that exist in the system, the higher the probability is that an attacker could compromise it. This could lead to a disruption of NOAA's ability to command and control the Suomi NPP satellite and to provide data that is used in numerical weather models that support weather predictions and climate monitoring."

For quite a while now, we've known that the NSA has been spying on millions of citizens within the United States. But with its ICREACH search engine, the US spy agency has a Google-like internal search engine that can quickly flick through some 850 billion files that it keeps on citizens, not just in the US, but across the world.

The Intercept, the new site from Glenn Greenwald, who broke the story on NSA whistleblower Edward Snowden, says that these records are available to 23 agencies. These 23 agencies include the likes of the FBI, the DEA and much more, who can easily access ICREACH. This means that the government can search for very specific bits of data of a target citizen, such as their phone number or email address, with it displaying a list of emails both two and from that person over a certain period of time, analysts can then work out a pattern of who that person is in contact with.

This is achieved thanks to metadata, but don't worry ICREACH doesn't include what was said within a phone call, but it does include who the person was talking to, who called them, and what time the call took place. This data can then be used to determine the target's pattern of behavior, so that if the target was calling a certain person at a particular time, they could plan for that time and listen in.

The "Machete" cyberattack targeted Spanish speaking residents of Colombia, Ecuador and Venezuela, and the malware was recently noted by security firm Kaspersky Lab. The targeted attack campaign likely launched in 2010 and was improved in 2012, with the Machete operation still potentially active. The malware is sent as a RAR file attachment that includes a PowerPoint presentation, researchers noted.

The malware can log keystrokes, capture geolocation data, capture screenshots, record audio from PC microphone, take photos via Web camera, and copy files to a remote server, among other similar cybercriminal activities.

There were 85 victims in Colombia, 282 victims in Ecuador, and 372 victims in Venezuela, though also found 45 victims in Russia and small numbers of victims in the United States and Europe. Much like other malware distribution, the criminals rely on social engineering to trick users to unknowingly install it on their machines.

Social media service Diaspora, an open source, decentralized service consisting of individual nodes, utilizes thousands of private servers. Unfortunately, there isn't a way for the Diaspora project team to edit or remove content from a network node, and that's likely why IS chose it.

After being booted from Twitter and other social networking sites, the Islamic State is looking for new alternatives. In an attempt to spread images, videos and published propaganda to shock the west and appeal to new recruits, IS wants to have a collection of social media accounts to use.

"As many of the members of the core team are pod administrators ourselves, we know it can be hard to detect such users," the Diaspora blog reads. "We rely on our community members to use the report function to alert their podmin to any post or comment they believe to be a cause for concern. However, because this is such a crucial issue, we have also accumulated a list of accounts related to IS fighters, which are spread over a large number of pods, and we are in the process of talking to the podmins of those pods."

U.S. universities face a bigger threat of security data breaches than the retail and healthcare sectors, according to a recent study published by BitSight. As the school year begins again, hackers are preparing to target universities once again, the report said.

Using data based on major athletic conferences, including the Pacific-12, Big 10, Big 12, Southeastern Conference, Atlantic Coast Conference and Ivy League from July 2013 to June 2014, all divisions saw a drop in cybersecurity performance.

"From Social Security and credit card numbers to health records and intellectual property produced by research departments, colleges and universities house a vast amount of sensitive data," said Stephen Boyer, BitSight co-founder and CTO, in a statement to FierceCIO. "While not surprising given the unique challenges universities face securing open campus networks, it's concerning to see that they are rating so far below other industries that we've seen plagued by recent security problems."

Pro-Syrian hackers are using WhatsApp, Facebook, YouTube and Viber to share malware that is aimed at activists fighting for a regime change in Syria. In addition to Syrian Internet users, people were also targeted in the United States, France, Saudi Arabia, United Arab Emirates, Turkey, Palestine, Israel, Morocco and Lebanon, security researchers noted.

The malware is using remote access tools (RATs) and being shared to groups that support Syrian President Bashar al-Assad. The RAT technology are able to compromise PCs and systems in which they are installed, with attackers stealing credentials, remotely turning on microphones and video cameras, and controlling the infected PCs.

"Total Network Monitor (which is a legitimate application) is inside another sample found, being used with embedded malware for spying purposes," according to Kaspersky Lab researchers. "Offering security applications to protect against surveillance is one of the many techniques used by malware writing groups to get users desperate for privacy to execute these dubious programs."

Former NSA contractor Edward Snowden would "volunteer" for prison but only under the right circumstances, he said in a recent interview with Wired Magazine. Considering he faces charges that include conveying classified information to an unauthorized party, theft of government property and disclosing communications intelligence information, he would likely face significant prison time if convicted.

"I told the government I'd volunteer for prison, as long as it served the right purpose," Snowden told Wired earlier this month. "I care more about the country than what happens to me. But we can't allow the law to become a political weapon or agree to scare people away from standing up for their rights, no matter how good the deal is. I'm not going to be part of that."

Earlier in the month, Russian officials announced Snowden's asylum was extended for an additional three years - allowing him to remain in a safe location as he tries to figure out what to do long-term. Most U.S. politicians have been less than kind when describing Snowden's actions, and it seems unlikely he would receive a fair trial if he returns back to the United States. However, they are still keen to see him return home, because they certainly seem to have a lot of questions they would like him to answer.